Policy Server Guides › Policy Server Configuration Guide › User Directories › User Directory Connections Overview

User Directory Connections Overview

To verify user identities, the Policy Store uses user directories to store organizational information, user attributes, and user credentials. You configure connections to existing user directories and databases through the Administrative UI. These directory connections resolve how the Policy Server establishes a context for user identities.

The Policy Server supports the following types of user directories:

• LDAP
• ODBC
• Oracle
• Custom

LDAP Overview

The Policy Server can communicate with user directories that use the Lightweight Data Access Protocol (LDAP). The Policy Server opens three connections when connecting to an LDAP user store:

• The first connection verifies that the user store is up and running. By default, the Policy Server contacts the user store every 30 seconds on this connection.
• The second connection is for searches and updates. For example, the Policy Server uses this connection for user lookup and setting attributes on bind failures.
• The third connection is for testing credentials. The Policy Server attempts to bind to the user store using the provided credentials. The result of the bind attempt determines whether the credentials are acceptable.

ODBC Database Overview

CA SiteMinder® can use a proprietary schema in an ODBC-compatible database as a user directory for authentication and authorization purposes. The Policy Server supports connections to the following types of ODBC-compatible databases:

• Microsoft SQL Server—Windows Policy Servers only
• Oracle RDBMS

To configure the Policy Server to use a database as a user directory:

• Type the SQL query information in the fields on the SQL Query Scheme pane. This pane is accessible from the User Directory pane. The fields in this pane map information between the Policy Server and the ODBC-compatible database.

  Note: Create a unique data source for each query scheme.

• Define an ODBC data source that points to the database containing user information. Configure the ODBC data source as a System DSN. The data source points to a Microsoft SQL Server database or an Oracle database.

Active Directory Overview

CA SiteMinder® supports user directories on the Microsoft Active Directory platform. The configuration for Active Directory (AD) and LDAP namespaces is similar with several functional differences.

The advantage of using the AD namespace when configuring an Active Directory user store include:

• SSL connectivity using a native Windows certificate database.

  Note: Both the Policy Server and the systems hosting Active Directory user stores have an established trust.

• Support for native Windows SASL,which allows for secure LDAP bind operations.

The disadvantages of using the AD namespace when configuring an Active Directory user store include:

• No support for enhanced LDAP referrals.
• No support for LDAP paging and sorting operations.

Note: If the Policy Server is installed on a UNIX operating system, you cannot use the AD namespace for connecting to the AD user store.

Custom Directory Overview

The Administrative UI allows you to create custom user directory connections by creating shared libraries with the CA SiteMinder® Directory API. This C-language API is available separately with the Software Development Kit. Custom connections allow the Policy Server to interact with legacy directories. You configure a custom namespace on the User Directory pane.