Range: n/a
Default: off
Recommended: Yes
Complexity Level: Basic
If this keyword appears, then tracing is turned on within APS. Traces appear in the Policy Server console log. To turn tracing off, comment out or delete this keyword from the file. This affects tracing of authentication and authorization time processing only. To enable tracing for FPS and SmCPW, use the Trace keyword in the SmPortal.cfg file.
This keyword cannot be overridden per user.
Example:
Trace
Range: 0-300
Default: 0
Recommended: No
Complexity Level: Advanced
This setting controls how long to wait for a User Directory to respond to a call. This value is for each call, not overall time. If this time limit is exceeded for a single call, a timeout error will result.
The default is zero (no limit or limit enforced by driver). In general, this setting should be used only with great care, since it may cause timeout failures.
This setting is specified in seconds. The maximum is 300 (5 minutes), but should never be used, since a browser session will time out long before the interaction with the directory server.
If an override is required, it must be a restricted override. That is, it can reference the Directory, but not the user.
This setting is supported for ODBC and LDAP directories only. It does affect LDAP Writeback connections.
Example:
Timeout=30
Range: 10-1000
Default: 100
Recommended: No
Complexity Level: Advanced
This setting controls how long to sleep between checks to see if an ODBC User Directory call has completed. Lower numbers indicate that the driver should be checked more frequently. This may improve response time for the current user, but will increase overall CPU utilization. Higher numbers will decrease user responsiveness, but will use less CPU.
This setting is specified in thousandths of a second. The minimum value is 10 milliseconds (1/100 second) and the maximum is 1000 milliseconds (1 second). Default is 100 milliseconds (1/10 second).
If an override is required, it must be a restricted override. That is, it can reference the Directory, but not the user.
This setting is supported only for ODBC directories. LDAP directories support the Timeout keyword only.
Example:
Poll=500
The write back settings indicate where APS should write back information when writing to the LDAP directory. This is used primarily for when SiteMinder is reading from a replicant (consumer) and APS must write back to a master (producer). Instead of attempting the write to the (by definition: read-only) replicant, which will always fail, APS will always write to the Write Back server instead (it will still read from the replicant).
If you know that you are going to be doing referrals on writebacks (if SiteMinder reads from a replicant), use these settings.
Whenever APS needs to write information to an LDAP Directory, it looks for a writeback setting for the current user. If one exists, APS will perform the write to the writeback server instead of to the original server. When the LDAP Directory is configured as a Producer/Consumer (rather than Primary/Backup), this is much more efficient than writing back to the consumer, failing, then referring the write to the producer.
All write backsettings can be overridden. It is not necessary to use the IsLDAP() function with these overrides, since they will only ever be used for LDAP User Directories.
Be careful when using overrides with these settings, since they each override separately. Make sure that there are no "overlaps" in the overrides, where one setting is overridden separately from the others.
When SiteMinder supports referrals in all cases, these keywords will technically no longer be needed; however, they may still be desirable, since performance may be greatly enhanced (since APS will apply changes directly to the master, rather than "bouncing" all writes off of the replicant).
A list of writable servers can be provided, separated with a space. APS will treat the list as a list of LDAP servers for fail over purposes. All must be writable. In this way, APS supports multi-mastering.
It may be desirabled to load-balance APS writes across multiple masters. APS will not do this automatically, but sites may do it in either of two ways. Note that both methods provide the same level of fault tolerance.
Range: n/a
Default: none
Recommended: no
Complexity Level: Advanced
This setting controls the server to which writebacks will be directed. It can be overridden. To use writebacks, both the Server and a Password must be specified (the DN is not required because it has a default).
LDAP Writeback Server=127.0.0.1
LDAP Writeback Server={IsAt("o=security.com"} 10.24.86.177
Range: n/a
Default: cn=Directory Manager
Recommended: cn=Directory Manager
Complexity Level: Advanced
This is the Distinguished Name (DN) of the administrator account to use to log into the writeback server. It is not required to use writebacks, since there is a default.
LDAP Writeback DN=cn=Directory Manager
LDAP Writeback DN={IsAt("o=security.com"}uid=Admin, o= security.com
Range: n/a
Default: none
Recommended: no
Complexity Level: Advanced
This is the password to use for binding to the writeback server. If both this setting and a server are supplied, it indicates that writebacks should be used, even if the Writeback DN (above) is not supplied.
The writeback Password can be supplied either in clear text or encrypted. To encrypt the password, use the APSEncrypt utility.
LDAP Writeback Password=[NDSEnc-A]68SExOCvk(MrHfSSY) cuDHfuyG2
LDAP Writeback Password={IsAt("o=security.com"}password
Range: n/a
Default: no
Recommended: if needed
Complexity Level: Advanced
If writebacks are used, this setting tells APS that LDAPS (LDAP over SSL) should be used for the writeback connection.
LDAP Writeback Use SSL=true
Range: n/a
Default: Search Base defined in SiteMinder User Directory
Recommended: no
Complexity Level: Advanced
By default, APS will search for and create (if necessary) disabled groups in the root of the user account's directory. If APS will not have rights to this location, the root is not identified by o=xxx, or your site wishes these groups to appear elsewhere in the directory tree, you can specify their exact location using this keyword. Note that this is the location, not the names of the groups themselves.
This affects only where such groups are created, not where they are searched for. APS will always search the entire search base as defined in the SiteMinder User Directory entry.
This setting can be overridden, but the IsLDAP function is not required, since the setting will only be used for LDAP User Directories.
APS does not create groups for ODBC directories, so this setting does not apply to them.
LDAP Disabled Groups=ou=Groups,o=nds.com
Range: n/a
Default: audio
Recommended: audio
Complexity Level: Advanced (upgraded sites only)
Prior to APS Version 3.0, APS maintained user information for LDAP users in an attribute called the APS Blob. This keyword allowed the site to specify the attribute in which to store this information. However, at Version 3.0, the APS blob no longer exists.
This keyword exists only for backwards compatibility. Users converting from pre-version-3.0 APS should contact CA for the proper data conversion tool.
If this site did not upgrade from a prior version of APS or it is no longer maintaining old Blob information, then this keyword is not needed and should not be specified.
Range: n/a
Default: off
Recommended: off
Complexity Level: Advanced
This keyword will cause APS to check for the existence of an LDAP password before expiring it or requiring it to be changed. It should be used at sites where some users will be accessing the system using authentication schemes that do not use passwords (and thus the user record may or may not actually have a password).
Note that this was a new feature at version 2.0 and requires that the Directory Manager credentials be entered into the SiteMinder policy GUI for each LDAP directory (it only impacts LDAP User Directories). It may also impact performance.
This functionality requires that the existing password be readable from the directory (at least the encrypted/hashed value). For iPlanet Directories, this requires that the administrator be cn=Directory Manager. Other implementations of LDAP servers may have different requirements. Some implemented, most notably Microsoft Active Directory, do not allow this information to be read in any case and thus this functionality is not supported in those environments.
Check LDAP Password Existence
Range: n/a
Default: userPassword
Recommended: no
Complexity Level: Advanced (Deprecated)
This keyword causes APS to use an attribute other than userPassword as the password attribute within an LDAP directory. The standard LDAP schemas use userPassword; however, some may use a different attribute. Use this keyword to specify a different attribute.
This setting may be overridden (but that would be unusual).
At APS Version 4.0, this setting is deprecated (a warning will be output to the log, if the keyword is encountered). If something other than userPassword should be used, specify it in the new Mappings section.
LDAP Password Attribute=userPassword
Range: n/a
Default: off
Recommended: true
Complexity Level: Advanced
If this setting is enabled, when APS disables an LDAP user account (it only applies to LDAP User Directories), it will NOT put the user account into a Disabled group. Instead, it will set the Disable Until date to FOREVER, effectively disabling the user account forever.
This feature was new at APS Version 3.0. It provides a considerable performance improvement for very large sites, in that large groups are not used for disabling user accounts. However, it is a change to existing functionality and may impact user administration tools (the tools used to reset the user).
In addition, if this setting is enabled, a user account can only be disabled for a single reason at a time. This may impact how some of the security policies at your site are to be architected.
ODBC User Directories always use internal disables (Disabled groups are honored, but APS will never create one or put a user account into one).
Use Internal Disables
Range: n/a
Default: off
Recommended: no
Complexity Level: Advanced
APS functionality is accessed in many ways. For the two secured client mechanisms (Change Password Interface and Help Desk Interface), access is controlled by SiteMinder Policies. FPS is configured separately to allow or disallow access for particular users. The APSAPI is accessed by the applications that call it and thus access can be controlled using any of a variety of methods.
However, APS is involved with all SiteMinder authentications. SiteMinder calls APS, regardless of User Directory or the success or failure of an authentication.
The Ignore keyword can be used to tell APS when to ignore a user during the authentication process. While this is rarely used, it does have a purpose. For example, when rolling out a new User Directory, it can be desirable to ignore all of the users in that new directory until the schema is set up and the users are initialized.
The value of this setting is either true or false. However, this setting is almost always overridden, defining the user cases where the user should be ignored.
Ignore={IsODBC()} true
Range: n/a
Default: off
Recommended: no
Complexity Level: Advanced
APS has a wealth of mechanisms for enabling/disabling user accounts, but they are mostly geared for APS' own use. Sometimes (especially in legacy directories), other mechanisms are used to disable accounts.
This setting allows sites to specify other conditions under which APS is to consider that an account is disabled. The override of the setting specifies the condition; the value of the setting is used as the "Disabled Reason" passing such codes to redirects or email.
APS will never actually disable an account with this mechanism. However, if the override is true for a particular account, that user will not be allowed to log into the system.
Disable={employeeStatus="Terminated"} Term
Disable={customerStatus="IN LEGAL"} Litigation
|
Copyright © 2014 CA.
All rights reserved.
|
|