All FPS settings appear in the APS configuration file after the keyword [FPS]:
Value: File Path
Default: off
Recommended: yes
Complexity Level: Basic
FPS can log all attempts, successful or failed, to an audit log. This log is written to a flat file in comma-delimited format (suitable for import into many database and spreadsheet applications).
The Audit Log setting specifies the location of this file.
There is no way to control the format or content of this log, nor is there provision for wrapping or deleting the file. If this setting does not appear in the configuration file, no audit log will be written. Please be sure that the user under which the SiteMinder Policy Server processes are running can create and write to this file.
This file is not terribly useful. A site should check its contents to determine if the information is worth keeping.
Audit Log=/usr/Netegrity/SiteMinder/Logs/FPS.log
Value: Server name or IP address for LDAP, DSN name for ODBC
Default: 127.0.0.1:389
Recommended: required
Complexity Level: Basic
The Directory keyword tells FPS which directories to search when FPS is invoked.
Each instance specifies one or more SiteMinder user directories.
After the list of directories, an optional condition can be defined that tells FPS when that particular set of directories should be searched. This condition is surrounded by square brackets ("[" and "]") and contains a partial URL (or stem) of the FORGOT stub. The stem must contain the port number, if other than 80, and cannot contain the "http:" or "https:" prefix. FPS takes the full URL of the FORGOT stub that invoked the process and, if the specified stem is contained entirely within that URL, uses that directory or set of directories.
If multiple lines exist with the Directory keyword and apply, all lines will be used.
If the same directory appears in more than one line, it will only be searched once.
Directories are specified as the IP address and port of one or more LDAP directory servers OR the DSN name of an ODBC directory.
If a nonstandard LDAP port (not 389) is used, it must be appended to each IP address in the list that it applies to, separated from the IP address by a colon.
Directory=127.0.0.1
Directory=DSN_NCA DSN_SCA [//www.acme-calif.com]
Directory=DSN_TX [//www.acme-texas.com]
If the user requesting FPS came in from www.acme-calif.com, FPS will search the local LDAP directory (127.0.0.1) and the ODBC directories with the DSNs DSN_NCA and DSN_SCA.
If the user arrived from www.acme-texas.com, then the LDAP directory and DSN_TX will be searched.
The directories will be searched in the order that they appear.
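As an added example (not CA's code and not part of this document), the following Python resolves a Directory list the way the rules above describe: an unconditional line always applies, a conditional line applies when its bracketed stem is contained in the scheme-less FORGOT stub URL, every applicable line is used in file order, and a directory that appears more than once is searched only once. The line parsing, the plain substring comparison and the heuristic that tells an LDAP host from an ODBC DSN are assumptions drawn from the prose; the [FPS] fragment is constructed, and the 10.0.0.5:1389 entry is made up to show a nonstandard port.

```python
"""Resolve which user directories FPS would search for a given FORGOT stub
URL, applying the Directory keyword rules: conditional stems are matched as
substrings of the scheme-less stub URL, all matching lines apply, order is
kept and duplicates are searched once.

Added example, not CA's code; details such as case handling are not
documented, so the matching below is an assumption.
"""
import re

# Constructed [FPS] fragment: the documented example plus a made-up LDAP
# server on a nonstandard port (10.0.0.5:1389) under a longer stem.
SAMPLE_FPS_SECTION = """
[FPS]
Audit Log=/usr/Netegrity/SiteMinder/Logs/FPS.log
Directory=127.0.0.1
Directory=DSN_NCA DSN_SCA [//www.acme-calif.com]
Directory=DSN_TX [//www.acme-texas.com]
Directory=10.0.0.5:1389 DSN_TX [//www.acme-texas.com:8080/forgot]
"""

_DIRECTORY_LINE = re.compile(
    r"^Directory=(?P<dirs>[^\[]*)(?:\[(?P<stem>[^\]]*)\])?\s*$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_directory_lines(section_text):
    """Return [(directories, stem), ...] in file order; stem is None when the
    line carries no bracketed condition."""
    rules = []
    for raw in section_text.splitlines():
        line = raw.strip()
        if not line.startswith("Directory="):
            continue
        match = _DIRECTORY_LINE.match(line)
        if match is None:
            raise ValueError("malformed Directory line: %r" % raw)
        dirs = match.group("dirs").split()
        if not dirs:
            raise ValueError("Directory line names no directories: %r" % raw)
        stem = match.group("stem")
        if stem is not None:
            stem = stem.strip()
            # A stem with a scheme prefix could never match; fail loudly
            # instead of silently leaving the directories unsearched.
            if stem.lower().startswith(("http:", "https:")):
                raise ValueError("stem must not include a scheme: %r" % stem)
        rules.append((dirs, stem))
    return rules


def strip_scheme(url):
    """FPS compares stems against the stub URL without its scheme, so
    'https://host:port/path' becomes '//host:port/path'."""
    lowered = url.lower()
    for prefix in ("http:", "https:"):
        if lowered.startswith(prefix):
            return url[len(prefix):]
    return url


def directories_for(stub_url, rules):
    """Ordered, de-duplicated directories for a request that arrived via
    stub_url. Matching is a plain substring test (assumption)."""
    target = strip_scheme(stub_url)
    chosen = []
    for dirs, stem in rules:
        if stem is None or stem in target:
            for entry in dirs:
                if entry not in chosen:
                    chosen.append(entry)
    return chosen


def classify(entry):
    """Split an entry into ('ldap', host, port) or ('odbc', dsn).
    Heuristic (assumption): IPv4 addresses and dotted host names are LDAP
    servers, anything else is an ODBC DSN name. The port defaults to 389."""
    host, sep, port = entry.partition(":")
    if _IPV4.match(host) or "." in host:
        return ("ldap", host, int(port) if sep else 389)
    return ("odbc", entry)


if __name__ == "__main__":
    rules = parse_directory_lines(SAMPLE_FPS_SECTION)
    for url in ("https://www.acme-calif.com/forgot.fcc",
                "http://www.acme-texas.com:8080/forgot",
                "https://www.example.org/forgot"):
        print(url, "->", [classify(e) for e in directories_for(url, rules)])
```

Running the block shows the third URL falling through to only the unconditional 127.0.0.1 line, which is worth checking in a real configuration: a stub URL that matches no stem silently narrows the search to whatever unconditional Directory lines exist.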
FPS looks into the list of User Directories stored in the SiteMinder Policy Store, looking for an entry that references the server identified by this setting. FPS will use the first entry that matches to obtain administrator credentials and the search base (for LDAP directories).
Some sites will define multiple User Directory entries that reference the same physical LDAP server, each User Directory defining a different search base (or, in rare situations, credentials). This can confuse FPS, causing it to read the wrong portion of these LDAP directories.
To get around this problem, a site should trick SiteMinder (and FPS) into thinking that the multiple User Directory entries are implemented on separate servers. This is easily done using the hosts file on the Policy Server (it can be done using DNS as well, though that is a little more complicated) to define multiple names for the same physical IP address. Each User Directory should then reference a different alias for the same physical LDAP server. In the APS.cfg file, this setting, Directory, can then uniquely identify the proper User Directories.
Value: Standard override expression
Recommended: If required
Complexity Level: Basic
The Allowed keyword defines which users in a directory are allowed to use FPS. If no Allowed keyword exists in this section, all users in the directory are allowed to use FPS. As soon as a single instance of this keyword exists, the default flips: only users explicitly granted the right by an Allowed expression can use FPS, and everyone else is denied.
The Allowed keyword may appear as many times as necessary.
Allowed=true
Copyright © 2014 CA.
All rights reserved.