

LanMan User Directories

This section contains the following topics:

About LanMan User Directories

LanMan Directory Connection Prerequisites

Configure a LanMan Directory Connection

Failover for Windows User Directories

LanMan User Directory Search Criteria

About LanMan User Directories

In a Windows environment, the Policy Server enumerates and manages the resources in a directory service through the Microsoft Active Directory Service Interface (ADSI) layer. This layer abstracts the capabilities of directory services from different network providers in a distributed computing environment. However, the current version of ADSI has its own limitations which can adversely affect the performance of the Policy Server.

With ADSI, every Windows directory request must always pass through the Primary Domain Controller (PDC) first. This compounds the network traffic that the PDC must handle. A custom solution to this dilemma is for the Policy Server to channel Windows directory requests to Backup Domain Controllers (BDCs) while bypassing the PDC. The Policy Server handles this sort of custom solution by using LanMan directory connections.

The LanMan user directory connection option allows you to specify a failover list of BDCs used for each user directory lookup in the Windows Registry. Using a LanMan directory connection, the Policy Server sends Windows directory requests to the first active BDC in the Registry list, rather than forcing requests to pass through the PDC.

LanMan Directory Connection Prerequisites

The following conditions must be met before the Policy Server can use a LanMan directory connection to access user data in a Windows directory:

More information:

Configure a LanMan Directory Connection

Configure a LanMan Directory Connection

You can configure a LanMan user directory. The following process lists the steps for creating a user directory connection to the Policy Server.

  1. Configure Registry Keys for a LanMan Directory Connection
  2. Configure a LanMan User Directory Connection

Configure Registry Keys for a LanMan Directory Connection

The first procedure in configuring a LanMan directory connection is configuring the appropriate registry keys.

Follow these steps:

  1. Select Run from the Windows Start menu.

    The Run dialog opens.

  2. Enter regedit, and click OK.

    The Registry Editor opens.

  3. Modify the following registry key:
  4. Create the following registry key:

    \HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds\Lanman_DC

  5. Create a registry key of the NT Domain Name under the Lanman_DC key:

    \HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds\Lanman_DC\<NT_domain_name>

    For example:

    \HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds\Lanman_DC\MyDomain

  6. Create a registry value named NumUserDir of type DWORD under the newly created NT Domain key. For the value data, enter the actual number of separate sets of user directories (maximum 16) in this NT domain.
  7. Create String registry values of UserDir0, UserDir1, …, UserDirN, in sequential order starting from 0, for each failover list of BDCs.
  8. Enter a comma-delimited string of BDC names for each failover list. SmDsLanman reads these lists and uses the first active BDC in each failover list to look up NT users and groups.
  9. Repeat steps 5 through 7 for other NT domains.
  10. Restart the Policy Server services.

Configure a LanMan User Directory Connection
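The registry layout the steps above describe (a Lanman_DC key, one subkey per NT domain, a NumUserDir DWORD and sequentially numbered UserDirN string values holding comma-delimited BDC lists) is easy to get subtly wrong by hand: a skipped index or a NumUserDir that does not match the number of UserDirN values leaves the Policy Server reading an incomplete failover list. The following PowerShell script is an added example, not code from the CA SiteMinder documentation or product: it writes the keys from a hashtable while enforcing the documented limits, then reads the domain key back and checks for gaps so the failover order can be reviewed before the Policy Server services are restarted. The domain name and BDC host names in `$Domains` are constructed placeholders; run it in an elevated session on the Policy Server host.

```powershell
# Added example (not part of the CA SiteMinder documentation): builds the
# Lanman_DC registry layout from a hashtable, validating the documented limits,
# and reads it back so the resulting failover order can be verified.
# Requires an elevated PowerShell session. $Domains holds constructed sample
# values; the BDC host names are placeholders.

$LanmanRoot = 'HKLM:\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds\Lanman_DC'

# Constructed sample: one entry per NT domain. Each entry is an ordered set of
# failover lists; within a list, the first BDC that responds is used.
$Domains = @{
    'MyDomain' = @(
        @('bdc01.example.test', 'bdc02.example.test'),   # becomes UserDir0
        @('bdc03.example.test', 'bdc04.example.test')    # becomes UserDir1
    )
}

function Set-LanmanDomainKeys {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][object[]]$FailoverLists
    )
    # NumUserDir counts the separate sets of user directories; the documented maximum is 16.
    if ($FailoverLists.Count -lt 1 -or $FailoverLists.Count -gt 16) {
        throw "NumUserDir must be between 1 and 16 for domain '$DomainName'"
    }
    $domainKey = Join-Path $LanmanRoot $DomainName
    if (-not (Test-Path $LanmanRoot)) { New-Item -Path $LanmanRoot -Force | Out-Null }
    if (-not (Test-Path $domainKey)) { New-Item -Path $domainKey -Force | Out-Null }

    New-ItemProperty -Path $domainKey -Name 'NumUserDir' -PropertyType DWord `
        -Value $FailoverLists.Count -Force | Out-Null

    # UserDir0..UserDirN are REG_SZ values numbered sequentially from 0; each holds
    # a comma-delimited failover list of BDC names.
    for ($i = 0; $i -lt $FailoverLists.Count; $i++) {
        $hosts = @($FailoverLists[$i]) | ForEach-Object { "$_".Trim() } | Where-Object { $_ }
        if (-not $hosts) { throw "UserDir$i for '$DomainName' contains no BDC names" }
        New-ItemProperty -Path $domainKey -Name "UserDir$i" -PropertyType String `
            -Value ($hosts -join ',') -Force | Out-Null
    }
}

function Get-LanmanFailoverOrder {
    # Reads a domain key back and verifies that UserDir0..UserDir(NumUserDir-1)
    # all exist and are non-empty, returning the ordered BDC lists as written.
    param([Parameter(Mandatory)][string]$DomainName)
    $domainKey = Join-Path $LanmanRoot $DomainName
    $props = Get-ItemProperty -Path $domainKey
    $count = [int]$props.NumUserDir
    if ($count -lt 1 -or $count -gt 16) {
        throw "NumUserDir=$count under $domainKey is outside the supported range 1..16"
    }
    $lists = @()
    for ($i = 0; $i -lt $count; $i++) {
        $value = $props."UserDir$i"
        if ([string]::IsNullOrWhiteSpace($value)) {
            throw "UserDir$i is missing or empty under $domainKey (NumUserDir=$count)"
        }
        $lists += ,@($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return $lists
}

foreach ($name in $Domains.Keys) {
    Set-LanmanDomainKeys -DomainName $name -FailoverLists $Domains[$name]
    $order = Get-LanmanFailoverOrder -DomainName $name
    for ($i = 0; $i -lt $order.Count; $i++) {
        # Arrow order is the order in which BDCs are tried within that list.
        Write-Host ("{0} UserDir{1}: {2}" -f $name, $i, ($order[$i] -join ' -> '))
    }
}
```

The script writes only to the 32-bit (Wow6432Node) view of the hive, matching the path the procedure gives; if a domain needs a single failover list, pass it with a leading comma (`,@('bdc01.example.test')`) so PowerShell keeps it as one nested list rather than flattening it into individual host names. After the keys are in place, the Policy Server services still need to be restarted as in step 10 for the change to take effect.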

You can configure a user directory connection that lets the Policy Server communicate with a LanMan Directory user store.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To configure a LanMan user directory connection

  1. Click Infrastructure, Directory.
  2. Click User Directories.

    The User Directories page appears.

  3. Click Create User Directory.

    The Create User Directory page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  4. Type the name and a description of the user directory.
  5. Select LanMan from the Namespace list.

    LanMan settings open.

  6. Type the name of the NT Domain that you configured in the registry keys in the Domain Controller Key field.
  7. Click Submit.

    The Create User Directory task is submitted for processing.

More information:

User Directories

Configure Registry Keys for a LanMan Directory Connection

Failover for Windows User Directories

The registry keys you create for the LanMan user directory connection determine failover order: within each UserDirN value, the Policy Server tries the BDCs in the order they are listed and uses the first active one.

LanMan User Directory Search Criteria

LanMan directory connections are a type of Windows user directory connection. A LanMan directory connection functions similarly to a regular Windows connection, with the exception of which actual Domain Controller handles requests. This does not affect the procedure for executing a user directory search.

More information:

Search User Directories