SiteMinder supports user directories on the Microsoft Active Directory platform. Although the configuration for Active Directory (AD) and LDAP namespaces in the Administrative UI is very similar, there are several functional differences.
The advantages of using the LDAP namespace for an Active Directory user store include:
The disadvantages include:
The LDAP namespace does not support native Windows SASL, which allows native secure LDAP bind operations to support native Windows authentication methods such as Kerberos and NTLM.
Microsoft Active Directory uses a non-standard method for identifying object classes. Because of this, the objectClass attribute in Active Directory is not indexed by default. This can cause the Administrative UI to time out when it searches through an Active Directory LDAP implementation that includes large numbers of users or groups.
For SiteMinder to run efficiently with an Active Directory user directory, you must index the objectClass attribute in Active Directory. For more information, see your Active Directory documentation.
Microsoft Active Directory requires an SSL connection to change stored user passwords. For Password Services to work with Active Directory user directories, you must configure an SSL connection to any Active Directory LDAP user directory to which password policies will be applied.
Additionally, you must define a specific Password Attribute, unicodePWD, to enable Password Services to work with Active Directory user directories.
Note: For complete information about configuring Microsoft Active Directory, see your Active Directory documentation.
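The following Python example is added here for illustration and is not code from SiteMinder or CA. It shows the value format Active Directory expects when the unicodePWD attribute is written (the new password in double quotes, encoded as UTF-16LE) and rejects any directory URL that is not ldaps://. The function names, host name, DN and password are constructed for the example.

```python
import base64
from urllib.parse import urlparse

# Attribute name as spelled on this page; LDAP attribute names are case-insensitive.
PASSWORD_ATTRIBUTE = "unicodePWD"


def encode_unicode_pwd(password: str) -> bytes:
    """Return the value AD expects: the password in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def require_ssl(directory_url: str) -> None:
    """Reject directory URLs that are not LDAP over SSL (ldaps://)."""
    if urlparse(directory_url).scheme.lower() != "ldaps":
        raise ValueError(f"password change requires an ldaps:// URL, got {directory_url!r}")


def ldif_line(name: str, value: str) -> str:
    """Emit 'name: value', or base64 'name:: value' when the value is not LDIF-safe."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def password_change_ldif(directory_url: str, user_dn: str, new_password: str) -> str:
    """Build an LDIF modify record that replaces the password attribute."""
    require_ssl(directory_url)
    encoded = base64.b64encode(encode_unicode_pwd(new_password)).decode("ascii")
    return "\n".join([
        ldif_line("dn", user_dn),
        "changetype: modify",
        f"replace: {PASSWORD_ATTRIBUTE}",
        f"{PASSWORD_ATTRIBUTE}:: {encoded}",  # binary value, always base64
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    print(password_change_ldif("ldaps://dc01.example.com:636",
                               "CN=Test User,OU=Staff,DC=example,DC=com",
                               "N3w-Passw0rd!"))
```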
A SiteMinder Web Agent can run in a Windows user security context for accessing Web resources on IIS Web servers. Before SiteMinder can provide the Windows user security context, you must configure a session store and enable persistent sessions on a per-realm basis (see How SiteMinder Is Configured to Provide a Windows User Security Context). You must also enable this feature in the Credentials and Connection tab in the User Directory dialog.
Copyright © 2010 CA. All rights reserved.