Installation and Upgrade Guides › Directory Configuration Guide › CA LDAP Server for z/OS › How to Upgrade a 6.x Policy Store › SiteMinder Features Not Supported by CA LDAP Server for z/OS (RACF)

SiteMinder Features Not Supported by CA LDAP Server for z/OS (RACF)

CA LDAP Server for z/OS (RACF) does not support the following SiteMinder features:

Password Services

Password Services is not supported.

Anonymous Binds

When configuring a CA LDAP Server r15 for z/OS (RACF) as a user store, provide values for the Administrator Credentials in the Create User Directory page.

Characters Not Supported in User Names

The following characters are not supported in user names:

• space
• single quote
• opening parenthesis
• closing parenthesis
• comma
• backslash

User Groups and Policies

Adding a user group to a policy and attempting to authorize a user in that group fails.

LDAP Failover and Replication

LDAP Failover and Replication is not supported.

CA LDAP Server r15 for z/OS (ACF2) Backend Security Option

This section describes the settings that are required to configure the CA LDAP Server r15 for z/OS (ACF2) as a user store with the Policy Server.

Configure Policy Server Registry Entries for ACF2

The CA LDAP Server r15 for z/OS (ACF2) contains a different set of objectclasses than other LDAP servers. Before configuring a user directory connection from the Policy Server to the CA LDAP Server, add the ACF2 objectclasses to certain Policy Server registry entries in the LDAP namespace. Substitute the replacement values for the default values of the following Policy Server registry entries:

registry_entry_home

Specifies the following registry entry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds.

default_value

Specifies the default value of the registry entry.

replacement_value

Specifies a new value containing the ACF2 objectclasses for the registry entry.

• registry_entry_home\ClassFilters

  class_filters_default_value:

  organization,organizationalUnit,groupOfNames,groupOfUniqueNames,group

  class_filters_replacement_value:

  class_filters_default_value,*

• registry_entry_home\GroupClassFilters

  group_class_filters_default_value:

  groupOfNames,groupOfUniqueNames,group

  group_class_filters_replacement_value:

  group_class_filters_default_value,*

• registry_entry_home\PolicyClassFilters

  policy_class_filters_default_value:

  organizationalPerson,inetOrgPerson,organization,organizationalUnit,groupOfNames,groupOfUniqueNames,group

  policy_class_filters_replacement_value:

  policy_class_filters_default_value,*

• registry_entry_home\PolicyResolution

  Add the following ACF2 objectclasses to this registry entry:

• registry_entry_home\Debug

  In UNIX, add the following ACF2 objectclass to this registry entry:

Note: The value of this registry key can be changed based on the response time of the CA LDAP Server r15 for z/OS (ACF2).

Configure a Connection from the Policy Server to CA LDAP Server for z/OS

To configure a directory connection from the Policy Server to the CA LDAP Server for z/OS (RACF) or CA LDAP Server for z/OS (ACF2), open an existing user directory object in the Administrative UI.

Follow these steps:

1. Open the User Directory Dialog.
2. In Directory Setup, select LDAP as the namespace.
3. Enter the connection information for your LDAP directory.

   Note: For more information, see the topic LDAP Namespace Directory Setup Tab in the Policy Design Reference Guide.

   Note: Failover is not supported for this LDAP Server.

4. In the LDAP Search section, in the Max Time field, specify a value of 300 seconds.

   Note: A greater timeout value is required, because the Policy Server takes more time to retrieve data from this LDAP Server.

5. In Credentials and Connection, specify administrator credentials that the Policy Server uses to connect to this LDAP Server.

   Important! Specifying administrator credentials is mandatory as anonymous binds to the user store are not allowed with CA LDAP Server r15 for z/OS (RACF) and CA LDAP Server r15 for z/OS (ACF2).