

Configure LDAP Storage Options

Use the LDAP context-sensitive storage controls to point to an LDAP directory configured to be used as a policy store to hold policy information or to point to an LDAP directory configured to be used as a key store.

Note: Whenever you update parameters relating to an LDAP database, restart the Policy Server to make the new parameters effective.

Configure an LDAP Database

To configure an LDAP database

  1. Specify the Server name or IP address of the LDAP server in the LDAP IP Address field. For performance reasons, the IP address is preferred.

    Note: You can specify multiple servers in this field to allow for LDAP server failover.

  2. Specify the LDAP branch under which the SiteMinder schema is located in the Root DN field (for example, o=myorg.org).
  3. If your Policy Server communicates with the LDAP directory over SSL, select the Use SSL check box.

    Note: If you select this option, you must specify a certificate database in the Netscape Certificate Database File field.

  4. Specify the DN of the LDAP directory administrator (for example, cn=Directory Manager) in the Admin Username field.
  5. Enter the administrative password for the LDAP directory in the Admin Password field.
  6. Confirm the administrative password for the LDAP directory in the Confirm Password field.
  7. Click Test LDAP Connection to verify that the parameters you entered are correct and that the connection can be made.

Configure LDAP Failover

If you have multiple LDAP directories, you can configure them for failover. To enable failover, enter the LDAP server IP addresses and port numbers in the LDAP Server field as a space-delimited list. You can specify a unique port for each server. If your LDAP servers are running on a port other than the standard one (389 for non-SSL, 636 for SSL), append the port number to the server IP address using ':' as a delimiter. For example, if your servers are running on ports 511 and 512, you can enter the following:

123.123.12.11:511 123.123.12.22:512

If the LDAP server 123.123.12.11 on port 511 did not respond to a request, the request is automatically passed to 123.123.12.22 on port 512.

If all of your LDAP servers are running on the same port, you can append the port number to the last server in the sequence. For example, if all of your servers are running on port 511, you can enter the following:

123.123.12.11 123.123.12.22:511
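The following Python script is added here as an illustration and is not part of SiteMinder. It parses a server list written in the format described above (space-delimited entries, an optional ':port' per entry, and the shorthand of appending a single port to the last entry) and then walks the list in failover order. The availability map at the end is constructed for the example; a real deployment attempts the LDAP connection instead.

```python
"""Parse the Policy Server's space-delimited LDAP server list and walk it in
failover order. Added example; the responder map at the bottom is constructed,
not a live directory. Hosts are IPv4 addresses or host names."""

LDAP_PORT, LDAPS_PORT = 389, 636  # standard ports named in the text


def parse_ldap_servers(field, use_ssl=False):
    """Return [(host, port), ...] in the order the Policy Server tries them.

    Rules from the text: entries are separated by spaces; a ':port' suffix
    applies to its own entry; if only the last entry carries a port, that
    port applies to every entry; otherwise the standard port applies.
    """
    entries = field.split()
    if not entries:
        raise ValueError("empty LDAP server field")
    default_port = LDAPS_PORT if use_ssl else LDAP_PORT
    parsed = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if sep:
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                raise ValueError(f"bad port in {entry!r}")
            parsed.append((host, int(port)))
        else:
            parsed.append((entry, None))
    # Trailing-port shorthand: only the last entry carries a port.
    last_port = parsed[-1][1]
    if last_port is not None and all(p is None for _, p in parsed[:-1]):
        return [(h, last_port) for h, _ in parsed]
    return [(h, p if p is not None else default_port) for h, p in parsed]


def first_responding(servers, responds):
    """Return the first (host, port) for which responds(host, port) is True.

    `responds` stands in for the connection attempt: the Policy Server passes
    the request to the next server when the current one does not respond.
    """
    for host, port in servers:
        if responds(host, port):
            return (host, port)
    return None


# Constructed availability map using the example addresses from the text:
# the first server is down, the second answers.
UP = {("123.123.12.22", 512)}

if __name__ == "__main__":
    servers = parse_ldap_servers("123.123.12.11:511 123.123.12.22:512")
    print(servers)
    print(first_responding(servers, lambda h, p: (h, p) in UP))
    print(parse_ldap_servers("123.123.12.11 123.123.12.22:511"))
    print(parse_ldap_servers("ldap1.example ldap2.example", use_ssl=True))
```

The port check rejects a malformed entry before the list is saved, which is preferable to discovering the mistake only when the first failover occurs.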

Configure Enhanced LDAP Referral Handling

Enhancements have been made to SiteMinder’s LDAP referral handling to improve performance and redundancy. Previous versions of SiteMinder supported automatic LDAP referral handling through the LDAP SDK layer. When an LDAP referral occurred, the LDAP SDK layer handled the execution of the request on the referred server without any interaction with the Policy Server.

SiteMinder now includes support for non-automatic (enhanced) LDAP referral handling. With non-automatic referral handling, an LDAP referral is returned to the Policy Server rather than the LDAP SDK layer. The referral contains all of the information necessary to process the referral. The Policy Server can detect whether the LDAP directory specified in the referral is operational, and can terminate a request if the appropriate LDAP directory is not functioning. This feature addresses performance issues that arise when an LDAP referral to an offline system causes a constant increase in request latency. Such an increase can cause SiteMinder to become saturated with requests.

To configure LDAP referral handling

  1. Open the Policy Server Management Console.

    Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your SiteMinder component.

  2. Select the Data tab.
    Enable Enhanced Referrals

    Mark this check box to allow the Policy Server to use enhanced handling of LDAP referrals at the Policy Server, rather than leaving LDAP referral handling to the LDAP SDK layer.

    Max Referral Hops

    Indicates the maximum number of consecutive referrals that will be allowed while attempting to resolve the original request. Since a referral can point to a location that requires additional referrals, this limit is helpful when replication is misconfigured, causing referral loops.

  3. Modify the values as required.
  4. Restart the Policy Server.

Configure Support for Large LDAP Policy Stores

Large LDAP policy stores can cause Administrative UI performance issues.

To prevent these problems, you can modify the values of the following registry settings:

Max AdmComm Buffer Size

Specifies the Administrative UI buffer size (the maximum amount of data [bytes] that is passed from the Policy Server to the Administrative UI in one packet).

Configure this setting at the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServ\

We recommend using caution when setting this value. Allocation of a larger buffer decreases overall performance.

Range: 256 KB to 2,097,000 KB

Default: 256 KB (also applies when this registry setting does not exist).

SearchTimeout

Specifies the search timeout, in seconds, for LDAP policy stores.

Configure this setting at the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore\SearchTimeout

Factors that influence the appropriate value for this setting include (but are not limited to) the following:

The value must be large enough to prevent LDAP timeouts when fetching large amounts of policy store data.

Limit: Use hexadecimal numbers.

Default: 0x14 (20 seconds). This value is also used when the registry setting does not exist.

Example: 0x78 (120 seconds)

More information:

Configure the Policy Store Database

Configure a Separate Database for the Key Store

Configure ODBC Storage Options

Use the ODBC context-sensitive storage controls to configure an ODBC data source for:

Note: For more information about configuring ODBC data sources, see the Policy Server Installation Guide.

Configure an ODBC Data Source

To configure an ODBC data source

  1. Specify the name of the ODBC data source in the Data Source Information field. You can enter multiple names in this field to enable ODBC failover.
    Data Source Information

    Indicates the name of the ODBC data source. You can enter multiple names in this field to enable failover.

    User Name

    Indicates the user name of the database account (if required) with full rights to access the database.

    Password

    Contains the password of the database account.

    Confirm Password

    Contains a duplicate of the database account password, for verification.

    Maximum Connections

    Indicates the maximum number of ODBC connections per database allowed at one time.

  2. Click Test ODBC Connection to verify that the parameters you entered are correct and that the connection can be made.

Configure ODBC Failover

If you have multiple ODBC data sources and you want to configure failover, list the data source names in the Data Source Information field, separated by commas. For example, entering SiteMinder Data Source1,SiteMinder Data Source2 causes the Policy Server to look at SiteMinder Data Source1 first. If SiteMinder Data Source1 does not respond, the Policy Server automatically looks for SiteMinder Data Source2.

Note: Using the method described above, you can configure failover for data sources used as policy stores, key stores, session stores, and audit logs.

Configure Limit to Number of Records Returned by a SQL Query

SQL queries that return large numbers of records can cause the Policy Server to hang or crash. To manage this outcome, you can output a warning message to the SMPS logs when the number of records returned exceeds a maximum value that you specify.

To configure the maximum, add the registry key, MaxResults, and set its value to one or more. When the number of records returned by a query equals or exceeds the limit specified by MaxResults, the Policy Server outputs a warning to the SMPS logs. When MaxResults is set to zero or undefined, no warning messages are output.

Adding the registry key, MaxResults, does not change the number of records returned. Adding the key does warn you when the number of results exceeds a limit that you set. You can use this feedback to modify your SQL queries and fine-tune the number of records returned, as needed.

To configure a limit to the number of records returned by a SQL query

  1. Manually add the registry key MaxResults:

    Windows

    Add the registry key MaxResults to the following location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\ODBCProvider


    Solaris

    Add the following lines to the sm.registry file:

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\ODBCProvider=35921
    MaxResults=0x1; REG_DWORD

  2. Assign MaxResults a value greater than or equal to one.

Configure ODBC Registry Settings for Timeout

The following parameters control timeouts for the connection between an ODBC database and the Policy Server in various situations. On Windows and UNIX, the key is available at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database

"LoginTimeout"

The time that is allowed to connect to the database.

"QueryTimeout"

Allows 30 seconds for the query to complete. When the query does not complete within this time, a cancel request is sent to the database. For an ODBC user directory, the query timeout is overridden with the user directory object Searchtimeout. You set this value using XPSExplorer.

"ConnectionHangWaitTime"

The number of seconds before the Policy Server marks a connection as hung. This value must be larger than twice the value of QueryTimeout or SearchTimeout.

"ConnectionTimeout"

The maximum wait time on a connection. In cases where the query timeout or the log-in timeout apply, those values override the connection timeout.

Configure Text File Storage Options

Use the Text File storage options to configure a text file to store the Policy Store audit logs.

To specify a text file, type the full path of a file in the File name field, or click the Browse button, browse to the required directory, and select or type the name of the desired file.

Audit Data Import Tool for ODBC

The Policy Server can store audit data in an ODBC database or output audit data to a text file. The smauditimport tool reads a SiteMinder audit data text file and imports the data into an ODBC database that has been configured as an audit store using the 5.x or 6.x schema.

The smauditimport tool imports authentication, authorization, and admin data into the corresponding tables in the ODBC database. The tool logs the number of rows successfully imported into the ODBC database. For each row that cannot be imported into the ODBC database, the tool logs the row number.

Any '[', ']', or '\' character that appears in a field taken from the policy or user store must be preceded by the escape character '\' (backslash). These characters appear when they have been used in fields such as user names and realm names.

Set the following registry value to escape these characters automatically:

[HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LogConfig]
Value Type: DWORD VALUE
Value Name: EscapeAuditFields
Value Data: 1

When Value Data is set to 0, or if the key does not exist, there is no escaping, and the operation fails.
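The following Python script is an added example and is not CA code. It implements the escaping rule stated above (each '[', ']' or '\' is preceded by a backslash), the matching unescape, and a small record splitter that shows why an unescaped ']' makes an import row fail. The bracket-delimited record layout used by split_record is an assumption made for illustration only, not the documented audit file format.

```python
"""Escape and unescape the characters smauditimport needs escaped.
Added example: the escaping rule is the one stated in the text; the
'[field][field]...' record layout in split_record is an assumption for
illustration, not the documented audit file format."""

SPECIAL = set("[]\\")  # the three characters the text says must be escaped


def escape_audit_field(value):
    """Prefix every '[', ']' or '\\' with a backslash (what EscapeAuditFields=1 does)."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def unescape_audit_field(value):
    """Reverse escape_audit_field; raise on a backslash that escapes nothing."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if i + 1 >= len(value) or value[i + 1] not in SPECIAL:
                raise ValueError(f"unescaped backslash at offset {i} in {value!r}")
            out.append(value[i + 1])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def split_record(line):
    """Split an assumed '[field][field]...' record into unescaped fields.

    Demonstrates the failure mode: an unescaped ']' closes the field early
    and the leftover text is rejected, so the row cannot be imported.
    """
    fields, buf, inside, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if inside and ch == "\\":
            if i + 1 >= len(line) or line[i + 1] not in SPECIAL:
                raise ValueError(f"bad escape at offset {i}")
            buf.append(line[i + 1])
            i += 2
            continue
        if not inside:
            if ch == "[":
                inside = True
            elif not ch.isspace():
                raise ValueError(f"unexpected {ch!r} outside a field at offset {i}")
        elif ch == "]":
            fields.append("".join(buf))
            buf, inside = [], False
        else:
            buf.append(ch)
        i += 1
    if inside:
        raise ValueError("unterminated field")
    return fields


if __name__ == "__main__":
    # Constructed values: a domain-qualified user name and a realm name with brackets.
    user, realm = "CORP\\alice", "realm [prod]"
    record = "[" + escape_audit_field(user) + "][" + escape_audit_field(realm) + "]"
    print(record)
    print(split_record(record))
    try:
        split_record("[" + realm + "]")  # unescaped, as with EscapeAuditFields=0
    except ValueError as exc:
        print("import row rejected:", exc)
```

Run the script to see an escaped record round-trip cleanly and the same realm name, written without escaping, rejected at the stray ']'.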

Note: In some SiteMinder documentation, the terms audit and logging are used interchangeably.

Log More Audit Data to a Text File

By default, the Policy Server logs less audit data to a text file than to an ODBC database. You can log more audit data to a text file than the default and bring the amount of data in line with an ODBC database. To do so, manually add the following registry key and set its value to one: "Enable Enhance Tracing". To disable "Enable Enhance Tracing", set its value to zero (the default).

To log more audit data to a text file

  1. Manually add the registry key "Enable Enhance Tracing":

    Windows

    Add the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports
    Value Name: "Enable Enhance Tracing"
    Value Type: DWORD


    Solaris

    Follow these steps:

    1. Open the file: .../siteminder/registry/sm.registry.
    2. Locate the line:
      HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports=25089

    3. Below the line, add the following:
      "Enable Enhance Tracing"=0x1; REG_DWORD

    4. Save and close the file.
  2. Set "Enable Enhance Tracing" to one.

Note: The value of "Enable Enhance Tracing" does not affect logging of Entitlement Management Services (EMS) events.
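As an added example (not CA tooling), the following Python script reads an sm.registry fragment written in the style of the lines quoted in this section and in the earlier MaxResults section, inserts a DWORD value directly below a key line as the Solaris steps describe, and checks the rules the ODBC sections state: MaxResults produces warnings only when set to one or more, and ConnectionHangWaitTime must exceed twice QueryTimeout or SearchTimeout (SearchTimeout defaulting to 0x14 when absent). The line grammar is inferred from the quoted lines rather than taken from a published specification, and the sample file and its key ids other than 35921 and 25089 are constructed.

```python
"""Read a SiteMinder-style sm.registry fragment and check the documented
settings. Added example: the line grammar (key lines 'HKEY_LOCAL_MACHINE\\...\\Key=<id>',
value lines 'Name=0x1; REG_DWORD') is inferred from the lines quoted on the
page; the sample below is constructed."""
import re

CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion"
ODBC_KEY = CV + r"\Ds\ODBCProvider"
DATABASE_KEY = CV + r"\Database"
LDAP_KEY = CV + r"\LdapPolicyStore"
REPORTS_KEY = CV + r"\Reports"

# Constructed sample. The ids 35921 and 25089 are those shown on the page;
# 99999 is a placeholder. ConnectionHangWaitTime is deliberately too small.
SAMPLE_REGISTRY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\ODBCProvider=35921
MaxResults=0x0; REG_DWORD
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database=99999
LoginTimeout=0xf; REG_DWORD
QueryTimeout=0x1e; REG_DWORD
ConnectionHangWaitTime=0x32; REG_DWORD
ConnectionTimeout=0x3c; REG_DWORD
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports=25089
"""

KEY_RE = re.compile(r"^(HKEY_LOCAL_MACHINE\\[^=]+)=(\d+)$")
DWORD_RE = re.compile(r'^"?([^"=]+)"?=(0x[0-9A-Fa-f]+|\d+);\s*REG_DWORD$')


def _to_int(raw):
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)


def parse_registry(text):
    """Return {key_path: {value_name: int}} for the REG_DWORD values found."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = DWORD_RE.match(line)
        if val and current is not None:
            keys[current][val.group(1)] = _to_int(val.group(2))
    return keys


def add_dword(text, key_path, name, value):
    """Insert 'name=0x..; REG_DWORD' directly below the key line (the Solaris steps)."""
    out, inserted = [], False
    for line in text.splitlines():
        out.append(line)
        key = KEY_RE.match(line.strip())
        if not inserted and key and key.group(1) == key_path:
            quoted = f'"{name}"' if " " in name else name  # names with spaces are quoted
            out.append(f"{quoted}={value:#x}; REG_DWORD")
            inserted = True
    if not inserted:
        raise KeyError(f"key line not found: {key_path}")
    return "\n".join(out) + "\n"


def should_warn(row_count, max_results):
    """MaxResults rule: warn only when the limit is >= 1 and the row count reaches it."""
    return max_results >= 1 and row_count >= max_results


def check_settings(keys):
    """Return findings for the constraints stated in the text."""
    findings = []
    db = keys.get(DATABASE_KEY, {})
    hang = db.get("ConnectionHangWaitTime")
    search = keys.get(LDAP_KEY, {}).get("SearchTimeout", 0x14)  # 20 s default
    for label, timeout in (("QueryTimeout", db.get("QueryTimeout")), ("SearchTimeout", search)):
        if hang is not None and timeout is not None and hang <= 2 * timeout:
            findings.append(f"ConnectionHangWaitTime ({hang}s) must exceed twice {label} ({timeout}s)")
    if keys.get(ODBC_KEY, {}).get("MaxResults", 0) == 0:
        findings.append("MaxResults is 0 or absent: no large-result warnings will be logged")
    return findings


if __name__ == "__main__":
    keys = parse_registry(SAMPLE_REGISTRY)
    for finding in check_settings(keys):
        print("finding:", finding)
    print(add_dword(SAMPLE_REGISTRY, REPORTS_KEY, "Enable Enhance Tracing", 1))
```

Because the parser only records REG_DWORD values, a line it does not understand is left out of the result rather than misread; extend DWORD_RE if your sm.registry carries other value types you want checked.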

Audit Data Import Prerequisites for ODBC

Before you run the tool smauditimport, verify that the following prerequisites have been satisfied: