

Specify the SiteMinder Schema Files

Specifying the schema files in the include section of the slapd configuration file (slapd.conf) ensures that the slapd process (the LDAP Directory Server daemon) reads the additional configuration information. The included files must follow the correct slapd configuration file format.

To specify the schema files

  1. Copy the following schema files to the schema folder in the OpenLDAP installation directory:
    siteminder_home

    Specifies the Policy Server installation path.

  2. Type the following in the include section of the slapd configuration file:
    ....
    .....
    include /usr/local/etc/openldap/schema/openldap_attribute.schema
    include /usr/local/etc/openldap/schema/openldap_object.schema
    include /usr/local/etc/openldap/schema/openldap_attribute_XPS.schema
    include /usr/local/etc/openldap/schema/openldap_object_XPS.schema
    

    Note: This procedure assumes that the OpenLDAP server is located at /usr/local/etc/openldap and that the schema files are located in the schema subdirectory.

    The policy store schema is created for r12.0 SP3.

Specify Policy Store Indexing

Specify indexing in the slapd.conf file to use OpenLDAP as a policy store.

Follow these steps:

  1. Stop the slapd instance.
  2. Open the slapd.conf file with a text editor.
  3. Locate the following lines:
    # Indices to maintain
    index   objectClass     eq
    
  4. Insert a new line in the file, and then add the following lines:
    index smAdminOID4 pres,eq
    index smAuthDirOID4 pres,eq
    index smAzDirOID4 pres,eq
    index smcertmapOID4 pres,eq
    index smIsRadius4 pres,eq
    index smIsAffiliate4 pres,eq
    index smParentRealmOID4 pres,eq
    index smPasswordPolicyOID4 pres,eq
    index smAgentGroupOID4 pres,eq
    index smKeyManagementOID4 pres,eq
    index smAgentOID4 pres,eq
    index smAgentKeyOID4 pres,eq
    index smRootConfigOID4 pres,eq
    index smAGAgents4 pres,eq
    index smDomainAdminOIDs4 pres,eq
    index smDomainOID4 pres,eq
    index smvariableoid5 pres,eq
    index smNestedVariableOIDs5 pres,eq
    index smvariabletypeoid5 pres,eq
    index smActiveExprOID5 pres,eq
    index smDomainUDs4 pres,eq
    index smVariableOIDs5 pres,eq
    index smusractiveexproid5 pres,eq
    index smPropertyOID5 pres,eq
    index smPropertySectionOID5 pres,eq
    index smPropertyCollectionOID5 pres,eq
    index smFilterClass4 pres,eq
    index smTaggedStringOID5 pres,eq
    index smNoMatch5 pres,eq
    index smTrustedHostOID5 pres,eq
    index smIs4xTrustedHost5 pres,eq
    index smDomainMode5 pres,eq
    # index smImsEnvironmentOIDs5 pres,eq
    index smSecretRolloverEnabled6 pres,eq
    index smSecretGenTime6 pres,eq
    index smSecretUsedTime6 pres,eq
    index smSharedSecretPolicyOID6 pres,eq
    index smFilterPath4 pres,eq
    index smPolicyLinkOID4 pres,eq
    index smIPAddress4 pres,eq
    index smRealmOID4 pres,eq
    index smSelfRegOID4 pres,eq
    index smAzUserDirOID4 pres,eq
    index smResourceType4  pres,eq
    index smResponseAttrOID4 pres,eq
    index smResponseGroupOID4  pres,eq
    index smResponseOID4     pres,eq
    index smRGResponses4 pres,eq
    index smRGRules4     pres,eq
    index smRuleGroupOID4 pres,eq
    index smRuleOID4   pres,eq
    index smSchemeOID4 pres,eq
    index smisTemplate4  pres,eq
    index smisUsedbyAdmin4 pres,eq
    index smSchemeType4   pres,eq
    index smUserDirectoryOID4 pres,eq
    index smODBCQueryOID4 pres,eq
    index smUserPolicyOID4 pres,eq
    index smAgentTypeAttrOID4 pres,eq
    index smAgentTypeOID4 pres,eq
    index smAgentTyperfcid4 pres,eq
    index smAgentTypeType4 pres,eq
    index smAgentCommandOID4 pres,eq
    index smTimeStamp4     pres,eq
    index smServerCommandOID4 pres,eq
    index smAuthAzMapOID4 pres,eq
    index xpsParameter pres,eq
    index xpsValue  pres,eq
    index xpsNumber pres,eq
    index xpsCategory pres,eq
    index xpsGUID pres,eq
    index xpsSortKey pres,eq
    index xpsIndexedObject pres,eq
    
  5. Save the file and close the text editor.
  6. Run the following command:
    slapindex -f slapd.conf
    
  7. Restart the slapd instance.

    The policy store indexing for OpenLDAP is specified.
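The following shell script is an added example and is not part of the CA documentation or the OpenLDAP project. It automates steps 3 and 4 above: it finds the "index objectClass eq" line in slapd.conf and inserts index directives directly after it, skipping attributes that already have one so the script can be re-run without duplicating lines. The attribute list is a subset of the one in step 4, and the sample slapd.conf contents and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the CA documentation: insert the SiteMinder index
# directives into slapd.conf directly after the "index objectClass eq" line,
# skipping attributes that already have an index directive, so the script is
# safe to re-run. File paths and sample contents are constructed for the example.

# Attributes to index with pres,eq. This is a subset of the list in the
# procedure above; add the remaining names to use it on a real server.
SM_INDEX_ATTRS="smAdminOID4 smAuthDirOID4 smAzDirOID4 smDomainOID4 smRealmOID4
smAgentOID4 xpsParameter xpsValue xpsGUID xpsIndexedObject"

# add_sm_indexes <slapd.conf>
# Prints the number of index lines added; returns 1 if the anchor line is missing.
add_sm_indexes() {
    conf=$1
    # The "index objectClass eq" line from step 3 is the insertion point.
    if ! awk '/^[ \t]*index[ \t]+objectClass[ \t]+eq/ { found = 1 } END { exit found ? 0 : 1 }' "$conf"; then
        echo "no 'index objectClass eq' line in $conf" >&2
        return 1
    fi
    block=''
    added=0
    for attr in $SM_INDEX_ATTRS; do
        # Attribute names are case-insensitive in slapd, so compare that way.
        if grep -Eiq "^[[:space:]]*index[[:space:]]+${attr}[[:space:],]" "$conf"; then
            continue
        fi
        block="${block}index ${attr} pres,eq
"
        added=$((added + 1))
    done
    if [ "$added" -gt 0 ]; then
        tmp=$(mktemp) || return 1
        # Copy every line; right after the first anchor line, also emit the block.
        awk -v block="$block" '
            { print }
            !inserted && /^[ \t]*index[ \t]+objectClass[ \t]+eq/ { printf "%s", block; inserted = 1 }
        ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
        rm -f "$tmp"
    fi
    echo "$added"
}

# write_sample_slapd_conf <path>
# Constructed slapd.conf fragment for trying the function out; it already
# indexes smAdminOID4, so that attribute is skipped on the first run.
write_sample_slapd_conf() {
    cat > "$1" <<'EOF'
include /usr/local/etc/openldap/schema/core.schema
database bdb
suffix "dc=example,dc=com"
directory /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq
index smAdminOID4 pres,eq
EOF
}

# Usage on a real server (then run slapindex as in step 6):
#   add_sm_indexes /usr/local/etc/openldap/slapd.conf
```

Run it against a copy of slapd.conf first and diff the result; the slapd instance must still be stopped while the file is edited and slapindex is run, exactly as steps 1 and 6 require.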

Enable User Authentication

Enabling user authentication ensures that you can protect resources with a supported authentication scheme.

To enable user authentication, add the following to the slapd configuration file:

access to attrs=userpassword
by self write
by anonymous auth
by * none

Specify Database Directives

The slapd configuration file requires values for additional database directives.

To specify the directives, edit the following:

database

Specify any supported backend type.

Example: bdb

suffix

Specify the database suffix.

Example: dc=example,dc=com

rootdn

Specify the DN of the root (administrative) user.

Example: cn=Manager,dc=example,dc=com

rootpw

Specify the password for the root DN.

directory

Specify the path of the database directory.

Example: /usr/local/var/openldap-data

Note: The database directory must exist prior to running slapd and should only be accessible to the slapd process.

Support Client-Side Sorting

OpenLDAP is the only supported LDAP directory that does not support server-side sorting. Instead, OpenLDAP requires that all sorting be performed on the client side. To accomplish this, all XPS objects are retrieved at start-up using server-side paging.

To support client-side sorting, the OpenLDAP directory administrator must configure the following settings in the slapd.conf file:

To support client-side sorting

  1. Add the following lines to the slapd.conf file:
    access to *
    by users read
    by anonymous read
    access to dn.base=ACL by users read
    
    ACL

    Specifies an access control list or list of permissions.

    Note: For more information on how to specify the ACL, see http://www.openldap.org/doc/admin24/access-control.html.

  2. Verify that the value specified by the sizelimit directive in the slapd.conf file is 500 or greater:
    sizelimit 500
    

    Note: The default sizelimit value is 500. For more information, see http://www.openldap.org/doc/admin24/slapdconfig.html.

  3. Add the following line to the slapd.conf file:
    allow bind_v2
    

The slapd.conf file is configured to support client-side sorting.
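The following checker is an added example, not code from the CA documentation or the OpenLDAP project. It covers the settings from "Enable User Authentication" and "Support Client-Side Sorting" together, because the two interact: slapd applies the first "access to" directive whose what-clause matches an entry, so the userpassword ACL must come before the catch-all "access to * ... by anonymous read" rule, otherwise the catch-all would grant anonymous read access to userPassword. The script also checks the schema includes, the sizelimit, allow bind_v2, and that the database directory exists and is owner-only, as the note under "Specify Database Directives" requires. It assumes a slapd.conf-style configuration (not cn=config); the sample files and paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the CA documentation: check a slapd.conf for the
# settings this page asks for. The main point is ordering: slapd applies the
# first "access to" directive whose <what> clause matches, so the userpassword
# ACL from "Enable User Authentication" must appear before the catch-all
# "access to * ... by anonymous read" added for client-side sorting, or the
# catch-all would grant anonymous read of userPassword. Sample files and
# paths are constructed for the example.

# check_slapd_conf <slapd.conf>
# Prints one line per problem found; returns 0 only when nothing was found.
check_slapd_conf() {
    conf=$1
    problems=0

    # Line numbers of the first userpassword ACL and the first "access to *".
    pw=$(grep -Ein '^[[:space:]]*access[[:space:]]+to[[:space:]]+attrs=userpassword' "$conf" | head -n 1 | cut -d: -f1)
    star=$(grep -En '^[[:space:]]*access[[:space:]]+to[[:space:]]+\*' "$conf" | head -n 1 | cut -d: -f1)
    if [ -z "$pw" ]; then
        echo "missing: 'access to attrs=userpassword' ACL"
        problems=$((problems + 1))
    elif [ -n "$star" ] && [ "$star" -lt "$pw" ]; then
        echo "ordering: 'access to *' (line $star) precedes the userpassword ACL (line $pw)"
        problems=$((problems + 1))
    fi

    # sizelimit must be at least 500 (the default) for the paged XPS retrieval.
    sl=$(grep -Ei '^[[:space:]]*sizelimit[[:space:]]+[0-9]+' "$conf" | tail -n 1 | awk '{ print $2 }')
    if [ -n "$sl" ] && [ "$sl" -lt 500 ]; then
        echo "sizelimit $sl is below the required 500"
        problems=$((problems + 1))
    fi

    # LDAPv2 binds must be allowed.
    if ! grep -Eiq '^[[:space:]]*allow[[:space:]].*bind_v2' "$conf"; then
        echo "missing: allow bind_v2"
        problems=$((problems + 1))
    fi

    # All four SiteMinder schema files must be included.
    for s in openldap_attribute openldap_object openldap_attribute_XPS openldap_object_XPS; do
        if ! grep -Eq "^[[:space:]]*include[[:space:]]+.*/${s}[.]schema" "$conf"; then
            echo "missing: include of ${s}.schema"
            problems=$((problems + 1))
        fi
    done

    # The database directory must exist and be private to the slapd user.
    dbdir=$(grep -Ei '^[[:space:]]*directory[[:space:]]+' "$conf" | tail -n 1 | awk '{ print $2 }' | tr -d '"')
    if [ -n "$dbdir" ]; then
        if [ ! -d "$dbdir" ]; then
            echo "database directory $dbdir does not exist"
            problems=$((problems + 1))
        else
            case $(ls -ld "$dbdir") in
                d???------*) ;;   # owner-only permissions
                *) echo "database directory $dbdir is group- or world-accessible"
                   problems=$((problems + 1)) ;;
            esac
        fi
    fi

    [ "$problems" -eq 0 ]
}

# write_sample_conf <path> <dbdir> good|bad
# Constructed slapd.conf files: "good" follows the page; "bad" puts the
# catch-all ACL first, lowers sizelimit and omits allow bind_v2.
write_sample_conf() {
    path=$1; dbdir=$2; variant=$3
    {
        for s in core openldap_attribute openldap_object openldap_attribute_XPS openldap_object_XPS; do
            echo "include /usr/local/etc/openldap/schema/${s}.schema"
        done
        if [ "$variant" = good ]; then
            echo 'sizelimit 500'
            echo 'allow bind_v2'
            printf 'access to attrs=userpassword\n  by self write\n  by anonymous auth\n  by * none\n'
            printf 'access to *\n  by users read\n  by anonymous read\n'
        else
            echo 'sizelimit 200'
            printf 'access to *\n  by users read\n  by anonymous read\n'
            printf 'access to attrs=userpassword\n  by self write\n  by anonymous auth\n  by * none\n'
        fi
        echo 'database bdb'
        echo 'suffix "dc=example,dc=com"'
        echo 'rootdn "cn=Manager,dc=example,dc=com"'
        echo "directory $dbdir"
    } > "$path"
}

# Usage on a real server, before "slapd -Tt" from the testing step:
#   check_slapd_conf /usr/local/etc/openldap/slapd.conf
```

This is a textual check only; it does not replace "slapd -Tt", which parses the file with slapd itself. Run both before restarting the directory server.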

Test the Configuration File

Testing the configuration file ensures that it is correctly formatted.

To test the configuration file

  1. Change the directory to the OpenLDAP server directory.
  2. Run the following command:
    ./slapd
    

    Note: Unless you specified a debugging level, including level 0, slapd automatically forks, detaches itself from its controlling terminal, and runs in the background.

  3. Run the following command:
    ./slapd -Tt
    

    The slapd configuration file is tested.

Restart the OpenLDAP Server

Restarting the OpenLDAP directory server loads the SiteMinder schema. The Policy Server requires that the SiteMinder schema is loaded before you can use the directory server as a policy store.

To restart the directory server

  1. Stop the directory server using the following command:
    kill -INT `cat path_of_var/run_directory/slapd.pid`
    
    path_of_var/run_directory

    Specifies the path of the database directory.

    Example: kill -INT `cat /usr/local/var/run/slapd.pid`

  2. Start the directory server using the following command:
    ./slapd
    

How to Create the Database

The following process lists the steps for creating the directory server database for the policy store:

  1. Create the base tree structure.
  2. Add entries.