Policy Server Guides › Policy Server Configuration Guide › User Directories › SQL Query Schemes › Configure a SQL Query Scheme

Configure a SQL Query Scheme

You can configure a SQL Query Scheme that finds user data in the relational database that you are using as a user store.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To configure a SQL Query Scheme

1. Click Infrastructure, Directory.
2. Click SQL Query Scheme, Create SQL Query Scheme.

   The Create SQL Query Scheme pane opens.

3. Verify that Create a new object is selected, and click OK.

   The SQL Query Scheme: Name pane opens.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

4. Type a name and description in the fields on the General group box.
5. Update the contents of the query fields to correspond to your database schema.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

   You must configure each of the queries to work with your relational database. You must replace the following database table and column names with the table and column names from your relational database:

   • Name

     When you configure the Policy Server to use a user store residing in a relational database, the Name parameter for a user must be unique so that SiteMinder can correctly identify the user. Thus, two users cannot have the same user name.

   • SmUser—table
   • SmGroup—table
   • Password
   • SmUserGroup—table
   • Id
   • UserID
   • FirstName
   • LastName
   • TelephoneNumber
   • EmailAddress
   • Mileage
   • PIN
   • GroupID
   • Disabled
6. Select a query type, and click Submit.

   The query is saved. You can associate query scheme with a user directory connection

7. Restart the Policy Server using the Policy Server Management Console.

More information:

Configure ODBC Directory Connections

Add SQL Query Schemes to ODBC User Directory Connections

You can select an SQL Query Scheme using the User Directory Dialog.

To select an SQL Query Scheme

1. Open the User Directory pane for an existing user directory connection object.
2. Select the SQL query scheme from the SQL Query Scheme list, and click Submit.

   The SQL query scheme is saved to the directory connection.

3. Restart the Policy Server using the Policy Server Management Console.

Note: If you are using MS SQL Server, and your queries are returning names that include the apostrophe character (for example, O’Neil), you must replace any instance of ‘%s’ in the query strings to ‘’%s’’. To avoid this problem, base your queries on user IDs that do not include apostrophes, or modify the query strings that include ‘%s’.

How to Configure SQL Query Schemes for Authentication via Stored Procedures

When stored procedures are required for authentication with ODBC user directories, configure the SQL query scheme to call the stored procedure as follows:

SQLServer

Syntax: Call Procedure_Name %s , %s

Example: Call EncryptPW %s , %s

Stored procedures in SQLServer must meet the following requirements:

• The first parameter must be the username, and the second parameter must be the password.
• All parameters must be defined using the keyword OUT.
• The stored procedure must return an integer value.

The following example shows how to create a stored procedure for a SQLServer user directory:

CREATE PROCEDURE EncryptPW
@UserName varchar(20) OUT ,
@PW  varchar(20) OUT
AS
SELECT Smuser.name from Smuser where Smuser.name= @UserName and  password = @PW
SELECT Smuser.password from Smuser where name= @UserName and  password = @PW
return 0

MySQL

Syntax: Call Procedure_Name %s, %s

Example: Call EncryptPW %s, %s

Stored procedures in MySQL must meet the following requirements:

• The first parameter must be the username, and the second parameter must be the password.
• The stored procedure does not return a value.

The following example shows how to create a stored procedure for a MySQL user directory:

CREATE PROCEDURE EncryptPW(INOUT p_UserName varchar(20), INOUT p_PW varchar(20))
BEGIN
SELECT SmUser.Name into p_UserName from test.SmUser where SmUser.Name =
p_UserName and SmUser.Password = p_PW;
SELECT SmUser.Password into p_PW from test.SmUser where SmUser.Name =
p_UserName and SmUser.Password = p_PW;
END;

Oracle Functions

For Oracle user directories, you can create the following functions using the templates below:

• EncryptPW
• ChangePW

Stored procedures in Oracle functions must meet the following requirement:

• The first parameter must be the username, and the second parameter must be the password.

EncryptPW Function

The EncryptPW function must return an integer value, as follows:

• value = 0

  Specifies success.

• value = 1

  Specifies failure.

You can use the following template to create the EncryptPW function:

CREATE OR REPLACE FUNCTION EncryptPW(p_UserName IN OUT SmUser.Name%type, p_PW IN OUT SmUser.Password%type)
RETURN INTEGER IS
nRet INTEGER :=1;
nCount NUMBER := 0;
BEGIN
select count(*) into nCount
from SmUser
where SmUser.Name = p_UserName and SmUser.Password = p_PW;
IF (nCount = 1) THEN
SELECT SmUser.Name  into p_UserName
from SmUser
where SmUser.Name = p_UserName and SmUser.Password = p_PW;
SELECT SmUser.Password into p_PW
from SmUser
where SmUser.Name = p_UserName and SmUser.Password = p_PW;
RETURN 0;
END IF;
RETURN nRet;
END EncryptPW;

ChangePW Function

The ChangePW function must return an integer value, as follows:

• value = 1

  Specifies success.

• value = 0

  Specifies failure.

You can use the following template to create the ChangePW function:

CREATE OR REPLACE FUNCTION ChangePW(p_PW IN SmUser.Password%type, p_UserName IN SmUser.Name%type)
RETURN INTEGER IS
nRet INTEGER :=1;
nCount NUMBER := 0;
BEGIN
select count(*) into nCount 
from SmUser 
where SmUser.Name = p_UserName;
IF (nCount = 1) THEN
UPDATE SmUser 
SET SmUser.Password = p_PW 
where SmUser.Name = p_UserName;
COMMIT;
RETURN 0;
END IF;

Asynchronous Call Support During Failover and Connection Pooling

Synchronous calls are reliable, returning only after the request is complete. Asynchronous calls return immediately. A caller can choose to abandon an asynchronous call and avoid delays associated with network failures.

SiteMinder supports asynchronous calls to the following databases:

• SQLServer
• Oracle 8 through 11g on Windows NT and Solaris

Asynchronous Call Support Configuration

The following registry options are stored under the registry sub-key Netegrity\SiteMinder\CurrentVersion\Database.

AsynchronousCalls

Determines whether database calls are made asynchronously.

Values: 0 (no); 1 (yes)

Default: 0

AsynchronousSleepTime

Specifies the amount of time between calls to wait before checking the status of an outstanding SQL call.

Values: 0 to n milliseconds

Default: 15 milliseconds

LoginTimeout

The amount of time to allow for a connection to log in to the database.

Values: minimum of 1 second

Default: 15 seconds

QueryTimeout

The amount of time to allow for a query to complete before canceling it.

Values: minimum of 1 second

Default: 15 seconds

Note: When SQL Server is running on Windows NT, asynchronous call support causes a very small memory leak per abandoned connection. You may choose to extend the timeouts to reduce the number of failovers in an unreliable network by adjusting the settings discussed in the table above.

Configure Oracle 8 on Solaris for Asynchronous Calls

The Merant ODBC driver for Oracle on Solaris 2.6 and 2.7 may cause a core dump when asynchronous calls are supported. This is due to an Oracle bug which is fixed as follows:

Oracle 8.0.5

To each data source in system_odbc.ini in the <install_directory>/db directory, add the entry:

ArraySize=1

Note: This change turns off multi-row fetches and will affect performance when loading large policy stores.

Oracle 8.1.5

1. Remove or rename libclntsh.so in siteminder/bin and/or
   siteminder/odbc/lib.
2. Verify that the Oracle client has libclntsh.so installed in $ORACLE_HOME/lib. Refer to the Oracle documentation for installation and rebuilding instructions.
3. Make sure that LD_LIBRARY_PATH references the Oracle client library directory $ORACLE_HOME/lib.

If you get the following log message:

[MERANT][ODBC Oracle 8 driver][Oracle 8] ORA-03106: fatal two-task communication protocol error

add an entry to the affected data source in system_odbc.ini in the <install directory>/db directory:

ArraySize=<value_greater_than 60000>

This increases the size of the multi-row fetch buffer to eliminate the error. The default value of this variable is 60000 bytes. The maximum allowed value is 4 Gigabytes.

ODBC Connection Pooling

The following criteria apply to ODBC connection pooling:

• Connections are pooled by the ODBC data source. If one or more user directories use a data source, and the following criteria are met, the number of connections available can reach the total of the individual values specified for user directories and stores:
  • The policy store uses the data source.
  • Another store on the Policy Server uses the data source.
• SQL Server is more limited than Oracle in how connections may be shared. Two callers may not share an open result set while the results are being fetched to the client. Although the Policy Server uses server side cursors for SQL Server, there are limitations to concurrent activity, especially on multi-processor machines. Increasing the number of connections will generally improve concurrency.
• Oracle allows for multiple callers to share a connection, but may serialize calls internally. Again, you may see improved concurrency by increasing the number of connections allowed.
• If connections are shareable, the number of active requests will be balanced across the connections in a pool.
• Once a connection is opened, it is not closed until the Policy Server is shut down.