

Configure CA Directory User Directory Connections

You can configure a user directory connection that lets the Policy Server communicate with a CA Directory user store.

To configure the user directory connection

  1. Click Infrastructure, Directory.
  2. Click User Directory, Create User Directory.

    The Create User Directory pane opens.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  3. Select LDAP from the Namespace list.

    LDAP settings open.

  4. Complete the remaining required connection information on the General and Directory Setup group boxes.

    Note: If the Policy Server is operating in FIPS mode and the directory connection is to use a secure SSL connection when communicating with the Policy Server, the certificates used by the Policy Server and the directory store must be FIPS compliant.

  5. Type the LDAP Search and LDAP User DN Lookup settings in the fields on the LDAP Settings group box.
  6. (Optional) Select Require Credentials on the Administrator Credentials group box, and type the user name and password of an administrator's account on the user directory in the fields on the group box.
  7. (Optional) Specify the user directory profile attributes that are reserved for SiteMinder's use in the fields on the User Attributes group box.
  8. (Optional) Click Create on the Attribute Mapping List group box.

    The Create Attribute Mapping pane opens.

  9. Click Submit.

    The Create User Directory task is submitted for processing.

More information:

LDAP Load Balancing and Failover

Define an Attribute Mapping

Enable User Store DSA Parameters

SiteMinder uses the Sun Java System LDAP SDK, which lets clients open one managed connection to the directory server and perform user binds under that connection. If you are using CA Directory as a user store, the Policy Server connects to CA Directory by performing a bind request for each authentication request. Configure CA Directory to handle these requests, or CA Directory runs out of connections and authentication fails.

Follow these steps:

  1. Open the .dxi file for the user store DSA.
  2. Define the following entries at the bottom of the file:
    #SiteMinder
    set mimic-netscape-for-siteminder = true;
    set concurrent-bind-user = DN;
    set hold-ldap-connections = true;
    
  3. Save and close the .dxi file.

    The user store DSA parameters are enabled.

    Note: The DN is in x500 format.

    Example: <o acme><cn smadmin>

Enable Caching for a CA Directory User Store

You can improve SiteMinder authentication and authorization performance for large user stores by enabling the CA Directory DXcache feature. A 5 MB user store is considered large.

To enable caching

  1. As the dsa user, edit the user store DSA’s DXI file (for example, <dxserver_install>\config\servers\eTrustDsa.dxi) and add the following lines to the end of the file:
    # cache configuration
    set max-cache-size = 100;
    set cache-index = commonName, surname, objectClass;
    set cache-attrs = all-attributes;
    set cache-load-all = true;
    set lookup-cache = true;
    

    Note: The max-cache-size entry is the total cache size in MB. Adjust this value based on the total memory available on the CA Directory server and overall size of the user store. In addition, set the cache-index fields to those fields used by SiteMinder to perform a user search in the user store. For example, if users are authenticated and authorized based on their common name (cn=*), make sure that the commonName is set in the cache-index.

  2. As the dsa user, stop and restart the user DSA to allow the DXcache configuration changes to take effect:
    dxserver stop eTrustDsa
    dxserver start eTrustDsa
    
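As an added check that is not part of the CA documentation or the product, this Python script parses a DSA .dxi file and verifies that the SiteMinder bind settings and the DXcache settings from the two procedures above are present and well-formed; the sample .dxi text, the x500 DN and the SiteMinder search attribute are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample .dxi fragment (not from a real install): the SiteMinder
# block and the DXcache block appended by the two procedures above.
SAMPLE_DXI = """\
# cache configuration
set max-cache-size = 100;
set cache-index = commonName, surname, objectClass;
set cache-attrs = all-attributes;
set cache-load-all = true;
set lookup-cache = true;
#SiteMinder
set mimic-netscape-for-siteminder = true;
set concurrent-bind-user = <o acme><cn smadmin>;
set hold-ldap-connections = true;
"""

SET_RE = re.compile(r"^\s*set\s+([\w-]+)\s*=\s*(.*?)\s*;\s*$")
X500_DN_RE = re.compile(r"^(<\w+\s+[^<>]+>)+$")  # x500 form, e.g. <o acme><cn smadmin>


def parse_dxi(text: str) -> Dict[str, str]:
    """Collect 'set name = value;' entries, skipping '#' comment lines; a later entry overrides an earlier one."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = SET_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def check_siteminder_dsa(settings: Dict[str, str], search_attr: str = "commonName") -> List[str]:
    """Return findings; an empty list means the DSA matches both procedures."""
    findings: List[str] = []
    for name in ("mimic-netscape-for-siteminder", "hold-ldap-connections", "cache-load-all", "lookup-cache"):
        if settings.get(name, "").lower() != "true":
            findings.append(f"{name} should be true")
    if not X500_DN_RE.match(settings.get("concurrent-bind-user", "")):
        findings.append("concurrent-bind-user must be an x500 DN such as <o acme><cn smadmin>")
    size = settings.get("max-cache-size", "")
    if not size.isdigit() or int(size) <= 0:
        findings.append("max-cache-size must be a positive number of MB")
    # cache-index must cover the attribute SiteMinder searches on, or lookups bypass the cache
    index = [a.strip().lower() for a in settings.get("cache-index", "").split(",") if a.strip()]
    if search_attr.lower() not in index:
        findings.append(f"cache-index does not include the SiteMinder search attribute {search_attr}")
    return findings


if __name__ == "__main__":
    for finding in check_siteminder_dsa(parse_dxi(SAMPLE_DXI)):
        print("finding:", finding)
```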
Verify the CA Directory Cache Configuration

After configuring the CA DXcache feature for the user store, you can verify that the cache is enabled using the DXmanager user interface.

To verify the cache

  1. Using a Web browser, connect to the CA DXmanager Web interface.

    For example:

    http://<CA_host>:8080/dxmanager/ManagerServlet?hostgroup=All

  2. Navigate to the DSA configuration page and verify that the DXcache Status field is set to Enabled for your policy store DSA.