SiteMinder supports user directories on the Microsoft Active Directory platform. Although configuring Active Directory (AD) and LDAP namespaces in the Policy Server User Interface is similar, there are several functional differences.
The advantages of using the LDAP namespace for an Active Directory user store include:
The disadvantages include:
The LDAP namespace does not support native Windows SASL, which would otherwise allow secure LDAP bind operations to use native Windows authentication methods such as NTLM.
Microsoft Active Directory uses a non-standard method for identifying object classes. As a result, the objectclass attribute in Active Directory is not indexed by default. This lack of indexing can cause the Policy Server User Interface to timeout when it searches through an Active Directory LDAP implementation that includes large numbers of users or groups.
For SiteMinder to run efficiently with an Active Directory user directory, you must index the objectClass attribute in Active Directory. For more information, see your Active Directory documentation.
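The following PowerShell is an added example, not part of the SiteMinder documentation, showing how an AD administrator can check whether the objectClass attribute is indexed and request the index if it is not. An attribute is indexed when bit 0 (fATTINDEX, value 1) of searchFlags is set on its attributeSchema object. It assumes the ActiveDirectory module, membership in Schema Admins, and that the schema master is reachable; the verification filter at the end is illustrative.

```powershell
# Added example (not from the SiteMinder documentation): index objectClass in the
# AD schema so that (objectClass=...) searches from the Policy Server do not scan
# the whole directory. Assumes: ActiveDirectory module, Schema Admins rights,
# schema master reachable. Schema changes replicate forest-wide; test first.

Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Locate the attributeSchema object for objectClass (its CN is Object-Class)
$attr = Get-ADObject -Filter { lDAPDisplayName -eq 'objectClass' } `
                     -SearchBase $schemaNC -Properties searchFlags

$fATTINDEX = 1   # searchFlags bit 0: build an index for this attribute

if ($attr.searchFlags -band $fATTINDEX) {
    Write-Host "objectClass is already indexed (searchFlags=$($attr.searchFlags))"
} else {
    $newFlags = $attr.searchFlags -bor $fATTINDEX

    # Write the change on the schema master; other DCs pick it up via replication
    # and build the index in the background.
    $schemaMaster = (Get-ADForest).SchemaMaster
    Set-ADObject -Identity $attr.DistinguishedName `
                 -Replace @{ searchFlags = $newFlags } `
                 -Server $schemaMaster

    Write-Host "searchFlags on $($attr.DistinguishedName) set to $newFlags (index requested)"
}

# Verification (illustrative): a search filtered only on objectClass should now
# return quickly even in a large domain.
Get-ADObject -LDAPFilter '(objectClass=group)' `
             -SearchBase (Get-ADDomain).DistinguishedName `
             -ResultSetSize 5 | Select-Object Name, ObjectClass
```

Indexing objectClass increases the size of the directory database, which is why Microsoft leaves it unindexed and indexes objectCategory instead; apply the change in a test forest before production and confirm the index has been built on every domain controller the Policy Server can be pointed at.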
Microsoft Active Directory requires an SSL connection to change stored user passwords. So that Password Services can work with Active Directory user directories, configure an SSL connection to any Active Directory LDAP user directory to which password policies are applied.
Additionally, set the Password Attribute for the user directory to unicodePwd, the attribute through which Active Directory accepts password writes, so that Password Services can work with Active Directory user directories.
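To make the SSL and unicodePwd requirements concrete, the following PowerShell is an added example (not SiteMinder or CA code) that performs the same kind of password write Password Services must perform: a replace of unicodePwd over an LDAPS connection on port 636. The host, bind account and target DN are placeholders, and it assumes the domain controller's certificate chains to a CA trusted by the machine running the script.

```powershell
# Added example (not from the SiteMinder documentation): reset an AD user's
# password by replacing unicodePwd over LDAPS. Assumptions: $dcHost, $bindUser
# and $targetDn are placeholders; the DC's certificate is trusted by this host.
using namespace System.DirectoryServices.Protocols

Add-Type -AssemblyName System.DirectoryServices.Protocols

$dcHost   = 'dc01.example.com'                           # placeholder
$targetDn = 'CN=Jane Doe,OU=Users,DC=example,DC=com'     # placeholder
$bindUser = 'EXAMPLE\svc-siteminder'                     # placeholder
$bindPass = Read-Host -AsSecureString 'Bind password'
$newPass  = Read-Host -AsSecureString 'New password for target user'

function ConvertTo-UnicodePwd([securestring]$Secret) {
    # AD expects the new password as the UTF-16LE encoding of the password
    # enclosed in double quotes. Any other encoding is rejected.
    $plain = [System.Net.NetworkCredential]::new('', $Secret).Password
    return [System.Text.Encoding]::Unicode.GetBytes('"' + $plain + '"')
}

$id   = [LdapDirectoryIdentifier]::new($dcHost, 636)
$conn = [LdapConnection]::new($id)
$conn.SessionOptions.SecureSocketLayer = $true   # required: AD refuses unicodePwd writes over cleartext LDAP
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [AuthType]::Basic
$conn.Credential = [System.Net.NetworkCredential]::new($bindUser, $bindPass)
$conn.Bind()

# Replace = administrative reset (needs "Reset Password" rights on the object).
$mod = [DirectoryAttributeModification]::new()
$mod.Name      = 'unicodePwd'
$mod.Operation = [DirectoryAttributeOperation]::Replace
[void]$mod.Add((ConvertTo-UnicodePwd $newPass))

$req = [ModifyRequest]::new($targetDn, [DirectoryAttributeModification[]]@($mod))

try {
    $resp = $conn.SendRequest($req)
    "Result: $($resp.ResultCode)"
} catch [DirectoryOperationException] {
    # Without SSL, or when the new value violates the domain password policy,
    # AD answers unwillingToPerform (LDAP result code 53, WILL_NOT_PERFORM).
    $r = $_.Exception.Response
    "Modify failed: $($r.ResultCode) - $($r.ErrorMessage)"
} finally {
    $conn.Dispose()
}
```

If you run the same request with SecureSocketLayer set to false on port 389, the bind succeeds but the modify fails with result code 53, which is the symptom to look for when Password Services reports that it cannot change passwords against an Active Directory user directory. A user-initiated change (as opposed to an administrative reset) uses a Delete of the old quoted value plus an Add of the new one in a single modify request instead of Replace.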
Note: For complete information about configuring Microsoft Active Directory, see your Active Directory documentation.
A SiteMinder Web Agent can run in a Windows user security context for accessing Web resources on IIS Web servers. So that SiteMinder can provide the Windows user security context, configure a session store and enable persistent sessions on a per realm basis. (See How SiteMinder Is Configured to Provide a Windows User Security Context.) Also enable this feature on the Credentials and Connection tab. (See User Directory Dialog.)
SiteMinder uses a Netscape LDAP SDK to communicate with LDAP directories. You might need to install a Certificate Authority for your Active Directory instance so that its domain controllers have SSL certificates. You can use a third-party certificate utility to manage the SSL certificates that the SDK trusts. One such utility is the Network Security Services (NSS) utility (version 3.2.2). You can download the build for your operating system from Mozilla. Documentation for the utility is located on the Mozilla NSS project page.
Complete the following using the utility:
Important! When using this tool on Windows Server 2003, specify the full path to the executable file. Windows has its own, unrelated certutil.exe, and a bare certutil command on the command line runs that one instead of the NSS tool.
Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions, even if you are logged into the system as an Administrator. For more information, see the release notes for your SiteMinder component.
Example: C:\Program Files\Netscape\users\default\cert7.db
Copyright © 2011 CA. All rights reserved.