Siteminder Policy Store Configuration

UnboundID PhilipP

Background

Although the UnboundID Data Store (DS) is fully qualified as a SiteMinder policy store and data store, CA has not provided the configuration tools to set it up automatically for policy store use. This configuration must be performed before the DS can be used as a policy store.

The configuration consists of changing some behavioral characteristics required by SiteMinder, adding schema, adding indexes and enabling additional LDAP controls.

Once these changes have been made, SiteMinder may be configured to point to the DS and use it as a policy store.

Configuration

In the directory where you wish to install the LDAP server that will act as the policy store, place the UnboundID Data Store zip file and the policy store configuration zip file.

Unzip the script file (attached to the end of this article):

unzip -qq SM-policy-setup.zip

(The -qq option suppresses the long listing of the contents being extracted.)

When complete, you should have something like this:

$ ls -l
total 144888
-rw-r--r--   1 ldap  staff     47509 Apr 12 11:26 99-siteminder.ldif
-rw-r--r--   1 ldap  staff      8802 Apr 12 14:03 SM-policy-setup.zip
-rw-r--r--@  1 ldap  staff  74101159 Apr 12 14:03 UnboundID-DS-5.2.0.0.zip
-rw-r--r--   1 ldap  staff     16367 Apr 12 13:44 policy-script.sh

 

Take a look at the SM-policy-setup.sh file and modify the values on its first few lines to match your requirements. For example, it is unlikely that you want your base suffix to be "dc=example,dc=com". The LDAP and LDAPS ports are another item that may need to be adjusted.

Run the SM-policy-setup.sh script. It will unpack the Data Store and configure it.

At the end you will have a policy-store directory containing the LDAP server (Data Store) fully configured and ready for use by SiteMinder.

You may remove everything except the policy-store directory once configuration is complete.

Explanation of The Script

It is important to have some insight into what the script is actually doing, especially if you ever want to modify or adapt it. What follows is an explanation of each of the steps.

Installation

Unpacking the DS zip file results in a directory named UnboundID-DS. The script renames this directory to the name configured in the script (default: policy-server).

The script then enters this directory and runs the setup script. This configures the server with the parameters defined at the head of the script. It also generates and installs a self-signed certificate to enable LDAPS. Self-signed certificates are usually acceptable for development and performance environments, but depending on local policies you will probably need to use other certificates for QA and production use. See the Data Store Administration Guide for more details.

There is a file in the server config directory named tools.properties. Most of the command-line utilities read default values for many required parameters from it. This script builds and installs a simple replacement to simplify its own use of the command-line tools. Note that during the configuration phase (while this script is running) this file contains the Directory Manager password. The password is removed at the end of the script.
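As an added illustration of the tools.properties handling described above (this is not the article's SM-policy-setup.sh script), the functions below build the file for the configuration phase and strip the bind password from it afterwards. The property names hostname, port, bindDN and bindPassword are an assumption, taken to match the long-form option names the UnboundID tools read from tools.properties; confirm them against the server's own config/tools.properties before relying on them.

```shell
# Added example: tools.properties handling (not the article's script).
# ASSUMPTION: key names mirror the tools' long option names
# (hostname, port, bindDN, bindPassword); check config/tools.properties.

build_tools_properties() {
    # $1 = path, $2 = LDAP port, $3 = bind DN, $4 = bind password
    # Create the file with owner-only permissions while it holds the secret.
    ( umask 077
      printf '%s\n' \
          "hostname=localhost" \
          "port=$2" \
          "bindDN=$3" \
          "bindPassword=$4" > "$1" )
}

strip_password() {
    # Drop the bindPassword line once configuration is finished, so the
    # Directory Manager password does not persist on disk.
    tmp="$1.tmp.$$"
    grep -v '^bindPassword=' "$1" > "$tmp" || true
    mv "$tmp" "$1"
}

has_password() {
    # Exit status 0 if a bindPassword line is still present.
    grep -q '^bindPassword=' "$1"
}

# Usage during the configuration phase (the password is a constructed placeholder):
#   build_tools_properties policy-store/config/tools.properties 1389 \
#       "cn=Directory Manager" "CHANGE-ME"
#   ... run the dsconfig / ldapmodify steps ...
#   strip_password policy-store/config/tools.properties
```

The file is created under umask 077 so that, for the short time it holds the password, it is readable only by the account running the script.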

 

Behavioral characteristics

SiteMinder makes some assumptions about the behavioral characteristics of its LDAP policy store, mostly based upon the behavior of older servers that are, in some cases, less than fully LDAP v3 compliant. The first step in configuration is to make changes to accommodate these:

  • Set size-limit to zero: allow an unlimited number of entries to be returned.
  • Set time-limit to one hour: allow requests to run for up to one hour.
  • Enable unindexed searching globally.
  • Return full bind failure messages.
  • Allow schema with multiple structural object classes.

Note that these settings relax defaults that exist for a reason: an unlimited size limit and unindexed searches let any bound client place heavy load on the server, and detailed bind error messages reveal the reason a bind failed. Network access to the policy store should therefore be limited to the SiteMinder policy servers.

dsconfig set-global-configuration-prop --no-prompt \
    --set size-limit:0 \
    --set "time-limit:1 h" \
    --set disabled-privilege:unindexed-search \
    --set return-bind-error-messages:true \
    --set single-structural-objectclass-behavior:accept

 

Allow viewing of full schema detail:

dsconfig set-backend-prop --no-prompt \
    --backend-name schema --set show-all-attributes:true

 

Set the index entry limit to 15,000. This is a typical number; as always with index tuning, it may need to be changed for a given implementation. This is not the maximum size of an index: it is the maximum number of entries sharing the same value that the index will keep for a single key (once a key exceeds the limit, searches on that value are no longer served from the index).

dsconfig set-backend-prop --no-prompt \
    --backend-name userRoot --set index-entry-limit:15000

 

Enable an extended set of LDAP controls, in particular paged results. The ACI grants every authenticated user (userdn="ldap:///all") the use of the post-read (1.3.6.1.1.13.2), server-side sort (1.2.840.113556.1.4.473), virtual list view (2.16.840.1.113730.3.4.9), subtree delete (1.2.840.113556.1.4.805) and simple paged results (1.2.840.113556.1.4.319) controls:

dsconfig set-access-control-handler-prop --no-prompt \
 --add 'global-aci:(targetcontrol="1.3.6.1.1.13.2 || 1.2.840.113556.1.4.473 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.805 || 1.2.840.113556.1.4.319") (version 3.0; acl "Authenticated access to controls used by Siteminder"; allow (all) userdn="ldap:///all";)'

NOTE that everything following --add, including the whole ACI string, is a single line.
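An added check (not from the article) that a practitioner would run after this step: the ACI only grants access to controls the server already supports, so read supportedControl from the root DSE and confirm that every OID named in the ACI is advertised. On a live server the input would come from ./bin/ldapsearch -b "" -s base "(objectClass=*)" supportedControl; the root DSE text below is a constructed sample, deliberately missing the paged results control, so the check runs offline.

```shell
# Added example: verify the root DSE advertises the controls the ACI names.
# The OID list is the one from the article's ACI; SAMPLE_ROOTDSE is CONSTRUCTED.

REQUIRED_CONTROLS="1.3.6.1.1.13.2 1.2.840.113556.1.4.473 2.16.840.1.113730.3.4.9 1.2.840.113556.1.4.805 1.2.840.113556.1.4.319"

# Constructed root DSE excerpt: the simple paged results control is absent.
SAMPLE_ROOTDSE='dn:
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 2.16.840.1.113730.3.4.2'

missing_controls() {
    # Reads root DSE LDIF on stdin. Prints the required OIDs that are not
    # advertised, one line, and returns 1; returns 0 when none are missing.
    input=$(cat)
    missing=""
    for oid in $REQUIRED_CONTROLS; do
        # -x: whole-line match, -F: treat the dotted OID literally
        if ! printf '%s\n' "$input" | grep -qxF "supportedControl: $oid"; then
            missing="$missing $oid"
        fi
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "${missing# }"
    return 1
}

# Offline usage against the constructed sample (reports the missing OID):
#   printf '%s\n' "$SAMPLE_ROOTDSE" | missing_controls
# Live usage (assumes the server is running and listening on its LDAP port):
#   ./bin/ldapsearch -b "" -s base "(objectClass=*)" supportedControl | missing_controls
```

Run this once after the restart that follows the schema load, and again after any upgrade, since a control that disappears from the root DSE will surface in SiteMinder as failed paged or sorted searches rather than as a configuration error.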

 

Add the SiteMinder schema file (99-siteminder.ldif) to the schema directory of the DS:

cp 99-siteminder.ldif policy-store/config/schema/

Restart the server to load the new schema:

stop-ds --restart

 

Now create indexes on some of the newly installed attributes. The script builds a temporary file containing the dsconfig commands to do this. The commands could simply be run individually, but each invocation would start a new JVM, resulting in a long run time. Placing them in a single batch file lets one instance of dsconfig (and one JVM invocation) process them all in much less time:

./bin/dsconfig -Q -n -F $TMP

Note that $TMP is a temporary file created by the script; see the script itself for details on how it is created.
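An added example (not the article's own script) of building the batch file that is then handed to dsconfig -F. The subcommand and property names (create-local-db-index with index-type, create-local-db-vlv-index with base-dn, scope, filter and sort-order) are assumed from the UnboundID dsconfig conventions, and the attribute lists are constructed samples rather than the full set defined in 99-siteminder.ldif; check the names against ./bin/dsconfig --help before using this on a real server.

```shell
# Added example: generate the dsconfig batch file (not the article's script).
# ASSUMPTION: subcommand/property names follow UnboundID dsconfig conventions.
# The attribute lists are CONSTRUCTED samples, not the full SiteMinder set.

EQ_ATTRS="smActiveExprOID5 xpsSortKey"                  # equality indexes
VLV_ATTRS="createTimestamp modifyTimestamp xpsSortKey"  # VLV (sorted) indexes

write_index_batch() {
    # $1 = batch file path, $2 = base DN, $3 = backend name
    # One dsconfig subcommand per line; dsconfig -F runs them in one JVM.
    : > "$1"
    for a in $EQ_ATTRS; do
        printf 'create-local-db-index --backend-name %s --index-name %s --set index-type:equality\n' \
            "$3" "$a" >> "$1"
    done
    for a in $VLV_ATTRS; do
        # The VLV index name is what rebuild-index later refers to as vlv.<name>.
        printf 'create-local-db-vlv-index --backend-name %s --index-name %s --set base-dn:%s --set scope:whole-subtree --set filter:(objectClass=*) --set sort-order:%s\n' \
            "$3" "$a" "$2" "$a" >> "$1"
    done
}

count_batch_lines() {
    # Number of commands queued in the batch file.
    wc -l < "$1" | tr -d ' '
}

# Usage (TMP, BASE_DN as in the article's script; mktemp is the assumed way
# the temporary file is created):
#   TMP=$(mktemp)
#   write_index_batch "$TMP" "$BASE_DN" userRoot
#   ./bin/dsconfig -Q -n -F "$TMP"
#   rm -f "$TMP"
```

Because the batch file carries no credentials (dsconfig reads those from tools.properties), it can be kept for review or re-run after an upgrade; only the tools.properties password needs the cleanup the article describes.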

 

These indexes are now configured, but they are unusable until the database has been scanned to determine which entries belong in them. This is fastest when performed off-line, in which case all of the indexes to build can be listed as individual arguments to a single rebuild-index command:

stop-ds
./bin/rebuild-index -Q --baseDN $BASE_DN \
 --index vlv.createTimestamp \
 --index vlv.modifyTimestamp \
 --index vlv.xpsSortKey \
 --index smActiveExprOID5 \
...

Restart the DS once the indexes have been rebuilt:

start-ds

 

Add the policy store DIT structure that SiteMinder expects. Note that the script has to accommodate whatever base DN has been specified, hence the in-line sed command, which extracts the first RDN of the base DN and turns it into the attribute line the suffix entry needs (for example, "dc=example,dc=com" becomes "dc: example"):

./bin/ldapmodify -a -D "$ROOT_DN" -w $PASSWD  <<+
dn: $BASE_DN
objectclass: domain
description: Default container for CA Siteminder r12 Policy Store using UnboundID DS
`echo $BASE_DN | sed -e 's/,.*//' -e 's/=/: /'`

# Netegrity, example
dn: ou=Netegrity,$BASE_DN
ou: Netegrity
objectClass: organizationalUnit
objectClass: top

# SiteMinder, Netegrity, example
dn: ou=SiteMinder,ou=Netegrity,$BASE_DN
ou: SiteMinder
objectClass: organizationalUnit
objectClass: top

# PolicySvr4, SiteMinder, Netegrity, example
dn: ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,$BASE_DN
ou: PolicySvr4
objectClass: organizationalUnit
objectClass: top

# XPS, policysvr4, siteminder, netegrity, example
dn: ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,$BASE_DN
ou: XPS
objectClass: organizationalUnit
objectClass: top
+
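As an added example (not the article's script), the functions below generalise the in-line sed above: rdn_attr_line does exactly what the sed does, and suffix_ldif plus ou_chain_ldif produce the same entries as the heredoc for any base DN and any list of nested OUs. It goes one step beyond the article in choosing the suffix entry's structural object class from the RDN attribute: the article always uses domain, which is correct only for a dc= suffix, so the o= and ou= mappings here are an addition.

```shell
# Added example: derive the suffix entry and OU chain from the base DN.
# Not the article's script; the objectClass mapping for o=/ou= is an addition.

rdn_attr_line() {
    # "dc=example,dc=com" -> "dc: example"  (the article's in-line sed)
    printf '%s\n' "$1" | sed -e 's/,.*//' -e 's/=/: /'
}

suffix_objectclass() {
    # Pick the structural object class that matches the suffix's RDN attribute.
    attr=$(printf '%s\n' "$1" | sed -e 's/=.*//' | tr 'A-Z' 'a-z')
    case "$attr" in
        dc) echo domain ;;
        o)  echo organization ;;
        ou) echo organizationalUnit ;;
        *)  echo "unsupported suffix attribute: $attr" >&2; return 1 ;;
    esac
}

suffix_ldif() {
    # The suffix entry, as added first in the article's ldapmodify heredoc.
    oc=$(suffix_objectclass "$1") || return 1
    printf 'dn: %s\nobjectClass: %s\n%s\n' "$1" "$oc" "$(rdn_attr_line "$1")"
}

ou_chain_ldif() {
    # $1 = base DN, remaining args = nested OU names, outermost first.
    # Each entry is preceded by a blank line, the LDIF record separator.
    parent="$1"; shift
    for ou in "$@"; do
        printf '\ndn: ou=%s,%s\nou: %s\nobjectClass: organizationalUnit\nobjectClass: top\n' \
            "$ou" "$parent" "$ou"
        parent="ou=$ou,$parent"
    done
}

# Usage, producing the same DIT as the article's heredoc (BASE_DN, ROOT_DN and
# PASSWD as in the script):
#   { suffix_ldif "$BASE_DN"
#     ou_chain_ldif "$BASE_DN" Netegrity SiteMinder PolicySvr4 XPS
#   } | ./bin/ldapmodify -a -D "$ROOT_DN" -w "$PASSWD"
```

Generating the LDIF with a function rather than a literal heredoc also makes the suffix-attribute check explicit: an unsupported suffix fails before ldapmodify is invoked instead of failing with a schema violation on the server.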

 

Finally, the script rebuilds the tools.properties file, this time excluding the Directory Manager password.

This completes the DS configuration for SiteMinder policy store use.

SiteMinder itself will need to be configured to use this DS. See the section below for guidelines on how this is done.

Using the DS as a SiteMinder user store may not require any specific configuration. However, when certain SiteMinder options are used, some configuration may be necessary.