Although the UnboundID Data Store (DS) is fully qualified as a SiteMinder policy and data store, CA has not provided configuration tools that set it up automatically for policy store use. This configuration must be performed before the DS can be used.
The configuration consists of changing some behavioral characteristics required by SiteMinder, adding schema, adding indexes and enabling additional LDAP controls.
Once these changes have been made, SiteMinder may be configured to point to the DS and make use of it as a policy store.
In the directory where you wish to install the LDAP server to act as policy server, place the UnboundID Data Store and the policy store configuration zip files.
Unzip the script file (attached to the end of this article):
unzip -qq SM-policy-setup.zip
(The -qq option suppresses a long listing of the contents being extracted.)
When complete, you should have something like this:
Take a look at the SM-policy-setup.sh file, and modify the values on the first few lines to match your requirements. For example, it is unlikely that you want your base suffix to be "dc=example,dc=com". The ports for LDAP and LDAPS are another item that may need to be adjusted to match your needs.
Run the SM-policy-setup.sh script. It will unpack the Data Store and configure it.
At the end you will have a policy-store directory containing the LDAP server (Data Store) fully configured and ready to use by SiteMinder.
You may remove everything except the policy-store directory once configuration is complete.
Explanation of the Script
It is useful to have some insight into what the script is actually doing, especially if you ever want to modify or adapt it. What follows is an explanation of each of the steps.
Unpacking the DS zip file results in a directory named UnboundID-DS. The script renames this directory to the name configured in the script (default: policy-server).
The script then enters this directory and runs the setup script. This configures the server with the parameters defined at the head of the script. It also generates and installs a self-signed certificate to enable LDAPS. Self-signed certificates are usually acceptable for development and performance environments, but depending on local policies you will probably need to use other certificates for QA and Production use. See the Data Store Administration Guide for more details.
There is a file in the server config directory named tools.properties. Most of the command-line utilities read default values for many required parameters from it. This script builds and installs a simple replacement to simplify its own use of the command-line tools. Note that during the configuration phase (while this script is running) this file will contain the Directory Manager password. The password is removed at the end of the script.
SiteMinder makes some assumptions about the behavioral characteristics of its LDAP policy store, mostly based upon the behavior of older, and in some cases less LDAPv3-compliant, servers. The first step in configuration is to make changes to accommodate these:
Set size-limit to zero: allow unlimited number of entries to be returned.
Set time-limit to one hour: Allow requests to run for up to one hour.
Enable unindexed searching globally.
Return full bind failure messages.
Allow schema with multiple structural object classes.
Set index limit to 15,000. This is a typical number. As always with index tuning, this may need to be changed for a given implementation. This is not the maximum size of an index, it is the maximum number of entries with the same value that the index will accommodate.
Enable an extended set of LDAP controls, in particular paged results.
set-access-control-handler-prop --no-prompt \
--add 'global-aci:(targetcontrol="18.104.22.168.1.13.2 || 1.2.840.113522.214.171.1243 || 2.16.840.1.1137126.96.36.199 || 1.2.840.1135188.8.131.525 || 1.2.840.1135184.108.40.2069") (version 3.0; acl "Authenticated access to controls used by Siteminder"; allow (all) userdn="ldap:///all";)'
NOTE that everything following --add is a single line.
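As an added check, not part of the original article or its script, the following Python parses a rootDSE dump (the kind returned by an ldapsearch with an empty base DN and base scope) and reports which required control OIDs the server does not advertise in supportedControl. The sample dump is constructed; the only OID used with meaning is the simple paged results control, 1.2.840.113556.1.4.319 (RFC 2696), which the page names as a required control.

```python
import base64

# Simple paged results control (RFC 2696); the one control named on this page.
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"

# Constructed sample of a rootDSE search result in LDIF form. LDIF folds long
# values onto continuation lines that begin with one space, and may base64-encode
# a value with "::", so the parser below handles both. The folded and encoded
# values are placeholders, not real control OIDs.
SAMPLE_ROOTDSE = "\n".join([
    "dn:",
    "objectClass: top",
    "supportedControl: " + PAGED_RESULTS_OID,
    "supportedControl: 1.3.6.1.4.1.99999",   # folded across two lines
    " .1.1",
    "supportedControl:: " + base64.b64encode(b"1.3.6.1.4.1.99999.1.2").decode(),
    "namingContexts: dc=example,dc=com",
    "",
])


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into a lowercase attribute -> values mapping."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs: dict[str, list[str]] = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):              # "::" marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.lower(), []).append(value)
    return attrs


def missing_controls(ldif_text: str, required: list[str]) -> list[str]:
    """Return the required control OIDs that the rootDSE does not advertise."""
    advertised = set(parse_ldif_entry(ldif_text).get("supportedcontrol", []))
    return [oid for oid in required if oid not in advertised]
```

An advertised control only shows that the server has it enabled; whether the bound SiteMinder user is permitted to send it is governed separately by the targetcontrol ACI above.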
Add the Siteminder schema file (99-siteminder.ldif) to the schema directory of the DS.
cp 99-siteminder.ldif ~policy-store/config/schema
Restart the server to load the new schema.
Now create indexes on some of the newly installed attributes. The script builds a temporary file containing the commands to do this. The commands could simply be run individually, but each would start a new JVM, which takes a long time. By placing them into a single file, a single instance (and one JVM invocation) of the dsconfig command results in a much shorter execution time.
./bin/dsconfig -Q -n -F $TMP
Note that $TMP is a temporary file created by the script; see the script itself for details on how it is created.
These indexes are now configured, but they are unusable until the database has been scanned to determine which entries to add to them. This is fastest when performed off-line; in this case all of the indexes to build can be listed as individual arguments to the command.