Configure LDAP Storage Options

This content describes how to configure LDAP storage options for policy stores and sessions stores.
Configure CA Single Sign-On to Point to an LDAP Directory Server
Use the LDAP context-sensitive storage controls in the Policy Server Management Console to point CA Single Sign-On to an LDAP directory server that is configured as:
  • A policy store
  • A session store
Use the Administrative UI to point to an LDAP directory server that is configured as a user directory.
Configure an LDAP Database
CA Directory is the only LDAP directory server that you can use as a session store. For more information, see the CA Single Sign-On Platform Support Matrix.
To configure an LDAP database
  1. Open the Policy Server Management Console.
  2. Specify the Server name or IP address of the LDAP server in the LDAP IP Address field. For performance reasons, the IP address is preferred.
    You can specify multiple servers in this field to allow for LDAP server failover.
  3. Specify the LDAP branch under which the CA Single Sign-On schema is located in the Root DN field (for example, o=myorg.org).
  4. If your Policy Server communicates with the LDAP directory over SSL, select the Use SSL check box.
    If you select this option, you must specify a certificate database in the Netscape Certificate Database File field.
  5. Specify the DN of the LDAP directory administrator (for example, cn=Directory Manager) in the Admin Username field.
  6. Enter the administrative password for the LDAP directory in the Admin Password field.
  7. Confirm the administrative password for the LDAP directory in the Confirm Password field.
  8. Click Test LDAP Connection to verify that the parameters you entered are correct and that the connection can be made.
  9. Restart the Policy Server. The changes do not take effect until the Policy Server is restarted.
Configure LDAP Failover
If you have multiple LDAP directories, you can configure directories for failover. To enable failover, enter LDAP server IP addresses and port numbers in the LDAP Server field as a space-delimited list of LDAP server addresses. You can specify a unique port for each server. If your LDAP servers are running on a non-standard port (the standard ports are 389 for non-SSL and 636 for SSL), append the port number to the server IP address using a ':' as a delimiter. For example, if your servers are running on ports 511 and 512, you can enter the following:
123.123.12.11:511 123.123.12.22:512
If the LDAP server 123.123.12.11 on port 511 does not respond to a request, the request is automatically passed to 123.123.12.22 on port 512.
If all of your LDAP servers are running on the same port, you can append the port number to the last server in the sequence. For example, if all of your servers are running on port 511, you can enter the following text:
123.123.12.11 123.123.12.22:511
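The following parser, added here as an illustration and not part of CA Single Sign-On, shows how the two field values above are interpreted. The rule that a port appended to the last server applies to earlier servers listed without one, with 389 or 636 as the fallback, is an assumption drawn from the examples on this page; the select_server helper models the failover order the text describes.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class LdapServer:
    host: str
    port: int


def parse_failover_list(field: str, use_ssl: bool = False) -> List[LdapServer]:
    """Parse the space-delimited failover list from the LDAP Server field.

    Each token is "host" or "host:port". A port appended to the last token is
    applied to every earlier token that has no port of its own (assumption
    drawn from the examples above); tokens still without a port get the
    standard 389 (non-SSL) or 636 (SSL).
    """
    tokens = field.split()
    if not tokens:
        raise ValueError("LDAP Server field is empty")
    hosts: List[str] = []
    ports: List[Optional[int]] = []
    for tok in tokens:
        host, sep, port = tok.rpartition(":")
        if not sep:                      # plain host, no port given
            hosts.append(tok)
            ports.append(None)
            continue
        if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"malformed server entry {tok!r}")
        hosts.append(host)
        ports.append(int(port))
    # A port on the last server applies to the servers listed without one.
    inherited = ports[-1] if ports[-1] is not None else (636 if use_ssl else 389)
    return [LdapServer(h, p if p is not None else inherited)
            for h, p in zip(hosts, ports)]


def select_server(servers: List[LdapServer],
                  is_up: Callable[[LdapServer], bool]) -> Optional[LdapServer]:
    """Failover order: the first server that responds handles the request.
    None means every listed server is unavailable."""
    for server in servers:
        if is_up(server):
            return server
    return None


if __name__ == "__main__":
    # Constructed input: the two field values shown above.
    for entry in ("123.123.12.11:511 123.123.12.22:512", "123.123.12.11 123.123.12.22:511"):
        print(entry, "->", parse_failover_list(entry))
```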
Configure Enhanced LDAP Referral Handling
Enhancements have been made to the LDAP referral handling to improve performance and redundancy. Previous versions supported automatic LDAP referral handling through the LDAP SDK layer. When an LDAP referral occurred, the LDAP SDK layer handled the execution of the request on the referred server without any interaction with the Policy Server.
CA Single Sign-On provides support for non-automatic (enhanced) LDAP referral handling. With non-automatic referral handling, an LDAP referral is returned to the Policy Server rather than to the LDAP SDK layer. The referral contains all of the information necessary to process the referral. The Policy Server can detect whether the LDAP directory that is specified in the referral is operational, and can terminate a request if the appropriate LDAP directory is not functioning. This feature addresses performance issues that arise when an LDAP referral to an offline system causes a constant increase in request latency. Such an increase can cause the Policy Server to become saturated with requests.
To configure LDAP referral handling
  1. Open the Policy Server Management Console.
    On Windows Server, if User Account Control (UAC) is enabled, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA Single Sign-On component.
  2. Select the Data tab.
    • Enable Enhanced Referrals
      Set this option to have the Policy Server handle LDAP referrals itself (enhanced handling), rather than allowing the LDAP SDK layer to handle them.
    • Max Referral Hops
      Indicates the maximum number of consecutive referrals that are allowed while attempting to resolve the original request. Since a referral can point to a location that requires additional referrals, this limit is helpful when replication is misconfigured, causing referral loops.
  3. Modify the values as required.
  4. Restart the Policy Server.
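The following model, added here as an illustration and not CA Single Sign-On code, shows the two behaviours of enhanced referral handling described above: the referred directory is checked before the request is forwarded, and the chain of consecutive referrals is cut off at Max Referral Hops. The referral_map and is_operational inputs are constructed stand-ins for what the directory and the Policy Server's availability check would provide.

```python
from typing import Callable, Dict


class ReferralTerminated(Exception):
    """The Policy Server gives up on the request instead of chasing the referral."""


def resolve_referrals(start: str, referral_map: Dict[str, str],
                      is_operational: Callable[[str], bool], max_hops: int) -> str:
    """Follow LDAP referrals from `start` until a server answers directly.

    referral_map maps a server to the server it refers the request to; a
    server absent from the map answers the request itself. is_operational
    stands in for the Policy Server's check of the referred directory.
    """
    current, hops = start, 0
    while current in referral_map:
        target = referral_map[current]
        hops += 1
        if hops > max_hops:
            raise ReferralTerminated(
                f"{hops} consecutive referrals exceed Max Referral Hops={max_hops} "
                f"({current} -> {target}); possible referral loop")
        # Enhanced handling: check the referred directory before forwarding the
        # request, so an offline target does not hold the worker thread.
        if not is_operational(target):
            raise ReferralTerminated(f"referral target {target} is not operational")
        current = target
    return current


def outcome(start: str, referral_map: Dict[str, str],
            is_operational: Callable[[str], bool], max_hops: int) -> str:
    """Return 'resolved:<server>' or 'terminated:<reason>' for a request."""
    try:
        return "resolved:" + resolve_referrals(start, referral_map, is_operational, max_hops)
    except ReferralTerminated as exc:
        return "terminated:" + str(exc)


if __name__ == "__main__":
    # Constructed topologies: a simple chain, and a loop caused by
    # misconfigured replication where two servers refer to each other.
    chain = {"ldap1": "ldap2"}
    loop = {"ldap3": "ldap4", "ldap4": "ldap3"}
    print(outcome("ldap1", chain, lambda s: True, 5))
    print(outcome("ldap3", loop, lambda s: True, 5))
    print(outcome("ldap1", {"ldap1": "ldap-down"}, lambda s: s != "ldap-down", 5))
```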
Configure the LDAP Search Timeout for Policy, Session, and Key Stores
The LDAP search timeout determines how long the Policy Server waits for the results of a search from an LDAP directory. The LDAP search timeout also determines how long the Policy Server waits for the initial load of data from an LDAP directory upon startup and for LDAP updates.
Examples of factors that influence the appropriate value for this setting include (but are not limited to) the following items:
  • The network speed
  • The size of the LDAP search query response
  • The LDAP connection state
  • The load on the LDAP server
A large enough value prevents any LDAP timeouts when fetching large amounts of data. However, too large a value increases the time the Policy Server waits (and holds the requesting worker thread) before it times out a failed request.
To resolve LDAP search timeout errors, increase the value of the following registry setting:
SearchTimeout
Specifies the LDAP search timeout, in seconds, for LDAP policy stores.
Configure this setting at one of the following registry locations:
  • Policy store:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore\SearchTimeout
  • Session store
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapSessionServer\SearchTimeout
    This value does not affect the maintenance search timeout that is configured using the MaintenanceQueryTimeout registry setting.
  • Key store
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapKeyStore\SearchTimeout
    Default: 20 (This value is also used when the registry setting does not exist.)
    Example: 120
Configure the LDAP Ping Timeout for the Policy Store, Session Store, and All User Directories
The LDAP Ping timeout is used for all short operations such as connect, bind, and ping searches. Bind includes the following operations:
  • Policy server authenticating to the LDAP directory before sending search and modify requests 
  • User basic password authentications against an LDAP user directory 
The default LDAP Ping timeout value for policy stores, session stores, and user directories is 10 seconds.
Increasing the Ping timeout increases the time that it takes for the Policy Server to detect that a network connection to a policy store, session store, or user directory is down.
To prevent LDAP ping timeout errors, increase the value of the following registry setting:
  • LDAPPingTimeout
    Specifies the LDAP ping timeout value in seconds.
    Configure this setting at the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug\LDAPPingTimeout
    Default: 10
Increase the Administrative UI Buffer Size for Large LDAP Policy Stores
Large LDAP policy stores can cause Administrative UI performance issues.
To prevent these problems, increase the value of the following registry setting:
  • Max AdmComm Buffer Size
    Specifies the Administrative UI buffer size (the maximum amount of data, in bytes) that the Policy Server passes to the Administrative UI in one packet.
    Configure this setting at the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServ\Max AdmComm Buffer Size
    CA Technologies recommends using caution when setting this value. Allocation of a larger buffer decreases overall performance.
    Range: 256 KB to 2,097,000 KB
    Default: 256 KB (also applies when this registry setting does not exist).
Configure LDAP Server Checker Interval
Once the connections with the LDAP directory servers are established, CA SSO regularly checks the availability of the LDAP servers.
LDAPServerCheckerInterval
Specifies how often (in seconds) the Policy Server polls the LDAP servers to retrieve the availability information.
Default: 30 sec (This value is also used when the registry setting does not exist.)
To configure this setting, you must add the DWORD value key LDAPServerCheckerInterval in the following registry location and update the value:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug