Symantec Access Management

Hello. We have to change the LDAP servers used for authentication.  We have two servers where the configuration appears to need changing.  One has CA SiteMinder FSS Administrative UI where this can be done and the other does not have this installed.  On the other server will I have to edit the LDAP entry in the SMDIF file and import it with smobjimport?  Thank you.

Mike_Siteminding

I am not sure which version of CA SSO Policy Server we are using, but it does seem pretty old - as we are talking FSS UI and smobjimport.

However there can be a possibility of using XPSExplorer to edit the User Directory Object (instead of doing export / import). This will be true for versions R12.0 and above. But not applicable for R6.0.

Regards

Hubert

Hi Mike,

Are both the policy servers connecting to the same Policy store ? If yes, making changes in one Policyserver will update the policy store and make it available for other one too. You don't have to update it individually from all the policy servers.

You can also use Siteminder Policy Reader  to view your policystore objects in READ-ONLY mode.

Regards

Ashok

Hi Ashok,

How would I know if both servers read from the same policy store, and how does the server without the CA SiteMinder FSS Administrative UI know how to update?  Would that simply be a reboot?

Thank you.

Check smconsole settings as shown below, this is where you configure your Policystore. You don't have to reboot anything, Object changes are updated/synced automatically if you are connecting to the same policystore.

Slight issue.  Mine is blank (both servers).  The ODBC storage does have settings though (both servers).  So I have looked in the ODBC settings in control panel which has settings to point to this source.  So LDAP is not used for the policy store then!

As you can see from my original post the question was about changing LDAP servers.  Probably I'm not understanding the configuration here in regards to the LDAP settings.  I see the server names (that I need to change) under the CA SiteMinder FSS Administrative UI  - System Tab - User Directories. On opening my user directory entry, the namespace says LDAP followed by my server names and lower down the LDAP configuration.  So this is where I can easily change the names on this server.  Where is this setting on the other server? 

Are we saying that irrelevant of the policy store type (ODBC or LDAP) that both servers will read this store and therefore I only have to make the change in the single location/one server only?

Thanks.

Policystore can be either LDAP or DB which does not matter as long as your connecting to the same store, all the Policy objects are shared among the policy servers.

And User Directory where users are getting authenticated/authorized is separate from the Policystore and has to be configured in adminUI.

Coming back to the point, Yes, irrelevant of the policystore type both the policyservers will read the same store and you just need to make this changes in any one of the Policyserver FSS AdminUI.

Hope you are clear now.

Regards

Ashok

Hi Ashok,

Thanks for the clarifications.

You have told me what I need to know.  Thank you