
LDAP or AD in namespace at User Directory

Question asked by hapagola on Jul 23, 2013
Latest reply on Jul 23, 2013 by JPerlmutter
We are tuning our AD integration configuration.
We have:
SiteMinder Policy Server: 12.5
Windows 2008 R2
Agent for SharePoint 12.5 SP1
We have 1 million users in AD that authenticate to SharePoint.

* LDAP or AD in namespace:
At TEC480272 "Pre-requisites for enhanced Active Directory integration", we could read
"Use LDAP NameSpace for the user directory definition"
(https://support.ca.com/irj/portal/anonymous/kbtech?searchID=TEC480272&docid=480272)

but at TEC490890 we read "AD in AD namespace"
(https://support.ca.com/irj/portal/kbtech?searchID=TEC490890&docid=490890)

We could see at tech notes TEC589990 and TEC581220 a couple of things to be reviewed.
We understand that the best config is LDAP with Enhanced Active Directory Integration activated,
do you agree?


* Actual configuration:

At the moment we have namespace=LDAP

Namespace: LDAP
Server: 2 domain controllers
Secure Connection: True
Require Credentials: True

LDAP Search:
Root: dc=etc, dc=domain, dc=com

LDAP User DN LookUp:
Start: (&(mail=
End: )(objectclass=top)(objectclass=person))

User Attributes:
UniversalID=sAMAccountName
Password=unicodePWD
Email=mail

Attribute Mapping List (to be used by the agent for SharePoint):
useridentifier alias=sAMAccountName
smusergroups alias=name
EmailAddress alias=mail
smuserdisplayname alias=displayName

Enhanced Active Directory integration is activated.

We also have (because people picker searches from SharePoint):
Enable Paging for Searches of Active Directory User Stores (64-bit systems)
https://support.ca.com/cadocs/0/CA%20SiteMinder%20Agent%20for%20SharePoint%202010%20r12%20SP3-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?1125224.html?fromKBResultsScreen=T



Questions:

1. We need to know which is the recommended Namespace to use at the User Directory definition.
Should we use AD as in TEC490890 or LDAP as in TEC480272?

2. Could anyone validate our LDAP config? We understand that if we do not use "Password Policies" of SiteMinder we do not need to set Disabled Flag and Password Data in User Attributes.
Is it correct?

3. At TEC480272 for LDAP namespaces it says:
"If the user store connection is configured with the LDAP namespace, disable the EnableADEnhancedReferals registry key.
Disabling this registry key prevents LDAP connection errors from occurring."

Does anyone know the impact of modifying the EnableADEnhancedReferals registry key?
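
As an added illustration (not code from the original post, from CA or from SiteMinder) of how the "LDAP User DN LookUp" Start/End fragments quoted above are joined around the identifier a user enters, and why that identifier should be escaped per RFC 4515 before it is placed in the filter: the join itself is assumed to be a plain concatenation for the purpose of this example, since the Policy Server's internal escaping is not described on this page.

```python
# Added example, not SiteMinder or CA code: assembles the "LDAP User DN LookUp"
# filter from the Start/End fragments in the post and escapes the value entered
# at login per RFC 4515, so '*', '(' and ')' in the entered identifier are
# matched literally instead of being read as filter syntax.
START = "(&(mail="
END = ")(objectclass=top)(objectclass=person))"

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(identifier: str, start: str = START, end: str = END) -> str:
    """Join Start + escaped identifier + End (assumed plain concatenation)."""
    return f"{start}{escape_filter_value(identifier)}{end}"


def is_balanced(filter_str: str) -> bool:
    """Sanity check that the assembled filter has matching parentheses.

    Parentheses inside values no longer count once they are escaped.
    """
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample identifiers, not real accounts.
    for ident in ("jdoe@example.com", "a*b@example.com", "x(y)@example.com"):
        f = build_lookup_filter(ident)
        print(f, "balanced" if is_balanced(f) else "UNBALANCED")
```

Without the escaping step, an identifier containing `*` would become a wildcard match against `mail` and the lookup could return more than one entry, which is the kind of ambiguous result the Start/End lookup is meant to avoid.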
