Symantec Access Management

  • 1.  How is the default header SM_USERGROUPS fetched from LDAP

    Posted Jul 28, 2016 08:30 AM

    Hi All,

     

    I would like to understand how the SiteMinder default header SM_USERGROUPS is fetched from an LDAP user directory.

    In an ODBC user directory we have an appropriate SQS section to fetch the values from the DB. But I am not sure how the product works with LDAP for the default headers.

    Is there any document which explains how the SiteMinder default header is fetched from LDAP?

    Can anyone share some idea?



  • 2.  Re: How is the default header SM_USERGROUPS fetched from LDAP

    Broadcom Employee
    Posted Jul 29, 2016 12:01 AM

    Hi,

     

    Unfortunately, I cannot find any documentation on the LDAP search for SM_USERGROUPS. However, I found a past case regarding SM_USERGROUPS.

    In smtracedefault.log, the following series of messages was written (with no sensitive data). They are for 'user1'.

     

    Line-1:

    [Start of call GetGroups.][][][][][][][][][SmDsUser.cpp:285][16:48:22.535][CSmDsUser::GetGroups][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][User ='uid=user1,ou=Users,dc=ca,dc=com'][][][][][][][]

    Line-2:

    [LDAP search of (|(&(objectclass=groupOfNames)(member=uid=user1,ou=Users,dc=ca,dc=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=uid=user1,ou=Users,dc=ca,dc=com))(&(objectclass=group)(member=uid=user1,ou=Users,dc=ca,dc=com))) took 0 seconds and 15624 microseconds][][][][][][][][][SmDsLdapConnMgr.cpp:1159][16:48:22.550][CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    Line-3:

    [Ldap Search callout succeeds.][][][][][][][][][SmDsLdapProvider.cpp:2145][16:48:22.550][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][(Search) Base: 'dc=ca,dc=com', Filter: '(|(&(objectclass=groupOfNames)(member=uid=user1,ou=Users,dc=ca,dc=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=uid=user1,ou=Users,dc=ca,dc=com))(&(objectclass=group)(member=uid=user1,ou=Users,dc=ca,dc=com)))'. Status: 150 entries][][][][][][][]

     

    In Line-2, the LDAP search is done for three expressions combined with the OR operator '|'.

    1. (&(objectclass=groupOfNames)(member=uid=user1,ou=Users,dc=ca,dc=com))
    2. (&(objectclass=groupOfUniqueNames)(uniqueMember=uid=user1,ou=Users,dc=ca,dc=com))
    3. (&(objectclass=group)(member=uid=user1,ou=Users,dc=ca,dc=com))

     

    I hope this helps.

     

    Regards,

    Koichi



  • 3.  Re: How is the default header SM_USERGROUPS fetched from LDAP

    Posted Jul 29, 2016 01:09 AM

    Hi Saravanan Velusamy,

    The following two registry entries define the LDAP query for SM_USERGROUPS:

     

    • HKEY_LOCAL_MACHINE\software\wow6432node\netegrity\SiteMinder\CurrentVersion\Ds\GroupClassFilters
    • HKEY_LOCAL_MACHINE\software\wow6432node\netegrity\SiteMinder\CurrentVersion\Ds\LdapMatchUserDN

     

    And the query format is like:

    (|
    (&(objectclass = <GroupClassFilter1_From_GroupsClassFilters>) (<Attribute_Name_From_LdapMatchUserDN_Corresponding_To_GroupClassFilter1>=<USERDN>))
    (&(objectclass = <GroupName_From_GroupClassFilter_2>) (<Attribute_Name_From_LdapMatchUserDN_Corresponding_To_GroupClassFilter2>=<USERDN>))
    (&(objectclass = <GroupName_From_GroupClassFilter_3>) (<Attribute_Name_From_LdapMatchUserDN_Corresponding_To_GroupClassFilter3>=<USERDN>))
    and so on..
    )

     

    From Koichi's example:

    (|
    (&(objectclass=groupOfNames)(member=uid=user1,ou=Users,dc=ca,dc=com))
    (&(objectclass=groupOfUniqueNames)(uniqueMember=uid=user1,ou=Users,dc=ca,dc=com))
    (&(objectclass=group)(member=uid=user1,ou=Users,dc=ca,dc=com))
    )

    Hope this clarifies your query.

     

    Regards,

    Ujwol
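
The filter construction described in the two replies above, as an added example that is not part of the thread and not SiteMinder's own code: it rebuilds the group-membership filter from class/attribute pairs and pulls the filter and timing out of a `SearchExts` trace line so the two can be compared. The parallel-list layout of the two registry values and the RFC 4515 escaping of the user DN are assumptions; all function and variable names are hypothetical.

```python
import re

# Pairs taken from the filter visible in the trace. How the two registry values
# are stored is not shown in the thread; parallel ordering is assumed here.
GROUP_CLASS_FILTERS = ["groupOfNames", "groupOfUniqueNames", "group"]
LDAP_MATCH_USER_DN = ["member", "uniqueMember", "member"]
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape characters that are special inside an LDAP filter value (RFC 4515)."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)

def build_group_filter(user_dn, classes=GROUP_CLASS_FILTERS, attrs=LDAP_MATCH_USER_DN):
    """Build the OR-of-ANDs membership filter in the format described in the thread."""
    if len(classes) != len(attrs):
        raise ValueError("each group object class needs one membership attribute")
    dn = escape_filter_value(user_dn)  # assumption: escaping is added by this example
    clauses = [f"(&(objectclass={c})({a}={dn}))" for c, a in zip(classes, attrs)]
    return "(|" + "".join(clauses) + ")"

_TRACE_RE = re.compile(
    r"\[LDAP search of (?P<filter>.+?) took (?P<s>\d+) seconds and (?P<us>\d+) microseconds\]"
)

def parse_search_trace(line):
    """Return (filter, elapsed_seconds) from a SearchExts trace line, or None."""
    m = _TRACE_RE.search(line)
    if not m:
        return None
    return m.group("filter"), int(m.group("s")) + int(m.group("us")) / 1_000_000

# Line-2 from the thread, shortened: the runs of empty [] fields are dropped.
SAMPLE_LINE = (
    "[LDAP search of (|(&(objectclass=groupOfNames)(member=uid=user1,ou=Users,dc=ca,dc=com))"
    "(&(objectclass=groupOfUniqueNames)(uniqueMember=uid=user1,ou=Users,dc=ca,dc=com))"
    "(&(objectclass=group)(member=uid=user1,ou=Users,dc=ca,dc=com)))"
    " took 0 seconds and 15624 microseconds]"
    "[SmDsLdapConnMgr.cpp:1159][16:48:22.550][CSmDsLdapConn::SearchExts]"
)

if __name__ == "__main__":
    logged_filter, elapsed = parse_search_trace(SAMPLE_LINE)
    rebuilt = build_group_filter("uid=user1,ou=Users,dc=ca,dc=com")
    print("filters match:", rebuilt == logged_filter)
    print("search time (s):", elapsed)
```

Comparing the rebuilt filter with the one in smtracedefault.log is a quick way to confirm which object classes and membership attributes a Policy Server is actually searching on.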



  • 4.  Re: How is the default header SM_USERGROUPS fetched from LDAP



  • 5.  Re: How is the default header SM_USERGROUPS fetched from LDAP
    Best Answer

    Posted Jul 31, 2016 10:14 PM

    Does this clarify your question, Saravanan? If yes, please mark this question as answered.



  • 6.  Re: How is the default header SM_USERGROUPS fetched from LDAP

    Posted Aug 04, 2016 01:13 AM

    Thanks Ujwal. This helps a lot!!!