Problem:
When a response is configured to return the default SiteMinder variables %SM_USERGROUPS or %SM_USERNESTEDGROUPS, the value returned is empty. What could be the cause?
Environment:
Policy Server 12.52SP1 on Windows 2008 R2
Web Agent 12.52SP1 on Windows 2008 R2 / IIS 7.5
Resolution:
Check the LDAP search that the Policy Server performs when it evaluates the response. The query and its results appear in the Policy Server trace (with all components and data fields enabled) during the Authorization stage, at the point where the response is evaluated:
[Start of call GetGroups.][SmDsUser.cpp:313][CSmDsUser::GetGroups][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][User ='cn=u1,dc=ca,dc=com'][][][][][][][][][]
[search filter is : (|(&(objectclass=groupOfNames)(member=cn=u1,dc=ca,dc=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=u1,dc=ca,dc=com))(&(objectclass=group)(member=cn=u1,dc=ca,dc=com)))][SmDsLdapProvider.cpp:1783][CSmDsLdapProvider::SearchImpl][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[LDAP search of (|(&(objectclass=groupOfNames)(member=cn=u1,dc=ca,dc=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=u1,dc=ca,dc=com))(&(objectclass=group)(member=cn=u1,dc=ca,dc=com))) took 0 seconds and 15600 microseconds][SmDsLdapConnMgr.cpp:1201][CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[Ldap Search callout succeeds.][SmDsLdapProvider.cpp:2311][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][(Search) Base: 'dc=pstore,dc=com', Filter: '(|(&(objectclass=groupOfNames)(member=cn=u1,dc=pstore,dc=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=u1,dc=pstore,dc=com))(&(objectclass=group)(member=cn=u1,dc=pstore,dc=com)))'. Status: 2 entries][][][][][][][][][]
The "Status" of the search shows how many groups the LDAP query returned for the user. If the count is zero, run the same base DN and filter from an external LDAP client to determine whether the empty value is caused by an incorrect Root DN (search base DN) in the User Directory definition: a user whose DN does not sit under the configured Root DN will never match the membership filter.
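The following Python helper is an added example and is not part of this article or of the SiteMinder product: it parses the "(Search) Base … Filter … Status" record from a trace line of the shape shown above, checks whether the user DN in the membership filter actually lies under the search base, and prints an equivalent OpenLDAP ldapsearch command that reproduces the query from an external client. The host name and bind DN are assumed placeholders, and the sample trace lines are constructed for the example.

```python
import re

# Constructed sample trace records, modelled on the Policy Server trace format shown above.
# The first mirrors the healthy case (2 groups found); the second is a constructed case where
# the user DN sits outside the configured search base, so the membership search finds nothing.
SAMPLE_OK = (
    "[Ldap Search callout succeeds.][SmDsLdapProvider.cpp:2311][CSmDsLdapProvider::Search]"
    "[(Search) Base: 'dc=pstore,dc=com', Filter: '(|(&(objectclass=groupOfNames)"
    "(member=cn=u1,dc=pstore,dc=com))(&(objectclass=groupOfUniqueNames)"
    "(uniqueMember=cn=u1,dc=pstore,dc=com))(&(objectclass=group)"
    "(member=cn=u1,dc=pstore,dc=com)))'. Status: 2 entries]"
)
SAMPLE_WRONG_BASE = (
    "[Ldap Search callout succeeds.][SmDsLdapProvider.cpp:2311][CSmDsLdapProvider::Search]"
    "[(Search) Base: 'dc=pstore,dc=com', Filter: '(|(&(objectclass=groupOfNames)"
    "(member=cn=u1,dc=ca,dc=com))(&(objectclass=groupOfUniqueNames)"
    "(uniqueMember=cn=u1,dc=ca,dc=com))(&(objectclass=group)"
    "(member=cn=u1,dc=ca,dc=com)))'. Status: 0 entries]"
)

SEARCH_RE = re.compile(
    r"\(Search\) Base: '(?P<base>[^']*)', Filter: '(?P<filter>.*?)'\. Status: (?P<count>\d+) entr"
)


def parse_search_trace(line):
    """Extract base DN, filter and entry count from a '(Search) ...' trace record, or None."""
    m = SEARCH_RE.search(line)
    if not m:
        return None
    return {"base": m.group("base"), "filter": m.group("filter"), "entries": int(m.group("count"))}


def group_filter_for_user(user_dn):
    """Rebuild the three-branch group membership filter the trace shows for a given user DN."""
    return (
        "(|(&(objectclass=groupOfNames)(member=%s))"
        "(&(objectclass=groupOfUniqueNames)(uniqueMember=%s))"
        "(&(objectclass=group)(member=%s)))" % (user_dn, user_dn, user_dn)
    )


def user_dn_from_filter(filter_str):
    """Pull the user DN out of the first '(member=...)' clause of the filter."""
    m = re.search(r"\(member=([^)]+)\)", filter_str)
    return m.group(1) if m else None


def normalize_dn(dn):
    # Case-insensitive, whitespace-insensitive comparison of RDN sequences.
    # Simplification: DNs containing escaped commas ('\,') are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under_base(dn, base):
    """True if dn equals base or is a descendant of it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def ldapsearch_command(host, bind_dn, base, filter_str):
    """Equivalent OpenLDAP client query (single quotes are safe: LDAP filters never contain them)."""
    return "ldapsearch -H ldap://%s -x -D '%s' -W -b '%s' '%s' dn" % (host, bind_dn, base, filter_str)


def diagnose(line):
    """Return (status, message) describing why a group search may have returned nothing."""
    parsed = parse_search_trace(line)
    if parsed is None:
        return ("unparsed", "no (Search) record in this trace line")
    user_dn = user_dn_from_filter(parsed["filter"])
    if user_dn and not dn_under_base(user_dn, parsed["base"]):
        return ("outside_base",
                "user %s is not under search base %s: check the Root DN of the User Directory"
                % (user_dn, parsed["base"]))
    if parsed["entries"] == 0:
        return ("no_entries", "search base is fine but no group lists this user as a member")
    return ("ok", "%d group(s) returned" % parsed["entries"])


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_WRONG_BASE):
        rec = parse_search_trace(sample)
        print(diagnose(sample))
        # Placeholder host and bind DN: replace with the real directory values.
        print(ldapsearch_command("ldap.example.invalid", "cn=smadmin,dc=pstore,dc=com",
                                 rec["base"], rec["filter"]))
```

Run it against a trace excerpt to get both the diagnosis and a ready-made ldapsearch line; if the external client returns the same zero entries with the trace's own base DN, the Root DN in the User Directory (or the group objects' member attributes) is the place to look rather than the response definition.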
Additional Information: