Symantec Access Management

  • 1.  SM LDAP Search Filters default to "objectclass=*"

    Broadcom Employee
    Posted May 21, 2018 02:51 PM

    This is on SSO 12.7 SP2 (RHEL 7.x), AD 2012 as the user Store.

     

    SMTrace log has several LDAP search queries related to "objectclass=*"; it's not reading the global search filters from the sm.registry file, as below. The Active Directory server team mentioned they saw queries that try to find 6 million+ entries. I would think it might be SiteMinder sending a broader query "objectclass=*".

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\UserClassFilters=599500353

    LDAP:=                  inetOrgPerson,organizationalPerson,person;      REG_SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\GroupClassFilters=1022604861

    LDAP:=                  groupOfNames,groupOfUniqueNames,group;  REG_SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\OrgClassFilters=769973378

    LDAP:=                  organization,organizationalUnit;        REG_SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\ClassFilters=535339799

    LDAP:=                  organization,organizationalUnit,groupOfNames,groupOfUniqueNames,group;  REG_SZ

    Both the "User Object" and "User Class" properties are BLANK in the User Directory definition.

    Any idea why SM defaults its search filter to "objectclass=*" and does not use the filters from the registry settings?



  • 2.  Re: SM LDAP Search Filters default to "objectclass=*"

    Broadcom Employee
    Posted May 21, 2018 03:13 PM

    Makesh,

    I believe those queries are from the LDAP ping mentioned in the KB article below, which is triggered every 10 seconds by default.

    LDAP Stores :: Ping Search - CA Knowledge

    Regards

    Ashok



  • 3.  Re: SM LDAP Search Filters default to "objectclass=*"

    Broadcom Employee
    Posted May 21, 2018 03:58 PM

    It's happening for all LDAP search calls, not just Ping.

    [05/21/2018][14:47:13.689][14:47:13][67375][140297556178688][SmDsUser.cpp:144][CSmDsUser::CSmDsUser][][][][][][][][][][][][][][][][][][][About to initialize User 'CN=A211147,OU=Users,OU=RCA,OU=SOHO,OU=People,DC=corp,DC=abc,DC=com' in dir 'OcoeMembers'][][Start of call InitUser.][][][][][][][][][][][][][][][]
    [05/21/2018][14:47:13.689][14:47:13][67375][140297556178688][SmDsLdapProvider.cpp:1901][CSmDsLdapProvider::SearchImpl][][][][][][][][][][][][][][][][][][][][][search filter is : objectclass=*][][][][][][][][][][][][][][][]
    [05/21/2018][14:47:13.691][14:47:13][67375][140297556178688][SmDsLdapConnMgr.cpp:1218][CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][LDAP search of objectclass=* took 0 seconds and 1978 microseconds][][][][][][][][][][][][][][][]
    [05/21/2018][14:47:13.691][14:47:13][67375][140297556178688][SmDsLdapProvider.cpp:2344][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Retrieving attributes for: 'CN=A211147,OU=Users,OU=RCA,OU=SOHO,OU=People,DC=hncorp,DC=abc,DC=com', Filter: 'objectclass=*'. Status: 1 matching objects.][][Ldap Search callout succeeds.][][][][][][][][][][][][][][][]
    [05/21/2018][14:47:13.691][14:47:13][67375][140297556178688][SmDsUser.cpp:154][CSmDsUser::CSmDsUser][][][][][][][][][][][][][][][][][][][][][Return from call InitUser.][][][][][][][][][][][][][][][]



  • 4.  Re: SM LDAP Search Filters default to "objectclass=*"
    Best Answer

    Posted May 21, 2018 05:50 PM

    This is working as designed. What it is doing is reading all attributes for a specific userdn.


    Retrieving attributes for: 'CN=A211147,OU=Users,OU=RCA,OU=SOHO,OU=People,DC=hncorp,DC=abc,DC=com', Filter: 'objectclass=*'. Status: 1 matching objects
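
As an added example (not from the thread, and not Broadcom/CA code), here is a small Python script that parses SmTrace lines like the ones posted above and separates the per-DN attribute reads the best answer describes (filter objectclass=* against a user DN, one matching object) from broad container searches of the kind that would explain the AD team's six-million-entry observation. The classification by the first RDN of the search base is my own heuristic, not documented SiteMinder behaviour, and the two lines showing a container search with a 12-second timing are constructed for contrast, since the thread's own lines only show single-object lookups.

```python
import re
from collections import Counter

# Sample SmTrace lines. The first three are copied from the thread above; the last
# two are CONSTRUCTED for illustration (a container-based objectclass=* search that
# returns millions of objects and its timing line) so that both cases appear.
SAMPLE_LINES = [
    "[05/21/2018][14:47:13.689][14:47:13][67375][140297556178688][SmDsLdapProvider.cpp:1901][CSmDsLdapProvider::SearchImpl][][][][][][][][][][][][][][][][][][][][][search filter is : objectclass=*][][][][][][][][][][][][][][][]",
    "[05/21/2018][14:47:13.691][14:47:13][67375][140297556178688][SmDsLdapConnMgr.cpp:1218][CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][LDAP search of objectclass=* took 0 seconds and 1978 microseconds][][][][][][][][][][][][][][][]",
    "[05/21/2018][14:47:13.691][14:47:13][67375][140297556178688][SmDsLdapProvider.cpp:2344][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Retrieving attributes for: 'CN=A211147,OU=Users,OU=RCA,OU=SOHO,OU=People,DC=hncorp,DC=abc,DC=com', Filter: 'objectclass=*'. Status: 1 matching objects.][][Ldap Search callout succeeds.][][][][][][][][][][][][][][][]",
    "[05/21/2018][14:47:14.120][14:47:14][67375][140297556178688][SmDsLdapConnMgr.cpp:1218][CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][LDAP search of objectclass=* took 12 seconds and 40 microseconds][][][][][][][][][][][][][][][]",
    "[05/21/2018][14:47:14.120][14:47:14][67375][140297556178688][SmDsLdapProvider.cpp:2344][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Retrieving attributes for: 'OU=People,DC=hncorp,DC=abc,DC=com', Filter: 'objectclass=*'. Status: 6000000 matching objects.][][Ldap Search callout succeeds.][][][][][][][][][][][][][][][]",
]

# Message formats as they appear in the posted trace lines.
SEARCH_RE = re.compile(
    r"Retrieving attributes for: '(?P<dn>[^']*)', Filter: '(?P<filter>[^']*)'\. "
    r"Status: (?P<count>\d+) matching object"
)
TIMING_RE = re.compile(
    r"LDAP search of (?P<filter>.+?) took (?P<sec>\d+) seconds and (?P<usec>\d+) microseconds"
)

# RDN types that identify a single user entry rather than a container (assumption).
LEAF_RDN_TYPES = ("cn=", "uid=")


def fields(line):
    """Split one SmTrace line into its bracketed fields, dropping the empty ones."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return []
    return [f for f in line[1:-1].split("][") if f]


def classify_dn(dn):
    """Heuristic: an objectclass=* search whose base is a leaf entry (CN=/UID=...) is
    the per-user attribute read described in the thread; one whose base is a
    container (OU=/DC=...) is a broad enumeration worth investigating."""
    first_rdn = dn.split(",", 1)[0].strip().lower()
    return "dn-lookup" if first_rdn.startswith(LEAF_RDN_TYPES) else "container-search"


def analyze(lines):
    """Return (searches, timings) extracted from SmDsLdapProvider::Search and
    CSmDsLdapConn::SearchExts trace lines."""
    searches, timings = [], []
    for line in lines:
        for f in fields(line):
            m = SEARCH_RE.search(f)
            if m:
                dn, count = m.group("dn"), int(m.group("count"))
                searches.append({"dn": dn, "filter": m.group("filter"),
                                 "matches": count, "kind": classify_dn(dn)})
                break
            m = TIMING_RE.search(f)
            if m:
                usec = int(m.group("sec")) * 1_000_000 + int(m.group("usec"))
                timings.append({"filter": m.group("filter"), "usec": usec})
                break
    return searches, timings


def suspicious(searches, max_matches=1):
    """Searches that are not a single-object lookup: container base or many matches."""
    return [s for s in searches if s["kind"] != "dn-lookup" or s["matches"] > max_matches]


def report(lines):
    """Summarise kinds of objectclass=* searches and total LDAP time per filter."""
    searches, timings = analyze(lines)
    kinds = Counter(s["kind"] for s in searches)
    time_by_filter = Counter()
    for t in timings:
        time_by_filter[t["filter"]] += t["usec"]
    return {"kinds": dict(kinds),
            "usec_by_filter": dict(time_by_filter),
            "suspicious": suspicious(searches)}


if __name__ == "__main__":
    r = report(SAMPLE_LINES)
    print("search kinds:", r["kinds"])
    print("LDAP time (usec) by filter:", r["usec_by_filter"])
    for s in r["suspicious"]:
        print(f"CHECK: {s['kind']} base={s['dn']} matches={s['matches']}")
```

Run against only the three lines from the thread, the script flags nothing: the one Search line is a base lookup of a single user DN returning one object, which is exactly the "working as designed" case. A container DN with a large match count, as in the constructed line, is the pattern to chase with the directory team, along with the 10-second ping search mentioned in the earlier reply.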