SM LDAP Search Filters default to "objectclass=*"

Question asked by Makesh.T Employee on May 21, 2018
Latest reply on May 21, 2018 by Ujwol Shrestha

This is on SSO 12.7 SP2 (RHEL 7.x), AD 2012 as the user Store.

The SMTrace log has several LDAP search queries related to "objectclass=*"; it's not reading the global search filters from the sm.registry file shown below. The Active Directory server team mentioned they saw queries that try to find 6 million+ entries. I would think it might be SiteMinder sending a broader query, "objectclass=*".

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\UserClassFilters=599500353
LDAP:=                  inetOrgPerson,organizationalPerson,person;      REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\GroupClassFilters=1022604861
LDAP:=                  groupOfNames,groupOfUniqueNames,group;  REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\OrgClassFilters=769973378
LDAP:=                  organization,organizationalUnit;        REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\ClassFilters=535339799
LDAP:=                  organization,organizationalUnit,groupOfNames,groupOfUniqueNames,group;  REG_SZ


Both the "User Object" and "User Class" properties are BLANK in the User Directory definition.

Any idea why SM defaults its search filter to "objectclass=*" instead of using the filters from the registry settings?
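As an added troubleshooting example (not part of the original post and not SiteMinder's own code), the script below parses the sm.registry class-filter entries quoted above into class lists, builds the LDAP OR-filter such a list would correspond to (the filter form is my assumption), and flags search requests in a constructed, simplified trace-log sample whose filter is the catch-all "objectclass=*" that causes directory-wide scans like the one the AD team reported.

```python
"""Added example: check sm.registry class filters against LDAP searches seen in a log."""
import re
from typing import Dict, List

# Constructed copy of two registry entries from the question (sm.registry format).
SM_REGISTRY = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Netegrity\\SiteMinder\\CurrentVersion\\Ds\\UserClassFilters=599500353
LDAP:=                  inetOrgPerson,organizationalPerson,person;      REG_SZ
HKEY_LOCAL_MACHINE\\SOFTWARE\\Netegrity\\SiteMinder\\CurrentVersion\\Ds\\GroupClassFilters=1022604861
LDAP:=                  groupOfNames,groupOfUniqueNames,group;  REG_SZ
"""

# Constructed, simplified trace lines; the real SMTrace layout is not assumed here.
SAMPLE_LOG = [
    'search base="DC=example,DC=com" scope=sub filter="(objectclass=*)"',
    'search base="DC=example,DC=com" scope=sub filter="(&(objectClass=person)(sAMAccountName=jdoe))"',
    'search base="OU=Groups,DC=example,DC=com" scope=sub filter="objectclass=*"',
]

KEY_RE = re.compile(r"\\Ds\\(\w*ClassFilters)=\d+\s*$")   # key line, e.g. ...\UserClassFilters=599500353
VAL_RE = re.compile(r"^LDAP:=\s*([^;]+);\s*REG_SZ\s*$")   # value line, e.g. LDAP:= a,b,c; REG_SZ
LOG_FILTER_RE = re.compile(r'filter="([^"]*)"')

def parse_class_filters(text: str) -> Dict[str, List[str]]:
    """Map each *ClassFilters key to the list of object classes on the LDAP:= line after it."""
    result: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.search(line)):
            current = m.group(1)
        elif current and (m := VAL_RE.match(line)):
            result[current] = [c.strip() for c in m.group(1).split(",") if c.strip()]
            current = None
    return result

def expected_filter(classes: List[str]) -> str:
    """LDAP filter a class list would correspond to (assumed: OR of objectClass equalities)."""
    if len(classes) == 1:
        return f"(objectClass={classes[0]})"
    return "(|" + "".join(f"(objectClass={c})" for c in classes) + ")"

def is_catch_all(ldap_filter: str) -> bool:
    """True when the whole filter is the presence test objectclass=* (matches every entry)."""
    return ldap_filter.strip().strip("()").lower() == "objectclass=*"

def broad_searches(log_lines: List[str]) -> List[str]:
    """Return log lines whose search filter is the catch-all objectclass=*."""
    return [ln for ln in log_lines
            if (m := LOG_FILTER_RE.search(ln)) and is_catch_all(m.group(1))]
```

Comparing `expected_filter(...)` output with the filters actually logged makes it easy to see whether the configured class filters are being applied or replaced by the catch-all.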