Skip links

Pro Tip: Supporting custom LDAP object classes in SiteMinder

A customer recently requested our assistance in integrating SiteMinder with an LDAP directory that had custom user and group objectClasses.

My users are missing in the WAMUI!

By default, the SiteMinder policy server will not return users, in the WAMUI or for policy resolution, that do not inherit one of the following standard objectClasses:

  • inetOrgPerson
  • organizationalPerson
  • person

The images below show the user search results for the policy server’s default configuration without any modification:

The default configuration does not only impact the displaying of users in the WAMUI; it also affects if users are found in the user store and how policies are applied to users and groups.

Adding Custom User/Group Object Classes to SiteMinder

To support custom user and group objectClasses, the sm.registry must be modified as outlined in the following steps.

  1. Stop the policy server.
  1. Navigate to the registry directory in the SiteMinder home directory.
  1. Make a backup copy of the sm.registry file.
  1. Open the sm.registry file for editing and search for ‘PolicyClassFilters’.
  1. On the line that follows ‘PolicyClassFilters’, insert the names of the custom objectClasses (SISUPerson/SISU_Group).
  1. Proceed to the registry entry below (PolicyResolution).
  1. Add the custom objectClasses to the list.

Note: The user objectClass must have a REG_DWORD value of 0x1 and the group objectClass must have a REG_DWORD value of 0x2.

  1. Search for ‘UserClassFilters’.
  1. Add the name of the custom objectClass to the line that follows ‘UserClassFilters’.
  1. Save your changes.
  2. Start the policy server

Verify the Configuration

  1. Login to the WAMUI.
  2. Go to the user directory that has the custom schema and select edit.
  1. Select ‘View Contents’.
  1. The groups are now visible.
  1. Enter ‘UID’ in the attribute field and a filter value in the value field, then click the Go button. (We used ‘*’ because there is a small number of users in this directory, but we recommend a more targeted search if the user store has more than a few hundred users.)

The users that have the custom objectClass are now visible.

As always, we hope that you have found this information useful. If you need IAM assistance, reach out to SIS today and we would be happy to assist you. And subscribe to our newsletter to be notified about the posting of future articles and other SIS news.

JOIN OUR NEWSLETTER

If you want to know our recent offer please subscribe to our newsletter