SSO Help

An Online Community for Identity & Access Management Professionals


Just finding my way around SiteMinder and I've got this requirement where I need to update a field in LDAP each time a user is successfully authenticated. I need to handle this before the user is directed to the requested protected page. Is this just a matter of setting something in SiteMinder to make it happen? Appreciate your input.


Replies to This Discussion

What are you trying to update? Is it something like last login time? If so, you could use password services. I think you can read the password services blob now with the API to get the attributes. If it is a different value, there is no automatic way of doing this. If you are using an auth scheme like forms, it is fairly easy to create a custom auth scheme to do this. Otherwise, you could also do this logic in an active response (code) tied to an OnAuthAccept rule.

What type of LDAP is it? Can you plug in any logic there which could do something like this? That might be another approach.

Todd

Yes. I want to capture the login time and store it in an attribute in LDAP. I have a common login app (Java) that is posting to the FCC file. SiteMinder does its thing and then redirects the page to the original request (apps that I have no control of) upon successful authentication. You mention that I can use the API but I'm not sure where to put it in. Can you elaborate more on creating the custom auth scheme or the OnAuthAccept?

thanks in advance
BTW, I looked at the password services documentation and it says there:

Track Login Details Check Box

This check box enables and disables tracking of user login attempts and successful logins, including the time of the last login. If you enable this check box, the Policy Server writes the login information to the user directory.

I wonder where in LDAP SiteMinder stores this information? Can this be configured somewhere else?

Hi,

Yes, this is the information that I was referring to that is stored in the password services blob. It is stored in the same user repository as the user. There is no way to put this information in another source. Also, this information is encrypted. So, you can't directly access the data in the password services blob. In your application, you can call the policy management API to get the specifics for a user (like last login) by calling the Sm_PolicyApi_GetUserPasswordState() function.

Alternatively, if the application is running on the web server and is protected by SiteMinder, they can use the SM_USERLASTLOGINTIME HTTP Header variable which retrieves the LASTLOGINTIME from the password services blob.

If you need the data to be in a visible field in the directory in another attribute, SiteMinder provides a set of APIs that you can use. The first is an API that lets you create a custom authentication scheme. This allows you to build a custom mechanism to authenticate users. If you are doing something simple like forms, then there is very little code to write the auth scheme. In the auth scheme you can set and read attributes about the user from the user store.

Similarly, you can create active responses. This is basically custom code that allows you to create a response to a rule in SiteMinder. So, if you tie a custom active response which writes the time into the LDAP to an OnAuthAccept (the rule that fires after the user is successfully authenticated), you can use that as another way to update the directory.

I hope that helps.

Todd

Thanks Todd.

I'm interested in creating an active response. Correct me if I'm wrong, but from what I've gathered from your explanation, I can create a class to do the setting in LDAP that SiteMinder triggers upon OnAuthAccept. Is it much like a trigger in a DB or a listener in Java? So it doesn't have to do anything with the SiteMinder response object? I ask this because in the document it seems very much related to the response object (adding/updating/customising response attributes). I suppose I can still use it without wanting to manipulate the response object. Or can I?

Hi,

Yes, that should work. You can just return TRUE or something like that for the actual response. I have not gone through the API in detail, but this should work. In the Active Response you have access to the Sm_Api_UserContext_t structure. So, you can use lpUserContext->fGetProp to get the value and lpUserContext->fSetProp to update the value. I haven't tried this, but I don't see why it would not work.

Todd
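As an added illustration (not code from this thread or from CA), here is what an OnAuthAccept active response that stamps the login time into a user-store attribute could look like with the SiteMinder Java SDK. It assumes the `com.netegrity.policyserver.smapi` classes (`ActiveResponse`, `APIContext`, `UserContext`) and their `getProp`/`setProp`/`log` methods as found in smjavaapi.jar, with `setProp` returning 0 on success; check these against your SDK javadoc. The attribute name `lastLoginTimestamp` and the package name are placeholders.

```java
// Added example: SiteMinder Active Response for an OnAuthAccept rule.
// Assumes the SiteMinder Java SDK (smjavaapi.jar); package and attribute
// names below are placeholders chosen for this example.
package example.sso;

import com.netegrity.policyserver.smapi.APIContext;
import com.netegrity.policyserver.smapi.ActiveResponse;
import com.netegrity.policyserver.smapi.UserContext;

import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

public class LastLoginActiveResponse implements ActiveResponse {

    // Attribute written in the user store. The Policy Server's directory
    // connection account only needs write access to this one attribute.
    private static final String DEFAULT_ATTR = "lastLoginTimestamp";

    public String invoke(APIContext context, UserContext userContext, String param) {
        // An active response can fire without a bound user; only write when
        // a real user context is present.
        if (userContext == null || !userContext.isUserContext()) {
            return "";
        }
        // The response parameter configured in the policy UI may override
        // the attribute name, so one class serves several directories.
        String attr = (param != null && param.trim().length() > 0)
                ? param.trim() : DEFAULT_ATTR;

        // LDAP generalizedTime in UTC, e.g. 20120417153012Z
        SimpleDateFormat fmt = new SimpleDateFormat("yyyyMMddHHmmss'Z'");
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        String now = fmt.format(new Date());

        try {
            int rc = userContext.setProp(attr, now); // assumed: 0 on success
            if (rc != 0) {
                // Bookkeeping failure must not fail the login; log it for
                // the operations team instead.
                context.log("LastLoginActiveResponse: setProp(" + attr + ") rc="
                        + rc + " user=" + userContext.getUserName());
            }
        } catch (RuntimeException e) {
            context.log("LastLoginActiveResponse: " + userContext.getUserName()
                    + ": " + e.getMessage());
        }
        // The returned string becomes the response attribute value, so it can
        // also be surfaced to the application as an HTTP header if wanted.
        return now;
    }
}
```

Because the write runs inside the Policy Server with its own directory credentials, grant that account write permission only on the chosen attribute rather than on the whole user entry.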
Hello Ava,

I am new to this group. Just came across this discussion in search of a solution for a similar problem, to update the user's last login time into a database. Can you please update if the active response (OnAuthAccept) worked for you, and any inputs on how to get a Java listener to update into the database?

thanks in advance


© 2012   Created by CoreBlox
