SSO Help

An Online Community for Identity & Access Management Professionals

David Saraiva

How SiteMinder Interacts with LDAP

Ever wonder what LDAP calls SiteMinder is really making to your directory? After reading this post you will understand the basics behind View Contents, Authentication and Authorization, and you will be able to mimic these functions using a command-line ldapsearch. You will also know about all the connections that SiteMinder holds open to the LDAP directory and what each of those connections is used for.

First the basics on ldapsearch:
ldapsearch is always in the format:

  • ldapsearch <switches such as -h, -b, etc> <search filter> <attribute(s)>

The search filter must appear after all of the switches, and is not prefixed by a switch of its own.  After that, if you do not want the entire record, you can specify what attribute(s) you do want returned.

The letters in the following figures (Fig. 1 and Fig. 2) are used throughout this post when illustrating how to mimic SiteMinder functions with a command-line ldapsearch.


Fig. 1


Fig. 2

View Contents:
NOTE:  Clicking “View Contents” while inside a User Directory is identical to the behavior when you click the “Add/Remove” button while inside a Policy.

This function ONLY uses the Server field and the Root field; it does NOT use the LDAP User DN Lookup fields.
By default, it executes 5 LDAP searches against the directory:

  • objectclass=organization
  • objectclass=organizationalunit
  • objectclass=group
  • objectclass=groupofnames
  • objectclass=groupofuniquenames

This is ONLY to populate the first window that comes up for View Contents. Any other objects can be found using the binoculars and doing a search.

To mimic “View Contents” with ldapsearch:

ldapsearch -h A -b B -D E -w F '(objectclass=organization)' dn
ldapsearch -h A -b B -D E -w F '(objectclass=organizationalunit)' dn
ldapsearch -h A -b B -D E -w F '(objectclass=group)' dn
ldapsearch -h A -b B -D E -w F '(objectclass=groupofnames)' dn
ldapsearch -h A -b B -D E -w F '(objectclass=groupofuniquenames)' dn

(The filter is quoted so the shell does not treat the parentheses as a subshell; only the dn attribute is requested, which is all the View Contents window needs.)
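The five searches above, wrapped in a small POSIX shell script so they can be reviewed, logged and run as one unit. This is an added example and not code from the original post or from SiteMinder; the host name, base DN, bind DN and password-file path are constructed placeholders, and the script assumes OpenLDAP's ldapsearch with LDAPS reachable on the directory host. It departs from the one-liners above in two ways a practitioner would want: it binds over ldaps:// (-H) rather than plain -h so the bind credential and the returned DNs are encrypted in transit, and it reads the bind password from a mode-600 file (-y) instead of passing it with -w, which would expose it in ps output and shell history.

```shell
#!/bin/sh
# Added example: mimic SiteMinder's "View Contents" with OpenLDAP's ldapsearch.
# Assumptions (not from the post): directory is reachable over LDAPS, the bind
# password lives in a file readable only by the caller, and all values passed in
# are placeholders constructed for illustration.

# The five object classes SiteMinder queries to populate the View Contents window.
VIEW_CONTENTS_CLASSES="organization organizationalunit group groupofnames groupofuniquenames"

# build_filter OBJECTCLASS -> prints the LDAP filter for that object class
build_filter() {
    printf '(objectclass=%s)' "$1"
}

# count_view_contents_classes -> number of searches View Contents issues (5)
count_view_contents_classes() {
    echo "$VIEW_CONTENTS_CLASSES" | wc -w | tr -d ' '
}

# view_contents_cmd HOST BASE BINDDN PASSFILE OBJECTCLASS
# Prints (does not run) the ldapsearch invocation, quoted for the shell.
#   -LLL     plain LDIF, no comments or version line
#   -x       simple bind (what SiteMinder uses with a bind DN and password)
#   -H       LDAPS URI instead of -h so the session is encrypted
#   -y FILE  bind password read from a file, never from the command line
#   dn       only the DN is requested, as SiteMinder does for View Contents
view_contents_cmd() {
    host=$1; base=$2; binddn=$3; passfile=$4; oc=$5
    printf "ldapsearch -LLL -x -H ldaps://%s -b '%s' -D '%s' -y '%s' '%s' dn\n" \
        "$host" "$base" "$binddn" "$passfile" "$(build_filter "$oc")"
}

# run_view_contents HOST BASE BINDDN PASSFILE
# Executes all five searches; refuses to run if the password file is world- or
# group-readable (a quick check that the credential is not lying around in the clear).
run_view_contents() {
    host=$1; base=$2; binddn=$3; passfile=$4
    case $(ls -l "$passfile" 2>/dev/null | cut -c5-10) in
        ------) ;;  # owner-only permissions, proceed
        *) echo "refusing: $passfile must be readable by owner only (chmod 600)" >&2; return 1 ;;
    esac
    for oc in $VIEW_CONTENTS_CLASSES; do
        echo "# View Contents search: $(build_filter "$oc")"
        ldapsearch -LLL -x -H "ldaps://$host" -b "$base" -D "$binddn" -y "$passfile" \
            "$(build_filter "$oc")" dn
    done
}

# Example invocation with constructed placeholder values:
#   run_view_contents ldap.example.com 'dc=example,dc=com' 'cn=smbind,dc=example,dc=com' /run/sm.pw
```

Running the script against a test directory and comparing the returned DNs with what the SiteMinder UI shows is the quickest way to confirm that the Server and Root fields are the only inputs View Contents actually uses, and the echoed filter line makes the five queries easy to match against the directory server's access log.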
Last updated by David Saraiva Oct 8, 2009.

© 2012   Created by CoreBlox