Source (summarized below): How SiteMinder interacts with LDAP, CoreBlox blog, June 2009
http://www.coreblox.com/blog/2009/06/how-siteminder-interacts-with-ldap/
SiteMinder (the Policy Server) holds three connections open to each LDAP user directory. They are as follows:
DIR: This connection is bound as the administrative user configured in the "Credentials and Connections" tab of the User Directory. The initial search that locates the user during authentication is done over this connection, and any WRITE operations (due to Password Services) are also done over it. There are a lot of questions about what permissions that admin user needs, and it is simple: if you will not be using Password Services, the user only needs READ permission on the part of the directory where your users live (whatever you put in the Root DN of the user directory). If you will be using Password Services, the user needs those same READ permissions plus WRITE permission on the attributes listed in the User Attributes tab of the user directory. Since this is the only one of the three connections that ever writes, keep the account to exactly those rights rather than using a directory administrator account.
USR: This connection is used by authentication to try BINDs; no other data is sent over it. A BIND is attempted with the user's DN and password, and if it succeeds the user is authenticated. The connection is left in that state, bound as the user who just authenticated. How the next authentication attempt is handled depends on the type of directory. If the directory supports REBIND, that is what is done: the connection is never torn down, it is simply taken over by the new BIND. If the directory does not support REBIND (Active Directory, for example), the connection is unbound and then a new BIND is performed as the next user.
PING: This connection is used to monitor the health of the directory. It sends a very basic search to the directory; if it gets a response, the directory is considered healthy and the Policy Server will keep sending requests there.
The search has an empty base DN (that is, it targets the root DSE), a scope of "base", and the filter (objectclass=*). According to the LDAP specification (RFC 2251 §3.4; RFC 2251 has since been replaced by RFC 4511/4512, and the root DSE is now defined in RFC 4512 §5.1), every compliant directory answers that query with some basic information about itself and its capabilities. You can reproduce the same search from a shell with:
ldapsearch -x -H ldap://<IP of directory> -b "" -s base "(objectclass=*)"
The -x forces a simple (here anonymous) bind; without it the OpenLDAP client tries SASL first. Note that some servers, OpenLDAP among them, return only the objectClass values of the root DSE unless you also ask for the operational attributes, so append "+" (and "*" for user attributes) to the command if you want to see namingContexts, supportedLDAPVersion, supportedSASLMechanisms and so on. Active Directory returns those by default.
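The following is an added example, not code from the original post or from SiteMinder/CoreBlox: it builds the PING search above by hand as LDAPv3 BER (RFC 4511), decodes the kind of reply a directory sends back, and turns it into the healthy/unhealthy verdict. It goes slightly beyond the text by also decoding the root DSE attributes in the reply and by treating an error result (for example unavailable(52)) as unhealthy. Assumptions: only the Python standard library is used; the two sample replies are constructed for this example, not captured from a real server; the live ping() helper sends the search anonymously without a Bind first, which the original post does not specify for SiteMinder's own PING connection, and it speaks plain LDAP on port 389 (no LDAPS/StartTLS).

```python
"""Added example (Python stdlib only; not SiteMinder or CoreBlox code): the PING search
hand-built as LDAPv3 (RFC 4511) BER, plus a decoder that turns the server's reply into
a health verdict. The sample replies below are constructed, not captured."""
import socket

def ber_len(n: int) -> bytes:                      # short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(tag: int, value: int) -> bytes:        # INTEGER 0x02 / ENUMERATED 0x0A, value >= 0
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def read_tlv(buf: bytes, pos: int):                # -> (tag, content, next_pos)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:                              # long form: low 7 bits = number of length bytes
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    if pos + length > len(buf):
        raise ValueError("truncated TLV")          # partial read or malformed reply
    return tag, buf[pos:pos + length], pos + length

def read_seq(content: bytes):                      # children of a constructed value
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def search_request(msg_id: int, base: str = "", attrs=()) -> bytes:
    """LDAPMessage carrying a SearchRequest [APPLICATION 3]. The defaults are the PING
    itself: empty base DN (the root DSE), scope base, filter (objectClass=*), no attrs."""
    op = (tlv(0x04, base.encode())                 # baseObject; "" = root DSE
          + ber_int(0x0A, 0) + ber_int(0x0A, 0)    # scope baseObject(0); derefAliases never(0)
          + ber_int(0x02, 0) + ber_int(0x02, 0)    # sizeLimit 0, timeLimit 0 (no limits)
          + tlv(0x01, b"\x00")                     # typesOnly FALSE
          + tlv(0x87, b"objectClass")              # filter: present [7] => (objectClass=*)
          + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))
    return tlv(0x30, ber_int(0x02, msg_id) + tlv(0x63, op))

def parse_response(data: bytes) -> dict:
    """Walk the LDAPMessages in data, collecting SearchResultEntry [APPLICATION 4]
    entries and the LDAPResult of the SearchResultDone [APPLICATION 5]."""
    out, pos = {"entries": [], "result_code": None, "diagnostic": ""}, 0
    while pos < len(data) and out["result_code"] is None:
        tag, msg, pos = read_tlv(data, pos)
        if tag != 0x30:
            raise ValueError("expected LDAPMessage SEQUENCE")
        (_, _), (op_tag, op) = read_seq(msg)[:2]         # trailing controls ignored
        if op_tag == 0x64:
            (_, dn), (_, attrs) = read_seq(op)
            entry = {}
            for _, pa in read_seq(attrs):                 # PartialAttribute { type, vals SET }
                (_, name), (_, vals) = read_seq(pa)
                entry[name.decode()] = [v.decode(errors="replace") for _, v in read_seq(vals)]
            out["entries"].append((dn.decode(), entry))
        elif op_tag == 0x65:
            code, _matched_dn, diag = read_seq(op)[:3]
            out["result_code"] = int.from_bytes(code[1], "big")
            out["diagnostic"] = diag[1].decode(errors="replace")
    return out

def directory_is_healthy(reply: bytes) -> bool:
    """Verdict: SearchResultDone with resultCode success(0). The blog counts any
    response as healthy; insisting on success is this example's stricter choice."""
    return parse_response(reply)["result_code"] == 0

def _result_done(code: int, diag: str = "") -> bytes:
    return tlv(0x65, ber_int(0x0A, code) + tlv(0x04, b"") + tlv(0x04, diag.encode()))

def _entry(dn: str, attrs: dict) -> bytes:
    pas = b"".join(tlv(0x30, tlv(0x04, k.encode()) + tlv(0x31, b"".join(
        tlv(0x04, v.encode()) for v in vs))) for k, vs in attrs.items())
    return tlv(0x64, tlv(0x04, dn.encode()) + tlv(0x30, pas))

# Constructed replies (not captures) so the example runs offline.
PING_OK = (tlv(0x30, ber_int(0x02, 1) + _entry("", {"namingContexts": ["dc=example,dc=com"],
                                                 "supportedLDAPVersion": ["3"]}))
           + tlv(0x30, ber_int(0x02, 1) + _result_done(0)))
PING_DOWN = tlv(0x30, ber_int(0x02, 1) + _result_done(52, "shutting down"))  # unavailable(52)

def ping(host: str, port: int = 389, timeout: float = 3.0) -> bool:
    """Send the real PING over plain LDAP to a live server (assumption: anonymously,
    with no Bind first) and judge the reply. Not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(search_request(1))
        buf = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:                          # closed without a SearchResultDone
                return False
            buf += chunk
            try:
                if parse_response(buf)["result_code"] is not None:
                    return directory_is_healthy(buf)
            except ValueError:                     # partial message: keep reading
                pass
```

search_request(1) produces exactly the bytes the ldapsearch command above puts on the wire (minus the client's own Bind), and ping("ldap.example.com") sends them to a real directory and reads until the SearchResultDone arrives or the socket times out, which is the condition a monitor should treat as "no response". Pass attrs=("*", "+") to search_request if you want the reply to carry the operational root DSE attributes from an OpenLDAP server; with no attribute list it may return nothing but objectClass, which is still a healthy reply.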