Saturday, June 25, 2011

How Siteminder interacts with LDAP

Use the link below for the details of how SiteMinder interacts with LDAP:

http://www.coreblox.com/blog/2009/06/how-siteminder-interacts-with-ldap/


Siteminder holds 3 connections open to each LDAP user directory.  They are as follows:
DIR: This connection is held open by the user who is configured in the “Credentials and Connections” tab of the User Directory.  The initial search for users in authentication is done over this connection, and any WRITE operations (due to Password Services) are also done over this connection.  There are a lot of questions about what permissions the Admin user needs to have, and it’s simple… if you will not be using Password Services, then the user just needs to have READ permissions to the section of the user directory where your users are (whatever you put in the Root DN of the directory).  If you will be using Password Services, then that user needs to at least have the same READ permissions, and also have WRITE permissions to the attributes in the User Attributes tab of the user directory.
USR: This connection is used by authentication to try the BINDs.  No other data is sent across this connection.  A BIND is attempted and if it works, then the user is authenticated.  The connection is left in that state, owned by the user who just bound.  When the next authentication attempt is made, the handling depends on the type of directory.  If the directory supports REBIND, then that is what is done, meaning the connection is never broken down, it is just overtaken by the new BIND.  If the directory does not support REBIND (like AD), then the connection is Unbound and then a BIND is performed with the new user.
PING: This connection is used to monitor the health of the directory.  It sends a very basic search to the directory.  If it gets a response, then the directory is considered healthy, so the Policy Server will continue to send requests there.
The search has a blank Root DN, a scope of “base”, and looks for objectclass=*.  According to LDAP spec (RFC 2251), all compliant LDAPs will return some basic info about itself and its capabilities when a query is received with those parameters:
ldapsearch -h <IP of directory> -b "" -s base "objectclass=*"
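To make "a very basic search" concrete, here is an added example (my own code, not from the CoreBlox post or from SiteMinder) that encodes in raw BER exactly the request the ldapsearch line above sends, and parses the SearchResultDone that closes the reply. That is what the PING connection puts on the wire and what "gets a response" means: a SearchResultDone with resultCode 0. The message ID, the anonymous connection in probe_directory and the port default are assumptions; root DSE attributes such as namingContexts are operational, so pass their names in attrs if you want the server to return them.

```python
import socket

def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def root_dse_search_request(message_id=1, attrs=()):
    """LDAPMessage carrying the health-check search: base "", scope base,
    filter (objectclass=*). Root DSE attributes are operational, so name
    the ones you want in `attrs`; an empty list asks for user attributes only."""
    search = b"".join([
        tlv(0x04, b""),              # baseObject: "" (the root DSE)
        tlv(0x0A, b"\x00"),          # scope: baseObject(0)
        tlv(0x0A, b"\x00"),          # derefAliases: neverDerefAliases(0)
        tlv(0x02, b"\x00"),          # sizeLimit: 0 (server default)
        tlv(0x02, b"\x00"),          # timeLimit: 0
        tlv(0x01, b"\x00"),          # typesOnly: FALSE
        tlv(0x87, b"objectclass"),   # filter: present [7] objectclass == (objectclass=*)
        tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)),
    ])
    # messageID encoded as a single-byte INTEGER (assumption: 0..127 is enough here)
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x63, search))

def read_tlv(buf, pos):
    """Decode the element at buf[pos]; raise ValueError if it is truncated."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if len(buf) < pos + length:
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def search_result_done_code(data):
    """Walk the LDAPMessages in `data`; return the resultCode of the
    SearchResultDone (APPLICATION 5), or None if it has not arrived yet.
    SearchResultEntry messages (APPLICATION 4) are skipped."""
    try:
        pos = 0
        while pos < len(data):
            tag, msg, pos = read_tlv(data, pos)
            if tag != 0x30:
                return None
            _, _, op_pos = read_tlv(msg, 0)        # skip messageID
            op_tag, op, _ = read_tlv(msg, op_pos)
            if op_tag == 0x65:
                _, code, _ = read_tlv(op, 0)       # LDAPResult.resultCode
                return int.from_bytes(code, "big")
        return None
    except (IndexError, ValueError):
        return None

def probe_directory(host, port=389, timeout=5.0):
    """Send the probe without binding (assumption: the root DSE is readable
    anonymously) and report True only on resultCode success(0)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(root_dse_search_request())
        while search_result_done_code(data) is None:
            chunk = s.recv(4096)
            if not chunk:
                return False
            data += chunk
    return search_result_done_code(data) == 0
```

Point probe_directory at a directory you operate to reproduce the Policy Server's health check by hand; a server that is up but returns a non-zero resultCode (for example because anonymous root DSE reads are disabled) will be treated as unhealthy by a check like this, which is worth knowing before tightening anonymous access on a SiteMinder user directory.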

Thursday, March 24, 2011

Siteminder Single sign on



Siteminder is the Single Sign On infrastructure system for NBCU, the user authentication and authorization component of an access management suite from Computer Associates (http://www.ca.com). SiteMinder provides policy-based authentication as well as single sign-on for all Web-based applications.

How to enable and to configure Remote Desktop for Administration in Windows Server 2003





Remote Desktop control

http://support.microsoft.com/kb/814590

Friday, March 18, 2011

Free online URL to PDF Converter


Convert any web page to PDF using our free online PDF Converter. Fast and reliable PDF generation from any URL.

Use the link below to convert any URL to PDF:

http://www.html-to-pdf.net/free-online-pdf-converter.aspx

Wednesday, March 16, 2011

Free Online PDF Converter to convert documents into PDF

The Online PDF Converter converts documents of different formats online into PDF for free! All supported document formats are listed below. It's quite easy to convert your documents. No software installation is needed. Just upload your documents to pdf24.org and our automated converter converts the documents into PDF.


The Online PDF Converter supports the following document formats:

  • HTML (htm html)
  • Images (jpg jpeg png bmp gif tiff tif emf wmf)
  • Microsoft Word (doc dot docx dotx)
  • Microsoft Excel (xls xlw xlt xlsx xltx)
  • Microsoft Powerpoint (ppt pps pot pptx potx)
  • Open Office (odt ods odp odg ott ots otp otg)
  • Postscript (ps)
  • Text (rtf txt)

Convert documents online now with free Online PDF Converter

Please use our converting box below to convert documents into PDF. You can choose among the formats listed above. Just choose a document, fill in an email address and click the button "Go". The Online PDF Converter will convert your document into a pdf file for free and send it to you via mail.
Given below is the link to create the PDF
http://en.pdf24.org/onlineConverter.html

Monday, February 21, 2011

I'm trying to uninstall directory server 5.2 because it failed with a
configuration error, and when I try to reinstall it shows all
components to be installed greyed out as 0 bytes so I cannot continue
the install as mentioned in:
http://swforum.sun.com/jive/thread.jspa?messageID=210740

They suggest using prodreg to uninstall or edit /etc/ds/versions but
prodreg fails with:

Exception in thread "main" java.lang.NoClassDefFoundError:
uninstall_dirserver

and I do not have a /etc/ds/versions file. Please help

Taking out the DS entries from /var/sadm/install/productregistry fixed it.



http://compgroups.net/comp.unix.solaris/Directory-server-5.2-uninstall-problem

Monday, February 14, 2011

Policy Server on Solaris with Apache Web Server


Joyce Hampson 5/19/00; Elyse Salberg updated 3/16/01

Problem Description: Certain changes need to be made to the httpd.conf file in order to run the SiteMinder Admin UI on an Apache Web Server. Also, some modules such as mod_alias, mod_cgi, and mod_env must be compiled into Apache or called in the httpd.conf.
Other modules may be necessary for certain instructions; for example, mod_access is needed to use the "Order allow,deny" and "Allow from all" lines (comment them out otherwise).

Additions needed in httpd.conf:
NOTE: Make sure to edit the paths to reflect the configuration of the specific system.
Alias /siteminder/ "/opt/siteminder/admin/"
Alias /sitemindercgi/ "/opt/siteminder/admin/"
Alias /SMReports/ "/opt/siteminder/reports/"

<Directory "/opt/siteminder/admin">
Options Indexes MultiViews ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>

<Directory "/opt/siteminder/reports">
Options Indexes MultiViews ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /sitemindercgi/ "/opt/siteminder/admin/"

<Directory "/opt/siteminder/admin">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>

SetEnv SM_ADM_UDP_PORT "44444"
SetEnv SM_ADM_TCP_PORT "44444"
SetEnv LD_LIBRARY_PATH /lib:/usr/lib:/opt/siteminder/bin:
If not already added:
AddHandler cgi-script .exe
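The snippet above declares <Directory "/opt/siteminder/admin"> twice. Apache merges sections for the same path in file order, and an Options line whose entries carry no + or - prefix replaces the current set, so the second block's Options ExecCGI drops Indexes and MultiViews for the admin directory, while the reports directory keeps Indexes. The Python script below is an added example (not from the KB article or from SiteMinder) that parses that exact fragment, embedded as a constructed sample, with those merge rules and reports directories that combine ExecCGI or Indexes with Allow from all; the finding wording is mine, and the script only handles the directives the fragment uses.

```python
import re

# Constructed copy of the httpd.conf additions from the KB above.
SAMPLE_CONF = """
Alias /siteminder/ "/opt/siteminder/admin/"
Alias /SMReports/ "/opt/siteminder/reports/"

<Directory "/opt/siteminder/admin">
Options Indexes MultiViews ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>

<Directory "/opt/siteminder/reports">
Options Indexes MultiViews ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>

<Directory "/opt/siteminder/admin">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
"""

DIR_OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.I)
DIR_CLOSE = re.compile(r"^</Directory>$", re.I)

def merge_options(current, tokens):
    """Apache merge rule for Options: if every token is prefixed with + or -
    the set is adjusted, otherwise the line replaces the set outright."""
    if tokens and all(t[0] in "+-" for t in tokens):
        result = set(current)
        for t in tokens:
            (result.add if t[0] == "+" else result.discard)(t[1:])
        return result
    return set(tokens)

def parse_directories(conf):
    """Return {path: {"options": set, "allow_from": [...], "override": str}},
    merging repeated <Directory> sections for the same path in file order."""
    dirs = {}
    cur = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIR_OPEN.match(line)
        if m:
            path = m.group(1).rstrip("/")
            cur = dirs.setdefault(path, {"options": set(), "allow_from": [], "override": None})
            continue
        if DIR_CLOSE.match(line):
            cur = None
            continue
        if cur is None:
            continue                      # directives outside <Directory> are not audited
        parts = line.split()
        key = parts[0].lower()
        if key == "options":
            cur["options"] = merge_options(cur["options"], parts[1:])
        elif key == "allow" and len(parts) >= 3 and parts[1].lower() == "from":
            cur["allow_from"].extend(p.lower() for p in parts[2:])
        elif key == "allowoverride":
            cur["override"] = " ".join(parts[1:])
    return dirs

def audit(dirs):
    """Flag directories reachable from any client that execute CGI or list contents."""
    findings = []
    for path, d in dirs.items():
        world = "all" in d["allow_from"]
        opts = d["options"]
        if world and "ExecCGI" in opts:
            findings.append((path, "ExecCGI reachable from any client; restrict 'Allow from' to admin networks"))
        if world and "Indexes" in opts:
            findings.append((path, "directory listing enabled on a world-reachable directory; drop Indexes"))
    return findings

if __name__ == "__main__":
    for path, msg in audit(parse_directories(SAMPLE_CONF)):
        print(path, "-", msg)
```

Run it against your own httpd.conf by reading the file into parse_directories; the admin directory comes out with ExecCGI only, the reports directory with Indexes as well, and both are open to all clients, which is the first thing to tighten on a server that fronts the Admin UI.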

Thursday, January 27, 2011

Post information to the login.fcc file

Title:  Post information to the login.fcc file (Legacy_Onyx KB Id: 190481)

Description:
We're trying to implement a simple functionality on our website. We would like to notify a user who provides the wrong login credentials with some text: "Invalid username or password was specified." but we don't want the user to be redirected to a different page than the login.fcc page.

We tried different approaches with the DynamicRetry.fcc/DynamicRetry.unauth or with providing the client's browser with the SM_HTTP_ONJRECTTEXT variable or even the usage of the SMTEXT cookie...

But we failed in all 3 different approaches!

Could you please assist?

Solution:
We are generating our own cookie and grabbing the cookie through the javascript.
Below are the steps to configure:

1) Set a rule depending on what is your requirement.
--> OnAuthAttempt (This would be user not found in user store)
--> OnAuthReject (This would be the user password is incorrect)
--> OnAccessReject (This would be the user not authorized).

2) Set a response with the type "Webagent HTTP Cookie Variable".
--> You can set the cookie name to "NotAuthCookie"
--> The value, you can customize by putting something like "You are not authenticated, please try to login again".

3) Under the policy, bind the rule to the response together.

4) The next step would be to customize your login.fcc page.
--> You would need to add in javascript to grab the cookie called "NotAuthCookie" and its value.
--> Below is the sample javascript to be embedded to your login.fcc:

<SCRIPT LANGUAGE="JavaScript">
function resetCredFields()
{
    document.Login.PASSWORD.value = "";
}

function submitForm()
{
    document.Login.submit();
}

// Return the value of the named cookie, or null if it is not set.
function getCookie(name)
{
    var dc = document.cookie;
    var prefix = name + "=";
    var begin = dc.indexOf("; " + prefix);
    if (begin == -1)
    {
        begin = dc.indexOf(prefix);
        if (begin != 0) return null;
    }
    else
    {
        begin += 2;
    }
    var end = dc.indexOf(";", begin);
    if (end == -1)
    {
        end = dc.length;
    }
    return unescape(dc.substring(begin + prefix.length, end));
}

// Escape HTML metacharacters so the cookie text is displayed literally
// instead of being interpreted as markup when written into the page.
function escapeHtml(s)
{
    return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Only write the message when the cookie is present; otherwise the page
// would show the literal text "null" on a first visit.
var notAuthMsg = getCookie("NotAuthCookie");
if (notAuthMsg != null)
{
    document.write(escapeHtml(notAuthMsg));
}

</SCRIPT>

------------------------------
The above script has a function called getCookie which returns the value of the cookie you want to read.
Next, document.write displays the value returned from getCookie in the login page.

Tuesday, January 25, 2011

What is CSN ( Change Sequence Number )

Sun Java[TM] System Directory Server - Change Sequence Numbers [ID 1008938.1]
--------------------------------------------------------------------------------

  Modified 07-JAN-2010     Type HOWTO     Migrated ID 212298     Status PUBLISHED  
Description
This document contains information about Change Sequence Numbers (CSN),
and their format, for customers who have deployed servers running Sun
Java[TM] System Directory Server
Steps to Follow
In Sun Java System Directory Server software, a master server needs to keep track of changes made to an entry, prior to replicating those changes to other masters (in an MMR environment) and/or downstream consumers (in a cascaded environment).
The logical order in which these changes are
applied to entries on the consumer server, may be important, as there could
be logical interdependencies between each change made. These changes are
stored in the changelogs of a Sun Java System Directory Server instance,
and are marked with a Change Sequence Number(CSN), which is used to resolve
replication conflicts should the need arise.
Format of a CSN
===============
A CSN is basically a sequence of numbers, consisting of a time-stamp and
the ID of the master replica, on which the change was originally made.
To be precise, it is a ten-byte structure, where the first four bytes
contain a timestamp expressed as seconds after UTC 1st January 1970.
The next two bytes form a sequence number, used when more than one CSN is
generated within one second. Two bytes then follow, with the ID of the
replica for which the CSN is generated, and the remaining two bytes
contain a sub-sequence number
eg. 3cadb52d000000010000
    |       |   |   |
    3cadb52d 0000 0001 0000
    Date     Seq  Rep  Sub-Seq
             No   ID   Number
where:
a. the string "3cadb52d" translates to 05 Apr 2002 07:30:46. This string
is the hexadecimal value of the number of seconds since 01 Jan 1970 (UTC).
b. the next portion, "0000", denotes this is the first CSN generated
this second.
c. the string "0001" denotes the replica ID of the master generating
the CSN and should be unique to each server in the topology.
d. the last portion of the string, "0000", represents the subsequence
number. This is currently reserved and is always set to zero.
The format should ensure that servers operating in a replicated
environment, and replicating changes to one another, will generate unique
CSNs, so that changes are ordered in a computable manner. If a consumer
does not receive the changes from its multiple suppliers in the right
order, it is able to determine what the right order is, via the Update
Resolution Procedure (URP), that is, by comparing the CSN of each change
it receives and replaying them in the correct order.
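The field layout and the ordering rule above are easy to check in code. The following Python is an added example (not from the Sun KB or from Directory Server) that splits a CSN into its four fields, renders the timestamp, sorts a constructed list of changes the way a consumer's Update Resolution Procedure would replay them (field by field in byte order: timestamp, sequence number, replica ID, subsequence), and reports replica IDs shared by more than one master, which the format requires to be unique. Decoding the KB's own example gives 1018017069 seconds, which is 14:31:09 UTC on 5 April 2002; the clock reading quoted in the KB is not the UTC rendering of that value, so compare the epoch seconds when checking your own CSNs.

```python
from datetime import datetime, timezone

def parse_csn(csn):
    """Split a CSN (20 hex digits = 10 bytes) into its fields: 4-byte UTC
    timestamp, 2-byte sequence number, 2-byte replica ID, 2-byte sub-sequence."""
    csn = csn.strip().lower()
    if len(csn) != 20 or any(c not in "0123456789abcdef" for c in csn):
        raise ValueError("CSN must be exactly 20 hexadecimal digits: %r" % csn)
    return {
        "timestamp": int(csn[0:8], 16),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }

def csn_time_utc(csn):
    """Render the timestamp field as a UTC clock time."""
    ts = parse_csn(csn)["timestamp"]
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def csn_sort_key(csn):
    """Field-by-field comparison in byte order: time, seq, replica ID, subseq.
    Sorting by this key is the same as sorting the raw 10-byte value."""
    f = parse_csn(csn)
    return (f["timestamp"], f["seq"], f["replica_id"], f["subseq"])

def replay_order(changes):
    """changes: list of (csn, description) in the order they arrived from the
    suppliers; returns them in the order a consumer should apply them."""
    return sorted(changes, key=lambda change: csn_sort_key(change[0]))

def duplicate_replica_ids(csns_by_server):
    """Given {server_name: a CSN it generated}, report replica IDs that more
    than one server is using, the misconfiguration the format forbids."""
    seen = {}
    for server, csn in csns_by_server.items():
        seen.setdefault(parse_csn(csn)["replica_id"], []).append(server)
    return {rid: servers for rid, servers in seen.items() if len(servers) > 1}

if __name__ == "__main__":
    # Constructed sample: three changes arriving out of order from two masters.
    arrived = [
        ("3cadb52d000100010000", "second change in that second, replica 1"),
        ("3cadb52d000000020000", "first change in that second, replica 2"),
        ("3cadb52c000000010000", "change from the previous second, replica 1"),
    ]
    for csn, what in replay_order(arrived):
        print(csn, csn_time_utc(csn), what)
```

Feed duplicate_replica_ids a CSN taken from each master's changelog when adding a server to a topology; two masters sharing a replica ID can generate identical CSNs in the same second, which defeats the ordering the KB describes.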

Scripts for deleting SSO profiles and verifying the records in the LDAP

Delete the uids

#!/bin/sh
# Usage: delete_uids.sh <file in /tmp containing one uid per line>
# Placeholders: <Host Name> and the bind password (xxxx) must be filled in.
LDAP_HOST="<Host Name>"
LDAP_PORT=41389
BIND_DN="cn=Directory Manager"
BIND_PW="xxxx"
BASE="ou=geworker,o=ge.com"

echo `date` >> /tmp/log/deleted.log
echo `date` >> /tmp/log/notdeleted.log
echo `date` >> /tmp/log/idnotexit.txt

while read -r i
do
  # Look the uid up first; an empty gessostatus means the entry does not exist
  rv=`ldapsearch -h "$LDAP_HOST" -p $LDAP_PORT -D "$BIND_DN" -w "$BIND_PW" -b "$BASE" "uid=$i" | grep gessostatus | cut -f2 -d"="`
  if [ -n "$rv" ]
  then
    # Take the entry's own DN line under the base (the manager attribute also contains the base, so drop it)
    gessouid=`ldapsearch -h "$LDAP_HOST" -p $LDAP_PORT -D "$BIND_DN" -w "$BIND_PW" -b "$BASE" "uid=$i" | grep -v 'manager' | grep "$BASE"`
    ldapdelete -h "$LDAP_HOST" -p $LDAP_PORT -D "$BIND_DN" -w "$BIND_PW" "$gessouid"
    if [ $? -eq 0 ]
    then
      echo "$i has been deleted" >> /tmp/log/deleted.log
    else
      echo "$i has not been deleted" >> /tmp/log/notdeleted.log
    fi
  else
    echo "$i does not exist in LDAP" >> /tmp/log/idnotexit.txt
  fi
done < "/tmp/$1"


Script to search the records by uid

#!/bin/sh
# Usage: check_nbcu400.sh <file in /tmp containing one uid per line>
# Placeholders: <Host Name> and the bind password (xxxx) must be filled in.
LDAP_HOST="<Host Name>"
LDAP_PORT=41389
BIND_DN="cn=Directory Manager"
BIND_PW="xxxx"
BASE="ou=geworker,o=ge.com"

echo `date` >> /tmp/log/NBCU400added.txt
echo `date` >> /tmp/log/NBCU400notadded.txt
echo `date` >> /tmp/log/idnotexit.txt

while read -r i
do
  # An empty gessostatus means the uid is not in the directory at all
  rv=`ldapsearch -h "$LDAP_HOST" -p $LDAP_PORT -D "$BIND_DN" -w "$BIND_PW" -b "$BASE" "uid=$i" | grep gessostatus | cut -f2 -d"="`
  if [ -n "$rv" ]
  then
    # Count the gessolinkedbu values that mention NBCUS400
    out=`ldapsearch -h "$LDAP_HOST" -p $LDAP_PORT -D "$BIND_DN" -w "$BIND_PW" -b "$BASE" "uid=$i" gessolinkedbu | grep -c NBCUS400`
    if [ "$out" -ge 1 ]
    then
      echo "$i has added NBCUS400" >> /tmp/log/NBCU400added.txt
    else
      echo "$i has not added NBCUS400" >> /tmp/log/NBCU400notadded.txt
    fi
  else
    echo "$i does not exist in NBCU LDAP" >> /tmp/log/idnotexit.txt
  fi
done < "/tmp/$1"

Wednesday, January 5, 2011

Load Balancing Method

Load Balancing

Most commonly, the term load balancing refers to distributing incoming HTTP requests across Web servers in a server farm, to avoid overloading any one server. Because load balancing distributes the requests based on the actual load at each server, it is excellent for ensuring availability and defending against denial of service attacks.

The F5 BIG-IP® Local Traffic Manager performs load balancing across servers in a single data center.

The F5 BIG-IP® Global Traffic Manager uses topology-based load balancing to inspect a user's IP and determine the most efficient data center.

The term load balancing can also refer to file servers, when file protocol requests are distributed across file servers to overcome the capacity, bandwidth, or CPU limitations of any single system. The F5 ARX® series switch performs capacity balancing for file servers.

F5 products that support Load Balancing: