Configuring ADAM as a SiteMinder Policy Store

Microsoft's ADAM directory provides a free, tightly integrated directory for storing SiteMinder policy information. Unfortunately, ADAM's interface is not all that easy to understand, which makes the initial configuration a little more complicated than desired. Additionally, finding all the specifics on what is needed on the SiteMinder side can be a little unnerving. This article breaks down the installation and configuration of ADAM for use as a SiteMinder policy store. So, let's get started!

1. Download and Install ADAM

This is probably the most obvious step. As of the writing of this article, the latest version of ADAM can be found here:

http://www.microsoft.com/downloads/details.aspx?familyid=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en

The download at the link above contains the SP1 integrated package, so this eliminates the need to install patches after the initial install. After the download completes, run the installer to install the base components.

2. Create a New ADAM Instance

Now that ADAM is installed, you need to create a new instance. To create a new instance select:

Programs -> ADAM -> Create an ADAM Instance

Be sure to create a Unique Instance when creating the new ADAM instance.

Next, give your ADAM instance a name. In this case, I chose to call it "MyADAM".

On the next screen, be sure to select ports available on the system where you are installing ADAM. The defaults are 50000 (unencrypted) and 50001 (SSL).

Be sure to select "Yes, create an application directory partition" on the next screen. You can name the partition something meaningful for you. I chose "dc=mycompany,dc=com" for my partition name.

You can then change the locations used to store the files associated with ADAM. I left mine set at the defaults. If you want to change the account used to run ADAM, you can change that on the next screen. I recommend using the Network Service account unless you are a fan of dealing with Windows permissions (which I am not). Select "Currently logged on user" for the account with administrative rights to the ADAM instance.

On the next screen, be sure to import the base LDIF files to initialize the ADAM instance. While they may not all be necessary, I selected all of them on this screen.

You can then complete the ADAM instance configuration.

3. Administrator Account Access

Start ADAM ADSI Edit under:

Programs -> ADAM -> ADAM ADSI Edit

If your ADAM instance is not configured, select "Connect to..." and put in the port number of your ADAM instance. In my case, I left the default of 50000.

In the console tree, expand Connection Name, where Connection Name is the connection that you used above. Next expand "CN=Configuration,CN={GUID}" where GUID is a unique 128-bit number representing the user. Then expand "CN=Services" and finally expand "CN=Windows NT".

Right-click "CN=Directory Service", and select Properties:

In the Attribute list, locate and then click msDS-Other-Settings, and then click Edit.

In the Value to add box, type ADAMAllowADAMSecurityPrincipalsInConfigPartition=1, and then click OK.

Delete the existing value of "ADAMAllowADAMSecurityPrincipalsInConfigPartition=0" and click OK to close the Directory Service Properties dialog box.

4. Create Administrator Account

The next step will be to create an administrative account for SiteMinder. Right-click on "CN=Roles" and select New -> Object...

On the next screen select "user" as the type of object:

Set the cn value to the name of the administrator and click the Next button. I chose "Administrator" for my user.

Click the "More Attributes" button on the next screen:

Set the "displayName" attribute to your user's display name; I picked "SiteMinder Admin". Then set the "msDS-UserAccountDisabled" attribute to FALSE and the "msDS-UserDontExpirePassword" attribute to TRUE.

You may also need to set the "ms-DS-UserPasswordNotRequired" attribute to TRUE if you cannot save the user due to a password policy.

Next, right-click on the "CN=Administrators" group and select Properties. Find the "member" attribute and click the Edit button (you may want to copy the distinguishedName of your user before doing this step).

Click the "Add ADAM Account..." button and put in the DN of the user we created above.

The last step is to select the user, right-click and reset the password:
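Steps 3 and 4 can also be scripted instead of clicked through in ADSI Edit. The LDIF below is an added example, not part of the original article; it assumes the instance name, port, partition and "Administrator" user chosen above, and {GUID} is a placeholder for your configuration partition's GUID. The password reset stays a step in ADSI Edit as described, since ADAM refuses password changes over an unencrypted connection by default.

```ldif
# Apply with ADAM's own ldifde against the unencrypted port from step 2
# (host, port and {GUID} are placeholders to fill in):
#   ldifde -i -f siteminder-admin.ldf -s localhost -t 50000
#
# Step 3: allow ADAM security principals in the configuration partition.
# msDS-Other-Settings is multi-valued, so remove the old value and add the new one.
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID}
changetype: modify
delete: msDS-Other-Settings
msDS-Other-Settings: ADAMAllowADAMSecurityPrincipalsInConfigPartition=0
-
add: msDS-Other-Settings
msDS-Other-Settings: ADAMAllowADAMSecurityPrincipalsInConfigPartition=1
-

# Step 4: the account SiteMinder binds as, created under CN=Roles,
# enabled and with a non-expiring password.
dn: CN=Administrator,CN=Roles,CN=Configuration,CN={GUID}
changetype: add
objectClass: user
cn: Administrator
displayName: SiteMinder Admin
msDS-UserAccountDisabled: FALSE
msDS-UserDontExpirePassword: TRUE

# Step 4 continued: make the new user a member of the Administrators role.
dn: CN=Administrators,CN=Roles,CN=Configuration,CN={GUID}
changetype: modify
add: member
member: CN=Administrator,CN=Roles,CN=Configuration,CN={GUID}
-
```

After the import, re-open ADSI Edit to set the user's password, then the DN on the second record is what goes into the "Admin Username" box in step 5.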

5. Configure SiteMinder Policy Store Settings

After prepping ADAM, you're finally ready to start on the SiteMinder side of things. The first step is to launch the SiteMinder Policy Server Management Console and select the Data tab. You will need to set the following items:

a. Enter IP and port number of ADAM

b. Enter partition name for root DN "dc=mycompany,dc=com"

c. Paste complete DN of ADAM administrator account you just created into "Admin Username" box

For example, the user we just created has a DN of:

CN=Administrator,CN=Roles,CN=Configuration,CN={GUID}

d. Click on Test LDAP Connection to verify connection works.

6. Set Up the Policy Store

After configuring the policy server to talk to ADAM, you will then need to configure the policy store. Open a cmd prompt and run the following commands:

a. C:> smldapsetup status

b. C:> smldapsetup ldgen -fadamschema.smdif

c. C:> smldapsetup ldmod -fadamschema.smdif

d. C:> smreg -su (NOTE: You may need to copy smreg into the siteminder bin directory to complete this step)

So, for me this looks like:

C:> smreg -su password

e. C:> smobjimport -i smpolicy.smdif -dsiteminder -w -v

So, for me this looks like:

C:> smobjimport -i"C:\Program Files\netegrity\siteminder\db\smdif\smpolicy.smdif" -dsiteminder -wpassword -v

That's it! You should now be able to start the policy server and log in to the policy server administration UI.

I hope that you found this useful. Note that this was tested with SiteMinder 6.5. Other versions may be slightly different.

Thanks,

Todd