The SiteMinder R12 WAM UI has the ability to use an External Admin Store, which means that when an Administrator logs into the UI, the credentials are checked against an external LDAP directory or database. Back in SiteMinder 6, this was configured on an individual basis: for each Administrator, you could select whether to use the internal store or one of the configured User Directories. Now it is all or nothing. Once you "flip the switch" by configuring the External Admin Store, your "legacy" internal admins can no longer log in to the UI.
When you switch to External, you select a "Super User".
This is the equivalent of the "SiteMinder" Super User in the internal store; that account has full rights. Also, once you flip the switch, every user under that root (LDAP) or in that table (DB) can log in to the UI. But until the Super User (or some other admin who has the ability to delegate rights) configures rights for that user, they will be able to see and do almost nothing in the UI.
The info above is covered pretty well in the SiteMinder documentation. But here's a tidbit that is not covered...
Sometimes we get the question:
"How can I switch my External User Store to a different LDAP or DB than the one I originally configured?"
Answer: You can't. You have to revert back to the Internal Store, and start over.
Which leads us to:
"How do I revert back to the Internal Admin Store?"
The most common reasons are:
A) The directory that I am using as my External Admin Store is being decommissioned.
B) We have decided to use a different directory now as our External Admin Store.
C) When I set up the External Admin Store, I selected the wrong attribute for the Disabled Field. *(see detail below)
There is no simple click to revert to the Internal Store. Here are the steps:
- Stop the WAM UI
- On the hard drive of the UI machine, navigate to: administrative_ui_home/CA/SiteMinder/adminui/server/default/data
- Delete the entire /derby directory
- Start the WAM UI
NOTE: you do NOT have to re-register the WAM UI with the Policy Server.
You should now be able to log in as "SiteMinder" or any other admin you had created in your Internal Admin Store. You will also notice that the "Configure Administrative Authentication" link in the WAM UI is back again, so you can go through the process again.
*For a little detail on (C) above: We get this problem most often when someone doesn't realize that the Disabled field must be an attribute that is NOT used by any other applications. Quite often someone will try to put an attribute in there that is used internally by the LDAP or DB to disable users. For instance, people try to use "UserAccountControl" in AD. The Disabled field for SiteMinder must be an unused attribute. When the Administrator tries to log in to the WAM UI, this attribute is checked. If its value is blank or 0, the user logs in OK. If it is anything else, the user is sent to the logoff page.
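Because reverting means wiping the derby directory and starting over, it pays to check a candidate Disabled attribute against an export of the admin subtree before flipping the switch. The script below is an added example, not CA's code: it applies the login rule described above (blank or 0 passes, anything else goes to the logoff page; an absent attribute is treated as blank, which is an assumption) to constructed sample entries, and shows why userAccountControl locks out even enabled AD accounts while an unused attribute (the hypothetical smDisabled) does not.

```python
"""Pre-flight check for the SiteMinder R12 External Admin Store "Disabled Field".

Added example, not CA's code. It simulates the login rule the article
describes: the configured Disabled attribute is read at login; a blank or 0
value lets the admin in, anything else sends them to the logoff page.
Run it against an export of the admin subtree BEFORE flipping the switch so a
wrong attribute choice (case C above) does not lock every admin out.
"""
from typing import Dict, List, Optional

# Constructed sample entries, not from a real directory. Values mimic what AD
# stores in userAccountControl: 512 = NORMAL_ACCOUNT (enabled), 514 = disabled.
# "smDisabled" is a hypothetical attribute that no other application uses.
SAMPLE_ADMINS: List[Dict[str, str]] = [
    {"dn": "cn=alice,ou=admins,dc=example,dc=com", "userAccountControl": "512"},
    {"dn": "cn=bob,ou=admins,dc=example,dc=com", "userAccountControl": "514"},
    {"dn": "cn=carol,ou=admins,dc=example,dc=com", "userAccountControl": "512",
     "smDisabled": "0"},
]


def admin_allowed(disabled_value: Optional[str]) -> bool:
    """The rule as described: blank or 0 passes, anything else is logoff.
    Treating a missing attribute as blank is an assumption of this example."""
    if disabled_value is None or disabled_value.strip() == "":
        return True
    return disabled_value.strip() == "0"


def preflight(entries: List[Dict[str, str]], disabled_attr: str) -> Dict[str, List[str]]:
    """Sort every admin DN into 'allowed' or 'logoff' for a candidate attribute."""
    result: Dict[str, List[str]] = {"allowed": [], "logoff": []}
    for entry in entries:
        bucket = "allowed" if admin_allowed(entry.get(disabled_attr)) else "logoff"
        result[bucket].append(entry["dn"])
    return result


def safe_choice(entries: List[Dict[str, str]], disabled_attr: str) -> bool:
    """True only if no admin would be sent to the logoff page after the switch."""
    return not preflight(entries, disabled_attr)["logoff"]


if __name__ == "__main__":
    for attr in ("userAccountControl", "smDisabled"):
        verdict = "safe" if safe_choice(SAMPLE_ADMINS, attr) else "UNSAFE"
        print(f"{attr}: {verdict} {preflight(SAMPLE_ADMINS, attr)}")
```

With the constructed data, userAccountControl sends all three admins (including the enabled ones) to the logoff page, while smDisabled lets all three in.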