I’ve seen it time and time again across the organizations we’ve worked with: security auditing is treated as a low priority, specifically firewalls between intermediary components and devices and, in some extreme cases, data encryption between those same devices. So it goes without saying that any component accessing the corporate directory (i.e. LDAP) should be treated the same as any user accessing directory information. As a standard practice in ANY of our SiteMinder deployments, we follow the same access and security policy: every access (search, create, delete) to the underlying store must be done using a named account (e.g. uid=ssoadmin,ou=people rather than a generic account or the native LDAP superuser account “cn=Directory Manager”) for audit and security purposes.
Configuring the policy server this way provides:
- Additional audit information and data from the underlying directory, since every operation is tied to a distinct bind DN.
- From a troubleshooting standpoint, it enables the directory administrators to quickly narrow down and locate potentially “erroneous” connections originating from the policy server.
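To make the audit benefit concrete, here is an added example (my own illustration, not code from the original post or from SiteMinder) that shows what a directory administrator can do with the access log once the policy server binds with a named account. The log lines, IP addresses, DNs and the "conn=N ... BIND dn=..." format are all constructed for this example and only loosely resemble what common LDAP servers write; the policy-server inventory and the expected service-account DN are assumptions you would replace with your own.

```python
import re

# Constructed sample access-log lines, loosely modelled on the
# "conn=N op=M BIND dn=..." style several LDAP servers use.
# Timestamps, hosts and DNs are made up for this example.
SAMPLE_LOG = """\
[10/Mar/2024:10:00:01 +0000] conn=101 fd=64 slot=64 connection from 10.0.1.10 to 10.0.2.5
[10/Mar/2024:10:00:01 +0000] conn=101 op=0 BIND dn="uid=ssoadmin,ou=people,dc=example,dc=com" method=128 version=3
[10/Mar/2024:10:00:01 +0000] conn=101 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[10/Mar/2024:10:00:02 +0000] conn=102 fd=65 slot=65 connection from 10.0.1.10 to 10.0.2.5
[10/Mar/2024:10:00:02 +0000] conn=102 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[10/Mar/2024:10:00:02 +0000] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[10/Mar/2024:10:00:03 +0000] conn=103 fd=66 slot=66 connection from 10.0.3.7 to 10.0.2.5
[10/Mar/2024:10:00:03 +0000] conn=103 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[10/Mar/2024:10:00:04 +0000] conn=104 fd=67 slot=67 connection from 10.0.1.11 to 10.0.2.5
[10/Mar/2024:10:00:04 +0000] conn=104 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128 version=3
"""

# Assumed inventory: source addresses of the SiteMinder policy servers.
POLICY_SERVERS = {"10.0.1.10", "10.0.1.11"}

# Assumed naming policy: the named account the policy server should bind as.
EXPECTED_SERVICE_ACCOUNT = "uid=ssoadmin,ou=people,dc=example,dc=com"

# Superuser DNs that no application component should ever bind with.
SUPERUSER_DNS = {"cn=directory manager"}

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')


def parse_binds(log_text):
    """Return a list of (conn_id, source_ip, bind_dn) for every BIND in the log.

    The connection line carries the client address; the BIND line carries
    only the conn id, so the two are joined on conn id.
    """
    sources = {}
    binds = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            sources[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            conn, dn = m.group(1), m.group(2)
            binds.append((conn, sources.get(conn, "unknown"), dn))
    return binds


def audit_policy_server_binds(binds, policy_servers=POLICY_SERVERS,
                              expected_dn=EXPECTED_SERVICE_ACCOUNT):
    """Flag binds from policy servers that do not use the agreed named account."""
    findings = []
    for conn, src, dn in binds:
        if src not in policy_servers:
            continue
        if dn.lower() in SUPERUSER_DNS:
            findings.append((conn, src, dn, "superuser bind from policy server"))
        elif dn != expected_dn:
            findings.append((conn, src, dn, "unexpected bind DN from policy server"))
    return findings


def superuser_bind_sources(binds):
    """Every client address that bound as a superuser DN, from any host.

    With a shared superuser account this set is all the audit trail gives
    you; with named accounts each component is attributable by DN instead.
    """
    return {src for _, src, dn in binds if dn.lower() in SUPERUSER_DNS}


if __name__ == "__main__":
    all_binds = parse_binds(SAMPLE_LOG)
    for finding in audit_policy_server_binds(all_binds):
        print("FINDING conn=%s src=%s dn=%s: %s" % finding)
    print("superuser binds seen from:", sorted(superuser_bind_sources(all_binds)))
```

Run against a real access log, the same two checks answer the two questions the list above raises: which connections from the policy server are not the expected named account (and so need investigating), and which hosts are still sharing the superuser DN (and so cannot be told apart in the audit trail).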