on 08-27-2008 2:05 PM
I'm trying to set up an LDAP data source as an xMII data server in order to retrieve user attributes from our company's Active Directory. I downloaded an LDAP jdbc driver from Novell and deployed it. I set up an IDBC data server with the following parameters:
JDBC Driver: com.novell.sql.LDAPDriver
Server Package: com.sap.xmii.Illuminator.connectors.IDBC
ServerURL: jdbc:ldap://DCSERVER.na.com:389/dc=na,dc=com?SEARCH_SCOPE:=subTreeScope
I used the same AD account that we used in xMII 11.5 to authenticate to LDAP to authenticate users to xMII. (We're still using Netweaver accounts in 12.0.4 but will migrate to LDAP in the next month or so.)
When I check the data server status I get 'Error'.
Any ideas?
David Macindoe
Hi David,
We connect to LDAP with our own driver that's not meant for jdbc access. The question I suppose is how does the jdbc-ldap driver work, does it do similar namespace browsing? Perhaps you could connect somehow, but I have not seen it done nor have I run into a similar issue. I was hoping the log file would provide more meaningful information - maybe you could try changing the log level, not sure if that would help at all. You could also review the Default Trace log. Sorry I can't be of better help.
Regards,
Diana
Just getting back to this issue (after getting distracted by several others!)
I am now able to connect to our LDAP data source. My server URL (which I copied from xMII 11.5 where we were authenticating with LDAP) was not compatible with the Novell jdbc-ldap driver I'm using in 12.0.
I changed the server URL to: 'jdbc:ldap://<server>.na.com:389;useCleartext=true' and I got connected. (I needed the 'useCleartext' parameter as our LDAP source doesn't utilize SSL.) In the workbench I can see "tables" and "columns" suitable for a SELECT query.
The current problem is when I run a query, for example:
SELECT organization.adminDescription from organization
I get the following error:
java.sql.SQLException: [Novell][LDAP JDBC Driver] LDAPStatement.setMaxRows() is not suppported.
I'm not trying to limit the number of rows I'm getting back so I'm not sure why this error is being generated.
Any ideas? I'll query the Novell forums to find an answer.
David Macindoe
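As an added example (not part of the original posts, and not SAP or Novell code), the sketch below parses the two Server URL forms quoted in this thread and flags the settings that mean the LDAP connection is made without SSL. The function names and the host dc01.na.com are assumptions made for illustration.

```python
import re

# Constructed sample inputs: the two Server URL forms quoted in this thread
# (the <server> placeholder is replaced by a made-up host name).
SAMPLE_URLS = [
    "jdbc:ldap://DCSERVER.na.com:389/dc=na,dc=com?SEARCH_SCOPE:=subTreeScope",
    "jdbc:ldap://dc01.na.com:389;useCleartext=true",
]

_URL_RE = re.compile(
    r"^jdbc:ldap://(?P<host>[^:/;?]+)(?::(?P<port>\d+))?"
    r"(?:/(?P<base>[^;?]*))?(?P<rest>[;?].*)?$"
)


def parse_jdbc_ldap_url(url):
    """Split a jdbc:ldap URL into host, port, base DN and parameters."""
    m = _URL_RE.match(url.strip())
    if m is None:
        raise ValueError("not a jdbc:ldap URL: %r" % url)
    params = {}
    for item in re.split(r"[;?&]", m.group("rest") or ""):
        if not item:
            continue
        # Accept both 'key=value' and the older 'key:=value' spelling.
        key, _, value = item.partition("=")
        params[key.rstrip(":").lower()] = value
    return {
        "host": m.group("host"),
        "port": int(m.group("port") or 389),  # 389 is the LDAP default
        "base_dn": m.group("base") or "",
        "params": params,
    }


def audit(url):
    """Return a list of findings for one data-server URL."""
    cfg = parse_jdbc_ldap_url(url)
    findings = []
    if cfg["params"].get("usecleartext", "").lower() == "true":
        findings.append("useCleartext=true: connection is made without SSL")
    if cfg["port"] == 389:
        findings.append("port 389: plain LDAP port (LDAPS normally uses 636)")
    return findings

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", audit(u) or "no findings")
```
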
I'm not sure how to disable it. I made sure the 'Limit Number of Rows' is unchecked when I run the query in the workbench. Just as a test, I put the query in a transaction and ran it from there but it had the same result.
Any ideas on how to prevent the query from issuing the max rows request? Should I be looking for another LDAP driver?
David
That's just it - you can't disable it. All IDBC connections do this, for SQL queries to Oracle, SQLServer, MySQL, DB2, etc. Our query engine treats all of these Data Server connections the same way when issuing requests, and expects the JDBC driver to honor the statements or handle them accordingly.
I don't know if another driver will be the answer, since you really don't know until you try it out.
Regards,
Jeremy
Hi David,
I've done some asking around here in the office - the LDAP server is not a relational database, and uses a different protocol, so there does not appear to be a way to connect to it as such.
Kind Regards,
Diana Hoppe
Hi David,
Have you checked the Netweaver logs? I would suggest you recreate the issue, noting the time you did so, and then peruse the logs for more detailed information as to why the connection is failing.
Kind Regards,
Diana Hoppe
Thanks Diana. The last two entries in the logs are:
Reload request for server NAOXY
Stopping Server [name=NAOXY,className=com.sap.xmii.Illuminator.connectors.IDBC.IDBC,description=null,enabled=true,connected=true,holder=com.sap.xmii.Illuminator.tools.database.ConnectionHolder@6b676b67]
No reason why the server was being stopped.
David
We're still using Netweaver accounts in 12.0.4 but will migrate to LDAP in the next month or so.
If this is the goal, then I would suggest you wait, because you would anyway be configuring the LDAP on the Netweaver UME. Once that is done you can easily access user attributes as defined in LDAP.
Two things -
1) Diana - While LDAP isn't a true relational database, the jdbc driver should allow us to treat it as one - albeit with limited SELECT functionality.
The 11.5 help on 'LDAP User Configuration' says - "The Lightweight Directory Access Protocol (LDAP) connector allows Security Manager to query the user and role information from any LDAP version 3 compliant server. It uses simple SQL statements. Since the LDAP server is not a true relational database, the driver supports limited SELECT capabilities."
I had hoped the same concept applied to setting up LDAP as a 12.0 data server.
2) Udayan - when you say 'you can easily access user attributes as defined in LDAP', are you saying all of the characteristics pertaining to a specific LDAP user object are visible to Netweaver and thus to MII? For example, I'd like to be able to retrieve the user's LDAP group memberships as we'll be using that to assign permissions to certain aspects of MII projects.
If all the user's LDAP characteristics can be defined as user attributes then yes, I'll pull them in through the authentication process. If not, then I'll need to pull them in later through a data server query.
David
The User Attributes I was referring to were the common user information like email, telephone, address, etc.
Now I have very little knowledge on the AD side but as I understand, these are the most common user attributes apart from which I am sure AD would allow you to define more.
As far as the AD Group is concerned, I am not sure if this could be defined as an attribute, I may be wrong. Moreover in my experience so far I have not come across any instance wherein I was able to see the AD group info in xMII although it is very much accessible from the Netweaver UME.
Also, are you not thinking of defining Netweaver Roles (which should be mapped to the AD groups) for assigning the permissions in MII? As far as I know this is the cleanest way to secure your application because as far as the Navigation is concerned you will be able to see only the Users and the Netweaver Roles in MII.