on 09-16-2008 3:04 PM
Hi colleagues.
I have the following problem.
I set up communication between LDAP (Active Directory) and UME,
configured SSL between the UME and an LDAP directory, and installed the
certificate in Visual Administrator and in Active Directory on the domain
controller. As a result I can manage LDAP accounts from the Portal (delete
LDAP accounts, define new passwords for them, manage them like UME
accounts).
The problem appears when, in Active Directory, I define a password for an LDAP account
and check the property "User must change password at next logon".
The user tries to log on to the Portal with this password and gets the message "User
authentication failed".
Useful answers will be awarded points.
Regards
Dmitriy
Dmitry,
Here are my 2 cents:
1. useraccountcontrol=544
Try with 512, because 544 means also PASSWD_NOTREQD.
This is why your password change may get messed up.
From other forums I can see that initial password change in LDAP should work:
https://forums.sdn.sap.com/click.jspa?searchID=20081205&messageID=5363287
2. There is an option to activate self help at login screen for users who cannot login and need their password reset and emailed them. May be useful.
3. Open an OSS message with SAP. They should be able to help.
And from me: give Marc some points, the man is trying hard.
Regards,
Slava
Dmitriy,
A couple more troubleshooting questions:
1. You say that users can login to AD immediately after creation. Are they prompted to change their password if they do this?
2. If a user changes their password in portal, does it change the AD password?
3. Can you please attach the UME Configuration zip file? Remember to remove any sensitive data before posting.
4. What version of the portal are you running?
Thanks,
Marc
Hi Marc,
1. LDAP users can change passwords inside the Portal via Personalization -> User Profile
2. The password changes in AD too (SSL was configured and is still working fine)
3. General Global
Property Value
com.sap.security.core.umap.key (Empty)
login.authschemes.definition.file authschemes.xml
login.serviceuser.lifetime 100
login.ticket_client 0
login.ticket_include_cert false
login.ticket_keyalias SAPLogonTicketKeypair
login.ticket_keystore TicketKeystore
login.ticket_lifetime 8
login.ticket_portalid auto
ume.acl.validate_cached_acls false
ume.admin.account_privacy true
ume.admin.addattrs (Empty)
ume.admin.allow_selfmanagement false
ume.admin.auto_password true
ume.admin.batch.export_directory (Empty)
ume.admin.create.redirect (Empty)
ume.admin.debug_internal false
ume.admin.display.redirect (Empty)
ume.admin.modify.redirect (Empty)
ume.admin.nocache false
ume.admin.orgunit.adapterid (Empty)
ume.admin.password.migration false
ume.admin.phone_check true
ume.admin.public.addattrs (Empty)
ume.admin.search_maxhits 1000
ume.admin.search_maxhits_warninglevel 200
ume.admin.self.addattrs (Empty)
ume.admin.self.addressactive false
ume.admin.self.generate_password false
ume.admin.self.privacystatement.link (Empty)
ume.admin.self.privacystatement.version 1
ume.admin.selfreg_company false
ume.admin.selfreg_guest true
ume.admin.selfreg_sus false
ume.admin.selfreg_sus.adapterid SUS
ume.admin.selfreg_sus.adminrole (Empty)
ume.admin.selfreg_sus.deletecall true
ume.admin.wd.components.umeadminapp {sap.com/tcsecumewdkit;com.sap.security.core.wd.maintainuser.MaintainUserComp},{sap.com/tcsecumewdkit;com.sap.security.core.wd.maintainrole.MaintainRoleComp},{sap.com/tcsecumewdkit;com.sap.security.core.wd.maintaingroup.MaintainGroupComp}
ume.admin.wd.locales (Empty)
ume.admin.wd.table.size.large 20
ume.admin.wd.table.size.medium 10
ume.admin.wd.table.size.small 5
ume.admin.wd.tenant.identifier.all - All -
ume.admin.wd.tenant.identifier.none - None -
ume.admin.wd.url.help http://help.sap.com/saphelp_nw04s/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm
ume.admin.wdactive true
ume.allow_nested_groups true
ume.cache.acl.default_caching_time 1800
ume.cache.acl.initial_cache_size 10000
ume.cache.acl.permissions.default_caching_time 3600
ume.cache.acl.permissions.initial_cache_size 100
ume.cache.default_cache distributableCache
ume.cache.group.default_caching_time 3600
ume.cache.group.initial_cache_size 500
ume.cache.notification_time 0
ume.cache.principal.default_caching_time 3600
ume.cache.principal.initial_cache_size 500
ume.cache.role.default_caching_time 3600
ume.cache.role.initial_cache_size 500
ume.cache.user.default_caching_time 3600
ume.cache.user.initial_cache_size 500
ume.cache.user_account.default_caching_time 3600
ume.cache.user_account.initial_cache_size 500
ume.company_groups.description_template Company ume.company_groups.displayname_template ()
ume.company_groups.enabled false
ume.company_groups.guestusercompany_enabled true
ume.company_groups.guestusercompany_name Guest Users
ume.db.connection_pool.j2ee.is_unicode false
ume.db.connection_pool_type SAP/BC_UME
ume.db.or_search.max_arguments 50
ume.db.parent_search.max_arguments 300
ume.db.search.max_principal_arguments 1000
ume.db.use_default_transaction_isolation false
ume.ldap.access.action_retrial 2
ume.ldap.access.additional_password.1 (Empty)
ume.ldap.access.additional_password.2 (Empty)
ume.ldap.access.additional_password.3 (Empty)
ume.ldap.access.additional_password.4 (Empty)
ume.ldap.access.additional_password.5 (Empty)
ume.ldap.access.auxiliary_naming_attribute.grup (Empty)
ume.ldap.access.auxiliary_naming_attribute.uacc (Empty)
ume.ldap.access.auxiliary_naming_attribute.user (Empty)
ume.ldap.access.auxiliary_objectclass.grup (Empty)
ume.ldap.access.auxiliary_objectclass.uacc (Empty)
ume.ldap.access.auxiliary_objectclass.user (Empty)
ume.ldap.access.base_path.grup DC=xxxx,DC=xxxxxx,DC=ru
ume.ldap.access.base_path.uacc (Empty)
ume.ldap.access.base_path.user DC=xxxx,DC=xxxx,DC=ru
ume.ldap.access.context_factory com.sun.jndi.ldap.LdapCtxFactory
ume.ldap.access.creation_path.grup (Empty)
ume.ldap.access.creation_path.uacc (Empty)
ume.ldap.access.creation_path.user (Empty)
ume.ldap.access.dynamic_group_attribute (Empty)
ume.ldap.access.dynamic_groups false
ume.ldap.access.flat_group_hierachy true
ume.ldap.access.kerberos_data_url (Empty)
ume.ldap.access.msads.control_attribute userAccountControl
ume.ldap.access.msads.control_value 512
ume.ldap.access.msads.grouptype.attribute grouptype
ume.ldap.access.msads.grouptype.value 4
ume.ldap.access.multidomain.enabled false
ume.ldap.access.naming_attribute.grup (Empty)
ume.ldap.access.naming_attribute.uacc (Empty)
ume.ldap.access.naming_attribute.user (Empty)
ume.ldap.access.objectclass.grup (Empty)
ume.ldap.access.objectclass.uacc (Empty)
ume.ldap.access.objectclass.user (Empty)
ume.ldap.access.password (Secure)
ume.ldap.access.server_name xxxxx;xxxxx;xxxxx
ume.ldap.access.server_port 636,636,636
ume.ldap.access.server_type (Empty)
ume.ldap.access.size_limit 0
ume.ldap.access.ssl true
ume.ldap.access.ssl_socket_factory com.sap.security.core.server.https.SecureConnectionFactory
ume.ldap.access.time_limit 0
ume.ldap.access.user xxxxxxxxxx.ru
ume.ldap.access.user_as_account true
ume.ldap.blocked_accounts Administrator,Guest
ume.ldap.blocked_groups Administrators,Guests
ume.ldap.blocked_users Administrator,Guest
ume.ldap.cache_lifetime 300
ume.ldap.cache_size 100
ume.ldap.connection_pool.connect_timeout 25000
ume.ldap.connection_pool.max_connection_usage_time_check_interval 120000
ume.ldap.connection_pool.max_idle_connections 5
ume.ldap.connection_pool.max_idle_time 300000
ume.ldap.connection_pool.max_size 10
ume.ldap.connection_pool.max_wait_time 60000
ume.ldap.connection_pool.min_size 1
ume.ldap.connection_pool.monitor_level 0
ume.ldap.connection_pool.retrial 2
ume.ldap.connection_pool.retrial_interval 10000
ume.ldap.default_group_member cn=DUMMY_MEMBER_FOR_UME
ume.ldap.default_group_member.enabled false
ume.ldap.record_access false
ume.ldap.unique_grup_attribute (Empty)
ume.ldap.unique_uacc_attribute samaccountname
ume.ldap.unique_user_attribute samaccountname
ume.locking.enabled true
ume.locking.max_wait_time 30
ume.login.basicauthentication 1
ume.login.context ticket
ume.login.context.default ticket
ume.login.guest_user.uniqueids Guest
ume.login.mdc.hosts (Empty)
ume.logoff.redirect.silent false
ume.logoff.redirect.url (Empty)
ume.logon.allow_cert false
ume.logon.branding_image layout/branding-image.jpg
ume.logon.branding_style css/ur/ur_.css
ume.logon.branding_text layout/branding-text.gif
ume.logon.force_password_change_on_sso true
ume.logon.httponlycookie true
ume.logon.locale false
ume.logon.logon_help false
ume.logon.logon_help.name_required false
ume.logon.logon_help.securityquestion false
ume.logon.r3master.adapterid master
ume.logon.security.enforce_secure_cookie false
ume.logon.security.local_redirect_only true
ume.logon.security.relax_domain.level 1
ume.logon.security_policy.auto_unlock_time 60
ume.logon.security_policy.cert_logon_required false
ume.logon.security_policy.enforce_policy_at_logon false
ume.logon.security_policy.lock_after_invalid_attempts 99
ume.logon.security_policy.log_client_hostaddress true
ume.logon.security_policy.log_client_hostname false
ume.logon.security_policy.oldpass_in_newpass_allowed false
ume.logon.security_policy.password_alpha_numeric_required 1
ume.logon.security_policy.password_change_allowed true
ume.logon.security_policy.password_change_required TRUE
ume.logon.security_policy.password_expire_days 999
ume.logon.security_policy.password_history 0
ume.logon.security_policy.password_impermissible (Empty)
ume.logon.security_policy.password_last_change_date_default 12/31/9999
ume.logon.security_policy.password_max_idle_time 0
ume.logon.security_policy.password_max_length 14
ume.logon.security_policy.password_min_length 6
ume.logon.security_policy.password_mix_case_required 0
ume.logon.security_policy.password_special_char_required 0
ume.logon.security_policy.password_successful_check_date_default 12/31/9999
ume.logon.security_policy.userid_digits 0
ume.logon.security_policy.userid_in_password_allowed false
ume.logon.security_policy.userid_lowercase 0
ume.logon.security_policy.userid_special_char_required 0
ume.logon.security_policy.useridmaxlength 20
ume.logon.security_policy.useridminlength 1
ume.logon.selfreg false
ume.logonAuthenticationFactory com.sap.security.core.logon.imp.SAPJ2EEAuthenticator
ume.multi_tenancy.automatic_logonid_prefixing true
ume.multi_tenancy_support_enabled false
ume.notification.admin_email Adminxxxxx.ru
ume.notification.create_approval true
ume.notification.create_by_batch_performed true
ume.notification.create_denied true
ume.notification.create_performed true
ume.notification.create_request true
ume.notification.delete_performed true
ume.notification.email_asynch true
ume.notification.lock_performed true
ume.notification.mail_host lotusmail.xxxx.xxxx.ru
ume.notification.pswd_reset_performed true
ume.notification.pswd_reset_request true
ume.notification.selfreg_performed true
ume.notification.system_email Adminxxxxx.ru
ume.notification.unlock_performed true
ume.notification.update_by_batch_performed true
ume.notification.workflow_email (Empty)
ume.persistence.batch.page_size 25
ume.persistence.data_source_configuration dataSourceConfiguration_ads_readonly_password_db.xml
ume.persistence.pcd_roles_data_source_configuration dataSourceConfiguration_PCDRoles.xml
ume.persistence.ume_roles_data_source_configuration dataSourceConfiguration_UMERoles.xml
ume.principal.simple_search.attributes.account j_user
ume.principal.simple_search.attributes.action uniquename
ume.principal.simple_search.attributes.group uniquename
ume.principal.simple_search.attributes.role uniquename
ume.principal.simple_search.attributes.user uniquename,firstname,lastname
ume.r3.connection.001.TimeZoneMapping (Empty)
ume.r3.connection.001.ashost (Empty)
ume.r3.connection.001.client (Empty)
ume.r3.connection.001.group (Empty)
ume.r3.connection.001.gwhost (Empty)
ume.r3.connection.001.gwserv (Empty)
ume.r3.connection.001.lang (Empty)
ume.r3.connection.001.msghost (Empty)
ume.r3.connection.001.passwd (Empty)
ume.r3.connection.001.poolmaxsize 10
ume.r3.connection.001.poolmaxwait (Empty)
ume.r3.connection.001.r3name (Empty)
ume.r3.connection.001.receiverid 1
ume.r3.connection.001.receiverid_guest 1
ume.r3.connection.001.snc_lib (Empty)
ume.r3.connection.001.snc_mode (Empty)
ume.r3.connection.001.snc_myname (Empty)
ume.r3.connection.001.snc_partnername (Empty)
ume.r3.connection.001.snc_qop (Empty)
ume.r3.connection.001.sysnr (Empty)
ume.r3.connection.001.user (Empty)
ume.r3.connection.001.userole false
ume.r3.connection.002.TimeZoneMapping (Empty)
ume.r3.connection.002.ashost (Empty)
ume.r3.connection.002.client (Empty)
ume.r3.connection.002.group (Empty)
ume.r3.connection.002.gwhost (Empty)
ume.r3.connection.002.gwserv (Empty)
ume.r3.connection.002.lang (Empty)
ume.r3.connection.002.msghost (Empty)
ume.r3.connection.002.passwd (Empty)
ume.r3.connection.002.poolmaxsize 10
ume.r3.connection.002.poolmaxwait (Empty)
ume.r3.connection.002.r3name (Empty)
ume.r3.connection.002.receiverid 2
ume.r3.connection.002.receiverid_guest 2
ume.r3.connection.002.snc_lib (Empty)
ume.r3.connection.002.snc_mode (Empty)
ume.r3.connection.002.snc_myname (Empty)
ume.r3.connection.002.snc_partnername (Empty)
ume.r3.connection.002.snc_qop (Empty)
ume.r3.connection.002.sysnr (Empty)
ume.r3.connection.002.user (Empty)
ume.r3.connection.002.userole false
ume.r3.connection.003.TimeZoneMapping (Empty)
ume.r3.connection.003.ashost (Empty)
ume.r3.connection.003.client (Empty)
ume.r3.connection.003.group (Empty)
ume.r3.connection.003.gwhost (Empty)
ume.r3.connection.003.gwserv (Empty)
ume.r3.connection.003.lang (Empty)
ume.r3.connection.003.msghost (Empty)
ume.r3.connection.003.passwd (Empty)
ume.r3.connection.003.poolmaxsize 10
ume.r3.connection.003.poolmaxwait (Empty)
ume.r3.connection.003.r3name (Empty)
ume.r3.connection.003.receiverid 3
ume.r3.connection.003.receiverid_guest 3
ume.r3.connection.003.snc_lib (Empty)
ume.r3.connection.003.snc_mode (Empty)
ume.r3.connection.003.snc_myname (Empty)
ume.r3.connection.003.snc_partnername (Empty)
ume.r3.connection.003.snc_qop (Empty)
ume.r3.connection.003.sysnr (Empty)
ume.r3.connection.003.user (Empty)
ume.r3.connection.003.userole false
ume.r3.connection.master.TimeZoneMapping (Empty)
ume.r3.connection.master.abap_debug (Empty)
ume.r3.connection.master.ashost (Empty)
ume.r3.connection.master.client (Empty)
ume.r3.connection.master.group (Empty)
ume.r3.connection.master.gwhost (Empty)
ume.r3.connection.master.gwserv (Empty)
ume.r3.connection.master.lang EN
ume.r3.connection.master.msghost (Empty)
ume.r3.connection.master.msserv (Empty)
ume.r3.connection.master.passwd (Empty)
ume.r3.connection.master.poolmaxsize 10
ume.r3.connection.master.poolmaxwait (Empty)
ume.r3.connection.master.r3name (Empty)
ume.r3.connection.master.receiverid master
ume.r3.connection.master.receiverid_guest master
ume.r3.connection.master.snc_lib (Empty)
ume.r3.connection.master.snc_mode (Empty)
ume.r3.connection.master.snc_myname (Empty)
ume.r3.connection.master.snc_partnername (Empty)
ume.r3.connection.master.snc_qop (Empty)
ume.r3.connection.master.sysnr (Empty)
ume.r3.connection.master.trace (Empty)
ume.r3.connection.master.user (Empty)
ume.r3.connection.tpd.adapterid value of ume.r3.connection.tpd.systemid
ume.r3.connection.tpd.systemid SUS
ume.r3.mastersystem MBDCLNT200
ume.r3.mastersystem.uid.mode 1
ume.r3.orgunit.adapterid (Empty)
ume.r3.sync.sender SAPMUM
ume.r3.use.role false
ume.replication.adapters.001.companies (Empty)
ume.replication.adapters.001.scope (Empty)
ume.replication.adapters.002.companies (Empty)
ume.replication.adapters.002.scope (Empty)
ume.replication.adapters.003.companies (Empty)
ume.replication.adapters.003.scope (Empty)
ume.replication.adapters.index_1 (Empty)
ume.replication.adapters.index_2 (Empty)
ume.replication.adapters.index_3 (Empty)
ume.replication.adapters.master.companies (Empty)
ume.replication.adapters.master.scope (Empty)
ume.replication.crm_sup_register_check BBP_SUS_BUPA_REGID_CHECK
ume.replication.messaging.active false
ume.replication.sync.display_all_doc false
ume.roles.pcd_roles_with_actions (Empty)
ume.roles.xml_files *role.xml
ume.secaudit.get_object_name false
ume.secaudit.log_actor true
ume.spml.schema_name schema.xml
ume.superadmin.activated FALSE
ume.superadmin.password (Empty)
ume.supergroups.anonymous_group.description Built-in Group Anonymous Users
ume.supergroups.anonymous_group.displayname Anonymous Users
ume.supergroups.anonymous_group.uniquename Anonymous Users
ume.supergroups.authenticated_group.description Built-in Group Authenticated Users
ume.supergroups.authenticated_group.displayname Authenticated Users
ume.supergroups.authenticated_group.uniquename Authenticated Users
ume.supergroups.everyone.description Built-in Group Everyone
ume.supergroups.everyone.displayname Everyone
ume.supergroups.everyone.uniquename Everyone
ume.testum false
ume.tpd.classloader (Empty)
ume.tpd.companies 0
ume.tpd.imp.class com.sap.security.core.tpd.SimpleTPD
ume.tpd.prefix STPD_
ume.trace.external_trace_class com.sap.security.core.util.imp.UMTrace_630
ume.usermapping.admin.pwdprotection true
ume.usermapping.key.protection TRUE
ume.usermapping.refsys.mapping.type internal
ume.usermapping.unsecure false
ume.users.displayname_template ,
ume.users.email_pattern ?@?.?*
ume.virtual_groups.description_template Virtual group ume.virtual_groups.displayname_template
ume.virtual_groups.group_names_separator ;
ume.virtual_groups.name_prefix (Empty)
ume.virtual_groups.names (Empty)
ume.virtual_groups.trim_group_names true
ume.virtual_groups.user_attribute (Empty)
ume.virtual_groups.user_attribute.multivalue true
ume.virtual_groups.user_attribute.namespace (Empty)
4. We use Portal 7.0 SPS16
Regards
Dmitriy
1. useraccountcontrol=544
Try with 512, because 544 means also PASSWD_NOTREQD.
This is why your password change may get messed up.
From other forums I can see that initial password change in LDAP should work:
https://forums.sdn.sap.com/click.jspa?searchID=20081205&messageID=5363287
2. There is an option to activate self help at login screen for users who cannot login and need their password reset and emailed them. May be useful.
3. Open an OSS message with SAP. They should be able to help.
Hi Slavik,
1) I already tried setting the value 512 for the LDAP attribute useraccountcontrol. (This attribute is the property "User must change password at next logon", and if it has this value I get the situation during the logon process that authentication fails.)
The link is rather useful, thanks a lot.
2) Where can I find this option?
3) I already opened 2 messages. The result is not so good.
Regards
Dmitriy
Where can I find this option?
Logon Help
http://help.sap.com/saphelp_nw04s/helpdata/en/43/fc3ae22adb025fe10000000a1553f7/frameset.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/45/7e6313d8780dece10000000a11466f/frameset.htm
Regards,
Slava
Hi Dmitriy,
I am facing the same issue.
If you have been able to resolve the issue,
then please help me with your document or suggestion.
Referring to the above discussion I have done all changes accordingly.
But still I am not able to get the change password prompt.
Please help with your valuable suggestion; it's urgent for me.
Your help will always be appreciated.
Thanks in advance,
Prashant Krishen.
Have you tried altering the date on the property:
ume.logon.security_policy.password_last_change_date_default 12/31/9999 to 12/31/1999?
Edited by: Laura Duffy on Mar 23, 2009 7:18 PM
Dmitriy,
Two further questions:
1. You say that users can login to AD immediately after creation. Are they prompted to change their password if they do this?
2. When a user logs onto the portal for the first time, are they able to get into the portal without being forced to change their password?
Thanks,
Marc
Hi Marc,
1. An LDAP user can log on to the Portal after creation if the property "User must change password at next logon" is switched off. Inside the Portal the user has the ability to change the password, but we want the user to be forced to change the password. Unfortunately this option doesn't work yet.
2. If the property "User must change password at next logon" is switched off, the user is able to get into the Portal without being forced to change their password. If the property "User must change password at next logon" is switched on, the user is unable to log on to the Portal.
Regards
Dmitriy
Dmitriy,
When an account is created in Active Directory, it is normally disabled by default. The parameter msDS-UserAccountDisabled may initially be set to TRUE. This needs to be set to false to be used as a login.
If this parameter is false, please paste the datasource.xml you are using and I'll take a look.
Cheers,
Marc
Hi Marc,
I create users in Active Directory from employee data stored in SAP HR. By default these new accounts are disabled. I map some data from HR to the corresponding AD attributes; as a result I have an enabled LDAP account with the full information that I map from HR. (If the attribute userAccountControl has the value 546, the account is disabled; if it has the value 544, the account is enabled.) Besides that, I assign the LDAP attribute pwdLastSet (property "User must change password at next logon") the value 0, but when the user tries to log on to the Portal the problem appears: "Authentication failed", and as a result the user can't log in to the Portal. I think the Portal doesn't receive this attribute and its value. I tried to edit the XML file, but unsuccessfully.
Have a look at the XML file; I hope you can help me.
Thanks in advance
Dmitriy
<?xml version="1.0" encoding="UTF-8" ?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_writeable_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<dataSources>
  <dataSource id="PRIVATE_DATASOURCE" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
    <homeFor>
      <principals>
        <principal type="account">
          <nameSpace name="$serviceUser$">
            <attribute name="SERVICEUSER_ATTRIBUTE">
              <values>
                <value>IS_SERVICEUSER</value>
              </values>
            </attribute>
          </nameSpace>
        </principal>
        <principal type="user">
          <nameSpace name="$serviceUser$">
            <attribute name="SERVICEUSER_ATTRIBUTE">
              <values>
                <value>IS_SERVICEUSER</value>
              </values>
            </attribute>
          </nameSpace>
        </principal>
        <principal type="team" />
        <principal type="ROOT" />
        <principal type="OOOO" />
      </principals>
    </homeFor>
    <notHomeFor />
    <responsibleFor>
      <principals>
        <principal type="group" />
        <principal type="user" />
        <principal type="account" />
        <principal type="team" />
        <principal type="ROOT" />
        <principal type="OOOO" />
      </principals>
    </responsibleFor>
    <notResponsibleFor />
    <attributeMapping />
    <privateSection />
  </dataSource>
  <dataSource id="CORP_LDAP" className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence" isReadonly="false" isPrimary="true">
    <homeFor>
      <principal type="account" />
      <principal type="user" />
      <principal type="group" />
    </homeFor>
    <notHomeFor>
      <principal type="user">
        <nameSpace name="$serviceUser$">
          <attribute name="SERVICEUSER_ATTRIBUTE">
            <values>
              <value>IS_SERVICEUSER</value>
            </values>
          </attribute>
        </nameSpace>
      </principal>
      <principal type="account">
        <nameSpace name="$serviceUser$">
          <attribute name="SERVICEUSER_ATTRIBUTE">
            <values>
              <value>IS_SERVICEUSER</value>
            </values>
          </attribute>
        </nameSpace>
      </principal>
    </notHomeFor>
    <responsibleFor>
      <principal type="account">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="j_user" />
          <attribute name="logonalias" />
          <attribute name="j_password" />
          <attribute name="userid" />
        </nameSpace>
        <nameSpace name="com.sap.security.core.authentication">
          <attribute name="principal" />
          <attribute name="realm" />
          <attribute name="domain" />
        </nameSpace>
      </principal>
      <principal type="user">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="firstname" populateInitially="true" />
          <attribute name="displayname" populateInitially="true" />
          <attribute name="lastname" populateInitially="true" />
          <attribute name="fax" />
          <attribute name="email" />
          <attribute name="title" />
          <attribute name="department" />
          <attribute name="description" />
          <attribute name="mobile" />
          <attribute name="telephone" />
          <attribute name="streetaddress" />
          <attribute name="uniquename" populateInitially="true" />
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE" />
        </nameSpace>
        <nameSpace name="$usermapping$">
          <attribute name="REFERENCE_SYSTEM_USER" />
        </nameSpace>
      </principal>
      <principal type="group">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="displayname" populateInitially="true" />
          <attribute name="description" populateInitially="true" />
          <attribute name="uniquename" />
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE" />
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE" />
        </nameSpace>
        <nameSpace name="com.sap.security.core.bridge">
          <attribute name="dn" />
        </nameSpace>
      </principal>
    </responsibleFor>
    <attributeMapping>
      <principal type="account">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="j_user">
            <physicalAttribute name="samaccountname" />
          </attribute>
          <attribute name="logonalias">
            <physicalAttribute name="samaccountname" />
          </attribute>
          <attribute name="j_password">
            <physicalAttribute name="unicodepwd" />
          </attribute>
          <attribute name="userid">
            <physicalAttribute name="null" />
          </attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.authentication">
          <attribute name="principal">
            <physicalAttribute name="samaccountname" />
          </attribute>
          <attribute name="realm">
            <physicalAttribute name="null" />
          </attribute>
          <attribute name="domain">
            <physicalAttribute name="null" />
          </attribute>
        </nameSpace>
      </principal>
      <principal type="user">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="firstname">
            <physicalAttribute name="givenname" />
          </attribute>
          <attribute name="displayname">
            <physicalAttribute name="displayname" />
          </attribute>
          <attribute name="lastname">
            <physicalAttribute name="sn" />
          </attribute>
          <attribute name="fax">
            <physicalAttribute name="facsimiletelephonenumber" />
          </attribute>
          <attribute name="uniquename">
            <physicalAttribute name="samaccountname" />
          </attribute>
          <attribute name="loginid">
            <physicalAttribute name="null" />
          </attribute>
          <attribute name="email">
            <physicalAttribute name="mail" />
          </attribute>
          <attribute name="mobile">
            <physicalAttribute name="mobile" />
          </attribute>
          <attribute name="telephone">
            <physicalAttribute name="telephonenumber" />
          </attribute>
          <attribute name="department">
            <physicalAttribute name="ou" />
          </attribute>
          <attribute name="description">
            <physicalAttribute name="description" />
          </attribute>
          <attribute name="streetaddress">
            <physicalAttribute name="postaladdress" />
          </attribute>
          <attribute name="pobox">
            <physicalAttribute name="postofficebox" />
          </attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
            <physicalAttribute name="memberof" />
          </attribute>
        </nameSpace>
        <nameSpace name="$usermapping$">
          <attribute name="REFERENCE_SYSTEM_USER">
            <physicalAttribute name="sapusername" />
          </attribute>
        </nameSpace>
      </principal>
      <principal type="group">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="displayname">
            <physicalAttribute name="displayname" />
          </attribute>
          <attribute name="description">
            <physicalAttribute name="description" />
          </attribute>
          <attribute name="uniquename" populateInitially="true">
            <physicalAttribute name="cn" />
          </attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
            <physicalAttribute name="member" />
          </attribute>
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
            <physicalAttribute name="memberof" />
          </attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.bridge">
          <attribute name="dn">
            <physicalAttribute name="null" />
          </attribute>
        </nameSpace>
      </principal>
    </attributeMapping>
    <privateSection>
      <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
      <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
      <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
      <ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
      <ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
      <ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
      <ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
      <ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
      <ume.ldap.access.set_pwd>true</ume.ldap.access.set_pwd>
      <ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
      <ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
      <ume.ldap.access.objectclass.grup>Group</ume.ldap.access.objectclass.grup>
      <ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
      <ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
      <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
      <ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
      <ume.ldap.access.naming_attribute.grup>cn</ume.ldap.access.naming_attribute.grup>
      <ume.ldap.access.auxiliary_naming_attribute.grup>samaccountname</ume.ldap.access.auxiliary_naming_attribute.grup>
    </privateSection>
  </dataSource>
</dataSources>
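Slava's remark that 544 also carries PASSWD_NOTREQD, and Dmitriy's observation that 546 means disabled, 544 means enabled and pwdLastSet = 0 means "must change password at next logon", all come down to reading two AD attributes. The script below is an added example and is not code from this thread or from SAP: it decodes the userAccountControl bitmask (bit values as documented by Microsoft) together with pwdLastSet, and runs that check over a few constructed account records to flag the states discussed here. The account names and values are constructed for illustration.

```python
"""Decode Active Directory account state from userAccountControl and pwdLastSet.

Added example, not code from the thread or from SAP. Bit values follow the
userAccountControl bitmask documented by Microsoft; the account records at the
bottom are constructed for illustration, not read from a directory.
"""

# Subset of the userAccountControl bits (values from Microsoft's documentation).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}


def decode_uac(value):
    """Return the names of the bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def account_state(uac, pwd_last_set):
    """Summarise what the directory will enforce for one account.

    pwdLastSet is a Windows FILETIME; AD stores 0 when "User must change password
    at next logon" is ticked, and DONT_EXPIRE_PASSWORD suppresses that requirement.
    """
    flags = decode_uac(uac)
    return {
        "enabled": "ACCOUNTDISABLE" not in flags,
        "password_required": "PASSWD_NOTREQD" not in flags,
        "must_change_password": pwd_last_set == 0 and "DONT_EXPIRE_PASSWORD" not in flags,
        "flags": flags,
    }


def audit(records):
    """Map each sAMAccountName to the findings a directory admin would want to see.

    Each record is a dict with the attributes an LDAP search would return for the
    user object; here they are constructed.
    """
    findings = {}
    for rec in records:
        state = account_state(rec["userAccountControl"], rec["pwdLastSet"])
        problems = []
        if not state["enabled"]:
            problems.append("ACCOUNTDISABLE is set: the account cannot log on at all")
        if not state["password_required"]:
            problems.append(
                "PASSWD_NOTREQD is set: an empty password is accepted; clear the bit "
                "(for example 544 -> 512) so the password policy applies"
            )
        if state["enabled"] and state["must_change_password"]:
            problems.append(
                "pwdLastSet = 0: AD refuses an LDAP simple bind for this account "
                "(bind error data 773) until the password is changed, so an application "
                "that only binds reports a failed authentication"
            )
        findings[rec["sAMAccountName"]] = problems
    return findings


# Constructed sample: the three states that come up in the thread.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "hr.new01", "userAccountControl": 546, "pwdLastSet": 0},
    {"sAMAccountName": "hr.new02", "userAccountControl": 544, "pwdLastSet": 0},
    {"sAMAccountName": "hr.ok03", "userAccountControl": 512, "pwdLastSet": 131000000000000000},
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_ACCOUNTS).items():
        print(name, decode_uac(next(r["userAccountControl"] for r in SAMPLE_ACCOUNTS if r["sAMAccountName"] == name)))
        for p in problems:
            print("  -", p)
```

The value 544 decodes to NORMAL_ACCOUNT plus PASSWD_NOTREQD, which is why a user provisioned that way is enabled but exempt from the password-required policy; 512 is NORMAL_ACCOUNT alone. Whether a particular application copes with pwdLastSet = 0 depends on how it binds to the directory; the script only reports the directory-side state.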
Dmitry,
From the xml file you have posted, it appears that you should add the following two lines to the <privateSection>:
<ume.ldap.access.msads.control_attribute>msds-useraccountdisabled</ume.ldap.access.msads.control_attribute>
<ume.ldap.access.msads.control_value>FALSE</ume.ldap.access.msads.control_value>
Some additional troubleshooting questions:
1. Are the users able to log into the AD immediately after creation?
2. Are the users able to change their passwords from the portal?
3. Are you using SSL connections between the systems?
Thanks,
Marc
Hi Marc,
I added these 2 lines to the end of the private section, but unfortunately the result is the same: the user cannot change the password.
Answers to your questions:
1. Users are able to log into the AD immediately after creation
2. Users are able to change their passwords from the Portal (when the AD property "User must change password at next logon" is switched off, the user can change the password via Personalize)
3. I use an SSL connection between the systems
Regards
Dmitriy