
Initial password problem for LDAP account in Portal

Former Member
0 Kudos

Hi colleagues.

I have the following problem.

I set up communication between LDAP (Active Directory) and UME, configured SSL between the UME and the LDAP directory, and installed the certificate in Visual Administrator and in Active Directory on the domain controller. As a result I can manage LDAP accounts from the Portal (delete LDAP accounts, define new passwords for them, manage them like UME accounts).

The problem appears when, in Active Directory, I define a password for an LDAP account and check the property "User must change password at next logon". The user tries to log on to the Portal with this password and gets the message "User authentication failed".

Useful answers will be awarded points.

Regards

Dmitriy

Accepted Solutions (1)

Former Member
0 Kudos

Dmitry,

Here are my 2 cents:

1. useraccountcontrol=544

Try 512, because 544 also includes PASSWD_NOTREQD.

This is why your password change may get messed up.

From other forums I can see that the initial password change in LDAP should work:

https://forums.sdn.sap.com/click.jspa?searchID=20081205&messageID=5363287

2. There is an option to activate self-help on the login screen for users who cannot log in and need their password reset and emailed to them. May be useful.

3. Open an OSS message with SAP. They should be able to help.

And from me personally: give Marc some points, the man is trying hard.

Regards,

Slava
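Added example (editor's code, not from the thread and not SAP's): the numbers being traded in this thread are bit flags of the AD attribute userAccountControl, while "User must change password at next logon" is a different attribute, pwdLastSet = 0. The script decodes 512 / 544 / 546 (Slava's point above and the 546/544 values Dmitriy reports later in the thread), treats pwdLastSet = 0 as the must-change flag, and maps the "data NNN" sub-code that Active Directory appends to a failed simple bind (LDAP result 49) to its meaning. AD answers a bind for a must-change account with data 773, so any application that authenticates users by binding as them sees a plain "authentication failed" unless it handles that code specifically; the thread's symptom is consistent with that, but the thread shows no trace. The flag values and sub-codes are Microsoft's documented constants; the sample JNDI exception text is constructed, and that the Portal 7.0 UME trace shows exactly this text is an assumption.

```python
# Added example (editor's code, not from the thread and not SAP's): decode the
# Active Directory account state this thread keeps circling around.
#   - userAccountControl is a bit field: 512 = NORMAL_ACCOUNT, 544 = 512 + 32
#     (PASSWD_NOTREQD), 546 = 544 + 2 (ACCOUNTDISABLE).
#   - "User must change password at next logon" is NOT a userAccountControl bit;
#     it is pwdLastSet = 0.
#   - A failed simple bind against AD (LDAP result 49) carries a "data NNN"
#     sub-code saying why; 773 is "user must reset password".
# Flag values and sub-codes are Microsoft's documented constants. The sample
# exception text below is constructed; that the UME trace shows this exact
# JNDI message is an assumption.

import re

# Subset of ADS_USER_FLAG_ENUM (userAccountControl bits)
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",
    0x000020: "PASSWD_NOTREQD",
    0x000040: "PASSWD_CANT_CHANGE",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

# Sub-codes AD appends to "AcceptSecurityContext error, data NNN" on a failed bind
BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password (pwdLastSet = 0)",
    "775": "account locked out",
}


def decode_uac(value):
    """Names of the userAccountControl flags set in an integer value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def must_change_password(pwd_last_set):
    """pwdLastSet is a FILETIME; AD uses 0 for 'must change password at next logon'."""
    return int(pwd_last_set) == 0


def explain_bind_error(message):
    """Map the 'data NNN' sub-code in an AD bind failure message to its meaning (None if absent)."""
    m = re.search(r"AcceptSecurityContext error, data ([0-9a-f]+)", message)
    if not m:
        return None
    return BIND_DATA_CODES.get(m.group(1), "unknown sub-code " + m.group(1))


def expected_bind_result(uac, pwd_last_set):
    """Sub-code AD reports for a bind with the correct password, given the account state.
    A disabled account is reported (533) before the must-change state (773)."""
    if "ACCOUNTDISABLE" in decode_uac(uac):
        return "533"
    if must_change_password(pwd_last_set):
        return "773"
    return "ok"


if __name__ == "__main__":
    for uac in (512, 544, 546):
        print(uac, decode_uac(uac))
    # Constructed sample of the exception a JNDI simple bind against AD raises for a must-change account
    sample = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
              "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1]")
    print(explain_bind_error(sample))
    # Dmitriy's case: account enabled (544) with pwdLastSet forced to 0
    print("expected bind sub-code:", expected_bind_result(544, 0))
```

To use it on a real system, paste the exception text from the UME security log or the J2EE default trace into explain_bind_error(); a 773 there means AD refused the bind before the Portal ever saw a password to check, and 533 means the account is still disabled whatever the userAccountControl value looks like in the HR export.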

Former Member
0 Kudos

Dmitriy,

A couple more troubleshooting questions:

1. You say that users can log in to AD immediately after creation. Are they prompted to change their password if they do this?

2. If a user changes their password in portal, does it change the AD password?

3. Can you please attach the UME Configuration zip file? Remember to remove any sensitive data before posting

4. What version of the portal are you running?

Thanks,

Marc

Hi Marc,

1. LDAP users can change passwords inside the portal via Personalization -> User profile

2. The password changes in AD too (SSL was configured and is still working fine)

3. UME configuration, General / Global:

Property / Value

com.sap.security.core.umap.key (Empty)

login.authschemes.definition.file authschemes.xml

login.serviceuser.lifetime 100

login.ticket_client 0

login.ticket_include_cert false

login.ticket_keyalias SAPLogonTicketKeypair

login.ticket_keystore TicketKeystore

login.ticket_lifetime 8

login.ticket_portalid auto

ume.acl.validate_cached_acls false

ume.admin.account_privacy true

ume.admin.addattrs (Empty)

ume.admin.allow_selfmanagement false

ume.admin.auto_password true

ume.admin.batch.export_directory (Empty)

ume.admin.create.redirect (Empty)

ume.admin.debug_internal false

ume.admin.display.redirect (Empty)

ume.admin.modify.redirect (Empty)

ume.admin.nocache false

ume.admin.orgunit.adapterid (Empty)

ume.admin.password.migration false

ume.admin.phone_check true

ume.admin.public.addattrs (Empty)

ume.admin.search_maxhits 1000

ume.admin.search_maxhits_warninglevel 200

ume.admin.self.addattrs (Empty)

ume.admin.self.addressactive false

ume.admin.self.generate_password false

ume.admin.self.privacystatement.link (Empty)

ume.admin.self.privacystatement.version 1

ume.admin.selfreg_company false

ume.admin.selfreg_guest true

ume.admin.selfreg_sus false

ume.admin.selfreg_sus.adapterid SUS

ume.admin.selfreg_sus.adminrole (Empty)

ume.admin.selfreg_sus.deletecall true

ume.admin.wd.components.umeadminapp {sap.com/tcsecumewdkit;com.sap.security.core.wd.maintainuser.MaintainUserComp},{sap.com/tcsecumewdkit;com.sap.security.core.wd.maintainrole.MaintainRoleComp},{sap.com/tcsecumewdkit;com.sap.security.core.wd.maintaingroup.MaintainGroupComp}

ume.admin.wd.locales (Empty)

ume.admin.wd.table.size.large 20

ume.admin.wd.table.size.medium 10

ume.admin.wd.table.size.small 5

ume.admin.wd.tenant.identifier.all - All -

ume.admin.wd.tenant.identifier.none - None -

ume.admin.wd.url.help http://help.sap.com/saphelp_nw04s/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm

ume.admin.wdactive true

ume.allow_nested_groups true

ume.cache.acl.default_caching_time 1800

ume.cache.acl.initial_cache_size 10000

ume.cache.acl.permissions.default_caching_time 3600

ume.cache.acl.permissions.initial_cache_size 100

ume.cache.default_cache distributableCache

ume.cache.group.default_caching_time 3600

ume.cache.group.initial_cache_size 500

ume.cache.notification_time 0

ume.cache.principal.default_caching_time 3600

ume.cache.principal.initial_cache_size 500

ume.cache.role.default_caching_time 3600

ume.cache.role.initial_cache_size 500

ume.cache.user.default_caching_time 3600

ume.cache.user.initial_cache_size 500

ume.cache.user_account.default_caching_time 3600

ume.cache.user_account.initial_cache_size 500

ume.company_groups.description_template Company

ume.company_groups.displayname_template ()

ume.company_groups.enabled false

ume.company_groups.guestusercompany_enabled true

ume.company_groups.guestusercompany_name Guest Users

ume.db.connection_pool.j2ee.is_unicode false

ume.db.connection_pool_type SAP/BC_UME

ume.db.or_search.max_arguments 50

ume.db.parent_search.max_arguments 300

ume.db.search.max_principal_arguments 1000

ume.db.use_default_transaction_isolation false

ume.ldap.access.action_retrial 2

ume.ldap.access.additional_password.1 (Empty)

ume.ldap.access.additional_password.2 (Empty)

ume.ldap.access.additional_password.3 (Empty)

ume.ldap.access.additional_password.4 (Empty)

ume.ldap.access.additional_password.5 (Empty)

ume.ldap.access.auxiliary_naming_attribute.grup (Empty)

ume.ldap.access.auxiliary_naming_attribute.uacc (Empty)

ume.ldap.access.auxiliary_naming_attribute.user (Empty)

ume.ldap.access.auxiliary_objectclass.grup (Empty)

ume.ldap.access.auxiliary_objectclass.uacc (Empty)

ume.ldap.access.auxiliary_objectclass.user (Empty)

ume.ldap.access.base_path.grup DC=xxxx,DC=xxxxxx,DC=ru

ume.ldap.access.base_path.uacc (Empty)

ume.ldap.access.base_path.user DC=xxxx,DC=xxxx,DC=ru

ume.ldap.access.context_factory com.sun.jndi.ldap.LdapCtxFactory

ume.ldap.access.creation_path.grup (Empty)

ume.ldap.access.creation_path.uacc (Empty)

ume.ldap.access.creation_path.user (Empty)

ume.ldap.access.dynamic_group_attribute (Empty)

ume.ldap.access.dynamic_groups false

ume.ldap.access.flat_group_hierachy true

ume.ldap.access.kerberos_data_url (Empty)

ume.ldap.access.msads.control_attribute userAccountControl

ume.ldap.access.msads.control_value 512

ume.ldap.access.msads.grouptype.attribute grouptype

ume.ldap.access.msads.grouptype.value 4

ume.ldap.access.multidomain.enabled false

ume.ldap.access.naming_attribute.grup (Empty)

ume.ldap.access.naming_attribute.uacc (Empty)

ume.ldap.access.naming_attribute.user (Empty)

ume.ldap.access.objectclass.grup (Empty)

ume.ldap.access.objectclass.uacc (Empty)

ume.ldap.access.objectclass.user (Empty)

ume.ldap.access.password (Secure)

ume.ldap.access.server_name xxxxx;xxxxx;xxxxx

ume.ldap.access.server_port 636,636,636

ume.ldap.access.server_type (Empty)

ume.ldap.access.size_limit 0

ume.ldap.access.ssl true

ume.ldap.access.ssl_socket_factory com.sap.security.core.server.https.SecureConnectionFactory

ume.ldap.access.time_limit 0

ume.ldap.access.user xxxxxxxxxx.ru

ume.ldap.access.user_as_account true

ume.ldap.blocked_accounts Administrator,Guest

ume.ldap.blocked_groups Administrators,Guests

ume.ldap.blocked_users Administrator,Guest

ume.ldap.cache_lifetime 300

ume.ldap.cache_size 100

ume.ldap.connection_pool.connect_timeout 25000

ume.ldap.connection_pool.max_connection_usage_time_check_interval 120000

ume.ldap.connection_pool.max_idle_connections 5

ume.ldap.connection_pool.max_idle_time 300000

ume.ldap.connection_pool.max_size 10

ume.ldap.connection_pool.max_wait_time 60000

ume.ldap.connection_pool.min_size 1

ume.ldap.connection_pool.monitor_level 0

ume.ldap.connection_pool.retrial 2

ume.ldap.connection_pool.retrial_interval 10000

ume.ldap.default_group_member cn=DUMMY_MEMBER_FOR_UME

ume.ldap.default_group_member.enabled false

ume.ldap.record_access false

ume.ldap.unique_grup_attribute (Empty)

ume.ldap.unique_uacc_attribute samaccountname

ume.ldap.unique_user_attribute samaccountname

ume.locking.enabled true

ume.locking.max_wait_time 30

ume.login.basicauthentication 1

ume.login.context ticket

ume.login.context.default ticket

ume.login.guest_user.uniqueids Guest

ume.login.mdc.hosts (Empty)

ume.logoff.redirect.silent false

ume.logoff.redirect.url (Empty)

ume.logon.allow_cert false

ume.logon.branding_image layout/branding-image.jpg

ume.logon.branding_style css/ur/ur_.css

ume.logon.branding_text layout/branding-text.gif

ume.logon.force_password_change_on_sso true

ume.logon.httponlycookie true

ume.logon.locale false

ume.logon.logon_help false

ume.logon.logon_help.name_required false

ume.logon.logon_help.securityquestion false

ume.logon.r3master.adapterid master

ume.logon.security.enforce_secure_cookie false

ume.logon.security.local_redirect_only true

ume.logon.security.relax_domain.level 1

ume.logon.security_policy.auto_unlock_time 60

ume.logon.security_policy.cert_logon_required false

ume.logon.security_policy.enforce_policy_at_logon false

ume.logon.security_policy.lock_after_invalid_attempts 99

ume.logon.security_policy.log_client_hostaddress true

ume.logon.security_policy.log_client_hostname false

ume.logon.security_policy.oldpass_in_newpass_allowed false

ume.logon.security_policy.password_alpha_numeric_required 1

ume.logon.security_policy.password_change_allowed true

ume.logon.security_policy.password_change_required TRUE

ume.logon.security_policy.password_expire_days 999

ume.logon.security_policy.password_history 0

ume.logon.security_policy.password_impermissible (Empty)

ume.logon.security_policy.password_last_change_date_default 12/31/9999

ume.logon.security_policy.password_max_idle_time 0

ume.logon.security_policy.password_max_length 14

ume.logon.security_policy.password_min_length 6

ume.logon.security_policy.password_mix_case_required 0

ume.logon.security_policy.password_special_char_required 0

ume.logon.security_policy.password_successful_check_date_default 12/31/9999

ume.logon.security_policy.userid_digits 0

ume.logon.security_policy.userid_in_password_allowed false

ume.logon.security_policy.userid_lowercase 0

ume.logon.security_policy.userid_special_char_required 0

ume.logon.security_policy.useridmaxlength 20

ume.logon.security_policy.useridminlength 1

ume.logon.selfreg false

ume.logonAuthenticationFactory com.sap.security.core.logon.imp.SAPJ2EEAuthenticator

ume.multi_tenancy.automatic_logonid_prefixing true

ume.multi_tenancy_support_enabled false

ume.notification.admin_email Adminxxxxx.ru

ume.notification.create_approval true

ume.notification.create_by_batch_performed true

ume.notification.create_denied true

ume.notification.create_performed true

ume.notification.create_request true

ume.notification.delete_performed true

ume.notification.email_asynch true

ume.notification.lock_performed true

ume.notification.mail_host lotusmail.xxxx.xxxx.ru

ume.notification.pswd_reset_performed true

ume.notification.pswd_reset_request true

ume.notification.selfreg_performed true

ume.notification.system_email Adminxxxxx.ru

ume.notification.unlock_performed true

ume.notification.update_by_batch_performed true

ume.notification.workflow_email (Empty)

ume.persistence.batch.page_size 25

ume.persistence.data_source_configuration dataSourceConfiguration_ads_readonly_password_db.xml

ume.persistence.pcd_roles_data_source_configuration dataSourceConfiguration_PCDRoles.xml

ume.persistence.ume_roles_data_source_configuration dataSourceConfiguration_UMERoles.xml

ume.principal.simple_search.attributes.account j_user

ume.principal.simple_search.attributes.action uniquename

ume.principal.simple_search.attributes.group uniquename

ume.principal.simple_search.attributes.role uniquename

ume.principal.simple_search.attributes.user uniquename,firstname,lastname

ume.r3.connection.001.TimeZoneMapping (Empty)

ume.r3.connection.001.ashost (Empty)

ume.r3.connection.001.client (Empty)

ume.r3.connection.001.group (Empty)

ume.r3.connection.001.gwhost (Empty)

ume.r3.connection.001.gwserv (Empty)

ume.r3.connection.001.lang (Empty)

ume.r3.connection.001.msghost (Empty)

ume.r3.connection.001.passwd (Empty)

ume.r3.connection.001.poolmaxsize 10

ume.r3.connection.001.poolmaxwait (Empty)

ume.r3.connection.001.r3name (Empty)

ume.r3.connection.001.receiverid 1

ume.r3.connection.001.receiverid_guest 1

ume.r3.connection.001.snc_lib (Empty)

ume.r3.connection.001.snc_mode (Empty)

ume.r3.connection.001.snc_myname (Empty)

ume.r3.connection.001.snc_partnername (Empty)

ume.r3.connection.001.snc_qop (Empty)

ume.r3.connection.001.sysnr (Empty)

ume.r3.connection.001.user (Empty)

ume.r3.connection.001.userole false

ume.r3.connection.002.TimeZoneMapping (Empty)

ume.r3.connection.002.ashost (Empty)

ume.r3.connection.002.client (Empty)

ume.r3.connection.002.group (Empty)

ume.r3.connection.002.gwhost (Empty)

ume.r3.connection.002.gwserv (Empty)

ume.r3.connection.002.lang (Empty)

ume.r3.connection.002.msghost (Empty)

ume.r3.connection.002.passwd (Empty)

ume.r3.connection.002.poolmaxsize 10

ume.r3.connection.002.poolmaxwait (Empty)

ume.r3.connection.002.r3name (Empty)

ume.r3.connection.002.receiverid 2

ume.r3.connection.002.receiverid_guest 2

ume.r3.connection.002.snc_lib (Empty)

ume.r3.connection.002.snc_mode (Empty)

ume.r3.connection.002.snc_myname (Empty)

ume.r3.connection.002.snc_partnername (Empty)

ume.r3.connection.002.snc_qop (Empty)

ume.r3.connection.002.sysnr (Empty)

ume.r3.connection.002.user (Empty)

ume.r3.connection.002.userole false

ume.r3.connection.003.TimeZoneMapping (Empty)

ume.r3.connection.003.ashost (Empty)

ume.r3.connection.003.client (Empty)

ume.r3.connection.003.group (Empty)

ume.r3.connection.003.gwhost (Empty)

ume.r3.connection.003.gwserv (Empty)

ume.r3.connection.003.lang (Empty)

ume.r3.connection.003.msghost (Empty)

ume.r3.connection.003.passwd (Empty)

ume.r3.connection.003.poolmaxsize 10

ume.r3.connection.003.poolmaxwait (Empty)

ume.r3.connection.003.r3name (Empty)

ume.r3.connection.003.receiverid 3

ume.r3.connection.003.receiverid_guest 3

ume.r3.connection.003.snc_lib (Empty)

ume.r3.connection.003.snc_mode (Empty)

ume.r3.connection.003.snc_myname (Empty)

ume.r3.connection.003.snc_partnername (Empty)

ume.r3.connection.003.snc_qop (Empty)

ume.r3.connection.003.sysnr (Empty)

ume.r3.connection.003.user (Empty)

ume.r3.connection.003.userole false

ume.r3.connection.master.TimeZoneMapping (Empty)

ume.r3.connection.master.abap_debug (Empty)

ume.r3.connection.master.ashost (Empty)

ume.r3.connection.master.client (Empty)

ume.r3.connection.master.group (Empty)

ume.r3.connection.master.gwhost (Empty)

ume.r3.connection.master.gwserv (Empty)

ume.r3.connection.master.lang EN

ume.r3.connection.master.msghost (Empty)

ume.r3.connection.master.msserv (Empty)

ume.r3.connection.master.passwd (Empty)

ume.r3.connection.master.poolmaxsize 10

ume.r3.connection.master.poolmaxwait (Empty)

ume.r3.connection.master.r3name (Empty)

ume.r3.connection.master.receiverid master

ume.r3.connection.master.receiverid_guest master

ume.r3.connection.master.snc_lib (Empty)

ume.r3.connection.master.snc_mode (Empty)

ume.r3.connection.master.snc_myname (Empty)

ume.r3.connection.master.snc_partnername (Empty)

ume.r3.connection.master.snc_qop (Empty)

ume.r3.connection.master.sysnr (Empty)

ume.r3.connection.master.trace (Empty)

ume.r3.connection.master.user (Empty)

ume.r3.connection.tpd.adapterid value of ume.r3.connection.tpd.systemid

ume.r3.connection.tpd.systemid SUS

ume.r3.mastersystem MBDCLNT200

ume.r3.mastersystem.uid.mode 1

ume.r3.orgunit.adapterid (Empty)

ume.r3.sync.sender SAPMUM

ume.r3.use.role false

ume.replication.adapters.001.companies (Empty)

ume.replication.adapters.001.scope (Empty)

ume.replication.adapters.002.companies (Empty)

ume.replication.adapters.002.scope (Empty)

ume.replication.adapters.003.companies (Empty)

ume.replication.adapters.003.scope (Empty)

ume.replication.adapters.index_1 (Empty)

ume.replication.adapters.index_2 (Empty)

ume.replication.adapters.index_3 (Empty)

ume.replication.adapters.master.companies (Empty)

ume.replication.adapters.master.scope (Empty)

ume.replication.crm_sup_register_check BBP_SUS_BUPA_REGID_CHECK

ume.replication.messaging.active false

ume.replication.sync.display_all_doc false

ume.roles.pcd_roles_with_actions (Empty)

ume.roles.xml_files *role.xml

ume.secaudit.get_object_name false

ume.secaudit.log_actor true

ume.spml.schema_name schema.xml

ume.superadmin.activated FALSE

ume.superadmin.password (Empty)

ume.supergroups.anonymous_group.description Built-in Group Anonymous Users

ume.supergroups.anonymous_group.displayname Anonymous Users

ume.supergroups.anonymous_group.uniquename Anonymous Users

ume.supergroups.authenticated_group.description Built-in Group Authenticated Users

ume.supergroups.authenticated_group.displayname Authenticated Users

ume.supergroups.authenticated_group.uniquename Authenticated Users

ume.supergroups.everyone.description Built-in Group Everyone

ume.supergroups.everyone.displayname Everyone

ume.supergroups.everyone.uniquename Everyone

ume.testum false

ume.tpd.classloader (Empty)

ume.tpd.companies 0

ume.tpd.imp.class com.sap.security.core.tpd.SimpleTPD

ume.tpd.prefix STPD_

ume.trace.external_trace_class com.sap.security.core.util.imp.UMTrace_630

ume.usermapping.admin.pwdprotection true

ume.usermapping.key.protection TRUE

ume.usermapping.refsys.mapping.type internal

ume.usermapping.unsecure false

ume.users.displayname_template ,

ume.users.email_pattern ?@?.?*

ume.virtual_groups.description_template Virtual group

ume.virtual_groups.displayname_template

ume.virtual_groups.group_names_separator ;

ume.virtual_groups.name_prefix (Empty)

ume.virtual_groups.names (Empty)

ume.virtual_groups.trim_group_names true

ume.virtual_groups.user_attribute (Empty)

ume.virtual_groups.user_attribute.multivalue true

ume.virtual_groups.user_attribute.namespace (Empty)

4. We use Portal 7.0 SPS16

Regards

Dmitriy

Former Member
0 Kudos


Hi Slavik,

1) I already tried setting the value 512 for the LDAP attribute useraccountcontrol. (This attribute is the property "User must change password at next logon", and if it has this value I get the situation during the logon process that authentication fails.)

The link is rather useful, thanks a lot.

2) Where can I find this option?

3) I already opened 2 messages. The result is not so good.

Regards

Dmitriy

Former Member
0 Kudos

Hi Dmitry,

I am having the same issue of an LDAP account in locked status, even after the admin has reset the password from the Portal.

How did you manage to unlock LDAP accounts? Do you unlock them from the Portal, ABAP or LDAP?

Kumar

Answers (4)

former_member305573
Participant
0 Kudos

Hi Dmitriy,

I am facing the same issue.

If you have been able to resolve the issue, then please help me with your document or suggestion.

Referring to the above discussion, I have done all the changes accordingly, but still I am not able to get the change password prompt.

Please help with your valuable suggestion; it's urgent for me.

Your help will always be appreciated.

Thanks in advance,

Prashant Krishen.

Former Member
0 Kudos

Have you tried altering the date in the property ume.logon.security_policy.password_last_change_date_default from 12/31/9999 to 12/31/1999?

Edited by: Laura Duffy on Mar 23, 2009 7:18 PM

0 Kudos

Dmitriy,

Two further questions:

1. You say that users can log in to AD immediately after creation. Are they prompted to change their password if they do this?

2. When a user logs onto the portal for the first time, are they able to get into the portal without being forced to change their password?

Thanks,

Marc

Former Member
0 Kudos

Hi Marc,

1. An LDAP user can log on to the Portal after creation if the property "User must change password at next logon" is switched off. Inside the Portal the user has the ability to change the password, but we want the user to be forced to change the password. Unfortunately this option doesn't work yet.

2. If the property "User must change password at next logon" is switched off, the user is able to get into the portal without being forced to change their password. If the property "User must change password at next logon" is switched on, the user is unable to log on to the portal.

Regards

Dmitriy


0 Kudos

Dmitriy,

When an account is created in Active Directory, it is normally disabled by default. The parameter msDS-UserAccountDisabled may initially be set to TRUE. This needs to be set to false to be used as a login.

If this parameter is false, please paste the datasource.xml you are using and I'll take a look.

Cheers,

Marc

Former Member
0 Kudos

Hi Marc,

I create users in Active Directory from employee data stored in SAP HR. By default these new accounts are disabled. I map some data from HR to the corresponding AD attributes; as a result I have an enabled LDAP account with full information mapped from HR (if the attribute userAccountControl has the value 546 the account is disabled; if it has the value 544 the account is enabled). Besides that, I assign the LDAP attribute pwdLastSet (the property "User must change password at next logon") the value 0, but when the user tries to log on to the portal the problem appears: "Authentication failed", so the user can't log in to the portal. I think the portal doesn't receive this attribute and its value. I tried to edit the xml file, but unsuccessfully.

Have a look at the xml file; I hope you can help me.

Thanks in advance

Dmitriy

<?xml version="1.0" encoding="UTF-8" ?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_writeable_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<dataSources>
  <dataSource id="PRIVATE_DATASOURCE" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
    <homeFor>
      <principals>
        <principal type="account">
          <nameSpace name="$serviceUser$">
            <attribute name="SERVICEUSER_ATTRIBUTE">
              <values>
                <value>IS_SERVICEUSER</value>
              </values>
            </attribute>
          </nameSpace>
        </principal>
        <principal type="user">
          <nameSpace name="$serviceUser$">
            <attribute name="SERVICEUSER_ATTRIBUTE">
              <values>
                <value>IS_SERVICEUSER</value>
              </values>
            </attribute>
          </nameSpace>
        </principal>
        <principal type="team" />
        <principal type="ROOT" />
        <principal type="OOOO" />
      </principals>
    </homeFor>
    <notHomeFor />
    <responsibleFor>
      <principals>
        <principal type="group" />
        <principal type="user" />
        <principal type="account" />
        <principal type="team" />
        <principal type="ROOT" />
        <principal type="OOOO" />
      </principals>
    </responsibleFor>
    <notResponsibleFor />
    <attributeMapping />
    <privateSection />
  </dataSource>
  <dataSource id="CORP_LDAP" className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence" isReadonly="false" isPrimary="true">
    <homeFor>
      <principal type="account" />
      <principal type="user" />
      <principal type="group" />
    </homeFor>
    <notHomeFor>
      <principal type="user">
        <nameSpace name="$serviceUser$">
          <attribute name="SERVICEUSER_ATTRIBUTE">
            <values>
              <value>IS_SERVICEUSER</value>
            </values>
          </attribute>
        </nameSpace>
      </principal>
      <principal type="account">
        <nameSpace name="$serviceUser$">
          <attribute name="SERVICEUSER_ATTRIBUTE">
            <values>
              <value>IS_SERVICEUSER</value>
            </values>
          </attribute>
        </nameSpace>
      </principal>
    </notHomeFor>
    <responsibleFor>
      <principal type="account">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="j_user" />
          <attribute name="logonalias" />
          <attribute name="j_password" />
          <attribute name="userid" />
        </nameSpace>
        <nameSpace name="com.sap.security.core.authentication">
          <attribute name="principal" />
          <attribute name="realm" />
          <attribute name="domain" />
        </nameSpace>
      </principal>
      <principal type="user">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="firstname" populateInitially="true" />
          <attribute name="displayname" populateInitially="true" />
          <attribute name="lastname" populateInitially="true" />
          <attribute name="fax" />
          <attribute name="email" />
          <attribute name="title" />
          <attribute name="department" />
          <attribute name="description" />
          <attribute name="mobile" />
          <attribute name="telephone" />
          <attribute name="streetaddress" />
          <attribute name="uniquename" populateInitially="true" />
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE" />
        </nameSpace>
        <nameSpace name="$usermapping$">
          <attribute name="REFERENCE_SYSTEM_USER" />
        </nameSpace>
      </principal>
      <principal type="group">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="displayname" populateInitially="true" />
          <attribute name="description" populateInitially="true" />
          <attribute name="uniquename" />
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE" />
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE" />
        </nameSpace>
        <nameSpace name="com.sap.security.core.bridge">
          <attribute name="dn" />
        </nameSpace>
      </principal>
    </responsibleFor>
    <attributeMapping>
      <principal type="account">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="j_user">
            <physicalAttribute name="samaccountname" />
          </attribute>
          <attribute name="logonalias">
            <physicalAttribute name="samaccountname" />
          </attribute>
          <attribute name="j_password">
            <physicalAttribute name="unicodepwd" />
          </attribute>
          <attribute name="userid">
            <physicalAttribute name="null" />
          </attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.authentication">
          <attribute name="principal">
            <physicalAttribute name="samaccountname" />
          </attribute>
          <attribute name="realm">
            <physicalAttribute name="null" />
          </attribute>
          <attribute name="domain">
            <physicalAttribute name="null" />
          </attribute>
        </nameSpace>
      </principal>
      <principal type="user">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="firstname">
            <physicalAttribute name="givenname" />
          </attribute>
          <attribute name="displayname">
            <physicalAttribute name="displayname" />
          </attribute>
          <attribute name="lastname">
            <physicalAttribute name="sn" />
          </attribute>
          <attribute name="fax">
            <physicalAttribute name="facsimiletelephonenumber" />
          </attribute>
          <attribute name="uniquename">
            <physicalAttribute name="samaccountname" />
          </attribute>
          <attribute name="loginid">
            <physicalAttribute name="null" />
          </attribute>
          <attribute name="email">
            <physicalAttribute name="mail" />
          </attribute>
          <attribute name="mobile">
            <physicalAttribute name="mobile" />
          </attribute>
          <attribute name="telephone">
            <physicalAttribute name="telephonenumber" />
          </attribute>
          <attribute name="department">
            <physicalAttribute name="ou" />
          </attribute>
          <attribute name="description">
            <physicalAttribute name="description" />
          </attribute>
          <attribute name="streetaddress">
            <physicalAttribute name="postaladdress" />
          </attribute>
          <attribute name="pobox">
            <physicalAttribute name="postofficebox" />
          </attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
            <physicalAttribute name="memberof" />
          </attribute>
        </nameSpace>
        <nameSpace name="$usermapping$">
          <attribute name="REFERENCE_SYSTEM_USER">
            <physicalAttribute name="sapusername" />
          </attribute>
        </nameSpace>
      </principal>
      <principal type="group">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="displayname">
            <physicalAttribute name="displayname" />
          </attribute>
          <attribute name="description">
            <physicalAttribute name="description" />
          </attribute>
          <attribute name="uniquename" populateInitially="true">
            <physicalAttribute name="cn" />
          </attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
            <physicalAttribute name="member" />
          </attribute>
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
            <physicalAttribute name="memberof" />
          </attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.bridge">
          <attribute name="dn">
            <physicalAttribute name="null" />
          </attribute>
        </nameSpace>
      </principal>
    </attributeMapping>
    <privateSection>
      <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
      <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
      <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
      <ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
      <ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
      <ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
      <ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
      <ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
      <ume.ldap.access.set_pwd>true</ume.ldap.access.set_pwd>
      <ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
      <ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
      <ume.ldap.access.objectclass.grup>Group</ume.ldap.access.objectclass.grup>
      <ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
      <ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
      <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
      <ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
      <ume.ldap.access.naming_attribute.grup>cn</ume.ldap.access.naming_attribute.grup>
      <ume.ldap.access.auxiliary_naming_attribute.grup>samaccountname</ume.ldap.access.auxiliary_naming_attribute.grup>
    </privateSection>
  </dataSource>
</dataSources>

0 Kudos

Dmitry,

From the xml file you have posted, it appears that you should add the following two lines to the <privateSection>:

<ume.ldap.access.msads.control_attribute>msds-useraccountdisabled</ume.ldap.access.msads.control_attribute>
<ume.ldap.access.msads.control_value>FALSE</ume.ldap.access.msads.control_value>

Some additional troubleshooting questions:

1. Are the users able to log into the AD immediately after creation?

2. Are the users able to change their passwords from the portal?

3. Are you using SSL connections between the systems?

Thanks,

Marc
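Added example (editor's code, not SAP's and not from the thread): an audit script for a UME dataSourceConfiguration file of the shape Dmitriy posted above. It finds the LDAPPersistence data source, reports which physical AD attribute j_password is written to, which <privateSection> switches are set (set_pwd, pwd.via.usercontext) and whether the two ume.ldap.access.msads.control_* entries Marc suggests are present, and can add them so the before and after can be compared. SAMPLE_XML is a constructed, cut-down copy of the posted file, not the real one. Three things a practitioner would check at this point: AD accepts writes to unicodePwd only over an encrypted connection, which is why the LDAPS setup on port 636 in the posted property list matters for setting and changing passwords; the posted property list names dataSourceConfiguration_ads_readonly_password_db.xml as the active data source configuration while the posted file's header identifies it as dataSourceConfiguration_ads_writeable_db.xml, so it is worth confirming which file the server actually loads; and, to my knowledge, msDS-UserAccountDisabled is an AD LDS (ADAM) schema attribute, whereas in AD DS the disabled state is bit 0x2 of userAccountControl, which is the attribute the posted property list's ume.ldap.access.msads.control_attribute / control_value (userAccountControl / 512) already name.

```python
# Added example (editor's code, not SAP's and not from the thread): audit a UME
# dataSourceConfiguration XML of the shape posted above. It finds the
# LDAPPersistence data source, reports which physical AD attribute j_password
# maps to, which <privateSection> switches are set, and whether the two
# ume.ldap.access.msads.control_* entries suggested in the reply are present,
# and can add them so a before/after comparison is possible.
# SAMPLE_XML is a constructed, cut-down copy of the posted file, not the real one.

import xml.etree.ElementTree as ET

LDAP_CLASS = "com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
UME_NS = "com.sap.security.core.usermanagement"
MSADS_CONTROL_ATTR = "ume.ldap.access.msads.control_attribute"
MSADS_CONTROL_VALUE = "ume.ldap.access.msads.control_value"

# Constructed sample: same structure as the posted CORP_LDAP data source, most mappings dropped
SAMPLE_XML = """<dataSources>
  <dataSource id="CORP_LDAP" className="%s" isReadonly="false" isPrimary="true">
    <attributeMapping>
      <principal type="account">
        <nameSpace name="%s">
          <attribute name="j_user"><physicalAttribute name="samaccountname" /></attribute>
          <attribute name="j_password"><physicalAttribute name="unicodepwd" /></attribute>
        </nameSpace>
      </principal>
    </attributeMapping>
    <privateSection>
      <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
      <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
      <ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
      <ume.ldap.access.set_pwd>true</ume.ldap.access.set_pwd>
    </privateSection>
  </dataSource>
</dataSources>
""" % (LDAP_CLASS, UME_NS)


def ldap_datasource(root):
    """First <dataSource> whose className is the LDAP persistence adapter, or None."""
    for ds in root.iter("dataSource"):
        if ds.get("className") == LDAP_CLASS:
            return ds
    return None


def account_mapping(ds):
    """Logical account attribute -> physical LDAP attribute, from the UME namespace mapping."""
    mapping = {}
    for principal in ds.iter("principal"):
        if principal.get("type") != "account":
            continue
        for ns in principal.findall("nameSpace"):
            if ns.get("name") != UME_NS:
                continue
            for attr in ns.findall("attribute"):
                phys = attr.find("physicalAttribute")
                if phys is not None:  # <responsibleFor> lists attributes without one
                    mapping[attr.get("name")] = phys.get("name")
    return mapping


def private_section(ds):
    """<privateSection> entries as tag -> text."""
    sec = ds.find("privateSection")
    if sec is None:
        return {}
    return {child.tag: (child.text or "").strip() for child in sec}


def audit(xml_text):
    """Summarise the LDAP data source's password-relevant configuration."""
    ds = ldap_datasource(ET.fromstring(xml_text))
    if ds is None:
        raise ValueError("no LDAPPersistence dataSource found")
    priv = private_section(ds)
    return {
        "id": ds.get("id"),
        "readonly": ds.get("isReadonly") == "true",
        "password_attribute": account_mapping(ds).get("j_password"),
        "set_pwd": priv.get("ume.ldap.access.set_pwd") == "true",
        "pwd_via_usercontext": priv.get("ume.ldap.access.pwd.via.usercontext") == "true",
        "msads_control": (priv.get(MSADS_CONTROL_ATTR), priv.get(MSADS_CONTROL_VALUE)),
    }


def add_private_setting(xml_text, name, value):
    """Return the XML with <name>value</name> set (added or replaced) in the LDAP <privateSection>."""
    root = ET.fromstring(xml_text)
    ds = ldap_datasource(root)
    if ds is None:
        raise ValueError("no LDAPPersistence dataSource found")
    sec = ds.find("privateSection")
    if sec is None:
        sec = ET.SubElement(ds, "privateSection")
    el = next((child for child in sec if child.tag == name), None)
    if el is None:
        el = ET.SubElement(sec, name)
    el.text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit(SAMPLE_XML))
    patched = add_private_setting(SAMPLE_XML, MSADS_CONTROL_ATTR, "msds-useraccountdisabled")
    patched = add_private_setting(patched, MSADS_CONTROL_VALUE, "FALSE")
    print("after: ", audit(patched))
```

Point audit() at the real file (open it and pass the text) to see the same summary for the configuration the server is actually running; an unexpected "readonly": True or a password_attribute of None would explain a password change that silently never reaches AD.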

Former Member
0 Kudos

Hi Marc,

I added these 2 lines to the end of the private section, but unfortunately the result is the same: the user cannot change the password.

Answers to your questions:

1. Users are able to log into AD immediately after creation

2. Users are able to change their passwords from the portal (when the AD property "User must change password at next logon" is switched off, the user can change the password via Personalize)

3. I use an SSL connection between the systems

Regards

Dmitriy