Conflict if we have 2 users with the same logon ID when configuring multiple LDAPs

Former Member
0 Kudos

Friends,

We are planning to implement multiple LDAPs in our portal system, but according to this link:

http://help.sap.com/saphelp_nw70/helpdata/en/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm

- Users' logon IDs must be unique across all directory services.

Could you tell us which problems occur if two users exist with the same logon ID?

Thanks in advance.

Accepted Solutions (1)

ankur_garg5
Active Contributor
0 Kudos

Hi,

As far as my experience goes, I have seen only one problem which occurs in the scenario you have mentioned. Quite simply, both the users with the same login ID would not be able to log in to the Portal.

Bye

Ankur

Former Member
0 Kudos

Ankur is 100% correct.

If there are two users with the same user id in the whole set of user stores connected to UME, that is, multiple LDAPs and the local UME DB, the user will see an "Authentication failed" error with no explanation.

It does make sense, because EP does not know which user it is.

A way to resolve it would be to make sure only one user id is active in all the user stores at a time and filter out inactive accounts in the datasource config file, using a negative filter, as in the example below (inactive accounts and computer accounts are excluded):


<ume.ldap.negative_user_filter>
  useraccountcontrol=[514,530,546,66050];objectclass=[computer]
</ume.ldap.negative_user_filter>

What EP cannot see does not confuse it.

Regards,

Slava

Former Member
0 Kudos

Hello Slava,

Nice tip, but in your example:

useraccountcontrol=[514,530,546,66050];objectclass=[computer]

Are the numbers user IDs? And must this line be in the .xml file in the private section?

Thanks in advance!

Kind regards,

Former Member
0 Kudos

1.

useraccountcontrol is not the same as user id.

It is a binary mask of attributes, one of which, ACCOUNTDISABLE (value 2), indicates that the account is disabled:

http://support.microsoft.com/kb/305144

Since the SAP negative filter does not support regexp, we have to use a set of combinations of ACCOUNTDISABLE (2) with other values, like NORMAL_ACCOUNT (512), which makes it 514, etc. You will get the idea from the MS KB.

2.

Correct. It should be in

<privateSection>

</privateSection>

Link:

http://help.sap.com/saphelp_nw04s/helpdata/EN/9a/f43541b9cc4c0de10000000a1550b0/content.htm

Regards,

Slava
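An added example, not part of the thread and not SAP code: it decodes the four userAccountControl values from the filter above into their flag names and lists disabled accounts whose value is not in the enumerated list. The flag values are the ones Microsoft documents; the function names and the sample accounts are constructed for illustration, and the filter is assumed to match the listed values exactly, as described above.

```python
import re

# userAccountControl bit flags (subset) as documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filter_values(filter_text):
    """Extract the enumerated useraccountcontrol values from a filter string
    written in the form shown in the thread (assumed syntax: name=[v1,v2,...])."""
    m = re.search(r"useraccountcontrol=\[([\d,\s]+)\]", filter_text, re.I)
    return {int(v) for v in m.group(1).split(",")} if m else set()


def disabled_but_not_filtered(accounts, filter_text):
    """Logon IDs of disabled accounts whose exact value is missing from the
    list, i.e. accounts an exact-match negative filter would not exclude."""
    listed = filter_values(filter_text)
    return sorted(uid for uid, uac in accounts.items()
                  if uac & ACCOUNTDISABLE and uac not in listed)


# Filter value quoted in the thread.
THREAD_FILTER = "useraccountcontrol=[514,530,546,66050];objectclass=[computer]"

# Constructed sample directory export: logon ID -> userAccountControl.
SAMPLE_ACCOUNTS = {"alice": 512, "bob": 514, "carol": 66082, "dave": 262658}

if __name__ == "__main__":
    for v in sorted(filter_values(THREAD_FILTER)):
        print(v, decode_uac(v))
    print("still visible:", disabled_but_not_filtered(SAMPLE_ACCOUNTS, THREAD_FILTER))
```

Running the check against a real export of logon IDs and userAccountControl values shows which extra combinations need to be added to the list before duplicate logon IDs are fully hidden from UME.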

Former Member
0 Kudos

Hi,

I posted a message a month back regarding an almost similar requirement. Can you please guide me on how to proceed in my case?

We have a case where we need to connect to multiple LDAP servers and configure SPNego for Kerberos authentication of the portal. We have a problem with user names: some user names are the same in both LDAPs. The LDAPs and the portal are positioned as follows (landscape convention):

LDAP1: xxxx.yyyy

LDAP2: ssss.yyyy

Portal : pppp.gggg.yyyy

whereas gggg.yyyy is a trusted domain for both xxxx.yyyy and ssss.yyyy.

We have a login problem in the same-user case (the same user exists in xxxx.yyyy and ssss.yyyy). I haven't gone into details yet, like logs and all the troubleshooting stuff. Before doing all this, I just want to know your views on whether I can do this or not. If I can achieve this, any suggestions on how to proceed further?

Adding to this, the LDAP guys gave me a user attribute, flags, which they are using to define duplicate users on the other LDAP.

I tried to define this in the datasource XML in the private section like

<com.sap.ldap.user.negative_filter>flags=1</com.sap.ldap.negative_filter>

But when I search for the user I am able to see the user from both LDAPs, which means the filter is not effective.

For this, do I need to do a mapping of the attribute, as this is a custom attribute?

Or am I doing anything wrong? Or, as you mentioned, do I need to find another way to do this, like user control values? Extending this requirement, even though I will be able to filter the users, the same filter will be valid for SPNEGO also.

Answers (1)

0 Kudos

hi,

Please check: http://help.sap.com/saphelp_nw70/helpdata/EN/48/d1d13f7fb44c21e10000000a1550b0/frameset.htm under the section Constraints....

probably it helps.

regards

Mahesh