06-02-2009 3:38 PM
Greetings
I have the users on the R3 systems who should change their password each period of time. Also I handle the user data base on the J2EE system using the SAP UME. This is for the webdynpro apps.
I would like to make that each time that an user change his password on R3 the J2EE system, or the webdynpro apps, for the user to change his password on the UME.
Ive been thinking on some developments to try to know when the user changed his password on R3 and use a webdynpro app to force the user to change his password on the UME.
I hope you can help me with some configuration solution or point me on the solution of the problem.
Thanks in advance
Jean Carlo
06-03-2009 12:22 PM
this would be a major development. still, i advise against it. i'd go for a SSO (even a poor mans SSO could do for a little while) or at least providing the passwords for the whole landscape using a corporate LDAP.
06-03-2009 12:22 PM
this would be a major development. still, i advise against it. i'd go for a SSO (even a poor mans SSO could do for a little while) or at least providing the passwords for the whole landscape using a corporate LDAP.
06-03-2009 12:28 PM
Why don't you just point your UME to the ABAP system as user store?
Is this impacted by single stack systems?
Cheers,
Julius
06-03-2009 12:42 PM
I agree with Julius - using ABAP as user store is an obvious solution. If you cannot do this for some reason, then you could consider using external authentication for both Java and ABAP stacks. In my experience, many companies decide to make both stacks use Active Directory as an authentication server. Then, passwords changed in Active Directory are effective when users logon to both environments and no need to do any custom development or sync passwords. There are many posts on this forum related to SSO and how to setup SSO with ABAP and JAVA environments.
Thanks,
Tim
06-03-2009 5:28 PM
thanks for the advice, but I have to deal with UME and ABAP for certains applications.
Now Im triying to at least change some UME parameters from the R3 system, on an user exit maybe
do you think this is possible?
06-04-2009 11:07 AM
I did some developments
A bapi on on the ABAP side check the password change date and on the J2EE side a function checks the password information on the UME side and then force the user to change his password if its needed
Your advice its very good, but for this one I cant change the way in wich user database were set up
Thanks
06-04-2009 11:24 AM
Out of curiosity, as you have 2 seperate user databases and the ABAP one is taking the lead here.
What happens if the user does not exist on the ABAP side?
What happens if the user voluntarily changes their password on the Java side the day before the ABAP system forces a new password?
Just some thoughts
Cheers,
Julius
06-04-2009 12:26 PM
If the user does not exist the Bapi will fail and no check would be made.
Im not checking the time the UME password has, the ABAP side is the one to be followed about the password time rule, so I will just compare time date of both to make a choice.
The idea was kind of take the User Exit of the password change on ABAP and mark the corresponding UME user as "password change needed".
06-04-2009 12:38 PM
If they anyway need to remember 2 passwords and have the possibility of them being different and can also be changed voluntarily each day, then this requirement seems rather strange to me.
What does it aim to achieve? It is not synchronizing the passwords in any way.
Cheers,
Julius
ps: Sorry for being nosey
06-04-2009 2:00 PM
The requirement its that if the ABAP password expires then the UME password should expire too.
If I could manage to keep those password synchronized then I would solve the problem and make the password management better. I couldnt accomplish this so now I just want to make the user change his UME password each time he change the ABAP one
I know there are other solutions but I have some requirements stablished and cant change it, only work around it a bit
06-05-2009 9:07 AM
As already advised previously (by Julius): configure UME to use the ABAP system as data source.
That's the only reliable way to achieve the intended behavior.
07-12-2009 8:28 PM
Hi all,
I came to this topic maybe 10th time in my 6-years professional life with SAP. And I still cannot get any reason why SAP R/3 is so unique and different that it cannot authenticate users in LDAP natively, like any other JEE or .net or Lotus or whatever else. LDAP is a must and most of organizations will never connect SAP NW systems to ABAP userstore. Hopefully someone from SAP watches...
Regards
Pavol