
UME with LDAP (Active Directory)

Former Member
0 Kudos

Hello

Currently we have the data source set as ABAP system in the UME config at System Administration --> System Configuration --> UME Configuration. Even if I select to modify the config, there is no other choice but ABAP.

We would like to use our LDAP (Microsoft Active Directory) as our source. We did not have AD installed at the time of our go-live. Is there a way to change our current config to use our LDAP (Active Directory) as a way to authenticate for the portal?

I have reviewed SAP note 718383 and see this is not supported. Has anyone else had this issue and how did you resolve it to have continued support from SAP?

On the ABAP side, we know we use transaction LDAP for ABAP but any help would be appreciated.

Thanks!

robert

10 REPLIES

Former Member
0 Kudos

Which releases are you on?

There is a workaround by syncing a CUA with the AD and then pointing the UME to the CUA, which is an ABAP system. But that was back in 46C.

I am sure that there must be a solution for this to switch to the IDM user and role management, which is not an ABAP system, so perhaps you want to look into that, and the procedure.

Cheers,

Julius

Former Member
0 Kudos

Hi Julius

Thanks so much for your reply.

Here are the releases: NW 7.0 EhP1 SP03 and ERP 6.0 Stack 15 EhP4 SP03.

When you say the IDM user and role management, you are referring to the SAP IDm product, correct?

koehntopp
Product and Topic Expert
0 Kudos

Robert,

if you started with a dual stack install, it seems you're out of luck. From a different forum post:

http://help.sap.com/saphelp_nw04s/helpdata/en/f5/8fdc3fca21eb06e10000000a1550b0/content.htm

During Installation

During installation of the SAP NetWeaver Application Server (AS), you can choose among the following data sources for the UME:

1. Database of the AS Java

This data source is selected if you choose the usage type AS-Java without the usage type AS-ABAP during installation.

2. User management of the AS ABAP

This data source is selected if you choose the usage type AS-ABAP in addition to AS-Java during installation.

After Installation

After installation, you can change the data source of the UME. The following data source changes are supported:

1. From the AS Java database to user management of an AS ABAP

2. From the AS Java database to a directory service

Once you have selected a data source other than the AS Java database, you cannot change the data source of the UME. Under certain circumstances you can make modifications to the data source as follows:

1. For a directory service as data source, you can change the directory service structure or change to another directory service.

2. For an AS ABAP data source, you can change which data source configuration file is used or change the AS ABAP used as the data source.

If you installed AS Java standalone, you should be able to switch to a different user source in Configtool. LDAP is one of the options.

But the best time to do that is during installation....

Frank.

0 Kudos

> But the best time to do that is during installation....

For a very useful presentation on your current and future options see "Dual stack vs. Single stacks" (http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/d074d7de-8d55-2b10-1e94-fb2e9d2893d1&overridelayout=true)

To my knowledge this document is authoritative, so it is not "just another blog"...

Cheers,

Julius

tim_alsop
Active Contributor
0 Kudos

Robert,

If you are wanting to change UME data source to Active Directory so that you can authenticate users using Active Directory accounts and passwords, you can do this using Kerberos instead of using LDAP authentication. Then, you don't need to change data source and can continue to use ABAP as UME data source.

Thanks,

Tim

Former Member
0 Kudos

Thank you for the presentation and answers Julius.

Tim, I see the answer you presented about Kerberos. So you are saying the UME (portal) will still authenticate against the ABAP stack and then the ABAP stack will authenticate to AD using Kerberos, correct? Through SNC, correct? It ups the ante, I believe, if we are using a UNIX server, as I don't believe a certified SNC Library is available for UNIX. I researched more after your post and this seems to be the case according to notes. Can you elaborate any more?

0 Kudos

Specifically for SNC support of authentication on UNIX systems there are certified 3rd party vendor products.

One of them is Tim's, but you can also find others in the EcoHub (see the tabs at the top of the page to find the partner EcoHub).

Cheers,

Julius

0 Kudos

Robert,

No, you don't need to use SNC and you don't need to use ABAP stack for authenticating users with Active Directory userid and password when they log on to portal (e.g. Java stack). The method used involves a login module installed in Java stack, which implements the Kerberos protocol and either uses Integrated Windows Authentication to authenticate the user, or shows a signon screen and allows the user to enter a userid and password which is then checked with AD using Kerberos protocol (not LDAP authentication). The Kerberos protocol will be used between Java stack (e.g. login module) and the domain controllers and ABAP stack is not used. Once the user has authenticated, an SSO2 ticket will be created for them, and this will involve UME so the user authenticated in AD must exist in UME. The important point to note though is that the user's password in ABAP/UME is not used.

Thanks,

Tim

Former Member
0 Kudos

Julius

Thanks again for your answers! Awesome!

0 Kudos

Yes, Tim is correct. On the Java side the login module stack is configurable. This is not the case on the ABAP side - so you have to use SNC for the ABAP system - at least at the moment.

Cheers,

Julius