LDAP authentication question

Former Member
0 Kudos

Hi Experts,

As I'm all new to LDAP, I would like a clarification. According to the config manual p. 121, "The approver is always authenticated and authorized using SAP NetWeaver User Management Engine (UME)."

Q: Does that mean that an approver will be authenticated against UME even if LDAP is chosen as authentication source?

Q2: Is there any solution to use Active Directory as authentication source for approvers?

Q3: If an approver uses the PSS, is he authenticated against UME or LDAP?

Thank you

Kind Regards,

Vit Vesely

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

follow up

Former Member
0 Kudos

Hi Vit,

Approvers are always authenticated with the SAP NetWeaver UME. The purpose of defining the authentication system in Configuration -> Authentication system is for end user form users who create requests from the end user form. Suppose you define the authentication system as LDAP in Configuration -> Authentication system. Then those users that exist in LDAP will be able to submit requests from the end user form screen. It is not linked to approver login. For an approver to log in, the approver should exist in UME with the AE Approver UME role.

One solution is to use LDAP as the data source for UME.

Then UME will have all the approvers that exist in LDAP. Then for the corresponding approvers you can define the AE Approver UME role.

For PSS, users will have to log in from the end user form. So they will be authenticated as per the authentication system configured in Configuration -> Authentication system. Here you can use an LDAP system as the authentication system.

Kind Regards,

Srinivasan

Former Member
0 Kudos

Hi Srinivasan,

Then UME will have all the approvers that exist in LDAP. Then for the corresponding approvers you can define the AE Approver UME role.

By that you mean all LDAP users will be available in UME, and for selected users I can give the AEApprover role?

I also have the possibility to create new UME accounts, because it will read both from the database and UME.

Do I understand you correctly?

Kindest Regards,

Vit Vesely

Former Member
0 Kudos

Hi Vit,

I mean to say that when you integrate your UME with the Active Directory LDAP system, UME will have user information coming from LDAP. The data source for UME will be LDAP. Now you assign these users the AE Approver role. Hence they will become the approvers for the CUP application.

Kind Regards,

Srinivasan

Former Member
0 Kudos

Hi Srinivasan,

Thanks for your kind answer.

What happens if I first create a user account in UME and subsequently register the user in AD with the same account name, so that UME will fetch the new account to UME? Will there be data inconsistency?

I've tested a similar scenario on a dual stack with an ABAP source and any changes made in UME are reflected in the ABAP backend.

Will UME be able to write back to AD or is it read only?

Kind Regards,

Vit Vesely

Edited by: Vit Vesely on May 17, 2010 8:42 AM

Former Member
0 Kudos

Yes, Vit. There will be data inconsistency. If you are making AD the data source of UME, then you should refrain from creating direct accounts in UME. User accounts should flow from AD to UME, not from UME to AD.

UME can write back to AD if you have chosen the data source as writable.

Regards,

Alpesh

Former Member
0 Kudos

We will do some testing later on. I will get back with the results.

Former Member
0 Kudos

I think I found what I've been looking for:

Process documentation: Configuring UME to Use an LDAP Server as Data Source

http://help.sap.com/saphelp_nw04/helpdata/en/cc/cdd93f130f9115e10000000a155106/content.htm

Former Member
0 Kudos

Hi Vit,

Have a look at Note 718383 as well.

Best regards,

Christian

Former Member
0 Kudos

Dear experts,

Here is a follow-up question regarding user data source.

All employees are registered in AD. However, external consultants are not. I need to find a way to provision them as well (with CUP).

Is it correct to use UME as data source for CUP and point AD as a data source for UME (read only)? Will it still be possible to create UME accounts (for consultants)?

And add UME roles to approvers and administrators?

Kind Regards,

Vit Vesely

Edited by: Vit Vesely on May 13, 2010 3:09 PM