on 02-04-2011 1:33 PM
Hi all,
I've surfed into SDN for a problem I have in my company but I didn't find anything...so sorry in advance if I've missed it!
Scenario is the following: we currently have a SAP MDM 7.1 system running on one of our Active Directory domains (let's say DOMA), while our users get authenticated on different child domains (DOMB, DOMC, ...) belonging to the same AD structure.
Now we would like to set up the LDAP integration for our MDM. This normally is done with some setup in the mds.ini file, including the UNIQUE LDAP server to connect to and manage the authentication. The problem is that AD is able to replicate in each sub-domain all the Global Catalog information (including User, Name, Surname, MemberOF...) but not the password, which remains stored only in the Domain Controller where the users connect. This means that in fact we need to connect, according to the user's domain, to different servers.
So my question is the following: is there any chance to support LDAP authentication for MDM users against multiple AD domains? I can imagine 2 possible solutions:
1. include into mds.ini the list of domain controller servers, maybe divided by ";". But is it supported by MDM?
2. find a way to let MDM pass to AD not only the Username and Password, but also the domain information.
Can you help me understand whether MDM supports some solution to realize the described scenario?
Thanks in advance for your support.
Hello Rinox
The main goal of AD is central management of users, their roles, permissions and security.
http://en.wikipedia.org/wiki/Active_Directory
If your infrastructure does not correspond to the AD standard, maybe it makes sense to make changes in the infrastructure?
SAP MDM has its own user storage; if LDAP is not working, all users (which are saved in MDM storage) can connect to SAP MDM directly.
You can read more about SAP MDM and LDAP here (page 312):
http://help.sap.com/saphelp_nwmdm71/helpdata/en/4b/71608566ae3260e10000000a42189b/MDMConsole71.pdf
Regards
Kanstantsin Chernichenka
Hi and thanks for answering.
Actually our AD is not outside the standard, it was designed and installed by certified MS consultants. In fact your Wikipedia link talks about "Forests, trees, and domains", which is the normal structure for Active Directory (usually a root domain and several child domains composing one unique hierarchical structure).
The main problem is that, as told, standard AD is able, thru its Global Catalog synchronization rules, to replicate user information from one domain to any other in the forest...all but the passwords, which remain only at child domain level.
To tell you all, password centralization (and real LDAP functionalities) in the Microsoft world is performed by something different from a standard AD: for this purpose, I believe, you have to set up an ADAM system (Active Directory Application Mode), but this is another story.
Regarding your second comment, actually we would like to use LDAP and not the internal MDM security for one reason that I did not specify: the connection to MDM will not be performed only thru the MDM Data Manager, but also in a remote way from our ECC systems thru the usage of the MDM ABAP API (see the MDM_TECH addon...). And consider that the "MDM ECC users" will be thousands and thousands, so it's not worth it to create them one by one inside MDM as you can understand.
Thanks again,
Rinox
Hello Rinox
1) You can ask your MS guys about AD configuration; AD is a "de facto" global technology, not only MS.
2) To connect from another system to MDM you should specify its IP address in the mds.ini file. External systems may be more than one.
MDM does not support SSO technology; it means you will connect to MDM as a user which is already present in MDM.
Our MDM instance is working under LDAP.
We are using connections to MDM from rich clients and from the ABAP and Java API; we are working with MDM through web services without problem.
For ABAP and Java connections we create special users in MDM and in ECC, and those users are present in AD.
ECC is working under AD too.
But we spend more time on alignment of ECC and MDM users.
You can open a SAP OSS Note.
When we had a problem with MDM performance under Tivoli AD we did that and guys from SAP provided a patch to us.
Just a reminder:
"The MDM software adds no records to the LDAP directory, nor does it otherwise manage or make any design changes to its structure. It only performs "lookups" from the LDAP directory to read its contents.
- Single sign-on is not supported. Instead, MDM client software prompts the user for name and password. It was done this way for simplicity, interoperability with UNIX systems, and flexibility with various client programs or network configurations such as VPNs.
- MDM supports either LDAP users or MDM users, but not both simultaneously.
- MDM does not support connections to multiple LDAP directories."
Regards
Kanstantsin Chernichenka
Hello Rinox
That sentence is on page 313 of the MDM Console Reference Guide:
http://help.sap.com/saphelp_nwmdm71/helpdata/en/4b/71608566ae3260e10000000a42189b/MDMConsole71.pdf
Under Basic MDM LDAP.
Regards,
Carlos