
Assigning a login module to a single WebDynpro to authenticate against LDAP

Former Member
0 Kudos

Hi there,

we are running the J2EE Engine 7.0 within XI on SAP NetWeaver 2004s / Linux x86_64.

Basically, I want to authenticate a Java WebDynpro against an LDAP (Active Directory). With the XI Usage installed, I cannot customize the UME to authenticate against an LDAP (not supported and not possible).

Thus, I want to use a custom login module or, if suitable, a standard login module to authenticate against LDAP. I know that all WebDynpro Apps use the default authentication scheme that in turn references the authentication template "ticket".

1) Can I use a predefined Login Module to authenticate against Active Directory LDAP or do I have to write a custom login module?

2) Is it possible to assign a login module to a single WebDynpro and how can I do this?

Thanks a lot in advance,

Oliver Kalkofen

3 REPLIES

Former Member
0 Kudos

Sorry but WebDynpro uses an all or nothing approach. You have to change the default login stack in authschemes.xml (or change the ticket login stack, as this is the default target in authschemes.xml).

But changing this will change the authentication for ALL WebDynpro Java apps.

You have to use a custom-built login module to authenticate, as the default modules use the UME to verify the user's password.

Regards,

Patrick

tim_alsop
Active Contributor
0 Kudos

> Thus, I want to use a custom login module or, if suitable, a standard login module to authenticate against LDAP.

We have developed a custom login module which does this. It looks to the user like the BasicPasswordLoginModule provided with SAP, but the userid and password entered have to be a valid account/password from the Active Directory domain. We use the Kerberos protocol to perform this userid/password validation, not LDAP. The userid can be just a name, in which case the default domain (realm in Kerberos terminology) is used, or it can be specified as user@REALM, in which case a non-default realm can be used to authenticate. Once the authentication is complete, we look in the USRACL table to map this Kerberos principal name onto a SAP userid so we can then create an SSO2 ticket.

If you are interested in evaluating, or getting a quote for purchasing this, please contact me offline. Of course, you can develop your own if you are happy to do so. I just thought you might be interested to know of an alternative.

Thanks,

Tim
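
The flow described in the reply above (normalize the userid to a Kerberos principal, validate the password against the KDC, then map the principal to a SAP userid), shown with the JDK's standard JAAS `Krb5LoginModule`. This is an added example, not the product mentioned in the post and not SAP code. `DEFAULT_REALM`, the in-memory map standing in for the USRACL lookup, and all class and method names are assumptions; the KDC is taken from the JVM's Kerberos configuration (krb5.conf).

```java
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
public class KerberosPasswordCheck {
    static final String DEFAULT_REALM = "EXAMPLE.COM";  // assumption: site default realm
    // Constructed stand-in for the principal -> SAP userid mapping the post keeps in USRACL.
    static final Map<String, String> PRINCIPAL_TO_SAP = Map.of("jdoe@EXAMPLE.COM", "JDOE");
    // Bare name gets the default realm; user@REALM keeps its realm (upper-casing is an assumption).
    static String toPrincipal(String input) {
        String s = input == null ? "" : input.trim();
        int at = s.lastIndexOf('@');
        String user = at < 0 ? s : s.substring(0, at);
        String realm = at < 0 ? DEFAULT_REALM : s.substring(at + 1).toUpperCase(Locale.ROOT);
        if (!user.matches("[A-Za-z0-9._-]+") || !realm.matches("[A-Z0-9.-]+")) throw new IllegalArgumentException("malformed userid");
        return user + "@" + realm;
    }
    // True only if the KDC issues a ticket for this principal and password.
    static boolean validate(String principal, char[] password) {
        Configuration conf = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Map.of("principal", principal, "useTicketCache", "false")) };
            }
        };
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(principal);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        try {
            new LoginContext("krb5-check", null, handler, conf).login();
            return true;
        } catch (LoginException e) {
            return false;  // fail closed: wrong password, unknown principal, KDC unreachable
        }
    }
    // Returns the mapped SAP userid, or null when authentication fails or no mapping exists.
    static String authenticate(String input, char[] password) {
        String principal = toPrincipal(input);
        return validate(principal, password) ? PRINCIPAL_TO_SAP.get(principal) : null;
    }
    public static void main(String[] args) {
        System.out.println(toPrincipal("jdoe") + " " + toPrincipal("jdoe@other.example"));
        if (args.length == 1 && System.console() != null) System.out.println(authenticate(args[0], System.console().readPassword("Password: ")));
    }
}
```

Obtaining a TGT with the password does not by itself authenticate the KDC to the server, so a login module built this way should also request a service ticket and verify it against its own keytab before trusting the result. A principal with no mapping entry must be rejected, as `authenticate` does by returning null.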

Former Member
0 Kudos

Thanks for your help,

now I will start to develop a new LoginModule or purchase the existing one mentioned here.