on 10-26-2007 9:43 AM
Dear All,
I would like to know whether we can define two different LDAP servers within the portal: one LDAP (ADS server) for Kerberos authentication, while the other, a separate ADAM server, is used for authorization (rendering group information).
The reason being I can see single LDAP server under System config > UM Config > LDAP.
This will enable proper fallback (To Basis userid/password) whenever user fails on Kerberos, specifically when we have defined ADAM server in LDAP settings.
Thanks for help
Regards,
Abhitab
Hi Abhitab,
The short answer is no, you cannot mix LDAP and ABAP data sources for information about the same users. I spent a long time trying this, because I wanted Windows authentication but with Roles coming from R/3.
What you can do is to configure the UME for type ABAP (which will give the Basis fallback situation you desire), and separately configure the JAAS login stack in Visual Administrator to allow authentication using Kerberos and ADAM. For the ADAM authentication, you will have to write your own JAAS module, but this is only about 12 lines of code different to the standard JAAS template project.
Best regards,
Darren
<a href="http://www.fortybeans.com/">My blog</a>
Hi Darren,
Thanks a lot for your reply.
Just a correction to what you understood. We already have a running system wherein we authenticate users using Kerberos (SPNEGO) from the corporate LDAP (ADS) while the groups are rendered from a separate ADAM server.
The problem we have is that whenever the user fails on Kerberos, the fallback (Basic userid/password) does not work.
The reason being ADAM Server does not store passwords.
We want this basic authentication to be directed towards Corporate LDAP (ADS) and not the ADAM Server.
Currently in EP 6.0, we can enter single LDAP Server name in the UME configuration.
Best Regards,
Abhitab
I understand now - looks like I overcomplicated things a bit.
To solve your problem, all you need to do is insert a couple of entries at the end of your JAAS stack before the Basic and CreateTicket modules at the end.
I am guessing you currently have something like:
EvaluateTicket Sufficient
Spnego Optional
CreateTicket Sufficient
BasicPassword Requisite
CreateTicket Optional
You need to add LdapLogin and CreateTicket to give the following:
EvaluateTicket Sufficient
Spnego Optional
CreateTicket Sufficient
*LdapLogin Optional
*CreateTicket Sufficient
BasicPassword Requisite
CreateTicket Optional
The Ldap login module is the one you will have to write (unfortunately, I am not free to give you the one that I wrote for my company). However, you can find out how to write a login module in the SAP docs at <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm">Create and configure a Login Module</a>.
In your login module, the login() method should contain the code you can find in the Sun docs at <a href="http://java.sun.com/products/jndi/tutorial/ldap/security/ldap.html">LDAP authentication</a>.
I hope this helps you,
Darren
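As an added illustration of the module Darren describes (this is not his module, nor SAP's template code): a minimal JAAS LoginModule whose login() performs an LDAP simple bind through JNDI against the ADS server, so that the Basic fallback is validated by the directory that actually holds passwords. It assumes the standard javax.security.auth.spi.LoginModule interface (the SAP template adds its own base class and ticket handling), and the option names ldap.url and ldap.userDnFormat are placeholders chosen here.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class LdapLoginModule implements LoginModule {
    private CallbackHandler handler;
    private String ldapUrl, userDnFormat; // module options, placeholders (see lead-in)
    private boolean succeeded;
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.ldapUrl = (String) options.get("ldap.url");               // e.g. ldap://ads.example.corp:389
        this.userDnFormat = (String) options.get("ldap.userDnFormat"); // e.g. %s@example.corp (AD UPN)
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("cannot obtain credentials: " + e); }
        String user = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        // An empty password makes many directories do an unauthenticated bind that "succeeds",
        // so it must be rejected before the server is contacted.
        if (user == null || user.isEmpty() || pw == null || pw.length == 0) {
            throw new FailedLoginException("empty user name or password");
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, String.format(userDnFormat, user));
        env.put(Context.SECURITY_CREDENTIALS, new String(pw));
        try {
            new InitialDirContext(env).close(); // bind succeeded, so the password is valid
            succeeded = true;
            return true;
        } catch (NamingException e) {
            throw new FailedLoginException("LDAP bind failed for " + user);
        }
    }
    public boolean commit() { return succeeded; }
    public boolean abort() { succeeded = false; return true; }
    public boolean logout() { succeeded = false; return true; }
}
```

Placed as Optional before the Sufficient CreateTicket entry, as in the stack above, a successful bind lets the ticket be created while a failure falls through to the remaining modules; use ldaps:// or StartTLS for the provider URL so the password is not sent in clear.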