Configuration of ADS and ADAM in EP 6.0

Former Member

Dear All,

I would like to know whether we can define two different LDAP servers within the portal: one LDAP (ADS server) for Kerberos authentication, while the other, a separate ADAM server, is used for authorization (rendering group information).

The reason being I can see single LDAP server under System config > UM Config > LDAP.

This will enable proper fallback (to Basis user ID/password) whenever a user fails on Kerberos, specifically when we have defined the ADAM server in the LDAP settings.

Thanks for help

Regards,

Abhitab

Accepted Solutions (0)

Answers (1)

darren_hague
Contributor

Hi Abhitab,

The short answer is no, you cannot mix LDAP and ABAP data sources for information about the same users. I spent a long time trying this, because I wanted Windows authentication but with Roles coming from R/3.

What you can do is to configure the UME for type ABAP (which will give the Basis fallback situation you desire), and separately configure the JAAS login stack in Visual Administrator to allow authentication using Kerberos and ADAM. For the ADAM authentication, you will have to write your own JAAS module, but this is only about 12 lines of code different to the standard JAAS template project.

Best regards,

Darren

My blog: http://www.fortybeans.com/

Former Member

Hi Darren,

Thanks a lot for your reply.

Just a correction to what you understood. We already have a running system wherein we authenticate users using Kerberos (SPNEGO) against the corporate LDAP (ADS), while the groups are rendered from a separate ADAM server.

The problem we have is that whenever a user fails on Kerberos, the fallback (basic user ID/password) does not work.

The reason is that the ADAM server does not store passwords.

We want this basic authentication to be directed towards the corporate LDAP (ADS) and not the ADAM server.
</gre_replace>
<gr_replace lines="62" cat="clarify" orig="Currently in EP 6.0, we can enter">
Currently in EP 6.0, we can enter only a single LDAP server name in the UME configuration.

Currently in EP 6.0, we can enter single LDAP Server name in the UME configuration.

Best Regards,

Abhitab

darren_hague
Contributor

I understand now - looks like I overcomplicated things a bit.

To solve your problem, all you need to do is insert a couple of entries in your JAAS stack, before the Basic and CreateTicket modules at the end.

I am guessing you currently have something like:

EvaluateTicket    Sufficient
Spnego            Optional
CreateTicket      Sufficient
BasicPassword     Requisite
CreateTicket      Optional

You need to add LdapLogin and CreateTicket to give the following:

EvaluateTicket    Sufficient
Spnego            Optional
CreateTicket      Sufficient
*LdapLogin         Optional
*CreateTicket      Sufficient
BasicPassword     Requisite
CreateTicket      Optional

The LdapLogin module is the one you will have to write (unfortunately, I am not free to give you the one that I wrote for my company). However, you can find out how to write a login module in the SAP docs: "Create and configure a Login Module", http://help.sap.com/saphelp_nw2004s/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm

In your login module, the login() method should contain the code you can find in the Sun docs: "LDAP authentication", http://java.sun.com/products/jndi/tutorial/ldap/security/ldap.html

I hope this helps you,

Darren
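As an added example that is not part of the thread (neither Darren's module nor SAP's template project), here is what such an LdapLogin module can look like in plain JAAS: it resolves the user's DN in the corporate ADS with a read-only service account and then proves the password with an LDAP simple bind as that user, which is the approach the Sun JNDI tutorial linked above describes. The class name and the option names url, base, bindDn and bindPassword are assumptions; the SAP template adds its own base class and principal types, which are left out here. The password is deliberately never looked up in ADAM, so this gives the ADS-backed fallback asked for in the question.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical LdapLogin module: user id/password checked by simple bind against the corporate ADS.
 *  Option names (url, base, bindDn, bindPassword) are assumptions for this example, not SAP-defined. */
public class AdsBindLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private String user;   // set by login(), consumed by commit()

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.options = options;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        String name = nc.getName();
        char[] pw = pc.getPassword();   // a copy; clear the callback's own buffer now
        pc.clearPassword();
        // RFC 4513: a simple bind with an empty password is an *anonymous* bind, and AD
        // answers it with success. Reject it before the directory ever sees it.
        if (name == null || name.isEmpty() || pw == null || pw.length == 0) {
            throw new FailedLoginException("empty user id or password");
        }
        String url = (String) options.get("url");     // assumed, e.g. ldaps://dc01.corp.example:636
        String base = (String) options.get("base");   // assumed, e.g. DC=corp,DC=example
        try {
            // 1. Resolve the user's DN with the read-only service account.
            DirContext svc = bind(url, (String) options.get("bindDn"),
                                  ((String) options.get("bindPassword")).toCharArray());
            String dn;
            try { dn = findDn(svc, base, name); } finally { svc.close(); }
            if (dn == null) throw new FailedLoginException("unknown user");
            // 2. Bind as the user: only a correct password makes this succeed.
            bind(url, dn, pw).close();
        } catch (AuthenticationException e) {
            throw new FailedLoginException("bad credentials");   // Optional flag: stack continues
        } catch (NamingException e) {
            throw new LoginException("directory error: " + e.getMessage());
        } finally {
            Arrays.fill(pw, '\0');
        }
        user = name;
        return true;
    }

    private static DirContext bind(String url, String dn, char[] pw) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);   // ldaps:// so the password does not cross the wire in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(pw));
        return new InitialDirContext(env);    // throws AuthenticationException on a rejected bind
    }

    private static String findDn(DirContext ctx, String base, String name) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]);   // only the DN is needed
        // {0} is escaped by JNDI (RFC 2254 rules), so the typed user id cannot alter the filter.
        NamingEnumeration<SearchResult> r = ctx.search(base,
                "(&(objectClass=user)(sAMAccountName={0}))", new Object[] { name }, sc);
        return r.hasMore() ? r.next().getNameInNamespace() : null;
    }

    public boolean commit() throws LoginException {
        if (user == null) return false;
        final String n = user;
        subject.getPrincipals().add(new Principal() { public String getName() { return n; } });
        return true;
    }

    public boolean abort() throws LoginException { boolean ran = user != null; user = null; return ran; }
    public boolean logout() throws LoginException { subject.getPrincipals().clear(); return true; }
}
```

Registered in Visual Administrator and placed in the stack as "LdapLogin Optional" followed by "CreateTicket Sufficient", as in the listing above, a successful bind ends the stack with a ticket, while a FailedLoginException just lets the stack fall through to BasicPassword. Three details matter more than the rest of the code: the empty-password check (AD accepts an empty simple bind as anonymous, which would otherwise log anyone in), the ldaps:// URL (a plain ldap:// simple bind sends the password in clear), and passing the user id as a filter argument rather than concatenating it into the filter string.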