03-22-2008 9:27 PM
Hi All,
Does anyone know if there's a User Exit for the SAP GUI Login Routine? I need to perform a quick LDAP look-up during the standard SAP Login Routine.
Thanks,
Matt
03-22-2008 10:03 PM
Hi Matt,
Check the screens of the SAPGUI logon program in SE80 for your options.
I am not sure what your requirement is, but SUSR001 (FM EXIT_SAPLSUSF_001) sounds like what you are looking for, which is located after the logon, before the menu is loaded.
Also see this thread: which might help you further, depending on your requirement.
Cheers,
Julius
Note: If you use the search for this topic, then there are some posts which will give you very bad advice about how to avoid password changes. You can seriously damage your system if you directly update SAP user tables from this exit or your own programs.
03-23-2008 11:05 AM
Julius,
Thanks for the reply, I appreciate your help!
Yes, looks like this User Exit (SUSR001) is executed after the logon process, as you mentioned. We're actually looking to execute some code (i.e., LDAP authentication) during the out-of-box logon in process, and depending on the LDAP authentication, log the user on accordingly or reject the logon. From what I can tell, there's not a User Exit we can use to fulfill this requirement.
Thanks,
Matt
03-24-2008 7:07 PM
Matt,
Is your LDAP server Active Directory, or some other LDAP-capable server/directory?
It seems to me that you are trying to log a user onto the SAP system when using SAP GUI via a password in an LDAP directory? If so, you will find that this can be done more securely and without coding any exits.
Thanks,
Tim
03-25-2008 2:32 PM
Yes, we're looking to cut-over the SAP GUI logon process to use Active Directory. Can SAP be cut-over to use LDAP authentication? We were told by one of our consultants that the SAP logon process cannot be cut-over to LDAP (hence why we started looking into using User Exits).
03-25-2008 4:00 PM
Matt,
Other companies who want the same use SNC so that they can make SAP GUI use external authentication, and since Active Directory uses Kerberos to authenticate a user at the workstation, this fits very well and is very secure. The user logs onto the Windows desktop and uses Kerberos to authenticate with Active Directory when they do this. Their Kerberos credentials are stored on the workstation and can be used by an SNC library when SAP GUI needs to authenticate the user to the server.
There are various solutions available, and those that are SAP certified can be found by looking at http://www.sap.com/eapcatalog and searching for Active Directory in the search box.
Please let me know if you have any more questions. Hopefully you can see that this method is much better than coding a user exit to authenticate the user again after they have authenticated to SAP.
Thanks,
Tim
07-30-2008 10:19 AM
>
> Julius,
>
> Thanks for the reply, I appreciate your help!
>
> Yes, looks like this User Exit (SUSR001) is executed after the logon process, as you mentioned. We're actually looking to execute some code (i.e., LDAP authentication) during the out-of-box logon in process, and depending on the LDAP authentication, log the user on accordingly or reject the logon. From what I can tell, there's not a User Exit we can use to fulfill this requirement.
>
> Thanks,
>
> Matt
For security reasons (and also for stability reasons - imagine that there is a bug in your custom coding which prevents everyone from being able to logon to the system ...) no such user-exit is provided.
07-30-2008 10:27 AM
>
> Yes, we're looking to cut-over the SAP GUI logon process to use Active Directory. Can SAP be cut-over to use LDAP authentication? We were told by one of our consultants that the SAP logon process cannot be cut-over to LDAP (hence why we started looking into using User Exits).
If your ABAP server is running on the Windows OS, then please have a look at SAP Note 352295 (https://service.sap.com/sap/support/notes/352295): SAP provides some SNC libraries (actually: wrappers for the Microsoft SSPI) which allow you to utilize NTLM / MS-Kerberos. Most likely you refer to MS ADS when talking of "LDAP". In that case you actually refer to "(MS-)Kerberos authentication" when talking of "LDAP authentication".
If your ABAP server is running on a different OS, then you cannot use those SNC libraries provided by SAP. In that case you have to purchase an SNC partner solution (https://service.sap.com/sap/support/notes/66687).
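An added illustration, not part of the thread or of the SAP Notes it cites: a sketch of the application-server profile settings that an SNC/Kerberos setup of the kind described in the replies above involves, with the permissive rollout setting for password logons shown beside the stricter ones. The SID, realm and library path are placeholders, and the `p:SAPService<SID>@<REALM>` name form is an assumption that depends on the SNC library in use.

```ini
# Instance profile fragment (constructed example; everything in <> is a placeholder)

# Switch SNC on and point the kernel at the GSS-API/SNC library
# (the SAP-provided SSPI wrapper on Windows, or a partner product elsewhere).
snc/enable      = 1
snc/gssapi_lib  = <full path to the SNC library>

# SNC name of the application server itself. With a Kerberos-based library
# this is typically the service account's principal in the AD realm.
snc/identity/as = p:SAPService<SID>@<AD.REALM>

# --- Rollout phase (weak) ---------------------------------------------
# SAP GUI logons with user ID and password are still accepted for everyone,
# so SNC adds single sign-on but does not yet remove the password path.
snc/accept_insecure_gui = 1

# --- After rollout (stricter) -----------------------------------------
# Once every dialog user has an SNC name maintained (SU01, SNC tab,
# e.g. p:<windows-user>@<AD.REALM>), allow password logon only for users
# explicitly flagged for it:
#   snc/accept_insecure_gui = U
# or refuse non-SNC SAP GUI logons entirely:
#   snc/accept_insecure_gui = 0
```

On the client side, SAP GUI needs the matching SNC library and the server's SNC name in the SAP Logon connection entry; no logon exit or custom ABAP is involved.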
03-23-2008 1:41 PM
Hi Matt,
It sounds as if you are wanting to achieve a dual logon (a second authentication), which if unsuccessful should logoff the user authenticated via the first SAPGUI logon.
I see 2 problems with your requirement if you use this exit for it.
- 1) Log on, and
- 2) Logoff.
...in that same order.
See SAP note 37724 and the attachments to SAP note 142724, and this thread here, for example, which have information about using the call 'SYST_LOGOFF' for such tasks.
The problem I see is that users do not have to complete the second logon prompt, either successfully or unsuccessfully... they can simply open a new session.
Perhaps a Single-Sign-On scenario would be a better solution?
Cheers,
Julius
PS: Does this relate to your other post as well? Do you want to assign the role in the exit?
07-21-2016 3:00 PM
We can use the SUSR0001 user exit for SAP GUI logon.
But which exit or BAdI runs when a user logs on via web view?