cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

LDAP Integration without samaccountname

Former Member

on ‎05-28-2008 4:36 PM

0 Kudos

Hi everybody,

first let me quickly explain the situation: The customer has different usernames in LDAP and R/3. This SAP-Usernames are stored in the DS in the attribute u201CextensionAttribute2u201D and used for the SAP-Referencesystem (works fine). The problem is, that we also need to use Federated Portal Network and this cannot work with different usernames (at least not for a double stack which is included in this scenario).

Our idea was to u201Crecurveu201D the ldap-connection to the ADS and use extensionAttribute2 instead of samaccountname. We got it working, so that the user can log in to the portal using his sap-username and his current windows password (Donu2019t bother irritation on the users side, because we are also working with Kerberos ).

The problem is however, that we get an error within the usermanagement, because the mandatory-field u201Clogon-idu201D is not filled, although it is returned by the ads-server.

Has anybody ever tried this?

Imo it should be possible, because when your working with a non-Microsoft-Ldap, there is no samaccountnameu2026

-

-

My datasourceConfiguration-File:

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_deep_readonly_db.xml#6
$ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<dataSources>
    <dataSource id="PRIVATE_DATASOURCE"
                className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
                isReadonly="false"
                isPrimary="true">

        <homeFor>
            <principals>
            	<principal type="group"></principal>
            	<principal type="user"></principal>
            	<principal type="account"></principal>
                <principal type="team"></principal>
                <principal type="ROOT"></principal>
                <principal type="OOOO"></principal>
            </principals>
        </homeFor>
        <notHomeFor></notHomeFor>

        <responsibleFor>
            <principals>
            	<principal type="group"></principal>
            	<principal type="user"></principal>
            	<principal type="account"></principal>
                <principal type="team"></principal>
                <principal type="ROOT"></principal>
                <principal type="OOOO"></principal>
            </principals>
        </responsibleFor>

        <privateSection>
        </privateSection>
    </dataSource>

	<dataSource id="CORP_LDAP"
			className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
			isReadonly="true"
			isPrimary="true">

		<homeFor></homeFor>

		<responsibleFor>
    		<principal type="account">
    			<nameSpace name="com.sap.security.core.usermanagement">
    				<attribute name="j_user"></attribute>
					<attribute name="j_password"></attribute>
					<attribute name="userid"></attribute>
					<attribute name="logonalias"></attribute>
				</nameSpace>
    			<nameSpace name="com.sap.security.core.authentication">
    				<attribute name="principal"></attribute>
    				<attribute name="realm"></attribute>
    				<attribute name="domain"></attribute>
    			</nameSpace>
			</principal>
			<principal type="user">
				<nameSpace name="com.sap.security.core.usermanagement">
					<attribute name="firstname" populateInitially="true"></attribute>
					<attribute name="displayname" populateInitially="true"></attribute>
					<attribute name="lastname" populateInitially="true"></attribute>
					<attribute name="fax"></attribute>
					<attribute name="email"></attribute>
					<attribute name="title"></attribute>
					<attribute name="department"></attribute>
					<attribute name="description"></attribute>
					<attribute name="mobile"></attribute>
					<attribute name="telephone"></attribute>
					<attribute name="streetaddress"></attribute>
					<attribute name="uniquename" populateInitially="true"></attribute>
				</nameSpace>
    			<nameSpace name="com.sap.security.core.usermanagement.relation">
    					<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"></attribute>
    			</nameSpace>
    			<nameSpace name="$usermapping$">
    					<attribute name="REFERENCE_SYSTEM_USER"></attribute>
    			</nameSpace>
    		</principal>
    		<principal type="group">
	    		<nameSpace name="com.sap.security.core.usermanagement">
		    		<attribute name="displayname" populateInitially="true"></attribute>
			    	<attribute name="description" populateInitially="true"></attribute>
				    <attribute name="uniquename"></attribute>
	 			</nameSpace>
 				<nameSpace name="com.sap.security.core.usermanagement.relation">
					<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"></attribute>
					<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"></attribute>
				</nameSpace>
				<nameSpace name="com.sap.security.core.bridge">
					<attribute name="dn"></attribute>
				</nameSpace>
			</principal>
		</responsibleFor>

		<attributeMapping>
			<principal type="account">
				<nameSpace name="com.sap.security.core.usermanagement">
					<attribute name="j_user">
						<physicalAttribute name="extensionAttribute2"></physicalAttribute>
					</attribute>
					<attribute name="logonalias">
						<physicalAttribute name="extensionAttribute2"></physicalAttribute>
					</attribute>
					<attribute name="j_password">
						<physicalAttribute name="unicodepwd"></physicalAttribute>
					</attribute>
					<attribute name="userid">
						<physicalAttribute name="*null*"></physicalAttribute>
					</attribute>
				</nameSpace>
    			<nameSpace name="com.sap.security.core.authentication">
    				<attribute name="principal">
    					<physicalAttribute name="extensionAttribute2"></physicalAttribute>
    				</attribute>
    				<attribute name="realm">
    					<physicalAttribute name="*null*"></physicalAttribute>
    				</attribute>
    				<attribute name="domain">
    					<physicalAttribute name="*null*"></physicalAttribute>
    				</attribute>
    			</nameSpace>				
			</principal>

			<principal type="user">
				<nameSpace name="com.sap.security.core.usermanagement">
					<attribute name="firstname">
						<physicalAttribute name="givenname"></physicalAttribute>
					</attribute>
					<attribute name="displayname">
						<physicalAttribute name="displayname"></physicalAttribute>
					</attribute>
					<attribute name="lastname">
						<physicalAttribute name="sn"></physicalAttribute>
					</attribute>
					<attribute name="fax">
						<physicalAttribute name="facsimiletelephonenumber"></physicalAttribute>
					</attribute>
					<attribute name="uniquename">
						<physicalAttribute name="extensionAttribute2"></physicalAttribute>
					</attribute>
					<attribute name="loginid">
						<physicalAttribute name="*null*"></physicalAttribute>
					</attribute>
					<attribute name="email">
						<physicalAttribute name="mail"></physicalAttribute>
					</attribute>
					<attribute name="mobile">
						<physicalAttribute name="mobile"></physicalAttribute>
					</attribute>
					<attribute name="telephone">
						<physicalAttribute name="telephonenumber"></physicalAttribute>
					</attribute>
					<attribute name="department">
						<physicalAttribute name="ou"></physicalAttribute>
					</attribute>
					<attribute name="description">
						<physicalAttribute name="description"></physicalAttribute>
					</attribute>
					<attribute name="streetaddress">
						<physicalAttribute name="postaladdress"></physicalAttribute>
					</attribute>
					<attribute name="pobox">
						<physicalAttribute name="postofficebox"></physicalAttribute>
					</attribute>
				</nameSpace>
				<nameSpace name="com.sap.security.core.usermanagement.relation">
					<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
						<physicalAttribute name="*null*"></physicalAttribute>
					</attribute>
				</nameSpace>
				<nameSpace name="$usermapping$">
					<attribute name="REFERENCE_SYSTEM_USER">
						<physicalAttribute name="sapusername"></physicalAttribute>
					</attribute>
				</nameSpace>
			</principal>
			<principal type="group">
				<nameSpace name="com.sap.security.core.usermanagement">
					<attribute name="displayname">
						<physicalAttribute name="displayname"></physicalAttribute>
					</attribute>
					<attribute name="description">
						<physicalAttribute name="description"></physicalAttribute>
					</attribute>
					<attribute name="uniquename" populateInitially="true">
						<physicalAttribute name="ou"></physicalAttribute>
					</attribute>
				</nameSpace>
				<nameSpace name="com.sap.security.core.usermanagement.relation">
					<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
						<physicalAttribute name="*null*"></physicalAttribute>
					</attribute>
					<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
						<physicalAttribute name="*null*"></physicalAttribute>
					</attribute>
				</nameSpace>
				<nameSpace name="com.sap.security.core.bridge">
					<attribute name="dn">
						<physicalAttribute name="*null*"></physicalAttribute>
					</attribute>
				</nameSpace>
			</principal>
		</attributeMapping>
		<privateSection>
			<ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
			<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
			<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
			<ume.ldap.access.flat_group_hierachy>false</ume.ldap.access.flat_group_hierachy>
			<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
			<ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
			<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
			<ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
			<ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
			<ume.ldap.access.objectclass.grup>organizationalUnit</ume.ldap.access.objectclass.grup>
			<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
			<ume.ldap.access.auxiliary_naming_attribute.user>extensionAttribute2</ume.ldap.access.auxiliary_naming_attribute.user>
			<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
			<ume.ldap.access.auxiliary_naming_attribute.uacc>extensionAttribute2</ume.ldap.access.auxiliary_naming_attribute.uacc>
			<ume.ldap.access.naming_attribute.grup>ou</ume.ldap.access.naming_attribute.grup>
		</privateSection>
	</dataSource>
</dataSources>

-

-

The Output of u201CTest component for UME objectsu201D from u201CTest component for UME objectsu201D:

Get user object by logonId took: 0ms

...

UME User toString

Transient data: No transient data set. Persistent data: *************************************************************************** * com.sap.security.core.persistence.imp.PrincipalDatabag Wed May 28 17:26:39 CEST 2008 * UniqueID: USER.CORP_LDAP.cn=fpn-user,ou=special-users,ou=bae-users,dc=customer,dc=de * Type: USER * Home data source: CORP_LDAP * Private id part: cn=fpn-user,ou=special-users,ou=bae-users,dc=customer,dc=de * * Principal exists. * * Direct parents: * GRUP: GRUP.SUPER_GROUPS_DATASOURCE.EVERYONE * GRUP.SUPER_GROUPS_DATASOURCE.AUTHENTICATED_USERS * ROLE: * "com.sap.portal.dsm"|->"DebugControlFlag" (no time limit)= * "com.sap.security.core.usermanagement"|->"accessibilitylevel" (no time limit)= * "com.sap.security.core.usermanagement"|->"unlockdate" (no time limit)= * "com.sap.security.core.usermanagement"|->"uniquename" (no time limit)="fpn-user2" * "com.sap.security.core.usermanagement"|->"ps_link" (no time limit)= * "com.sap.security.core.usermanagement"|->"lockmessage" (no time limit)= * "com.sap.security.core.usermanagement"|->"lockperson" (no time limit)= * "com.sap.security.core.usermanagement"|->"salutation" (no time limit)= * "com.sap.security.core.usermanagement"|->"displayname" (no time limit)="FPN-User" * "com.sap.security.core.usermanagement"|->"APPROVAL_REQUEST_COMPANYID" (no time limit)= * "com.sap.security.core.usermanagement"|->"company" (no time limit)= * "com.sap.security.core.usermanagement"|->"lastname" (no time limit)="User" * "com.sap.security.core.usermanagement"|->"locale" (no time limit)= * "com.sap.security.core.usermanagement"|->"unlockperson" (no time limit)= * "com.sap.security.core.usermanagement"|->"ps_timestamp" (no time limit)= * "com.sap.security.core.usermanagement"|->"unlockmessage" (no time limit)= * "com.sap.security.core.usermanagement"|->"firstname" (no time limit)="FPN" * "com.sap.security.core.usermanagement"|->"email" (no time limit)="fpn-useru2019AT-Signu2019customer.de" * "com.sap.security.core.usermanagement"|->"ps_version" (no time limit)= * "com.sap.security.core.usermanagement"|->"lockReason" (no time limit)= * "$serviceUser$"|->"SERVICEUSER_ATTRIBUTE" (no time limit)= * "com.sapportals.portal.navigation"|->"uipmode" (no time limit)= ***************************************************************************

-

-

Any help or hint will be appreciated and of course points will be given

Thanks and greets,

Jörg Schröder

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

Former Member
‎01-28-2009 9:04 AM
0 Kudos

Hy,

we are facing a similar problem while trying to connect a cua to the MS Active Directory.

[Session ID: AGS351 User Management and Authorizations - The Details|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d5f57332-0a01-0010-12ab-dd472e87b8e6]

Page 62 ff

They try to map the attribute uid to the username, but MS ADS has no uid but MS ADS use samaccountname.

I cannot believe that no one solved this problem.

Show replies
Show replies
Former Member
‎05-29-2008 8:15 AM
0 Kudos

Hallo Suraj,

neither the kerberos-configuration nor the ads-connection itself is my problem, as I have done both many times before.

My problem is, that I do not want to use the samaccountname as usernameattribute and SAP tells me, that it this not documented, therefore not supported and therefore this community is my last hope

I do not know that it is possible, I simply have the strong feeling that it should be possible...

Greets,

Jörg

Show replies
Show replies
Former Member
‎05-28-2008 9:52 PM
0 Kudos

HI Jörg Schröder,

I have done with kerberos authentication with MS ADS server.

Check with below link it may help you.

http://help.sap.com/saphelp_nw04/helpdata/en/cc/cdd93f130f9115e10000000a155106/content.htm

Thanks,

Suraj

Show replies
Show replies
Ask a Question