on 05-28-2008 4:36 PM
Hi everybody,
First let me quickly explain the situation: the customer has different usernames in LDAP and R/3. These SAP usernames are stored in the DS in the attribute “extensionAttribute2” and used for the SAP reference system (works fine). The problem is that we also need to use Federated Portal Network, and this cannot work with different usernames (at least not for a double stack, which is included in this scenario).
Our idea was to “recurve” the LDAP connection to the ADS and use extensionAttribute2 instead of samaccountname. We got it working, so that the user can log in to the portal using his SAP username and his current Windows password (don’t worry about irritation on the users’ side, because we are also working with Kerberos).
The problem is, however, that we get an error within the user management, because the mandatory field “logon-id” is not filled, although it is returned by the ADS server.
Has anybody ever tried this?
IMO it should be possible, because when you’re working with a non-Microsoft LDAP, there is no samaccountname…
-
-
My dataSourceConfiguration file:
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_deep_readonly_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<dataSources>
  <dataSource id="PRIVATE_DATASOURCE"
              className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
              isReadonly="false"
              isPrimary="true">
    <homeFor>
      <principals>
        <principal type="group"></principal>
        <principal type="user"></principal>
        <principal type="account"></principal>
        <principal type="team"></principal>
        <principal type="ROOT"></principal>
        <principal type="OOOO"></principal>
      </principals>
    </homeFor>
    <notHomeFor></notHomeFor>
    <responsibleFor>
      <principals>
        <principal type="group"></principal>
        <principal type="user"></principal>
        <principal type="account"></principal>
        <principal type="team"></principal>
        <principal type="ROOT"></principal>
        <principal type="OOOO"></principal>
      </principals>
    </responsibleFor>
    <privateSection>
    </privateSection>
  </dataSource>
  <dataSource id="CORP_LDAP"
              className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
              isReadonly="true"
              isPrimary="true">
    <homeFor></homeFor>
    <responsibleFor>
      <principal type="account">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="j_user"></attribute>
          <attribute name="j_password"></attribute>
          <attribute name="userid"></attribute>
          <attribute name="logonalias"></attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.authentication">
          <attribute name="principal"></attribute>
          <attribute name="realm"></attribute>
          <attribute name="domain"></attribute>
        </nameSpace>
      </principal>
      <principal type="user">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="firstname" populateInitially="true"></attribute>
          <attribute name="displayname" populateInitially="true"></attribute>
          <attribute name="lastname" populateInitially="true"></attribute>
          <attribute name="fax"></attribute>
          <attribute name="email"></attribute>
          <attribute name="title"></attribute>
          <attribute name="department"></attribute>
          <attribute name="description"></attribute>
          <attribute name="mobile"></attribute>
          <attribute name="telephone"></attribute>
          <attribute name="streetaddress"></attribute>
          <attribute name="uniquename" populateInitially="true"></attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"></attribute>
        </nameSpace>
        <nameSpace name="$usermapping$">
          <attribute name="REFERENCE_SYSTEM_USER"></attribute>
        </nameSpace>
      </principal>
      <principal type="group">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="displayname" populateInitially="true"></attribute>
          <attribute name="description" populateInitially="true"></attribute>
          <attribute name="uniquename"></attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"></attribute>
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"></attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.bridge">
          <attribute name="dn"></attribute>
        </nameSpace>
      </principal>
    </responsibleFor>
    <attributeMapping>
      <principal type="account">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="j_user">
            <physicalAttribute name="extensionAttribute2"></physicalAttribute>
          </attribute>
          <attribute name="logonalias">
            <physicalAttribute name="extensionAttribute2"></physicalAttribute>
          </attribute>
          <attribute name="j_password">
            <physicalAttribute name="unicodepwd"></physicalAttribute>
          </attribute>
          <attribute name="userid">
            <physicalAttribute name="*null*"></physicalAttribute>
          </attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.authentication">
          <attribute name="principal">
            <physicalAttribute name="extensionAttribute2"></physicalAttribute>
          </attribute>
          <attribute name="realm">
            <physicalAttribute name="*null*"></physicalAttribute>
          </attribute>
          <attribute name="domain">
            <physicalAttribute name="*null*"></physicalAttribute>
          </attribute>
        </nameSpace>
      </principal>
      <principal type="user">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="firstname">
            <physicalAttribute name="givenname"></physicalAttribute>
          </attribute>
          <attribute name="displayname">
            <physicalAttribute name="displayname"></physicalAttribute>
          </attribute>
          <attribute name="lastname">
            <physicalAttribute name="sn"></physicalAttribute>
          </attribute>
          <attribute name="fax">
            <physicalAttribute name="facsimiletelephonenumber"></physicalAttribute>
          </attribute>
          <attribute name="uniquename">
            <physicalAttribute name="extensionAttribute2"></physicalAttribute>
          </attribute>
          <attribute name="loginid">
            <physicalAttribute name="*null*"></physicalAttribute>
          </attribute>
          <attribute name="email">
            <physicalAttribute name="mail"></physicalAttribute>
          </attribute>
          <attribute name="mobile">
            <physicalAttribute name="mobile"></physicalAttribute>
          </attribute>
          <attribute name="telephone">
            <physicalAttribute name="telephonenumber"></physicalAttribute>
          </attribute>
          <attribute name="department">
            <physicalAttribute name="ou"></physicalAttribute>
          </attribute>
          <attribute name="description">
            <physicalAttribute name="description"></physicalAttribute>
          </attribute>
          <attribute name="streetaddress">
            <physicalAttribute name="postaladdress"></physicalAttribute>
          </attribute>
          <attribute name="pobox">
            <physicalAttribute name="postofficebox"></physicalAttribute>
          </attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
            <physicalAttribute name="*null*"></physicalAttribute>
          </attribute>
        </nameSpace>
        <nameSpace name="$usermapping$">
          <attribute name="REFERENCE_SYSTEM_USER">
            <physicalAttribute name="sapusername"></physicalAttribute>
          </attribute>
        </nameSpace>
      </principal>
      <principal type="group">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="displayname">
            <physicalAttribute name="displayname"></physicalAttribute>
          </attribute>
          <attribute name="description">
            <physicalAttribute name="description"></physicalAttribute>
          </attribute>
          <attribute name="uniquename" populateInitially="true">
            <physicalAttribute name="ou"></physicalAttribute>
          </attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
            <physicalAttribute name="*null*"></physicalAttribute>
          </attribute>
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
            <physicalAttribute name="*null*"></physicalAttribute>
          </attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.bridge">
          <attribute name="dn">
            <physicalAttribute name="*null*"></physicalAttribute>
          </attribute>
        </nameSpace>
      </principal>
    </attributeMapping>
    <privateSection>
      <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
      <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
      <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
      <ume.ldap.access.flat_group_hierachy>false</ume.ldap.access.flat_group_hierachy>
      <ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
      <ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
      <ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
      <ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
      <ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
      <ume.ldap.access.objectclass.grup>organizationalUnit</ume.ldap.access.objectclass.grup>
      <ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
      <ume.ldap.access.auxiliary_naming_attribute.user>extensionAttribute2</ume.ldap.access.auxiliary_naming_attribute.user>
      <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
      <ume.ldap.access.auxiliary_naming_attribute.uacc>extensionAttribute2</ume.ldap.access.auxiliary_naming_attribute.uacc>
      <ume.ldap.access.naming_attribute.grup>ou</ume.ldap.access.naming_attribute.grup>
    </privateSection>
  </dataSource>
</dataSources>
-
-
The output of “Test component for UME objects” from “Test component for UME objects”:
Get user object by logonId took: 0ms
...
UME User toString
Transient data: No transient data set.
Persistent data:
***************************************************************************
* com.sap.security.core.persistence.imp.PrincipalDatabag Wed May 28 17:26:39 CEST 2008
* UniqueID: USER.CORP_LDAP.cn=fpn-user,ou=special-users,ou=bae-users,dc=customer,dc=de
* Type: USER
* Home data source: CORP_LDAP
* Private id part: cn=fpn-user,ou=special-users,ou=bae-users,dc=customer,dc=de
*
* Principal exists.
*
* Direct parents:
* GRUP: GRUP.SUPER_GROUPS_DATASOURCE.EVERYONE
* GRUP.SUPER_GROUPS_DATASOURCE.AUTHENTICATED_USERS
* ROLE:
* "com.sap.portal.dsm"|->"DebugControlFlag" (no time limit)=
* "com.sap.security.core.usermanagement"|->"accessibilitylevel" (no time limit)=
* "com.sap.security.core.usermanagement"|->"unlockdate" (no time limit)=
* "com.sap.security.core.usermanagement"|->"uniquename" (no time limit)="fpn-user2"
* "com.sap.security.core.usermanagement"|->"ps_link" (no time limit)=
* "com.sap.security.core.usermanagement"|->"lockmessage" (no time limit)=
* "com.sap.security.core.usermanagement"|->"lockperson" (no time limit)=
* "com.sap.security.core.usermanagement"|->"salutation" (no time limit)=
* "com.sap.security.core.usermanagement"|->"displayname" (no time limit)="FPN-User"
* "com.sap.security.core.usermanagement"|->"APPROVAL_REQUEST_COMPANYID" (no time limit)=
* "com.sap.security.core.usermanagement"|->"company" (no time limit)=
* "com.sap.security.core.usermanagement"|->"lastname" (no time limit)="User"
* "com.sap.security.core.usermanagement"|->"locale" (no time limit)=
* "com.sap.security.core.usermanagement"|->"unlockperson" (no time limit)=
* "com.sap.security.core.usermanagement"|->"ps_timestamp" (no time limit)=
* "com.sap.security.core.usermanagement"|->"unlockmessage" (no time limit)=
* "com.sap.security.core.usermanagement"|->"firstname" (no time limit)="FPN"
* "com.sap.security.core.usermanagement"|->"email" (no time limit)="fpn-user’AT-Sign’customer.de"
* "com.sap.security.core.usermanagement"|->"ps_version" (no time limit)=
* "com.sap.security.core.usermanagement"|->"lockReason" (no time limit)=
* "$serviceUser$"|->"SERVICEUSER_ATTRIBUTE" (no time limit)=
* "com.sapportals.portal.navigation"|->"uipmode" (no time limit)=
***************************************************************************
-
-
Any help or hint will be appreciated and of course points will be given
Thanks and greets,
Jörg Schröder
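A small consistency check over the dataSourceConfiguration format shown above, added here as an example (not part of the original post and not SAP's own UME code): it parses a constructed, abbreviated configuration of the same shape and reports every logical attribute a data source declares itself responsible for but leaves unmapped or maps to *null*, which is the kind of gap to rule out first when a mandatory field such as the logon id stays empty even though the directory returns a value.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated sample in the shape of the file in the post (not the real file).
SAMPLE_XML = """<dataSources>
  <dataSource id="CORP_LDAP" className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence" isReadonly="true" isPrimary="true">
    <responsibleFor>
      <principal type="account">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="j_user"></attribute>
          <attribute name="userid"></attribute>
          <attribute name="logonalias"></attribute>
        </nameSpace>
      </principal>
    </responsibleFor>
    <attributeMapping>
      <principal type="account">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="j_user"><physicalAttribute name="extensionAttribute2"></physicalAttribute></attribute>
          <attribute name="userid"><physicalAttribute name="*null*"></physicalAttribute></attribute>
        </nameSpace>
      </principal>
    </attributeMapping>
  </dataSource>
</dataSources>"""


def collect(section):
    """Map (principal type, namespace, logical attribute) -> physical attribute name.

    Works for both <responsibleFor> (no physicalAttribute, value None) and
    <attributeMapping>; a <principals> wrapper, as in the private data source, is tolerated.
    """
    out = {}
    for principal in section.iter("principal"):
        for ns in principal.iter("nameSpace"):
            for attr in ns.findall("attribute"):
                phys = attr.find("physicalAttribute")
                key = (principal.get("type"), ns.get("name"), attr.get("name"))
                out[key] = None if phys is None else phys.get("name")
    return out


def check_datasource(xml_text, datasource_id):
    """Return sorted (finding, key) pairs: 'unmapped' or 'null-mapped' per declared attribute."""
    root = ET.fromstring(xml_text)
    ds = root.find(f"dataSource[@id='{datasource_id}']")
    declared = collect(ds.find("responsibleFor"))
    mapped = collect(ds.find("attributeMapping"))
    findings = []
    for key in declared:
        if key not in mapped:
            findings.append(("unmapped", key))      # declared but no physical attribute at all
        elif mapped[key] == "*null*":
            findings.append(("null-mapped", key))   # declared but deliberately emptied
    return sorted(findings)
```

Run it against the real file by replacing SAMPLE_XML with the file contents and "CORP_LDAP" with the data source id in question.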
Hi,
We are facing a similar problem while trying to connect a CUA to the MS Active Directory.
[Session ID: AGS351 User Management and Authorizations - The Details|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d5f57332-0a01-0010-12ab-dd472e87b8e6]
Page 62 ff.
They try to map the attribute uid to the username, but MS ADS has no uid; MS ADS uses samaccountname.
I cannot believe that no one has solved this problem.
Hello Suraj,
Neither the Kerberos configuration nor the ADS connection itself is my problem, as I have done both many times before.
My problem is that I do not want to use the samaccountname as the username attribute, and SAP tells me that this is not documented, therefore not supported, and therefore this community is my last hope.
I do not know whether it is possible, I simply have the strong feeling that it should be possible...
Greets,
Jörg
Hi Jörg Schröder,
I have done Kerberos authentication with an MS ADS server.
Check the link below; it may help you.
http://help.sap.com/saphelp_nw04/helpdata/en/cc/cdd93f130f9115e10000000a155106/content.htm
Thanks,
Suraj