
NetWeaver UME and LDAP sync (user data)

Former Member

Hi Experts,

We have a requirement to support offline availability for one of the NetWeaver servers in the landscape. We are planning to integrate all the Java NetWeaver systems with LDAP. Is there any possibility to sync all the user data, including passwords, to the NetWeaver UME in case LDAP is not available? So users can do some tasks in offline mode with LDAP.

Any information regarding this would be greatly appreciated.

Accepted Solutions (1)

tim_alsop

Hi,

When you refer to LDAP, are you referring to Active Directory, or another LDAP directory?

Also, when you refer to "offline", can I assume you want to log on via the Internet, and therefore users will not be logged onto the company domain before they open the browser?

Thanks,

Tim

Former Member

When you refer to LDAP, are you referring to Active Directory, or another LDAP directory?

We don't have that option filled in, but I don't think there will be any restrictions based on the above selection. Let me know your suggestion.

Also, when you refer to "offline", can I assume you want to log on via the Internet, and therefore users will not be logged onto the company domain before they open the browser?

Not exactly. Our company has some customers where we need to maintain physical NetWeaver-based servers in their locations. In order to access SAP back-end data they will connect through LDAP, and if for some reason they are not able to access the LDAP we want to provide some authentication mechanism in the NetWeaver system to proceed with the local functionalities without SAP back-end involvement.

1. My challenge is to sync the LDAP user data into the NetWeaver UME, including passwords if possible.

2. UME has to be active if LDAP goes offline.

Let me know if you still have questions, and thanks for the quick reply.

tim_alsop

Hi Rao,

Is the following correct:

customer workstation with browser > sap system at customer location < authentication of user --> LDAP directory at your location

With above you want to allow the user to logon using ldap protocol, so you can maintain users in the ldap directory, but if the connection between their SAP system and the directory is down you want them to be able to log on using local user store.

Can you confirm this understanding is correct?

Thanks,

Tim

Former Member

You got it right, but it is not necessarily the end user logging in through a browser; it could be some other devices. I don't think that makes a difference.

SAP NetWeaver system at customer location.

I just want the end user to log in using one user ID and password, to LDAP or to the local NetWeaver server?

Do you have any suggestions for this type of security model ?

tim_alsop

Rao,

To use different authentication methods with NetWeaver, you MUST use the J2EE engine, since this has the capability to add and configure different login modules that support different methods of user authentication. If the application is on the ABAP stack then you need to use redirection, so that the user is authenticated on the J2EE stack and then redirected to the ABAP application afterwards.

I am not aware of any LDAP authentication login module being available, and even if there were, it would not be very secure, since LDAP is not a secure method to authenticate across a network. The LDAP connector provided by SAP only syncs user info and not passwords.

What you need is a cryptographic authentication method which works locally as well as over a network. It is certainly not common for an LDAP directory to allow you to read a password and copy it across the network, because of the security issues this presents, so password sync is not very secure and not very easy to implement.

Of course you could contract somebody to develop a solution for you to do what you want, but in a secure way; however, I think you will find there is not a solution already available that does this.

Thanks,

Tim

Former Member

Tim,

Thanks very much. You have almost answered my question, and now I am in the right direction; maybe we need to contact SAP regarding the solution.

Thanks again.

Rao

tim_alsop

Rao,

Yes, I think it would be useful to ask SAP for help. It would also be useful to ask an SAP partner for help, since SAP can't always provide solutions for all usage scenarios.

Thanks,

Tim

Former Member

Thanks again for the quick replies; I appreciate your time.

tim_alsop

Rao,

May I suggest that you mark this thread as "answered" if you are satisfied with the responses given?

Have a nice weekend.

Regards,

Tim

Former Member

Hi Rao and Tim,

With SAP NW IdM SP2 you can even find a way to synchronize passwords. It comes with a small tool called Password Hook, which captures every changed password in Active Directory and passes it further, e.g. to the SAP NW Identity Center.

The Identity Center can keep this password encrypted in a metadirectory and distribute it to various systems like Web AS ABAP / Java based on events.

It's important to secure the transfer of these passwords and the SAP NW IdM itself.

There is a document about the Password Hook (unfortunately the PDF version was damaged).

[SAP NetWeaver Identity Management Password Hook|https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.highlightedcontent?documenturi=%2flibrary%2fsecurity-and-identity-management%2fidentity-and-access-management%2fidentityCenter-ActiveDirectoryPasswordHook.pdf]

Best regards,

Nils

tim_alsop

This tool looks interesting, and might be useful to Rao, but it would need some improvements to make it secure. I suggest using a cryptographically secured session between the domain controller and the SAP system, so that password changes can be sent to SAP, captured by an RFC function module, and written into the SAP user store. Since RFCs in SAP can be secured using SNC, and AD uses Kerberos, it would be good/easy to use Kerberos to secure the session between the DC and SAP ABAP when passing the password over the network. Then the J2EE engine can be configured to use ABAP as the user store via UME. The end result is that Active Directory can be used to authenticate to SAP, and if AD is not available, or the wide area network is not available, the ABAP/UME password can be used locally.

One issue worth considering is what happens when there is no network connection from the domain controller to the SAP system? The software would have to queue the request so that when the network connection is back, the password change is pushed to the SAP system, and then the two password stores will be in sync at all times. Without this queuing system there is a chance the passwords will get out of sync.

Obviously, there is a lot of work to do in order to make this work, especially if you want it to work securely and reliably. However, it has some possibilities.

Take care,

Tim
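The design sketched in the two posts above (a hook on the domain controller, a secured push into the SAP user store, queuing while the WAN is down, and the local store taking over when AD is unreachable), worked through as an added example. This is not code from this thread, from SAP NetWeaver IdM or from the Password Hook. It assumes things the thread does not state: the hook delivers (user, password, seq) events with a per-user sequence number, the SNC/Kerberos-protected RFC link is modelled as a simple up/down flag, and the SAP side keeps only a salted PBKDF2 hash rather than the plaintext.

```python
"""Model of the sync-with-offline-fallback design discussed in the thread.
Added example; not SAP, Microsoft or Password Hook code. Assumptions (not in the
thread): change events carry a per-user sequence number; the secured DC -> SAP
link is an up/down flag; the SAP-side store holds only a salted PBKDF2 hash.
"""
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass


class DirectoryUnreachable(Exception):
    """The SAP site cannot reach the directory (WAN or DC down)."""


@dataclass(frozen=True)
class PasswordChange:
    user: str
    password: str
    seq: int  # increases with every change of this user's password on the DC


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalUserStore:
    """Stand-in for the ABAP/UME user store at the customer site."""
    def __init__(self):
        self._rec = {}  # user -> (salt, hash, seq)

    def apply(self, chg):
        """Install a change; reject stale or replayed events so a queued old
        password can never overwrite a newer one."""
        cur = self._rec.get(chg.user)
        if cur is not None and chg.seq <= cur[2]:
            return False
        salt = os.urandom(16)
        self._rec[chg.user] = (salt, _hash(chg.password, salt), chg.seq)
        return True

    def verify(self, user, password):
        cur = self._rec.get(user)
        return cur is not None and hmac.compare_digest(_hash(password, cur[0]), cur[1])


class Directory(LocalUserStore):
    """Stand-in for Active Directory: authoritative, but maybe unreachable."""
    reachable = True

    def authenticate(self, user, password):
        if not self.reachable:
            raise DirectoryUnreachable(user)
        return self.verify(user, password)


class PasswordHookRelay:
    """DC side: every change enters a durable outbox that is drained
    oldest-first over the (in the thread, SNC-protected) link to the SAP store."""
    def __init__(self, target):
        self.target = target
        self.link_up = True
        self.outbox = deque()

    def on_password_change(self, chg):
        self.outbox.append(chg)
        return self.flush()

    def flush(self):
        """Push queued changes in order while the link is up; return how many
        are still pending (0 means both stores are in sync again)."""
        while self.outbox and self.link_up:
            self.target.apply(self.outbox.popleft())
        return len(self.outbox)


def login(directory, local, user, password):
    """Directory first; the local store only when the directory is unreachable.
    A wrong password at the directory is NOT a reason to fall back."""
    try:
        return directory.authenticate(user, password), "directory"
    except DirectoryUnreachable:
        return local.verify(user, password), "local"


def run_scenario():
    """Online sync, WAN outage with queued changes, local fallback, resync."""
    directory, local = Directory(), LocalUserStore()
    relay = PasswordHookRelay(local)
    out = {}
    c1, c2, c3 = (PasswordChange("rao", pw, i + 1)  # constructed sample events
                  for i, pw in enumerate(["Spring-09!", "Summer-09!", "Autumn-09!"]))
    directory.apply(c1)
    out["pending_online"] = relay.on_password_change(c1)           # 0: delivered
    out["synced_online"] = local.verify("rao", "Spring-09!")         # True
    relay.link_up = False                                            # WAN goes down
    for c in (c2, c3):
        directory.apply(c)
        out["pending_offline"] = relay.on_password_change(c)        # 2: queued
    directory.reachable = False                                      # site cut off
    out["fallback_old"] = login(directory, local, "rao", "Spring-09!")  # (True, "local")
    out["fallback_new"] = login(directory, local, "rao", "Autumn-09!")  # (False, "local")
    relay.link_up = directory.reachable = True                       # WAN back
    out["pending_after_resync"] = relay.flush()                      # 0
    out["replay_rejected"] = local.apply(c2)                         # False: seq 2 < 3
    out["final"] = login(directory, local, "rao", "Autumn-09!")      # (True, "directory")
    return out
```

Two points the scenario makes that the prose only hints at. First, the sequence-number check in `apply` is what keeps the stores from drifting: after a long outage the outbox replays in order, and a retried or duplicated event (here `c2` after `c3` has landed) is rejected instead of rolling the SAP password back. Second, the fallback is triggered only by unreachability, never by a failed directory logon; during the outage the local store still accepts the password the user had before the WAN dropped, which is exactly the stale-credential window the queue is meant to keep short.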

Former Member

Nils and Tim,

Now we are very close, and I think the Password Hook is the piece we are missing in the solution. Tim, you are right; I need to deep dive and consider security policies and the sync process when the WAN is not available.

Thanks.

Rao

tim_alsop

Rao,

I hope you find a solution that works for you.

If you need any more help on this, please don't be afraid to ask. I look forward to hearing how you get on with this.

Take care,

Tim