UME+LDAP issue

Hi SDN Gurus,
Here is my problem. I have set up UME to use ADS as backend. Now I have enabled SSL on ADS and I am able to write data into ADS, like creating users, groups etc., on port 636. I have 2 problems now:
1) The connection to the LDAP times out. I am able to view the contents for some time, but if I don't work (idle state) for a few minutes, the connection to LDAP gets reset and I am able to neither view data nor write data. But I am able to write and view data from the UME database. I feel this is something to do with the session time-out between the UME and the ADS. Please let me know what needs to be done. I have already increased the session time in configtool for LDAP and also in the visualadmin, but the effort has gone in vain.
2) I am not able to log in with the users created in LDAP into the UME. But I am able to log in with the UME users.
My config details:
LDAP:ADS
datasourceconfig file: dataSourceConfiguration_write.xml
Port: 636 (SSL enabled, verified with the ldp tool)
Please help me to solve these 2 issues

Hi--
Also, this problem does not persist with the non-SSL port. I saw the server log and found this:
          #1.5 #0013724C15D600770000001F000012CC00044A925CC04A08#1207892388617#/System/Server/WebRequests#sap.com/tcwddispwda#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#Guest#0##n/a##b3024f90078911dd859c0013724c15d6#SAPEngine_Application_Thread[impl:3]_33##0#0#Error#1#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#Plain###application [webdynpro/dispatcher] Processing HTTP request to servlet [dispatcher] finished with error.
The error is: java.lang.NullPointerException: null
Exception id: [0013724C15D600770000001E000012CC00044A925CC04705]#
#1.5 #0013724C15D6007700000022000012CC00044A925CC0A8CB#1207892388632#/System/Server/WebRequests#sap.com/tcwddispwda#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#Guest#0##n/a##b3024f90078911dd859c0013724c15d6#SAPEngine_Application_Thread[impl:3]_33##0#0#Error#1#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#Plain###application [webdynpro/dispatcher] Cannot send an HTTP error response [500 Application error occurred during request processing. (details: java.lang.NullPointerException: null)].
The error is: com.sap.engine.services.servlets_jsp.server.exceptions.WebIOException: An attempt to write after the stream had been closed.
Exception id: [0013724C15D6007700000021000012CC00044A925CC0A70B]#

Similar Messages

  • UME LDAP configuration XML file

    Dear Experts-
    I am configuring multiple LDAP as UME for EP 7.0 EHP2. I am following the document below.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/8036faa9-3d95-2c10-e596-c7c97082f07e?QuickLink=index&overridelayout=true
    It mentions the XML file to be downloaded is the dataSourceConfiguration_multiLDAP_db.xml file, but there is no such file. Can you please let me know where I can find this?
    The only ones I see are.
    Microsoft ADS readonly , deep and flat
    Microsoft ADS Deep & flat
    Novell LDAP Read only flat and deep
    Novell LDAP flat & deep
    DatasourceConfiguration_simens_deep_readonly_db
    Siemens LDAP servers Read flat & deep
    Just to let you know, we are using MS ADS flat. Please let me know which file I can choose to put the second LDAP data source.
    Thanks,
    John

    John,
    There is no such file (dataSourceConfiguration_multiLDAP_db.xml) delivered for configuring multiple LDAP data sources.
    You will need to download dataSourceConfiguration_ads_readonly_db.xml and modify as per your needs and upload it with your own custom name.
    1. Open the dataSourceConfiguration_ads_readonly_db.xml file using a text
    editor (other than Notepad) and locate the <dataSource.../> section for the “CORP_LDAP”.
    2. For each additional LDAP server, paste the copy into the document after the original
    </dataSource…> ending tag for the CORP_LDAP source. Change the name of the data source for
    the pasted copy to “CORP_LDAP_X” or some other value. This value becomes a data source identifier
    for UME and prefixes the principal IDs.
    For each LDAP data source, locate the <privateSection…> within the <dataSource…> tag and
    enter the following lines if they are not present:
    <ume.ldap.access.server_name>SERVER_HOSTNAME</ume.ldap.access.server_name>
    <ume.ldap.access.server_port>SERVER_PORT</ume.ldap.access.server_port>
    <ume.ldap.access.user>DS_USER_NAME</ume.ldap.access.user>
    <ume.ldap.access.password>DS_PASSWORD</ume.ldap.access.password>
    <ume.ldap.access.base_path.user>USER_ROOT_IN_DS</ume.ldap.access.base_path.user>
    <ume.ldap.access.base_path.grup>GROUP_ROOT_IN_DS</ume.ldap.access.base_path.grup>
    Save this file with your custom name and upload it.
    Thanks,
    Shanti
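
Added example (not part of the thread and not SAP-delivered code): the copy-and-rename procedure from the answer above, scripted in Python, with a check that every LDAP data source carries the six listed properties and that the new name is unique. The sample XML is constructed and heavily simplified, the `id` attribute as the carrier of the data source name is an assumption, and the function names are hypothetical.

```python
import copy
import xml.etree.ElementTree as ET

# The six <privateSection> properties listed in the answer above.
REQUIRED = (
    "ume.ldap.access.server_name",
    "ume.ldap.access.server_port",
    "ume.ldap.access.user",
    "ume.ldap.access.password",
    "ume.ldap.access.base_path.user",
    "ume.ldap.access.base_path.grup",
)

# Constructed, heavily simplified sample. Assumption: the data source name
# is carried in an "id" attribute; a delivered file has many more sections.
SAMPLE = """<dataSources>
  <dataSource id="PRIVATE_DATASOURCE">
    <privateSection/>
  </dataSource>
  <dataSource id="CORP_LDAP">
    <privateSection>
      <ume.ldap.access.server_name>dc1.example.test</ume.ldap.access.server_name>
      <ume.ldap.access.server_port>636</ume.ldap.access.server_port>
    </privateSection>
  </dataSource>
</dataSources>"""


def source_ids(xml_text):
    """Return the data source names in document order."""
    return [ds.get("id") for ds in ET.fromstring(xml_text).iter("dataSource")]


def add_ldap_source(xml_text, template_id, new_id, props):
    """Copy data source `template_id`, rename the copy and set its properties."""
    root = ET.fromstring(xml_text)
    children = list(root)
    ids = [c.get("id") for c in children]
    if template_id not in ids:
        raise ValueError("no data source named %r" % template_id)
    if new_id in ids:
        # The name prefixes principal IDs, so it must stay unique.
        raise ValueError("data source %r already exists" % new_id)
    unknown = sorted(set(props) - set(REQUIRED))
    if unknown:
        raise ValueError("unexpected properties: %s" % ", ".join(unknown))

    pos = ids.index(template_id)
    clone = copy.deepcopy(children[pos])
    clone.set("id", new_id)
    private = clone.find("privateSection")
    if private is None:
        private = ET.SubElement(clone, "privateSection")
    existing = {child.tag: child for child in private}
    for name, value in props.items():
        node = existing.get(name)
        if node is None:
            node = ET.SubElement(private, name)
        node.text = value
    root.insert(pos + 1, clone)  # directly after the original's closing tag
    return ET.tostring(root, encoding="unicode")


def missing_props(xml_text):
    """Map each LDAP data source to the required properties it lacks.

    A data source counts as LDAP here if it has any ume.ldap.access.* entry.
    """
    report = {}
    for ds in ET.fromstring(xml_text).iter("dataSource"):
        tags = {el.tag for el in ds.iter() if el.tag.startswith("ume.ldap.access.")}
        if tags:
            report[ds.get("id")] = sorted(set(REQUIRED) - tags)
    return report


if __name__ == "__main__":
    # Placeholder values from the answer; supply real ones at run time.
    values = dict(zip(REQUIRED, ("SERVER_HOSTNAME", "636", "DS_USER_NAME",
                                 "DS_PASSWORD", "USER_ROOT_IN_DS", "GROUP_ROOT_IN_DS")))
    merged = add_ldap_source(SAMPLE, "CORP_LDAP", "CORP_LDAP_2", values)
    print(source_ids(merged))
    print(missing_props(merged))
```

Running `missing_props` on the file before upload shows which copied data sources still lack one of the listed entries.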

  • SAP LDAP Connector / UME LDAP and Global Site Selector (GSS)

    Hi,
    I'm wondering if SAP LDAP Connector / UME LDAP will work with Global Site Selector service, such as  CISCO GSS 4400 Series, so that GSS can provide load-balancing for LDAP access.
    If it works, is there a specific configuration on the SAP side?
    Thanks in advance.
    -denny-

    Hey Denny,
      Wondering if you ever sorted this out. I'm trying the same thing right now and UME is failing (and portal won't start) when I use the FQDN of the GSS. Behavior is strikingly similar to using the FQDN of the Active Directory domain. The only way I found to use AD as an LDAP source is to list individual DCs in the UME config. I'm hoping to use GSS instead.
    -Kevin

  • LDAP issue after upgrading to SP15 from SP7 for CUP 5.3

    Hello,
    We have recently upgraded our Sandbox from SP7 to SP15 on GRC 5.3 and are now having issues authenticating users using LDAP.
    The connections and settings are exactly the same as our Dev system, which is on SP7, and the connection also says successful, but when we go to the request page and type in an ID it says invalid credentials.
    Am I missing something, or is there a special procedure after the upgrade?
    Thanks
    Uday

    Hello Frank,
    Thanks for the reply. I forgot to do it and, as you said, once I performed those steps it actually solved my password reset link issues, as it was erroring out with a 500 error and now it is working fine.
    But to fix LDAP issue SAP has a note which says after SP13 we don't need to fill in the user path field while creating LDAP connector.
    Thanks
    Uday

  • Guide me how to automate UME LDAP Configuration

    Hello colleagues,
    I am not sure if this is the right place for putting my question.
    We wanted to automate 'UME LDAP Configuration with Microsoft AD', because we have nearly 25 portals and they have to be refreshed every 3 months from different systems. Instead of configuring UME every time, we wanted to automate it such that it can be done by one click for each portal.
    I am not aware, if it can be done through Webdynpro or Java API.
    Please let me know in which way we can achieve this functionality. If it is in Java then please let me know how to access UME APIs. Moreover Configtool will not save its data at O.S level, it stores in DB.
    Please guide me on achieving this.
    Regards,
    kasi

    Hi Nivas,
    thank you very much for your answer.
    Could you please let me know any APIs to use these functions?
    I googled and found APIs for user management (creating, deleting, etc.) only.
    I could not find any APIs for LDAP settings in Configtool.
    I wanted to set these values (which are specified in the above link) from outside.
    Regards,
    venkat
    Edited by: Venkata Kasi G on Mar 2, 2012 2:41 PM

  • UME LDAP Data - XML file not appearing

    Hi,
    I have configured the readonly ADS with DB for the user authentication. Now I want to restore back to the default datasource configuration (dataSourceConfiguration_database_only.xml). But in the dropdown box in the Configtool >> UME LDAP data under the "Directory Security" tab, I am not able to see the config XML file for the DB only. I tried uploading the file, but it's saying the file already exists. After this I tried deleting the files from cluster_data\server\persistent\com.sap.security.core.ume.service and then uploaded the XML file. Still this is not appearing in the list of datasources available.
    Can you please let me know how shall I revert the Datasouce to DB only?
    Regards,
    Debasis

    Hi,
      Go to ConfigTool -> Global Server Configuration -> Services -> com.sap.security.core.ume.service.
    You can change the value of ume.persistence.data_source_configuration to dataSourceConfiguration_database_only.xml.
    Regards,
    Siva
    P.S: Award points if you find this useful.

  • "Calculated UME LDAP id is null" error received during runtime.

    Hello All,
    I am new to this community and this is my first post.
    Therefore please pardon me for providing inadequate explanation/resources while mentioning my problem.
    I am trying to build a SOAP webservice in SAP NetWeaver Developer Studio 7.3. This webservice will be used for integration between SAP user management  (AS Java)  with Dell's Quest Identity Management (Q1IM).
    The webservice will be used for
    Fetching
    -> All UME Users
    -> All UME Groups
    -> All UME Roles
    Add/Delete
    -> User to/from Group
    -> User to/from Role
    Change
    -> User Account Details
    The current scenario is the webservice built in Java is ready and all the functional components are working fine during runtime except for one and that is when I try to retrieve all the UME Users.
    Below mentioned piece of code is for getAllUser function
    public SAPUser[] getAllUsers() throws UMException {
        IUserFactory userFactory = UMFactory.getUserFactory();
        IUserSearchFilter searchFilter = userFactory.getUserSearchFilter();
        // Wildcard search on the display name to match every user.
        searchFilter.setDisplayName("*", ISearchAttribute.LIKE_OPERATOR, false);
        ISearchResult searchResult = userFactory.searchUsers(searchFilter);
        ArrayList<SAPUser> ar = new ArrayList<SAPUser>();
        while (searchResult.hasNext()) {
            String uniqueid = searchResult.next().toString();
            // Keep only unique IDs that start with the PRIVATE_DATASOURCE prefix.
            if (uniqueid.startsWith("USER.PRIVATE_DATASOURCE.un")) {
                IUser user = userFactory.getUser(uniqueid);
                IUserAccount[] userAcc = user.getUserAccounts();
                for (int i = 0; i < userAcc.length; i++) {
                    ar.add(new SAPUser(userAcc[i]));
                }
            }
        }
        SAPUser[] users = new SAPUser[ar.size()];
        return ar.toArray(users);
    }
    Similar logic has been used for Groups and Roles and they are working fine.
    During runtime it gives following error
    Web service returned error. Fault Code: "(http://schemas.xmlsoap.org/soap/envelope/)Server" Fault String: "Calculated UME LDAP id is null"
    (Screenshot has also been attached)
    I tried searching for a solution on internet and specially on SAP SCN but couldn't come across any suitable option.
    Thereby my request to member-experts of this forum to please look into my matter mentioned above and provide some appropriate solution for it.
    Thanks in advance.
    Regards,
    Tanuj Jaitly

    Hi Soumya,
    Thanks for the valuable suggestion.
    Now I have another situation and this I would like to share with you and other experts in this forum.
    Apart from above scenario I was trying to fetch all the LDAP users as well, but due to large number of employees in my organization I received Connection Time Out. We thus changed our requirement.
    We now want to display those LDAP users which have UME roles and groups associated with their accounts. In other words LDAP users who can login to SAP Java portal to access their roles and groups.
    From UME API as getLastSuccessfulLogonDate()  and getPreviousSuccessfulLogonDate() are already deprecated I am unable to find any concrete solution.
    Request to please help. Thanks in advance.
    Tanuj Jaitly

  • Ume + LDAP ADS lock users

    I'm working with EP6 SP12 with UME connected to an LDAP Microsoft ADS in read-write mode.
    I have set the attribute "ume.logon.security_policy.lock_after_invalid_attempts=5" and when a user fails to login with wrong password 5 times it's locked.
    The issue is that a user is locked both in UME and in LDAP. Is it right? If yes, how can I unlock a user in UME and in LDAP too? When I unlock the user from UME it works fine from the UME side, but it remains locked in LDAP. As a result this user is not able to log in to the portal.
    Thanks a lot in advance.
    Tiziano

    I came across the same issue with my setup.
    I authenticate off of database + MS ADS read only. If a user locks themselves out, we have to unlock in portal and ADS.
    There is the option in the UME for read-write to ADS for users to be able to change passwords in the portal and have it replicate out to ADS. If you went that way I would do SSL for LDAP and opening port 626 on your firewall as well.
    We do not have employees using our portal as their only means of getting to the network, so I do not allow them to change passwords via the portal. I am sure that it would be safe, but the thought of opening up something else on the firewall scares me.

  • DNS/LDAP Issue for Trusted Domain

    Hi
    I'm trying to configure  Configuration Manager 2012 R2 Forest Discovery to a trusted domain.
    Objects from the trusted domain (users/computers) show up in the Collections, but when I check under Administration\Active Directory Forests I can see Discovery Status "Failed to connect using default account" and Publishing status "Cannot Contact LDAP Server".
    I've added the SCCM server to local admin at the trusted domain via GPO and have also created the system Management container.
    When I check the log ADForestDisc.log I get this error message:
    "Failed to connect to forest X. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted."
    I have setup Conditional Forwarders in DNS in both domains.
    I have also read other forums about this issue and should have the answer:
    "This error occurs for all of the domains that you mentioned and is typical when SRV records for DCs in those remote domains cannot be found. Forest discovery relies on DNS name resolution of SRV records to locate a suitable DC to communicate with."
    "The site server performing the forest discovery must be able to resolve the SRV records for the DCs or root domain of the other forest."
    We are using Windows AD integrated DNS in both domains.
    I'm not so familiar with DNS configuration, so I would appreciate it if someone could tell me more specifically how to fix this.
    Thanks in advance

    Hi
    Thank you for your answer. This issue is solved. I had missed opening some ports in the router/firewall between the LANs.
    The status under Active Directory Forests is Succeeded now, but when I check under boundaries, I can only see the "Default-First-Site-Name" site for the first domain (same LAN as CM Server) and I can only see the IP address range for that LAN.
    I don't think this is a big issue, but shouldn't the site name and address range for the other LAN (where the trusted domain is) be automatically found too during forest discovery when I've checked the options to create site and IP boundaries automatically?

  • OES11SP1 LDAP issue on a node

    Hi,
    I have a 2 node cluster that we upgraded from OES11 to OES11 SP1 at the beginning of August.
    Last week we created a new resource on the primary node (let's say NODE 1), but when we want to migrate this new resource to the other node (let's say NODE 2), the resource becomes comatose.
    On node 2 what i can see in /var/log/messages is the following
    Aug 20 16:42:17 node2 ncs-resourced: Try LDAP for POOLDATA20_SERVER
    Aug 20 16:42:17 node2 ncs-resourced: LDAP failed: <class 'ldap.SERVER_DOWN'>
    Aug 20 16:42:53 node2 ncs-resourced: Error preprocessing script POOLDATA20_SERVER.load
    Aug 20 16:42:53 node2 ncs-resourced: POOLDATA20_SERVER.load: CRM: Tue Aug 20 16:42:53 2013
    Aug 20 16:42:53 node2 ncs-resourced: POOLDATA20_SERVER.load: /bin/sh: /var/run/ncs/POOLDATA20_SERVER.load: No such file or directory
    Aug 20 16:42:53 node2 ncs-resourced: resourceMonitor: POOLDATA20_SERVER load status=127
    Aug 20 16:42:54 node2 ncs-resourced: Error preprocessing script POOLDATA20_SERVER.unload
    Aug 20 16:42:54 node2 ncs-resourced: POOLDATA20_SERVER.unload: CRM: Tue Aug 20 16:42:54 2013
    Aug 20 16:42:54 node2 ncs-resourced: POOLDATA20_SERVER.unload: /bin/sh: /var/run/ncs/POOLDATA20_SERVER.unload: No such file or directory
    Aug 20 16:42:54 node2 ncs-resourced: resourceMonitor: POOLDATA20_SERVER unload status=127
    I tried to change the configuration using a new.conf file like it is in the documentation:
    CONFIG_NCS_CLUSTER_DN="cn=svr1_oes2_cluster.o=context"
    CONFIG_NCS_LDAP_INFO="ldaps://10.1.1.102:636,ldaps://10.1.1.101:636"
    CONFIG_NCS_ADMIN_DN="cn=admin.o=context"
    CONFIG_NCS_ADMIN_PASSWORD="password"
    As the root user, enter the following command at a command prompt:
    /opt/novell/ncs/install/ncs_install.py -l -f new.conf on node1 and on node2
    and then cluster exec "/opt/novell/ncs/bin/ncs-configd.py -init"
    I rebooted node2 but it is exactly the same.
    Any idea ?
    Stphane

    Originally Posted by changju
    Hi Stphane,
    This is the key of the failure,
    Aug 20 16:42:17 node2 ncs-resourced: LDAP failed: <class 'ldap.SERVER_DOWN'>
    Somehow, looks like the Python LDAP on node2 couldn't connect the LDAP servers (10.1.1.102:636 or 10.1.1.101:636).
    Please first make sure that LDAP is up and running on the two servers.
    Please check file "/etc/opt/novell/ncs/clstrlib.conf" to make sure that you have something like this,
    p4
    S'ldaps://10.1.1.102:636,ldaps://10.1.1.101:636'
    If not, you need to modify file "new.conf" and run command "/opt/novell/ncs/install/ncs_install.py -l -f new.conf" on node2 again.
    You can then check the result of the installation in file "/var/opt/novell/install/ncslog", or you can simply run command "/opt/novell/ncs/bin/ncs-configd.py -init" on node2 to try to pull down the latest NCS configuration.
    If "/opt/novell/ncs/bin/ncs-configd.py -init" churns out a bunch of "dos2unix" messages (and pulls down the scripts for the new resources at "/var/opt/novell/ncs"), you should be able to migrate the resource.
    Regards,
    Changju

    Thank you very much Changju.
    I was not aware of this log file; it was very helpful.
    Apparently a TLS issue for my 2 LDAP servers. I changed it to ldap instead of ldaps and it is working now.
    Strange, because I was able to connect using ldaps with an LDAP browser to the 2 nodes.
    Again, thank you
    Stphane

  • OBIEE 11g Security LDAP Issue

    Hi,
    I have an issue where certain LDAP users who were once able to log into OBI 11g now cannot.
    This has only happened for those users who I have used the proxy ('Act As') functionality on, i.e. if UserA can log in, and the Administration Acts As UserA, after an OBI restart UserA cannot log in anymore.
    I have narrowed this issue down to the presentation catalog. If I swap the current catalog with the SampleAppLite catalog for example, the problem goes away, i.e. the LDAP user (UserA in the example above) can log in fine.
    I have also noticed while accessing the catalog via catalog manager, the Administrator cannot access the 'System' folder. This is with reference to the original catalog (which causes the issue with UserA above) that was upgraded from 10g to 11g.
    Any ideas?
    Thanks.

    This is going to be almost impossible to diagnose without being logged in, in front of your application.
    As a starting point I would recommend you check the permissions on each catalog element. Go to Catalog link > Change view to 'Admin View' > Catalog Root and then use the permissions link for that item and everything below. Ticking 'Show Hidden Items' will let you see the System folders.
    Also check the privileges (Administration > Manage Privileges) as I seem to remember that the 'Act as Proxy' privilege is denied out of the box. Maybe something here is amiss.
    It might be easiest to bite the bullet and create a new web catalog from scratch!
    Paul

  • Flash Builder 4 LDAP issue on IIS 7 with Coldfusion 8

    I have a cfc that returns empty strings back into my project when I attempt an auto login through LDAP. The same files perform correctly on a different server with IIS 6. I set up a simple cfm  on the IIS 7 server and received the appropriate data. I set up a cfm on the IIS 7 server  to invoke the very same cfc that fails in the flash builder and received the appropriate data. Both servers are inside the company firewall.
    The web folder is set up as an application with windows authentication enabled, disabling and enabling the anonymous authentication seems to have no impact on any of the scenarios. I am assuming I am missing some configuration in the ColdFusion Flex integration but I am not sure what it is. Anyone have a shot in the dark on this one?
    Enable Flash Remoting support  &
    Enable Remote Adobe LiveCycle Data Management access  are both checked
    SSL connections are not being used.

    I absolutely did read the guidance notes and it was based on them that we installed.
    Quote:
    "Now that we have had an opportunity to undertake further testing with the final release of Mac OS X 10.7, we are pleased to report that there are only minor usability issues when using Flash Builder 4.5.1 on Mac OS X 10.7 and, as such, we will be updating our previous statement to confirm compatibility of these releases"
    What I am now experiencing on two different machines is what appears to be outside the scope of these notes and either a new issue that is reproducible, or a Java issue related to 10.7. Not being a Java guy I'm not sure where to begin short of trying Eclipse on its own.
    I am able to produce a crash of FB 4.5.1 by just trying to close an MXML file by clicking the close button of the tab, or by closing a project. This is on two separate machines now.

  • Same old LDAP issue

    hey folks,
    I am trying to validate a user from my LDAP db
    here are my LDAP entries..
    dn: cn=jim,o=attinfo,c=us
    objectclass: inetOrgPerson
    objectclass: ePerson
    objectclass: organizationalPerson
    objectclass: person
    objectclass: top
    cn: jim
    sn: robinson
    userpassword: {iMASK}>1e5rd9bCaqTnz9oQQSVhFYekLSoUp2vAnOWaZIKO8LfBBW1RuAJi2mvu 4dwcQ+4r5TPYQIFnQyT6QKGV4LEnQvpSLb7vckUjmt2FyrTKtVfJghCZiLvH61oXB1eEawkLFQOi cfjP2lYQYi0LdA5a4mS03I1JrdVdbF<
    uid: jim
    description::
    and here is the java code to access that..
    import javax.naming.ldap.*;
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.util.*;

    public class TestLdap2 {
        public TestLdap2() {
            try {
                DirContext ctx = null;
                Hashtable ht = new Hashtable(2);
                ht.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                // The DN in the provider URL becomes the base of the initial context.
                ht.put(Context.PROVIDER_URL, "ldap://dbipaddr:389/o=attinfo");
                ctx = new InitialDirContext(ht);
                SearchControls ctls = new SearchControls();
                ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                // The search name is resolved relative to that base.
                NamingEnumeration ne = ctx.search("o=attinfo", "(sn=robinson)", ctls);
                while (ne.hasMore()) {
                    SearchResult sr = (SearchResult) ne.next();
                    System.out.println("DN: " + sr.getName());
                    Attributes attrbs = sr.getAttributes();
                    // Print every attribute ID and each of its values.
                    for (NamingEnumeration nE = attrbs.getAll(); nE.hasMoreElements();) {
                        Attribute attr = (Attribute) nE.next();
                        String attrID = attr.getID();
                        System.out.println("ID: " + attrID);
                        for (Enumeration vals = attr.getAll(); vals.hasMoreElements();) {
                            System.out.println("Vals: " + vals.nextElement());
                        }
                    }
                }
                ctx.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        public static void main(String args[]) {
            new TestLdap2();
        }
    }
    I am getting following error..
    javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'o=attinfo'
    is it some kind of binding issue...
    any help is appreciated..
    thanx..

    Hello, it isn't necessarily a 'binding' issue -- that indicates permissions issues. The problem is that you are searching for Jim in 'o=attinfo,o=attinfo', and ignoring the root ('c=us'). The easiest way to solve the problem is to change the line:
    ht.put(Context.PROVIDER_URL, "ldap://dbipaddr:389/o=attinfo");
    To the following:
    ht.put(Context.PROVIDER_URL, "ldap://dbipaddr:389/c=us");
    Thus, your initial context will be at the root, and when you search your context will change to 'o=attinfo,c=us' which should contain your entry.
    Good luck,
    Derek

  • UME: LDAP + ABAP

    Hi,
    There are similar threads to this and I have read both thread IDs 187875 and 476229.  We have been able to customize the datasource XML file to include LDAP, ABAP and the private UME database.  The portal can be started, and we are able to logon with administrator access.  On the portal, we can even see users from all three datasources.  However, user authentication is not working for us.  At the moment, we have a USERA in LDAP and in ABAP. 
    1. Is it possible that because USERA is NOT UNIQUE in the user datasources, authentication is failing?
    2. How do we go about having USERA authenticate using LDAP but gets the ABAP roles assigned to him from ABAP?
    I will also post a follow up message with the owner of thread ID 476229.  In the meantime, any feedback would be welcomed.
    Thank You.

    Hi,
    Please note that we have verified that USERA is not able to logon because his login ID is not unique on the portal (since USERA exists in both the LDAP and ABAP datasources).
    Thank You.

  • ISE 1.3 Upgrade LDAP Issue

    We recently upgraded to 1.3 and everything seems fine except that we noticed that the Catalyst switches we use AD authentication through ISE for stopped dropping us automatically in enable mode. I did rejoin the device to AD as required post upgrade and have since unjoined and rejoined. When I run the test user option for the AD Identity store I get an error saying it's unable to fetch LDAP attributes, see attached. There is also a similar error in the syslog anytime a user logs into the switch. I went back through the syslogs and these errors were not happening until the upgrade. I am assuming this somehow correlates to my issue. Anyone else experienced this post upgrade? Thanks.

    Are you using LDAP or native AD join ?
    There are some issues with LDAP and quotes in the group names, which is not supported. I also have had issues with 1.3 and using comma and users names, so something like Doe, John. is not possible as the name of a user in AD.
    As for native AD, I have not had any issues with ISE 1.3.
