ADS LDAP

Gurus,
Can we connect ADS LDAP in SP11 Sneak Preview?
Please let me know what is not possible through SP11 Sneak Preview.
Thanks.
Nirmal

Hi Nirmal,
I've answered this question in the other topic from you:
ADS LDAP in SP11 Sneak Preview ?
but you can still reward points :-). I think nothing is impossible in the Sneak Preview.
Regards
Gregor

Similar Messages

  • ACS can not access ADS-LDAP starting from "DC=..."

    Hi
    I have an ACS v4.2 from which I try to access an ADS LDAP directory. When I use "CN=Users,DC=Domain,DC=com" as the baseDN for the users and the groups everything works as it should. When I change the base DN to "DC=Domain,DC=com" only, then the ACS is not able to find any users or groups. Even when trying to configure the group mappings he claims: "LDAP Server NOT reachable. Please check the configuration.". Using an LDAP browser I don't have any issues accessing the directory from the shorter baseDN.
    Is this a v4.2 related problem or a general ACS problem?
    The point is that I need to find users in different OUs, which are based directly under the domain name, so that I need to search for them starting from "DC=Domain,DC=com". I know that with "Generic LDAP" I can make several "Database Configurations" to resolve the issue with the OUs. But not with a "RSA SecurID Token and LDAP Group Mapping" setup. There it is only possible to have one LDAP group mapping configuration.
    Any input would be greatly appreciated.

    Hi
    We invested a lot of time together with TAC and development. Short answer: No, it's not solved. It was an ACS bug. But development didn't really understand the problem. We went ahead and restructured the ADS.
    The problem we had is that an LDAP directory of a Windows is not fully accessible. Even if you connect as a Domain Administrator or to the Global Catalog. :-) And that's where the ACS fails. LDAP browsers just read over the inaccessible parts of an LDAP directory and show you all the accessible part. ACS doesn't. He stops and reports the failure. You can see that clearly when sniffing the access of the ACS and the LDAP browser to the directory. Unfortunately the inaccessible part is at the beginning of the ADS LDAP directory. :-(
    Maybe they resolved the problem nowadays. Or if you have a Windows Guru who can help you in making the directory fully accessible I would be interested in the How-To.
    I wish you best luck with your issue.
    Kind regards
    Roberto

  • Incremental index for UME ADS LDAP

    Hi,
    We are currently indexing the users in the "ume" repository in order to use a "Who Is Who" type search and using Active Directory as the data source.
    The problem is that when we change an attribute in Active Directory, TREX doesn't pick up the modification when running an incremental index, only after a full reindex. This causes the attributes displayed in the search results to be not up to date. This is a problem if we want to schedule an incremental index every night, for example.
    For user resources coming from an LDAP, the property modified is missing. Therefore you have to provide an appropriate mapping from LDAP property to User property in UME configuration xml file (see note 1239132). Otherwise changes of user data won't be recognized and updated in the index.
    In order to find changes in the resources the crawler is using several properties. The default value contains "Date" which means that "Modified" property of the resource is checked.
    This property for the user resource is retrieved from the UME IUser attribute
    {com.sap.security.core.usermanagement} LAST_MODIFIED_BY
    We set this LAST_MODIFIED_BY in our XML file (dataSourceConfiguration_ads_readonly_db_mailbox_flat_with_krb5v4.xml)
    to <attribute name="LAST_MODIFIED_BY"> <physicalAttribute name="whenchanged"/></attribute>
    but the incremental index crawler still doesn't notice that a user attribute has been changed in the LDAP.
    Are we missing something?

    Hi,
    Is there any API to access the LDAP attributes? Can anyone provide the code to access the MS ADS?
    with regards,
    srinivas

  • Reg MS ADS LDAP Directory Download

    Hi all,
    I want to configure my UME to an LDAP and look whether it's working fine.
    But I don't have any available LDAP directories.
    Please provide me the sites to download a free version of LDAP.
    I am looking for the LDAP of MS ADS.
    Please provide me your valuable inputs on this.
    Thanks & regards,
    Lokesh

    Hi GLM,
    Thanks for your quick response.
    If it is not possible,
    any other downloads like iPlanet, Novell etc.?
    What my intention is, is to have an LDAP other than UME.
    If you have any idea about installing software regarding LDAP,
    please provide me that.
    Thanks & regards,
    Lokesh

  • Configuring LDAP for WEBASJAVA  with Windows ADS LDAP

    Dear All,
    I have installed Windows ADS with Windows LDAP on a server and WebAS Java on another server. How to configure UME of WebAS Java to connect with Windows ADS? How to do the LDAP integration?
    Please guide me.
    Regards
    Arun

    Hi,
    I installed WebAS Java NW04 SP 20. During LDAP config with Microsoft ADS, the test connection works, but if I try the Authentication test it says authentication failed, no user found (I tried the Administrator user). After I restarted, I'm now able to see all the ADS users, but the Authentication failed error is still there.
    Thanks and Regards
    Arun

  • ADS LDAP in SP11 Sneak Preview ?

    Dear Portal Gurus,
    Can we attach Microsoft ADS to SP11 Sneak preview.
    Appreciate your help.
    Thanks.
    Nirmal

    Hi Nirmal,
    I think you can. Logon as Administrator and navigate to System Administration -> System Configuration -> UM Configuration and set up MS AD as a Data source.
    Regards
    Gregor

  • Initial Load of LDAP Groups

    I am running an initial load from LDAP using the template job.
    The users have been successfully loaded into the Id store table but the group read pass does not do anything.
    What should the source and destination tabs look like for the Read groups pass.
    Thanks
    S.

    Hi
    In my case the InitialLoad-Jobs for ADS/LDAP had some information missing in the pass "ReadGroupOfUniqueNamesFromLdap".
    In the Source-Tab the LDAP URL should look like this:
    LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
    For that you should create additional repository-constants "LDAP_FILTER_GROUPS" and "LDAP_STARTING_POINT_GROUPS" which look like this in my case:
    LDAP_FILTER_GROUPS=(objectclass=group)
    LDAP_STARTING_POINT_GROUPS=ou=groups,ou=idm,dc=example,dc=com
    I didn't change anything at the Destination-tab.
    Hope this helps...

  • R/3 users Authentication to LDAP?

    Hello,
    I have configured the LDAP Connector using Tx LDAP from R/3 4.7 running on AIX Server to MS-ADS LDAP Server.
    After making all the settings I have run the report RSLDAPSYNC_USER for synchronizing the users between R/3 and LDAP.
    Then the users available in LDAP are getting updated and created in R/3, but the users in R/3 are not getting created. It's giving "LDAP_CREATE Failed, Restriction Violated". For this I have posted in the previous thread.
    I want to know some of my assumptions are correct / wrong.
    1. If we do all these settings, when the User try to login he will be authenticated to LDAP?
    2. In MS-ADS the password length is more than 8 char we can have, but in SAP its 8 char, do we need to increase this field length.
    3. Or if the user changes the password in MS-ADS, do we need to run the synchronization again.
    4. We are assuming that if the LDAP configuration is finished then the users are not required to maintain or change their passwords in R/3 instead they can use the MS-ADS password and changes also in MS-ADS. Is this assumption right?
    Please suggest.
    I am still investigating the sync from R/3 to LDAP.
    The user available in LDAP is created in R/3 but there is no password allocated for him. Do I need to mention the password attribute also in the mapping? If so, can anyone please let me know the attribute and the corresponding field of R/3.
    Thanks & Regards
    Sumanth

    Hi Prakas,
    I Logged the OSS Message for Checking the Issues of Authentication to LDAP from SAP R/3.
    Please find the Below Clarifications and SAP Replies along with the SAP Notes.
    Questions Posted in OSS Message:
    We need to get confirmation: is this LDAP for authenticating like EP or only for having the sync data between both systems?
    Secondly, when the users are getting created in Active Directory, they are in deactivated mode. To make them automatically active, do we need to set any settings in R/3 or the directory? For this we searched the Notes and documentation, but could not succeed.
    Please suggest. Our main concern is: can we achieve the authentication from LDAP as in EP -> LDAP in this R/3 or not? The users are expecting to do authentication, instead of maintaining the passwords at different places.
    Replies from SAP
    - login in this manner is not possible, see note 603208
    - syncing the password is also not possible.
    - in general, please read note 448360 about features provided in the LDAP area.
    0000448360  Requests in the LDAP environment (directory integration) 
    0000603208  Passwords during the LDAP user master synchronization 
    But I think we can achieve authentication in another way, NTLM authentication. For this you need to do SAP GUI client maintenance also.
    I am collecting more details in this area. Once I get all the info and the procedure I will update you.
    Regards
    Sumanth

  • Configuring more than one LDAP as data source

    Hi Portal Gurus,
    We have a requirement to configure MS ADS LDAP -> DEEP HIERARCHY & Sun One LDAP -> FLAT HIERARCHY as portal data sources. We have already configured MS ADS LDAP.
    Does anybody have experience with merging these 2 LDAPs as a data source?
    We tried to configure the 2nd LDAP merge with the server parameters below, as per the reference
    "Configuration of More Than One LDAP Data Source" http://help.sap.com/saphelp_nw04/helpdata/en/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm,
    but we did not succeed.
    Server parameters:
    Server:  xxxx:23xx
    LDAP Search root:  dv=hub, o=vds
    Connection ID:  cn=Directory Manager
    password: xxxxx
    We don't have a user path or group path for the above 2nd LDAP.
    Can anybody help with this?
    Regards
    Tag

    Tag,
    It sounds like this issue might be related to the fact that your second LDAP connection is to Sun One. Maybe one of these links will help
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/aa/8f10f1e2bae346bef2853aa0f88f4c/frameset.htm
    or
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/frameset.htm
    Regards,
    Keith

  • LDAP in SP11 Sneak Preview

    Portal Champs,
    Can we configure ADS LDAP with EP SP11 Sneak preview.
    I installed ADS myself (have no prior exp. on ADS). If we can configure SP11 Sneak Preview, please let me know how I can get the user and group path. Currently I have a folder called Users (as in standard ADS) which has all the groups and users. Do I need to create any folder etc.?
    Would appreciate your help.
    Thanks.
    Nirmal

    A handy way to read path info is to download some freeware LDAP reader, i.e. Softerra LDAP Browser.
    Once set up you can select IDs, groups etc. and view properties to see the path info you'd use in EP to connect etc.
    http://www.ldapbrowser.com/download/index.php?PHPSESSID=0ecd1818db69fcbaa48e3013437db0e2
    Setup.
      File\new profile
      General Tab.
         name
         host: corp.dn?.dn.com
         port: 389  protocol 3
         base  DC=dn?,DC=dc,DC=com
      Credentials tab
         userDN:Directory [email protected]?.dn.com
      or userDN:cn=Directory Manager
         password: *****
      check 'save pwd' and apply.
    this should connect you to the LDAP and let you see the path info etc.
    you can point EP(um config) to the root of the LDAP for users & groups to see all unless you want to only see a portion then point to the specific OU or group etc.
    hope this helps.
    regards
    Andrew

  • Configuring one LDAP domain with two OU (one RO, another RW)

    Hi Team,
    My client is implementing NW 7.0 Enterprise Portal on SP14, AIX 5.3 & Oracle 10.2.0.4.
    We're using MS-ADS LDAP as an UME data source. The client wishes to configure UME for one single ADS LDAP (domain) with two OU (NOT domains) such that:
        1. One OU has read only access
        2. Second OU has read/write access
    Following is an illustration of the LDAP tree structure:
    CORP_DOM
    -- INT_USERS    (CN=IntUsers, DC=CORP_DOM, DC=NET) - read-only
    -- INT_GROUPS  (CN=IntUsers, DC=CORP_DOM, DC=NET) - read-only
    -- EXT_USERS    (CN=ExtUsers, DC=CORP_DOM, DC=NET) - read/write
    -- EXT_GROUPS  (CN=ExtGrp, DC=CORP_DOM, DC=NET) - read/write
       |-- SAccounts
       |--
       |--
    Note the single LDAP domain, multiple user and group paths with different access privileges.
    Based on what I've read so far, this does not seem feasible as the datasource configuration file has to have unique datasource id and the private section allows only one tag for user path and group path.
    I checked OSS, SDN but could only find information on configuring multiple domain/LDAP and not one LDAP domain but two OU/CN.
    Kindly let me know if anyone has come across or done such a configuration.
    Thanks.

    Hi GLM,
    You are right, access permissions to the OU are given to the service account used to access the directory from the portal.
    The issue I have is not about granting permissions - it's more about whether it is possible at all to configure UME for one single ADS LDAP (domain) containing two OU (NOT domains). I'd need to access the directory with two different service users having different access privileges.
    I don't see how it can be done, since the datasource id in the portal datasource configuration file has to be same as the domain and the private section allows only one tag for user path and group path.
    Thanks.

  • WIA (ADS) and UME

    Hi All
    We are trying to implement Windows Integrated Authentication (ADS) for employees with a domain logon, and a regular portal username/password logon for persons without a domain logon.
    I specify a non-ADS data source for the UME. The LDAP structure of this non-ADS is not the same as ADS LDAP structure. Would this cause a problem? If yes, can this be overcome in any way?
    Thanks
    Oj

    Hi OJ,
    this will be one method to follow:
    Windows Integrated Authentication via Kerberos on an LDAP data source
    Meanwhile I will try to find more for you.
    ravindra

  • Pl help me to create User DN for ADS

    Hi,
    I'm pretty new to ADS/LDAP.
    I wanted to know how I can create a UserDN.
    This is the information I have:
    server name:tkfsdcdvad1
    Domain name:dev-mizro-sc
    active directory:dev-mizro-sc.net
    user name: onwards
    Password: welcome
    and my user names are created under the default users folder.
    I create my user DN as
    "cn=onward,cn=users,dc=tkfsdcdvad1,dc=dev-mizro-sc,dc=net"
    but I'm getting an authentication exception. This is the code:
    String user = "cn=onwards,cn=users,dc=tkfsdcdvad1,dc=dev-mizro-sc,dc=net";
    Hashtable env = new Hashtable();
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, user);
    env.put(Context.SECURITY_CREDENTIALS, "welcome");
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://tkfsdcdvad1.dev-mizro-sc.net:389/");
    ///env.put(Context.PROVIDER_URL, "ldap://10.104.0.10:389/");
    DirContext ctx = new InitialDirContext(env);
    System.out.println("Connected sucessfully " );
    Any suggestion on how I can get out of this problem?

    I'm pretty new to this and I'm experiencing the same problem. I want to be able to query the LDAP for the "memberOf" attribute. I now query the cn, but this is set to the full name. On my web application all I have is the userid or sAMAccount name. Is there a way to query not for the sAMAccount name not knowing the full name in order to retrieve that "memberOf" attribute?
    This is part of my code:
    // Define username and password (hard-wired in this example)
    public int RetrieveLDAPAttributes() {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "CN=Administrator,CN=Users,DC=ITSSINC,DC=com");
        env.put(Context.SECURITY_CREDENTIALS, "robin");
        env.put(Context.PROVIDER_URL, "ldap://" + LDAP_server + ":" + LDAP_serverPort + "/" + LDAP_serverBaseDN);
        try {
            DirContext ctx = new InitialDirContext(env);
            // here is where I query based upon the cn
            Attributes attrs = ctx.getAttributes("CN=" + LDAP_user);
            LDAP_userAttributeValue = attrs.get(LDAP_userAttribute).toString();
            ctx.close();
            return 0;
        } catch (Exception z) {
            System.err.println(z.getMessage());
            return 1;
        }
    }

    //public ArrayList GetUserAttr() {
    public String GetUserAttr() {
        return LDAP_userAttributeValue;
    }
    Please Help
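
As an added example (not code from either poster), one way to read `memberOf` for a user known only by sAMAccountName, using the same JNDI API as the two posts above: the base DN is built from the DNS domain name alone, the login name is escaped per RFC 4515 before it enters the search filter, and the referrals Active Directory returns for a search from the domain root are tolerated. The class name, the `LDAP_URL`, `LDAP_BIND_USER` and `LDAP_BIND_PASSWORD` environment variables and the sample login are assumptions.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.*;
import javax.naming.directory.*;

public class AdMemberOfLookup {
    // The AD domain naming context mirrors the DNS domain name only; the
    // domain controller's host name is not one of the DC= components.
    static String baseDnFromDomain(String dnsDomain) {
        StringBuilder dn = new StringBuilder();
        for (String label : dnsDomain.split("\\.")) {
            if (dn.length() > 0) dn.append(',');
            dn.append("DC=").append(label);
        }
        return dn.toString();
    }

    // RFC 4515 escaping, so a login name taken from a web form is matched
    // literally and cannot change the structure of the search filter.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder();
        for (char c : value.toCharArray()) {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0') out.append(String.format("\\%02x", (int) c));
            else out.append(c);
        }
        return out.toString();
    }

    // Subtree search by sAMAccountName; returns the group DNs listed in memberOf.
    static List<String> memberOf(DirContext ctx, String baseDn, String login) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"memberOf"});
        String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(login) + "))";
        List<String> groups = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
        try {
            while (results.hasMore()) {
                Attribute attr = results.next().getAttributes().get("memberOf");
                for (int i = 0; attr != null && i < attr.size(); i++) groups.add(String.valueOf(attr.get(i)));
            }
        } catch (PartialResultException e) {
            // A search from the domain root can end with referrals to other
            // partitions; when they are not followed, JNDI reports them here.
        } finally {
            results.close();
        }
        return groups;
    }

    public static void main(String[] args) throws NamingException {
        String baseDn = baseDnFromDomain("dev-mizro-sc.net"); // domain name from the post
        System.out.println(baseDn + "  " + escapeFilterValue("jdoe)(cn=*")); // constructed input
        String url = System.getenv("LDAP_URL"); // assumed variable; use an ldaps:// URL
        String user = System.getenv("LDAP_BIND_USER"); // assumed; e.g. the UPN user@domain
        String password = System.getenv("LDAP_BIND_PASSWORD"); // assumed variable
        if (url == null || user == null || password == null || args.length == 0) return; // offline demo only
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = new InitialDirContext(env);
        try { System.out.println(memberOf(ctx, baseDn, args[0])); } finally { ctx.close(); }
    }
}
```

JNDI's `search(name, filterExpr, filterArgs, controls)` overload with `{0}` placeholders applies the same escaping to string arguments and can replace the hand-written helper.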

  • SSL Connectivity to LDAP

    Hi gurus,
    I am using Netweaver CE Portal. I am supposed to connect to Microsoft ADS LDAP with read write access which needs mandatory SSL encryption. Can anyone suggest me how can I download the trusted SSL certificate from LDAP server. Also, Netweaver CE portal has no Visual Admin. Please let me know an alternative where I can put this certificate in the engine.
    Helpful answers would be awarded!
    Regards,
    Pawan.

    Hi,
    Check this to know how to import the root certificate of the LDAP directory:
    http://help.sap.com/saphelp_nwce10/helpdata/en/fa/dc74a374ec4b91a9e8eb84966d3329/frameset.htm
    http://help.sap.com/saphelp_nwce10/helpdata/en/7d/77fa735e5f47a2a50b5336fd1b5a61/frameset.htm
    Regards,
    Praveen Gudapati

  • Questions on user security etc

    Hello, we are getting ready to implement an SOA strategy within our company and have decided to use XI as the interface to SAP from any other system.  We have some (I have) questions on what some of the different approaches are for security. If anyone could help me with the following info (I have searched and searched and just not clear)
    So before reading the scenarios, here is the main thing I am trying to accomplish. Have webservices that take in a userID and password that is not stored in XI but on our LDAP server (like we have in the portal) and pass this to the back end, ensuring the user has rights to do the desired function in SAP. We want every user ID so we can track if someone creates a purchase request etc. (instead of setting up a system ID, for audit purposes). So with that background I have the following scenarios:
    Scenario 1: Have a single sign on like the portal, so the user signs on with their normal account and XI accepts and forwards the request (this would mainly be a webservice) (I have seen some single sign on documentation but am curious if it works in XI as it does in the portal)
    Scenario 2: Same as one, but use ADS/LDAP as our authentication engine.
    Scenario 3: Have userid put in, but no authentication is done on the front end but user is authenticated against the sap system and if allowed rfc/proxy is executed otherwise error message unauth is returned.
    Scenario 4: Is the propagate principle mainly just to ensure the user has all rights to run all calls within internal XI procedures and wouldn't really apply to just ensuring user has rights in the backend?
    I am sorry for the long question, I do reward points and I am just trying to get started on the right path with XI
    Cheers
    Devlin

    Hi,
    For your above concern XI has provided the feature of Principal Propagation with SSO, i.e. Single Sign-On.
    refer
    Principal Propagation in SAP XI
    /people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/808d3048-638c-2a10-35a6-faa48e50ad59
    /people/sap.user72/blog/2004/11/30/user-mapping-based-single-sign-on
    http://help.sap.com/saphelp_nw04/helpdata/en/32/1c1041a0f6f16fe10000000a1550b0/frameset.htm
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/69d95112-0d01-0010-8297-fa31feea26e0
    also you could provide SSL Configuration across the firewall
    You need to setup SSL layer for HTTPS endpoint.
    Possible HTTP security levels are (in ascending order):
    HTTP without SSL
    HTTP with SSL (= HTTPS), but without client authentication
    HTTP with SSL (= HTTPS) and with client authentication
    HTTPS comes in two flavors, both ensuring the confidentiality of data sent over the network
    Thanks
    Swarup
