Config UME with ABAP+LDAP datasource

Hi all,
We are implementing an EP installation. We want to reuse the abap role assignment for the portal roles and we require a SSO solution based on SPNego.
Now we can implement each on it's own fine. The question is how we can connect the ume to use both abap and ldap datasource. I opened an OSS about it and they said it's possible, supported but I'm on my own when it comes to implementing it (or consulting offcourse).
Anyone had experience with this configuration or can provide me with the datasource schema file?
Thank in advance,
Eric

Try the following:
1.     Download the SPNegoWizard_645.zip (for 7.0) SPNegoWizard_640 (for 6.40)from SAP Note 994791 and unzip it.
2.     Adjust the user running the SAP system in Active Directory
3.     Copy the EAR and XML Files from the SPNegoWizard.ZIP file to a temporary directory on the server.
4.     Open up the Visual Administrator. Logon with the admin ID.
5.     SID ->Server -> Services -> Deploy
6.     Open the Config Tool. (Yes to using DB settings)
7.     Select UME LDAP Data
8.     Browse to the XML file you copied earlier. (dataSourceConfiguration_ads_readonly_db_with_krb5.xml)
Click the upload button.
9.     Select the Configuration file you just uploaded. Click OK on the Warning message.
10.     Setup the Connection details as specified below:
Server Name: xxxxxx
Server Port: xxxxxxx
User: SAPService<SID>@domain.com
Password: xxxxxx
Use UME unique id with unique LDAP attribute (checked): samaccountname
User Path: dc=<domain>,dc=com
Group Path: ou=xxxxxx,ou=xxxx,dc=xxxx,dc=xxxx
11.     Click the Test Connection button you should see:
Click Close when done.
12.     Click the Test Authentication button, enter NT user ID and NT password, and click the authenticate button and you should get a success message:
13.     Select cluster-data  Global Server Configuration  services  com.sap.security.core.ume.service
14.     Edit the ume.admin.addattrs.
Add the values: krb5principalname;kpnprefix;dn
Click the Set button.
15.     Click the Save button or File -> Apply.
16.     Close the Config tool and restart the JAVA engine.
17.     After the engine is restarted, continue on with the Kerberos configuration.
18.     Open up the SP Nego Wizard by going to the following URL: http://<server>:<port>/spnego
19.     Logon with the Administrator user ID.
20.     Select the check boxes for the u201CService user is created and configured in Active Directoryu201D and u201CUME configuration includes SPNego specific settingsu201D
Click the Next button
21.     Click the Add Kerberos Realm button and enter your domain name (e.g. company.com)
22.     For the Realm Configurationu2019s KDCs (Key Distribution Centers) put in <KDC host> and 88 for the port (the port should already be filled in.
23.     In the KPN (Kerberos Principal Name) section enter the Service User Name & Password.
Service User: SAPService<SID>
Password: xxxx
Leave LDAP Host - blank
24.     Click the Next button
25.     Select Prefix Based for the Resolution Mode and Click Next
26.     In Policy Configuration we want to create a new policy called spnego. Tick Basic password Fallback (when SSO do not work) and tick SSO with Logon Tickets. Click the Next button.
27.     Click Finish on the Confirmation screen.
28.     Close the browser and restart the engine.
29.     After the engine has finished restarting, continue with the final steps.
30.     Open up the Visual Administrator. Logon as the Administrator ID.
31.     SID  Server  Services  Security Provider
32.     Go into change mode by clicking the change button.
33.     On the Runtime tab  Policy Configurations tab  Select ticket from the Components list.
34.     On the Authentication tab for the ticket component  select Authentication Template: spnego
35.     Now go to the useradmin service (http://<server>:<port>/useradmin) to test the Kerberos SSO. You should get signed on without entering a user name or password.
You are done!

Similar Messages

UME with ABAP AS and LDAP Datasource

Hello SDN´s
We have tried very hard for the last days configuring the ume-xml for the following scenario:
-     LDAP is used to authenticate the user
-     AS ABAP is used to store the roles of the user (because they automatically becomes groups in the portal)
- the portal and the ABAP-system are on different servers
Given facts:
1)     we canu2019t synchronize the roles of the ABAP system to the LDAP
2)     we have to use the open-LDAP for the authentication
3)     DataSources are readonly
4)     User can have similar or different userid´s on the DataSources (Mapping required)
Therefore, we read the user and account information from the LDAP and groups/roles form the ABAP AS.
Result:
a)     user with similar userid on LDAP and ABAP AS: These user were no longer able to log on to the portal
b)     user with different id´s (mapped) on LDAP and ABAP: Can log on
Questions:
-     Is it true that similar userid´s leads to inherent problems of the UME Persistence Manager?
-     Did we set up a wrong config-xml?
-     Is there any other way how we could authenticate to the LDAP and having the Roles of a user read from the ABAP system dynamically?
Thank you very much for your help
Sincerely, A. Hunziker

Hi Andre,
Not sure if my remarks below can help you but I do hope that it can shine you some light.
We have LDAP as our main UME, which is configured in our Portal7.0. This means that security groups created in LDAP are "replicated" into the Portal. We created Portal Roles which are assigned to the security groups created in LDAP. We also use SSO and it was setup via the SPNego Wizard (http://help.sap.com/saphelp_nw70/helpdata/EN/45/40a0de773a7527e10000000a114a6b/frameset.htm). This way, the user only needs to login via Windows and access the Portal without having to login (when users have the same Windows userID as that of their SAP ID). If the users have a different userID between Windows and SAP, then they do a user map under personalization of the Portal.
To connect our Portal to our backend systems, we created a reference system (http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm) and we have our Portal certificates in all backend systems (http://help.sap.com/saphelp_nw70/helpdata/EN/d3/41c8efb31d11d5993800508b6b8b11/frameset.htm).
With the above, users have SSO from Windows to Portal and via the reference system, they can enjoy SSO as well into our backend systems.
Basically we have control what the users can see from the Portal (directly from LDAP security groups with users assigned to that) and what the user can do on backend is still maintain in the backend authorisation setup.
Hope that can help you.
Ray

LDAP UME for ABAP + JAVA SYSTEM

Hi,
I am using NW 7 SP 15 with both ABAP + JAVA stack. The UME is set to ABAP by default during installation.
Can we change that to LDAP datasource?
Under System Configuration -> UME Configuration -> Data Sources (TAB) -> in Data Source dropdown box -> there is only ONE option available "ABAP SYSTEM" and no other option is present.
Any suggestion?
Regards
Deb

Ups! Obviously a later change from ABAP to some other UME indeed is not supported by SAP. But this means not, that you cannot use LDAP or JAVA from the very beginning.
Did you not have the option to choose another UME data source for the Java Add-In during the installation process? (this may make sense, because the installation sequence for double stacks is always 1. ABAP stack 2. Java stack).
If not, then indeed LDAP as the primary UME data source is not supported for double stack installations.
If yes, you only have the chance to re-install your system.
In every case you can install 2 separate instances and connect them later. 1 ABAP instance with UME of course ABAP and 1 Java instance with UME LDAP or Java DB.
But before doing that and if I were you I would open a CSN at SMP and ask the software vendor ...
Regards,
Volker

Automatic upload of roles from ECC to portal (UME with LDAP)

Hi experts,
This thread reopen the question asked on the following message : automatic upload of roles from BI to portal
However, it concerns this time "UME with LDAP".
Problematic :
SAP Library 04s tells us that is not yet possible to automate role replication (or role assigment replication) from ABAP Based back-end to Netweaver Portal. Only manual process for initial upload is possible.
Source = http://help.sap.com/saphelp_nw04s/helpdata/en/41/5e4d40ecf00272e10000000a155106/frameset.htm
Questions :
1 - Did anyone ever try to implement such an automatic tool ?
2 - What if I'm not able to write on the Active Directory ? I am still able, at least, to automate role assignment replication from ABAP Based back-end to Netweaver Portal (ie. UME with LDAP) ? Directly from SAP R/3 to EP through UME, without passing through Active Directory since the group field is not maintained in AD.
Many thanks for your inputs
Alexis MARTIN

Hello,
As I did not read the previous thread I don't know what exactly you are trying to achieve, but I can tell you about what we have done - as far as it is not too late yet.
We use the portal with integration to a BI system. In the ABAP stack we have lots of roles with menu items for hundreds of reports. We want the users to see these roles in the portal.
First we have used the role migration tool of the portal to upload these roles. There is a Java API for executing role uploads from code. You need to create a webservice in the java stack to call this api, and can call the webservice from ABAP.
However it is just a question of time and role size until this will not work at all. Standard role migration is more or less crap, stability is a problem. It also creates a lot of logs in the PCD and thus fills the database with trash. (After a few OSS messages there is now a program for deleting logs + you can turn of logging.) Also upload of larger roles takes up to an hour, and you alwasy have the problem that your portal roles are not up to date during the day.
When I got completely fed up, I have implemented an own navigation connector. When you log on to the portal it will connect to the ABAP stack via RFC, load the role, and generate the portal menu from it. It uses caching, but on every logon it checks whether the role has been updated in ABAP since the last time it was loaded. It is up to date, faster then PCD navigation, and you need absoluetely no periodical synching at all. I cant even understand why this is not offered by SAP per standard!
Drawback is that it will of course only work for the menu items, and only menu items with an "URL-type" are supported. I'm prettry sure however that it would be possible to implement a few other types as well.
Let me know if you are interested in the solution, I can give you a few additional details: oliverDOTsvisztATwienerbergerDOTcom
Oliver

Export and Import of Users with ABAP datasource to target standalone EP.

Hi Friends,
My customer is having
Source System:BS2
ABAP+ JAVA --- usage type : BW, EP
datasource -- ABAP
now, they need datasource as LDAP
so i have suggested as attached SOW
1.Install New Instance BS3 with JAVA,EP,EP Core
2.Patching BS3 to SP15 level
3.Import PCD from BS2 to BS3
4.Configure SSO between BS2 and BS3
5.Configure Data source to LDAP
6.Testing the Configurations
7. Uninstall JAVA DATABASE from BS2
Target System:
Standalone JAVA-- only EP
datasource -- LDAP configured
I have completed all steps successfully from 1 to 5
In source system, 45 users are there with ABAP datasource and ABAP roles... Now how can i import those users with ABAP roles into target System ( Standalone EP)
Any Usermapping is required to configure.
Please suggest me to workaround on this.
Regards,
Venkat.

You have to do this manually. In theory you can make a specially formatted text file to create the users and assign their portal groups, but it is quicker to just add them using the useradmin tool. If you export a user from the Java useradmin tool you can see the format of the text file. I ahve written an ABAP in the past to do the text file creation, but I can't find it now

Any issues with using LDAP on LINUX for GRC 5.2 UME?

Our company is converting our LDAP servers from AIX to LINUX. The DNS name used in our UME connection should not change. Are there any issues with using LDAP on LINUX? We are currently on GRC 5.2 SP9 (in the middle of upgrading to SP12).
Also, I have been trying to connect our test UME system to a test LDAP box that has already been converted to LINUX but keep getting a 'connection failed' error when I try to test it.
Do you have to reboot the server to test changing the LDAP connections? I've been trying it by going into UME, pulling up the LDAP tab, hitting the Modify button, entering the new userid and password for test LDAP, and hitting the Test Connection button. I've verified that this userid and password is correct for test LDAP.
Is there a way to get more information about why the connection failed?
Thanks.

I've been told by our LDAP Support group that none of the other configuration settings should have to be changed. I should only have to change the id and password to connect to a test version of LDAP instead of our regular connection to the production LDAP.
Can you test a connection for a different userid/password without having to reboot/restart the server? Do I need to change these two settings, save then, reboot/restart, and then do the Test Connection button?
Thanks.

How to create user in UME when using ABAP as datasource

hi, everyone
We are using ABAP as EP user datasource, when create user in EP, it says "Current user has user creation permissions in the UME, but cannot create users in the back-end system (data source). The original and possibly untranslated message was: "No active writeable datasource found for user creation, check your Persistence Configuration."
But we can not create in UME neither, anyone know how to do this?
Lee

Hi,
Solution would be to disconnect the UME from ABAP and reboot the portal, create the user in UME, and revert back to the UME/ABAP connection again... but this is not supported:
Changing Data Source
Once you have chosen this data source configuration, you cannot change to any other data source configuration. For details, see SAP Note 718383.
Source: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/45/af3ac012d32e78e10000000a155369/frameset.htm
Ask the autorisation team of the ABAP stack that is connected to you UME to create the user for you is the only solution.
Cheers,
Benjamin

UME with LDAP

Hi Experts,
I've installed Portal sneak preview which is 7.0 SP9 in my Desktop and at the moment i'm using Web AS database is the user storage for portal.
Now wanted to change the user storage to any ldap (for windows) server and wanted to look at the working scenario.
Now ..
1. Which is the recommended LDAP server for windows, to the above scenarion
2. Can i use LDAP is the user storage for sneak preview versions.
3. Any useful documents to achieve this.
4. Please remeber i'm on Windows XP.
Please leave your valuable suggestions
Thanks,
Lokesh.

Hi,
Hi Experts,
I've installed Portal sneak preview which is 7.0 SP9 in my Desktop and at the moment i'm using Web AS database is the user storage for portal.
Now wanted to change the user storage to any ldap (for windows) server and wanted to look at the working scenario.
Now ..
1. Which is the recommended LDAP server for windows, to the above scenarion
I guess on Windows the best choice is ADS. If I get your requirement correctly you want to install a local LDAP Server on your machine correct? I don't know if it is possible to install ADS standalone on Win XP. In general you can use any LDAP Server so you should be able to get it working even with openLDAP if you are fimiliar with the LDAP protocol. I think openLDAP is not supported by SAP so maybe you should try something like SUN Directory Server (You can download a trial from the SUN Website). There is a version for Windows and it works without problems on WIN XP (I've tried a couple of times)
2. Can i use LDAP is the user storage for sneak preview versions.
I bet you can. You just have to choose the appropriate XML-File for UME Userstore that supports LDAP as UME and it should work.I've not tried with trial version but I think there are no limitations in the trial version regarding UME configuration.
3. Any useful documents to achieve this.
Check these out:
http://help.sap.com/saphelp_nw70/helpdata/EN/63/14f5b51a6eff429f2d8b2063400e82/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/48/d1d13f7fb44c21e10000000a1550b0/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/37/cfd93f130f9115e10000000a155106/frameset.htm
All you have to take care of is to choose the appropriate hierarchy supported by UME to store your user information within your directory (all this is described in the pages linked above)
4. Please remeber i'm on Windows XP.
I do
I hope this helps
Cheers

[OBPM 10gR3]How to configer a hybrid directory with Oracle LDAP Server

Hey, guys,
Does anyone have experience on configering a hybrid directory with Oracle LDAP Server? How to config the mapping conf file for Oracle LDAP in the directory of \OraBPMwlHome\conf?
Here is my conf file. But I got some LDAP mapping errors. It's really weird OBPM doesn't support Oracle's self LDAP, at least it does not provide the conf file.
-----------errors------------
Exception [javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Function Not Implemented]; remaining name '']. Reason: [LDAP: error code 53 - Function Not Implemented] fuego.directory.DirectoryRuntimeException: Exception [javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Function Not Implemented]; remaining name '']. at fuego.directory.DirectoryRuntimeException.wrapException(DirectoryRuntimeException.java:85) at fuego.directory.hybrid.ldap.JNDIQueryExecutor.select(JNDIQueryExecutor.java:203) at fuego.directory.hybrid.ldap.JNDIQueryExecutor.selectAllFromView(JNDIQueryExecutor.java:84) at fuego.directory.hybrid.ldap.JNDIQueryExecutor.selectAllFromView(JNDIQueryExecutor.java:64) at fuego.directory.hybrid.ldap.Repository.selectAllFromView(Repository.java:54) at fuego.directory.hybrid.ldap.LDAPPollingEventGenerator.buildCurrentProxies(LDAPPollingEventGenerator.java:98) at fuego.directory.provider.notifiers.BasePollingEventGenerator.generateEvents(BasePollingEventGenerator.java:41) at fuego.directory.hybrid.HybridMultipleEventGenerator.generateEvents(HybridMultipleEventGenerator.java:43) at fuego.directory.provider.notifiers.DirectoryNotifier.notifyChanges(DirectoryNotifier.java:403) at fuego.server.service.DirectoryListener.updateEngineFromDirectoryImpl(DirectoryListener.java:309) at fuego.server.service.DirectoryListener$DirectoryPollingItem.execute(DirectoryListener.java:351) at fuego.server.execution.DefaultEngineExecution$AtomicExecutionTA.runTransaction(DefaultEngineExecution.java:304) at fuego.transaction.TransactionAction.startBaseTransaction(TransactionAction.java:470) at fuego.transaction.TransactionAction.startTransaction(TransactionAction.java:551) at fuego.transaction.TransactionAction.start(TransactionAction.java:212) at fuego.server.execution.DefaultEngineExecution.executeImmediate(DefaultEngineExecution.java:123) at fuego.server.execution.DefaultEngineExecution.executeAutomaticWork(DefaultEngineExecution.java:62) at fuego.server.execution.EngineExecution.executeAutomaticWork(EngineExecution.java:42) at fuego.ejbengine.ejb.EngineStartupBean.executeItem(EngineStartupBean.java:192) at fuego.ejbengine.ejb.EngineStartupBean.updateFromDirectory(EngineStartupBean.java:172) at fuego.ejbengine.ejb.engine_startup_bpmengine_wodkyx_ELOImpl.updateFromDirectory(engine_startup_bpmengine_wodkyx_ELOImpl.java:365) at fuego.ejbengine.servlet.SchedulerServlet$DirectoryPollingTask.runImpl(SchedulerServlet.java:269) at fuego.ejbengine.servlet.SchedulerServlet$ScheduledTask.run(SchedulerServlet.java:208) at java.util.TimerThread.mainLoop(Timer.java:512) at java.util.TimerThread.run(Timer.java:462) Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Function Not Implemented]; remaining name '' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3078) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1812) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1735) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248) at fuego.jndi.FaultTolerantDirContext.search(FaultTolerantDirContext.java:867) at fuego.directory.hybrid.ldap.JNDIQueryExecutor.select(JNDIQueryExecutor.java:190) ... 23 more
-----------mapping conf file for Oracle LDAP---------
<?xml version="1.0" encoding="UTF-8"?>
<?fuego version="6.1 ALPHA" application="albpmenterprise"?>

<config>
     <object id="person">
          <object-filter>
               <![CDATA[
                    (objectclass=inetOrgPerson)
               ]]>
          </object-filter>
          <relative-dn>
               
          </relative-dn>
          <attribute id="id" value="uid"/>
          <attribute id="lastName" value="sn"/>
          <attribute id="firstName" value="givenname"/>
          <attribute id="accountLock" value="orclIsEnabled">
               <attribute-comparator operation="EQUALS" compareTo="ENABLED"/>
               <filter>
                    <![CDATA[
                         ($accountLock=ENABLED)
                    ]]>
               </filter>
          </attribute>
          <attribute id="facsimileTelephoneNumber" value="facsimileTelephoneNumber"/>
          <attribute id="displayName" value="displayName"/>
          <attribute id="mail" value="mail"/>
          <attribute id="telephoneNumber" value="telephoneNumber"/>
          <attribute id="employeeId" value="employeeNumber"/>
          <attribute id="thumbnailPhoto" value="jpegPhoto"/>
          <attribute id="manager" value="manager"/>
          <attribute id="modifyTimeStamp" value="modifytimestamp"/>
     </object>
     <object id="group">
          <object-filter>
               <![CDATA[
                    (objectclass=orclGroup)
               ]]>
          </object-filter>
          <relative-dn>
               
</relative-dn>
          <attribute id="id" value="dn"/>
          <attribute id="modifyTimeStamp" value="modifytimestamp"/>
          <attribute id="displayName" value="displayName"/>
          <attribute id="name" value="cn"/>
          <attribute id="description" value="description"/>
          <attribute id="assignedParticipants" value="uniquemember"/>
          
          <attribute id="ou" value="uniquemember"/>
     </object>
     <object id="ou">
          <object-filter>
               <![CDATA[
                    (objectclass=domain)
               ]]>
          </object-filter>
          <relative-dn>
               
</relative-dn>
          <attribute id="name" value="orclsubscriberfullname"/>
          <attribute id="description" value="description"/>
     </object>
</config>
Edited by: Lemonice on 2009-3-30 上午2:08
Edited by: Lemonice on 2009-3-30 下午7:01
Edited by: Lemonice on 2009-3-30 下午8:43

Hi,
in my case, I am trying to configure the OBPM directory using ALUI and its native LDAP service.
Now, I found that the first name and the last name in BPM are retrieved from the ALUI display name : provided we enter the display name in the format %first name% + %last name% we get them into BPM. But the display name is not always in this format...
In addition, it's the portal telephone number information which is retrieved into BPM Telephone and Fax numbers.
And, the email adress remains blank
I have installed the latest patch for OBPM (Version: 10.3.1.0.0 Build: #97172)
Would you have any documentation about creating a Profile Web Service in ALUI and specifying which LDAP attributes to map to which ALUI properties in the Profile Source ?
Thanks !
Edited by: vVince on May 6, 2009 3:46 PM

Working scenario - Portal UME with LDAP

Hi Experts,
I've installed Portal sneak preview which is 7.0 SP9 in my laptop and at the moment i'm using Web AS database is the user storage for portal.
Now wanted to change the user storage to any ldap (for windows) server and wanted to look at the working scenario.
Now ..
1. Which is the recommended LDAP server for windows, to the above scenarion
2. Can i use LDAP is the user storage for sneak preview versions.
3. Any useful documents to achieve this.
4. Please remeber i'm on Windows XP.
Please leave your valuable suggestions
Thanks
MMK

Mohan,
Here is the LDAP related documentation on the UME data source LDAP:
http://help.sap.com/saphelp_nw04s/helpdata/en/48/d1d13f7fb44c21e10000000a1550b0/frameset.htm
-Michael

To use UME with OpenLDAP

Hello everybody,
i have some problems.
My initial position:
Installed dual stack SAP NetWeaver Portal 2004s
--> Datasource for UME: ABAP-System
Installed OpenLDAP
Have anybody some guidelines for the configuration a UME with LDAP.
I had read all SAP help entries. Not so helpful.
I couldnt change DataSource, i dont know why ;-(
Please help
rene

Hi,
If you are using SAP Web AS ABAP User Management as datasource, you cannot change to any other data source configuration. For details, see SAP Note [718383|https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/oss_notes/sdn_oss_bc_jas/~form/handler].
http://help.sap.com/saphelp_nw04/helpdata/en/49/9dd53f779c4e21e10000000a1550b0/frameset.htm
Regards,
Praveen Gudapati

Connecting EP to an ABAP+Java datasource

Hi,
I am a SAP newbie.
I have EP on a standalone Java (I implemented the EP using rapid installer), and right now, it is using the file dataSourceConfiguration_database_only.xml as its datasource configuration. I want to change the datasource to an existing ABAP system. However, this existing ABAP system has a ASJava-Addin (BW was installed on this ABAP). If I want to use different users for each of the two Java systems, how should I deal with the communication, administrator, and guest users on both of the J2EE engines? (ie. Do I need to change the admin and guest usernames (ie. j2ee_admin) for the portal to avoid conflicting with that of the Java-Addin for the ABAP? How do I change the j2ee adminstrator username btw? And if I were to change it, do I need to change it in other places as well, such as in the connection factories of the default JMS provider?)
Thanks for all your help, this is quite urgent, and points will be awarded
Charles

Hi Charles,
<<1>>
We are having the same problem for other users(for normal uses),since some of the portal users are already existing in the ABAP System.When we try to login on to the portal server using one User ID which is already existing on both the ABAP System and Portal System then we will get "User authentication Failed" message.
The same error message is being displayed for those portal users which are included in the J2EE Administrators Group and are in the ABAP System.So i think, this exception may arise in your case also.In our landscape, unfortunately the Portal System is stand alone java(administrator) and backend system is stand alone ABAP system.Just create another user and add this user in the Administrator group before doing this configuration.
<<2>>
While doing this configuration, it is mandatory to mention a system user and password for the communication between UME and the ABAP Stack.In the case of dual stack installation this user will be created automatically during the installation time.For dual stack installations this system user is SAPJSF by default with SAP_BC_JSF_COMMUNICATION_RO role.In your case this user will be there. But if the ABAP System is a stand alone system, then we will have to manually create the user and assign the role.(either SAP_BC_JSF_COMMUNICATION or SAP_BC_JSF_COMMUNICATION_RO).The naming convention for the user is SAPJSF__<SAPSID_of_AS_Java>.
The first role will give the read/write capability to the system user and the second role can only give read permission.When the AS Java starts, the UME checks the roles assigned to the system user and if it finds no roles or only the role SAP_BC_JSF_COMMUNICATION_RO, the UME switches to read-only access for users located in the ABAP system.
Just refer this link also
http://help.sap.com/saphelp_nw04s/helpdata/en/49/9dd53f779c4e21e10000000a15
50b0/content.htm
If you are changing the role for your system user in the ABAP system, then it is recommended to restart the J2EE server (UME).
If your system user has the read/write permission on UME, then u can create/modify/delete the users both from the Portal and ABAP stack.<b>But the modification to the particular Portal user(already there) will be going to Java Stack(UME - Portal server) and the modification to the ABAP user will be going to the ABAP Stack(Dual Stack Server.). But all the new users created from both the portal and ABAP(dual stack) sever will only be going to ABAP Stack(Dual Stack).Just keep this thing in your mind.</b>
<<In the SAP Library, they recommand the SAP_BC_JSF_COMMUNICATION_RO role, but didn't give reasons for it.
>>
If we assign the SAP_BC_JSF_COMMUNICATION role to the system user, then we can change the UME data from both the Java System and from the ABAP system.In that case conflicts can arise.Inorder to keep the data consistency it is recommended to assign this read only role to the system user. Even in the case of dual stack installations, by default for the system user(SAPJSF) only this read-only role is present.
<<
understand that if I use user mapping for SSO, I can delete either one of the identical users from the portal or the backend as I will be m
>>
The main thing you have to keep in your mind is, for SSO using logon-ticket, in normal case (without this configuration), the user names in both the systems (Portal and R/3) should be same.
For example , If the Portal User ID = testuser , then R/3 user name should be testuser.For one portal user, if there is no identical R/3 name , then SSO using logon ticket will not work. In this case you will have to use SSO using User ID/Password Mapping.In this case your portal user can only access those back end objects(like RFC) on which your mapped user has got authorization.I think this part is clear to you.
Then after this configuration(UME as ABAP Datasource), if the same userid is existing in both portal and ABAP system, you can see 2 identical users while doing a user search in portal .(one portal user and one abap user) ,provided u have logged on to portal using another user with User Admin. If you try to login on to portal using this ID, then you will get 'User Authentication Failed' error message,since the same user is both in portal and ABAP.So your this scenario wont make any sense.. Right?...
If the user ID is coming from the ABAP system, then in the portal you will have to enter the ABAP user name and password to login on to the portal.This time, this user will acts as the portal user and the back end user is already there. So SSO using logon-ticket would works here. Hope you got it!!!!!...
If you have very large number of portal users, then it is better to go for SSO using logon-ticket rather than SSO using User/Password, since you will have to do the User mapping for all the users.You will have to change the Mapping details in the portal once we change the ABAP user's password.This is a very bad approach.SSO using logon-ticket is a one time configuration. So this is the best option for you...
I could also improve my knowledge on this after answering your question.I have also gone through so many help links to find out best answers to your doubts..ha ha..
From the help,
<i>Existing users in the AS Java database remain in the database after you configure the AS ABAP as the data source. When you log on to the AS Java, the UME searches both data sources simultaneously. Before you configure UME to use the AS ABAP as the data source, make sure the AS ABAP user management does not include any users with the same logon ID as users in the AS Java database. <b>The UME refuses to authenticate any user with a nonunique logon ID</b>.</i>
http://help.sap.com/saphelp_nw04s/helpdata/en/9e/fdcf3d4f902d10e10000000a114084/content.htm
Regards,
Kishor Gopinathan

I need some help with Portal - LDAP connection

Hello...
Can some one please help me with an issue I have when I try to connect a Portal in version EP6.0, with an LDAP, I go to System Admin --> System Config --> UM Config --> LDAP Server, Test the connection, it's successful, then restarted the server, but I still can't see the users at the LDAP.
Hope some one can help me soon.
Miguel

Hi Miguel,
After Configuring LDAP to UME portal,You need to create users in the LDAP.Then only you can see the users when you go to user admin->users->search for the user
1. What happens when you give * to search users?
2. Are you sure that you have mapped attributes of the user properly in data source configuration Xml file..
3 Which LDAP server you are using.
Cheers
Rani A

Show Stopper today with eDirectory (LDAP)

We are currently setting up Sun IDM 5.5 and are trying to do
reconciliation with an eDirectory 8.6.2 (10350.29) but are experiencing
severe performance issues. The directory contains groups with large scale
membership base, some groups 25.000+ members.
Same scenario occurs with Sun IDM 5.0 SP5.
When isolating to a single OU as baseDN with 10 accounts, a full clean
reconciliation takes 6-10 minutes. The network has thoroughly been
debugged, and no errors or issues have been found. Manual browsing in the
eDirectory with various ldap-tools without any issues. The total case
involves a total of more than 30.000+ accounts.
A test with identical user data in a Sun Directory Server 5.2 does the reconciliation take approx 2-3 seconds.
The eDirectory LDAP RA adapter can be viewed below. Any insight, or similar experiences are of great value and importance! Anything that can help me get this on track...
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Resource PUBLIC 'waveset.dtd' 'waveset.dtd'>

<Resource id='#ID#F77594225BD088E0:775121:1065E88DBC9:-7FE5' name='NDS' creator='Configurator' createDate='1126879507899' lastModifier='Configurator' lastModDate='1126886340268' lastMod='19' class='com.waveset.adapter.LDAPResourceAdapter' typeString='LDAP' typeDisplayString='com.waveset.adapter.RAMessages:RESTYPE_LDAP' hasId='true' facets='provision' timeLastExamined='0' reconcileTime='0' syncSource='true' startupType='Disabled'>
<ResourceAttributes>
    <ResourceAttribute name='host' displayName='com.waveset.adapter.RAMessages:RESATTR_HOST' description='RESATTR_HELP_240' value='130.243.85.109'>
    </ResourceAttribute>
    <ResourceAttribute name='port' displayName='com.waveset.adapter.RAMessages:RESATTR_PORT' description='RESATTR_HELP_264' value='389'>
    </ResourceAttribute>
    <ResourceAttribute name='ssl' displayName='com.waveset.adapter.RAMessages:RESATTR_SSL' description='RESATTR_HELP_281' value='0'>
    </ResourceAttribute>
    <ResourceAttribute name='principal' displayName='com.waveset.adapter.RAMessages:RESATTR_USERDN' description='RESATTR_HELP_271' value='cn=admin,ou=nds,ou=res,o=mdh'>
    </ResourceAttribute>
    <ResourceAttribute name='credentials' displayName='com.waveset.adapter.RAMessages:RESATTR_PASSWORD' type='encrypted' description='RESATTR_HELP_219' value='izkkkM1YJto='>
    </ResourceAttribute>
    <ResourceAttribute name='baseContext' displayName='com.waveset.adapter.RAMessages:RESATTR_BASE_CTXS' description='com.waveset.adapter.RAMessages:RESATTR_BASE_CTX_DESC' multi='true' value='ou=06,ou=STUDENT,ou=ANV,o=mdh'>
    </ResourceAttribute>
    <ResourceAttribute name='Object Class' displayName='com.waveset.adapter.RAMessages:RESATTR_OBJECT_CLASS' description='RESATTR_HELP_253' multi='true'>
      <value>top</value>
      <value>person</value>
      <value>organizationalPerson</value>
      <value>inetorgperson</value>
      <value>ndsLoginProperties</value>
    </ResourceAttribute>
    <ResourceAttribute name='ldapSearchFilter' displayName='com.waveset.adapter.RAMessages:RESATTR_LDAP_SEARCH_FILTER' description='com.waveset.adapter.RAMessages:RESATTR_HELP_LDAP_SEARCH_FILTER'>
    </ResourceAttribute>
    <ResourceAttribute name='includeObjClassesInSearchFilter' displayName='com.waveset.adapter.RAMessages:RESATTR_INCL_OBJCLASSES_IN_SEARCH_FILTER' type='boolean' description='com.waveset.adapter.RAMessages:RESATTR_HELP_INCL_OBJCLASSES_IN_SEARCH_FILTER' value='true'>
    </ResourceAttribute>
    <ResourceAttribute name='wsname' displayName='com.waveset.adapter.RAMessages:RESATTR_WSNAME' description='RESATTR_HELP_292' value='cn'>
    </ResourceAttribute>
    <ResourceAttribute name='Display Name Attribute' displayName='com.waveset.adapter.RAMessages:RESATTR_DISPLAY_NAME_ATTR' description='RESATTR_HELP_41'>
    </ResourceAttribute>
    <ResourceAttribute name='Use blocks' displayName='com.waveset.adapter.RAMessages:RESATTR_USE_BLOCKS' description='RESATTR_HELP_192' value='1'>
    </ResourceAttribute>
    <ResourceAttribute name='blockCount' displayName='com.waveset.adapter.RAMessages:RESATTR_BLOCKCOUNT' description='RESATTR_HELP_34' value='100'>
    </ResourceAttribute>
    <ResourceAttribute name='groupMemberAttr' displayName='com.waveset.adapter.RAMessages:RESATTR_GRP_MBR_ATTR' description='RESATTR_HELP_233' value='groupMembership'>
    </ResourceAttribute>
    <ResourceAttribute name='Password Hash Algorithm' displayName='com.waveset.adapter.RAMessages:RESATTR_PASSWORD_HASH_ALG' description='RESATTR_HELP_49'>
    </ResourceAttribute>
    <ResourceAttribute name='changeNamingAttr' displayName='com.waveset.adapter.RAMessages:RESATTR_MOD_NAMING_ATTR' description='RESATTR_HELP_47' value='0'>
    </ResourceAttribute>
    <ResourceAttribute name='Object Classes to Synchronize' displayName='com.waveset.adapter.RAMessages:RESATTR_ACTIVE_SYNC_OBJECT_CLASSES' description='com.waveset.adapter.RAMessages:RESATTR_HELP_ACTIVE_SYNC_OBJECT_CLASSES' multi='true' facets='activesync'>
      <value>person</value>
      <value>organizationalPerson</value>
      <value>inetorgperson</value>
    </ResourceAttribute>
    <ResourceAttribute name='LDAP Filter for Accounts to Synchronize' displayName='com.waveset.adapter.RAMessages:RESATTR_ACTIVE_SYNC_LDAP_FILTER' description='com.waveset.adapter.RAMessages:RESATTR_HELP_ACTIVE_SYNC_LDAP_FILTER' facets='activesync'>
    </ResourceAttribute>
    <ResourceAttribute name='Attributes to synchronize' displayName='com.waveset.adapter.RAMessages:RESATTR_ATTRIBUTE_FILTER' description='com.waveset.adapter.RAMessages:RESATTR_HELP_ATTRIBUTE_FILTER' multi='true' facets='activesync'>
    </ResourceAttribute>
    <ResourceAttribute name='When reset, ignore past changes' displayName='com.waveset.adapter.RAMessages:RESATTR_RESET_TO_TODAY' description='com.waveset.adapter.RAMessages:RESATTR_HELP_LDAPAS_RESET_TO_TODAY' facets='activesync' value='1'>
    </ResourceAttribute>
    <ResourceAttribute name='Change Log Blocksize' displayName='com.waveset.adapter.RAMessages:RESATTR_BLOCKSIZE' description='com.waveset.adapter.RAMessages:RESATTR_HELP_36' facets='activesync' value='100'>
    </ResourceAttribute>
    <ResourceAttribute name='Change Number Attribute Name' displayName='com.waveset.adapter.RAMessages:RESATTR_CHANGE_NUMBER_ATTRIBUTE_NAME' description='com.waveset.adapter.RAMessages:RESATTR_HELP_37' facets='activesync' value='changenumber'>
    </ResourceAttribute>
    <ResourceAttribute name='Filter Changes Made By' displayName='com.waveset.adapter.RAMessages:RESATTR_FILTER_CHANGES_BY' description='com.waveset.adapter.RAMessages:RESATTR_HELP_FILTER_CHANGES_BY' multi='true' facets='activesync'>
    </ResourceAttribute>
    <ResourceAttribute name='Proxy Administrator' displayName='com.waveset.adapter.RAMessages:RESATTR_PROXY_ADMINISTRATOR' description='com.waveset.adapter.RAMessages:RESATTR_HELP_30' value='Configurator'>
    </ResourceAttribute>
    <ResourceAttribute name='Input Form' displayName='com.waveset.adapter.RAMessages:RESATTR_FORM' description='com.waveset.adapter.RAMessages:RESATTR_HELP_26'>
    </ResourceAttribute>
    <ResourceAttribute name='Pre-Poll Workflow' displayName='com.waveset.adapter.RAMessages:RESATTR_PREPOLL_WORKFLOW' description='com.waveset.adapter.RAMessages:RESATTR_PREPOLL_WORKFLOW_HELP'>
    </ResourceAttribute>
    <ResourceAttribute name='Post-Poll Workflow' displayName='com.waveset.adapter.RAMessages:RESATTR_POSTPOLL_WORKFLOW' description='com.waveset.adapter.RAMessages:RESATTR_POSTPOLL_WORKFLOW_HELP'>
    </ResourceAttribute>
    <ResourceAttribute name='Maximum Archives' displayName='com.waveset.adapter.RAMessages:RESATTR_MAX_ARCHIVES' description='com.waveset.adapter.RAMessages:RESATTR_HELP_MAX_ARCHIVES' value='3'>
    </ResourceAttribute>
    <ResourceAttribute name='Maximum Age Length' displayName='com.waveset.adapter.RAMessages:RESATTR_MAX_LOG_AGE' description='com.waveset.adapter.RAMessages:RESATTR_HELP_MAX_LOG_AGE'>
    </ResourceAttribute>
    <ResourceAttribute name='Maximum Age Unit' displayName='com.waveset.adapter.RAMessages:RESATTR_MAX_LOG_AGE_UNIT' description='com.waveset.adapter.RAMessages:RESATTR_HELP_MAX_LOG_AGE_UNIT'>
    </ResourceAttribute>
    <ResourceAttribute name='Log Level' displayName='com.waveset.adapter.RAMessages:RESATTR_LOG_LEVEL' description='com.waveset.adapter.RAMessages:RESATTR_HELP_27' value='2'>
    </ResourceAttribute>
    <ResourceAttribute name='Log File Path' displayName='com.waveset.adapter.RAMessages:RESATTR_LOG_PATH' description='com.waveset.adapter.RAMessages:RESATTR_HELP_28'>
    </ResourceAttribute>
    <ResourceAttribute name='Maximum Log File Size' displayName='com.waveset.adapter.RAMessages:RESATTR_LOG_SIZE' description='com.waveset.adapter.RAMessages:RESATTR_HELP_29'>
    </ResourceAttribute>
    <ResourceAttribute name='Scheduling Interval' displayName='com.waveset.adapter.RAMessages:RESATTR_SCHEDULE_INTERVAL' description='com.waveset.adapter.RAMessages:RESATTR_HELP_51'>
    </ResourceAttribute>
    <ResourceAttribute name='Poll Every' displayName='com.waveset.adapter.RAMessages:RESATTR_SCHEDULE_INTERVAL_COUNT' description='com.waveset.adapter.RAMessages:RESATTR_HELP_52'>
    </ResourceAttribute>
    <ResourceAttribute name='Polling Start Time' displayName='com.waveset.adapter.RAMessages:RESATTR_SCHEDULE_START_TIME' description='com.waveset.adapter.RAMessages:RESATTR_HELP_56'>
    </ResourceAttribute>
    <ResourceAttribute name='Polling Start Date' displayName='com.waveset.adapter.RAMessages:RESATTR_SCHEDULE_START_DATE' description='com.waveset.adapter.RAMessages:RESATTR_HELP_54'>
    </ResourceAttribute>
    <ResourceAttribute name='useInputForm' displayName='com.waveset.adapter.RAMessages:RESATTR_USE_INPUT_FORM' type='boolean' description='com.waveset.adapter.RAMessages:RESATTR_USE_INPUT_FORM_HELP' facets='activesync' value='true'>
    </ResourceAttribute>
    <ResourceAttribute name='parameterizedInputForm' displayName='com.waveset.adapter.RAMessages:RESATTR_PARAMETERIZED_INPUT_FORM' description='com.waveset.adapter.RAMessages:RESATTR_PARAMETERIZED_INPUT_FORM_HELP' facets='activesync'>
    </ResourceAttribute>
    <ResourceAttribute name='activeSyncPostProcessForm' displayName='com.waveset.adapter.RAMessages:RESATTR_SYNC_POST_PROCESS_FORM' description='com.waveset.adapter.RAMessages:RESATTR_SYNC_POST_PROCESS_FORM_HELP' facets='activesync'>
    </ResourceAttribute>
    <ResourceAttribute name='activeSyncConfigMode' displayName='com.waveset.adapter.RAMessages:RESATTR_SYNC_CONFIG_MODE' description='com.waveset.adapter.RAMessages:RESATTR_SYNC_CONFIG_MODE_HELP' facets='activesync' value='basic'>
    </ResourceAttribute>
    <ResourceAttribute name='processRule' displayName='com.waveset.adapter.RAMessages:RESATTR_PROCESS_RULE' description='com.waveset.adapter.RAMessages:RESATTR_PROCESS_RULE_HELP' facets='activesync'>
    </ResourceAttribute>
    <ResourceAttribute name='correlationRule' displayName='com.waveset.adapter.RAMessages:RESATTR_CORRELATION_RULE' description='com.waveset.adapter.RAMessages:RESATTR_CORRELATION_RULE_HELP' facets='activesync' value='CORRELATION_RULE_NONE'>
    </ResourceAttribute>
    <ResourceAttribute name='confirmationRule' displayName='com.waveset.adapter.RAMessages:RESATTR_CONFIRMATION_RULE' description='com.waveset.adapter.RAMessages:RESATTR_CONFIRMATION_RULE_HELP' facets='activesync' value='CONFIRMATION_RULE_NONE'>
    </ResourceAttribute>
    <ResourceAttribute name='deleteRule' displayName='com.waveset.adapter.RAMessages:RESATTR_DELETE_RULE' description='com.waveset.adapter.RAMessages:RESATTR_DELETE_RULE_HELP' facets='activesync'>
    </ResourceAttribute>
    <ResourceAttribute name='createUnmatched' displayName='com.waveset.adapter.RAMessages:RESATTR_CREATE_UNMATCHED' description='com.waveset.adapter.RAMessages:RESATTR_CREATE_UNMATCHED_HELP' facets='activesync' value='true'>
    </ResourceAttribute>
    <ResourceAttribute name='resolveProcessRule' displayName='com.waveset.adapter.RAMessages:RESATTR_RESOLVE_PROCESS_RULE' description='com.waveset.adapter.RAMessages:RESATTR_RESOLVE_PROCESS_RULE_HELP' facets='activesync'>
    </ResourceAttribute>
    <ResourceAttribute name='populateGlobal' displayName='com.waveset.adapter.RAMessages:RESATTR_POPULATE_GLOBAL' description='com.waveset.adapter.RAMessages:RESATTR_POPULATE_GLOBAL_HELP' facets='activesync' value='false'>
    </ResourceAttribute>
</ResourceAttributes>
<AccountAttributeTypes nextId='15'>
    <AccountAttributeType id='2' name='accountId' syntax='string' mapName='cn' mapType='string' required='true'>
      <AttributeDefinitionRef>
        <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:accountId' name='accountId'/>
      </AttributeDefinitionRef>
    </AccountAttributeType>
    <AccountAttributeType id='3' name='password' syntax='encrypted' mapName='userPassword' mapType='string'>
      <AttributeDefinitionRef>
        <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:password' name='password'/>
      </AttributeDefinitionRef>
    </AccountAttributeType>
    <AccountAttributeType id='4' name='firstname' syntax='string' mapName='givenname' mapType='string'>
      <AttributeDefinitionRef>
        <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:firstname' name='firstname'/>
      </AttributeDefinitionRef>
    </AccountAttributeType>
    <AccountAttributeType id='5' name='lastname' syntax='string' mapName='sn' mapType='string' required='true'>
      <AttributeDefinitionRef>
        <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:lastname' name='lastname'/>
      </AttributeDefinitionRef>
    </AccountAttributeType>
    <AccountAttributeType id='8' name='loginDisabled' syntax='string' mapName='loginDisabled' mapType='string'>
    </AccountAttributeType>
    <AccountAttributeType id='9' name='fullname' syntax='string' mapName='fullname' mapType='string'>
    </AccountAttributeType>
    <AccountAttributeType id='10' name='email' syntax='string' mapName='mail' mapType='string'>
    </AccountAttributeType>
    <AccountAttributeType id='11' name='ssn' syntax='string' mapName='workforceId' mapType='string'>
    </AccountAttributeType>
    <AccountAttributeType id='12' name='description' syntax='string' mapName='description' mapType='string'>
    </AccountAttributeType>
</AccountAttributeTypes>
<Template>
    <text>cn=</text>
    <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:accountId' name='accountId'/>
    <text>,ou=06,ou=STUDENT,ou=ANV,o=mdh</text>
</Template>
<Retries max='0' delay='10' emailThreshold='5'/>
<ObjectTypes>
    <ObjectType name='Group' nameKey='UI_RESOURCE_OBJECT_TYPE_GROUP' icon='group'>
      <ObjectClasses primary='groupOfUniqueNames' operator='OR'>
        <ObjectClass name='groupOfNames'/>
        <ObjectClass name='groupOfUniqueNames'/>
      </ObjectClasses>
      <ObjectFeatures>
        <ObjectFeature name='create'/>
        <ObjectFeature name='update'/>
        <ObjectFeature name='delete'/>
        <ObjectFeature name='rename'/>
        <ObjectFeature name='saveas'/>
      </ObjectFeatures>
      <ObjectAttributes idAttr='dn' displayNameAttr='cn' descriptionAttr='description' objectClassAttr='objectclass'>
        <ObjectAttribute name='cn' type='string'/>
        <ObjectAttribute name='description' type='string'/>
        <ObjectAttribute name='owner' type='distinguishedname' namingAttr='cn'/>
        <ObjectAttribute name='uniqueMember' type='distinguishedname' namingAttr='cn'/>
      </ObjectAttributes>
    </ObjectType>
    <ObjectType name='Domain' nameKey='UI_RESOURCE_OBJECT_TYPE_DOMAIN' icon='folder' container='true'>
      <ObjectClasses operator='AND'>
        <ObjectClass name='domain'/>
      </ObjectClasses>
      <ObjectFeatures>
        <ObjectFeature name='find'/>
      </ObjectFeatures>
      <ObjectAttributes idAttr='distinguishedName' displayNameAttr='dc' objectClassAttr='objectclass'>
        <ObjectAttribute name='dc' type='string'/>
      </ObjectAttributes>
    </ObjectType>
    <ObjectType name='Organization' nameKey='UI_RESOURCE_OBJECT_TYPE_ORGANIZATION' icon='folder_with_org' container='true'>
      <ObjectClasses operator='AND'>
        <ObjectClass name='organization'/>
      </ObjectClasses>
      <ObjectFeatures>
        <ObjectFeature name='create'/>
        <ObjectFeature name='delete'/>
        <ObjectFeature name='rename'/>
        <ObjectFeature name='saveas'/>
        <ObjectFeature name='find'/>
      </ObjectFeatures>
      <ObjectAttributes idAttr='dn' displayNameAttr='o' objectClassAttr='objectclass'>
        <ObjectAttribute name='o' type='string'/>
      </ObjectAttributes>
    </ObjectType>
    <ObjectType name='Organizational Unit' nameKey='UI_RESOURCE_OBJECT_TYPE_ORGANIZATIONALUNIT' icon='folder_with_orgunit' container='true'>
      <ObjectClasses operator='AND'>
        <ObjectClass name='organizationalUnit'/>
      </ObjectClasses>
      <ObjectFeatures>
        <ObjectFeature name='create'/>
        <ObjectFeature name='delete'/>
        <ObjectFeature name='rename'/>
        <ObjectFeature name='saveas'/>
        <ObjectFeature name='find'/>
      </ObjectFeatures>
      <ObjectAttributes idAttr='dn' displayNameAttr='ou' objectClassAttr='objectclass'>
        <ObjectAttribute name='ou' type='string'/>
      </ObjectAttributes>
    </ObjectType>
</ObjectTypes>
    <LoginConfigEntry name='com.waveset.security.authn.WSResourceLoginModule' type='LDAP' displayName='com.waveset.adapter.RAMessages:RES_LOGIN_MOD_LDAP'>
      <AuthnProperties>
        <AuthnProperty name='ldap_uid' displayName='com.waveset.adapter.RAMessages:UI_USERID_LABEL' isId='true' formFieldType='text' dataSource='user'/>
        <AuthnProperty name='ldap_password' displayName='com.waveset.adapter.RAMessages:UI_PWD_LABEL' formFieldType='password' dataSource='user'/>
      </AuthnProperties>
      <SupportedApplications>
        <SupportedApplication name='Administrator Interface'/>
        <SupportedApplication name='User Interface'/>
      </SupportedApplications>
    </LoginConfigEntry>
    <ResourceUserForm>
      <ObjectRef type='UserForm' id='#ID#LDAP User Form'/>
    </ResourceUserForm>
<MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
</MemberObjectGroups>
</resource>

few questions....are you getting any errors on the ldap side? object class errors perhaps?
what app server are you using and what version of java?
--Dana Reed

Problem with JNDI/LDAP AND connection pool

I'm a newbie to Java but am attempting to write a servlet that retrieves info use to populate the contents of drop down menus. I'd like to only have to do this once. The servlet also retrieves other data (e.g. user profile info, etc ...). I'd like to be able to use the connection pool for all of these operations but I'm getting a compile error:
public class WhitePages extends HttpServlet {
ResourceBundle rb = ResourceBundle.getBundle("LocalStrings");
public static String m_servletPath = null;
public static String cattrs = null;
public static String guidesearchlist[] = {};
public static int isLocalAddr = 0;
private int aeCtr;
private String[] sgDNArray;
private HashMap sgDN2DNLabel = new HashMap();
private HashMap sgDN2SearchGuide = new HashMap();
private String strport;
private int ldapport;
private String ldaphost;
private String ldapbinddn;
private String ldapbindpw;
private String ldapbasedn;
private int maxsearchcontainers;
private int maxsearchkeys;
private String guidesearchbases;
private String guidecontainerclass;
private String strlocaladdr;
private String providerurl;
// my init method establishes the connection
// pool and then retrieve menu data
public void init(ServletConfig config) throws ServletException {
super.init(config);
String strport = config.getInitParameter("ldapport");
ldapport = Integer.parseInt(strport);
String strconts = config.getInitParameter("maxsearchcontainers");
maxsearchcontainers = Integer.parseInt(strconts);
String strkeys = config.getInitParameter("maxsearchkeys");
maxsearchkeys = Integer.parseInt(strkeys);
ldaphost = config.getInitParameter("ldaphost");
ldapbinddn = config.getInitParameter("ldapbinddn");
ldapbindpw = config.getInitParameter("ldapbindpw");
ldapbasedn = config.getInitParameter("ldapbasedn");
guidesearchbases = config.getInitParameter("guidesearchbases");
guidecontainerclass = config.getInitParameter("guidecontainerclass");
strlocaladdr = config.getInitParameter("localaddrs");
providerurl = "ldap://" + ldaphost + ":" + ldapport;
/* Set up environment for creating initial context */
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, providerurl.toString());
/* Enable connection pooling */
env.put("com.sun.jndi.ldap.connect.pool", "true");
StringTokenizer st = new StringTokenizer(guidesearchbases, ":" );
String guidesearchlist[] = new String[st.countTokens()];
for ( int i = 0; i < guidesearchlist.length; i++ ) {
guidesearchlist[i] = st.nextToken();
// Get a connection from the connection pool
// and retrieve the searchguides
StringBuffer asm = new StringBuffer(""); // This is the advanced search menu htmlobject buffer
StringBuffer strtmpbuf = new StringBuffer(""); // This is the simple search menu htmlobject buffer
try {
StringBuffer filter = new StringBuffer("");
filter.append("(objectclass=" + guidecontainerclass + ")");
String[] attrList = {"dn","cn","searchguide"};
SearchControls ctls = new SearchControls();
ctls.setReturningAttributes(attrList);
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String attrlabelkey;
sgDNArray = new String[guidesearchlist.length];
for( int i = 0; i < guidesearchlist.length; i++ ) {
// Search each of the namingspaces where
// searchguides exist then build
// the dynamic menus from the result
DirContext ctx = new InitialDirContext(env);
NamingEnumeration results = ctx.search(guidesearchlist, filter, ctls);
I get a compile error:
WhitePages.java:164: cannot resolve symbol
symbol : method search (java.lang.String,java.lang.StringBuffer,javax.naming.directory.SearchControls)
location: interface javax.naming.directory.DirContext
NamingEnumeration results = ctx.search(guidesearchlist[i], filter, ctls);
^
WhitePages.java:225: cannot resolve symbol
symbol : variable ctx
location: class OpenDirectory
ctx.close();
^
Can anyone help? If there is someone out there with JNDI connection pool experience I would appreciate your assistance!

Manish
The issue may not be related to the number of connections or the initial
connections. Check your heap size (ms, mx). Turn on verbosegc. Your heap may
not be big enough to accept the 25,000 rows.
Bernie
"Manish Kumar Singh" <[email protected]> wrote in message
news:3e6c34ca$[email protected]..
We are creating the result set with 25000 rows(each row has 56 columns) bygetting the connection using data source. With the initial capacity of the
connection pool is 5 and the max capacity as 30 and grow connection as 1,
the server gets out of memory exception, when we issue a new request, even
after closing the previous connections.
Now, if we change the initial capacity to 1 and rest all the things assame, the issue gets resolved and the server works fine.
Could you please help me out in this regard????
thanks in advance
manish

Config UME with ABAP+LDAP datasource

Similar Messages

Maybe you are looking for