How does the LDAP authentication process work?

Hi All,
In SAP KB1384915 (https://bosap-support.wdf.sap.corp/sap/support/notes/1384915), the BOE client authentication process is described as follows:
1. The BOXI SDK calls the login on the BOXI client plugin (passing username & password).
2. The BOXI client plugin passes the username and password to the third-party authentication server. This may be an LDAP server, or a Windows Active Directory server, or any other server that the BI Platform supports.
3. The third-party authentication server authenticates the credentials. This generates a security buffer needed by the BOXI server-side authentication plugin.
4. The SDK passes the security buffer to the CMS, which forwards it to the server-side plugin.
At this point the handshake process may be finished, or it may continue.
5. This exchange continues until the server-side authentication system indicates that the authentication process has completed.
Authentication always ends on the server side.
6. The user has been authenticated. The CMS must verify that the user is a member of a mapped group before the logon process can complete.
Question about LDAP auth:
I think that the client plugin doesn't know the LDAP server's hostname & port number at the time of step 2 (only the BOE server knows it).
So I think the client will access the BOE server to get the LDAP-related information before that step.
Would you please tell me whether the following process is correct?
1. The BOXI SDK calls the login on the BOXI client plugin.
2. The client plugin gets LDAP-related information (LDAP hostname, port number, base DN etc.) from the BOE server.
   At this step, the client plugin DOESN'T pass the username & password to the BOE server. It only gets information.
3. The client plugin passes the username and password to the LDAP server.
4. The LDAP server authenticates the credentials. This generates a security buffer needed by the BOXI server-side authentication plugin.
5. The SDK passes the security buffer to the CMS, which forwards it to the server-side plugin.
   At this point the handshake process may be finished, or it may continue.
6. This exchange continues until the server-side authentication system indicates that the authentication process has completed.
   Authentication always ends on the server side.
7. The user has been authenticated. The CMS must verify that the user is a member of a mapped group before the logon process can complete.
Thanks & regards,
Tadashi

Hi,
In a BOE environment the CMS does all of the authentication processing. So I would say that the client passes the LDAP information entered by the user to the CMS and the CMS does the authentication on behalf of the client.
If you need an official statement, I would recommend you open a Support Message with SAP Support.
Otherwise you could monitor the network traffic during the authentication of the client. There you should see whether the client communicates directly with the LDAP host or only with the CMS.
Regards
-Seb.

Similar Messages

  • EDI-How does the Inbound File process work?

    Hi
    How does the Inbound process work in EDI?
    When a file is put in the Inbound EDI directory of the App server, how does the system start the process?
    Which programs are called/triggered?
    How does the Inbound process work?
    Please be brief and precise.

    Hi
    Check these links:
    http://help.sap.com/saphelp_erp2004/helpdata/en/dc/6b835943d711d1893e0000e8323c4f/content.htm
    http://www.sapgenie.com/sapgenie/docs/ale_scenario_development_procedure.doc
    http://edocs.bea.com/elink/adapter/r3/userhtm/ale.htm#1008419
    http://www.netweaverguru.com/EDI/HTML/IDocBook.htm
    http://www.sapgenie.com/sapedi/index.htm
    http://www.sappoint.com/abap/ale.pdf
    http://www.sappoint.com/abap/ale2.pdf
    http://www.sapgenie.com/sapedi/idoc_abap.htm
    http://help.sap.com/saphelp_erp2005/helpdata/en/0b/2a60bb507d11d18ee90000e8366fc2/frameset.htm
    http://help.sap.com/saphelp_erp2005/helpdata/en/78/217da751ce11d189570000e829fbbd/frameset.htm
    http://www.allsaplinks.com/idoc_sample.html
    http://www.sappoint.com/abap.html
    Please check this PDF documents for ALE and IDoc.
    http://www.sappoint.com/abap/ale.pdf
    http://www.sappoint.com/abap/ale2.pdf
    http://help.sap.com/printdocu/core/Print46c/en/data/pdf/BCMIDALEIO/BCMIDALEIO.pdf
    http://help.sap.com/printdocu/core/Print46c/en/data/pdf/BCMIDALEPRO/BCMIDALEPRO.pdf
    http://help.sap.com/printdocu/core/Print46c/en/data/pdf/CABFAALEQS/CABFAALEQS.pdf
    http://help.sap.com/printdocu/core/Print46c/en/data/pdf/BCSRVEDISC/CAEDISCAP_STC.pdf
    http://help.sap.com/printdocu/core/Print46c/en/data/pdf/BCSRVEDI/CAEDI.pdf
    Check below link. It will give the step by step procedure for IDOC creation.
    http://www.supinfo-projects.com/cn/2005/idocs_en/2/
    Reward points if useful
    Regards
    Anji

  • How does the Login process work?

    Hello,
    How exactly does the default 'Login' process on the login page work?
    When the following code is executed:
    wwv_flow_custom_auth_std.login(
        P_UNAME      => :P1_USERNAME,
        P_PASSWORD   => :P1_PASSWORD,
        P_SESSION_ID => v('APP_SESSION'),
        P_FLOW_PAGE  => :APP_ID||':2'
    );
    Does the execution continue to the code below, or is it halted and the user redirected to the flow page?
    I need to set the username and the user id (from SQL query WHERE username = :P1_USERNAME) ONLY IF the authentication has been successful, otherwise NULL them. What's the best way to do this?
    After the wwv_flow_custom_auth_std.login(...), how can I check if the user has been authenticated?
    Thanks :)
    Pavel

    hi pavel--
    wwv_flow_custom_auth_std.login sets :APP_USER and then redirects to p_flow_page upon successful login. When you say, "I need to set the username and the user id (from SQL query WHERE username = :P1_USERNAME) *ONLY IF* the authentication has been successful, otherwise NULL them", I'm guessing that you really want your user to not be logged in upon unsuccessful credential verification. If so, that would already be handled by wwv_flow_custom_auth_std. A good way to see this in action is to examine how the Sample Application handles authentication. The login page 101 does call wwv_flow_custom_auth_std with the supplied credentials, but if you don't pass the Authentication Function check specified in the Sample Application's custom authentication scheme, the session is still invalid, and the user is still on page 101. I'm pretty sure that's the behavior you want, but please clarify if not.
    thanks,
    raj

  • How does the GR processing time affect the scheduling of the process order & the latest start date in the operation.

    Hi
    Can anyone explain how the GR processing time affects the scheduling of the process order & the latest start date in the operation overview?

    Hi
    GR processing time means the number of workdays required after receiving the material in storage.
    Check this link:GR Processing time
    Regards,
    Anupam Sharma

  • TRFC internals - how does the async processing happen?

    Dear all,
    The document https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f078394a-4469-2910-c4bf-853c75674694 is an excellent place to read about SAP RFCs (remote function calls).
    Pages 94 to 96 describe in detail how tRFC (transactional RFC) works.
    However, there is still something unclear for me with the following sentence on page 94:
    "The truly exciting part happens when the program
    issues a COMMIT WORK command. The recorded calls
    are executed asynchronously in a special set of tRFC
    processing sessions created for each transaction ID..."
    Maybe someone can answer the following questions:
    a) what exactly triggers and executes the tRFC?
    b) is it the ABAP runtime system itself, spawning the additional task in DIA?
    c) if multiple tRFC LUWs have been recorded, they are all executed in parallel by this procedure!?
    d) does the execution try to utilize all available DIA processes?
    e) how do the rdisp/rfc_... parameters come into play?
       are they evaluated? We have seen all DIA occupied by the tRFCs executed!
    Best regards,
    Peter
    P.S.: if someone has answers to these ones, more related to error handling, would be great as well
    f) the jobs ARFC*, do they also use parallel processing?
       or is every ARFC* job responsible only for one single LUW?
       (note https://service.sap.com/sap/support/notes/366807 did not give a perfect answer)
    g) and how does the report RSARFCEX work compared to immediate execution?

    That's the problem, it won't.
    internal static string GetAvailabilityGroupFromConnection(SPDatabase db)
    {
        if (!UsesAvailabilityConnection(db))
            return null;
        // The Data Source of the connection string (e.g. a SQL alias) is the name that gets looked up
        string dataSource = db.ConnectionString.DataSource;
        // The data source name is interpolated straight into the query text, not passed as a parameter
        string cmdText = string.Format(CultureInfo.InvariantCulture, "\r\n SELECT name FROM sys.availability_groups g\r\n JOIN sys.availability_group_listeners l ON g.group_id = l.group_id\r\n WHERE dns_name = '{0}'\r\n ", new object[] { dataSource });
        string str3 = null;
        using (SqlCommand command = new SqlCommand(cmdText))
        {
            ULS.SendTraceTag(0x302263, ULSCat.msoulscat_WSS_Database, ULSTraceLevel.Medium, "Looking up availability group for listener: {0}", new object[] { cmdText });
            using (SqlDataReader reader = GetSessionFromDatabase(db).ExecuteReader(command))
            {
                while (reader.Read())
                {
                    str3 = reader.GetString(0);
                }
            }
        }
        ULS.SendTraceTag(0x302280, ULSCat.msoulscat_WSS_Database, ULSTraceLevel.Medium, "Found group {0} for listener {1}", new object[] { str3, dataSource });
        // Stays null when no listener's dns_name matched the data source name
        return str3;
    }
    This piece of code looks at the SPDatabase's connection string (the SQL alias, for example) and executes a T-SQL query looking for that name within SQL Server. Since the SQL alias does not exist within the SQL Server's configuration, it will return a null value, and you won't be able to set up the AG config using the AG cmdlets.
    Also, since mobility exists by the very nature of using an AG Listener, using a SQL Alias is redundant.
    Trevor Seward

  • How does the sync process work?

    Hello all,
    I want to know what will happen if both the local and network homes have been modified over a period of two weeks and then the user chooses to sync. Will the sync process ask which 'home' is the most recent, or will it replace older files with newer files?
    How does the sync process manage the task of keeping both sides the same?
    Thanks,
    -Andrew G

    If a file exists on both the local and the network directory it will pop up with a conflict and ask how to resolve it.
    If the file is only on the local machine and in a place you have not excluded from syncing it just syncs.
    If the file has been previously synced but there has been no change to the file since last sync I think it just rewrites the file to the server homedir... (Don't quote me on this one... it might not even bother with it, I'm not sure how smart the sync service is)
    You can set automatic conflict resolution within WGM, but as far as I know you have to do it by clicking on Preferences, then switching to the Details tab, then clicking on Home Sync....com.apple.homesync. Click on the Always drop-down and click the Add New Key button, then change the new key to either Login or Logout Non-Preference sync conflict resolution and/or Background sync conflict resolution and decide if MobileHome or NetworkHome wins...or copy. In most cases I would think that you would want the MobileHome to win.. of course there is always potential for someone to make a huge mistake on a file and pray it's still fine on the server but... your call.

  • How does the repair process work

    How does the repair process work? I currently broke my iPhone (water damage), and still have a warranty until July 30.

    http://www.apple.com/support/iphone/repair/other/

  • How long does the number porting process take?

    Hello Everybody! I just got my iPhone (which I LOVE, by the way) but I was wondering, how long does the number porting process take?
    I ported my phone number over from SprintPCS last night at around 7pm EST and right now it's 8am EST and my Palm seems to still be working... Is this normal?
    I'm still receiving incoming calls to my Palm, Text messages to my Palm, but yet I can do outgoing calls from my iphone... I'm kinda confused...
    I mean I received the text on my iphone from sprint telling me: "Welcome to AT&T" as well as receiving the e-mail saying my new phone number is the same one I've had for 6 years now... Is 13 hours considered normal?
    Thanx! :-D

    QueenYvette,
    If it continues to be an issue tomorrow, I would recommend calling again, and getting in contact with AT&T's porting department. They are familiar with resolving any issues that may arise.
    Powering off both phones is to make sure that the old phone is not maintaining an active connection with the old carrier that can interfere with the last steps of the porting process. If at all possible it's a good idea to leave the old phone powered off, and restart the new phone about once an hour so that it will resync with the towers.
    Hope this helps,
    Nathan C.

  • How does the boot-process assemble the raid?

    Hi everyone,
    I just switched from Debian and CentOS to archlinux on all my machines and I really love it so far!
    Now I feel that I can really customize my OS the way I want.
    But I was thinking about one thing that I don't really understand yet, and from what I have read on this forum I'm certain that someone knows the answer.
    On my primary machine I have an mdadm-raid.
    And the partitions look like this:
    /dev/sda (Disk1)                                  /dev/sdb (Disk2)
    /dev/sda1  100MB ext2 (boot)                      /dev/sdb1  100MB empty (left empty so that the disks look the same)
    /dev/sda2  2500MB ext3 (root)     <- RAID0 ->     /dev/sdb2  2500MB ext3       = /dev/md0
    /dev/sda3  2250MB swap            <- RAID0 ->     /dev/sdb3  2250MB swap       = /dev/md1
    /dev/sda4  245150MB ext3 (home)   <- RAID0 ->     /dev/sdb4  245150MB ext3     = /dev/md2
    So it was a little tricky to get it installed and to assemble the raid at boot, but now it's working like a dream again.
    What I did, apart from loading the mdadm hook of course, was use the kernel parameter: ro root=/dev/md0 md=0,/dev/sda2,/dev/sdb2 a.s.o. to tell the initrd how to assemble the raid at boot.
    But before archlinux I've done this setup in the installer, and after I've installed for example Debian, the system boots correctly and assembles the raid at boot, but without the kernel parameters. How does the system know how the raid should be assembled?
    I've tried to include the mdadm.conf but with no success. Does the initrd contain the raid information in some way?

    To obtain that file, run:
    abs
    This will provide the abs tree of core,extra, and community in /var/abs.
    Then you can get the file:
    # vim: set ft=sh:
    run_hook ()
    {
        input="$(cat /proc/cmdline)"
        mdconfig="/etc/mdadm.conf"
        # for partitionable raid, we need to load md_mod first!
        modprobe md_mod 2>/dev/null
        # if no config file is present create one from command line parameters
        if ! [ -e $mdconfig ]; then
            # Create initial mdadm.conf
            # scan all devices in /proc/partitions
            echo DEVICE partitions > $mdconfig
            for i in $input; do
                case $i in
                    # raid
                    md=[0-9]*,/*)
                        device="$(/bin/replace -s,/ "$i" "=" "")"
                        array="$(/bin/replace -s/ "$device" "," " devices=")"
                        echo "ARRAY /dev/$array" >> $mdconfig
                        RAID_FOUND=1
                        ;;
                    # partitionable raid
                    md=d[0-9]*,/*)
                        device="$(/bin/replace -s=d "$i" "md=" "md_")"
                        array="$(/bin/replace -s/ "$device" "," " devices=")"
                        echo "ARRAY /dev/$array" >> $mdconfig
                        RAID_FOUND=1
                        ;;
                    # raid UUID
                    md=[0-9]*,[0-9,a-z]*)
                        device="$(/bin/replace -s,/ "$i" "=" "")"
                        array="$(/bin/replace -s/ "$device" "," " uuid=")"
                        echo "ARRAY /dev/$array" >> $mdconfig
                        RAID_FOUND=1
                        ;;
                    # partitionable raid UUID
                    md=d[0-9]*,[0-9,a-z]*)
                        device="$(/bin/replace -s=d "$i" "md=" "md_")"
                        array="$(/bin/replace -s/ "$device" "," " uuid=")"
                        echo "ARRAY /dev/$array" >> $mdconfig
                        RAID_FOUND=1
                        ;;
                esac
            done
        else
            # an mdadm.conf shipped in the initrd is used as-is
            RAID_FOUND=1
        fi
        if [ "$RAID_FOUND" = 1 ]; then
            # assemble everything
            /sbin/mdassemble.static
        fi
    }
    The above is what is provided in mine............
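    As an added example (mine, not the Arch hook above), the same md= parsing the hook does with its /bin/replace calls, rewritten with POSIX parameter expansion and printing the ARRAY lines instead of writing /etc/mdadm.conf, so you can see what the poster's kernel line (md=0,/dev/sda2,/dev/sdb2 ...) turns into. The md=1 and md=d2 parameters and the UUID in the test are constructed values.

```shell
# Constructed re-implementation of the hook's cmdline-to-mdadm.conf step.
# It prints the config to stdout rather than writing /etc/mdadm.conf, so it
# can be run on any box to preview what the initrd would assemble.
cmdline_to_mdadm_conf() {
    # $1: the kernel command line, i.e. what the hook reads from /proc/cmdline
    printf 'DEVICE partitions\n'
    for i in $1; do
        case $i in
            # raid with device list:  md=0,/dev/sda2,/dev/sdb2
            md=[0-9]*,/*)
                spec=${i#md=}          # 0,/dev/sda2,/dev/sdb2
                num=${spec%%,*}        # 0
                devs=${spec#*,}        # /dev/sda2,/dev/sdb2
                printf 'ARRAY /dev/md%s devices=%s\n' "$num" "$devs"
                ;;
            # partitionable raid with device list:  md=d2,/dev/sda4,/dev/sdb4
            md=d[0-9]*,/*)
                spec=${i#md=d}
                num=${spec%%,*}
                devs=${spec#*,}
                printf 'ARRAY /dev/md_d%s devices=%s\n' "$num" "$devs"
                ;;
            # raid by UUID:  md=0,<uuid>
            md=[0-9]*,[0-9a-z]*)
                spec=${i#md=}
                num=${spec%%,*}
                uuid=${spec#*,}
                printf 'ARRAY /dev/md%s uuid=%s\n' "$num" "$uuid"
                ;;
            # partitionable raid by UUID:  md=d0,<uuid>
            md=d[0-9]*,[0-9a-z]*)
                spec=${i#md=d}
                num=${spec%%,*}
                uuid=${spec#*,}
                printf 'ARRAY /dev/md_d%s uuid=%s\n' "$num" "$uuid"
                ;;
            # everything else (ro, root=..., quiet) is ignored, as in the hook
        esac
    done
}
```

    Everything in the generated file comes from the kernel command line, so whoever can edit the bootloader entry decides which devices get assembled; if an mdadm.conf is shipped in the initrd, the hook skips this step and uses that file instead.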

  • How Does the scheduler works with ODI engine

    Hi All,
    I am new to the ODI and I was going through the documents over the web regarding the scheduling.
    Can anyone please let me know how the Scheduler in ODI is coupled with the ODI engine?
    How does the internal scheduler work and how does the external one work? What are the processes that it calls while invoking the scheduler?
    Your help will be highly appreciated.
    Thanks,
    Sumit

    Scheduling in ODI is controlled by a special type of ODI agent, strangely called the ODI scheduling agent. This agent is installed as a service and, as well as being responsible for all tasks associated with a normal agent, is also responsible for managing ODI jobs based on any scheduling information associated with an ODI scenario. All scheduling information is stored in the ODI repository and the scheduler agent reads from this to determine which jobs/scenarios need to be executed and when.

  • Question - How does the Priority feature of the Send Port work?

    How does the Priority feature of the Send Port work?

    The Priority setting of the Transport Advanced Options controls the order in which messages are removed from the MessageBox. Ports with higher priority will be processed earlier than the ports with lower priority, making the higher priority ports more important relative to other send ports within a single host.
    Refer:
    Send Port Priority
    The highest priority is 1, and the lowest is 10. The default value is 5.
    Rachit

  • How does the content repository differ from the ECM plugin capability

    How does the content repository differ from the ECM plugin capability such as Documentum? What are the different use cases? Which is the best to use for managing document uploads by users for association with a user's personal products/services?

    Content Repository is a standards-based, fully featured repository, included in all the editions of the Adobe Digital Enterprise Platform and Solutions. You can use it to store and access content, and execute a rich set of content services like search, authorization, etc. As such, it's ideally suited for all the content/document/asset-related needs of your applications. It offers the JCR API, plus access through a RESTful interface and WebDAV network drive (among others). Additionally, managing content in the Content Repository makes it immediately available for all the solutions that run on the platform.
    In essence, Content Repository is your go-to place to store and manage content in the Digital Enterprise Platform/Solutions. It is well suited to cater to your use case.
    The ECM Plugins (Connectors) are used if you have existing LiveCycle document services, and you have one of the ECM systems in your infrastructure used as archive. It allows you then to connect to such a 3rd-party system, and retrieve document for processing, as well as store them back for archiving.

  • How does the servlet implement the multi-thread feature?

    There is only one instance of every servlet in one web application.
    When several clients invoke the doPost() method of the same servlet, the servlet can process their requests respectively.
    So there are multiple threads of one servlet.
    But the Servlet doesn't implement the Runnable interface or extend the Thread class.
    I want to know, how does the servlet/servlet container implement the multi-thread feature?

    Hi johnnylzb
    There is only one servlet instance existing.
    (assuming you have <load-on-startup>1</load-on-startup>)
    The server creates a thread for every request ..
    and all the threads access the same servlet instance.
    For this it's not necessary for the Servlet to extend Thread or implement Runnable.
    hope this helps

  • How does the time machine work

    how does the time machine work....I need to find an older version of a document...

    Hi mogburn,
    Time Machine is part of the System software, not a feature of the word processing and page layout application, Pages, the topic in this community.
    That said, Time Machine is pretty easy to get into.
    In the Finder, open the folder containing the current version of the file.
    Select the file, then click on the Time Machine icon in the menu bar and choose Enter Time machine.
    The folder window will move to the center of the screen, and two arrows will appear near the lower right corner of the window.
    Click the one pointing back to go back in time, and the one pointing toward the front (of the computer) to return to the present. The display will stop at each saved version of the file along the way.
    Need more details? Try asking in the Mac OS X v10.6 Snow Leopard community.
    Regards,
    Barry

  • How does the server authenticate a print user?

    I don't fully understand how my XServe authenticates my clients for print access. If the XServe user account differs from the account on the client machine, does it still work? For example, if server account John Smith is allowed to print to a queue, will it still work if the client machine account is Johnny Smith?
    How does the XServe get the authentication info?

    Hi
    I might be able to shed some light on this. Is the printer you are managing a networked printer on the same IP address range as server and clients?
    If that's the case then you can print to the printer directly and bypass the server's print server anyway. You have to use different methods if you really want to lock the printer down and have users print to it by using the accounts specified in Workgroup Manager, and by implication using either PasswordServer or Kerberos authentication.
    You can do this a number of ways. If your server has two ethernet ports (which yours has) then place the printer on the other ethernet port that is currently not in use. There is no way for any of your clients to access this printer other than through the Server. If you have more than one networked printer, again utilise the other ethernet port, this time attach a small switch/hub of 5-8 ports (depending on how many printers you have) to the port and work it the same way.
    Hope this helps.
