LDAP (ADS Read-only) as UME Datasource

Hi Gurus!
We have configured MS Active Directory (Read only) as our UME Datasource.  When I look in the logs in NWA (Last 24 hours) I get the following error:
application [webdynpro/dispatcher] Cannot send an HTTP error response [500 Application error occurred during request processing. (details: java.lang.NullPointerException: null)].
The error is: com.sap.engine.services.servlets_jsp.server.exceptions.WebIOException: An attempt to write after the stream had been closed.
Exception id: [0003BA7EDA0D002000000003000067A800044F969D23BA8F]
My theory:
  1. Maybe the Portal is trying to write to AD and giving this error.  Since the AD is read only it is giving this error.
  2. The log time is the same as my login time; so it may be trying to log my last logged time (last successful login) onto my user record and failing.
Does my theory hold water? Can you gurus suggest other theories or resolutions?
Thanks upfront!
  Pratik

Hi,
That's my question and I answered it. It is a different issue.
Thanks,
  Pratik

Similar Messages

  • Configuring portal to authenticate to MS ADS read only

    I am trying to get my portal to authenticate
    I can browse the LDAP from the portal UM config screen, but when I try to authenticate as a user in the LDAP, no luck.  Also when I do a search in user admin, I get no results?  There is at least one user in the ou=people
    Also I can only bind in the UM config screen as user@domain
    And the um config does not retain the password

    Hi Jeremy,
    Did you set the datasource to Read-Only Microsoft ADS (Flat hierarchy) + Database?
    Did your System admin create a permanent user account (let's say sapldap) in MS ADS with domain admin privileges?
    Switch to LDAP Tab in UM Configuration and specify
    Server Name - <LDAP Server Name>
    port - 389 (Usually)
    User - cn=sapldap,OU=Accounts,DC=<Domain name>,DC=com
    password - <sapldap password>
    User Path - OU=UserAccounts,DC=<Domain name>,DC=com
    After specifying the parameters, save the changes so as not to lose the data. Use 'Test Connection' to see whether Portal can talk to MS ADS.
    Once connection is successful, save all the changes and restart the server and you are all set.
    Hope this helps,
    Thanks,
    Praveen
    PS. Don't forget to reward points.

  • Does WLS 8.1 support external ldap in read-only or full read/write?

    In previous releases (e.g. 5.1, 6.1), WLS doesn't provide support for update operations such as creating users and groups when configured to use an external LDAP.
    Has this changed in 8.1? In other words, does WLS 8.1 provide support for update operations?
    Thanks.
    Regards,
    Alan Dupuis

    Hello ,
    Like earlier releases, WLS 8.1 too provides read-only access to External LDAP user database.
    Kuldeep Singh.

  • Ume + LDAP ADS lock users

    I'm working with EP6 SP12 with UME connected to an LDAP Microsoft ADS in read-write mode.
    I have set the attribute "ume.logon.security_policy.lock_after_invalid_attempts=5" and when a user fails to log in with a wrong password 5 times, it's locked.
    The issue is that a user is locked both in UME and in LDAP. Is it right? If yes, how can I unlock a user in UME and in LDAP too? When I unlock the user from UME it works fine from the UME side, but it remains locked in LDAP. As a result, this user is not able to log in to the portal.
    Thanks a lot in advance.
    Tiziano

    I came across the same issue with my setup.
    I authenticate off of database + MS ADS read only.  If a user locks themselves out, we have to unlock in portal and ADS.
    There is the option in the UME for read-write to ADS for users to be able to change passwords in the portal and have it replicate out to ADS.  If you went that way I would do SSL for LDAP and open port 626 on your firewall as well.
    We do not have employees using our portal as their only means of getting to the network, so I do not allow them to change passwords via portal.  I am sure that it would be safe, but the thought of opening up something else on the firewall scares me.

  • UME as LDAP read only, what is the password

    Hi,
    If the portal or Java instance is set up as UME = LDAP read only + database pointing to AD and the user is then assigned roles/groups in the Java UME with access to allow logon.
    1. What is the password of the users to use?
    2. I know the AD password is definitely not synchronised as it is one way encrypted. Does the user need to be set a new password in portal to log in with?
    3. Will this password be stored on the Java UME only?
    4. What happens if the user's AD password changes, will it affect the password stored in the Java UME?
    Thank you.
    John

    Hello John,
    since we use that setting, too, let's see what I can tell you. ^^
    1. What is the password of the users to use?
    > The password of their AD-account.
    2. I know the AD password is definitely not synchronised as it is one way encrypted. Does the user need to be set a new password in portal to log in with?
    > No, they can directly use their AD-account (username and password).
    3. Will this password be stored on the Java UME only?
    > I'm not sure, but I'd say "no". I don't think it is stored in the UME (since the LDAP is connected and the information about the account and password status come from there).
    4. What happens if the user's AD password changes, will it affect the password stored in the Java UME?
    > If the user changes his/her AD-password, then he/she can log on to the portal with that new password immediately. So I don't think there is any connection to the portal UME database.
    Regards,
    Steffi.

  • CUP 5.3 with SAP EP 7.0 (UME as LDAP Read Only)

    Hi experts,
    I have a simple question to figure out whether or not it's possible to :
    - use CUP 5.3 to ONLY assign UME portal groups on EP 7.0, considering the fact that my portal has UME as Read-only LDAP?
    SAP Notes and SAP docs (including How-to Configure SAP BusinessObjects Access Control .3 for SAP NetWeaver Portal 7.0) don't provide an answer for this.
    If you follow the documentation with a Portal UME as read-only, you will have an error like : "Can not modify firstname attribute on Active Directory..."
    To sum up
    - EP 7.0 has UME = Read-only LDAP
    - CUP 5.3 has UME = Read-only LDAP
    - We want to use CUP to assign portal groups without modifying users file. According to documentations and previous posts on SDN it seems that everyone has write access on the Active Directory servers. What if we don't?
    Many thanks for your answers

    Problem was solved implementing patch 2 for GRC 5.3 - SP08
    VIRAE08P_2-20002300.SCA   Patch for VIRAE 530_700 SP08
    The issue mentioned in my above message was described in SAP note 1168508

  • Revertion of Portal UME from LDAP to DB Only

    Hello All Portal Gurus,
    I have one query. Can I revert back my Portal UME database from LDAP read only + DB configuration to DB only? I know the default configuration of the UME after installation remains DB only. But if we change it to LDAP ADS readonly, then can we change it back to DB only by any means or by any action?
    Need the suggestions from Portal Gurus...
    Thanks in Advance
    Regards
    Srinivas

    Hi Srinivas,
    how did you try to reset the UME settings? Using portal system administration?
    If yes, go for the config tool. For further help see:
    Configuring UME: http://help.sap.com/saphelp_nw70/helpdata/EN/eb/00954081efb90ee10000000a155106/frameset.htm
    HTH,
    Carsten

  • Access read-only LDAP for username/password, Directory Server LDAP for rest

    Hello! I keep trying to find documentation on the above, but thus far I have been unable to find something that explains this well (and my attempts at figuring out thus far have failed).
    I have a read-only LDAP that is used University wide, and I am not allowed to change how it currently operates. It uses double-bind authentication in that you search for a user to get their DN, then bind to that DN with the users password to see if it was correct.
    I'd like to use the above setup to verify a user's credential as well as return some basic information about them (name, email, etc). After this, I'd like to use another freshly installed Directory Server LDAP to manage the roles that seem to be needed for Portal Server (as I cannot write to the original LDAP).
    Any help or advice on the above would be appreciated! Thank you.

    The authentication you described is the default way LDAP authentication works.
    AM LDAP auth-module allows you to 'pull' attributes from the LDAP server you're using for authentication and store it in its 'amSDK' Directory Server - which is leveraged by Portal Server (if you're talking about Sun's Portal Server).
    However this is only done if the profile is created (set 'dynamic profile generation' in auth - service).
    As Portal Server does not support the new 'identity repository API' of AM you have to stick to AM's legacy mode when using Portal Server.
    To keep the data in sync (if needed) you have to write a post-auth class.
    -Bernhard

  • MS Active Directory 2008 as UME datasource for AS Java

    Hello,
    We are running SAP EP on top of a SAP AS Java using LDAP certification, so users
    from MS Active Directory 2003 domain are trusted by the Portal
    I've now a problem with the version upgrade of MS Active Directory from 2003 to 2008,
    it seems only SAP AS ABAP supports MS AD 2008, and our instance is JAVA only
    Note 983808 - "Certified LDAP servers" also confirm this
    Do you know if AD 2008 is supported, if any note has been released about this and
    any document to help me with this issue?
    thanks in advance!
    Rafael

    Hi Patrick, thanks for the answer
    I checked the note and it refers about Windows 2008 and a scenario with SSO, that's not our case.
    We just have AD as a LDAP UME datasource, users must still pass user and password which
    is then checked and then login is authorized
    you mentioned AD 2008 is supported for Netweaver AS Java, could you send me any document
    or note with procedures or anything for configuring it ?
    kind regards,
    Rafael

  • LDAP as data source for UME

    Trying to use a SSL enabled LDAP (Sun) for data source for UME.  It seems that I can't use SSL directly from GRC CUP 5.3. Followed the instructions in saphelp, but when I test the connection, it gives me "Connection test with user path failed". The following is the connection data in UME Config:
    Server Name:  10.56.17.20
    Server Port:     62636
    User:                cn=GMACApp_001,ou=Applications,dc=gm,dc=com
    Password:       <correct one entered>
    User path:        ou=People,dc=gm.dc=com
    Group path:      ou-Groups,dc=gm,dc=com
    Use SSL for LDAP Access is checked
    Use Unique Attribute is not checked
    I can connect to the LDAP using the same credentials with Softerra browser....Any ideas?

    Opened a message with SAP....the response was less than helpful..."we don't support SSL". When I pushed them with the responses I received from the forum, the reply was "we have never done this".  There must be a way.  I can't be the only person on the planet that has to connect to a corp LDAP with a secure port!! I have tried the trick of connecting a LDAP as a data source for UME, but with limited success.  Seems when the LDAP + db is enabled, the UME URL is not available (error 503). So that's not working so well either.
    Any help will be appreciated.
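
A syntax check for the distinguished names in the connection data quoted in the thread above, as an added example that is not part of the original posts and not SAP code. It treats an unescaped '=' inside a value and a base that differs from the bind user's as findings (the second is a heuristic, since a bind account can live under another naming context); the dictionary keys are hypothetical names and the values are copied as typed in the post.

```python
import re

# Attribute type: short name (cn, ou, dc) or dotted numeric OID.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def split_unescaped(text, sep):
    """Split text on sep, ignoring separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def lint_dn(dn):
    """Return findings for one DN string; an empty list means it parsed cleanly."""
    findings = []
    for rdn in split_unescaped(dn, ","):
        # A multi-valued RDN joins type=value pairs with '+'.
        for pair in split_unescaped(rdn.strip(), "+"):
            if "=" not in pair:
                findings.append(f"'{pair}' is not type=value (no '=')")
                continue
            attr, value = pair.split("=", 1)
            if not ATTR_TYPE.match(attr.strip()):
                findings.append(f"'{attr}' is not a valid attribute type")
            if not value:
                findings.append(f"'{pair}' has an empty value")
            elif len(split_unescaped(value, "=")) > 1:
                findings.append(f"'{pair}' has '=' inside the value; missing ','?")
    return findings


def base_suffix(dn):
    """Trailing dc= components, lower-cased, e.g. ['dc=gm', 'dc=com']."""
    suffix = []
    for rdn in reversed(split_unescaped(dn, ",")):
        rdn = rdn.strip().lower()
        if not rdn.startswith("dc="):
            break
        suffix.insert(0, rdn)
    return suffix


def check_config(cfg):
    """Lint every DN field and compare its base with the bind user's base."""
    expected = base_suffix(cfg["user"])
    report = {}
    for field in ("user", "user_path", "group_path"):
        findings = lint_dn(cfg[field])
        if base_suffix(cfg[field]) != expected:
            findings.append("base differs from bind user's " + ",".join(expected))
        report[field] = findings
    return report


# Values as typed in the post; the dict keys are hypothetical names.
POSTED = {
    "user": "cn=GMACApp_001,ou=Applications,dc=gm,dc=com",
    "user_path": "ou=People,dc=gm.dc=com",
    "group_path": "ou-Groups,dc=gm,dc=com",
}

if __name__ == "__main__":
    for field, findings in check_config(POSTED).items():
        print(field, "OK" if not findings else findings)
```

Running such a check over the values before saving them separates a malformed search base from a TLS or port problem when a connection test fails.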

  • Read only access to J2EE related tools

    Hello,
    I would like to help our auditors access everything they need to check in the Java systems, but I am not ready to give them ADMIN accounts. That's why I need some kind of read only access for them.
    So I would like to ask you if there is a SAP Note about the read only access roles for J2EE/ Java AS?
    I am afraid there is no such note available, so can anybody share any experience with granting read only access to the Java system? I know how to grant access to the whole NWA, but what about the rest?
    Examples:
    - is there a way how to grant read only access only to the UME?
    - is there a role for read only access to the portal PCD?
    - is there something similar for KM access?
    Or has anybody ever tried to split the admin roles into smaller pieces? Is there a description/ document how to do such thing?
    Thank you for your time and effort,
    cheers Otto

    Hi,
    thanks for trying, but I can use help.sap.com and was on that page before.
    Maybe if there were any examples there or better: if the whole thing would be more granular (I see no point in using roles starting with SUPER, containing ADMIN or ending with ALL). I am looking for roles for surgery or for auditing. I don't want to give anybody these super/admin/all roles just like that.
    If you can suggest how to use that page, that would be cool. Otherwise I see no use.
    By the way: another question of mine about surgery: How to restrict access to download/ upload UME configuration file
    I would like to know how to control access to this specific feature, nothing else.
    Thanks for the time and effort,
    cheers Otto

  • Re: Read only List-Field

    I'm not sure if this is what you're asking, but here it goes...
    Create a custom domain with IntegerNullable as the SuperClass
    From the properties of the custom domain, select Droplist or scrollist as the formwidget. Click on properties beside the formwidget label
    and datafill the matrix:
        Male    1
        Female  2
    Your widget will then popup with the choices Male and Female for your
    users to chose from. You can also dynamically set the contents of
    the list by using SetElementList method on the droplist or scrollist.
    Check out the documentation for more info on manipulating the contents
    of the list.
    I use Express, so I would set this in the Business Model.
    If you use straight Forte, you probably select a DomainWidget from the
    Window workshop once you've created the custom domain.
    Hope this helps.
    Regards,
    Peter Kelly
    Peter Kelly, Software Designer
    CrossKeys Systems Corporation
    Crosskeys Centre, 350 Terry Fox Drive
    Kanata, Ontario, Canada K2K 2W5
    (613) 591-1600 Ext. 8247
    [email protected]
    [email protected] wrote:
    >
    HI Folks
    It seems to me that there should be an easy answer to the following
    problem, so much so that I feel foolish for submitting it. However, since
    this is my first posting, it is usually o.k. to be a dimwitted idiot.
    Is there any way to have a list field (i.e. scroll list or drop list) that
    doesn't display the icon at the right side of the box (the drop arrow or
    scroll icon).
    We wish to display an item from the list in a read-only fashion, thus there is
    not any need to display the list, just the corresponding item from the
    list.
    Since we are displaying the records in an array and the array field is
    mapped to an object that corresponds to the database table, extra fields
    for translation, including virtual attributes, in that object foul up the
    writing to that database table. And, of course, the Drop list adds some
    vertical height to the array field, screwing up the esthetic beauty of the
    screen.
    Thanks for reading this.
    -later
    -labeaux
    [email protected]

    Gediminas 
    Datasource, extract structure and append structure(if any) not transported properly.
    Try to collect again and retransport and replicate.
    Check at RSA3 in QA system, now fields are visible or not.
    Srini

  • Address Book in Lion Server....Read Only

    Hi,
    Is there a way to make the addressbook server read only (meaning it can't be edited)?
    Last year, I set up a Lion Server for a company that will serve as an Addressbook server for them and at the same time
    configure their devices via Profile manager. Problem is every now and then, clients unintentionally add addresses or delete
    some of the addresses (phone numbers) in that addressbook, resulting in frequent remakes of the company's shared addressbook.
    Here is my desired setup:
    An addressbook that only the admin can make a change to (add/delete contacts).
    I'm looking into LDAP as an addressbook but I'm not familiar with it.
    Thanks in advance...

    Did anybody answer back to you yet about how to set up READ/CREATE/EDIT/DELETE rights on the Address Book Server? We have had people in our company erasing entries on shared address books so many times that we are thinking about switching back to Windows.... I mean come on people at Apple, these were the basics back in the days of DBase, how can they be missing today... I have trouble comprehending this way of thinking!
    I found this site on the net which looks somewhat like what I am looking for, but this seems to influence the whole server, I need this on address book level though:
    http://jumboframe.net/jumboframe/making-the-apple-address-book-server-a-read-o
    Help!

  • InDesign lock files, read only permissions...

    I've had this strange problem for over a year now, unsure as to why it was happening. Now I've realized what the problem is, but I don't know how to fix it.
    We build ads in InDesign. Production, who builds the ads, has basically full control to the ads network drive. Sales, on the other hand, has only read access. They want to print ads out on occasion, but I don't want them to be able to screw the ad up by mistake (they know just enough to get the ad to print).
    Here's the problem...
    Someone on sales opens an ad. Well, they don't have create or write permissions (Win 2003 server, XP workstations). So the InDesign lock file is never created. But they do obtain a read lock on the file on a Windows/OS level.
    So what happens is, the production staff opens the ad while the sales person opens the ad. There's no lock file, so the production person isn't warned that the file is open. But because there's an OS lock on the ad, the ad opens for the production staff, but it opens as read only.
    My first problem is that I don't know how to fix this without giving our sales people full access, which I cannot do. The second problem is that any app that happens to access those files (shadow copy perhaps???) will cause the same headache for the production staff, as there is contention to the file.
    So I'm in a catch-22 here. I'm wondering if any of you have been in the same boat and know if there is a work around.
    We're using InDesign 3 (CS) on XP.

    Or export to PDF every time the ad is updated, and only give them access to the PDFs through Reader - keep them away from InDesign completely. If you are only giving them InDesign to view ads, you could save money on unnecessary InDesign licenses.
    k

  • Is the Get View  of  Workflow Service really read-only?

    Hi all,
    When I dragged 'Get View' from Workflow Services to the workflow panel, its comment says: Get a read-only view. However, I did create a simple workflow to update user's information, using getView instead of checkoutView to fetch the user view, and it seems that 'Get View' returns an updatable user view. Here I post part of that workflow, please help me to get it clear!
          <Activity id='3' name='Get User View' hidden='true'>       
            <Variable name='view'/>
            <Action id='0' application='com.waveset.session.WorkflowServices'>
              <Argument name='op' value='getView'/>
              <Argument name='viewId'>
                <concat>
                  <s>User:</s>
                  <ref>accountId</ref>
                </concat>
              </Argument>
              <Argument name='type' value='User'/>
              <Return from='view' to='user'/>
            </Action>
            <Transition to='Update User Info'/>
            <WorkflowEditor x='249' y='100'/>
          </Activity>
          <Activity id='4' name='Update User Info'>       
            <Action id='0' name='set user department'>
              <expression>
                <set name='user.waveset.organization'>
                  <ref>user.accounts[SDCHR].department</ref>
                </set>
              </expression>
            </Action>
            <Action id='1' application='com.waveset.session.WorkflowServices'>
              <Argument name='op' value='checkinView'/>
              <Argument name='view' value='$(user)'/>
            </Action>
            <Transition to='end'/>
            <WorkflowEditor x='378' y='143'/>
          </Activity>
    Thanks,
    R.
    Thurm

    That is my understanding as well. Technically you can modify Get View and check it back in, but this is bad practice for the reasons stated above (no lock placed on the user). Get View is better used if you need to read information about a user that is unlikely to change, but do not plan on modifying the user (for example: to check to see if the user has a certain LDAP object class which allows them access to some requested resource/activity).
