LDAP as a user source in UME

Hi all,
We have a concern regarding the user source to be selected at UME level.
At CUP level you can also set the user source for user details.
Our questions here:
1) Is there any relationship between such user source configuration?
2) Which is the best practice here?
Many thanks in advance. Best regards,
   Imanol

Imanol,
if you're setting up UME to use ActiveDirectory as a data source you can set the CUP data source to UME and get at the AD users from CUP.
While I would advise linking UME to AD usually (if you do that there's no need to create users and passwords for new approvers), I would still create an LDAP connector for AD directly in CUP.
Only the LDAP connector will allow you to use ALL ActiveDirectory fields for custom fields and/or provisioning extended data into your ERP systems (location, room, department etc.).
Frank.

Similar Messages

  • LDAP as data source for UME

    Trying to use an SSL-enabled LDAP (Sun) as the data source for UME. It seems that I can't use SSL directly from GRC CUP 5.3. Followed the instructions in saphelp, but when I test the connection, it gives me "Connection test with user path failed". The following is the connection data in UME Config:
    Server Name:  10.56.17.20
    Server Port:     62636
    User:                cn=GMACApp_001,ou=Applications,dc=gm,dc=com
    Password:       <correct one entered>
    User path:        ou=People,dc=gm.dc=com
    Group path:      ou-Groups,dc=gm,dc=com
    Use SSL for LDAP Access is checked
    Use Unique Attribute is not checked
    I can connect to the LDAP using the same credentials with Softerra browser... Any ideas?

    Opened a message with SAP... the response was less than helpful... "we don't support SSL". When I pushed them with the responses I received from the forum, the reply was "we have never done this". There must be a way. I can't be the only person on the planet that has to connect to a corp LDAP with a secure port!! I have tried the trick of connecting an LDAP as a data source for UME, but with limited success. Seems when the LDAP + db is enabled, the UME URL is not available (error 503). So that's not working so well either.
    Any help will be appreciated.
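    The connection test in the post above fails on the user path while the same bind credentials work from Softerra, so a practitioner's first check is on the DN strings themselves. The following Python is an added example, not SAP code: it parses RFC 4514 string DNs and flags an RDN with no '=' and a value containing an unescaped '=' (what a ',' typed as '.' produces), run over the three DNs from the post.

```python
"""Sanity-check the DNs typed into a UME LDAP data-source configuration.

Added example, not SAP code.  parse_dn() splits an RFC 4514 string DN into RDNs
(backslash escapes and '+' multi-valued RDNs honoured); check_dn() flags an RDN
with no '=' and a value holding an unescaped '=' ('dc=gm.dc=com' is one RDN whose
value is 'gm.dc=com', i.e. a ',' typed as '.')."""
import re

ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")  # cn/ou/dc or an OID


def split_unescaped(text: str, sep: str) -> list:
    """Split on sep, skipping occurrences escaped with a backslash (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])          # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> list:
    """Return [[(attr, value), ...], ...], one inner list per RDN; ValueError if malformed."""
    rdns = []
    for rdn in split_unescaped(dn.strip(), ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDN: cn=a+sn=b
            if "=" not in ava:
                raise ValueError(f"RDN {ava!r} has no '=' separator")
            attr, value = ava.split("=", 1)
            attr = attr.strip()
            if not ATTR_RE.match(attr) or not value:
                raise ValueError(f"RDN {ava!r} is not of the form attribute=value")
            avas.append((attr, value))
        rdns.append(avas)
    return rdns


def check_dn(dn: str) -> list:
    """Return findings for one DN; an empty list means it parsed cleanly."""
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return [f"ERROR: {exc}"]
    findings = []
    for avas in rdns:
        for attr, value in avas:
            if len(split_unescaped(value, "=")) > 1:
                findings.append(f"WARNING: {attr}={value!r} contains an unescaped '=';"
                                " a ',' between RDNs was probably typed as '.'")
    return findings


def check_config(config: dict) -> dict:
    """Run check_dn over every DN-valued setting; keep only entries with findings."""
    return {n: f for n, f in ((n, check_dn(v)) for n, v in config.items()) if f}


UME_LDAP_SETTINGS = {  # the three DN-valued settings from the post above
    "User": "cn=GMACApp_001,ou=Applications,dc=gm,dc=com",
    "User path": "ou=People,dc=gm.dc=com",
    "Group path": "ou-Groups,dc=gm,dc=com",
}

if __name__ == "__main__":
    for name, findings in check_config(UME_LDAP_SETTINGS).items():
        print(name, "->", "; ".join(findings))
```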

  • How to create a user in J2ee UME, if LDAP configured?

    Hi SAP Gurus,
    I have a question for my J2EE engine. We configured LDAP for user storage, so that our users can use their normal LDAP user ID. Now I want to create an administrative user like J2EE_ADMIN or Administrator; these are standard users and present in the UME of the J2EE engine since the installation of my portal.
    But when I go to the user admin and want to create this new admin user, I get an error message that I'm not able to create it.
    I also tried to create the user via the Visual Admin and the J2EE Useradmin.
    So my question is, how can I create this new user in the UME and NOT in the LDAP???
    Thanks.

    Hi Marcel Haberland,
    If your idea is to have single sign-on, I would say the process is to create the user in LDAP itself; that will be the single point of entry. Since the UME is configured and connected to LDAP normally with read permission, your best bet will be to create the user in LDAP.
    SSO with  is configured to all your backend systems (trusts need to be configured between Java/Portal and all your backend systems by the Basis team); also the IDs need to exist in all the backends.
    Now to come back to your question:
    If you can login to the UME of portal/Java and create the user, do not expect it to appear in your LDAP,
    mainly because LDAP will never be configured in an Enterprise project as bidirectional (i.e. read/write); it will be read-only.
    Also, if the Basis/Portal team allows you the option to create the user in UME, they will have to restart the machine every time you need to point to a different data source, but I don't know if this is the case in EHP4 versions, because SAP claims with EHP4 downtimes are almost nullified.

  • ZCM can not connect to user source - LDAP to eDir

    Hello all,
    We had some issues with our ZCM 10.3.1.0 server this AM. It looks like it was caused by no space on our /var/opt partition.
    I had logged in and manually deleted a large old image file. I then restarted the ZCM server. Everything powers on and works as it should, except my user source cannot be contacted.
    When I try to login with one of my Admin users, we get the following error:
    "An error occurred while connecting to the user source. Please make sure the user source is accessible and try again."
    If I login as the Administrator of the Zone, I can see that the connection source is not connecting - unable to read contexts. The weird part is that I can connect through LDAP from other tools to the same source on port 636 - JXplorer works just fine.
    We are running ZCM on the same server as its database and I can use the LDAP browser built in to SLES 11 x64 and the same LDAP credentials work just fine.
    What else can I be looking at?
    I am really new to Linux so any help is appreciated.
    Steve D.

    Try removing the user source connection in ZCC and re add it.
    Thomas

  • Creation of User id in UME

    Dear All,
    I am facing the following problem when I try to create a User id using UME:
    "Current user has user creation permissions in the UME, but cannot create users in the back-end system (data source). The original and possibly untranslated message was: "No active writeable datasource found for user creation, check your Persistence Configuration."."
    Please help on this.
    Thanks & Regards,
    Venkat.

    Hi Prateek,
    Thanks for reply.
    I have assigned the roles SAP_BC_JSF_COMMUNICATION_RO & SAP J2EEADMIN to my user id and tried to create a user id in UME. But I was getting the same error.
    Can you please help on this.
    Regards,
    Venkat.

  • "Password has expired" for user created via UME API

    Hi,
    I have written a service that processes new user accounts and uses the UME API to create them. The code works fine on my local Sneak Preview installation of EP6 SP16, allowing the created users to logon and forcing them to change their password on first login.
    When I try and run this code on EP6 SP14 it completes without generating any exceptions, but when I try and login I get the message "Password has expired" and cannot login or change the user's password.
    Does anyone know why?
    I have the following UME settings for both servers:
    ume.logon.security_policy.password_change_allowed = TRUE
    ume.logon.security_policy.password_change_required = TRUE
    ume.logon.security_policy.password_expire_days = 99999
    The SP14 server also uses LDAP to authenticate users primarily and has the following setting:
    ume.persistence.data_source_configuration = dataSourceConfiguration_ads_deep_readonly_db.xml
    There are some other UME configuration differences but none that seem relevant to this problem.
    Can anyone suggest what the problem might be?
    Cheers,
    Steve Archer

    The XP machine is fine accessing the MB;
    it's the MacBook that is having a problem accessing the XP machine because it says that the password has expired,
    but there is no password for the user on the XP machine that I am trying to access from my MB.
    So that would be:
    XP to MB = fine, all working
    MB to XP = password expired even though no password is required for the XP user

  • SAP IDM - User Sync to UME Not Working

    Hi All,
    Currently we're planning to implement IDM 7.1 SP05 for ESS/MSS user password provisioning. We've done the basic configuration as per the guides, and HR Employers have synced to VDS and then to the SAP Master Identity Store.
    Now we want to sync these users back to the IDM UI to set up password provisioning as per the guide 'User management for the Identity Management User Interface'.
    However, every time we assign the PRIV:UME role to users it calls the Global Task Event 'Modified User'. However, as we understand it, it should call the Create UME User, Modified UME User or Delete UME User task, which will create users in IDM UME.
    Therefore users are not created in IDM UME, and the system also does not show enough log to analyse it. We've assigned the correct Privilege Task under PRIV:UME and it points to the Create, Modified and Delete UME tasks as well.
    Appreciate the support on same.
    Thanks.

    Dinesh
    Thanks for the response.
    But all you mentioned has been checked.
    keys.ini is fine (I had a problem with that before), the provisioning option is set, all tasks are checked that they're enabled.
    Simply when I assign PRIV:UME to a user, a "ModifyUser" log entry appears for the corresponding (successful) IDM user modification -> but that's it. Nothing else. No other job log, no system log, nothing in the log of the Java stack. Simply nothing. I don't know why the UME provisioning tasks are neither triggered nor ANY log entry appears. It's hard to continue analyzing when a system appears like a black box and absolutely no information is returned.
    I also failed at several attempts to call these tasks directly/from manual created tasks.
    These tasks "simply" do not react any more ..
    Regards
    Stefan

  • ZENworks user source login won't go away

    Not sure where the best place to put this is.
    ZCM 11.2.1
    Server 2008R2 - Embedded DB
    Win7 Clients - Not sure about XP, we're moving to Win7 only ASAP
    Active Directory
    When logging into a laptop and NOT connected to the domain LAN, it gets stuck on the Novell ZENworks user source login window indefinitely. I can try logging into the local machine and this happens every time.
    In my old environment, with Novell Client, I could click workstation only and get the ZENworks login and cancel.
    Not sure what to do to fix this or change the behavior.
    Suggestions? TIA!

    Originally Posted by farmeunitWPSD
    Sorry, gave up on getting help with this.
    After logging into AD, a "User Source Login" box appears in the upper left. There are no buttons or prompts at that point. Just the box. The box NEVER goes away. If we put the laptops to sleep instead of shutting down, then they can login normally. I found ONE thread about holding SHIFT down before hitting enter after entering login credentials. If they hold SHIFT until the ZENworks login box comes up, then they can cancel that and are logged in fine.
    Any chance they're using a wireless adapter and have it set to auto-connect?
    We have the same thing, but only on Windows XP being reported. Seems it only happens if the person has added a wireless network (XP has slightly different options from Windows 7) AND has it set to auto-login/connect.

  • 2 users sources

    Hi all, we have an environment with 2 user sources, 1 AD and one eDir, same users in both, synced with IDM. The AD is used for VDI users who have Windows 7 VDI computers with the ZENworks client logging in seamlessly and the Novell client logging in in the background. Everything well and fine, but now I would like to use eDir as the user source in the VDI environment too.
    It's no problem logging in as an eDir user in ZENworks, but I'm unable to get the seamless login to work.
    I have set preferred realm and seamless login in the registry (HKLM) but no joy; it still logs in as the AD user instead of eDir.
    Is there another way to force which realm to use?
    Best regards
    Lennart

    I would recommend an SR.
    I'm guessing that the preferred user source key is not being picked up
    and honored on your VDI setup.
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Technical Support Engineer
    Novell does not officially monitor these forums.
    Suggestions/Opinions/Statements made by me are solely my own.
    These thoughts may not be shared by either Novell or any rational human.

  • Moved user in User Source login prompt

    After moving a user in our AD User Source, that user gets prompted for ZCM credentials. I thought this was fixed in a previous version?
    ZCM 11.2.4
    Server 2012 AD

    Try this: https://www.novell.com/support/kb/doc.php?id=7012424
    You might need to do a registry change.
    Thomas

  • Link ECC roles to Portal roles (Portal is using LDAP source for UME)

    Hi all,
    If a user is assigned a certain ECC ABAP role, they should also receive a related portal role.  Our portal is using LDAP.
    If our portal ume source was an ABAP system, I think it would be easy to achieve the ECC to ABAP role linkage.
    We were thinking of developing a UME java webservice and have an ABAP proxy class consume it to allow our abap system to assign the correct portal role, and delete the portal role.
    Any other ideas?

    Rajendra,
    Thanks for your reply. Can you provide any more details as to the design of your solution with the web service? We are thinking of running a batch job nightly with some mapping table in ECC to determine what ABAP role should link to the portal group, then call the web service to add the user to the portal group or delete the user from the portal group.
    A second question is: does SAP Identity Manager offer any solution for this type of requirement?
    Thanks

  • Editing LDAP User attributes from UME interface

    Hi Gurus,
    We want to develop a solution with user management screens in WD. These screens will provide password reset and unlock functionality for users. Our users are stored in LDAP. Current connection to LDAP is in Read Only manner.
    I want to know
    1. How to enable the connection from UME to LDAP in read/write manner?
    2. What certificates need to be exchanged for write access? if any?
    3. What changes needs to be done in config file of UME?
    4. Which permissions should be granted for communication user to edit LDAP user attributes?
    Even after changing the LDAP connection to read/write, is it certain that if we lock a user from UME it will lock the LDAP user? Please comment.
    regards
    Kedar Kulkarni

    Hi,
    We are half way into our application between UME and LDAP. We have developed screens and tested in our internal server. In internal landscape, UME is connected to LDAP in read only fashion. So when we try to create User, it gets created in UME.
    But when we deploy the same application into the client landscape, we receive the error below:
    No data source feels responsible for principal. Please check the data source configuration
    Now we are not sure why this error is getting displayed.
    In client landscape there are 2 LDAPs connected to UME, with only one LDAP in read/ write access.
    Is there any way we can check which LDAP is being accessed by our code? Is there any concept of Default LDAP?
    Any code to access LDAP details will help us lot.
    regards
    Kedar Kulkarni

  • Adding LDAP User store to UME

    We need to authenticate users against an LDAP server.  This works fine from the workbench where the UME ContentSource is database_only.  However, the central WebAs (Netweaver 2004) was installed with ContentSource of r3_rw.  According to the documentation, a prerequisite to adding an LDAP user store is: "You have installed a SAP Web Application Server Java where the UME is configured to use the database of the J2EE Engine as data source."  Since our WebAS Java is not configured this way, is there any way, short of re-installing the server, to add an LDAP user store?  TIA,
    Steve

    Hi Steve,
    Once you choose an ABAP data source, there is no going back.
    You can however synchronize the ABAP with the LDAP server. Have the ABAP user management periodically import users from the LDAP server.
    -Michael

  • Ume + LDAP ADS lock users

    I'm working with EP6 SP12 with UME connected to an LDAP Microsoft ADS in read-write mode.
    I have set the attribute "ume.logon.security_policy.lock_after_invalid_attempts=5", and when a user fails to login with a wrong password 5 times it's locked.
    The issue is that the user is locked both in UME and in LDAP. Is it right? If yes, how can I unlock a user in UME and in LDAP too? When I unlock the user from UME it works fine from the UME side but it remains locked in LDAP. As a result this user is not able to login to the portal.
    Thanks a lot in advance.
    Tiziano

    I came across the same issue with my setup.
    I authenticate off of database + MS ADS read only. If a user locks themselves out, we have to unlock in portal and ADS.
    There is the option in the UME for read-write to ADS for users to be able to change passwords in the portal and have it replicate out to ADS. If you went that way I would do SSL for LDAP and open port 626 on your firewall as well.
    We do not have employees using our portal as their only means of getting to the network, so I do not allow them to change passwords via portal. I am sure that it would be safe, but the thought of opening up something else on the firewall scares me.

  • LDAP Config File - data source not initialized

    Hi,
    We have altered our LDAP config xml file to deal with an LDAP with multiple branches. This was done previously and was working fine. We have just changed it again as another branch was added. Now if someone enters the wrong password on the login screen they get this error message
    Unknown message (ID = data source CORP_LDAP_CONSULTANTS not initialized
    rather than the usual try again message. Looking in the UME logs there are also lots of warnings about the new data source id (CORP_LDAP_CONSULTANTS) not being initialized. And we also can no longer add new groups or users.
    Any thoughts?
    Think we may have fixed that problem. Wrong authorizations? But now we get a whole new problem. During startup of the portal our error_logs get a whole series of messages about NameNotFoundException around groups and users. Looking closely, some of the user domains don't even exist in the LDAP any more.
    Also when we try and add a user we get an error saying "PersistanceException: No Data Source feels Responsible for principal!"
    ANY PEARLS OF WISDOM
    We are on EP6 SP2

    Hi guys,
    I'm running into exactly the same issue. The problem seems to occur only when the report being accessed by guest is a file data source. The only other option I could think of is setting up SSO for BIP and the application issuing the URL to the report.
    Couldn't find anything else in the documentation or known issues list that might fix this without having to set up Single Sign On. Any further luck with your investigation? I'd appreciate any feedback.
    Thanks
    Jonathan Cruz
