LDAP authentication with R/3
hi!
After a long, long search I could not find out how to implement LDAP authentication for SAP R/3. To be honest, I'm not an expert in R/3 Basis; for Web AS / EP I would know how to do it.
Due to several network & security reasons we don't like to use the single sign-on or the LDAP synchronization functionality.
The only thing we would use LDAP for is just to authenticate the user. Unfortunately, our LDAP users are not the same as the SAP users (8 chars in SAP, longer in LDAP). What the system should do is:
- ask for username (SAP, 8-char) and password (LDAP)
- map SAP username to LDAP username (e.g. by the SAP alias name or external username in USR15)
- connect to the LDAP directory and find out whether user/password is correct
- if correct, log the SAP user in
- that's all
Any ideas?
Thanks,
Markus
Hi,
It can be done. It all depends a bit on what kind of platforms you want to use it on.
We're currently in the middle of introducing a Shibboleth CUA for all our systems, SAP or non-SAP. That means that one needs to authenticate to a central server and via SSO you will have access to the applications.
For SAP, that'll mean that we no longer login via a SAP GUI, but via the EP that authenticates against this CUA. Once logged in, one can launch a SAP GUI script that allows you to work on the SAP R/3 server.
Have also a look at http://shib.kuleuven.be/
Alternatively, you can set up a UME. See http://help.sap.com/saphelp_nw2004s/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm for this.
Eddy
PS.
Put yourself on the SDN world map (http://sdn.idizaai.be/sdn_world/sdn_world.html) and earn 25 points.
Spread the wor(l)d!
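The flow Markus describes (short SAP id in, LDAP password checked, then the SAP user is logged in) as an added example; this is not code from the thread or from SAP. The alias lookup and the LDAP bind are injected callables with a constructed fake directory so it runs offline; with python-ldap the bind would wrap simple_bind_s on a real connection.

```python
"""Added example (not from the thread): authenticate a short SAP user id against
an LDAP directory after mapping it to the (longer) LDAP uid, as Markus describes.
The alias lookup and the bind are injected callables so the flow runs offline;
with python-ldap the bind would wrap ldap.initialize(...).simple_bind_s(dn, pw).
"""
from typing import Callable, Optional

# RFC 4514 characters that must be escaped inside an RDN attribute value.
_DN_ESCAPE = {',': r'\,', '+': r'\+', '"': r'\"', '\\': r'\\', '<': r'\<',
              '>': r'\>', ';': r'\;', '=': r'\=', '\x00': r'\00'}


def escape_rdn_value(value: str) -> str:
    """Escape a value for use in a DN so a crafted alias cannot alter the bind DN."""
    out = ''.join(_DN_ESCAPE.get(ch, ch) for ch in value)
    if value.startswith((' ', '#')):      # leading space / '#' need a backslash
        out = '\\' + out
    if value.endswith(' '):               # trailing space needs a backslash too
        out = out[:-1] + '\\ '
    return out


class AuthError(Exception):
    """Raised when the user must not be logged into SAP."""


def authenticate_sap_user(sap_user: str,
                          password: str,
                          lookup_ldap_uid: Callable[[str], Optional[str]],
                          bind: Callable[[str, str], bool],
                          user_base: str = 'ou=People,dc=example,dc=com') -> str:
    """Return the normalised SAP user id if the LDAP bind as the mapped user succeeds."""
    sap_user = sap_user.strip().upper()          # SAP user ids are stored upper-case
    if not 1 <= len(sap_user) <= 8:              # 8-char SAP ids, per the post
        raise AuthError('invalid SAP user id')
    # An LDAP simple bind with a DN and an EMPTY password is an *unauthenticated*
    # bind (RFC 4513 5.1.2) that many servers answer with success; reject it here.
    if not password:
        raise AuthError('empty password')
    ldap_uid = lookup_ldap_uid(sap_user)         # e.g. alias / external name in USR15
    if not ldap_uid:
        raise AuthError(f'no LDAP mapping for SAP user {sap_user}')
    dn = f'uid={escape_rdn_value(ldap_uid)},{user_base}'
    if not bind(dn, password):
        raise AuthError('LDAP bind failed')
    return sap_user                               # caller now opens the SAP session


# --- constructed sample data for an offline run (not real accounts) -------------
ALIAS_TABLE = {'MMUELLER': 'markus.mueller', 'JDOE': 'john.doe'}
FAKE_DIRECTORY = {                              # dn -> password
    'uid=markus.mueller,ou=People,dc=example,dc=com': 'correct horse',
    'uid=john.doe,ou=People,dc=example,dc=com': 'battery staple',
}


def fake_bind(dn: str, password: str) -> bool:
    """Stand-in for the real simple bind: success only on an exact dn/password match."""
    return FAKE_DIRECTORY.get(dn) == password


if __name__ == '__main__':
    print(authenticate_sap_user('mmueller', 'correct horse', ALIAS_TABLE.get, fake_bind))
    for user, pw in [('mmueller', ''), ('mmueller', 'wrong'), ('nobody', 'x')]:
        try:
            authenticate_sap_user(user, pw, ALIAS_TABLE.get, fake_bind)
        except AuthError as exc:
            print(f'{user!r}: rejected ({exc})')
```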
Similar Messages
-
LDAP connection with WebLogic console and authentication with Java
Hello,
I want my web application to use LDAP authentication for users and have all parameters (host, port, base, ...) configured by the WebLogic console.
I managed to do it by security-->realms-->...., but now I want to perform authentication in my Java code.
I don't know how to realize it because I don't know how to use my LDAP connection in Java code without redefining the parameters in my code...
Can anyone help me please?
Thanks a lot for your help.
Hey,
on a windows server system you have to put the target system CA Certificate in the local Trusted System Certificate Store of Microsoft Server. Then the connection should work.
On a Java System you have to put the CA in the Key Storage of the SAP System.
I think on Unix you could use the SAPCRYPTOLIB to place the CA in the abap system.
Kind regards,
Sven Walter
-
LDAP Synchronisation with CUCM with multiple forest
Hello,
We have CUCM 10.5.
We want to add multiple forests in CUCM (we have multiple companies with different domain names) using LDAP authentication so all the user/password sync with CUCM.
We have as distinguished name CN=xxxx,CN=Users,DC=xxx,DC=local and for search base CN=xxxx,CN=Users,DC=xxx,DC=local.
Can we add in the distinguished name and search base the information for multiple forest using the same username/password?
If it not possible is there an easy way to achieve that?
Any help would be appreciated.
Thank you
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/directry.html#pgfId-1133454
-
Create external LDAP authentication to SAP via Web Dynpro
Hi Guys,
I have a requirement where I have to create access to SAP via external LDAP authentication. It is similar to how the Enterprise Portal works, but I want to achieve it without the portal.
The user will enter his LDAP user and password and I will check via LDAP connector to grant access to SAP.
The only problem I have is to switch to the SAP user without knowing the SAP password. That's why I need external authentication.
I have been told by a Basis expert that I could use Java to achieve this. I have also got the Java code that the Enterprise Portal uses.
Am I on the right way? Can anybody advise me?
Thanks and best regards
Ali
Hi,
Refer this link and SAP Note
[SAP GUI for HTML|http://help.sap.com/saphelp_nw04s/helpdata/en/47/4b0902d84818c9e10000000a114a6b/frameset.htm]
SNote: 517484
Regards
Preethish
-
EN4093R LDAP authentication and authorization
Hi, I want to configure LDAP authentication and authorization. Can anyone help me to configure this? In my test environment I want to give our Domain Admins access to our switches. I found only basic configuration in the user manual but I got no information on configuring groups. Could I configure two or more groups to access the switch?
What type of LDAP server are you using? Microsoft Windows 2012 or 2008? I got a problem with 2012 not giving the groups back with some users.
Same problem as
https://supportforums.cisco.com/message/3866327#3866327
debug ldap 255
shows correct values with one user that is working:
[196] Authentication successful for Administrator to 192.168.20.80
[196] Retrieved User Attributes:
[196] objectClass: value = top
[196] objectClass: value = person
[196] objectClass: value = organizationalPerson
[196] objectClass: value = user
[196] cn: value = Administrator
[196] description: value = Vordefiniertes Konto f..r die Verwaltung des Computers bzw. der Dom..ne
[196] distinguishedName: value = CN=Administrator,CN=Users,DC=xxxx,DC=local
[196] instanceType: value = 4
[196] whenCreated: value = 20081201134058.0Z
[196] whenChanged: value = 20131126141559.0Z
[196] displayName: value = Administrator
[196] uSNCreated: value = 12298
[196] memberOf: value = CN=G_SSLVPN,OU=Service,OU=Groups,OU=XXXXX,DC=XXXX,DC=local
[196] mapped to Group-Policy: value = ssl_admin
[196] mapped to LDAP-Class: value = ssl_admin
One user that is not working:
no entries with memberOf in debug
[190] Authentication successful for sdag to 192.168.20.80
[190] Retrieved User Attributes:
[190] objectClass: value = top
[190] objectClass: value = person
[190] objectClass: value = organizationalPerson
[190] objectClass: value = user
[190] cn: value = sdag
[190] distinguishedName: value = CN=sdag,OU=Lieferanten,OU=Users,OU=xxxx,DC=xxxxxx,DC=local
[190] displayName: value = sdag
[190] homeMTA: value = CN=Microsoft MTA,CN=SRVSBS01,CN=Servers,CN=erste administrative gruppe,CN=Admini
[190] proxyAddresses: value = smtp:sdag@xxxx
[190] proxyAddresses: value = SMTP:sdag@xxxxx
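An added example (not from the post or from Cisco) that parses `debug ldap 255` output of the shape shown above and flags authenticated users whose returned attributes carry no memberOf, which is why no group policy gets mapped for them. The sample log below is constructed from the line shapes in the post, with placeholder DNs and addresses.

```python
"""Added example (not from the post): parse ASA-style `debug ldap 255` output and
report, per authenticated user, which memberOf values came back and whether a
group-policy mapping fired. A user whose retrieved attributes carry no memberOf
cannot be authorized by group, which is the symptom shown above. The sample log
is constructed from the line shapes in the post (placeholder DNs and addresses).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_DEBUG = """\
[196] Authentication successful for Administrator to 192.0.2.10
[196] Retrieved User Attributes:
[196] objectClass: value = top
[196] objectClass: value = user
[196] cn: value = Administrator
[196] memberOf: value = CN=G_SSLVPN,OU=Service,OU=Groups,OU=EXAMPLE,DC=example,DC=local
[196] mapped to Group-Policy: value = ssl_admin
[196] mapped to LDAP-Class: value = ssl_admin
[190] Authentication successful for sdag to 192.0.2.10
[190] Retrieved User Attributes:
[190] objectClass: value = top
[190] cn: value = sdag
[190] distinguishedName: value = CN=sdag,OU=Lieferanten,OU=Users,OU=example,DC=example,DC=local
[190] proxyAddresses: value = smtp:sdag@example
"""

# Every debug line is prefixed with a [nnn] session id; attributes follow the auth line.
_AUTH_RE = re.compile(r'^\[(\d+)\] Authentication successful for (\S+) to (\S+)$')
_ATTR_RE = re.compile(r'^\[(\d+)\] (?:mapped to )?([\w-]+): value = (.*)$')


@dataclass
class LdapSession:
    session_id: str
    user: str
    server: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)

    @property
    def groups(self) -> List[str]:
        return self.attributes.get('memberOf', [])

    @property
    def group_policy(self) -> Optional[str]:
        mapped = self.attributes.get('Group-Policy')
        return mapped[0] if mapped else None


def parse_debug(text: str) -> List[LdapSession]:
    """Group attribute lines by the [nnn] session id that prefixes each debug line."""
    sessions: Dict[str, LdapSession] = {}
    for line in text.splitlines():
        m = _AUTH_RE.match(line)
        if m:
            sid, user, server = m.groups()
            sessions[sid] = LdapSession(sid, user, server)
            continue
        m = _ATTR_RE.match(line)
        if m and m.group(1) in sessions:
            sid, name, value = m.groups()
            sessions[sid].attributes.setdefault(name, []).append(value)
    return list(sessions.values())


def users_without_groups(sessions: List[LdapSession]) -> List[str]:
    """Users that authenticated but received no memberOf, so group-based authz cannot apply."""
    return [s.user for s in sessions if not s.groups]


if __name__ == '__main__':
    for s in parse_debug(SAMPLE_DEBUG):
        print(f'{s.user}: groups={s.groups} group_policy={s.group_policy}')
    print('no groups returned:', users_without_groups(parse_debug(SAMPLE_DEBUG)))
```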
How to configure ldap.ora with multiple ldap contexts
Hello.
My company has recently taken on another environment with its own LDAP configuration. It's a bit tedious to have to keep switching my ldap.ora between both LDAP configurations. Are there any good suggestions for allowing me to search both LDAP configurations (2 separate LDAP setups, with 2 default contexts)? Or is there a smooth way to populate 1 LDAP with the other's data? Or perhaps some form of redirect on one LDAP to the other LDAP server for queries?
Some basic info: LDAP is Oracle OID version 10gR2
Please let me know if you have any useful ideas...
Hi,
Here is the list of OVD benefits:
1. Easy to set up and manage via our Management client;
2. Unifies multiple directories into a single access point;
3. Normalizes and unifies multiple directories;
4. Directly accesses remote repositories;
5. Allows a unified view of an entry using data from multiple repositories;
6. Can act as an LDAP proxy and firewall.
Why can you not use OVD to improve these? Read: LDAP to the other LDAP server for queries, allowing you to search both LDAPs?
I hope this helps.
Thiago L Guimaraes
-
Error in authentication with ldap server with certificate
Hi,
I have a problem in authentication with an LDAP server with certificate.
Here I am using the Java API to authenticate.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
I issued the new certificate, which is valid for up to 5 years.
Will Java authenticate for up to one year only?
Can anybody help on this issue...
Regards
Ranga
Sorry, I am getting the same error:
javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
Here, when I am using the old certificate and changing the system date, I can get the authentication.
Can you tell where we can concentrate and solve the issue..
Where is the issue?
1. Need to check with the LDAP server only
2. Problem in Java code only.
Thanks in advance
-
OIM 11g R1 LDAP Synch with OID.
Hi,
We are doing an LDAP Synch with OID directly. The users from various organisations in OIM need to be synched to different OUs in OID, instead of a single container. How do we achieve this? Would it be easy if we involve OVD also?
Here is some sample code and configuration which may give you a start - hope it helps.
Sample code that can be called in a pre-process event handler to copy the user's organisation to the LDAP Organization Unit:
    HashMap<String, Serializable> parameters = orchestration.getParameters();
    Serializable param = parameters.get("act_key");
    String act_key = null;
    if (param instanceof ContextAware) {
        // act_key arrives wrapped when the orchestration carries context
        act_key = ((ContextAware) param).getObjectValue().toString();
    } else if (param != null) {
        act_key = param.toString();
    }
    if (act_key != null) {
        OrganizationManager orgMgr = Platform.getService(OrganizationManager.class);
        Set<String> retAttrs = new HashSet<String>();
        retAttrs.add("Organization Name");
        Organization org = null;
        try {
            org = orgMgr.getDetails(act_key, retAttrs, false);
        } catch (OrganizationManagerException e) {
            // lookup failed: leave org null so no LDAP OU is set
        } catch (AccessDeniedException e) {
            // caller lacks permission: leave org null so no LDAP OU is set
        }
        if (org != null) {
            // copy the OIM organisation name into the attribute the container rule matches on
            String orgName = (String) org.getAttribute("Organization Name");
            orchestration.addParameter("LDAP Organization Unit", orgName);
        }
    }
Sample container mapping rule
<rule>
<expression>LDAP Organization Unit=Test Organization</expression>
<container>ou=Test Organization,ou=users,o=org</container>
<description>Add user to the Test Organization OU in LDAP if their OU is set to Test Organization</description>
</rule>
Sample change in /db/LDAPUser
<!-- Two act_key entries in the <reconFields> section to set RECON_ACT_KEY. -->
<!-- The first sets RECON_ACT_KEY to the default value from the scheduled job -->
<!-- The second overwrites RECON_ACT_KEY with an OU value if supplied in the LDAP User data. -->
<reconAttr>
<oimFormDescriptiveName>act_key</oimFormDescriptiveName>
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Organization Name</reconFieldName>
<reconColName>RECON_ACT_KEY</reconColName>
<emDataType>number</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
</reconAttr>
<reconAttr>
<oimFormDescriptiveName>act_key</oimFormDescriptiveName>
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ou</reconFieldName>
<reconColName>RECON_ACT_KEY</reconColName>
<emDataType>number</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
</reconAttr>
-
Authentication with user and password
hello experts,
Does someone know what steps are necessary to carry out in XI for authentication with user and password in the SOAP adapter receiver?
Is it necessary to put something in Visual Administrator?
Thanks for all
user/pwd need to be provided by the SOAP client. You'll need to store it there and maintain it whenever the pwd is changed in XI.
As for best practices:
- The minimum requirements here should be SSL, so that no one can get the pwd;
- Also, as to avoid this, you could take a look at client authentication with certificates.
Regards,
Henrique.
-
Errors in LDAP configuration with Shared Services
Dear sirs,
we are getting errors in LDAP configuration with Shared Services.
Base DN is ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo East
The group cn is cn=AH
In LDAP log you can see the applications is searching the group:
"ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo"
When it should be:
“ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo East”
We think the problem is with space in Base DN "o=Grupo East", it is not properly considered.
Error Codes
EPMCSS-05145
Thanks in advance
Hi.
Could you try to define the Base DN as:
ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo\ East
I don't know if it will work fine.. but you can use special characters with the "\".
Good luck.
Best regards!
-
LDAP setup with SSL - Can't use tls auth type
I'm trying to configure Solaris 10 to use ldap against my OpenLDAP server with SSL but whenever I try to set the authentication as tls:simple, it gives me an error :
# ldapclient mod -a authenticationMethod=tls:simple
Cannot specify LDAP port with tls
# ldapclient mod -a authenticationMethod=tls
Unable to set value: invalid authenticationMethod (tls)
Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
NS_LDAP_SERVERS= 10.10.1.14:636
NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SERVER_PREF= 10.10.1.14:636
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
Thanks,
Jay
When using TLS you have to specify the FQN for the LDAP server and the port is ALWAYS 636.
Also, you need to set up your client to use FQN as well (/etc/hosts).
-
Usage of external LDAP server with Portal
Hi All,
We are in a situation to use external LDAP server with WLP 8.1. These are the
constraints we have to deal with:
1. Only read is allowed from this LDAP server.
2. This would be used for authentication purpose
If thats the case, how can we use Visitor Entitlements/Delegated Admin and Group
creation using Portal Admin tool since this will write to the configured LDAP
server.
Can somebody answer my question:
1. Can we use external LDAP server - just for authetication (I know this is possible
by using JAAS LoginModule, but I just want to get confirmed on this ) and
2. Use default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs.
Any relevant pointers are also welcome.
TIA,
Prashanth Bhat.
Thanks for the reply. Some of your answers are not clear. Can you pls elaborate on this?? Pls see my comments below.
"Johnson" <[email protected]> wrote:
>
Phil,
Can I use embedded LDAP for production?
Thanks
Lawrence
"Phil Griffin" <BEA> wrote:
"Prashanth " <[email protected]> wrote in message news:[email protected]..
Hi All,
We are in a situation to use external LDAP server with WLP 8.1. These are the constraints we have to deal with:
1. Only read is allowed from this LDAP server.
2. This would be used for authentication purpose
If that's the case, how can we use Visitor Entitlements/Delegated Admin and Group creation using Portal Admin tool since this will write to the configured LDAP server.
Can somebody answer my question:
1. Can we use external LDAP server - just for authentication (I know this is possible by using JAAS LoginModule, but I just want to get confirmed on this) and
>
You can add the external LDAP server just for authentication, but in versions through 8.1 SP2 WLP will want to verify the user exists (via the UserReaderMBean) during the login process (this check has been removed in SP3). A workaround is to duplicate the user in a provider that does impl UserReaderMBean.
Prashanth : You mean to say we have to duplicate the User in embedded LDAP server also??
>>
2. Use default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs.
>
Yes, the default/embedded LDAP can still be used for DA/visitor entitlements. In the current release, the Portal Admin Tools can only be configured to use a single authentication provider while forming entitlements. In SP3, all configured providers are listed/usable by the tools.
Prashanth : How can we configure Portal Admin tool to use authentication provider for entitlements??
>>
Any relevant pointers are also welcome.
TIA,
Prashanth Bhat.
-
LDAP Integration with Oracle BPM 10.3.0.0.0
Hi,
I want to know about integration of LDAP connectivity with Oracle BPM suite.
We don’t have any knowledge about the integration between Oracle BPM suite & LDAP.
Please do the needful on the same as soon as possible.
With Best Regards,
Ratna Prasad.
I configured the LDAP directory, and I was able to see the participants. However the group information is not retrieved properly. Here is the error:
(cont) ] Main: Invalid characters found for attribute [OU name].
[ (cont) ] Main: Detail:Attribute [OU name] cannot be assigned the following value: [Dev/Test].
[ (cont) ] Main: The invalid character is: [].
[ (cont) ] Main:
[ (cont) ] Main: fuego.directory.exception.InvalidAttributeValueException: Invalid characters found for attribute [OU name].
[ (cont) ] Main: Detail:Attribute [OU name] cannot be assigned the following value: [Dev/Test].
[ (cont) ] Main: The invalid character is: [].
[ (cont) ] Main:
Any ideas on what can be the possible solution?
Thanks
-
Setting up LDAP realm with WLI 7
Any pointer to Step by step instruction on to how to set up LDAP realm for Access Control with Weblogic integration 7
Pramit Basu <[email protected]> wrote:
Any pointer to Step by step instruction on to how to set up LDAP realm
for Access Control with Weblogic integration 7
In order to use LDAP realm with WLI 7.0, you need to do the following steps:
1) In WebLogic server level, you need to create a Caching Realm and a LDAP realm.
First, please back up your original config.xml file. Then, you can start configuring
the realms. You can do this by modifying the config.xml file, or through WLS console.
After you have done this, your config.xml file should contain the following:
<LDAPRealm AuthProtocol="none"
Credential="{3DES}rYiW/DkUxq4UPwR0XLbM9w=="
GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://jpengdesk:389"
Name="LDAPRealmForNetscapeDirectoryServer" Principal="cn=admin"
UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
--- You can also do this in Console. Please make sure the "UserDN" and "GroupDN"
values are correct according to the groups and users stored on your LDAP server.
In my example here, "beasys.com" is my root entry, and I have all the users created
underneath of OU "People", and I have all the groups created in OU "Groups".
<CachingRealm BasicRealm="LDAPRealmForNetscapeDirectoryServer" Name="MyCaching Realm"/>
--- You can do this in console by clicking on "Caching Realms", then click on
the link of "Configure a new Caching Realm". Name it as "MyCaching Realm", and
select "LDAPRealmForNetscapeDirectoryServer" as the BasicRealm.
<Realm CachingRealm="MyCaching Realm" FileRealm="myFileRealm" Name="myRealm"/>
--- you can do this in console by clicking on "Compatibility Security", then click
on the "Filerealm" tab, then, in the "Caching Realm" field, select "MyCaching Realm"
from the pull-down combo box.
Please make sure all the names are related. See above example, the value in blue
color should match, and the value in red color should match too.
Please see the attached config.xml file for reference.
2) Create the users in LDAP server. In my example, I simply created 3 users underneath
of OU “People”, they are:
weblogic
wlisystem
admin
“weblogic” is the user I used as my system administrator user, which
I used to boot my WLS server and access my WLS console.
“wlisystem” and “admin” are the users created for WLI
component.
3) Create 11 groups in LDAP server. In my example, as I mentioned above, I create
all these groups underneath of OU “Groups”. These groups are:
ConfigureComponents
Administrators
wlpiUsers
MonitorInstance
ExecuteTemplate
CreateTemplate
UpdateTemplate
DeleteTemplate
AdminsterUser
ConfigureSystem
wlpiAdministrators
Also, add the users created in step 2 into all of these groups.
4) Clean up the fileRealm.properties file.
Backup your original fileRealm.properties file. Then, remove all the entries starting
with “user.xxx” and “group.xxx”, only leave those entries
starting with “acl.xxx”.
Please see the attached “fileRealm.properties” file for reference.
5) Restart your WLI server. Verify the users and groups you defined in LDAP server
are displayed in WLS console correctly. You can see the user and group information
in “Compatibility Security” -> “Users”, and “Compatibility Security” -> “Groups” respectively.
6) Start your studio to design a simple Workflow. When you login, the authentication
of your username and password is against the LDAP server, since you don’t
have any user entries in your file realm any more.
7) Start your Worklist to execute the workflow. Also, When you login, the authentication
of your username and password is against the LDAP server, since you don’t
have any user entries in your file realm any more.
Once you execute the workflow, you can verify that workflow instance in Studio.
You can monitor the instance, and delete the instance.
-
Configuring one LDAP domain with two OU (one RO, another RW)
Hi Team,
My client is implementing NW 7.0 Enterprise Portal on SP14, AIX 5.3 & Oracle 10.2.0.4.
We're using MS-ADS LDAP as a UME data source. The client wishes to configure UME for one single ADS LDAP (domain) with two OUs (NOT domains) such that:
1. One OU has read only access
2. Second OU has read/write access
Following is an illustration of the LDAP tree structure:
CORP_DOM
-- INT_USERS (CN=IntUsers, DC=CORP_DOM, DC=NET) - read-only
-- INT_GROUPS (CN=IntUsers, DC=CORP_DOM, DC=NET) - read-only
-- EXT_USERS (CN=ExtUsers, DC=CORP_DOM, DC=NET) - read/write
-- EXT_GROUPS (CN=ExtGrp, DC=CORP_DOM, DC=NET) - read/write
|-- SAccounts
|--
|--
Note the single LDAP domain, multiple user and group paths with different access privileges.
Based on what I've read so far, this does not seem feasible as the datasource configuration file has to have unique datasource id and the private section allows only one tag for user path and group path.
I checked OSS, SDN but could only find information on configuring multiple domain/LDAP and not one LDAP domain but two OU/CN.
Kindly let me know if anyone has come across or done such a configuration.
Thanks.
Hi GLM,
You are right, access permissions to the OU are given to the service account used to access the directory from the portal.
The issue I have is not about granting permissions - it's more about whether it is possible at all to configure UME for one single ADS LDAP (domain) containing two OUs (NOT domains). I'd need to access the directory with two different service users having different access privileges.
I don't see how it can be done, since the datasource id in the portal datasource configuration file has to be same as the domain and the private section allows only one tag for user path and group path.
Thanks.