LDAP - CUA Mapping
Hello,
This is regarding configuration of Microsoft Active directory and SAP CUA (on Solman 7.01)
I have multiple OU (Organization Units) under root in Windows Active Directory.
E.g.;
Root: "DC=CompanyName,DC=com"
OU: Country 1
OU: Country 2
OU: Country 3.
I want to synchronize users from all above OU (Country 1, Country 2, Country 3) into SAP CUA using LDAP.
See below cases:
Case 1:
I maintain "BASE ENTRY" in LDAP configuration (LDAPMAP) as below:
BASE ENTRY: OU= Country 1,DC= companyname,DC=com
Result: I get all users of Country 1.
Case 2:
I maintain "BASE ENTRY" in LDAP configuration (LDAPMAP) as below:
BASE ENTRY: OU= Country 2,DC= companyname,DC=com
Result: I get all users of Country 2.
Case 3:
I maintain "BASE ENTRY" in LDAP configuration (LDAPMAP) as below:
BASE ENTRY: OU= Country 3,DC= companyname,DC=com
Result: I get all users of Country 3.
Case 4:
I maintain "BASE ENTRY" in LDAP configuration (LDAPMAP) as below:
BASE ENTRY: DC= companyname,DC=com
Result: I do not get all users of country 1+ country 2+ country 3.
My Question:
Can I set base entry to root level (as in case 4) and get all users? Is that supported in SAP?
If yes, please guide steps required.
Regards.
Hi Martin,
Thanks for the reply.
I can define multiple entries, and then will have to create multiple synchronization background jobs.
But, the problem is that if client is then defining new country then client has to create one more entry.
Requirement is that if we can have root entry as in case 4 (mentioned in earlier mail) so that all countries are covered.
Is this possible?
Thanks.
Similar Messages
-
LDAP CUA problem -- Could not logon to directory
Hi Experts,
I'm facing difficulties in accessing Active directory from SAP.
The LDAP Connectors were setup correctly (status with Green light).
The System User was also set up as: UserID: DirectoryUser; Distinguished Name: "cn=DirectoryManager" (DirectoryManager is a username in my Active Directory)
The LDAP Server was also set up as: Hostname="sapserver001.abc.com", port number="389", Product name="MS03 Microsoft Windows 2003 Active Directory (Domain Mode)", Protocol Version="LDAP Version 3", LDAP Application="User", Base entry="ou=Company00", System Logon="DirectoryUser"
But when I tried to logon the directory, system returns message:"Could not logon to directory"
Could not logon to directory
Message no. LDAPRC049
Diagnosis
The combination of user name (DN) and password transferred to the directory was not accepted by the directory.
Procedure
Check the set or entered data for the user and password for the directory.
If you are using an application with which you do not need to enter this data directly, you can find the data as configuration setting in the LDAP server used ("System User" field).
Procedure for System Administration
Check whether you can log on to the directory with the entered data using the LDAP protocol.
Note: A frequent error when using the Microsoft Active Directory is that the user enters their Microsoft Windows user name instead of the full Distinguished Name, since it is also possible to log on to the directory using this Microsoft Windows logon with Microsoft tools (such as ldp.exe). However, these tools do not use the user/password logon used by the SAP system.
Could anyone help me find the solution?
For more information, I'm using Windows server 2003 as my AD server.
Ad server: sapserver001.abc.com
sap server:sapserver002.abc.com
In the control panel of sapserver001.abc.com, I open "Active Directory Users and Computers"; within abc.com, I created an OU "Company00", and under that OU, I created the InetOrgPerson "DirectoryManager".
That's all the information I can provide.
Any suggestions will be appreciated.
Thank you very much in advance.
Best regards,
Nick
Hi all,
Thanks for your reply.
The problem has been solved. That's because I specified the wrong user name: if I enter "DirectoryManager" instead of "cn=DirectoryManager" in the Distinguished Name field, it will be OK. Or I should input the entire path "cn=DirectoryManager,OU=employees,DC=abci,DC=com".
Just one more question: are there any tools or commands that can display the detailed information of Active Directory on Windows Server 2003? I just wonder whether the detailed path like "cn=DirectoryManager,OU=employees,DC=abci,DC=com" can be shown by a tool or command.
And I have run the ABAP program RSLDAPSCHEMAEXT to get an LDIF file for the SAP field extension on the AD server; after successfully importing it into the directory, where can I find out/verify the added fields which are coming from SAP?
Sorry, I lack knowledge of Active Directory; any suggestions are appreciated.
Best regards,
Nick
-
Synchronization between CUA x LDAP - Can it use paged queries?
I'm using the synchronization process between LDAP (Microsoft Active Directory) and CUA (ECC 6.0). I'm having problems with a specific Microsoft best practice. This best practice allows reading only 1000 objects in one query; in order to get the next 1000 objects, you have to make a new query.
I've already opened this parameter to more than 1000 objects, and then everything works well. However, when we received Microsoft consultants and auditors, they strongly advised us to return this parameter to the default of 1000 objects due to security issues.
Then my question is: how can SAP support it? Does the transaction rsldapsync_user have any configuration to support paged queries?
Notes 1000644, 807846 and 584121 discuss this issue.
You can activate the paged search with the command-line parameter
"-pagesize" as mentioned in these notes.
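The base-entry question in the first thread (LDAP - CUA Mapping, case 4: a base entry at the domain root returning fewer users than the three per-country base entries together) and the 1000-object limit in this thread are both about what an AD subtree search returns from a wide base DN. The Python below is an added example, not SAP or Microsoft code, and the OUs, user counts and DNs in it are constructed: it simulates a directory with three country OUs under DC=companyname,DC=com and the default LDAP policy MaxPageSize of 1000, then runs the post's searches with and without the RFC 2696 paged-results control (what the -pagesize parameter named in the notes switches on). It is not a claim about why case 4 fell short; it shows the one behaviour that can be checked offline: without the control a domain controller stops at MaxPageSize and answers sizeLimitExceeded (result code 4), with the control the same search comes back complete in pages, and a one-level search from the root returns no users at all because they sit one level deeper, inside the OUs. The DN helper ignores the stray spaces after "=" in the post's base entries (OU= Country 1); that the directory treats them the same way is an assumption.

```python
"""Simulated AD-style subtree search with the default MaxPageSize of 1000,
with and without the RFC 2696 paged-results control.  Added example; not
SAP or Microsoft code.  All entries are constructed; no network access."""

MAX_PAGE_SIZE = 1000      # AD default LDAP policy value


def normalize_dn(dn):
    """Split a DN into (type, value) RDNs, ignoring case and the whitespace
    around '=' and ',' (the post's base entries are typed as 'OU= Country 1';
    treating that as the same DN is an assumption).  Escaped commas stay
    inside the value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        out.append((attr_type.strip().lower(), value.strip().lower()))
    return tuple(out)


def in_scope(entry_dn, base_dn, scope):
    """LDAP search scope: 'base' = the base entry only, 'one' = its immediate
    children, 'sub' = the base and everything below it."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


class Directory:
    """Minimal directory that enforces MaxPageSize the way a DC does."""

    def __init__(self, entries):
        self.entries = entries        # list of (dn, attributes)

    def search(self, base, scope, predicate, page_size=None, cookie=0):
        """Return (entries, result_code, next_cookie).  Without the paged
        control (page_size None) the DC truncates at MaxPageSize and answers
        sizeLimitExceeded (result code 4); with it, pages of at most
        MaxPageSize come back with a cookie until the set is exhausted."""
        hits = [(dn, a) for dn, a in self.entries
                if in_scope(dn, base, scope) and predicate(a)]
        if page_size is None:
            if len(hits) > MAX_PAGE_SIZE:
                return hits[:MAX_PAGE_SIZE], "sizeLimitExceeded", None
            return hits, "success", None
        page = hits[cookie:cookie + min(page_size, MAX_PAGE_SIZE)]
        nxt = cookie + len(page)
        return page, "success", (nxt if nxt < len(hits) else None)


def paged_search(directory, base, scope, predicate, page_size):
    """Client side of RFC 2696: resend the search with the returned cookie
    until the server sends none (a real cookie is opaque; here it is an
    offset)."""
    results, cookie = [], 0
    while True:
        page, code, cookie = directory.search(base, scope, predicate, page_size, cookie)
        if code != "success":
            raise RuntimeError(code)
        results.extend(page)
        if cookie is None:
            return results


def is_user(attrs):
    return attrs.get("objectClass") == "user"


def build_directory(users_per_ou=(900, 800, 800)):
    """Three country OUs under the domain root, 2500 constructed users in total."""
    root = "DC=companyname,DC=com"
    entries = []
    for i, count in enumerate(users_per_ou, start=1):
        ou = f"OU=Country {i},{root}"
        entries.append((ou, {"objectClass": "organizationalUnit"}))
        for j in range(count):
            entries.append((f"CN=user{i}-{j},{ou}",
                            {"objectClass": "user", "sAMAccountName": f"c{i}u{j}"}))
    return Directory(entries)


def demo():
    """Case 1 and case 4 from the post, plus paging and a one-level search.
    Base entries are written exactly as in the post, stray spaces included."""
    d = build_directory()
    root = "DC= companyname,DC=com"
    unpaged, code, _ = d.search(root, "sub", is_user)
    return {
        "country1": len(d.search("OU= Country 1,DC= companyname,DC=com", "sub", is_user)[0]),
        "root_unpaged": (len(unpaged), code),
        "root_paged": len(paged_search(d, root, "sub", is_user, 500)),
        "root_onelevel": len(d.search(root, "one", is_user)[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Asking for a page larger than MaxPageSize still yields at most 1000 entries per round trip, so there is no reason to raise the policy value for a sync job: MaxPageSize is a per-request resource limit on the domain controller, and raising it changes how much one request can make the DC return, not what the bound account is allowed to read. If a root-level sync is still short with paging switched on, compare its count against a paged subtree search from the same base over (objectClass=user) with an independent LDAP client before looking further on the SAP side.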
-
Hello All,
Could anybody please let me know the pros and cons of the SAP CUA and Corporate LDAP?
Please this is urgent
Thanks,
Leena.
Hi All,
Can anyone please suggest the advantages/disadvantages of SAP CUA over Corporate LDAP.
I've gone through several threads and a lot has been spoken about it but still I would like to know the pros and cons of each approach so that technical consultants can decide to choose the best as per their landscape.
Please also suggest the differences in terms of complexities and costs incurred in implementing the same.
Thanks & Regards,
Anurag Gwari
-
Custom user name mapper needs external LDAP connection.
I have a custom user name mapper that needs to connect to our external LDAP. Our security realm is configured to connect to the external LDAP for users and groups. Is there a way to reuse this connection in the custom user name mapper?
-
Security:090802 PKI Credential Mapper has got an LDAP exception
Weblogic Server 10.3, Oracle Service Bus, Red Hat Enterprise, AD integration, PKI infrastructure.
I have the small error message that somewhere an LDAP error exists, but I can't understand how to read the full text of the exception or any other additional information.
OSB Security:387078Failed to bind key-pair credential for service key provider Troika.Domain.IC.ClientRegistry.Signature.20090521/IC.CR.WEbServiceUser.ServiceKeyProvider and purpose Encryption: Security:090802PKI Credential Mapper has got an LDAP exception.
This error appears when I tried to browse the encryption key from my identity keystore to the service key provider.
I had the exact same problem with an Oracle 10g Enterprise 10.2.0.1.0 database used as a security store under OSB 10.3.
Fixed it by dropping the table and recreating it with all VARCHAR256 fields set to VARCHAR2048.
In my case the CN and RN fields were probably the problem but I'll leave all fields at 2048 for now.
-
Regarding SAP CUA vs Corporate LDAP for authentication purposes
Hello All:
Could anyone please give more information about SAP CUA and the corporate LDAP? Please suggest which is more advantageous and what is the cost involved in each of these. These are the options for the authentication of SAP Enterprise Portal in our system here. We want to figure out which has more advantages over the other one.
Thanks,
L Buegg
Hello all,
Appreciate your response for this query. We need to figure out the options soon. Its kind of urgent.
Thanks again..
L Buegg.
-
LDAP security authentication in weblogic sp4 (URGENT)
We have a web application which interacts with the DB to authenticate a user during our login process. Now we are trying to change the login to LDAP authentication. Here is the list of what I did in the weblogic configuration; correct me if this is correct or if I am missing anything.
1. Created a Realm
2. Created a NOVELL LDAP Authenticator (configured user, groups, members, Novell LDAP, Details)
3. Created X.509 certificates ????? Do I need to create this one for authentication? The only question is that I am confused by these parameters; help me out in figuring out these:
a. filter attributes = cn=$subj.cn
b. username attribute = cn
c. userCertificate;binary ??? ( I have a certificate idmtree.der where do I add configuration about this certificate in the console)>>>>>>>>
d. certificate mapping : ou=user,ou=$subj.ou,o=$subj.o,c=$subj.c (IS THIS CORRECT)
4. created a new Weblogic Default Authorizer...
5. created a new Weblogic Default Role Mapper...
6. created a new Weblogic Default Credential Mapper ...(Do I need to setup my certificate inside this credential mapper or not.)
7. I made this realm as the DEFAULT realm and started the server
I get the following exception.
Initializing RoleMapper provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift.>
The RoleMapper provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift>
Initializing Authorizer provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift.>
The Authorizer provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift>
Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure.>
Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
[java.lang.reflect.InvocationTargetException - with target exception:
[netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
[java.lang.reflect.InvocationTargetException - with target exception:
[netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:205)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:262)
at weblogic.security.service.SecurityServiceManagerDelegateImpl.doATN(SecurityServiceManagerDelegateImpl.java:581)
at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealm(SecurityServiceManagerDelegateImpl.java:420)
at weblogic.security.service.SecurityServiceManagerDelegateImpl.loadRealm(SecurityServiceManagerDelegateImpl.java:700)
at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealms(SecurityServiceManagerDelegateImpl.java:733)
at weblogic.security.service.SecurityServiceManagerDelegateImpl.initialize(SecurityServiceManagerDelegateImpl.java:876)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:734)
at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:822)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:670)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:344)
at weblogic.Server.main(Server.java:32)
>
####<Apr 6, 2006 10:42:55 AM CDT> <Emergency> <WebLogicServer> <DXPCHI029398> <myserver> <main> <<WLS Kernel>> <> <BEA-000342> <Unable to initialize the server: weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
[java.lang.reflect.InvocationTargetException - with target exception:
[netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]>
ANY HELP on this would be greatly appreciated; I am totally exhausted seeing these error messages since morning.
I would like to know if I need a client for connecting to this LDAP authenticator, as I am using the Novell API to access the LDAP directory. Let me know, and if so can someone provide a code snippet.
Waiting for response.
thanks in advance
kiran
Hi Christoper,
Based on your description, this seems to be more of a security related question than a workshop one.
Please post to the security newsgroup at http://forums.bea.com/bea/category.jspa?categoryID=2011
with information on service pack installed
Thanks
Raj
-
I am implementing CUA for my SAP landscape and would like to incorporate our portal but I am unsure how to do this.
I have changed my portal UME to point to the ABAP system as its data source.
I am unsure how I can get my portal roles assigned to my portal users from the ABAP system.
When I create a user I need the ERP users creating with ABAP roles and the Portal user creating with Portal roles, which are not the same in both systems.
How can I achieve this? I do not have an LDAP.
Regards
Graham
Hi,
interesting questions. Portal is running on top of the Netweaver platform (Java stack). Hence no Apache web server. I doubt that it supports any Apache modules. You can use Apache as a reverse proxy in front of SAP portal. Check note 480520 with the attached configuration guide. I don't know the answer to your question regarding the REMOTE_USER setting.
SAP portal supports all standard [authentication methods|http://help.sap.com/saphelp_nw70/helpdata/en/8a/cb136e68592f478266d19bb2b89766/frameset.htm] supported by Netweaver. Probably the only possible way is to use [SAML|http://help.sap.com/saphelp_nw70/helpdata/en/94/695b3ebd564644e10000000a114084/frameset.htm]. [Here|http://www.ibm.com/developerworks/tivoli/library/t-cssosap/index.html] is a how-to guide on setting up SSO based on SAML between Tivoli and Netweaver application server.
Also search on net. I found links to interesting presentations (e.g. [this one|http://www.switch.ch/aai/support/presentations/ws-sap-2010/ETHZ_AAI_SAP_SAML_Artifact.pdf]).
Cheers
-
We have a landscape with SRM 5.0 and CUA in two different systems and intend to use BBPMAININT to create Users and need the user to be replicated or created in CUA.
We already implemented note 402592, but the user is created only in SRM and without any Role.
Regards, Roberto
Hi Robert
We are creating user -ids in CUA which replicates the user ids in SRM / R3 and CRM and other systems.
After that, through Users_gen we map the user ID to the org structure in SRM.
We tried creating users in SRM and replicating to CUA but it didn't go well.
So now user IDs are created in CUA first and replicated to all systems, and after that we use the Users_gen option "Create users from Existing SU01" and map the user to the SRM org structure.
regards,
Nimish Sheth
-
Mapping LDAP Groups to SAP Roles
Hi there,
I am trying to build up synchronized user management with an LDAP server between EP, Web AS Java and Web AS ABAP.
My thought is to administrate the users in the LDAP directory. The users will be assigned to groups.
In EP and Web AS Java it's no problem to assign these groups to roles and then just change the users in the LDAP group and reach synchronized user management.
In Web AS ABAP it seems impossible to assign roles to groups.
The question is: is it possible to map LDAP groups with the LDAP connector of the Web AS ABAP to roles in an ABAP system?
Or is there another way to administrate users in different systems?
Thanks alot for your answers,
stefan
Hi
in this case you have to use the concept of central user administration. Use the following links:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
hope this helps you to get a fair bit of an idea
don't forget to give points
With regards
subrato kundu
-
How to pull data from Active Directory in ABAP (non-CUA approach)?
All,
We have a requirement to pull information from AD into a WAS 6.20 system.
I know there is the standard CUA/UME LDAP synchronization discussed at length in this forum, but this is not what we are looking for. We would like to connect from an ABAP program (BAPI/RFC) to AD, pull a specific field and store it in a custom table.
I found one thread that describes how to do this with WebDynpro in Java, but this would be our last resort since we wouldn't be able to do that from the actual 6.20 WAS but would have to use another 2004s system which would extend the architecture of the current design.
Any thoughts?
Thanks
GS
Hi,
1. First configure the LDAP properties in transaction LDAP
2. You can use the function modules LDAP_SYSTEMBIND and LDAP_SEARCH to retrieve the info you want.
You can read this document for more help: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/906061c5-176b-2910-5091-e23baa4e7038
-
LDAP user authentication on EP6 built on NW04 abap+java
Hello,
Our customer insisted we install his EP6 system as an ABAP+JAVA system. He asked that users logging in to the portal be authenticated (username/password) against their directory service via LDAP. Because the EP6 is built on ABAP+JAVA, and not only JAVA, I cannot use the portal or Visual Administrator tools to make the LDAP the source User Management system.
I have been looking all day in the SAP online help and I do not see any instructions on how to configure user+password logon authentication via LDAP on an ABAP-based UME system. The most I have managed was to set up the connection from the EP6 system to LDAP via transaction LDAP and bring up the LDAP connector.
I need to know how to proceed from here.
Thanks
Boaz
Hello,
I add a note that this configuration is not supported.
However, please look at the following link, which relates to an ABAP system, I refer to the bolded section.
http://help.sap.com/saphelp_nw2004s/helpdata/en/aa/a17941601b050de10000000a1550b0/frameset.htm
The following is mentioned in this link:
The user password is not transferred from the SAP Web AS to the LDAP directory during the synchronization of the user data. You must therefore maintain the user password with one of the following options:
You specify the passwords centrally in the LDAP server. The users must log on using the UME, are authenticated with the LDAP server, receive a logon ticket and can then access all systems with Single Sign-On. In this case, all systems must be configured so that they accept logon tickets.
You specify the passwords in a decentralized way, both in the CUA and in the LDAP directory (or in the UME). In this case, the CUA systems do not need to accept logon tickets.
What is the meaning behind this?
Thanks
Boaz
-
RoleMapper with an external LDAP
Dear friends,
We use an external LDAP to store information related to users, groups and roles. We have managed to configure an out of box LDAP Authenticator within our realm for authentication. We wanted some guidance on configuring or writing RoleMapper.
1) What is good practise in terms of storing and managing roles? Is it a common practise to store roles in an external LDAP or do people use Admin console to created roles within the embedded LDAP? The advantage with the Embedded LDAP is definitely that you could use out of the box RoleMapper and the disadvantage is that we could not extend LDAP schema to store hierarchical roles.
2) If we store and manage roles in an external LDAP store, the same one where we store users and groups, could we still use the out of the box role mapper? If not, could someone provide a sample role mapper that uses an external LDAP store.
3) Why doesn't WebLogic provide an out of the box Role Mapper that connects to an external LDAP?
All Users Filter: (&(&(uid=*)(objectclass=person))(!(quitdate=*)))
User From Name Filter: (&(&(uid=%u)(objectclass=person))(!(quitdate=*)))
User Name Attribute: uid
Here you're configuring that uid is the key of your users in OID. In your case users A and B have the same uid, so WebCenter can log in using user B, but when it performs a search for uid=jack, LDAP returns the first one.
Does it make any sense to you?
Hope that I helped you
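The filters in the reply above are plain RFC 4515 filters, and the failure it describes (two entries with uid=jack, the lookup returning whichever the server lists first) can be reproduced by evaluating them by hand. The Python below is an added example, not WebLogic, OID or WebCenter code: it parses the &, |, !, presence and equality subset those two filters use, runs them over a small constructed set of entries, and shows the two checks a login lookup built from a "User From Name Filter" should make: substitute %u with RFC 4515 escaping so a username cannot change the filter's structure, and refuse to proceed unless exactly one entry matches. The entry DNs, the quitdate attribute and the usernames are constructed; substring filters such as (uid=ja*) are outside the subset and are not supported.

```python
"""Evaluate WebLogic-style LDAP user filters over constructed entries (added
example, not WebLogic/OID code).  Subset of RFC 4515: &, |, !, presence
(attr=*) and equality (attr=value, with \\XX hex escapes).  No network."""
import re

ALL_USERS_FILTER = "(&(&(uid=*)(objectclass=person))(!(quitdate=*)))"
USER_FROM_NAME_FILTER = "(&(&(uid=%u)(objectclass=person))(!(quitdate=*)))"

# Constructed entries; attribute names are lower-cased and every value is a
# list, as a client library would present them.  Two entries share uid=jack.
ENTRIES = [
    {"dn": ["uid=jack,ou=people,dc=example,dc=com"], "uid": ["jack"],
     "objectclass": ["person", "inetOrgPerson"], "cn": ["Jack Adams"]},
    {"dn": ["uid=jack,ou=contractors,dc=example,dc=com"], "uid": ["jack"],
     "objectclass": ["person"], "cn": ["Jack Brown"]},
    {"dn": ["uid=joan,ou=people,dc=example,dc=com"], "uid": ["joan"],
     "objectclass": ["person"], "cn": ["Joan Clark"]},
    {"dn": ["uid=jill,ou=people,dc=example,dc=com"], "uid": ["jill"],
     "objectclass": ["person"], "quitdate": ["20100630"]},   # left: excluded by (!(quitdate=*))
    {"dn": ["cn=backup,ou=services,dc=example,dc=com"], "cn": ["backup"],
     "uid": ["backup"], "objectclass": ["applicationProcess"]},  # not a person
]


def parse_filter(text):
    """Parse a filter string into a tree: ('&'|'|'|'!', [children]),
    ('presence', attr) or ('eq', attr, raw_value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at {pos}")
            pos += 1
            if op == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, kids)
        end = text.index(")", pos)   # escapes are \XX, so ')' never appears inside a value
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError(f"bad item {text[pos:end]!r}")
        pos = end + 1
        if value == "*":
            return ("presence", attr.lower())
        return ("eq", attr.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def unescape(value):
    """Decode RFC 4515 \\XX hex escapes in an assertion value."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def escape_filter_value(value):
    """Escape a value for use inside a filter (RFC 4515 section 3)."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def matches(tree, entry):
    """True if the entry satisfies the filter tree (values compared case-insensitively)."""
    kind = tree[0]
    if kind == "&":
        return all(matches(k, entry) for k in tree[1])
    if kind == "|":
        return any(matches(k, entry) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    values = [v.lower() for v in entry.get(tree[1], [])]
    if kind == "presence":
        return bool(values)
    return unescape(tree[2]).lower() in values


def all_users(entries):
    """DNs returned by the All Users Filter."""
    tree = parse_filter(ALL_USERS_FILTER)
    return [e["dn"][0] for e in entries if matches(tree, e)]


def user_filter(username, escape=True):
    """Substitute %u; escape=False shows the unsafe substitution."""
    value = escape_filter_value(username) if escape else username
    return USER_FROM_NAME_FILTER.replace("%u", value)


def match_count(entries, username, escape=True):
    tree = parse_filter(user_filter(username, escape))
    return sum(1 for e in entries if matches(tree, e))


def find_user(entries, username):
    """Login lookup: the username is escaped, and anything other than exactly
    one hit is an error rather than 'the first one the server returned'."""
    tree = parse_filter(user_filter(username))
    hits = [e for e in entries if matches(tree, e)]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries match uid={username!r}; refusing ambiguous login")
    return hits[0]["dn"][0]


if __name__ == "__main__":
    print("All users:", all_users(ENTRIES))
    print("joan ->", find_user(ENTRIES, "joan"))
    for name in ("jack", "*"):
        try:
            find_user(ENTRIES, name)
        except LookupError as err:
            print(f"{name!r}: {err}")
    print("unescaped '*' would match", match_count(ENTRIES, "*", escape=False), "entries")
```

The duplicate-uid case cannot be fixed in the filter: a lookup keyed on an attribute the directory does not keep unique will always be ambiguous for some user, so either the schema has to enforce uniqueness on uid (or the key has to move to an attribute that is unique, such as the DN) or the application has to treat more than one hit as a failed login, as find_user does. The escaping is the other half: %u is an attacker-controlled value, and an unescaped "*" turns the equality test into a presence test that matches every active person.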
-
External LDAP + Roles in portal
Folks,
I use weblogic 8.1 portal.
Can we use an external LDAP for storing portal roles? If so, what is supported,
recommended, etc. Does BEA have a recommendation/document on how to support an
environment with multiple domains that share a common LDAP so that we don’t have
to keep them all sync.
Thanks
- Lara
Lara,
The WLS SSPI (plug-in provider architecture) allows you to add additional
role mappers, however the WLS out-of-the-box authorizer and role mapper are
still required for WLP. Also, in a WLS domain/cluster each managed server
has a copy of the LDAP which is automatically kept in sync by the admin
server.
-Phil