LDAP - CUA Mapping

Hello,
This is regarding configuration of Microsoft Active directory and SAP CUA (on Solman 7.01)
I have multiple OUs (Organizational Units) under the root in Windows Active Directory.
E.g.:
Root: "DC=CompanyName,DC=com"
OU: Country 1
OU: Country 2
OU: Country 3.
I want to synchronize users from all the above OUs (Country 1, Country 2, Country 3) into SAP CUA using LDAP.
See below cases:
Case 1:
I maintain "BASE ENTRY" in LDAP configuration (LDAPMAP) as below:
BASE ENTRY:  OU= Country 1,DC= companyname,DC=com
Result: I get all users of Country 1.
Case 2:
I maintain "BASE ENTRY" in LDAP configuration (LDAPMAP) as below:
BASE ENTRY:  OU= Country 2,DC= companyname,DC=com
Result: I get all users of Country 2.
Case 3:
I maintain "BASE ENTRY" in LDAP configuration (LDAPMAP) as below:
BASE ENTRY:  OU= Country 3,DC= companyname,DC=com
Result: I get all users of Country 3.
Case 4:
I maintain "BASE ENTRY" in LDAP configuration (LDAPMAP) as below:
BASE ENTRY:  DC= companyname,DC=com
Result: I do not get all users of Country 1 + Country 2 + Country 3.
My Question:
Can I set base entry to root level (as in case 4) and get all users? Is that supported in SAP?
If yes, please guide steps required.
Regards.

Hi Martin,
Thanks for the reply.
I can define multiple entries, and then I will have to create multiple synchronization background jobs.
But the problem is that if the client later defines a new country, then the client has to create one more entry.
The requirement is to have a root entry as in case 4 (mentioned in the earlier mail) so that all countries are covered.
Is this possible?
Thanks.
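What a base entry returns depends not only on the base DN but on the LDAP search scope, and a server compares the base entry to directory DNs ignoring attribute-type case and spaces around "=" and ",". The model below is an added example, not code from the thread or from SAP's connector: it implements the three RFC 4511 scopes and RFC 4514-style DN comparison over a constructed directory laid out like the one in the question (which scope the SAP synchronization uses is not stated in the thread, so all three are shown).

```python
"""LDAP base entry and search scope over a constructed directory.

The question's four cases vary only the base entry.  What a search returns
also depends on its scope (RFC 4511: baseObject, singleLevel, wholeSubtree),
and matching the base entry to directory DNs is insensitive to attribute-type
case and to spaces around '=' and ',' (RFC 4514), so the question's
"OU= Country 1,DC= companyname,DC=com" names the same entry as
"ou=Country 1,dc=CompanyName,dc=com".  The directory below is constructed
for this example; escaped characters in DNs are not handled.
"""
from typing import List, Tuple

Entry = Tuple[str, str]  # (distinguished name, objectClass)


def parse_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Split a DN into (type, value) RDNs normalised for comparison."""
    rdns = []
    for rdn in dn.split(","):
        typ, _, val = rdn.partition("=")
        rdns.append((typ.strip().lower(), val.strip().lower()))
    return tuple(rdns)


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Is entry_dn returned by a search rooted at base_dn with this scope?"""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # not under the base entry at all
    depth = len(entry) - len(base)  # 0 is the base entry itself
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def search_users(directory: List[Entry], base_dn: str, scope: str) -> List[str]:
    """DNs of user objects the search would return, sorted for stable output."""
    return sorted(dn for dn, object_class in directory
                  if object_class == "user" and in_scope(dn, base_dn, scope))


# Constructed directory mirroring the OU layout described in the question,
# plus a nested OU under Country 3 to show onelevel and subtree differing.
DIRECTORY: List[Entry] = [
    ("DC=CompanyName,DC=com", "domainDNS"),
    ("OU=Country 1,DC=CompanyName,DC=com", "organizationalUnit"),
    ("CN=Alice,OU=Country 1,DC=CompanyName,DC=com", "user"),
    ("OU=Country 2,DC=CompanyName,DC=com", "organizationalUnit"),
    ("CN=Bob,OU=Country 2,DC=CompanyName,DC=com", "user"),
    ("OU=Country 3,DC=CompanyName,DC=com", "organizationalUnit"),
    ("CN=Carol,OU=Country 3,DC=CompanyName,DC=com", "user"),
    ("OU=Contractors,OU=Country 3,DC=CompanyName,DC=com", "organizationalUnit"),
    ("CN=Dave,OU=Contractors,OU=Country 3,DC=CompanyName,DC=com", "user"),
]


def user_count(base_dn: str, scope: str, directory: List[Entry] = DIRECTORY) -> int:
    """Number of users a search with this base entry and scope would return."""
    return len(search_users(directory, base_dn, scope))


if __name__ == "__main__":
    # Case 1 as written in the question, stray spaces included.
    print(user_count("OU= Country 1,DC= companyname,DC=com", "subtree"))  # 1
    # Case 4: a root base entry returns no users with onelevel scope, because
    # every user sits one OU deeper; with subtree scope it returns all of them,
    # and a later "Country 4" OU is covered without a new base entry.
    print(user_count("DC= companyname,DC=com", "onelevel"))  # 0
    print(user_count("DC= companyname,DC=com", "subtree"))  # 4
```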

Similar Messages

  • LDAP CUA problem -- Could not logon to directory

    Hi Experts,
    I'm facing difficulties in accessing Active directory from SAP.
    The LDAP Connectors were set up correctly (status with green light).
    The System User were also setup as: UserID :DirectoryUser; Distinguished Name:"cn=DirectoryManager" (DirectoryManager is a username in my Active Directory)
    The LDAP Servers were also setup as: Hostname="sapserver001.abc.com", port number="389", Product name="MS03 Microsoft Windows 2003 Active Directory (Domain Mode)", Protocol Version="LDAP Version 3", LDAP Application="User", Base entry           ="ou=Company00", System Logon="DirectoryUser"
    But when I tried to log on to the directory, the system returned the message "Could not logon to directory":
    Could not logon to directory
    Message no. LDAPRC049
    Diagnosis
    The combination of user name (DN) and password transferred to the directory was not accepted by the directory.
    Procedure
    Check the set or entered data for the user and password for the directory.
    If you are using an application with which you do not need to enter this data directly, you can find the data as configuration setting in the LDAP server used ("System User" field).
    Procedure for System Administration
    Check whether you can log on to the directory with the entered data using the LDAP protocol.
    Note: A frequent error when using the Microsoft Active Directory is that the user enters their Microsoft Windows user name instead of the full Distinguished Name, since it is also possible to log on to the directory using this Microsoft Windows logon with Microsoft tools (such as ldp.exe). However, these tools do not use the user/password logon used by the SAP system.
    Could anyone help me find the solution?
    For more information, I'm using Windows server 2003 as my AD server.
    Ad server: sapserver001.abc.com
    sap server:sapserver002.abc.com
    In the control panel of sapserver001.abc.com, I opened "Active Directory Users and Computers"; within abc.com, I created an OU named "Company00", and under that OU, I created the InetOrgPerson "DirectoryManager".
    That's all the information I can provide.
    Any suggestions will be appreciated.
    Thank you very much in advance.
    Best regards,
    Nick

    Hi, all,
    Thanks for your reply.
    The problem has been solved. It was because I specified the wrong user name: if I enter "DirectoryManager" instead of "cn=DirectoryManager" in the Distinguished Name field, it works. Alternatively, I should input the entire path "cn=DirectoryManager,OU=employees,DC=abci,DC=com".
    Just one more question: are there any tools or commands that can display the detailed information of Active Directory on Windows Server 2003? I just wonder whether the detailed path like "cn=DirectoryManager,OU=employees,DC=abci,DC=com" can be shown by a tool or command.
    And I have run the ABAP program RSLDAPSCHEMAEXT to get an LDIF file for the SAP field extension on the AD server; after successfully importing it into the directory, where can I find/verify the added fields that come from SAP?
    Sorry, I lack knowledge of Active Directory; any suggestions are appreciated.
    Best regards,
    Nick

  • Synchronization between CUA x LDAP - Can it use paged queries?

    I'm using the synchronization process between LDAP (Microsoft Active Directory) and CUA (ECC 6.0). I'm having problems with a specific Microsoft best practice. This best practice allows only 1000 objects to be read in one query; in order to get the next 1000 objects, you have to make a new query.
    I've already opened this parameter to more than 1000 objects, and then everything works well. However, when we received Microsoft consultants and auditors, they strongly advised us to return this parameter to the default 1000 objects due to security issues.
    So my question is "how can SAP support it"? Does the transaction rsldapsync_user have any configuration to support paged queries?

    Notes 1000644, 807846 and 584121 discuss this issue.
    You can activate the paged search with the command-line parameter "-pagesize" as mentioned in these notes.
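The 1000-object limit and the paged search the reply refers to fit together as follows. This is an added model, not the thread's or SAP's code: a server that enforces a default result limit of 1000 entries, and a synchronization client that pages through the result with the RFC 2696 cookie exchange instead of raising the server limit. The directory content is constructed.

```python
"""Simple Paged Results (RFC 2696) against a directory with a 1000-entry limit.

Active Directory's default MaxPageSize is 1000: a search that matches more
entries is cut off unless the client sends the paged-results control and asks
for the rest page by page.  This is a constructed model for the example, not
SAP's RSLDAPSYNC_USER code and not a real LDAP implementation.
"""
from typing import List, Optional, Tuple

MAX_PAGE_SIZE = 1000  # server-side default the thread discusses


class SizeLimitExceeded(Exception):
    """LDAP resultCode 4: the match exceeds what the server returns unpaged."""


def server_search(entries: List[str], page_size: Optional[int],
                  cookie: bytes) -> Tuple[List[str], bytes]:
    """Server side: return one page and the cookie for the next one.

    page_size=None models a client that sent no paged-results control; the
    server then refuses result sets larger than MAX_PAGE_SIZE.  Raising the
    server limit makes such a call succeed at the cost of letting a single
    request pull the whole result set.
    """
    start = int.from_bytes(cookie, "big") if cookie else 0
    if page_size is None:
        if len(entries) > MAX_PAGE_SIZE:
            raise SizeLimitExceeded(
                f"{len(entries)} entries matched, server limit is {MAX_PAGE_SIZE}")
        return list(entries), b""
    # The server caps a page at its own limit even if the client asks for more.
    size = min(page_size, MAX_PAGE_SIZE)
    page = entries[start:start + size]
    end = start + len(page)
    # An empty cookie tells the client this was the last page.
    next_cookie = end.to_bytes(4, "big") if end < len(entries) else b""
    return page, next_cookie


def paged_sync(entries: List[str], page_size: Optional[int]) -> Tuple[List[str], int]:
    """Client side: re-issue the same search with each returned cookie.

    Returns every entry collected and the number of round trips it took.
    """
    collected: List[str] = []
    cookie, round_trips = b"", 0
    while True:
        page, cookie = server_search(entries, page_size, cookie)
        collected.extend(page)
        round_trips += 1
        if not cookie:
            return collected, round_trips


def unpaged_sync_fails(entries: List[str]) -> bool:
    """True if a synchronization without paging hits the server limit."""
    try:
        paged_sync(entries, None)
    except SizeLimitExceeded:
        return True
    return False


# Constructed sample: 2500 user DNs, more than the server limit.
USERS = [f"CN=user{i:04d},OU=Country 1,DC=example,DC=com" for i in range(2500)]

if __name__ == "__main__":
    print(unpaged_sync_fails(USERS))  # True
    entries, trips = paged_sync(USERS, 1000)
    print(len(entries), trips)  # 2500 3
```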

  • SAP CUA Vs Corporate LDAP

    Hello All,
    Could anybody please let me know the pros and cons of SAP CUA and Corporate LDAP?
    Please, this is urgent.
    Thanks,
    Leena.

    Hi All,
    Can anyone please suggest the advantages/disadvantages of SAP CUA over Corporate LDAP.
    I've gone through several threads and a lot has been spoken about it but still I would like to know the pros and cons of each approach so that technical consultants can decide to choose the best as per their landscape.
    Please also suggest the differences in terms of complexities and costs incurred in implementing the same.
    Thanks & Regards,
    Anurag Gwari

  • Custom user name mapper needs external LDAP connection.

    I have a custom user name mapper that needs to connect to our external LDAP. Our security realm is configured to connect to the external LDAP for users and groups. Is there a way to reuse this connection in the custom user name mapper?

  • Security:090802 PKI Credential Mapper has got an LDAP exception

    Weblogic Server 10.3, Oracle Service Bus, Red Hat Enterprise, AD integration, PKI infrastructure.
    I have a small error message saying that an LDAP error exists somewhere, but I can't understand how to read the full text of the exception or any additional information.
    OSB Security:387078Failed to bind key-pair credential for service key provider Troika.Domain.IC.ClientRegistry.Signature.20090521/IC.CR.WEbServiceUser.ServiceKeyProvider and purpose Encryption: Security:090802PKI Credential Mapper has got an LDAP exception.
    This error appears when I try to browse an encryption key from my identity keystore to the service key provider.

    I had the exact same problem with an Oracle 10g Enterprise 10.2.0.1.0 database used as a security store under OSB 10.3.
    Fixed it by dropping the table and recreating it with all VARCHAR256 fields set to VARCHAR2048.
    In my case the CN and RN fields were probably the problem, but I'll leave all fields at 2048 for now.

  • Regarding SAP CUA vs Corporate LDAP for authentication purposes

    Hello All:
    Could anyone please give more information about SAP CUA and the corporate LDAP? Please suggest which is more advantageous and what is the cost involved in each of these. These are the options for the authentication of SAP Enterprise Portal in our system here. We want to figure out which has more advantages over the other one.
    Thanks,
    LBuegg

    Hello all,
    Appreciate your response for this query. We need to figure out the options soon. It's kind of urgent.
    Thanks again..
    L Buegg.

  • LDAP security authentication in weblogic sp4 (URGENT)

    We have a web application which interacts with the DB to authenticate a user during our login process. Now we are trying to change the login to LDAP authentication. Here is the list of what I did in the WebLogic configuration; correct me if this is correct or if I am missing anything.
    1. Created a Realm
    2. Created a NOVELL LDAP Authenticator (configured user, groups, members, Novell LDAP, Details)
    3. Created an X.509 certificate ????? Do I need to create this one for authentication? The only question is I am confused by these parameters, so help me out in figuring out these:
    a. filter attributes = cn=$subj.cn
    b. username attribute = cn
    c. userCertificate;binary ??? (I have a certificate idmtree.der; where do I add configuration about this certificate in the console?)
    d. certificate mapping : ou=user,ou=$subj.ou,o=$subj.o,c=$subj.c (IS THIS CORRECT)
    4. created a new Weblogic Default Authorizer...
    5. created a new Weblogic Default Role Mapper...
    6. created a new Weblogic Default Credential Mapper ...(Do I need to setup my certificate inside this credential mapper or not.)
    7. I made this realm as the DEFAULT realm and started the server
    I get the following exception.
    Initializing RoleMapper provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift.>
    The RoleMapper provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift>
    Initializing Authorizer provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift.>
    The Authorizer provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift>
    Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
    Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
    Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
    Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
    Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure.>
    Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
    weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
    at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:205)
    at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:262)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.doATN(SecurityServiceManagerDelegateImpl.java:581)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealm(SecurityServiceManagerDelegateImpl.java:420)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.loadRealm(SecurityServiceManagerDelegateImpl.java:700)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealms(SecurityServiceManagerDelegateImpl.java:733)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initialize(SecurityServiceManagerDelegateImpl.java:876)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:734)
    at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:822)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:670)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:344)
    at weblogic.Server.main(Server.java:32)
    >
    ####<Apr 6, 2006 10:42:55 AM CDT> <Emergency> <WebLogicServer> <DXPCHI029398> <myserver> <main> <<WLS Kernel>> <> <BEA-000342> <Unable to initialize the server: weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]>
    ANY HELP on this would be greatly appreciated; I am totally exhausted from seeing these error messages since morning.
    I would like to know if I need a client for connecting to this LDAP authenticator, as I am using the Novell API to access the LDAP directory. Let me know, and if so, can someone provide me a code snippet?
    Waiting for response.
    thanks in advance
    kiran

    Hi Christoper,
    Based on your description, this seems to be more of a security related question than a workshop one.
    Please post to the security newsgroup at http://forums.bea.com/bea/category.jspa?categoryID=2011
    with information on service pack installed
    Thanks
    Raj

  • Portal Integration with CUA

    I am implementing CUA for my SAP landscape and would like to incorporate our portal but I am unsure how to do this.
    I have changed my portal UME to point to the ABAP system as it's datasource.
    I am unsure how I can get my portal roles assigned to my portal users from the ABAP system.
    When I create a user I need the ERP users creating with ABAP roles and the Portal user creating with Portal roles, which are not the same in both systems.
    How can I achieve this? I do not have an LDAP.
    Regards
    Graham

    Hi,
    interesting questions. Portal is running on top of the Netweaver platform (Java stack). Hence no Apache web server. I doubt that it supports any Apache modules. You can use Apache as a reverse proxy in front of SAP portal. Check note 480520 with the attached configuration guide. I don't know the answer to your question regarding the REMOTE_USER setting.
    SAP portal supports all standard [authentication methods|http://help.sap.com/saphelp_nw70/helpdata/en/8a/cb136e68592f478266d19bb2b89766/frameset.htm] supported by Netweaver. Probably the only possible way is to use [SAML|http://help.sap.com/saphelp_nw70/helpdata/en/94/695b3ebd564644e10000000a114084/frameset.htm]. [Here|http://www.ibm.com/developerworks/tivoli/library/t-cssosap/index.html] is a how-to guide on setting up SSO based on SAML between Tivoli and Netweaver application server.
    Also search on net. I found links to interesting presentations (e.g. [this one|http://www.switch.ch/aai/support/presentations/ws-sap-2010/ETHZ_AAI_SAP_SAML_Artifact.pdf]).
    Cheers

  • BBPMAININT with CUA

    We have a landscape with SRM 5.0 and CUA in two different systems and intend to use BBPMAININT to create Users and need the user to be replicated or created in CUA.
    We already implemented note 402592, but the user is created only in SRM and without any Role.
    Regards, Roberto

    Hi Robert
    We are creating user IDs in CUA, which replicates the user IDs to SRM / R3 and CRM and other systems.
    After that, through Users_gen, we map the user ID to the Org structure in SRM.
    We tried creating users in SRM and replicating to CUA, but it didn't go well.
    So now user IDs are created first in CUA and replicated to all systems, and after that we use the Users_gen option "Create users from Existing SU01" and map the user to the SRM Org Structure.
    regards,
    Nimish Sheth

  • Mapping LDAP Groups to SAP Roles

    Hi there,
    I am trying to build up synchronized user management with an LDAP server between EP, Web AS Java and Web AS ABAP.
    My thought is to administer the users in the LDAP directory. The users will be assigned to groups.
    In EP and Web AS Java it's no problem to assign these groups to roles and then just change the users in the LDAP group and achieve synchronized user management.
    In Web AS ABAP it seems impossible to assign roles to groups.
    The question is: is it possible to map LDAP groups, with the LDAP connector of the Web AS ABAP, to roles in an ABAP system?
    Or is there another way to administer users in different systems?
    Thanks a lot for your answers,
    stefan

    Hi
    in this case you have to use the concept of central user administration. Use the following links:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
    Hope this helps you to get a fair bit of an idea.
    Don't forget to give points.
    With regards
    subrato kundu

  • How to pull data from Active Directory in ABAP (non-CUA approach)?

    All,
    We have a requirement to pull information from AD into a WAS 6.20 system.
    I know there is the standard CUA/UME LDAP synchronization discussed at length in this forum, but this is not what we are looking for. We would like to connect from an ABAP program (BAPI/RFC) to AD, pull a specific field and store it in a custom table.
    I found one thread that describes how to do this with WebDynpro in Java, but this would be our last resort since we wouldn't be able to do that from the actual 6.20 WAS but would have to use another 2004s system which would extend the architecture of the current design.
    Any thoughts?
    Thanks
    GS

    Hi,
    1. First configure the LDAP properties in transaction LDAP.
    2. You can use the function modules LDAP_SYSTEMBIND and LDAP_SEARCH to retrieve the info you want.
    You can read this document for more help: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/906061c5-176b-2910-5091-e23baa4e7038

  • LDAP user authentication on EP6 built on NW04 abap+java

    Hello,
    Our customer insisted we install its EP6 system as an ABAP+JAVA system. He asked that users logging in to the portal be authenticated (username and password) against their directory service via LDAP. Because the EP6 is built on ABAP+JAVA, and not JAVA only, I cannot use the portal or Visual Administrator tools to make the LDAP the source User Management system.
    I have been looking all day in the sap online help and I do not see any instructions on how to configure user+password logon authentication via LDAP on an ABAP based UME system. The most I have managed was to setup the connection from the EP6 system to ldap via transaction LDAP and bring up the ldap connector.
    I need to know how to proceed from here.
    Thanks
    Boaz

    Hello,
    I would add that this configuration is not supported.
    However, please look at the following link, which relates to an ABAP system, I refer to the bolded section.
    http://help.sap.com/saphelp_nw2004s/helpdata/en/aa/a17941601b050de10000000a1550b0/frameset.htm
    The following is mentioned in this link:
    The user password is not transferred from the SAP Web AS to the LDAP directory during the synchronization of the user data. You must therefore maintain the user password with one of the following options:
    • You specify the passwords centrally in the LDAP server. The users must log on using the UME, are authenticated with the LDAP server, receive a logon ticket and can then access all systems with Single Sign-On. In this case, all systems must be configured so that they accept logon tickets.
    • You specify the passwords in a decentralized way, both in the CUA and in the LDAP directory (or in the UME). In this case, the CUA systems do not need to accept logon tickets.
    What is the meaning behind this?
    Thanks
    Boaz

  • RoleMapper with an external LDAP

    Dear friends,
    We use an external LDAP to store information related to users, groups and roles. We have managed to configure an out of box LDAP Authenticator within our realm for authentication. We wanted some guidance on configuring or writing RoleMapper.
    1) What is good practice in terms of storing and managing roles? Is it a common practice to store roles in an external LDAP, or do people use the Admin console to create roles within the embedded LDAP? The advantage with the embedded LDAP is definitely that you can use the out-of-the-box RoleMapper; the disadvantage is that we cannot extend the LDAP schema to store hierarchical roles.
    2) If we store and manage roles in an external LDAP store, the same one where we store users and groups, could we still use the out-of-the-box role mapper? If not, could someone provide a sample role mapper that uses an external LDAP store?
    3) Why doesn't WebLogic provide an out-of-the-box Role Mapper that connects to an external LDAP?

    All Users Filter: (&(&(uid=*)(objectclass=person))(!(quitdate=*)))
    User From Name Filter: (&(&(uid=%u)(objectclass=person))(!(quitdate=*)))
    User Name Attribute: uid
    Here you're configuring uid as the key of your users in OID. In your case users A and B have the same uid, so WebCenter can log in using user B, but when it performs a search for uid=jack, LDAP returns the first one.
    Does that make any sense to you?
    Hope that I helped you.

  • External LDAP + Roles in portal

    Folks,
    I use weblogic 8.1 portal.
    Can we use an external LDAP for storing portal roles? If so, what is supported,
    recommended, etc. Does BEA have a recommendation/document on how to support an
    environment with multiple domains that share a common LDAP so that we don’t have
    to keep them all sync.
    Thanks
    - Lara

    Lara,
    The WLS SSPI (plug-in provider architecture) allows you to add additional
    role mappers, however the WLS out-of-the-box authorizer and role mapper are
    still required for WLP. Also, in a WLS domain/cluster each managed server
    has a copy of the LDAP which is automatically kept in sync by the admin
    server.
    -Phil
