Regarding SAP CUA vs Corporate LDAP for authentication purposes
Hello All:
Could anyone please give more information about SAP CUA and the corporate LDAP? Please suggest which is more advantageous and what is the cost involved in each of these. These are the options for the authentication of SAP Enterprise Portal in our system here. We want to figure out which has more advantages over the other one.
Thanks,
LBuegg
Hello all,
Appreciate your response for this query. We need to figure out the options soon. It's kind of urgent.
Thanks again..
L Buegg.
Similar Messages
-
Hello All,
Could anybody please let me know the pros and cons of the SAP CUA and Corporate LDAP?
Please this is urgent
Thanks,
Leena.
Hi All,
Can anyone please suggest the advantages/disadvantages of SAP CUA over Corporate LDAP.
I've gone through several threads and a lot has been spoken about it but still I would like to know the pros and cons of each approach so that technical consultants can decide to choose the best as per their landscape.
Please also suggest the differences in terms of complexities and costs incurred in implementing the same.
Thanks & Regards,
Anurag Gwari -
External LDAP for authentication
Hi All,
I want to use external ldap for authentication purpose with Access Manager.
I tried adding this external ldap as a secondary ldap but couldn't succeed.
If I add this ldap in the primary ldap along with the AM's own ldap, this also fails to authenticate users from the external ldap.
How can I achieve this?
I read many topics in this forum regarding this but none of them explain how it can be achieved.
Please suggest.
Thanks in advance.
This is what the amconsole log says:
ERROR: ConsoleServletBase.onUncaughtException
java.lang.NullPointerException
at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.constructFilter(LDAPv3Repo.java:3126)
at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.search(LDAPv3Repo.java:1996)
at com.iplanet.am.sdk.AMDirectoryManager.search(AMDirectoryManager.java:1938)
at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:221)
at com.sun.identity.console.idm.model.EntitiesModelImpl.getEntityNames(EntitiesModelImpl.java:139)
at com.sun.identity.console.idm.EntitiesViewBean.getEntityNames(EntitiesViewBean.java:222)
at com.sun.identity.console.idm.EntitiesViewBean.beginDisplay(EntitiesViewBean.java:177)
at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
at jsps.console._idm._Entities_jsp._jspService(_Entities_jsp.java:86)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
at com.iplanet.ias.web.jsp.JspServlet$JspServletWrapper.service(JspServlet.java:687)
at com.iplanet.ias.web.jsp.JspServlet.serviceJspFile(JspServlet.java:459)
at com.iplanet.ias.web.jsp.JspServlet.service(JspServlet.java:375)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:772)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:471)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:382)
at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:133)
at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:149)
at com.sun.identity.console.idm.HomeViewBean.forwardTo(HomeViewBean.java:109)
at com.sun.identity.console.realm.RealmPropertiesBase.nodeClicked(RealmPropertiesBase.java:90)
at com.sun.web.ui.view.tabs.CCTabs.handleTabHrefRequest(CCTabs.java:129)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:760)
at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:787)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
at com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:280)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580) -
AD LDAP for Authentication but ABAP or IDM for Role Assignments
Hi Portal Gurus,
Is it possible to configure the UME in such as way so that it connects to the AD for authentication purposes but uses the CUA or SAP Identity Manager for role assignments?
Thanks,
Vibhu
Hi,
Thanks for the suggestion. But ours was a different problem.
The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
Best regards,
Ashok -
WLC connect LDAP for Authentication, but could not connect to server
Hi Everyone, I got a problem when I use a WLC 5508 connecting to LDAP for authentication, but no luck there. It's a simple config, but not easy to get working on my job. I got the following message:
Service Port - Not connected
Distribution ports include:
Management Interface - in AP Management VLAN - 30
Student AP interface - in Student VLAN - 20
Staff AP interface - in Staff VLAN - 10
AD is in Staff VLAN - 10
WLC LDAP Server setting
Base DN:OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
User Attribute: sAMAccountName
User Object Type: Person
Debug aaa all enable message
*LDAP DB Task 1: Jul 09 01:40:58.969: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
*LDAP DB Task 1: Jul 09 01:41:00.969: ldapInitAndBind [1] configured Method Anonymous lcapi_bind (rc = 1005 - LDAP bind failed)
*LDAP DB Task 1: Jul 09 01:41:00.969: ldapClose [1] called lcapi_close (rc = 0 - Success)
*LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to IDLE
*LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to RETRY
*LDAP DB Task 1: Jul 09 01:41:00.969: LDAP_OPT_REFERRALS = -1
WLC GUI Log:
*LDAP DB Task 1: Jul 09 02:56:13.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
*LDAP DB Task 1: Jul 09 02:56:11.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
*LDAP DB Task 1: Jul 09 02:56:09.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
LDP Message of LDAP BaseDN:
Expanding base 'CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
4> objectClass: top; person; organizationalPerson; user;
1> cn: Frankie F. Yeung;
1> sn: Yeung;
1> givenName: Frankie;
1> initials: F;
1> distinguishedName: CN=Frankie F. Yeung,OU=OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
1> instanceType: 0x4 = ( IT_WRITE );
1> whenCreated: 8/10/2011 10:28:14 China Standard Time China Standard Time;
1> whenChanged: 8/10/2011 10:31:26 China Standard Time China Standard Time;
1> displayName: Frankie F. Yeung;
1> uSNCreated: 3850555;
1> uSNChanged: 3850571;
1> name: Frankie F. Yeung;
1> objectGUID: 6ebfc7e9-6989-4f11-bae7-62c23af67edc;
1> userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD );
1> badPwdCount: 0;
1> codePage: 0;
1> countryCode: 0;
1> badPasswordTime: 0;
1> lastLogoff: 0;
1> lastLogon: 0;
1> pwdLastSet: <ldp error <0x0>: cannot format time field;
1> primaryGroupID: 513;
1> objectSid: S-1-5-21-3867848445-1581729766-1247451615-2172;
1> accountExpires: <ldp error <0x0>: cannot format time field;
1> logonCount: 0;
1> sAMAccountName: fckyeung;
1> sAMAccountType: 805306368;
1> userPrincipalName: [email protected];
1> objectCategory: CN=Person,CN=Schema,CN=Configuration,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
Hope I can resolve this problem ASAP, thanks!
Your AD is in the Staff VLAN so maybe the WLC uses the Staff interface instead of management to contact the AD. I don't know how you sniffed exactly.
The comment about EAP methods you saw is when you use LDAP with dot1x security. It is the same as saying "You cannot do PEAP-MSCHAPv2 or EAP-FAST-MSCHAPv2 with LDAP".
But you can do LDAP for web authentication, that has no eap methods.
Your original problem was a binding problem from the WLC, so we can expect that the WLC really is sending traffic towards AD. -
Setting up LDAP for authentication to portal:default property set named "ldap
Hi
I am trying to implement LDAP authentication for WebLogic Portal. I went
through the documentation (http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824). It
mentions using the default property set named "ldap" and deploying ldapprofile.jar. My
question is:
- Is there a way to look into the property using EBCC?
- Apart from deploying and configuring the ldapprofile.jar, do I have to do any additional
steps in order to make my portal (say, stockportal) authenticate users from LDAP?
- If I create my own portal, should I create a similar "ldap" property set? If so, how?
Any suggestions/help is appreciated. Thanks
- Mike
Thanks Dave.
"David Anderson" <[email protected]> wrote:
You should be able to view the property set for LDAP through the EBCC
if you
have the propertysetws.jar installed in your Portal domain. This provides
the ability for the EBCC to retrieve property set information from your
server.
Dave
"mike" <[email protected]> wrote in message
news:[email protected]...
Hi Adrian
Thank you for the pointers. Much appreciated. However, one question still
persists.
What is the significance of the property set "ldap" mentioned in the
document (http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824)? Where
does this property set feature vis-a-vis setting up the LDAP security realm; does it
matter prior to/after the setting up as mentioned in the document pointer you just
gave?
Is it sufficient that I follow the procedure to set up the LDAP or is
there more
to post-setting, like creating a property set (similar to "ldap" or cloning
it)
apart from deploying ldapprofile.jar.
Thanks.
- Mike
"Adrian Fletcher" <[email protected]> wrote:
Mike,
The documentation that covers LDAP authentication is listed under
Weblogic
Server rather than Weblogic Portal.
See Configuring the LDAP Security Realm in Managing Security
(http://e-docs.bea.com/wls/docs61////adminguide/cnfgsec.html#1071872)
Also take a look at the FAQ - Why can't I boot WebLogic Server when using
the LDAP Security Realm?
(http://e-docs.bea.com/wls/docs61//faq/security.html#25833)
Hope this helps,
Sincerely,
Adrian.
Adrian Fletcher.
Senior Software Engineer,
BEA Systems, Inc.
Boulder, CO.
email: [email protected]
"mike" <[email protected]> wrote in message
news:[email protected]...
Hi
I am trying to implement LDAP authentication for WebLogic Portal. I
went
through the documentation
(http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824). It
mentions using the default property set named "ldap" and deploying ldapprofile.jar. My
question is:
- Is there a way to look into the property using EBCC?
- Apart from deploying and configuring the ldapprofile.jar, do I have
to
do any
additional
steps in order to make my portal (say, stockportal) authenticate users from
LDAP?
- If I create my own portal, should I create a similar "ldap" property set? If so, how?
Any suggestions/help is appreciated. Thanks
- Mike -
OWSM won't connect to ldap for authentication in policy
System: 10.1.3 on Windows with SOA Suite
I've got a web service deployed, got OWSM running, have registered the web service with a gateway component and have built a basic policy (just to log) in the Pipeline "request" and Pipeline "Response" parts of the governing policy; this basic policy works correctly. However, when I try to add an "Ldap Authenticate" step to the Pipeline "Request" part of the policy, OWSM doesn't seem to really try to connect to the LDAP. I have tried two LDAPs (Lotus Notes and OID) that are operational - I can access both of them via command line using the same credentials with which I configured the "Ldap Authenticate" step. Yet, when I invoke the web service with the "Ldap Authenticate" step configured in the policy I get the following exception:
A fault was thrown in the step Client.AuthenticationFault:Invalid username or password
I'm pretty dang sure I have entered the correct credentials in the "Ldap Authenticate" configuration (I checked it 45,000 times) - it seems that OWSM really isn't trying to connect to the LDAPs - and there's no logging that I've found that will tell me what it's really trying to do.
Anyone have any hints or know what's going on?
I have the same problem.
With the help of Vikas's instructions for changing the log level I could log the gateway's activities:
security.WSBasicCredsExtractor - Element Value:farbod
security.WSBasicCredsExtractor - Element Value:mypassword
security.WSBasicCredsExtractor - Successfully retrieved username and password
security.WSBasicCredsExtractor - Removing the UsernameToken Header
ldap.DirContextHolder - Creating new directory context
ldap.LDAPAuthenticatorStep - Failed to connect to ldap server.
I am unsure whether my LDAP settings in OWSM are correct:
my server name is nfsserver.com(OID Server) and I have this user in OID:
cn=farbod,cn=Users,dc=nfsserver,dc=com
so I think these settings should work:
LDAP host (*) nfsserver
LDAP port (*) 389
User objectclass (*) inetOrgPerson
LDAP baseDN (*) cn=Users,dc=nfsserver,dc=com
LDAP adminDN (*) cn=orcladmin,cn=Users,dc=nfsserver,dc=com
LDAP admin password ******
LDAP admin login enabled (*) true
Uid Attribute (*) string uid
User Attributes to be retrieved uid
Is the bold part correct?
Regards
Farbod -
Hey Guys,
I noticed that when a group membership changes in LDAP, it takes some time for the changes to show up on the portal. I think that the portal caches the LDAP membership and refreshes it from time to time. Does anybody know what the default value is? And is there a way to change this frequency of refresh?
Thank You
Madhavi
Madhavi,
Default timeout is 2.5 min (150000 ms). You can set the PageTimeout property in Page Editor. For more information, please take a look at the following link.
http://help.sap.com/saphelp_nw04/helpdata/en/b4/12083e7623445ae10000000a11405a/frameset.htm
In your case, you can check the par file and change the setting..
Hope, this helps
Jojo -
Retrieve parameters from LDAP using authentication module
I have existing LDAP that contains organization people and their attributes. I have several web applications that use existing LDAP for authentication and authorization. My goal is to deploy single sign-on with openSSO so that users are authenticated against existing LDAP. Changing of the existing LDAP is forbidden.
I deployed newest stable OpenSSO and Apache2 + newest policy agents to web service servers.
OpenSSO server uses LDAP authentication module to authenticate users against existing LDAP. It uses flat file data repository and realm attributes -> user profile is ignored.
This basic setup works fine. The next step is to integrate existing web applications to single sign-on system. The authentication part works fine. I just disabled old mechanism from web applications that did the LDAP authentication. OpenSSO and Apache Policy agent are handling that part.
The existing web applications are still querying existing LDAP other attributes there than uid and userpassword. Is it possible to configure OpenSSO to forward LDAP attributes to web application as cookie or header value? Or is the forwarding feature only for attributes in Data Store?
If the forwarding is not possible, what is the next best alternative?
OpenSSO forum is quite silent so I'm back with you guys.
I managed to solve the agent error log problem I mentioned before. The problem was about nonexistent attributes in AMAgent.properties com.sun.am.policy.agents.config.profile.attribute.map. I removed the extra attributes and the authentication against LDAP started to work again.
The problem is that no attributes are forwarded from LDAP to web application. I have tried HTTP_COOKIE and HTTP_HEADER settings in AMAgent.properties and com.sun.am.policy.agents.config.profile.attribute.map is set to cn|common-name,mail|email.
My LDAP looks like this:
# testuser, pollo.fi
dn: cn=testuser,dc=pollo,dc=fi
cn: testuser
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: Test
sn: User
ou: People
uid: testuser
mail: [email protected]
And my datastore configuration:
LDAP server->localhost:389
LDAP bind DN->cn=admin,dc=pollo,dc=fi
LDAP organization DN->dc=pollo,dc=fi
Attribute name mapping->empty
LDAP3 Plugin supported types and operations->agent,group,realm,user all read,create,edit,delete
LDAP3 Plugin search scope->scope_sub
LDAP Users Search Attribute->uid
LDAP Users Search Filter->(objectclass=inetorgperson)
LDAP User Object Class->organizationalPerson
LDAP User Attributes->uid, userpassword
Create User Attribute Mapping->empty
Attribute Name of User Status->inetuserstatus
User Status Active Value->Active
User Status Inactive Value->inactive
LDAP Groups Search Attribute->cn
LDAP Groups Search Filter->(objectclass=groupOfUniqueNames)
LDAP Groups container Naming Attribute->ou
LDAP Groups Container Value->groups
LDAP Groups Object Class->top
LDAP Groups Attributes->cn,description,dn,objectclass
Attribute Name for Group Membership->empty
Attribute Name of Unique Member->uniqueMember
Attribute Name of Group Member URL->memberUrl
LDAP People Container Naming Attribute->ou
LDAP People Container Value->people
LDAP Agents Search Attribute->uid
LDAP Agents Container Naming Attribute->ou
LDAP Agents Container Value->agents
LDAP Agents Search Filter->(objectClass=sunIdentityServerDevice)
LDAP Agents Object Class->sunIdentityServerDevice,top
LDAP Agents Attributes->empty
Identity Types That Can Be Authenticated->Agent,User
Authentication Naming Attribute->uid
Persistent Search Base DN->dc=pollo,dc=fi
Persistent Search Filter->(objectclass=*)
Persistent Search Maximum Idle Time Before Restart->0
Should I enable some setting still to get the forwarding going on? Any ideas for debugging? -
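The post above maps `cn|common-name,mail|email` in the agent's attribute map, yet the data store's "LDAP User Attributes" only lists `uid, userpassword`. The following is an added example, not OpenSSO or policy-agent code: it parses an LDIF entry of the shape shown, parses the attribute-map syntax, and builds the headers an agent would inject, reporting every mapped attribute that cannot be forwarded instead of silently dropping it. It works on the assumption that an agent can only forward attributes the data store actually read (so `fetched_attrs` stands in for the "LDAP User Attributes" list); the header-name prefix and the `|` joiner for multi-valued attributes are assumptions, not the agent's documented format, and the sample entry's e-mail address and description are constructed.

```python
"""Attribute-forwarding check for an OpenSSO/OpenAM-style policy agent, stdlib only.
Illustration only, not OpenSSO code."""
import base64
import re

# Constructed sample in the shape of the entry from the post; the mail and description
# values are made up. The folded base64 value exercises line continuation and '::'.
SAMPLE_LDIF = """\
# testuser, pollo.fi
dn: cn=testuser,dc=pollo,dc=fi
cn: testuser
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: Test
sn: User
ou: People
uid: testuser
mail: test.user@example.fi
description:: VGVzdCBh
 Y2NvdW50
"""


def parse_ldif(text: str) -> list:
    """Parse LDIF content records (RFC 2849 subset) into dicts {attr_lower: [values]}.
    Handles comments, folded lines and base64 values; change records are out of scope."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing blank flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, sep, rest = line.partition(":")
        if not sep or not attr.strip():
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip(), validate=True).decode("utf-8")
        else:
            value = rest.strip()
        if current is None:
            current = {}
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def parse_attribute_map(spec: str) -> dict:
    """'ldapAttr|headerName,...' -> {ldap_attr_lower: header_name}."""
    mapping = {}
    for item in filter(None, (s.strip() for s in spec.split(","))):
        ldap_attr, sep, name = item.partition("|")
        if not sep or not ldap_attr.strip() or not name.strip():
            raise ValueError("bad attribute map entry: %r" % item)
        mapping[ldap_attr.strip().lower()] = name.strip()
    return mapping


_HEADER_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def build_forwarded_headers(entry: dict, mapping: dict, fetched_attrs, prefix: str = "HTTP_"):
    """Return (headers, missing). An attribute is forwardable only when the data store
    read it (assumption: fetched_attrs mirrors 'LDAP User Attributes') and the entry
    carries it; anything else goes to `missing` so the gap is visible. Values with CR/LF
    are rejected: injected into a header they would let a directory entry forge extra
    headers towards the application. Prefix and '|' joiner are assumptions."""
    fetched = {a.lower() for a in fetched_attrs}
    headers, missing = {}, []
    for ldap_attr, name in mapping.items():
        if not _HEADER_NAME.match(name):
            raise ValueError("unsafe header name: %r" % name)
        if ldap_attr not in fetched or ldap_attr not in entry:
            missing.append(ldap_attr)
            continue
        values = entry[ldap_attr]
        if any("\r" in v or "\n" in v for v in values):
            raise ValueError("CR/LF in %s value; refusing to forward" % ldap_attr)
        headers[prefix + name.upper().replace("-", "_")] = "|".join(values)
    return headers, missing


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)[0]
    mapping = parse_attribute_map("cn|common-name,mail|email")
    for fetched in (["uid", "userpassword"], ["uid", "userpassword", "cn", "mail"]):
        headers, missing = build_forwarded_headers(entry, mapping, fetched)
        print("fetched=%s -> headers=%s missing=%s" % (fetched, headers, missing))
```

Run against the post's own settings (`uid, userpassword` fetched) the function forwards nothing and reports `cn` and `mail` as missing; with those two added to the fetched list both headers appear. Whether that is the actual cause in OpenSSO is for the poster to confirm by adding `cn` and `mail` to the data store's attribute list, but the check itself is the first thing to run before looking at the agent.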
Using smart card/nfc tag for authentication on Windows 8 devices NOT in a domain
Title says it all. We have Sony RC-S380 readers and Acer Iconia W510 tablets with builtin Broadcom NFC chips. We can read tags and configure them for the usual proximity stuff (URIs, mail, etc.) but we are looking for authentication purposes, however without
using ADFS or domain security. Can anyone point us in the right direction?
Hi,
By default, smart card is not available for stand alone computer and local account.
This authentication technology might be helpful to you:
EIDAuthenticate - Smart card logon on stand alone computers and local accounts
http://www.mysmartlogon.com/products/eidauthenticate.html
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Karen Hu
TechNet Community Support -
Hooking LDAP with Weblogic for Authentication
I have a lot of users in an LDAP-Directory and I would like to map this directory to a Website on my Weblogic instance.
Now, I've added LDAP into my Security Realm in Weblogic, what do i add to the web.xml ? Is this sufficient?
Do I need to change anyting else in my Weblogic configuration than adding OpenLDAP Support in Authentication?
Thanks!
Hi Tim,
Yes, LDAP can be used through SAP BPC CMS (BO authentication).
That means all the users have to be imported into CMS and after that BPC uses the BO certificate to authenticate to CMS.
So you also have SSO.
You don't need Active Directory in this case.
Anyway, BPC still works with Microsoft Active Directory without CMS, but you have to decide what kind of authentication better satisfies customer requirements.
You can use either Microsoft Active Directory or CMS, but you cannot use both at the same time.
Kind Regards
Sorin Radulescu -
Dear all,
I am looking to set up the use of Active Directory userid/password authentication instead of SAP R/3 user/password for digital signature. We SSO to the backend ABAP AS via an SAP NW Portal on which SPNEGO Kerberos authentication is set up. Today we specify the R/3 user id/password to digitally approve a lot release. The idea is to have users maintain one AD password and not have to remember the R/3 password anymore, and also for our Security team to avoid password maintenance.
I know there are 3 options for digital signature and
System signature with authorization by user ID and password (We use this currently)
Digital User signature with verification - (We would like to use this with AD userid/password, so the system still ask the users their AD userid/password for the authentication when they try to "sign" a document.)
User signature without verification
Do you think there is a way to configure the system in order to ask and check the active directory userid/password instead of SAP R/3 password? Where can I found documentation about it ?
I have several different versions of AS ABAP starting from NW 7.02 to NW 7.31.
My active directory is based on Windows 2008.
Thanks in advance!!
Dhee
Actually enabling Kerberos for SSO purposes and enabling Kerberos for digital signatures are two different topics although the latter is because of the former. I'm interested in the topic as well and I'm currently looking at different options. SAP provides a BAdI for the digital signature API which can be used for external authentication but they do not provide the solution to invoke Kerberos authentication based on username and password. SAP provides a semi solution with NWSSO 2.0 SP2 which works only on Windows with classic dynpros meaning SAP GUI for Windows is assumed. The solution is based on an ActiveX component which does the actual Kerberos authentication using the Secure Login Client which is part of the NWSSO suite. Extending that implementation to non-Windows and non-GUI applications would require some sort of web enabled service that could be used to authenticate the user with username and password. In case authentication is successful, a Kerberos token would be returned to SAP which would then be validated. All the required pieces are there since SAP has Kerberos support now in both stacks of the NetWeaver Application Server, some bits are still missing though which leaves customers looking at 3rd party or custom solutions.
-
Need Tcode for Synchronization of SAP Useradministration with an LDAP
Hi Experts,
I am configuring the SAP R/3 4.7EE server with an LDAP server (Oracle Internet Directory, OID) by using the tcodes SM59 and LDAP.
Now i Need the Tcode for Synchronization of SAP Useradministration with an LDAP
when i clicked on the ServerNames tab on the screen with Tcode LDAP,
I am not getting the Synchronization screen when I click on Synchronization.
can anyone provide me the info where i have to do the Synchronization of SAP User Administration with an LDAP?
Regds
Phani
Hi Olivier
To be specific, we have an application (.NET) which uses SAP as backend and retrieves the data from SAP using RFCs and BAPIs. Well, everything works fine with SAP R/3 (where using the connection string and SAP Connector we could establish a connection and call the RFC/BAPI).
When it comes to SAP ECC we have no idea about the connection string or how to connect using SAP Connector. I know that ECC uses a secured connection so I want to know how to connect to SAP ECC using .NET Connector.
For the SSL could you tell me how exactly can we apply that to the above described situation?
thanks
sathish -
ISE Authentication Policy for RSA Securid and LDAP for VPN
We are working on replacing our existing ACS server with ISE. We have 2 groups of users, customers and employees. The employee's utilize RSA securid for authentication while the customers use Window authentication. We have integrated the AD into ISE using LDAP and this has been tested. We are now working on trying to get the rsa portion to work. We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
Here is my question:
Under the authentication policy should we look at an identity store that has RSA SecurID users, LDAP users and then internal users? I assume if the user isn't present in the RSA store it will then look at the LDAP; will this present an issue with overhead in our RSA environment? With the legacy ACS the decision on where to authenticate the user was done on the ACS, either Windows or RSA. The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy. The number of customer VPNs is several times larger than employees and I am afraid that if we have to query the SecurID servers for every VPN authentication attempt this could cause issues. Our ultimate goal is to move to AnyConnect and utilize a single URL for all authentication but allow ISE to instruct the ASA what attributes to hand to the client such as DNS/dACL.
Thanks,
Joe
That is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, test1 user has to type in his/her RSA token password to get
into exec mode. After that, he/she has to use the RSA token password to
get into enable mode. Each user can get into "enable" mode with his/her
RSA token mode.
The way you described, it seemed like anyone in this group can go directly
into enable mode without password. This is not what I have in mind.
Any other ideas? Thanks. -
Multiple LDAP directories for authentication
Hi,
I just upgraded to GroupWise 2014 (from 2012). In GW2012 I used LDAP authentication against eDir. In GW2014, I associated the GW mailboxes to Active Directory. I tested a few accounts and I can login just fine. However I also have mailboxes that have to authenticate to eDir, because (for now) they don't have AD equivalent accounts.
To achieve this, I also added the eDirectory as a directory in the GW admin console. I then enabled LDAP authentication in the Post Office security settings, without adding the "Available LDAP Servers" to the "Selected LDAP Servers" box.
When I logon to a mailbox that is associated to eDir, it allows me to logon. I do have a mailbox that doesn't allow me to logon, although it is associated to eDir. When I re-associate (remove-add) it, it works for a while only to stop working again. It's not entirely stable.
In the POA log, I see the following message: Alert: Utilize LDAP server which is not in the pool configuration! So it would seem it doesn't particularly like my setup.
Questions:
* Is what I'm trying to achieve not supported or am I configuring it wrong?
* If I add the "Available LDAP Servers" to the "Selected LDAP Servers" box will it use it a failover pool and thus mess up my mixed-directory authentication?
* Is it possible to use GroupWise authentication for some mailboxes and AD authentication for others. If so, it would take away the need to use eDir.
Iwan
It's not an error, just informational. The LDAP AUTH code for the POA has changed somewhat in 2014. Before, it used to only use LDAP servers in a pool, but now it will first try any LDAP servers/directories in its "Preferred list", but if it cannot find the user using that list, it will then proceed to try all other LDAP servers that are configured.
--Morris
>>> iwan<[email protected]> 1/9/2015 5:16 AM >>>
Hi,
I am able to authenticate to AD and eDir within the same PO. I would like
to phase out edir as maintaining two directories is not ideal. The only
reason I still use edir is for those few GW accounts that do not have AD
counterparts and for which I do not want to create AD accounts. So using
LDAP(AD) together with GW auth would be ideal for me. I'll look into
creating a second PO for this purpose.
I just wonder why the POA log keeps displaying the following message, if
having multiple directories in a single PO is supported: "Utilize LDAP
server which is not in the pool configuration!"
Iwan