Revertion of Portal UME from LDAP to DB Only

Similar Messages

• Automatic upload of roles from ECC to portal (UME with LDAP)

  Hi experts,
  This thread reopen the question asked on the following message : automatic upload of roles from BI to portal
  However, it concerns this time "UME with LDAP".
  Problematic :
  SAP Library 04s tells us that is not yet possible to automate role replication (or role assigment replication) from ABAP Based back-end to Netweaver Portal. Only manual process for initial upload is possible.
  Source = http://help.sap.com/saphelp_nw04s/helpdata/en/41/5e4d40ecf00272e10000000a155106/frameset.htm
  Questions :
  1 - Did anyone ever try to implement such an automatic tool ?
  2 - What if I'm not able to write on the Active Directory ? I am still able, at least, to automate role assignment replication from ABAP Based back-end to Netweaver Portal (ie. UME with LDAP) ? Directly from SAP R/3 to EP through UME, without passing through Active Directory since the group field is not maintained in AD.
  Many thanks for your inputs
  Alexis MARTIN

  Hello,
  As I did not read the previous thread I don't know what exactly you are trying to achieve, but I can tell you about what we have done - as far as it is not too late yet.
  We use the portal with integration to a BI system. In the ABAP stack we have lots of roles with menu items for hundreds of reports. We want the users to see these roles in the portal.
  First we have used the role migration tool of the portal to upload these roles. There is a Java API for executing role uploads from code. You need to create a webservice in the java stack to call this api, and can call the webservice from ABAP.
  However it is just a question of time and role size until this will not work at all. Standard role migration is more or less crap, stability is a problem. It also creates a lot of logs in the PCD and thus fills the database with trash. (After a few OSS messages there is now a program for deleting logs + you can turn of logging.) Also upload of larger roles takes up to an hour, and you alwasy have the problem that your portal roles are not up to date during the day.
  When I got completely fed up, I have implemented an own navigation connector. When you log on to the portal it will connect to the ABAP stack via RFC, load the role, and generate the portal menu from it. It uses caching, but on every logon it checks whether the role has been updated in ABAP since the last time it was loaded. It is up to date, faster then PCD navigation, and you need absoluetely no periodical synching at all. I cant even understand why this is not offered by SAP per standard!
  Drawback is that it will of course only work for the menu items, and only menu items with an "URL-type" are supported. I'm prettry sure however that it would be possible to implement a few other types as well.
  Let me know if you are interested in the solution, I can give you a few additional details: oliverDOTsvisztATwienerbergerDOTcom
  Oliver

• Working scenario - Portal UME with LDAP

  Hi Experts,
  I've installed Portal sneak preview which is 7.0 SP9 in my laptop and at the moment i'm using Web AS database is the user storage for portal.
  Now wanted to change the user storage to any ldap (for windows) server and wanted to look at the working scenario.
  Now ..
  1. Which is the recommended LDAP server for windows, to the above scenarion
  2. Can i use LDAP is the user storage for sneak preview versions.
  3. Any useful documents to achieve this.
  4. Please remeber i'm on Windows XP.
  Please leave your valuable suggestions
  Thanks
  MMK

  Mohan,
  Here is the LDAP related documentation on the UME data source LDAP:
  http://help.sap.com/saphelp_nw04s/helpdata/en/48/d1d13f7fb44c21e10000000a1550b0/frameset.htm
  -Michael

• Sync User Locks from LDAP(Microsoft AD) to Portal UME

  Hi All,
  Currently we have our Portal UME connected to LDAP (Microsoft AD) as our data source. I can bring up all Active Directory users in Portal, however the users that are locked and disabled in Active directory are still active in portal. To be more clear the expiration date of a userid in AD does not sync with Portal UME account expiration date. Is there a way to bring in the expiration value in to portal?
  Regards,
  Junaid

  Config tool may not have expiry date as mapping in Additional LDAP prop tab, you may need to look for configuration file where you can map the logical attribute to the LDAP.
  Licensing impact depends on your contract with SAP.
  However you can check portal users with USMM at the end of URL.
  E.g.
  remove 'irj/portal' from your initial portal link and add 'usmm'

• Link ECC roles to Portal roles (Portal is using LDAP source for UME)

  Hi all,
  If a user is assigned a certain ECC ABAP role, they should also receive a related portal role.  Our portal is using LDAP.
  If our portal ume source was an ABAP system, I think it would be easy to achieve the ECC to ABAP role linkage.
  We were thinking of developing a UME java webservice and have an ABAP proxy class consume it to allow our abap system to assign the correct portal role, and delete the portal role.
  Any other ideas?

  Rajendra,
  Thx for your reply.  Can you provide any more details as to the design of your solution with the web service?  We are thinking of running a batch job nightly with a some mapping table in ECC to determine what ABAP role should link to the portal group then call the webservice to add the user to the portal group or delete the user from the portal group. 
  A second question is...does SAP Identity Manager offer any solution for this type of requirement?
  Thanks

• LDAP user details not showing in Portal UME

  We have implemented kerberos single sign on using the kerberos xml datasource file and have the corporate LDAP as our UME source.
  However certain user details that are maintained in LDAP (such as department, street etc) are not being pulled through to the portal UME.
  We know the connection to the LDAP is OK as we can create new users and they appear in portal UME - its just that it seems to be missing several user attributes.
  Is this related to the settings in the xml file?
  And if so, what needs changing??
  thanks
  Simon.

  Hi Simon,
  all the attributes that are available in your LDAP can be made available in the UME via the dataSourceConfiguration. The default files does not include every attribute since these may vary from directory to directory. Please take a look at http://help.sap.com/saphelp_nw70/helpdata/en/b7/14d43f2dd44821e10000000a1550b0/frameset.htm
  and especially at: http://help.sap.com/saphelp_nw70/helpdata/en/44/7d188751626fb5e10000000a155369/content.htm and http://help.sap.com/saphelp_nw70/helpdata/en/1a/2bee408a63732ae10000000a155106/frameset.htm
  Hope this helps,
  Holger.

• Custom user attribute from ABAP to Portal UME

  Hi All,
  We have choose the ABAP as the data source for portal UME. We have a custom user attribute in the abap. Now i want to bring that custom user attribute from abap to custom user attribute in the UME.
  Any help will be rewarded.
  Thanks
  Sarang.

  Any resolution to this issue?

• Portal UME data store and various options (Opinions needed!)

  We are currently exploring our options with connecting the portal (UME) to various data sources for user authentication. Per EP 101, we all know that yes, we can authenticate against (1) the portal db (2) the portal DB + an SAP system and (3) the portal db + a LDAP directory. Now, of course, in most cases, #3 is the standard option. But now, we want to explore another option.....what if we set up synchronization with the LDAP directoy (ie. http://help.sap.com/saphelp_nw04/helpdata/en/95/49cb3a663bfc70e10000000a114084/frameset.htm). For example, our process is such that now, within SAP R/3, a "new hire" is created and then this triggers the creation of their userid/password in the external LDAP directory as well. Is it possible to then have synchronization set up so that the LDAP directory will then synchronize with the portal db and create the user in the portal db itself? (the example given in the help file seems to suggest this but does not provide any detail). Then the portal could authenticate users against it's own db? (ie. no need to make a "trip" to the LDAP directory). Soooooo first off, is this possible and if so, how? Second, what are the pros/cons of this approach versus the standard option of simply using the LDAP directory for authentication and storing only portal specific attributes in the portal's own db? Lastly any "gotchas" to be aware of (ie such as "yes this works fine for NDS but no way will it work for MS-AD" haha)?
  oh...and one more...take the LDAP directory out of the picture for a moment...is it possible to "synchronize" directly from an SAP system (such as 4.6d or ECC5.0) directly with the portal db (as well as other SAP componenet systems)? (*this one is more out of curiousity than anything...past experience with CUA. haha)
  thanks BIG TIME in advance!
  Chris

  Chris I can answer the second part of your question only, sorry!
  It is possible to automatically sync users directly from a sap system, I currently do this for relase 4.7, so it should work ECC5 on onwards (you would think). As for 4.6c/d? I just posted a new thread asking that very question, hopefully someone helps!
  with NW04 portal and about SP13 or better you get a new UME connection option - dataSourceConfiguration_abap.xml, picking this automates the link between ABAP and portal users & roles.
  Any user created in 4.7 automatically appears in portal plus (this is the good bit) dataSourceConfiguration_abap.xml makes all ABAP security roles appear as portal groups. You then simply assign one of these replicated groups to your portal roles, so a user assignment to a role in ABAP seamlessly becomes assigned to a portal role, giving you portal use managment without having to go near the portal system.
  So it's not really like CUA at all, just a mechanism that automatically replicates all ABAP users & roles into the portal in a useable form
  hope that helps a little
  danny

• CUA as data source for portal UME

  Hi all
  We want to use the CUA system as the data source for our EP6's UME.
  Obviously our end users do not login to the CUA system and therefore have no password to this system. It doesn't seem rational to provide them a password to this system, but then again which password will they use?
  I'm guessing that this is the case for most of the SAP customers.
  Does this mean that we can't use the CUA as the UME data source?
  If any of you use the CUA as the UME, we'd be very glad to hear your solution to this situation (we can't use one of the child systems as the UME).
  Thanks,
  Yeti

  Hi Yeti,
  My remarks below will not answer your question but it will help you with some decision on your UME data source.
  As far as I know, most Portal use LDAP as their main UME datasource. This is largely due to the fact that LDAP contains ALL the users that are "employee" of the company. As for CUA, it does not contain ALL your users which could pose a problem for you when you want to execute certain Portal functions (or management approval flows) which require users who does not exist in your CUA (but exist in LDAP).
  3 presentations which I think its good to have a look and share with....
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d5f57332-0a01-0010-12ab-dd472e87b8e6
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/c477de90-0201-0010-35ab-ddac4448ba9f
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/706065c4-3564-2a10-2382-a52fcbd7eefb
  But there are also setup that uses CUA as their UME. I have linked some of the past threads who use CUA as their UME. I hope they can shine some light to your question. You can do a search here in the forum with "CUA UME portal" and you will also find posts that can help answer your question.
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/706d054d-da24-2b10-f18a-fc82faf6468e
  Solution Manager as a  source for Portal UME
  Multiple SAP Systems as UME
  EP
  Something to think about if you consider SSO with CUA as UME.
  how to sso between portal and abap
  Something more interesting to read about:
  LDAP connection from ABAP to Portal
  The above are base on my experience and the Portal setup which I have done for the company. But maybe there are better suggestions from other Portal guys,Experts,Gurus out here who will contribute to answer your question. 
  Hope that helps.
  Ray

• How configure SAP IDM as EP Portal UME?

  Hi,
  I'm doing a proof of concept on the identity management 7.1
  I have established a LDAP connection using the Virtual Directory Server with another machine that contains an Active Directory, in this active directory I created users and groups that thanks to LDAP connection can be seen from the Virtual Directory Server.
  Also I have on another machine EP Portal 7.02, I got to integrate into the Portal 7.02 Identity management tab, but this is not the functionality we want to achieve.
  I want to get IDM to function as EP Portal 7.02 UME, is this possible? You have any idea how this could be done?
  Regards

  Not sure if I've understood correctly as English is not my 1st language, but..
  1) Set up a VDS service that exposes IdM data over a LDAP interface. In VDS go to "New / SAP Netweaver 7.x / Idm VDS UME 7x.xml" finish the wizard and verify the settings, set the configuration as windows service and start it, test the connectivity with LDAP browser.
  2) Once the connectivity exists and you're happy with the results, configure the Portal UME to use this datasource.

• User creation in Portal Connected to LDAP

  Hi Gurus,
     i want to know if we have LDAP connected to a Portal and someone creates a user on Portal UME , will the user get created in LDAP or portal UME.
     The situation is where any registerd user  accessing the portal should be authenticated against LDAP and he can also do a self registration from portal.So if he self registers, does his user id/Password gets created in LDAP or it stays in Portal UME.If it gets stored all the way to LDAP then we are fine, if not , then is there a way to replicate this user id password to LDAP.
  Thanks in Advance!

  >
  Gaurav Garg wrote:
  > Hi Gurus,
  >    i want to know if we have LDAP connected to a Portal and someone creates a user on Portal UME , will the user get created in LDAP or portal UME.
  User will be created in UME only not in LDAP.
  >    The situation is where any registerd user  accessing the portal should be authenticated against LDAP and he can also do a self registration from portal.So if he self registers, does his user id/Password gets created in LDAP or it stays in Portal UME.
  No the user is created in UME database and not in LDAP. If you are setting up your user persistence in LDAP (authenticating users from LDAP) then you have to setup users in LDAP. UME has a read only access to things that it pulls from LDAP.
  Regards,
  Zaheer

• UME as LDAP read only, what is the password

  Hi,
  If the portal or java instance is setup as UME = LDAP read only + database pointing to AD and the user is then assgined roles/groups in the Java UME with access to allow logon.
  1. What is the password of the users to use?
  2. I know the AD password is definitly not synchronised as it is one way encrypted. Does the user needs to be set a new password in portal to login with?
  3. Will this password be stored on the Java UME only?
  4. what happens if the users AD password changes, will it affect the password stored in the Java UME?
  Thank you.
  John

  Hello John,
  since we use that setting, too, lets see, what I can tell you. ^^
  1. What is the password of the users to use?
  > The password of their AD-account.
  2. I know the AD password is definitly not synchronised as it is one way encrypted. Does the user needs to be set a new password in portal to login with?
  > No, they can derectly use their AD-account (username and password).
  3. Will this password be stored on the Java UME only?
  > I'm not sure, but I'd say "no". I don't think it is stored in the UME (since the LDAP is connected and the information about the account and password status come from there).
  4. what happens if the users AD password changes, will it affect the password stored in the Java UME?
  > If the user changes his/her AD-password, that he/she can logon to the portal with that new password immediately. So I don't think, there is any connection to the portal UME database.
  Regards,
  Steffi.

• User status shows active in portal for inactive LDAP users

  Hi all,
  Users listed in the LDAP as deleted or inactive are still listed in EP
  User Management as valid active users.
  1) is there any process or OSS note which can help us to get users
  inactive in portal user management to the corresponding LDAP inactive
  users?
  2) is there any chance that any inactive or deleted entries in LDAP
  should not be searchable from User admin Portal search?
  Any solution for the above problem?
  Please reply.
  Regards,
  haroon

  Hello there,
  i have the same problem: We have several domains that sometimes contain users with the same user-id. This happens, if a user is "moved" from one domain to another: A new user with the same user-id is created in the new domain and the user-status of the user in the old domain is set to "inactive".
  But SAP NetWeaver Portal (7.0 EHP 1) ignores this user-status flag and thus login (with SPNego / Integrated Windows Authentication, which does not send the domain of an identified user to the portal) fails.
  Is there a possibility to get the portal to "ignore" LDAP users (meaning no longer list them in the UME) that have their user-status flag set to "inactive"?
  Thanks for a reply in advance!
  Regards,
  René

• Assign Group from LDAP

  Hello Experts.
  We are using LDAP with the option: dataSourceConfiguration_<LDAP_directory_vendor>_deep_readonly_db.xml
  I need to assign users to groups without use User Admin --> Identity Management.
  I want to know how can I assign Groups from LDAP and not from UME datasource because we don't want use the Identity Management tool.
  The Portal Version is EP7.0 SP23
  Thanks very much.
  Regards
  Mariano

  Hello Jigar,
  thank you.
  I created groups and sub-groups in LDAP but from Portal only I can see the Groups and not the sub-groups.
  How can I config to see all the tree?
  Thanks a lot.
  Regards
  Mariano

• Difference between UME and LDAP users

  Hi,
  I am facing a strange problem. In my Webdynpro application, I am accessing the portal user properties using the normal user management APIs. IUser object. On my local server, all the users are UME users and it runs fine.
  When I deployed my application on the central server which creates LDAP users by default, the code bombs saying the user is not authorized. When I recreate the user in UME, it is fine again. Are there APIs which I can use which work for both the user stores?
  Thanks in advance,
  Kiran

  Hi Kiran,
  I User object works for both the cases. Just try the below code.
  <%@ page import = "com.sap.security.api.IUser" %>
       private void getUser() {
            user = compRequest.getUser();
            userId = user.getUniqueID();
            userName = user.getUniqueName();
  It worked for me for getting the users from LDAP.
  Regards,
  Santhosh