UME: LDAP + ABAP

Hi,
There are similar threads to this and I have read both thread IDs 187875 and 476229.  We have been able to customize the datasource XML file to include LDAP, ABAP and the private UME database.  The portal can be started, and we are able to logon with administrator access.  On the portal, we can even see users from all three datasources.  However, user authentication is not working for us.  At the moment, we have a USERA in LDAP and in ABAP. 
1. Is it possible that because USERA is NOT UNIQUE in the user datasources, authentication is failing?
2. How do we go about having USERA authenticate using LDAP but get the ABAP roles assigned to him from ABAP?
I will also post a follow up message with the owner of thread ID 476229.  In the meantime, any feedback would be welcomed.
Thank You.

Hi,
Please note that we have verified that USERA is not able to logon because his login ID is not unique on the portal (since USERA exists in both the LDAP and ABAP datasources).
Thank You.
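
A pre-check for the condition reported above (the same logon ID present in more than one data source), as an added example that is not part of the original thread. It reads a constructed LDIF export and a constructed ABAP user list and reports the IDs found in both; the `sAMAccountName` attribute, the case-insensitive comparison and the source names are assumptions.

```python
import base64

# Constructed sample data: an LDIF export from the directory and the user
# names of the ABAP client. Includes a base64 value and a folded line.
LDIF_EXPORT = """\
dn: CN=User A,OU=Staff,DC=example,DC=com
sAMAccountName: usera

dn: CN=User B,OU=Staff,DC=example,DC=com
sAMAccountName:: dXNlcmI=

dn: CN=A Rather Long Common Name,OU=Staff,
 DC=example,DC=com
sAMAccountName: userc
"""
ABAP_USERS = ["USERA", "SAPJSF", "USERC"]


def ldif_values(ldif_text, attribute):
    """Return all values of one attribute from LDIF text (subset of RFC 2849)."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of a folded line
        else:
            unfolded.append(raw)
    values = []
    for line in unfolded:
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#") or name.lower() != attribute.lower():
            continue
        if rest.startswith(":"):             # "attr:: <base64 value>"
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values


def logon_id_collisions(sources):
    """sources maps a data source name to its logon IDs.

    Returns {logon ID: [source names]} for every ID found in more than one
    source. IDs are compared case-insensitively (assumption).
    """
    seen = {}
    for source_name, logon_ids in sources.items():
        for logon_id in logon_ids:
            seen.setdefault(logon_id.strip().upper(), set()).add(source_name)
    return {lid: sorted(names) for lid, names in sorted(seen.items())
            if len(names) > 1}


def check_sample():
    """Run the check over the constructed sample data above."""
    return logon_id_collisions({
        "LDAP": ldif_values(LDIF_EXPORT, "sAMAccountName"),
        "ABAP": ABAP_USERS,
    })


if __name__ == "__main__":
    for logon_id, names in check_sample().items():
        print(f"{logon_id}: present in {', '.join(names)}")
```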

Similar Messages

  • LDAP UME for ABAP + JAVA SYSTEM

    Hi,
    I am using NW 7  SP 15 with both ABAP + JAVA stack. The UME is set to ABAP by default during installation.
    Can we change that to LDAP datasource?
    Under System Configuration -> UME Configuration -> Data Sources (TAB) -> in Data Source dropdown box -> there is only ONE option available "ABAP SYSTEM" and no other option is present.
    Any suggestion?
    Regards
    Deb

    Oops! Obviously a later change from ABAP to some other UME is indeed not supported by SAP. But this does not mean that you cannot use LDAP or JAVA from the very beginning.
    Did you not have the option to choose another UME data source for the Java Add-In during the installation process? (this may make sense, because the installation sequence for double stacks is always 1. ABAP stack 2. Java stack).
    If not, then indeed LDAP as the primary UME data source is not supported for double stack installations.
    If yes, you only have the chance to re-install your system.
    In every case you can install 2 separate instances and connect them later. 1 ABAP instance with UME of course ABAP and 1 Java instance with UME LDAP or Java DB.
    But before doing that and if I were you I would open a CSN at SMP and ask the software vendor ...
    Regards,
    Volker

  • Config UME with ABAP+LDAP datasource

    Hi all,
    We are implementing an EP installation. We want to reuse the abap role assignment for the portal roles and we require a SSO solution based on SPNego.
    Now we can implement each on its own fine. The question is how we can connect the UME to use both the ABAP and LDAP data sources. I opened an OSS about it and they said it's possible and supported, but I'm on my own when it comes to implementing it (or consulting, of course).
    Anyone had experience with this configuration or can provide me with the datasource schema file?
    Thanks in advance,
    Eric

    Try the following:
    1.     Download the SPNegoWizard_645.zip (for 7.0) or SPNegoWizard_640 (for 6.40) from SAP Note 994791 and unzip it.
    2.     Adjust the user running the SAP system in Active Directory
    3.     Copy the EAR and XML Files from the SPNegoWizard.ZIP file to a temporary directory on the server.
    4.     Open up the Visual Administrator.  Logon with the admin ID.
    5.     SID ->Server -> Services -> Deploy
    6.     Open the Config Tool. (Yes to using DB settings)
    7.     Select UME LDAP Data
    8.     Browse to the XML file you copied earlier. (dataSourceConfiguration_ads_readonly_db_with_krb5.xml)
    Click the upload button.
    9.     Select the Configuration file you just uploaded.  Click OK on the Warning message.
    10.     Setup the Connection details as specified below:
    Server Name: xxxxxx
    Server Port: xxxxxxx
    User: SAPService<SID>@domain.com
    Password:  xxxxxx
    Use UME unique id with unique LDAP attribute (checked): samaccountname
    User Path: dc=<domain>,dc=com
    Group Path: ou=xxxxxx,ou=xxxx,dc=xxxx,dc=xxxx
    11.     Click the Test Connection button you should see:
    Click Close when done.
    12.     Click the Test Authentication button, enter NT user ID and NT password, and click the authenticate button and you should get a success message:
    13.     Select cluster-data -> Global Server Configuration -> services -> com.sap.security.core.ume.service
    14.     Edit the ume.admin.addattrs.
    Add the values: krb5principalname;kpnprefix;dn
    Click the Set button. 
    15.     Click the Save button or File -> Apply.  
    16.     Close the Config tool and restart the JAVA engine.
    17.     After the engine is restarted, continue on with the Kerberos configuration.
    18.     Open up the SP Nego Wizard by going to the following URL: http://<server>:<port>/spnego
    19.     Logon with the Administrator user ID.
    20.     Select the check boxes for the "Service user is created and configured in Active Directory" and "UME configuration includes SPNego specific settings"
    Click the Next button
    21.     Click the Add Kerberos Realm button and enter your domain name (e.g. company.com)
    22.     For the Realm Configuration's KDCs (Key Distribution Centers) put in <KDC host> and 88 for the port (the port should already be filled in).
    23.     In the KPN (Kerberos Principal Name) section enter the Service User Name & Password.
    Service User: SAPService<SID>          
    Password: xxxx
    Leave LDAP Host - blank
    24.     Click the Next button
    25.     Select Prefix Based for the Resolution Mode and Click Next
    26.     In Policy Configuration we want to create a new policy called spnego.  Tick Basic password Fallback (when SSO do not work) and tick SSO with Logon Tickets.  Click the Next button.
    27.     Click Finish on the Confirmation screen.
    28.     Close the browser and restart the engine.
    29.     After the engine has finished restarting, continue with the final steps.
    30.     Open up the Visual Administrator.  Logon as the Administrator ID.
    31.     SID -> Server -> Services -> Security Provider
    32.     Go into change mode by clicking the change button.
    33.     On the Runtime tab -> Policy Configurations tab -> select ticket from the Components list.
    34.     On the Authentication tab for the ticket component -> select Authentication Template: spnego
    35.     Now go to the useradmin service (http://<server>:<port>/useradmin) to test the Kerberos SSO.  You should get signed on without entering a user name or password.
    You are done!

  • UME & LDAP

    Hi,
    I have a two-system landscape for EP (ESS/MSS).
    For quality I have done the configuration as follows:
    UME data source is ABAP (ECC quality instance) and made the two systems trusted systems.
    Now,
    I would like to make production run fully with SSO, with LDAP for the whole landscape.
    I have a domain installation already.
    My doubts:
    1. How would I configure UME?
    2. Any crunch point in this scenario?
    3. Any link or doc, please.
    Thanks

    Not entirely true: when your current UME is ABAP, you cannot change this to another UME option (not supported by SAP according to note 718383). You can, however, configure the use of SPNego (LDAP). Take a look at this blog:
    Configuring SPNego with ABAP datasource
    I've configured this type of LDAP integration on several portals that are connected to ABAP backends for their UME.
    Just follow the steps, and you should be fine. Good luck.

  • UME LDAP configuration XML file

    Dear Experts-
    I am configuring multiple LDAP as UME for EP 7.0 EHP2. I am following the document below.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/8036faa9-3d95-2c10-e596-c7c97082f07e?QuickLink=index&overridelayout=true
    It mentions that the XML file to be downloaded is the dataSourceConfiguration_multiLDAP_db.xml file, but there is no such file. Can you please let me know where I can find this?
    The only ones I see are:
    Microsoft ADS readonly, deep and flat
    Microsoft ADS Deep & flat
    Novell LDAP Read only flat and deep
    Novell LDAP flat & deep
    DatasourceConfiguration_simens_deep_readonly_db
    Siemens LDAP servers Read flat & deep
    Just to let you know, we are using MS ADS flat. Please let me know which file I can choose to put the second LDAP data source.
    Thanks,
    John

    John,
    There is no such file (dataSourceConfiguration_multiLDAP_db.xml) delivered for configuring multiple LDAP data sources.
    You will need to download dataSourceConfiguration_ads_readonly_db.xml and modify as per your needs and upload it with your own custom name.
    1. Open the dataSourceConfiguration_ads_readonly_db.xml file using a text
    editor (other than Notepad) and locate the <dataSource.../> section for the "CORP_LDAP".
    2. For each additional LDAP server, paste the copy into the document after the original
    </dataSource...> ending tag for the CORP_LDAP source. Change the name of the data source for
    pasted copy to "CORP_LDAP_X" or some other value. This value becomes a data source identifier
    for UME and prefixes the principal Ids.
    For each LDAP data source, locate the <privateSection...> within the <dataSource...> tag and
    enter the following lines if they are not present:
    <ume.ldap.access.server_name>SERVER_HOSTNAME</ume.ldap.access.server_name>
    <ume.ldap.access.server_port>SERVER_PORT</ume.ldap.access.server_port>
    <ume.ldap.access.user>DS_USER_NAME</ume.ldap.access.user>
    <ume.ldap.access.password>DS_PASSWORD</ume.ldap.access.password>
    <ume.ldap.access.base_path.user>USER_ROOT_IN_DS</ume.ldap.access.base_path.user>
    <ume.ldap.access.base_path.grup>GROUP_ROOT_IN_DS</ume.ldap.access.base_path.grup>
    Save this file with your custom name and upload it.
    Thanks,
    Shanti
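
The copy-and-rename steps in the answer above, scripted as an added example (not part of the original post and not SAP-delivered code). The XML sample is constructed and heavily trimmed; that the data source name is the `id` attribute, and the host names used, are assumptions. The script refuses a duplicate data source identifier, since that value prefixes the principal IDs.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for dataSourceConfiguration_ads_readonly_db.xml;
# the delivered file has far more content inside each <dataSource>.
SAMPLE = """<dataSources>
  <dataSource id="PRIVATE_DATASOURCE"/>
  <dataSource id="CORP_LDAP">
    <privateSection>
      <ume.ldap.access.server_name>dc1.example.com</ume.ldap.access.server_name>
      <ume.ldap.access.server_port>389</ume.ldap.access.server_port>
    </privateSection>
  </dataSource>
</dataSources>"""

# Connection entries listed in the answer ("grup" is spelled as posted).
LDAP_KEYS = (
    "ume.ldap.access.server_name",
    "ume.ldap.access.server_port",
    "ume.ldap.access.user",
    "ume.ldap.access.password",
    "ume.ldap.access.base_path.user",
    "ume.ldap.access.base_path.grup",
)


def child(parent, tag):
    """First direct child with exactly this tag, or None."""
    return next((el for el in parent if el.tag == tag), None)


def source_ids(root):
    return [ds.get("id") for ds in root if ds.tag == "dataSource"]


def add_ldap_source(root, new_id, settings, template_id="CORP_LDAP"):
    """Clone the template data source, rename it and set its connection entries."""
    if new_id in source_ids(root):
        raise ValueError(f"data source id {new_id!r} already exists")
    template = next((ds for ds in root if ds.get("id") == template_id), None)
    if template is None:
        raise ValueError(f"template data source {template_id!r} not found")
    missing = [key for key in LDAP_KEYS if key not in settings]
    if missing:
        raise ValueError(f"missing settings: {missing}")
    clone = copy.deepcopy(template)
    clone.set("id", new_id)
    private = child(clone, "privateSection")
    if private is None:
        private = ET.SubElement(clone, "privateSection")
    for key in LDAP_KEYS:
        entry = child(private, key)
        if entry is None:                    # "if they are not present"
            entry = ET.SubElement(private, key)
        entry.text = settings[key]
    # Paste the copy directly after the original data source.
    root.insert(list(root).index(template) + 1, clone)
    return clone


def build_example():
    root = ET.fromstring(SAMPLE)
    add_ldap_source(root, "CORP_LDAP_2", {
        "ume.ldap.access.server_name": "dc2.example.com",   # constructed host
        "ume.ldap.access.server_port": "389",
        "ume.ldap.access.user": "DS_USER_NAME",             # placeholders from the post
        "ume.ldap.access.password": "DS_PASSWORD",
        "ume.ldap.access.base_path.user": "USER_ROOT_IN_DS",
        "ume.ldap.access.base_path.grup": "GROUP_ROOT_IN_DS",
    })
    return root


if __name__ == "__main__":
    print(ET.tostring(build_example(), encoding="unicode"))
```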

  • SAP LDAP Connector / UME LDAP and Global Site Selector (GSS)

    Hi,
    I'm wondering if SAP LDAP Connector / UME LDAP will work with Global Site Selector service, such as  CISCO GSS 4400 Series, so that GSS can provide load-balancing for LDAP access.
    If it works, is there a specific configuration on the SAP side?
    Thanks in advance.
    -denny-

    Hey Denny,
      Wondering if you ever sorted this out. I'm trying the same thing right now and UME is failing (and portal won't start) when I use the FQDN of the GSS. Behavior is strikingly similar to using the FQDN of the Active Directory domain. The only way I found to use AD as an LDAP source is to list individual DCs in the UME config. I'm hoping to use GSS instead.
    -Kevin

  • Guide me how to automate UME LDAP Configuration

    Hello colleagues,
    I am not sure if this is the right place for putting my question.
    We wanted to automate 'UME LDAP Configuration with Microsoft AD', because we have nearly 25 portals that have to be refreshed every 3 months from different systems. Instead of configuring UME every time, we wanted to automate it such that it can be done by one click for each portal.
    I am not aware, if it can be done through Webdynpro or Java API.
    Please let me know in which way we can achieve this functionality. If it is in Java then please let me know how to access UME APIs. Moreover Configtool will not save its data at O.S level, it stores in DB.
    Please guide me on achieving this.
    Regards,
    kasi

    Hi Nivas,
    thank you very much for your answer.
    Could you please let me know any APIs to use these functions
    I googled and found APIs for User management ( creating,deleting ,etc..) only.
    I could not find any APIs for LDAP settings in Configtool.
    I wanted to set these values ( which are specified in above link ) from out side.
    Regards,
    venkat
    Edited by: Venkata Kasi G on Mar 2, 2012 2:41 PM

  • UME LDAP Data - XML file not appearing

    Hi,
    I have configured the readonly ADS with DB for the user authentication. Now I want to restore back to the default datasource configuration (dataSourceConfiguration_database_only.xml). But in the dropdown box in the Configtool >> UME LDAP data under the "Directory Security" tab, I am not able to see the config XML file for the DB only. I tried uploading the file, but it's saying the file already exists. After this I tried deleting the files from the cluster_data\server\persistent\com.sap.security.core.ume.service and then uploaded the XML file. Still this is not appearing in the list of datasources available.
    Can you please let me know how shall I revert the Datasouce to DB only?
    Regards,
    Debasis

    Hi,
      Go to ConfigTool -> Global Server Configuration -> Services -> com.sap.security.core.ume.service.
    You can change the value of ume.persistence.data_source_configuration to dataSourceConfiguration_database_only.xml.
    Regards,
    Siva
    P.S: Award points if you find this useful.

  • How to point UME to ABAP..

    Hi friends,
    I have configured UME to ABAP system....UME has to point to ABAP.
    I have done some steps through Visual Administrator -> UME Provider.
    Under UME Provider I have provided certain details like ABAP hostname, ABAP client number, sapjsf user.
    On the ABAP side, I have created roles SAP_BC_JSF_COMMUNICATION and SAP_J2EE_ADMIN for the sapjsf user and profiles SAP_ALL and SAP_NEW.
    Apart from these, what else has to be done on both the Java and ABAP sides? I have gone through many forums but I didn't find the exact stuff that I needed.
    If everything is done, how to check whether UME has pointed to ABAP?
    please suggest.
    Thanks,
    KK

    Hello,
    My advice is to first check the documentation instead of searching in forums:
    http://help.sap.com/saphelp_nw70/helpdata/en/9e/fdcf3d4f902d10e10000000a114084/frameset.htm
    If you've performed the steps as described there, your UME is correctly pointing to the ABAP client.
    Cheers,
    Diego.

  • "Calculated UME LDAP id is null" error received during runtime.

    Hello All,
    I am new to this community and this is my first post.
    Therefore please pardon me for providing inadequate explanation/resources while mentioning my problem.
    I am trying to build a SOAP webservice in SAP NetWeaver Developer Studio 7.3. This webservice will be used for integration between SAP user management  (AS Java)  with Dell's Quest Identity Management (Q1IM).
    The webservice will be used for
    Fetching
    -> All UME Users
    -> All UME Groups
    -> All UME Roles
    Add/Delete
    -> User to/from Group
    -> User to/from Role
    Change
    -> User Account Details
    The current scenario is the webservice built in Java is ready and all the functional components are working fine during runtime except for one and that is when I try to retrieve all the UME Users.
    Below mentioned piece of code is for getAllUser function
        import java.util.ArrayList;
        import com.sap.security.api.*;

        public SAPUser[] getAllUsers() throws UMException {
            IUserFactory userFactory = UMFactory.getUserFactory();
            IUserSearchFilter searchFilter = userFactory.getUserSearchFilter();
            // Match every display name
            searchFilter.setDisplayName("*", ISearchAttribute.LIKE_OPERATOR, false);
            ISearchResult searchResult = userFactory.searchUsers(searchFilter);
            ArrayList<SAPUser> ar = new ArrayList<SAPUser>();
            while (searchResult.hasNext()) {
                String uniqueid = searchResult.next().toString();
                // Keep only users whose unique ID carries the private data source prefix
                if (uniqueid.startsWith("USER.PRIVATE_DATASOURCE.un")) {
                    IUser user = userFactory.getUser(uniqueid);
                    IUserAccount[] userAcc = user.getUserAccounts();
                    for (int i = 0; i < userAcc.length; i++) {
                        ar.add(new SAPUser(userAcc[i]));
                    }
                }
            }
            SAPUser[] users = new SAPUser[ar.size()];
            return ar.toArray(users);
        }
    Similar logic has been used for Groups and Roles and they are working fine.
    During runtime it gives following error
    Web service returned error. Fault Code: "(http://schemas.xmlsoap.org/soap/envelope/)Server" Fault String: "Calculated UME LDAP id is null"
    (Screenshot has also been attached)
    I tried searching for a solution on internet and specially on SAP SCN but couldn't come across any suitable option.
    Thereby my request to member-experts of this forum to please look into my matter mentioned above and provide some appropriate solution for it.
    Thanks in advance.
    Regards,
    Tanuj Jaitly

    Hi Soumya,
    Thanks for the valuable suggestion.
    Now I have another situation and this I would like to share with you and other experts in this forum.
    Apart from above scenario I was trying to fetch all the LDAP users as well, but due to large number of employees in my organization I received Connection Time Out. We thus changed our requirement.
    We now want to display those LDAP users which have UME roles and groups associated with their accounts. In other words LDAP users who can login to SAP Java portal to access their roles and groups.
    From UME API as getLastSuccessfulLogonDate()  and getPreviousSuccessfulLogonDate() are already deprecated I am unable to find any concrete solution.
    Request to please help. Thanks in advance.
    Tanuj Jaitly

  • UME with ABAP AS and LDAP Datasource

    Hello SDN´s
    We have tried very hard for the last days configuring the ume-xml for the following scenario:
    -     LDAP is used to authenticate the user
    -     AS ABAP is used to store the roles of the user (because they automatically become groups in the portal)
    -     the portal and the ABAP system are on different servers
    Given facts:
    1)     we can't synchronize the roles of the ABAP system to the LDAP
    2)     we have to use the open-LDAP for the authentication
    3)     DataSources are readonly
    4)     Users can have similar or different userids on the DataSources (mapping required)
    Therefore, we read the user and account information from the LDAP and groups/roles from the ABAP AS.
    Result:
    a)     users with similar userid on LDAP and ABAP AS: These users were no longer able to log on to the portal
    b)     users with different ids (mapped) on LDAP and ABAP: Can log on
    Questions:
    -     Is it true that similar userids lead to inherent problems of the UME Persistence Manager?
    -     Did we set up a wrong config-xml?
    -     Is there any other way we could authenticate to the LDAP and have the roles of a user read from the ABAP system dynamically?
    Thank you very much for your help
    Sincerely, A. Hunziker

    Hi Andre,
    Not sure if my remarks below can help you, but I do hope that they can shed some light.
    We have LDAP as our main UME, which is configured in our Portal7.0. This means that security groups created in LDAP are "replicated" into the Portal. We created Portal Roles which are assigned to the security groups created in LDAP. We also use SSO and it was setup via the SPNego Wizard (http://help.sap.com/saphelp_nw70/helpdata/EN/45/40a0de773a7527e10000000a114a6b/frameset.htm). This way, the user only needs to login via Windows and access the Portal without having to login (when users have the same Windows userID as that of their SAP ID). If the users have a different userID between Windows and SAP, then they do a user map under personalization of the Portal.
    To connect our Portal to our backend systems, we created a reference system (http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm) and we have our Portal certificates in all backend systems (http://help.sap.com/saphelp_nw70/helpdata/EN/d3/41c8efb31d11d5993800508b6b8b11/frameset.htm).
    With the above, users have SSO from Windows to Portal and via the reference system, they can enjoy SSO as well into our backend systems.
    Basically we have control over what the users can see from the Portal (directly from LDAP security groups with users assigned to them), and what the user can do on the backend is still maintained in the backend authorisation setup.
    Hope that can help you.
    Ray

  • UME Configuration - Abap System as userstore, can it be reversed?

    Hi,
    according to SAP note: 718383 (Supported UME datasources and change options), you cannot change the datasource once you start to use dataSourceConfiguration_abap.xml (Abap system) as datasource.
    Is this correctly understood? Does this mean I could never change back to i.e. "Database only" or any LDAP alternative?
    I would thus have to do a fresh portal installation?
    Best Regards
    Olof

    HI,
    Once I planned to do the same, changing my Data Source from ABAP, but dropped my plan after analysis.
    Please check this link,
    [http://help.sap.com/saphelp_nw04s/helpdata/en/45/af3ac012d32e78e10000000a155369/frameset.htm]
    Also, the following link might be useful,
    [http://help.sap.com/saphelp_nw04s/helpdata/en/b7/14d43f2dd44821e10000000a1550b0/frameset.htm]
    Thanks,
    Vamshi

  • UME - Ldap Server ( Downtime )

    SAP EP7 SP 10
    We are using IBM Tivoli Directory Server (ITDS) for User Management.  We want to stop the Directory Server to make certain changes to the schema files. 
    Is it necessary to stop sap j2ee engine / ep, in case if we want to stop ldap server. 
    How to go about it ?
    Pls. help.

    Realistically - I'd shut your portal environment down.  The portal reacts very badly in my experience when the UME components are taken down (ABAP, LDAP or otherwise) without the portal being shut down first.
    At the very best, no further users can logon and users already logged on will be prompted for password.  Most likely the environment will simply seem to become unresponsive - meaning no access for anyone doing anything!!
    Haydn

  • Access UME in ABAP

    Hello experts!
    How can i access to the UME database from ABAP program ?
    Thanks!

    mariano,
    Well, the easiest way would be to expose the needed functions as web services on the Java stack and use them in your ABAP program.
    kr, achim

  • UME problem - ABAP roles not showing up in UME

    Hello,
    I'm having a problem where the ABAP roles (UME groups)  for my PI system are not showing up as assigned to a user in the UME.  The roles assigned to the user are not reflecting the roles (UME groups) that are in the ABAP side.  But, other users are showing up fine.    The user is shown to have only the standard basic roles.
    This works fine on my development and AS system.  Any help would be greatly appreciated. Thanks.

    Hi George,
    There is a 30 minute delay before these roles/groups show up in the Java system. Could that be the problem in your case?
    See the documentation: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/45/af3ac012d32e78e10000000a155369/frameset.htm
    -Michael
