Working scenario - Portal UME with LDAP

Similar Messages

• Automatic upload of roles from ECC to portal (UME with LDAP)

  Hi experts,
  This thread reopen the question asked on the following message : automatic upload of roles from BI to portal
  However, it concerns this time "UME with LDAP".
  Problematic :
  SAP Library 04s tells us that is not yet possible to automate role replication (or role assigment replication) from ABAP Based back-end to Netweaver Portal. Only manual process for initial upload is possible.
  Source = http://help.sap.com/saphelp_nw04s/helpdata/en/41/5e4d40ecf00272e10000000a155106/frameset.htm
  Questions :
  1 - Did anyone ever try to implement such an automatic tool ?
  2 - What if I'm not able to write on the Active Directory ? I am still able, at least, to automate role assignment replication from ABAP Based back-end to Netweaver Portal (ie. UME with LDAP) ? Directly from SAP R/3 to EP through UME, without passing through Active Directory since the group field is not maintained in AD.
  Many thanks for your inputs
  Alexis MARTIN

  Hello,
  As I did not read the previous thread I don't know what exactly you are trying to achieve, but I can tell you about what we have done - as far as it is not too late yet.
  We use the portal with integration to a BI system. In the ABAP stack we have lots of roles with menu items for hundreds of reports. We want the users to see these roles in the portal.
  First we have used the role migration tool of the portal to upload these roles. There is a Java API for executing role uploads from code. You need to create a webservice in the java stack to call this api, and can call the webservice from ABAP.
  However it is just a question of time and role size until this will not work at all. Standard role migration is more or less crap, stability is a problem. It also creates a lot of logs in the PCD and thus fills the database with trash. (After a few OSS messages there is now a program for deleting logs + you can turn of logging.) Also upload of larger roles takes up to an hour, and you alwasy have the problem that your portal roles are not up to date during the day.
  When I got completely fed up, I have implemented an own navigation connector. When you log on to the portal it will connect to the ABAP stack via RFC, load the role, and generate the portal menu from it. It uses caching, but on every logon it checks whether the role has been updated in ABAP since the last time it was loaded. It is up to date, faster then PCD navigation, and you need absoluetely no periodical synching at all. I cant even understand why this is not offered by SAP per standard!
  Drawback is that it will of course only work for the menu items, and only menu items with an "URL-type" are supported. I'm prettry sure however that it would be possible to implement a few other types as well.
  Let me know if you are interested in the solution, I can give you a few additional details: oliverDOTsvisztATwienerbergerDOTcom
  Oliver

• UME with LDAP

  Hi Experts,
  I've installed Portal sneak preview which is 7.0 SP9 in my Desktop and at the moment i'm using Web AS database is the user storage for portal.
  Now wanted to change the user storage to any ldap (for windows) server and wanted to look at the working scenario.
  Now ..
  1. Which is the recommended LDAP server for windows, to the above scenarion
  2. Can i use LDAP is the user storage for sneak preview versions.
  3. Any useful documents to achieve this.
  4. Please remeber i'm on Windows XP.
  Please leave your valuable suggestions
  Thanks,
  Lokesh.

  Hi,
  Hi Experts,
  I've installed Portal sneak preview which is 7.0 SP9 in my Desktop and at the moment i'm using Web AS database is the user storage for portal.
  Now wanted to change the user storage to any ldap (for windows) server and wanted to look at the working scenario.
  Now ..
  1. Which is the recommended LDAP server for windows, to the above scenarion
  I guess on Windows the best choice is ADS. If I get your requirement correctly you want to install a local LDAP Server on your machine correct? I don't know if it is possible to install ADS standalone on Win XP. In general you can use any LDAP Server so you should be able to get it working even with openLDAP if you are fimiliar with the LDAP protocol. I think openLDAP is not supported by SAP so maybe you should try something like SUN Directory Server (You can download a trial from the SUN Website). There is a version for Windows and it works without problems on WIN XP (I've tried a couple of times)
  2. Can i use LDAP is the user storage for sneak preview versions.
  I bet you can. You just have to choose the appropriate XML-File for UME Userstore that supports LDAP as UME and it should work.I've not tried with trial version but I think there are no limitations in the trial version regarding UME configuration.
  3. Any useful documents to achieve this.
  Check these out:
  http://help.sap.com/saphelp_nw70/helpdata/EN/63/14f5b51a6eff429f2d8b2063400e82/frameset.htm
  http://help.sap.com/saphelp_nw70/helpdata/EN/48/d1d13f7fb44c21e10000000a1550b0/frameset.htm
  http://help.sap.com/saphelp_nw70/helpdata/EN/37/cfd93f130f9115e10000000a155106/frameset.htm
  All you have to take care of is to choose the appropriate hierarchy supported by UME to store your user information within your directory (all this is described in the pages linked above)
  4. Please remeber i'm on Windows XP.
  I do
  I hope this helps
  Cheers

• Revertion of Portal UME from LDAP to DB Only

  Hello All Portal Gurus,
  I have one query. Can i revert back my Portal UME database from LDAP read only + DB configuration to DB only. I know the default configuration of the UME after installation remains DB only. But if we change it to LDAP ADS readonly, then can we change it back to DB only by any means or by any action?
  Need the suggestions from Portal Gurus...
  Thanks in Advance
  Regards
  Srinivas

  Hi Srinivas,
  how did you try to reset the UME settings? Using portal system administration?
  If yes, go for the config tool. For further help see:
  [Configuring UME|http://help.sap.com/saphelp_nw70/helpdata/EN/eb/00954081efb90ee10000000a155106/frameset.htm]
  HTH,
  Carsten

• To use UME with OpenLDAP

  Hello everybody,
  i have some problems.
  My initial position:
  Installed dual stack SAP NetWeaver Portal 2004s
  --> Datasource for UME: ABAP-System
  Installed OpenLDAP
  Have anybody some guidelines for the configuration a UME with LDAP.
  I had read all SAP help entries. Not so helpful.
  I couldnt change DataSource, i dont know why ;-(
  Please help
  rene

  Hi,
  If you are using SAP Web AS ABAP User Management as datasource, you cannot change to any other data source configuration. For details, see SAP Note [718383|https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/oss_notes/sdn_oss_bc_jas/~form/handler].
  http://help.sap.com/saphelp_nw04/helpdata/en/49/9dd53f779c4e21e10000000a1550b0/frameset.htm
  Regards,
  Praveen Gudapati

• Portal integration with Agile systems

  Hi All,
  Has anybody worked on Portal integration with Agile systems. I mean pulling data from Agile systems.
  Any specific documentation would be of help.
  Regards,
  Tom

  Tom,
  you may want to check this
  https://www.sdn.sap.com/irj/scn/advancedsearch?query=agile&cat=sdn_all
  Thanks
  Bala Duvvuri

• UME with ABAP AS and LDAP Datasource

  Hello SDN´s
  We have tried very hard for the last days configuring the ume-xml for the following scenario:
  -     LDAP is used to authenticate the user
  -     AS ABAP is used to store the roles of the user (because they automatically becomes groups in the portal)
  - the portal and the ABAP-system are  on different servers
  Given facts:
  1)     we canu2019t synchronize the roles of the ABAP system to the LDAP
  2)     we have to use the open-LDAP for the authentication
  3)     DataSources are readonly
  4)     User can have similar or different userid´s on the DataSources (Mapping required)
  Therefore, we read the user and account information from the LDAP and groups/roles form the ABAP AS.
  Result:
  a)     user with similar userid on LDAP and ABAP AS: These user were no longer able to log on to the portal
  b)     user with different id´s (mapped) on LDAP and ABAP: Can log on
  Questions:
  -     Is it true that similar userid´s leads to inherent problems of the UME Persistence Manager?
  -     Did we set up a wrong config-xml?
  -     Is there any other way how we could authenticate to the LDAP and having the Roles of a user read from the ABAP system dynamically?
  Thank you very much for your help
  Sincerely, A. Hunziker

  Hi Andre,
  Not sure if my remarks below can help you but I do hope that it can shine you some light.
  We have LDAP as our main UME, which is configured in our Portal7.0. This means that security groups created in LDAP are "replicated" into the Portal. We created Portal Roles which are assigned to the security groups created in LDAP. We also use SSO and it was setup via the SPNego Wizard (http://help.sap.com/saphelp_nw70/helpdata/EN/45/40a0de773a7527e10000000a114a6b/frameset.htm). This way, the user only needs to login via Windows and access the Portal without having to login (when users have the same Windows userID as that of their SAP ID). If the users have a different userID between Windows and SAP, then they do a user map under personalization of the Portal.
  To connect our Portal to our backend systems, we created a reference system (http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm) and we have our Portal certificates in all backend systems (http://help.sap.com/saphelp_nw70/helpdata/EN/d3/41c8efb31d11d5993800508b6b8b11/frameset.htm).
  With the above, users have SSO from Windows to Portal and via the reference system, they can enjoy SSO as well into our backend systems.
  Basically we have control what the users can see from the Portal (directly from LDAP security groups with users assigned to that) and what the user can do on backend is still maintain in the backend authorisation setup.
  Hope that can help you.
  Ray

• Parent / Child Groups in Portal with LDAP

  Heya,
  we are using EP 7 on SP 10 (NW 7), for User Authentication we use the UME with a configured (writable) LDAP
  Server as backend with a flat hierarchie. We have a Federated Portal Landscape with
  3 Portals connected to one "main" portal and using Remote Role Assignement on the main portal for
  our right managenemt.
  Remote Roles which are added to Groups are working fine, but as soon as we try to use
  the parent/child group functionality we are facing the problem that the user who logs on
  has no access to anything in this group.
  According to http://help.sap.com/saphelp_nw04s/helpdata/en/af/0cfc3f09c2c442e10000000a1550b0/frameset.htm
  the only restriction for the use of child / parent groups is that:
  "If user management is set up with write access to an LDAP directory, the following restriction applies:
  When assigning members to a group that is stored in the LDAP directory, you can only assign users or
  groups that are also stored in the LDAP directory. You cannot assign users or groups from the database
  to groups from the LDAP directory. "
  We fullfill the above condition (everything is LDAP based) - sooo: Any Hints for me / Someone facing
  the same problem.
  Thanks,
  Marco

  Hi Murali,
  User Configuration
  A particular company has the following setup:
  ●      Two roles: External and Internal
  ●      The role Internal contains users who also belong to two user groups: N.America and Asia
  ●      User A belongs to both the role Internal and the user group N.America
  ●      User B belongs to both the role Internal and the user group Asia
  ●      User C belongs to the role External
  Conditions Defined in Portal Display Rules
  1. If Group = N.America
     Then Portal Desktop = Orange Flavor
  2. If Role = Internal
     Then Portal Desktop = Green Flavor
  3. If Group = Asia
     Then Portal Desktop = Blue Flavor
  4. If Role = External
     Then Portal Desktop = Red Flavor
  Note that user A matches conditions 1 and 2; (ii) user B matches conditions 2 and 3; and (iii) user C matches condition 4.
  Results
  According to the list of priorities, these are the results:
  ●      User A receives portal desktop "Orange Flavor" (according to condition 1 which has priority over rule 2)
  ●      User B receives portal desktop "Green Flavor" (according to condition 2 which has priority over rule 3)
  ●      User C receives portal desktop "Red Flavor" (according to condition 4)
  still any help on portal disktop rules to can see this link http://help.sap.com/saphelp_nw70/helpdata/EN/4b/29cf122f414721964269e1b675d62c/frameset.htm
  if helpful don't to give points
  thanks
  best regards
  ep

• Config UME with ABAP+LDAP datasource

  Hi all,
  We are implementing an EP installation. We want to reuse the abap role assignment for the portal roles and we require a SSO solution based on SPNego.
  Now we can implement each on it's own fine. The question is how we can connect the ume to use both abap and ldap datasource. I opened an OSS about it and they said it's possible, supported but I'm on my own when it comes to implementing it (or consulting offcourse).
  Anyone had experience with this configuration or can provide me with the datasource schema file?
  Thank in advance,
  Eric

  Try the following:
  1.     Download the SPNegoWizard_645.zip (for 7.0) SPNegoWizard_640 (for 6.40)from SAP Note 994791 and unzip it.
  2.     Adjust the user running the SAP system in Active Directory
  3.     Copy the EAR and XML Files from the SPNegoWizard.ZIP file to a temporary directory on the server.
  4.     Open up the Visual Administrator.  Logon with the admin ID.
  5.     SID ->Server -> Services -> Deploy
  6.     Open the Config Tool. (Yes to using DB settings)
  7.     Select UME LDAP Data
  8.     Browse to the XML file you copied earlier. (dataSourceConfiguration_ads_readonly_db_with_krb5.xml)
  Click the upload button.
  9.     Select the Configuration file you just uploaded.  Click OK on the Warning message.
  10.     Setup the Connection details as specified below:
  Server Name: xxxxxx
  Server Port: xxxxxxx
  User: SAPService<SID>@domain.com
  Password:  xxxxxx
  Use UME unique id with unique LDAP attribute (checked): samaccountname
  User Path: dc=<domain>,dc=com
  Group Path: ou=xxxxxx,ou=xxxx,dc=xxxx,dc=xxxx
  11.     Click the Test Connection button you should see:
  Click Close when done.
  12.     Click the Test Authentication button, enter NT user ID and NT password, and click the authenticate button and you should get a success message:
  13.     Select cluster-data   Global Server Configuration  services  com.sap.security.core.ume.service
  14.     Edit the ume.admin.addattrs.
  Add the values: krb5principalname;kpnprefix;dn
  Click the Set button. 
  15.     Click the Save button or File -> Apply.  
  16.     Close the Config tool and restart the JAVA engine.
  17.     After the engine is restarted, continue on with the Kerberos configuration.
  18.     Open up the SP Nego Wizard by going to the following URL: http://<server>:<port>/spnego
  19.     Logon with the Administrator user ID.
  20.     Select the check boxes for the u201CService user is created and configured in Active Directoryu201D and u201CUME configuration includes SPNego specific settingsu201D
  Click the Next button
  21.     Click the Add Kerberos Realm button and enter your domain name (e.g. company.com)
  22.     For the Realm Configurationu2019s KDCs (Key Distribution Centers) put in <KDC host> and 88 for the port (the port should already be filled in. 
  23.     In the KPN (Kerberos Principal Name) section enter the Service User Name & Password.
  Service User: SAPService<SID>          
  Password: xxxx
  Leave LDAP Host - blank
  24.     Click the Next button
  25.     Select Prefix Based for the Resolution Mode and Click Next
  26.     In Policy Configuration we want to create a new policy called spnego.  Tick Basic password Fallback (when SSO do not work) and tick SSO with Logon Tickets.  Click the Next button.
  27.     Click Finish on the Confirmation screen.
  28.     Close the browser and restart the engine.
  29.     After the engine has finished restarting, continue with the final steps.
  30.     Open up the Visual Administrator.  Logon as the Administrator ID.
  31.     SID  Server  Services  Security Provider
  32.     Go into change mode by clicking the change button.
  33.     On the Runtime tab  Policy Configurations tab  Select ticket from the Components list.
  34.     On the Authentication tab for the ticket component  select Authentication Template: spnego
  35.     Now go to the useradmin service (http://<server>:<port>/useradmin) to test the Kerberos SSO.  You should get signed on without entering a user name or password.
  You are done!

• About EP(on UNIX) UME integration with LDAP

  Hello guys,
  We want  that UME use LDAP(read-only) as data source  .
  Our EP installed on UNIX , LDAP on Windows.
  Connection data
  Server Name:    sapsso
  Server Port:      389
  User:               p106658 (an administrator user)
  Password:        ******
  User Path : ou=test,c=us,o=gnpjvc 
  Group Path:  ou=test,c=us,o=gnpjvc
  We fill the data reference document on help websit :Configuring the UME to Use an LDAP Directory as Data Source   .
  But test connection always failed.
  Is there any solution?
  Thank you!
  Louis

  Hi,
  check your JDK version, some SUN version (>1.4.2_13) won't work with Kerberos. Start with SAP Note 968191 to gain more information.
  For checking the Java JDK parameters and recommendations / bugs, take a look at these Notes:
  716604    for the Sun JDK (Windows, Linux, Solaris)
  716926    for the HP JDK (HP-UX)
  716927    for the IBM JDK (AIX)
  1234382   for the IBM JDK IT4J (IBM i, iSeries, OS/400)
  717376    for the IBM JDK Classic (IBM i, iSeries, OS/400)
  746299    for the IBM JDK (Linux for zSeries)
  810008    for the IBM JDK (Linux on POWER)
  861215    for the IBM JDK (Linux on AMD64/EM64T)
  br,
  Tobias

• Link ECC roles to Portal roles (Portal is using LDAP source for UME)

  Hi all,
  If a user is assigned a certain ECC ABAP role, they should also receive a related portal role.  Our portal is using LDAP.
  If our portal ume source was an ABAP system, I think it would be easy to achieve the ECC to ABAP role linkage.
  We were thinking of developing a UME java webservice and have an ABAP proxy class consume it to allow our abap system to assign the correct portal role, and delete the portal role.
  Any other ideas?

  Rajendra,
  Thx for your reply.  Can you provide any more details as to the design of your solution with the web service?  We are thinking of running a batch job nightly with a some mapping table in ECC to determine what ABAP role should link to the portal group then call the webservice to add the user to the portal group or delete the user from the portal group. 
  A second question is...does SAP Identity Manager offer any solution for this type of requirement?
  Thanks

• Sync User Locks from LDAP(Microsoft AD) to Portal UME

  Hi All,
  Currently we have our Portal UME connected to LDAP (Microsoft AD) as our data source. I can bring up all Active Directory users in Portal, however the users that are locked and disabled in Active directory are still active in portal. To be more clear the expiration date of a userid in AD does not sync with Portal UME account expiration date. Is there a way to bring in the expiration value in to portal?
  Regards,
  Junaid

  Config tool may not have expiry date as mapping in Additional LDAP prop tab, you may need to look for configuration file where you can map the logical attribute to the LDAP.
  Licensing impact depends on your contract with SAP.
  However you can check portal users with USMM at the end of URL.
  E.g.
  remove 'irj/portal' from your initial portal link and add 'usmm'

• CUP 5.3 with SAP EP 7.0 (UME as LDAP Read Only)

  Hi experts,
  I have a simple question to figure out whether or not it's possible to :
  - use CUP 5.3 to ONLY assign UME portal groups on EP 7.0, considering the fact that my portal has UME as Read-only LDAP?
  SAP Notes and SAP docs (including How-to Configure SAP BusinessObjects Access Control .3 for SAP NetWeaver Portal 7.0) don't provide an answer for this.
  If you follow the documentation with a Portal UME as read-only, you will have an error like : "Can not modify firstname attribute on Active Directory..."
  To sum up
  - EP 7.0 has UME = Read-only LDAP
  - CUP 5.3 has UME = Read-only LDAP
  - We want to use CUP to assign portal groups without modifying users file. According to documentations and previous posts on SDN it seems that everyone has write access on the Active Directory servers What if we don't?
  Many thanks for your answers

  Problem was solved implementing patch 2 for GRC 5.3 - SP08
  VIRAE08P_2-20002300.SCA   Patch for VIRAE 530_700 SP08
  The issue mentioned in my above message was described in SAP note 1168508

• Problem with LDAP in BEA Portal

  Problem with LDAP in BEA Portal
  I have a list of 50 user which should be cerated in portal staging(devlopment) machine and should be transfered to
  production machine using LDAP
  Steps which i followed to create Users
  1.Create User Profile with 2 parameters branch and Role
  2.I have list user in the Xls file with Username,password ,branch and Role
  3.Write a java File which will read the Xls File
  4.The users are created in the staging machine for the portal
  Steps which i followed in LDAP to tranfer the created User form Devlopment to Production
  1.Export the created user from Devlopment (which was moved as .DAT in my local directory)
  2.import the user from local direcory to production machine
  The Users are imported in the production machine with username and password but the role and branch values are empty
  We need a solution for importing the user with role and branch corresponding to each user.
  Thanks in Adv
  Suresh

  In Portal 8.1, user name and password in stored in LDAP where as user profile values are stored in database. That is the reason you are not able to see the user profile values.
  Check once again whether you can see these values through admin tool. In case,it is not(after confirmation again),you might have to use APIs to do this for you incase you dont want to manage through Admin Tool.
  Thanks,
  Prashanth Bhat.

• Problem with users in portal - login conflict with LDAP.

  Hi.
  Let me describe our problem:
  We've a EP5 portal with LDAP conected to a central LDAP server, users access with the same user and password to all the different systems.
  The problem happens to users who have theyr passwords expired. We already set to 0 the password expiration days to avoid future problems but that didn't applied to the already expired ones.
  This affected users cannot change the password due to problems with the connection rights to LDAP server.
  We're trying to find the place there it's set that the user is in some kind of "password expired" status, directly in a database table if neccesary, to change the status manually, as system does not allow os to set it by user administration in portal.
  Any suggestions would be appreciated.

  Restoring expired Portal passwords
  Solved