Background documentation: LDAP Directory as Data Source

Purpose

User Management Engine (UME) can use an LDAP directory as its data source for user management data. The LDAP directory can either be connected as a read-only data source or as a writeable data source.

For more information on using an LDAP directory as a data source, see also SAP Note 673824.

Prerequisites

     The LDAP directory has a hierarchy of users and groups that is supported by UME. The hierarchies supported by UME are:

     Groups as tree

     Flat hierarchy

For more information, see Organization of Users and Groups in LDAP Directory.

     The administrator of the LDAP directory must create a user that UME can use to connect to the LDAP server. This user should have read and search permissions for all branches of the LDAP directory. If UME also needs to write to the LDAP directory, the user must additionally have create and change authorizations.

Constraints

     The Distinguished Names (DNs) of user and group objects must not be longer than 240 characters.

     You should not create groups with the names of the default groups, that is Everyone, Authenticated Users, and Anonymous Users. If you create a group with one of these names through the native user interface of your LDAP directory, you will not get an error message, and your user management will no longer function correctly. If you try to create a group with one of these names through the user management administration console, you will get an error message.

     Similarly, you should not create users with the same user ID as one of the service users used internally. The service users adhere to the naming convention XXX_service, where XXX is the name of the corresponding application. Again, if you use the native user interface of your LDAP directory, you will not get a message, and your user management will no longer function correctly.

     If user management is set up with write access to an LDAP directory, the following restriction applies: When assigning members to a group that is stored in the LDAP directory, you can only assign users or groups that are also stored in the LDAP directory. You cannot assign users or groups from the database to groups from the LDAP directory. 

You can, however, assign users and groups stored in the LDAP directory to a group in the database.

     If you are using an LDAP directory with a deep hierarchy, you cannot assign users or groups as members of another group using the UME user administration tools.

Even if you use the native tools of the LDAP directory, you should not move users or groups to a different location in the directory. This is because the unique ID that the UME uses to uniquely identify the user or group contains the Distinguished Name of the user or group. If the user or group is moved to a different location in the LDAP directory, the Distinguished Name changes and, as a result, the unique ID changes as well. Any information about roles that were assigned to the user or group is lost. For more information, see SAP Note 777640.
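As an added illustration (not part of the SAP documentation), the following Python script checks an LDIF export of the directory against the constraints above before the directory is connected to UME: Distinguished Names longer than 240 characters, group names that collide with the default groups Everyone, Authenticated Users and Anonymous Users, and user IDs that follow the XXX_service convention. The minimal LDIF parser, the attribute names (cn, uid, sAMAccountName) and object classes used to tell users from groups, and the sample entries are all assumptions made for this example.

```python
"""Pre-flight check of an LDIF export against the UME constraints.

Added example, not SAP code. The parser, the attribute and object-class
names, and the sample LDIF below are constructed for illustration.
"""
import base64
import re

# Constraints as stated in the documentation
MAX_DN_LENGTH = 240
RESERVED_GROUP_NAMES = {"everyone", "authenticated users", "anonymous users"}
SERVICE_USER_PATTERN = re.compile(r"^.+_service$", re.IGNORECASE)

# Assumptions (not from the documentation): which attributes carry the
# group name and the logon ID, and which object classes mark groups/users.
GROUP_NAME_ATTRS = ("cn",)
USER_ID_ATTRS = ("uid", "samaccountname")
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "group"}
USER_CLASSES = {"inetorgperson", "person", "user"}

_ATTR_LINE = re.compile(r"^([^:]+)(::?)\s*(.*)$")


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles folded continuation lines (leading space), base64 values
    ('attr:: ...'), comments and the optional 'version:' line. Attribute
    names are lower-cased so lookups are case-insensitive.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical + [""]:             # trailing "" flushes last entry
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.group(1).strip().lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current = current if current is not None else {}
        current.setdefault(name, []).append(value)
    return entries


def check_entries(entries):
    """Return a list of (dn, problem) tuples for entries violating a constraint."""
    findings = []
    for e in entries:
        dn = e.get("dn", [""])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if len(dn) > MAX_DN_LENGTH:
            findings.append((dn, f"DN length {len(dn)} exceeds {MAX_DN_LENGTH}"))
        if classes & GROUP_CLASSES:
            for attr in GROUP_NAME_ATTRS:
                for name in e.get(attr, []):
                    if name.lower() in RESERVED_GROUP_NAMES:
                        findings.append((dn, f"group name '{name}' collides with a UME default group"))
        if classes & USER_CLASSES:
            for attr in USER_ID_ATTRS:
                for uid in e.get(attr, []):
                    if SERVICE_USER_PATTERN.match(uid):
                        findings.append((dn, f"user ID '{uid}' matches the XXX_service naming convention"))
    return findings


def check_ldif(text):
    """Convenience wrapper: parse and check in one call."""
    return check_entries(parse_ldif(text))


# Constructed sample export: one clean user, one reserved group name,
# one user ID in service-user form, and one over-long DN.
LONG_UID = "u" * 250
SAMPLE_LDIF = f"""\
version: 1
dn: uid=jdoe,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe

dn: cn=Everyone,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Everyone
member: uid=jdoe,ou=users,dc=example,dc=com

dn: uid=portal_service,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: portal_service
cn:: UG9ydGFsIFNlcnZpY2U=

dn: uid={LONG_UID},ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: {LONG_UID}
cn: Long
"""

if __name__ == "__main__":
    for dn, problem in check_ldif(SAMPLE_LDIF):
        print(f"{problem}\n    at {dn[:60]}{'...' if len(dn) > 60 else ''}")
```

Run the script against a real export (for example from ldapsearch -LLL) by passing its contents to check_ldif; the check is read-only and catches the two conditions the documentation says the directory's own tools will accept silently, before they break user management.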

Available Data Source Configuration Files

Choose from the following options:

Note

Data source configuration files for certified LDAP vendors are delivered with the AS for Java. To find the configuration file, use the Config Tool. For more information, see Editing UME Configuration Files. For recently certified LDAP directories, contact the LDAP directory vendor directly. For a list of certified LDAP vendors, visit the SAP Service Marketplace at service.sap.com/securitypartners → Partners for directory services (Interface to LDAP enabled directories).

Option 1: User management data is stored in a combination of an LDAP server and a database

Description:

The following data is written to and read from the LDAP server:

     Users (displayname, lastname, fax, email, title, department, description, mobile, telephone, streetaddress, uniquename, and group membership – and any other attributes defined through attribute mapping)

     User accounts (logonid, password, ID of the assigned user)

     Groups (displayname, description, uniquename, and the group members)

The following data is written to and read from the database:

     Additional data (for example, information about when a user was last changed)

     Other principal types (for example, roles)

     Additional attributes (for example, attributes not covered by the standard object classes of the LDAP server)

Use case: You have a mixed system landscape including both SAP and non-SAP systems, or you have an existing corporate LDAP directory in your system landscape. You wish to store standard user data such as name, address, email address, and so on in the directory while you wish to store application-specific data in the database.

Configuration file:

     If the LDAP directory has a flat hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_not_readonly_db.xml

     If the LDAP directory has a deep hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_deep_not_readonly_db.xml

Option 2: User management data is stored in a combination of a read-only LDAP server and a database

Description: You cannot create, modify, or delete users or groups in the LDAP server. All newly created principals and additional data are stored in the database.

Use case: You have an existing corporate LDAP directory in your system landscape and have existing processes for administering user data on this directory. You are using UME with SAP Enterprise Portal and want all users that register themselves in the portal to be stored separately from the user data on the corporate directory.

Configuration file:

     If the LDAP directory has a flat hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_readonly_db.xml

     If the LDAP directory has a deep hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_deep_readonly_db.xml

Note

You can find most of the configuration files using the Config Tool as described in Editing UME Configuration Files. For LDAP directories that have only recently been certified, you can get the configuration files from the LDAP directory vendor directly.
