Example: Configuration of Multiple LDAP Data Sources

Denise DeLassandros has user data distributed across several directory services (LDAP directories). Her company's employees are in one directory service, and the company's customers and suppliers are in another directory service. She wants to configure the User Management Engine (UME) to read and write data from more than one directory service. Denise configures the UME to search for user data in both directories.

Caution

The configuration must not allow a user or other principal to be created on two separate data sources. In other words, only one data source can be the home data source for a user or other principal.

Do not use the configuration described here to configure high-availability. For more information about high-availability, see Configuring High Availability of the LDAP Data Source .

The following restrictions apply:

  • Users' logon IDs must be unique across all directory services.
  • The groups to which a user belongs must be in the same directory service as the user or in the database of the SAP NetWeaver Application Server (AS) Java.

For each directory service, Denise must create a separate data source entry in the data source configuration file.

In the private section of each data source, she defines the following properties:

  • ume.ldap.access.server_type
  • ume.ldap.access.server_name
  • ume.ldap.access.server_port
  • ume.ldap.access.user
  • ume.ldap.access.password
  • ume.ldap.access.base_path.user
  • ume.ldap.access.base_path.grup

To prevent passwords from appearing in the data source configuration file in plain text, Denise must enter, in place of the password, a reference to the UME property that holds the password for the target directory service. The UME supports up to five directory services, using the following properties:

  • ume.ldap.access.additional_password.1
  • ume.ldap.access.additional_password.2
  • ume.ldap.access.additional_password.3
  • ume.ldap.access.additional_password.4
  • ume.ldap.access.additional_password.5

Denise enters the passwords for the directory services in the UME properties, and in the data source configuration file she adds a reference to the UME property containing the password under ume.ldap.access.password .

Tip

For example, Denise enters a password for the second directory service data source in the UME property ume.ldap.access.additional_password.2 . In the data source configuration file, in the private section for that directory service data source, she enters a reference to the property as follows:

<ume.ldap.access.password>$ume.ldap.access.additional_password.2</ume.ldap.access.password>

Always precede the UME property name with a dollar sign ($).

Example
<dataSources>
    …
    <dataSource id="CORP_LDAP2"
            className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
            isReadonly="true"
            isPrimary="true">
        …
        <privateSection>
            …
            <ume.ldap.access.server_type>NOVELL</ume.ldap.access.server_type>
            <ume.ldap.access.server_name>p11111</ume.ldap.access.server_name>
            <ume.ldap.access.server_port>390</ume.ldap.access.server_port>
            <ume.ldap.access.ssl>false</ume.ldap.access.ssl>
            <ume.ldap.access.user>cn=admin,o=ume</ume.ldap.access.user>
            <ume.ldap.access.password>$ume.ldap.access.additional_password.1</ume.ldap.access.password>
            <ume.ldap.access.base_path.user>o=ume</ume.ldap.access.base_path.user>
            <ume.ldap.access.base_path.grup>o=ume</ume.ldap.access.base_path.grup>
        </privateSection>
    </dataSource>

    <dataSource id="CORP_LDAP"
            className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
            isReadonly="true"
            isPrimary="true">
        …
        <privateSection>
            …
            <ume.ldap.access.server_type>SUN</ume.ldap.access.server_type>
            <ume.ldap.access.server_name>p22222</ume.ldap.access.server_name>
            <ume.ldap.access.server_port>400</ume.ldap.access.server_port>
            <ume.ldap.access.ssl>false</ume.ldap.access.ssl>
            <ume.ldap.access.user>cn=Directory Manager</ume.ldap.access.user>
            <ume.ldap.access.password>$ume.ldap.access.additional_password.2</ume.ldap.access.password>
            <ume.ldap.access.base_path.user>dc=ume.wdf.sap.corp</ume.ldap.access.base_path.user>
            <ume.ldap.access.base_path.grup>dc=ume.wdf.sap.corp</ume.ldap.access.base_path.grup>
        </privateSection>
    </dataSource>
</dataSources>
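The following script is an added example, not part of SAP's documentation or the UME product: it is a review check a practitioner can run over a data source configuration file before deploying it. It parses the file with Python's standard xml.etree, and for every dataSource that uses the LDAPPersistence class it verifies that the seven properties listed above are present in the private section and that ume.ldap.access.password is a $ume.ldap.access.additional_password.N reference with N between 1 and 5, rather than a literal secret. The embedded sample configuration is constructed (placeholder host names and DNs), and its second data source is deliberately misconfigured so the check has something to report. Treating reuse of the same additional_password slot by two data sources as a finding is this script's own assumption, drawn from the page's "up to five directory services".

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the example above. Host names, DNs and ids are
# placeholders; CORP_LDAP is intentionally wrong (plaintext password, missing
# group base path) so that the checker produces findings.
SAMPLE_CONFIG = """<dataSources>
  <dataSource id="CORP_LDAP2"
      className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
      isReadonly="true" isPrimary="true">
    <privateSection>
      <ume.ldap.access.server_type>NOVELL</ume.ldap.access.server_type>
      <ume.ldap.access.server_name>ldap-a.example.invalid</ume.ldap.access.server_name>
      <ume.ldap.access.server_port>390</ume.ldap.access.server_port>
      <ume.ldap.access.user>cn=admin,o=ume</ume.ldap.access.user>
      <ume.ldap.access.password>$ume.ldap.access.additional_password.1</ume.ldap.access.password>
      <ume.ldap.access.base_path.user>o=ume</ume.ldap.access.base_path.user>
      <ume.ldap.access.base_path.grup>o=ume</ume.ldap.access.base_path.grup>
    </privateSection>
  </dataSource>
  <dataSource id="CORP_LDAP"
      className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
      isReadonly="true" isPrimary="true">
    <privateSection>
      <ume.ldap.access.server_type>SUN</ume.ldap.access.server_type>
      <ume.ldap.access.server_name>ldap-b.example.invalid</ume.ldap.access.server_name>
      <ume.ldap.access.server_port>400</ume.ldap.access.server_port>
      <ume.ldap.access.user>cn=Directory Manager</ume.ldap.access.user>
      <ume.ldap.access.password>Secret123</ume.ldap.access.password>
      <ume.ldap.access.base_path.user>dc=example,dc=invalid</ume.ldap.access.base_path.user>
    </privateSection>
  </dataSource>
</dataSources>
"""

LDAP_CLASS = "com.sap.security.core.persistence.datasource.imp.LDAPPersistence"

# The properties the page requires in each LDAP data source's private section.
REQUIRED_PROPERTIES = (
    "ume.ldap.access.server_type",
    "ume.ldap.access.server_name",
    "ume.ldap.access.server_port",
    "ume.ldap.access.user",
    "ume.ldap.access.password",
    "ume.ldap.access.base_path.user",
    "ume.ldap.access.base_path.grup",
)

# Only a reference to one of the five additional_password properties is acceptable.
PASSWORD_REF = re.compile(r"^\$ume\.ldap\.access\.additional_password\.([1-5])$")


def check_data_sources(xml_text):
    """Return {dataSource id: [finding, ...]} for every LDAP data source in the file."""
    root = ET.fromstring(xml_text)
    findings = {}
    slots_in_use = {}  # additional_password slot -> data source id (assumption: one per directory)
    for ds in root.iter("dataSource"):
        if ds.get("className") != LDAP_CLASS:
            continue  # the rules on this page apply to LDAP persistence adapters only
        ds_id = ds.get("id", "<no id>")
        problems = []
        private = ds.find("privateSection")
        props = {} if private is None else {c.tag: (c.text or "").strip() for c in private}

        for name in REQUIRED_PROPERTIES:
            if name not in props:
                problems.append(f"missing required property {name}")

        pwd = props.get("ume.ldap.access.password")
        if pwd is not None:
            match = PASSWORD_REF.match(pwd)
            if match is None:
                problems.append(
                    "ume.ldap.access.password is not a $ume.ldap.access.additional_password.N "
                    "reference (secret would be stored in plain text)"
                )
            else:
                slot = int(match.group(1))
                if slot in slots_in_use:
                    problems.append(
                        f"additional_password.{slot} is already used by {slots_in_use[slot]}"
                    )
                slots_in_use[slot] = ds_id
        findings[ds_id] = problems
    return findings


if __name__ == "__main__":
    for ds_id, problems in check_data_sources(SAMPLE_CONFIG).items():
        print(f"{ds_id}: {'OK' if not problems else 'FINDINGS'}")
        for problem in problems:
            print(f"  - {problem}")
```

To check a real file, replace SAMPLE_CONFIG with the contents of the data source configuration file exported from the system; the check is read-only and does not contact any directory service.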