
Configuring ADS Data Source for Kerberos Authentication

Use

The configuration steps for the ADS data source of the UME vary depending on the user resolution mode that the UME uses to resolve the user account in ADS.

The steps below cover the case of a single ADS data source. When the UME uses multiple ADS data sources, you must apply the configuration changes described in this topic to every ADS data source configured in the UME. If the data sources are not mutually trusted within a directory forest, you can create a separate Kerberos configuration for each data source and use a separate logon URL for each ADS domain. For more information, see Configuring UME to Use an LDAP Server as Data Source.

Procedure

       1.      Set the SPNegoLoginModule property com.sap.spnego.uid.resolution.mode to the user resolution mode you are using. For the possible values, see the table below:

Value

Comment

none

For this mode, the User Principal Name (UPN) attribute in ADS is identical to the Kerberos Principal Name (KPN). You can use this mode if you did not configure an alternative UPN suffix in ADS.

simple

This is the default mode. Use it when the KPN is stored in an ADS attribute other than the UPN.

prefixbased

For this mode, the UME searches for the user based on the KPN prefix (the part before the @).

The algorithm works as follows:

       1.      Kerberos authentication yields a KPN, for example johndoe@IT.CUSTOMER.DE.

       2.      SPNegoLoginModule splits the KPN into the parts johndoe and IT.CUSTOMER.DE and searches the UME for a user with uniquename=johndoe. If the search result is unique, it is returned to the UME as the logon ID.

       3.      If the result is not unique, SPNegoLoginModule uses the distinguishedName attribute of the users found to exclude those that are not in the domain IT.CUSTOMER.DE.

       2.      Customize the UME data source configuration file as shown in the table below. For more information, see Customizing UME Data Source Configuration.

User Resolution Mode

Procedure

none

No customization is necessary.

simple

                             a.      Define a UME attribute krb5principalname in the responsibleFor section of the UME data source configuration file.

                             b.      Map the attribute krb5principalname to the physical attribute userprincipalname in the UME data source configuration file.

prefixbased

                             a.      Define the attributes kpnprefix, krb5principalname, and dn in the responsibleFor section of the UME data source configuration file.

                             b.      Map the attributes kpnprefix, krb5principalname, and dn to the physical attributes samaccountname, userprincipalname, and distinguishedname, respectively, in the UME data source configuration file.

Note

When using the Sun JDK, you must map krb5principalname to the physical attribute userprincipalname. This is necessary for the acquisition of the J2EE Engine service user's credentials.
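To make the resolution modes concrete, here is an added example in Python (not part of SAP's documentation or of the SPNegoLoginModule code) that replays the three-step prefixbased algorithm above against a small constructed directory, next to the exact-match lookup that the none and simple modes amount to. The AdsUser class, the resolve functions and the sample users are assumptions made for this illustration; the real module performs its searches through the UME against ADS.

```python
"""Model of the SPNegoLoginModule user resolution modes.

Added example, not SAP code: it replays the three-step prefixbased
algorithm from the procedure above (and the exact-match lookup of the
none and simple modes) against a constructed in-memory directory. The
class and function names and the sample users are assumptions made for
illustration; the real module queries ADS through the UME.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AdsUser:
    """The ADS attributes that the procedure maps for prefixbased mode."""
    samaccountname: str      # UME attribute kpnprefix (the uniquename searched)
    userprincipalname: str   # UME attribute krb5principalname
    distinguishedname: str   # UME attribute dn


# Constructed sample directory: sAMAccountName johndoe exists in two domains.
DIRECTORY = [
    AdsUser("johndoe", "johndoe@it.customer.de",
            "CN=John Doe,OU=Users,DC=it,DC=customer,DC=de"),
    AdsUser("johndoe", "johndoe@sales.customer.de",
            "CN=Jon Doe,OU=Users,DC=sales,DC=customer,DC=de"),
    AdsUser("asmith", "asmith@it.customer.de",
            "CN=Smith\\, Anna,OU=Users,DC=it,DC=customer,DC=de"),
]

# Matches each DC=value component of a DN. Only DC values are read, so an
# escaped comma inside a CN (RFC 4514) does not disturb the result.
_DC_RE = re.compile(r"(?i)(?:^|,)\s*dc=([^,]+)")


def dn_domain(dn):
    """Return the DNS domain spelled by the DN's DC components, lower-cased."""
    return ".".join(v.strip().lower() for v in _DC_RE.findall(dn))


def resolve_exact(kpn, directory, attribute="userprincipalname"):
    """Modes none and simple: exactly one user must carry the KPN as the value
    of `attribute` (the UPN for none; whatever krb5principalname is mapped
    to for simple). ADS compares these values case-insensitively."""
    hits = [u for u in directory if getattr(u, attribute).lower() == kpn.lower()]
    if len(hits) != 1:
        raise LookupError("%d users with %s=%s" % (len(hits), attribute, kpn))
    return hits[0]


def resolve_prefixbased(kpn, directory):
    """Steps 1 to 3 of the prefixbased algorithm; returns the resolved user."""
    if "@" not in kpn:                                  # step 1 yields the KPN
        raise ValueError("KPN must have the form prefix@REALM, got %r" % kpn)
    prefix, realm = kpn.rsplit("@", 1)                  # step 2: split the KPN
    # step 2: search for uniquename = prefix
    candidates = [u for u in directory
                  if u.samaccountname.lower() == prefix.lower()]
    if len(candidates) == 1:
        return candidates[0]
    if not candidates:
        raise LookupError("no user with uniquename=%s" % prefix)
    # step 3: more than one hit, so keep only users whose DN is in the realm
    in_realm = [u for u in candidates
                if dn_domain(u.distinguishedname) == realm.lower()]
    if len(in_realm) != 1:
        raise LookupError("prefix %s is ambiguous in realm %s (%d users)"
                          % (prefix, realm, len(in_realm)))
    return in_realm[0]


def resolve(kpn, directory, mode="simple"):
    """Dispatch on the value of com.sap.spnego.uid.resolution.mode."""
    if mode in ("none", "simple"):
        return resolve_exact(kpn, directory)
    if mode == "prefixbased":
        return resolve_prefixbased(kpn, directory)
    raise ValueError("unknown resolution mode %r" % mode)


if __name__ == "__main__":
    for mode, kpn in [("none", "johndoe@IT.CUSTOMER.DE"),
                      ("prefixbased", "johndoe@IT.CUSTOMER.DE"),
                      ("prefixbased", "johndoe@SALES.CUSTOMER.DE")]:
        print(mode, kpn, "->", resolve(kpn, DIRECTORY, mode).distinguishedname)
```

Note what the algorithm as described implies: the domain filter of step 3 is applied only when the uniquename search is ambiguous. In the sample, asmith@SALES.CUSTOMER.DE resolves to the asmith account in the IT domain because that prefix is unique, so the realm in the KPN does not have to match the user's domain. If your forest contains accounts with the same sAMAccountName in different domains, test exactly that case before enabling the mode.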

Example

Defining attributes in the responsibleFor section of the UME data source configuration file:

     <responsibleFor>
        ...
        <principal type="user">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <attribute name="firstname" populateInitially="true"/>
                ...
                <attribute name="kpnprefix"/>
                <attribute name="krb5principalname"/>
                <attribute name="dn"/>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
        ...
     </responsibleFor>

Mapping the already defined attributes to physical attributes:

    <attributeMapping>
      <principals>
        <principal type="account">
          <nameSpaces>
            ...
          </nameSpaces>
        </principal>
        <principal type="user">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <attribute name="firstname">
                  <physicalAttribute name="givenname"/>
                </attribute>
                ...
                <attribute name="kpnprefix">
                  <physicalAttribute name="samaccountname"/>
                </attribute>
                <attribute name="krb5principalname">
                  <physicalAttribute name="userprincipalname"/>
                </attribute>
                <attribute name="dn">
                  <physicalAttribute name="distinguishedname"/>
                </attribute>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
      </principals>
    </attributeMapping>
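As an added check (not part of the SAP documentation or software), the following Python script parses a data source configuration file in the shape shown above and reports which attributes required for the chosen resolution mode are missing from responsibleFor, have no physicalAttribute mapping, or are mapped to a different physical attribute than the procedure calls for. It also reports a file that is not well-formed XML, which is what you get when, for example, an opening nameSpace tag is closed with a differently cased namespace tag, since XML tag names are case-sensitive. The enclosing dataSource element, the function name check_config and the embedded sample file are assumptions made for this illustration.

```python
"""Check a UME data source configuration file for the attributes that a
given SPNego user resolution mode requires.

Added example, not part of the SAP documentation or software. It assumes
the layout shown on this page (responsibleFor and attributeMapping sections
holding a principal of type "user" in the com.sap.security.core.usermanagement
name space); the enclosing <dataSource> wrapper, the helper names and the
embedded sample file are constructed for illustration.
"""
import xml.etree.ElementTree as ET

UME_NS = "com.sap.security.core.usermanagement"
ATTR_PATH = (".//principal[@type='user']/nameSpaces/nameSpace[@name='%s']"
             "/attributes/attribute" % UME_NS)

# Logical UME attribute -> physical ADS attribute required per mode
# (None: any physical attribute is acceptable, subject to the Sun JDK note).
REQUIRED = {
    "none": {},
    "simple": {"krb5principalname": None},
    "prefixbased": {"kpnprefix": "samaccountname",
                    "krb5principalname": "userprincipalname",
                    "dn": "distinguishedname"},
}


def check_config(xml_text, mode, sun_jdk=True):
    """Return a list of problems; an empty list means the file fits `mode`."""
    if mode not in REQUIRED:
        raise ValueError("unknown user resolution mode %r" % mode)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. <nameSpace> closed by </namespace>
        return ["not well-formed XML: %s" % exc]
    resp = next(root.iter("responsibleFor"), None)
    mapping = next(root.iter("attributeMapping"), None)
    if resp is None or mapping is None:
        return ["missing responsibleFor or attributeMapping section"]
    declared = {a.get("name") for a in resp.findall(ATTR_PATH)}
    mapped = {}
    for a in mapping.findall(ATTR_PATH):
        phys = a.find("physicalAttribute")
        if phys is not None:
            mapped[a.get("name")] = (phys.get("name") or "").lower()
    problems = []
    for logical, physical in REQUIRED[mode].items():
        if logical not in declared:
            problems.append("%s: not declared in responsibleFor" % logical)
        if logical not in mapped:
            problems.append("%s: no physicalAttribute mapping" % logical)
        elif physical and mapped[logical] != physical:
            problems.append("%s: mapped to %s, expected %s"
                            % (logical, mapped[logical], physical))
    # Note on this page: with the Sun JDK, krb5principalname must map to
    # userprincipalname. For prefixbased the loop above already enforces it.
    if (sun_jdk and mode == "simple"
            and mapped.get("krb5principalname") not in (None, "userprincipalname")):
        problems.append("krb5principalname: Sun JDK requires mapping to userprincipalname")
    return problems


# Constructed sample in the shape of the Example section of this page.
SAMPLE = """\
<dataSource id="CORP_ADS">
  <responsibleFor>
    <principal type="user">
      <nameSpaces>
        <nameSpace name="com.sap.security.core.usermanagement">
          <attributes>
            <attribute name="firstname" populateInitially="true"/>
            <attribute name="kpnprefix"/>
            <attribute name="krb5principalname"/>
            <attribute name="dn"/>
          </attributes>
        </nameSpace>
      </nameSpaces>
    </principal>
  </responsibleFor>
  <attributeMapping>
    <principals>
      <principal type="user">
        <nameSpaces>
          <nameSpace name="com.sap.security.core.usermanagement">
            <attributes>
              <attribute name="firstname"><physicalAttribute name="givenname"/></attribute>
              <attribute name="kpnprefix"><physicalAttribute name="samaccountname"/></attribute>
              <attribute name="krb5principalname"><physicalAttribute name="userprincipalname"/></attribute>
              <attribute name="dn"><physicalAttribute name="distinguishedname"/></attribute>
            </attributes>
          </nameSpace>
        </nameSpaces>
      </principal>
    </principals>
  </attributeMapping>
</dataSource>
"""

if __name__ == "__main__":
    print(check_config(SAMPLE, "prefixbased"))
    print(check_config(SAMPLE.replace('<attribute name="dn"/>', ""), "prefixbased"))
```

Run it against the real configuration file you intend to upload rather than the sample: the check reads only the user principal in the UME name space, so it does not replace a full validation of the file, but it catches the three mistakes that leave SPNego logon failing with a user-not-found error in this mode.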

 

 
