Configuring Non-ADS Data Sources for Kerberos Authentication

Use this topic to modify the UME data source configuration for using non-ADS data stores with Kerberos authentication.

Using Kerberos for Windows Integrated authentication with non-ADS data sources on the J2EE Engine can lead to security vulnerabilities caused by inconsistent user data. The reason is that the source of authentication, the Windows domain controller acting as the KDC, can use a user store that is different from the user repository of the J2EE Engine. For example, Joe in the KDC and Joe in an ABAP user repository used by the J2EE Engine may not be the same physical person, and there may not even be a Joe in the ABAP system. Therefore, we recommend that you either synchronize the user information in the two user stores regularly or use a single user data store.
In this scenario, the UME takes the account ID of the authenticated user, that is, the prefix of the Kerberos principal name before the @ sign, and searches for it in the UME data source. The attribute that holds the user account ID must therefore be unique for each user in the UME data source; if more than one user carries the same value, the lookup is ambiguous and the user cannot be resolved reliably.
Procedure

1. Modify the value of the SPNegoLoginModule property com.sap.spnego.uid.resolution.mode to use the prefixbased user resolution mode. For more information, see Managing Login Modules and Overview of SPNegoLoginModule.

2. Customize the UME data source configuration file. For more information, see Customizing UME Data Source Configuration.
   a. Define the attribute kpnprefix in the responsibleFor section of the UME data source configuration file.
   b. Map the attribute kpnprefix to the physical attribute in the UME data source that corresponds to the user account ID.

   Note: When using the Sun JDK, you also have to map the attribute krb5principalname to the physical attribute that holds the user principal name. This is necessary for acquiring the J2EE Engine service user credentials.

3. Add the user profile attribute krb5principalname to the UME property ume.admin.addattrs. For more information about adding user attributes, see UME Reference → Administration.

4. Create a J2EE Engine service user in the UME data source. For more information, see Creating and Removing Users.
   a. Set the krb5principalname value of the J2EE Engine service user to the KPN used on the KDC, for example HTTP/hades.customer.de@IT.CUSTOMER.DE. For more information, see User Management Administration Console → User Profile.
   b. Enable the No password change required option for the J2EE Engine service user. For more information, see Viewing User Information.
Defining a UME attribute:

<responsibleFor>
  ...
  <principal type="user">
    <nameSpaces>
      <nameSpace name="com.sap.security.core.usermanagement">
        <attributes>
          <attribute name="firstname" populateInitially="true"/>
          ...
          <attribute name="kpnprefix"/>
        </attributes>
      </nameSpace>
    </nameSpaces>
  </principal>
  ...
</responsibleFor>

Mapping a UME attribute:

<attributeMapping>
  <principals>
    <principal type="account">
      <nameSpaces>
        ...
      </nameSpaces>
    </principal>
    <principal type="user">
      <nameSpaces>
        <nameSpace name="com.sap.security.core.usermanagement">
          <attributes>
            <attribute name="firstname">
              <physicalAttribute name="givenname"/>
            </attribute>
            ...
            <attribute name="kpnprefix">
              <physicalAttribute name="uid"/>
            </attribute>
          </attributes>
        </nameSpace>
      </nameSpaces>
    </principal>
  </principals>
</attributeMapping>

The uid attribute in the attribute mapping above is specific to this example. In many directory servers, for example the Sun ONE LDAP server, the uid attribute is used as the logon ID and can be used to uniquely identify a user. Before choosing a physical attribute, verify in the directory that it is in fact unique across all users the data source is responsible for.
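The following is an added example and not code from the SAP documentation or from the UME itself. It models what the prefix-based resolution configured in the procedure above has to do: read the data source configuration to find the physical attribute mapped to kpnprefix, split the authenticated Kerberos principal name into prefix and realm, and then require exactly one matching entry. The XML (in the shape of the two fragments above) and the directory entries are constructed sample data; the duplicated uid "joe" is there on purpose to show the non-unique case the text warns about. The function names are assumptions for this example.

```python
"""Prefix-based Kerberos principal resolution against a UME-style data source.

Added example (not SAP code). Sample configuration and directory entries are
constructed inline so the script runs offline.
"""
import xml.etree.ElementTree as ET

UME_NAMESPACE = "com.sap.security.core.usermanagement"

# Constructed sample: a minimal data source configuration in the shape of the
# responsibleFor and attributeMapping fragments shown on this page.
SAMPLE_CONFIG = """<dataSource id="EXAMPLE_LDAP">
  <responsibleFor>
    <principal type="user">
      <nameSpaces>
        <nameSpace name="com.sap.security.core.usermanagement">
          <attributes>
            <attribute name="firstname" populateInitially="true"/>
            <attribute name="kpnprefix"/>
          </attributes>
        </nameSpace>
      </nameSpaces>
    </principal>
  </responsibleFor>
  <attributeMapping>
    <principals>
      <principal type="user">
        <nameSpaces>
          <nameSpace name="com.sap.security.core.usermanagement">
            <attributes>
              <attribute name="firstname">
                <physicalAttribute name="givenname"/>
              </attribute>
              <attribute name="kpnprefix">
                <physicalAttribute name="uid"/>
              </attribute>
            </attributes>
          </nameSpace>
        </nameSpaces>
      </principal>
    </principals>
  </attributeMapping>
</dataSource>
"""

# Constructed sample directory, as an LDAP search might return it.
# Two entries share uid "joe": this is the ambiguous case to reject.
SAMPLE_DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example", "uid": "alice", "givenname": "Alice"},
    {"dn": "uid=joe,ou=people,dc=example", "uid": "joe", "givenname": "Joe"},
    {"dn": "uid=joe,ou=contractors,dc=example", "uid": "joe", "givenname": "Joseph"},
]


def physical_attribute_for(config_xml, logical_name, principal_type="user"):
    """Return the physical attribute mapped to a logical UME attribute.

    Raises ValueError if the attribute is not declared in responsibleFor
    or is not mapped to exactly one physical attribute (steps 2a and 2b)."""
    root = ET.fromstring(config_xml)
    ns = f"nameSpaces/nameSpace[@name='{UME_NAMESPACE}']/attributes"
    declared = root.findall(
        f"./responsibleFor/principal[@type='{principal_type}']/{ns}"
        f"/attribute[@name='{logical_name}']"
    )
    if not declared:
        raise ValueError(f"{logical_name} is not declared in responsibleFor")
    mapped = root.findall(
        f"./attributeMapping/principals/principal[@type='{principal_type}']/{ns}"
        f"/attribute[@name='{logical_name}']/physicalAttribute"
    )
    if len(mapped) != 1:
        raise ValueError(f"{logical_name} must map to exactly one physical attribute")
    return mapped[0].get("name")


def kpn_prefix(kpn):
    """Split a KPN such as 'joe@IT.CUSTOMER.DE' into ('joe', 'IT.CUSTOMER.DE').

    A service principal like 'HTTP/host@REALM' keeps its slash in the prefix.
    A name without a realm is rejected: the realm identifies the issuing KDC."""
    prefix, sep, realm = kpn.rpartition("@")
    if not sep or not prefix or not realm:
        raise ValueError(f"malformed Kerberos principal name: {kpn!r}")
    return prefix, realm


def resolve_user(kpn, config_xml, directory, expected_realm):
    """Resolve an authenticated KPN to exactly one directory entry, else None.

    Both 'no match' and 'more than one match' return None; the caller must
    fail the logon instead of taking the first hit. Comparison is exact here;
    in a real directory the attribute's matching rule decides case handling."""
    prefix, realm = kpn_prefix(kpn)
    if realm != expected_realm:
        return None  # ticket issued by a realm this engine does not trust
    attr = physical_attribute_for(config_xml, "kpnprefix")
    matches = [entry for entry in directory if entry.get(attr) == prefix]
    if len(matches) != 1:
        return None  # unknown account ID, or non-unique account ID attribute
    return matches[0]


if __name__ == "__main__":
    for name in ("alice@IT.CUSTOMER.DE", "joe@IT.CUSTOMER.DE", "bob@IT.CUSTOMER.DE"):
        hit = resolve_user(name, SAMPLE_CONFIG, SAMPLE_DIRECTORY, "IT.CUSTOMER.DE")
        print(name, "->", hit["dn"] if hit else "logon rejected")
```

The check in physical_attribute_for is the one to run against your own data source file after step 2: a kpnprefix that is mapped but not declared in responsibleFor, or declared but not mapped, is a configuration error that only shows up as a failed logon at runtime.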
See also: Customizing a UME Data Source Configuration