
Background Documentation: LDAP Directory as Data Source

Purpose

The user management engine (UME) can use an LDAP directory as its data source for user management data. You can connect the LDAP directory as a read-only data source or as a writeable data source.

For more information about how to configure the UME to use an LDAP directory as data source, see Configuring the UME to use an LDAP Directory as Data Source.

For more information about using an LDAP directory as a data source, see also SAP Note 673824.

Prerequisites

·        You have installed SAP NetWeaver Application Server (AS) Java so that the UME is configured to use the database of the AS Java as data source.

For more information, see Selecting the UME Data Source.

·        The LDAP directory has a hierarchy of users and groups that is supported by the UME. The hierarchies supported by the UME are:

   -     Groups as tree

   -     Flat hierarchy

For more information, see Organization of Users and Groups in LDAP Directory.

·        The administrator of the LDAP directory must create a user that the UME can use to connect to the LDAP server. This user should have read and search permissions for all branches of the LDAP directory. If the UME needs to write to the LDAP directory, the user must have create and change authorizations.

Constraints

·        The Distinguished Names (DNs) of user and group objects must not be longer than 240 characters.

·        The UME maintains the default groups Everyone, Authenticated Users, and Anonymous Users internally. If you create groups with these names with the native user interface of your LDAP directory, you must block the UME from reading them from the LDAP directory; otherwise the name is ambiguous. To block a group name in an LDAP directory, set Unique Names of Blocked Groups when you configure the UME to use the LDAP directory as data source.

·        Similarly, if you create user accounts with the same user ID as the service users used internally, you must block the UME from reading them from the LDAP directory. Service user IDs adhere to the naming convention <application_name>_service. To block a user account ID in an LDAP directory, set Unique Names of Blocked Users when you configure the UME to use the LDAP directory as data source.

·        If you configure your data source connection to use Secure Socket Layer (SSL), the UME cannot add any users to the built-in group Anonymous Users from the LDAP directory. These users must be in either the local database of the AS Java or an LDAP directory unprotected by SSL. The UME must be able to add the default guest user to the Anonymous Users group during startup or the AS Java cannot start.

·        If user management is set up with write access to an LDAP directory, the following restriction applies: When assigning members to a group that is stored in the LDAP directory, you can only assign users or groups that are also stored in the LDAP directory. You cannot assign users or groups from the database to groups from the LDAP directory.

You can, however, assign users and groups stored in the LDAP directory to a group in the database.

·        You cannot search for users with locked passwords. Searching for users with locked passwords returns no results.

·        If you are using an LDAP directory with a deep hierarchy, you cannot assign users or groups as members of another group using the UME user administration tools.

·        You cannot assign UME groups to LDAP groups.
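The DN length limit and the two blocking settings above are easy to overlook until the UME reports ambiguous names at runtime. The following script is an added example (it is not SAP code and not part of this documentation): it reads a small LDIF export, flags DNs longer than 240 characters, and lists the groups and user accounts whose names collide with the UME default groups or with the <application_name>_service convention, so that an administrator can enter them under Unique Names of Blocked Groups and Unique Names of Blocked Users before switching the data source. The LDIF sample is constructed, and the attribute and object class names it uses (inetOrgPerson, groupOfNames, uid, cn) are assumptions; the value format the UME expects for the blocking settings is described in the configuration topic, not here.

```python
"""Pre-flight check of an LDAP export against the UME constraints listed above.

Added example, not SAP code. It parses a constructed LDIF export and reports:
  - DNs longer than 240 characters (UME limit for user and group objects),
  - groups named like the UME default groups (candidates for
    "Unique Names of Blocked Groups"),
  - user accounts named like UME service users, <application_name>_service
    (candidates for "Unique Names of Blocked Users").
Schema assumptions: users are inetOrgPerson entries with a uid attribute,
groups are groupOfNames entries with a cn attribute.
"""
import re

MAX_DN_LENGTH = 240  # limit stated in the Constraints section
UME_DEFAULT_GROUPS = {"Everyone", "Authenticated Users", "Anonymous Users"}
SERVICE_USER_PATTERN = re.compile(r"^[A-Za-z0-9]+_service$")  # <application_name>_service

# Constructed sample export (not real directory data).
BASE_LDIF = """\
dn: cn=alice,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: alice

dn: cn=portal_service,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: portal_service
cn: portal_service

dn: cn=Everyone,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Everyone
member: cn=alice,ou=users,dc=example,dc=com

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: cn=alice,ou=users,dc=example,dc=com
"""

# One deliberately over-long DN (cn of 240 characters plus the suffix) to exercise the length check.
LONG_CN = "x" * 240
LONG_DN_ENTRY = (
    f"dn: cn={LONG_CN},ou=users,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "uid: longname\n"
    f"cn: {LONG_CN}\n"
)

SAMPLE_LDIF = BASE_LDIF + "\n" + LONG_DN_ENTRY


def parse_ldif(text):
    """Split a simple LDIF text into entries: one dict per entry, attribute -> list of values.

    Handles only unfolded, unencoded attribute lines, which is enough for a
    pre-flight check; base64 (::) values and line folding are not supported.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # LDIF comment
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_entries(entries):
    """Apply the three UME constraints and return the DNs that violate each one."""
    report = {"too_long_dn": [], "blocked_groups": [], "blocked_users": []}
    for entry in entries:
        dn = entry["dn"][0]
        classes = set(entry.get("objectClass", []))
        if len(dn) > MAX_DN_LENGTH:
            report["too_long_dn"].append(dn)
        if "groupOfNames" in classes and entry.get("cn", [""])[0] in UME_DEFAULT_GROUPS:
            report["blocked_groups"].append(dn)
        if "inetOrgPerson" in classes and SERVICE_USER_PATTERN.match(entry.get("uid", [""])[0]):
            report["blocked_users"].append(dn)
    return report


if __name__ == "__main__":
    result = check_entries(parse_ldif(SAMPLE_LDIF))
    for finding, dns in result.items():
        print(f"{finding}: {len(dns)}")
        for dn in dns:
            print(f"  {dn[:80]}{'...' if len(dn) > 80 else ''}")
```

Run it against a real export by replacing SAMPLE_LDIF with the contents of an ldapsearch or vendor export; entries that appear under blocked_groups or blocked_users are the ones to enter in the corresponding UME setting, and entries under too_long_dn must be renamed or moved in the directory, since the UME cannot handle them at all.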

Available Data Source Configuration Files

Choose from the following options:

Note

Data source configuration files for certified LDAP directory vendors are delivered with the AS Java or are available from SAP Note 983808. For more information about accessing the data source configuration files, see Customizing a UME Data Source Configuration. For recently certified LDAP directories, contact the LDAP directory vendor directly. SAP has set up a program to certify LDAP directory solutions for use with UME. For a list of certified LDAP vendors, visit the SAP Service Marketplace at service.sap.com/securitypartners → Partners for directory services (Interface to LDAP enabled directories).

Option 1: User management data is stored in a combination of an LDAP server and a database

Description:

The following data is written to and read from the LDAP server:

·        Users (displayname, lastname, fax, email, title, department, description, mobile, telephone, streetaddress, uniquename, group membership, and any other attributes defined through attribute mapping)

·        User accounts (logonid, password, ID of the assigned user)

·        Groups (displayname, description, uniquename, and the group members)

The following data is written to and read from the database:

·        Additional data (for example, information about when a user was last changed)

·        Other principal types (for example, roles)

·        Additional attributes (for example, attributes not covered by the standard object classes of the LDAP directory)

Use case: You have a mixed system landscape including both SAP and non-SAP systems, or you have an existing corporate LDAP directory in your system landscape. You want to store standard user data such as name, address, email, and so on in the directory while you want to store application-specific data in the database.

Configuration file:

·        If the LDAP directory has a flat hierarchy:

dataSourceConfiguration_<LDAP_directory_vendor>_not_readonly_db.xml

·        If the LDAP directory has a deep hierarchy:

dataSourceConfiguration_<LDAP_directory_vendor>_deep_not_readonly_db.xml

Option 2: User management data is stored in a combination of a read-only LDAP server and a database

Description: You cannot create, modify, or delete users or groups in the LDAP directory. All newly created principals and additional data are stored in the database.

Use case: You have an existing corporate LDAP directory in your system landscape and have existing processes for administering user data on this directory. You are using the UME with SAP NetWeaver Portal and want all users that register themselves in the portal to be stored separately from the user data on the corporate directory.

Configuration file:

·        If the LDAP directory has a flat hierarchy:

dataSourceConfiguration_<LDAP_directory_vendor>_readonly_db.xml

·        If the LDAP directory has a deep hierarchy:

dataSourceConfiguration_<LDAP_directory_vendor>_deep_readonly_db.xml
