
LDAP Directory as Data Source

Purpose

User Management Engine (UME) can use an LDAP directory as its data source for user management data. The LDAP directory can either be connected as a read-only data source or as a writeable data source.

For more information on using an LDAP directory as a data source, see also SAP Note 673824.

Prerequisites

     The LDAP directory has a hierarchy of users and groups that is supported by UME. The hierarchies supported by UME are:

     Groups as tree

     Flat hierarchy

For more information, see Organization of Users and Groups in LDAP Directory.

     The administrator of the LDAP directory must create a user that UME can use to connect to the LDAP server. This user should have read and search permissions for all branches of the LDAP directory. If UME also needs to write to the LDAP directory, the user must additionally have create and change authorizations.

Constraints

     The Distinguished Names (DNs) of user and group objects must not be longer than 240 characters.

     The UME internally maintains the default groups Everyone, Authenticated Users, and Anonymous Users. If you create groups with these names using the native user interface of your LDAP directory, you must block the UME from reading them from the LDAP directory; otherwise the group name is ambiguous. To block a group name in LDAP, use the UME property ume.ldap.blocked_groups.

     Similarly, if you create user accounts with the same user ID as the service users used internally, you must block the UME from reading them from the LDAP directory. Service user IDs adhere to the naming convention <application_name>_service. To block the user account ID in LDAP, use the UME properties ume.ldap.blocked_accounts and ume.ldap.blocked_users.

     If user management is set up with write access to an LDAP directory, the following restriction applies: When assigning members to a group that is stored in the LDAP directory, you can only assign users or groups that are also stored in the LDAP directory. You cannot assign users or groups from the database to groups from the LDAP directory. 

You can, however, assign users and groups stored in the LDAP directory to a group in the database.

     You cannot search for users with locked passwords. Searching for users with locked passwords returns no results.

     If you are using an LDAP directory with a deep hierarchy, you cannot assign users or groups as members of another group using the UME user administration tools.
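The following script is an added example (not SAP code) of a pre-flight check an administrator can run over an LDIF export of the directory before connecting it to UME. It parses the entries and reports the three constraints above that can be checked offline: DNs longer than 240 characters, group names that collide with the UME default groups (candidates for ume.ldap.blocked_groups), and user IDs that match the <application_name>_service convention (candidates for ume.ldap.blocked_users and ume.ldap.blocked_accounts). The LDIF data is constructed for illustration, and the assumption that an application name consists of letters and digits is the author's of this example, not SAP's.

```python
"""Pre-flight check of an LDIF export against the UME data-source constraints.

Added example, not SAP code. Reads a constructed LDIF sample, parses it with a
minimal LDIF parser (line continuation and comments handled, base64 values not),
and reports which entries an administrator must deal with before UME reads the
directory.
"""
import re

MAX_DN_LENGTH = 240  # UME constraint on user and group DNs
UME_DEFAULT_GROUPS = {"Everyone", "Authenticated Users", "Anonymous Users"}
# Assumption of this example: <application_name> consists of letters and digits.
SERVICE_USER_RE = re.compile(r"^[A-Za-z0-9]+_service$")

# Constructed sample export, not real directory data. The "Authenticated Users"
# entry deliberately wraps its cn over two lines to exercise LDIF continuation.
SAMPLE_LDIF = """\
# constructed sample export
dn: cn=Everyone,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Everyone
member: uid=jdoe,ou=users,dc=example,dc=com

dn: cn=Authenticated Users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Authenticated
  Users

dn: cn=Portal Admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Portal Admins

dn: uid=jdoe,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe

dn: uid=portal_service,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: portal_service
cn: Portal service user

dn: uid=longdn,ou=""" + "x" * 250 + """,dc=example,dc=com
objectClass: inetOrgPerson
uid: longdn
"""


def parse_ldif(text):
    """Return a list of entries; each entry maps a lower-cased attribute name
    to the list of its values. Entries are separated by blank lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # LDIF continuation: one leading space
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_entries(entries):
    """Apply the UME constraints and collect the names that need attention."""
    findings = {"dn_too_long": [], "block_groups": set(), "block_users": set()}
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if len(dn) > MAX_DN_LENGTH:
            findings["dn_too_long"].append(dn)
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "groupofnames" in classes or "group" in classes:
            # Group entry: a cn equal to a UME default group is ambiguous.
            for name in entry.get("cn", []):
                if name in UME_DEFAULT_GROUPS:
                    findings["block_groups"].add(name)
        else:
            # User entry: IDs that look like UME service users must be blocked.
            for uid in entry.get("uid", []) + entry.get("samaccountname", []):
                if SERVICE_USER_RE.match(uid):
                    findings["block_users"].add(uid)
    return findings


if __name__ == "__main__":
    result = check_entries(parse_ldif(SAMPLE_LDIF))
    for dn in result["dn_too_long"]:
        print(f"DN exceeds {MAX_DN_LENGTH} characters: {dn[:60]}...")
    print("Add to ume.ldap.blocked_groups:", sorted(result["block_groups"]))
    print("Add to ume.ldap.blocked_users / blocked_accounts:",
          sorted(result["block_users"]))
```

The check only reports; how the collected names are entered into the UME properties follows the property syntax documented for your UME release.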

Available Data Source Configuration Files

Choose from the following options:

Note

To find the configuration file, use the Config Tool. For more information, see Editing UME Configuration Files. For recently certified LDAP directories, contact the LDAP directory vendor directly.

Option 1: User management data is stored in a combination of an LDAP server and a database

Description:

The following data is written to and read from the LDAP server:

     Users (displayname, lastname, fax, email, title, department, description, mobile, telephone, streetaddress, uniquename, and group membership, as well as any other attributes defined through attribute mapping)

     User accounts (logonid, password, ID of the assigned user)

     Groups (displayname, description, uniquename, and the group members)

The following data is written to and read from the database:

     Additional data (for example, information about when a user was last changed)

     Other principal types (for example, roles)

     Additional attributes (for example, attributes not covered by the standard object classes of the LDAP server)

Use case: You have a mixed system landscape including both SAP and non-SAP systems, or you have an existing corporate LDAP directory in your system landscape. You want to store standard user data such as name, address, and email address in the directory, and application-specific data in the database.

Configuration file:

     If the LDAP directory has a flat hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_not_readonly_db.xml

     If the LDAP directory has a deep hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_deep_not_readonly_db.xml

Option 2: User management data is stored in a combination of a read-only LDAP server and a database

Description: You cannot create, modify, or delete users or groups in the LDAP server. All newly created principals and additional data are stored in the database.

Use case: You have an existing corporate LDAP directory in your system landscape and have existing processes for administering user data on this directory. You are using UME with SAP Enterprise Portal and want all users that register themselves in the portal to be stored separately from the user data on the corporate directory.

Configuration file:

     If the LDAP directory has a flat hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_readonly_db.xml

     If the LDAP directory has a deep hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_deep_readonly_db.xml
