These properties enable you to configure how the user management engine (UME) accesses a directory server data source.
The properties are divided into the following groups:
· LDAP properties of the UME
· LDAP properties of the data source configuration file
For information about LDAP connection pool properties, see LDAP Directory: Connection Pooling.
LDAP Properties of the UME
Property | Value | Description
ume.ldap.access. | Default value is 2. | In a high availability scenario: the number of times the UME repeats an action on the LDAP directory server before switching to another server and reinitializing the connection pools. In a scenario with only one LDAP server: the number of times the UME repeats an action on the LDAP directory server before throwing an exception.
ume.ldap.access. | | When you configure multiple LDAP directory servers, you can configure up to five passwords for the respective communication users. For more information, see Configuration of More Than One LDAP Data Source. See also SAP Note 736471.
ume.ldap.access. | | Auxiliary naming attribute of principal type group.
ume.ldap.access. | | Auxiliary naming attribute of principal type user account.
ume.ldap.access. | | Auxiliary naming attribute of principal type user.
ume.ldap.access. | | Auxiliary object class of principal type group.
ume.ldap.access. | | Auxiliary object class of principal type user account.
ume.ldap.access. | | Auxiliary object class of principal type user.
ume.ldap.access. | | Distinguished name of the branch of the directory where information about groups is stored. If you have a 'groups in a tree' hierarchy, this property must have the same value as ume.ldap.access.base_path.user. Example: ou=CorporateGroups,c=us,
ume.ldap.access. | | Distinguished name of the branch of the directory where information about users is stored. If you have a 'groups in a tree' hierarchy, this property must have the same value as ume.ldap.access.base_path.grup. Example: ou=CorporateUsers,c=us,
ume.ldap.access. | | Distinguished name of the branch of the directory where information about user accounts is stored.
ume.ldap.access. | | Path where new groups are created. This path must be relative to the path defined in . If this property is not defined, groups are stored in the path defined in . Example: if the properties are set as follows: ume.ldap.access.base_path.grup , ume.ldap.access.creation_path.user , new groups are created at ou=NewGroups,ou=Groups,c=us,o=mycompany.
ume.ldap.access. | | Path where new user accounts are created. This path must be relative to the path defined in . If this property is not defined, user accounts are stored in the path defined in .
ume.ldap.access. | | Path where new users are created. This path must be relative to the path defined in . If this property is not defined, users are stored in the path defined in .
ume.ldap.access. | Default is TRUE. TRUE = A flat hierarchy is used. FALSE = A 'groups as tree' hierarchy is used. MIXED = A mixture of the two hierarchies is used. | If this property is set incorrectly, the UME cannot properly read the relationship between groups and their members.
ume.ldap.access. | Default value is FALSE. | Set this property to TRUE to support logon in a multidomain Windows environment. If there are multiple Windows domains in your environment, the unique ID is defined through the logon ID and the domain. See also SAP Note 762419.
ume.ldap.access. | <comma-separated_ | Naming attribute of groups. In the LDAP directory, a group is uniquely identified by its distinguished name (DN). The naming attribute is the attribute used to distinguish the group from the next level above it in the LDAP directory. Example: if a group's DN is ou=mygroup,ou=CorporateGroups,c=us,o=mycompany, the naming attribute for groups is ou.
ume.ldap.access. | <comma-separated_ | Naming attribute of user accounts.
ume.ldap.access. | <comma-separated_ | Naming attribute of users.
ume.ldap.access. | <comma-separated_ | Object class of groups.
ume.ldap.access. | <comma-separated_ | Object class of user accounts.
ume.ldap.access. | <comma-separated_ | Object class of users.
ume.ldap.access. | | Password of the communication user that is used to connect (bind) to the LDAP directory server. If you do not set the password, the system attempts an anonymous bind. The configuration of your directory server may not return data to an anonymous user.
ume.ldap.access. | | Hostname or IP address of the LDAP directory server. For a high availability scenario, you can enter a comma-separated list of LDAP directory servers.
ume.ldap.access. | | The port that the LDAP directory server listens on. For a high availability scenario, you can enter a comma-separated list of ports for the LDAP directory servers (in the same order as the servers).
ume.ldap.access. | NOVELL = Novell eDirectory; SUN = Sun ONE Directory Server; ADS = Microsoft Active Directory Server; SIEMENS = Siemens DirX | Type of the LDAP directory server.
ume.ldap.access. | Default value is 0. 0 = No limit. | Defines the maximum number of entries the UME fetches from a search of a directory server.
ume.ldap.access.ssl | Default value is FALSE. | Use this property to enable the UME to use SSL for the connection to the directory server.
ume.ldap.access. | Default value is 0. 0 = No limit. | Defines the maximum length of time, in milliseconds, that the UME allows for a search of a directory server. The UME only fetches the results it found within the specified period of time.
ume.ldap.access.user | | Distinguished name (DN) of the communication user on the directory server with which the UME connects (binds) to the LDAP directory server. Example: cn=Directory Manager
ume.ldap.access. | Default value is TRUE. | Defines whether the UME user and account objects point to the same object in the directory server or not. Set this property to FALSE if the directory server treats the user and the account as separate objects.
ume.ldap.blocked_accounts | <comma-separated list of logon IDs> Default value is Administrator,Guest. | Specifies the logon IDs of accounts in the LDAP directory that are ignored by the UME. See also LDAP Directory as Data Source.
ume.ldap.blocked_groups | <comma-separated list of unique names> Default value is Administrators,Guests. | Specifies the unique names of groups in the LDAP directory that are ignored by the UME. See also LDAP Directory as Data Source.
ume.ldap.blocked_users | <comma-separated list of unique names> Default value is Administrator,Guest. | Specifies the unique names of users in the LDAP directory that are ignored by the UME. See also LDAP Directory as Data Source.
ume.ldap.cache_lifetime | Default value is 300. | Lifetime in seconds of a search cache entry for the LDAP directory.
ume.ldap.cache_size | Default value is 100. | Number of entries in the search cache for the LDAP directory.
ume.ldap.default_group_ | Default value is DUMMY_MEMBER_FOR_UME. | Sets the name of the dummy group member when the property ume.ldap.default_group_
ume.ldap.default_group_ | Default value is FALSE. | Some directory servers require that groups have a member when created. Enable this property to have the UME include a dummy member when creating a directory server group. This dummy member is filtered out in the UME user interface. If this feature is not set properly, you cannot create new groups.
ume.ldap.record_access | Default value is FALSE. TRUE = Trace file is created. | Defines whether the UME creates the trace file sapum.access.audit, which contains additional information about the performance of the LDAP directory. For more information, see Directory Server Access Log.
ume.ldap.unique | | Attribute used to create the unique ID of a group. We strongly recommend that you do not change this property.
ume.ldap.unique | | Attribute used to create the unique ID for the j_user. See also SAP Note 777640.
ume.ldap.unique | | Attribute used to create the unique ID for the j_user. By default, the unique ID is the distinguished name (DN) of the user in the LDAP directory. See also SAP Note 777640.
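As an added example (not part of the SAP documentation), a small Python check that applies the rules in the table above to a constructed key=value settings sample: it derives the naming attribute from a DN, composes the effective creation path from the creation and base path properties, and flags the settings a reviewer would question (SSL off, no communication user DN, default blocked accounts removed). The key=value file format and the sample values are assumptions; only property names that appear in the table are used.

```python
"""Added example, not SAP code: review UME LDAP settings against the reference table."""

# Constructed sample settings (not from any real system); key=value format is assumed.
SAMPLE = """
ume.ldap.access.ssl=FALSE
ume.ldap.access.user=
ume.ldap.access.base_path.user=ou=CorporateUsers,c=us,o=mycompany
ume.ldap.access.base_path.grup=ou=CorporateGroups,c=us,o=mycompany
ume.ldap.access.creation_path.user=ou=NewUsers
ume.ldap.blocked_accounts=Guest
ume.ldap.cache_lifetime=300
"""

def load_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def naming_attribute(dn):
    """Attribute type of the leftmost RDN (escaped commas are not handled here)."""
    return dn.split(",", 1)[0].split("=", 1)[0].strip()

def effective_creation_dn(props, kind):
    """Creation path is relative to the base path; if unset, the base path itself is used.
    kind is 'user' or 'grup' (the page's spelling of the group base path property)."""
    base = props.get(f"ume.ldap.access.base_path.{kind}", "")
    rel = props.get(f"ume.ldap.access.creation_path.{kind}", "")
    return f"{rel},{base}" if rel else base

def audit(props):
    """Return findings a reviewer of the UME LDAP settings would raise."""
    findings = []
    if props.get("ume.ldap.access.ssl", "FALSE").upper() != "TRUE":
        findings.append("ume.ldap.access.ssl is not TRUE: the directory connection is not protected by SSL")
    if not props.get("ume.ldap.access.user"):
        findings.append("ume.ldap.access.user is empty: no communication user DN is configured for the bind")
    blocked = {x.strip() for x in props.get("ume.ldap.blocked_accounts", "Administrator,Guest").split(",") if x.strip()}
    missing = {"Administrator", "Guest"} - blocked
    if missing:
        findings.append("ume.ldap.blocked_accounts no longer covers the default logon IDs: " + ", ".join(sorted(missing)))
    return findings

if __name__ == "__main__":
    cfg = load_properties(SAMPLE)
    print("new users are created at:", effective_creation_dn(cfg, "user"))
    for finding in audit(cfg):
        print("FINDING:", finding)
```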
The following properties occur only in the private section of the data source configuration file. For more information about the private section, see <privateSection>.
LDAP Properties of the Data Source Configuration File
Property | Value | Description
ume.ldap.access. | Default value is FALSE. | Defines whether internal object IDs created by the UME are case sensitive or not. If your directory server requires case-sensitive object IDs, set this property to TRUE. See also SAP Note 763084.
ume.ldap.access. | Default value is 10. | Only configured in high-availability scenarios. Time in minutes after which the UME tries to reconnect to the main directory server.
ume.ldap.access. | Pair of domain alias and directory server path. Use the following syntax: [<alias>;<path>] | Defines the domain and server path mapping for multidomain Windows environments. See also SAP Note 762419.
ume.ldap.access. | Default value is FALSE. | Enable this property if your directory server immediately expires passwords set in the administrator context. This property enables the communication user to temporarily set passwords in the user context. See also SAP Note 865399.
ume.ldap.access. | Default value is TRUE. | Disable this property if your directory server causes new passwords to expire immediately after a password set command. See also SAP Note 865399.
ume.ldap.negative_ | attribute_name=[comma-separated list of values] | Enables you to filter out objects from search requests based on LDAP attributes. For more information about negative attributes, see LDAP Only: Negative User Filter.