
UME Properties for LDAP Directory Data Source

These properties enable you to configure how the user management engine (UME) accesses a directory server data source.

The properties are divided into the following groups:

·        LDAP properties of the UME

·        LDAP properties of the data source configuration file

For information about LDAP connection pool properties, see LDAP Directory: Connection Pooling.

LDAP Properties of the UME

Each entry lists the property, its value (where one is specified), and its description.

ume.ldap.access.action_retrial
Value: Default value is 2.
Description: In a high availability scenario: Number of times the UME repeats an action on the LDAP directory server before switching to another server and reinitializing the connection pools.
In a scenario with only one LDAP server: Number of times the UME repeats an action on the LDAP directory server before throwing an exception.

ume.ldap.access.additional_password.<number>
Description: When you configure multiple LDAP directory servers, you can configure up to five passwords for the respective communication users. For more information, see Configuration of More Than One LDAP Data Source. See also SAP Note 736471.

ume.ldap.access.auxiliary_naming_attribute.grup
Description: Auxiliary naming attribute of principal type group.

ume.ldap.access.auxiliary_naming_attribute.uacc
Description: Auxiliary naming attribute of principal type user account.

ume.ldap.access.auxiliary_naming_attribute.user
Description: Auxiliary naming attribute of principal type user.

ume.ldap.access.auxiliary_objectclass.grup
Description: Auxiliary object class of principal type group.

ume.ldap.access.auxiliary_objectclass.uacc
Description: Auxiliary object class of principal type user account.

ume.ldap.access.auxiliary_objectclass.user
Description: Auxiliary object class of principal type user.

ume.ldap.access.base_path.grup
Description: Distinguished name of the branch of the directory where information about groups is stored.
If you have a ‘groups in a tree’ hierarchy, this property must have the same value as ume.ldap.access.base_path.user.
Example: ou=CorporateGroups,c=us,o=mycompany

ume.ldap.access.base_path.user
Description: Distinguished name of the branch of the directory where information about users is stored.
If you have a ‘groups in a tree’ hierarchy, this property must have the same value as ume.ldap.access.base_path.grup.
Example: ou=CorporateUsers,c=us,o=mycompany

ume.ldap.access.base_path.uacc
Description: Distinguished name of the branch of the directory where information about user accounts is stored.

ume.ldap.access.creation_path.grup
Description: Path where new groups are created.
This path must be relative to the path defined in ume.ldap.access.base_path.grup.
If this property is not defined, groups are stored in the path defined in ume.ldap.access.base_path.grup.
Example: If the properties are set as follows:
ume.ldap.access.base_path.grup=ou=Groups,c=us,o=mycompany
ume.ldap.access.creation_path.grup=ou=NewGroups
new groups are created at ou=NewGroups,ou=Groups,c=us,o=mycompany.

ume.ldap.access.creation_path.uacc
Description: Path where new user accounts are created.
This path must be relative to the path defined in ume.ldap.access.base_path.uacc.
If this property is not defined, user accounts are stored in the path defined in ume.ldap.access.base_path.uacc.

ume.ldap.access.creation_path.user
Description: Path where new users are created.
This path must be relative to the path defined in ume.ldap.access.base_path.user.
If this property is not defined, users are stored in the path defined in ume.ldap.access.base_path.user.

ume.ldap.access.flat_group_hierachy
Value: Default is TRUE.
TRUE = A flat hierarchy is used.
FALSE = A ‘groups as tree’ hierarchy is used.
MIXED = A mixture of the two hierarchies is used.
Description: If this property is set incorrectly, the UME cannot properly read the relationship between groups and their members.

ume.ldap.access.multidomain.enabled
Value: Default value is FALSE.
Description: Set this property to TRUE to support logon in a multidomain Windows environment. If there are multiple Windows domains in your environment, your unique ID is defined through logon ID and domain. See also SAP Note 762419.

ume.ldap.access.naming_attribute.grup
Value: <comma-separated_list_of_attributes>
Description: Naming attribute of groups.
In the LDAP directory a group is uniquely identified by its distinguished name (DN). The naming attribute is the attribute used to distinguish the group from the next level above it in the LDAP directory.
Example: If a group’s DN is ou=mygroup, ou=CorporateGroups,c=us,o=mycompany, the naming attribute for groups is ou.

ume.ldap.access.naming_attribute.uacc
Value: <comma-separated_list_of_attributes>
Description: Naming attribute of user accounts.

ume.ldap.access.naming_attribute.user
Value: <comma-separated_list_of_attributes>
Description: Naming attribute of users.

ume.ldap.access.objectclass.grup
Value: <comma-separated_list_of_object_classes>
Description: Object class of groups.

ume.ldap.access.objectclass.uacc
Value: <comma-separated_list_of_object_classes>
Description: Object class of user accounts.

ume.ldap.access.objectclass.user
Value: <comma-separated_list_of_object_classes>
Description: Object class of users.

ume.ldap.access.password
Description: Password of the communication user that is used to connect (bind) to the LDAP directory server.
If you do not set the password, the system attempts an anonymous bind. The configuration of your directory server may not return data to an anonymous user.

ume.ldap.access.server_name
Description: Hostname or IP address of the LDAP directory server.
For a high availability scenario, you can enter a comma-separated list of LDAP directory servers.

ume.ldap.access.server_port
Description: The port that the LDAP directory server listens at.
For a high availability scenario, you can enter a comma-separated list of ports for the LDAP directory servers (in the same order as the servers).

ume.ldap.access.server_type
Value:
NOVELL = Novell eDirectory
SUN = Sun ONE Directory Server
ADS = Microsoft Active Directory Server
SIEMENS = Siemens DirX
Description: Type of the LDAP directory server.

ume.ldap.access.size_limit
Value: Default value is 0.
0 = No limit.
Description: Defines the maximum number of entries the UME fetches from a search of a directory server.

ume.ldap.access.ssl
Value: Default value is FALSE.
Description: Use this property to enable the UME to use SSL for the connection to the directory server.

ume.ldap.access.time_limit
Value: Default value is 0.
0 = No limit.
Description: Defines the maximum length of time in milliseconds that the UME allows for a search of a directory server. The UME only fetches the results it found within the specified period of time.

ume.ldap.access.user
Description: Distinguished name (DN) of the communication user on the directory server with which the UME connects (binds) to the LDAP directory server.
Example: cn=Directory Manager

ume.ldap.access.user_as_account
Value: Default value is TRUE.
Description: Defines whether the UME user and account objects point to the same object in the directory server or not. Set this property to FALSE if the directory server treats the user and account as separate objects.

ume.ldap.blocked_accounts
Value: <comma-separated list of logon IDs>
Default value is Administrator,Guest.
Description: Specifies the logon IDs of accounts in the LDAP directory that are ignored by the UME.
See also LDAP Directory as Data Source.

ume.ldap.blocked_groups
Value: <comma-separated list of unique names>
Default value is Administrators,Guests.
Description: Specifies the unique names of groups in the LDAP directory that are ignored by the UME.
See also LDAP Directory as Data Source.

ume.ldap.blocked_users
Value: <comma-separated list of unique names>
Default value is Administrator,Guest.
Description: Specifies the unique names of users in the LDAP directory that are ignored by the UME.
See also LDAP Directory as Data Source.

ume.ldap.cache_lifetime
Value: Default value is 300.
Description: Lifetime in seconds of a search cache entry for the LDAP directory.

ume.ldap.cache_size
Value: Default value is 100.
Description: Number of entries in the search cache for the LDAP directory.

ume.ldap.default_group_member
Value: Default value is DUMMY_MEMBER_FOR_UME.
Description: Sets the name of the dummy group member when the property ume.ldap.default_group_member.enabled is enabled.

ume.ldap.default_group_member.enabled
Value: Default value is FALSE.
Description: Some directory servers require that groups have a member when created. Enable this property to have the UME include a dummy member when creating a directory server group. This dummy member is filtered out in the UME user interface. If this feature is not set properly, you cannot create new groups.

ume.ldap.record_access
Value: Default value is FALSE.
TRUE = Trace file is created.
Description: Defines whether the UME creates the trace file sapum.access.audit, which contains additional information about the performance of the LDAP directory. For more information, see Directory Server Access Log.

ume.ldap.unique_grup_attribute
Description: Attribute used to create the unique ID of a group. We strongly recommend that you do not change this property.

ume.ldap.unique_uacc_attribute
Description: Attribute used to create the unique ID for the j_user. See also SAP Note 777640.

ume.ldap.unique_user_attribute
Description: Attribute used to create the unique ID for the j_user. By default, the unique ID is the distinguished name (DN) of the user in the LDAP directory. See also SAP Note 777640.
The following properties occur only in the private section of the data source configuration file. For more information about the private section, see <privateSection>.

LDAP Properties of the Data Source Configuration File

ume.ldap.access.case_sensitive
Value: Default value is FALSE.
Description: Defines whether internal object IDs created by the UME are case sensitive or not. If your directory server requires case sensitive object IDs, set this property to TRUE. See also SAP Note 763084.

ume.ldap.access.default_switch
Value: Default value is 10.
Description: Only configured in high-availability scenarios.
Time in minutes after which the UME tries to reconnect to the main directory server.

ume.ldap.access.domain_mapping
Value: Pair of domain alias and directory server path. Use the following syntax:
[<alias>;<path>]
Description: Defines the domain and server path mapping for multidomain Windows environments. See also SAP Note 762419.

ume.ldap.access.pwd.via.usercontext
Value: Default value is FALSE.
Description: Enable this property if your directory server immediately expires passwords set in the administrator context. This property enables the communication user temporarily to set passwords in the user context. See also SAP Note 865399.

ume.ldap.access.set_pwd
Value: Default value is TRUE.
Description: Disable this property if your directory server causes new passwords to expire immediately after a password set command. See also SAP Note 865399.

ume.ldap.negative_user_filter
Value: attribute_name=[comma separated list of values]
Description: Enables you to filter out objects from search requests based on LDAP attributes.
For more information about negative attributes, see LDAP Only: Negative User Filter.
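Two properties in this table carry a structured value: ume.ldap.access.domain_mapping uses the [<alias>;<path>] syntax and ume.ldap.negative_user_filter uses attribute_name=[v1,v2,...]. The script below is an added example (not SAP code) that validates and parses both shapes and shows how the excluded values could be applied to an LDAP search as a NOT clause. Two assumptions are not stated on the page: that a domain_mapping value may hold more than one bracketed pair back to back, and that the exclusion filter built here is one way of honouring the negative filter rather than a description of UME internals. The configured values are escaped per RFC 4515 before being placed in the filter, so a value can only ever be compared literally. All sample values are constructed.

```python
"""Parsers for ume.ldap.access.domain_mapping ([<alias>;<path>]) and
ume.ldap.negative_user_filter (attribute_name=[v1,v2,...]).

Added example, not SAP code. Assumptions: domain_mapping may contain several
[alias;path] pairs concatenated, and exclusion_filter() is one possible way
to apply a negative user filter to a search, not UME's own behaviour.
Sample values are constructed.
"""
import re

DOMAIN_MAPPING_SHAPE = re.compile(r"\s*(?:\[[^;\[\]]+;[^\[\]]+\]\s*)+")
DOMAIN_MAPPING_PAIR = re.compile(r"\[([^;\[\]]+);([^\[\]]+)\]")
NEGATIVE_FILTER_SHAPE = re.compile(r"\s*([A-Za-z][\w.-]*)\s*=\s*\[(.*)\]\s*")


def parse_domain_mapping(value):
    """'[<alias>;<path>]...' -> {alias: directory path}.
    Rejects anything that is not a sequence of well-formed bracketed pairs."""
    if not DOMAIN_MAPPING_SHAPE.fullmatch(value):
        raise ValueError(f"malformed domain_mapping value: {value!r}")
    return {alias.strip(): path.strip()
            for alias, path in DOMAIN_MAPPING_PAIR.findall(value)}


def parse_negative_user_filter(value):
    """'attribute_name=[v1,v2,...]' -> (attribute_name, [v1, v2, ...])."""
    m = NEGATIVE_FILTER_SHAPE.fullmatch(value)
    if not m:
        raise ValueError(f"malformed negative_user_filter value: {value!r}")
    values = [v.strip() for v in m.group(2).split(",") if v.strip()]
    if not values:
        raise ValueError("negative_user_filter lists no values")
    return m.group(1), values


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that carry meaning in a search
    filter, so a configured value cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def exclusion_filter(base_filter, attribute, values):
    """AND the existing search filter with a NOT over every excluded value."""
    excluded = "".join(f"({attribute}={escape_filter_value(v)})" for v in values)
    return f"(&{base_filter}(!(|{excluded})))"


if __name__ == "__main__":
    # Constructed sample values in the syntax documented above.
    print(parse_domain_mapping("[CORP;ou=Corp,dc=example,dc=test]"))
    attr, values = parse_negative_user_filter("employeeType=[service,shared]")
    print(exclusion_filter("(objectClass=user)", attr, values))
```

With the constructed sample, the negative filter employeeType=[service,shared] combined with the base filter (objectClass=user) yields (&(objectClass=user)(!(|(employeeType=service)(employeeType=shared)))); a value containing a wildcard or parenthesis is escaped rather than interpreted.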
