Use this procedure to configure the user management engine (UME) to use an LDAP directory as the data source.
More information: Configuring User Management.
The table below lists the settings for configuring the LDAP directory connection.
Settings for Configuring an LDAP Directory as Data Source

Setting | Description | Example |
---|---|---|
Server Name | Host name of the LDAP directory server. | |
Server Port | Port used by the LDAP directory. | |
User | Distinguished name (DN) of the user that is used to connect (bind) to the LDAP directory. This user must have read and search permissions for all branches of the LDAP directory. If the UME requires write access, the user must also have create and change authorizations. | cn=Directory Manager |
Password | Password of the user indicated above, used to connect (bind) to the LDAP directory. When you enter the password, user management configuration hides your input on the screen. | |
User Path | Distinguished name of the directory branch where information about users is stored. If you have groups in a tree hierarchy, the User Path and Group Path values must be the same. More information: Organization of Users and Groups in LDAP Directory. | ou=CorporateUsers,c=us,o=mycompany |
Group Path | Distinguished name of the directory branch where information about groups is stored. | ou=CorporateGroups,c=us,o=mycompany |
Use SSL for LDAP Access | This checkbox determines whether the UME uses a Secure Sockets Layer (SSL) connection to the LDAP directory. | |
Use Unique Attribute for UME Unique ID | Select this checkbox to use a unique ID instead of a distinguished name to identify a user account. Which LDAP attribute is used as the unique ID is defined in the data source configuration file and appears as the default value when you set this indicator. This enables you to physically move users in your LDAP directory structure and still find them, because the user ID is based on the unique ID and not the distinguished name. See also SAP Note 777640. | |
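To show how the settings in the table interact, here is an added consistency check (example code, not part of SAP's UME) that models the connection settings as a record and reports weak or contradictory values; the `groups_in_tree` flag, the port constants, the host names, DNs and password are assumptions or constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class LdapDataSourceSettings:
    """Connection settings from the table above; field names mirror the UME labels."""
    server_name: str
    server_port: int
    user: str                    # bind DN
    password: str
    user_path: str
    group_path: str
    use_ssl: bool
    use_unique_attribute: bool
    groups_in_tree: bool = False  # assumed helper flag, not a UME setting

LDAP_PORT, LDAPS_PORT = 389, 636  # IANA defaults, used only for the port/SSL consistency check

def looks_like_dn(value):
    """Cheap syntactic check: every comma-separated RDN must have the form attr=value."""
    parts = [p.strip().split("=", 1) for p in value.split(",")]
    return all(len(p) == 2 and p[0] and p[1] for p in parts)

def check_settings(s):
    """Return a list of findings for one data source configuration (empty means clean)."""
    findings = []
    if not s.use_ssl:
        findings.append("Use SSL unchecked: a simple bind sends the bind DN and password unencrypted")
    elif s.server_port == LDAP_PORT:
        findings.append("SSL enabled on port 389: LDAPS servers normally listen on 636")
    if not s.password:
        findings.append("empty bind password")
    if s.groups_in_tree and s.user_path != s.group_path:
        findings.append("groups in a tree hierarchy: User Path and Group Path must be identical")
    if not s.use_unique_attribute:
        findings.append("accounts identified by DN: moving a user in the directory changes its identity")
    for label, dn in (("User", s.user), ("User Path", s.user_path), ("Group Path", s.group_path)):
        if not looks_like_dn(dn):
            findings.append(f"{label} is not a distinguished name: {dn!r}")
    return findings

# Constructed sample configurations; host names, DNs and the password are placeholders.
WEAK = LdapDataSourceSettings("ldap.example.com", 389, "cn=Directory Manager", "",
                              "ou=CorporateUsers,c=us,o=mycompany",
                              "ou=CorporateGroups,c=us,o=mycompany",
                              use_ssl=False, use_unique_attribute=False, groups_in_tree=True)
HARDENED = LdapDataSourceSettings("ldap.example.com", 636,
                                  "cn=ume-bind,ou=ServiceAccounts,c=us,o=mycompany", "<bind-password>",
                                  "ou=Corporate,c=us,o=mycompany", "ou=Corporate,c=us,o=mycompany",
                                  use_ssl=True, use_unique_attribute=True, groups_in_tree=True)
```

Running `check_settings(WEAK)` reports four findings, while `check_settings(HARDENED)` reports none.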
If the test fails, user management configuration displays the entry from the security log. The monitoring tools of your LDAP directory can also help you determine the cause of the problem. If necessary, go back and reenter the connection data and test the connection until you are successful.
The table below lists additional LDAP directory connection settings. More information: UME Connection Pool for LDAP Directory.
The UME uses the LDAP cache to optimize access to the LDAP directory server by caching data such as previous search results.
Additional Connection Settings for LDAP Directories

Setting | Description |
---|---|
Initial Size | Minimum number of connections in the connection pool. If set to 1, the connection pool never has fewer than one open connection. |
Maximum Idle Size | Maximum number of idle connections in the connection pool. Once this number of idle connections is reached, the connection pool closes every connection that is subsequently released. |
Maximum Size | Maximum number of connections in the connection pool. |
Maximum Idle Time | Maximum time in milliseconds that an idle connection remains in the connection pool. |
Connect Timeout | Enter the number of milliseconds between connection requests sent from the UME to the LDAP directory server. By default the UME tries the connection twice. If the second attempt fails, the UME does one of the following: |
Monitoring Interval | Enter a value larger than 999 to enable the directory server connection pool log. The monitoring interval is the interval in milliseconds at which the system records information. Any value less than 1000 disables logging. More information: Directory Server Connection Pool Log. |
Cache Size | Number of cache entries saved. |
Cache Lifetime | How long a search entry remains in the cache. |
Unique Name of Blocked Users | Enter the unique names of users in the LDAP directory that the UME should ignore. If users with the same unique name exist both in the LDAP directory and in the AS Java database, use this setting to prevent the UME from finding these users in the LDAP directory. |
Unique Name of Blocked Groups | Enter the unique names of groups in the LDAP directory that the UME should ignore. The AS Java database includes a default group named everyone. If there is a group in the LDAP directory with the same name, enter everyone to prevent the UME from finding the group in the LDAP directory. |
Record LDAP Access | Select this checkbox to enable the directory service access log. This log records LDAP requests and the response time. More information: Directory Server Access Log. |
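To make the pool semantics described for Initial Size, Maximum Idle Size, Maximum Size and Maximum Idle Time concrete, here is an added toy model (example code, not UME's implementation, and it opens no real LDAP connections); connections are plain integers and the clock is passed in explicitly in milliseconds.

```python
class LdapConnectionPool:
    """Toy model of the UME pool parameters above; connections are plain integers."""
    def __init__(self, initial_size, max_idle_size, max_size, max_idle_time_ms):
        self.initial_size = initial_size
        self.max_idle_size = max_idle_size
        self.max_size = max_size
        self.max_idle_time_ms = max_idle_time_ms
        self._next_id = 0
        self.idle = []      # (connection, time it was released, in ms)
        self.in_use = set()
        self.closed = []    # connections the pool has closed, in order
        # Initial Size: the pool starts with this many open connections
        for _ in range(initial_size):
            self.idle.append((self._open(), 0))

    def _open(self):
        self._next_id += 1
        return self._next_id

    def _expire_idle(self, now_ms):
        # Maximum Idle Time: stale idle connections are closed, except that the
        # pool never shrinks below Initial Size (its minimum number of connections)
        fresh = [c for c in self.idle if now_ms - c[1] <= self.max_idle_time_ms]
        stale = [c for c in self.idle if now_ms - c[1] > self.max_idle_time_ms]
        while stale and len(fresh) + len(self.in_use) < self.initial_size:
            fresh.append(stale.pop())
        self.closed.extend(conn for conn, _ in stale)
        self.idle = fresh

    def acquire(self, now_ms):
        self._expire_idle(now_ms)
        if self.idle:
            conn, _ = self.idle.pop()
        elif len(self.idle) + len(self.in_use) < self.max_size:
            conn = self._open()          # grow, but never beyond Maximum Size
        else:
            raise RuntimeError("Maximum Size reached: no connection available")
        self.in_use.add(conn)
        return conn

    def release(self, conn, now_ms):
        self.in_use.remove(conn)
        # Maximum Idle Size: once that many connections are idle, every further
        # released connection is closed instead of being returned to the pool
        if len(self.idle) >= self.max_idle_size:
            self.closed.append(conn)
        else:
            self.idle.append((conn, now_ms))
```

With Initial Size 1, Maximum Idle Size 2 and Maximum Size 3, a fourth concurrent acquire fails, the third release is closed rather than pooled, and after Maximum Idle Time elapses only one idle connection survives.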
The UME can now access the LDAP directory. You can configure the LDAP data source further, for example as follows:
More information: Customizing a UME Data Source Configuration.
We strongly recommend that you configure SSL between the UME and the LDAP directory. Some LDAP directories, such as Microsoft Active Directory Server, require an SSL connection if you want to create users in the LDAP directory.