Configuring the UMEfor Directory Service Sync with AS ABAP

Use

Use this procedure if your user management engine (UME) uses SAP NetWeaver Application Server (AS) ABAP as the data source, but you have an LDAP directory with information you want to use, such as the following:

User logon ID
User password
Group membership

You can also use this procedure if you have an existing AS ABAP synchronized with a directory service and you want to add an AS Java to the landscape.

Users log on to the AS Java using the password stored in the directory service, even though the AS ABAP is the data source for the AS Java. If necessary, the AS ABAP synchronizes its user data with the directory service. The figure below illustrates this system landscape.

AS ABAP with Directory Service Synchronization as Data Source for AS Java

Users logged into the AS Java cannot access content in the AS ABAP. To enable logon to the AS ABAP, enable Single Sign-On with logon tickets and enable logon ticket support for the AS ABAP.

Prerequisites

This procedure requires you to restart the AS Java. Plan for the required down time while the AS Java restarts.
You have configured the UME to use an SAP NetWeaver Application Server for ABAP 7.10 and higher as the data source with the data source configuration file dataSourceConfiguration_abap.xml .
For more information, see SAP NetWeaver Application Server for ABAP User Management as Data Source .

Procedure

Configure directory service synchronization for the AS ABAP.
For more information, see the directory service documentation.
Determine if you need to customize the directory service configuration file.
The directory service configuration file governs the configuration between the AS Java and the directory service. If your directory service configuration demands it, you can customize the configuration. For example, if you want to support a deep hierarchy or Secure Sockets Layer (SSL).

Note
We recommend you use the standard configuration files whenever possible. To configure SSL between the UME and the directory service, you must customize the directory service configuration file. The directory service configuration for the Microsoft directory service supports SSL by default.

More information: Customizing a Directory Service Configuration File .

Caution
Do not use the data source configuration files for directory services or attempt to configure the directory service connection from the UMEconfiguration user interface.
Configure the UME for LDAP integration for the AS ABAP data source.
1. Start UME configuration.
  For more information, see Configuring User Management .
2. On the ABAP System tab page, select the LDAP Integration Enabled checkbox.
3. Enter the required data.
  The table below lists the configuration settings for LDAP integration with an AS ABAP data source.

Configuration Settings for LDAP Integration

Setting	Description
LDAP Server ID	Select from the LDAP directory servers configured for directory service synchronization.
LDAP Server Password	Enter the password used by the communications user in the ABAP system for directory server. Choose the Refresh pushbutton to display the name of the user in the LDAP Server User field.
LDAP Logon Attribute	Indicates the mapped attribute set with the Filter indicator. You can enter a different directory attribute with the logon ID for users.

Setting

Description

LDAP Server ID

Select from the LDAP directory servers configured for directory service synchronization.

LDAP Server Password

Enter the password used by the communications user in the ABAP system for directory server. Choose the Refresh pushbutton to display the name of the user in the LDAP Server User field.

LDAP Logon Attribute

Indicates the mapped attribute set with the Filter indicator.

You can enter a different directory attribute with the logon ID for users.

Choose the Validate Configuration pushbutton.
If the test fails, check the connection parameters a try again.
Save your entries.

Restart the AS Java.

Result

The UME first checks in the directory service for the user, identifying the user by the logon attribute selected in the AS ABAP configuration for the directory service synchronization.

If the UME finds the user and successfully authenticates him or her, the UME compares the last modification date in the directory service and in the AS ABAP. If the dates differ, the UME triggers a synchronization of that user's data between the directory service and the AS ABAP.
If the UME cannot find the user in the directory service, it searches for the user in the user management of the AS ABAP and the database of the AS Java.

Flowchart of Logon Process