When you add an SAP NetWeaver Application Server (AS) ABAP system to your system landscape, you must decide whether you want to do the following:
● Add the system to Central User Administration (CUA)
● Use Lightweight Directory Access Protocol (LDAP) synchronization
You can do both. The following figure shows a number of ABAP systems in a CUA where the CUA central system is synchronized with an LDAP directory.
Figure: ABAP Systems in a CUA Landscape and Synchronized with an LDAP Directory
With CUA, you maintain user master records centrally in one system. Changes to user information are then automatically distributed to the child systems. The CUA provides you with an overview of all user data in the entire ABAP system landscape.
For more information, see Central User Administration.
The use of CUA is not a requirement, but it is designed to make the management of multiple ABAP systems easier. If a new ABAP system is not a child system of CUA, then you must manage the new system independently.
For more information, see User Administration.
You can read user information from an LDAP directory in your system landscape or provide user information to it. The direction of the synchronization depends on whether the LDAP directory or the ABAP system is the leading system for user data.
The user password is not transferred from the AS ABAP to the LDAP directory when the user data is synchronized. You can maintain user passwords in the following ways:
● Maintain passwords in both the CUA and the directory service.
● Using Single Sign-On (SSO) with an AS Java, you can avoid duplicate password maintenance altogether:
    ● Maintain passwords in the directory service.
    ● Configure the user management engine (UME) to support directory service synchronization with the AS ABAP.
    ● All systems must be configured to accept logon tickets.
  Users can now log on with the UME, are authenticated with the directory service, receive a logon ticket, and can then access all systems with SSO.
For more information, see Configuring the UME for Directory Service Sync with AS ABAP.
Users who log in to the ABAP system directly must maintain their passwords in both the LDAP and ABAP systems.
For more information, see Adding an AS Java System to Your System Landscape.
If you want to integrate a large number of ABAP systems, we recommend that you use CUA and synchronize the CUA central system with the LDAP directory. This way it is not necessary to synchronize each ABAP system separately. You can then distribute the synchronized data from the central system to the child systems and use the central system to manage the system-specific ABAP authorization role assignments.
For more information about LDAP synchronization, see Synchronization of SAP User Administration with an LDAP-Compatible Directory Service.