Configuring the UME to
Use an LDAP Directory as Data Source
Use
Use this procedure to configure the user management engine (UME) to use an LDAP directory as the data source.
Prerequisites
● More information: LDAP Directory as Data Source.
● This procedure requires you to restart the SAP NetWeaver Application Server (AS) Java. Plan for the required downtime while the AS Java restarts.
Procedure
...
1. Start the UME Configuration.
More information: Configuring User Management.
2. Choose the Modify Configuration pushbutton.
3. On the Data Sources tab page, select the data source that best matches your LDAP directory.
4. Choose the LDAP Server tab page, enter connection data as required.
The table below lists the settings for configuring the LDAP directory connection.
Settings for Configuring an LDAP Directory as Data Source
Setting |
Description |
Server Name |
Host name of the LDAP directory server. |
Server Port |
Port used by the LDAP directory. |
User |
Distinguished name (DN) of the user that is used to connect (bind) to the LDAP directory.
This user must have read and search permissions for all branches of the LDAP directory. If the UME requires write access, the user must have create and change authorizations.
cn=Directory Manager |
Password |
Password of the user (indicated above) that is used to connect (bind) to the LDAP directory. When you enter the password, user management configuration hides your input on the screen. |
User Path |
Distinguished name of the branch directory where information about users is stored. If you have a groups in a tree hierarchy, the User Path and Group Path values must be the same. More information: Organization of Users and Groups in LDAP Directory.
ou=CorporateUsers,c=us,o=mycompany |
Group Path |
Distinguished name of the branch directory where information about the groups is stored.
ou=CorporateGroups,c=us,o=mycompany |
Use SSL for LDAP Access |
This checkbox determines if the UME uses a Secure Sockets Layer (SSL) connection to the LDAP directory. |
Use Unique Attribute for UME Unique ID |
Select this checkbox to use a unique ID instead of a distinguished name to identify a user account. When LDAP attribute is used as the unique ID is defined in the data source configuration file and appears as the default value when you set this indicator. This enables you to physically move users in your LDAP directory structure and still be able to find them, because the user ID is based on the unique ID and not the distinguished name. See also SAP Note 777640. |
5. Choose the Validate Configuration pushbutton.
If the test fails, user management configuration displays the entry from the security log. The monitoring tools of your LDAP directory can also help you determine the cause of the problem. If necessary, go back and reenter the connection data and test the connection until you are successful.
6. Enter the rest of the data as required.
The table below lists the LDAP directory connection settings for the following:
○ LDAP connection pool
More information: UME Connection Pool for LDAP Directory.
○ LDAP cache
The UME uses the LDAP cache to optimize access to the LDAP directory server by caching things such as previous search results.
○ Blocked principals
○ Directory server access log
Additional Connection Settings for LDAP Directories
Setting |
Description |
Initial Size |
Minimum number of connections in the connection pool.
If set to 1, the connection pool never has less than one open connection. |
Maximum Idle Size |
Maximum number of idle connections in the connection pool. If the maximum number of idle connections is reached, the connection pool closes every incoming released connection. |
Maximum Size |
Maximum number of connections in the connection pool. |
Maximum Idle Time |
Maximum time in milliseconds for an idle connection in the connection pool. |
Connect Timeout |
Enter the number of milliseconds between connection requests sent from the UME to the LDAP directory server. By default the UME tries the connection twice. If the second attempt fails, the UME does one of the following: ● Attempts to connect to a redundant LDAP directory (if you configured for high availability, see below) ● Returns an error message that the LDAP directory cannot be reached. |
Monitoring Interval |
Enter a value larger than 999 to enable the directory server connection pool log. The monitoring interval is the interval in milliseconds at which the system records information. Any value less than 1000 disables logging. More information: Directory Server Connection Pool Log. |
Cache Size |
Number of cache entries saved. |
Cache Lifetime |
How long a search entry remains in the cache. |
Unique Name of Blocked Users |
Enter the unique names of users in the LDAP directory that the UME should ignore. If users exist in the LDAP directory and the AS Java database with the same unique name, use this setting to prevent the UME from finding these users in the LDAP directory. |
Unique Name of Blocked Groups |
Enter the unique names of groups in the LDAP directory that the UME should ignore.
The AS Java database includes a default group named everyone. If there is a group in the LDAP directory with the same name, enter everyone to prevent the UME from finding the group in the LDAP directory. |
Record LDAP Access |
Select this checkbox to enable the directory service access log. This log records LDAP requests and the response time. More information: Directory Server Access Log. |
7. Save your entries.
8. Restart the AS Java.
Result
The UME can access the LDAP directory. You can perform further configuration of the LDAP directory configuration, such as the following:
● Configuring High Availability of the LDAP Data Source
● Configuring attribute mapping for the data source configuration file
More information: Customizing a UME Data Source Configuration.
●
Configuring SSL
Between the UME and an LDAP Directory
We strongly recommend that you configure SSL between the UME and the LDAP directory. Some LDAP directories, such as Microsoft Active Directory Server, require an SSL connection if you want to create users on the LDAP directory.