
Example: Configuration of Multiple LDAP Data Sources

Denise DeLassandros has user data distributed across several directory services (LDAP directories). Her company’s employees are in one directory service, and the company’s customers and suppliers are in another directory service. She wants to configure the User Management Engine (UME) to read and write data from more than one directory service. Denise configures the UME to search for user data in both directories.

Caution

The configuration must not allow a user or other principal to be created on two separate data sources. In other words, only one data source can be the home data source for a user or other principal.

Do not use the configuration described here to configure high-availability. For more information about high-availability, see Configuring High Availability of the LDAP Data Source.

The following restrictions apply:

        Users’ logon IDs must be unique across all directory services.

        The groups to which a user belongs must be in the same directory service as the user or in the database of the SAP NetWeaver Application Server (AS) Java.


For each directory service, Denise must create a separate data source entry in the data source configuration file.

In the private section of each data source, she defines the following properties:

      ume.ldap.access.server_type

      ume.ldap.access.server_name

      ume.ldap.access.server_port

      ume.ldap.access.user

      ume.ldap.access.password

      ume.ldap.access.base_path.user

      ume.ldap.access.base_path.grup

To prevent passwords from appearing in plain text in the data source configuration file, Denise enters a reference to the UME property that holds the password for the target directory service instead of the password itself. The UME supports up to five directory services configured this way, using the following properties:

      ume.ldap.access.additional_password.1

      ume.ldap.access.additional_password.2

      ume.ldap.access.additional_password.3

      ume.ldap.access.additional_password.4

      ume.ldap.access.additional_password.5

Denise enters the passwords for the directory services in the UME properties, and in the data source configuration file she adds a reference to the UME property containing the password under ume.ldap.access.password.

Example

For example, Denise enters a password for the second directory service data source in the UME property ume.ldap.access.additional_password.2. In the data source configuration file, in the private section for that directory service data source, she enters a reference to the property as follows:

<ume.ldap.access.password>
    $ume.ldap.access.additional_password.2
</ume.ldap.access.password>

Always precede the UME property name with a dollar sign ($).

Example

<dataSources>
    …
    <dataSource id="CORP_LDAP2"
                className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
                isReadonly="true"
                isPrimary="true">
        …
        <privateSection>
            …
            <ume.ldap.access.server_type>NOVELL</ume.ldap.access.server_type>
            <ume.ldap.access.server_name>p11111</ume.ldap.access.server_name>
            <ume.ldap.access.server_port>390</ume.ldap.access.server_port>
            <ume.ldap.access.ssl>false</ume.ldap.access.ssl>
            <ume.ldap.access.user>cn=admin,o=ume</ume.ldap.access.user>
            <ume.ldap.access.password>$ume.ldap.access.additional_password.1</ume.ldap.access.password>
            <ume.ldap.access.base_path.user>o=ume</ume.ldap.access.base_path.user>
            <ume.ldap.access.base_path.grup>o=ume</ume.ldap.access.base_path.grup>
        </privateSection>
    </dataSource>

    <dataSource id="CORP_LDAP"
                className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
                isReadonly="true"
                isPrimary="true">
        …
        <privateSection>
            …
            <ume.ldap.access.server_type>SUN</ume.ldap.access.server_type>
            <ume.ldap.access.server_name>p22222</ume.ldap.access.server_name>
            <ume.ldap.access.server_port>400</ume.ldap.access.server_port>
            <ume.ldap.access.ssl>false</ume.ldap.access.ssl>
            <ume.ldap.access.user>cn=Directory Manager</ume.ldap.access.user>
            <ume.ldap.access.password>$ume.ldap.access.additional_password.2</ume.ldap.access.password>
            <ume.ldap.access.base_path.user>dc=ume.wdf.sap.corp</ume.ldap.access.base_path.user>
            <ume.ldap.access.base_path.grup>dc=ume.wdf.sap.corp</ume.ldap.access.base_path.grup>
        </privateSection>
    </dataSource>
</dataSources>
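The following script is an added example, not part of the SAP Library page and not SAP code. It reads a data source configuration file of the shape shown above and checks the two things this page requires of each LDAP data source: that the private section defines all seven mandatory properties, and that ume.ldap.access.password is a $ reference to one of the five ume.ldap.access.additional_password.N properties rather than a literal password. It also flags duplicate dataSource ids. The host names, ports and password values in the sample configurations are constructed for the example; the element and attribute names are the ones the page uses.

```python
import xml.etree.ElementTree as ET

# Properties the page lists as mandatory in every LDAP data source's privateSection.
REQUIRED_PROPERTIES = (
    "ume.ldap.access.server_type",
    "ume.ldap.access.server_name",
    "ume.ldap.access.server_port",
    "ume.ldap.access.user",
    "ume.ldap.access.password",
    "ume.ldap.access.base_path.user",
    "ume.ldap.access.base_path.grup",
)

# The five UME properties that may hold a directory-service password.
PASSWORD_HOLDERS = frozenset(
    "ume.ldap.access.additional_password.%d" % n for n in range(1, 6)
)

LDAP_CLASS = "com.sap.security.core.persistence.datasource.imp.LDAPPersistence"


def check_data_sources(xml_text):
    """Return a list of findings; an empty list means the file passes every check."""
    findings = []
    seen_ids = set()
    root = ET.fromstring(xml_text)
    for ds in root.iter("dataSource"):
        ds_id = ds.get("id", "<missing id>")
        if ds_id in seen_ids:
            findings.append("%s: duplicate dataSource id" % ds_id)
        seen_ids.add(ds_id)
        if ds.get("className") != LDAP_CLASS:
            continue  # e.g. the AS Java database data source carries no LDAP properties
        private = ds.find("privateSection")
        if private is None:
            findings.append("%s: no privateSection" % ds_id)
            continue
        # Compare tag names directly: the property names contain dots.
        props = {child.tag: (child.text or "").strip() for child in private}
        for name in REQUIRED_PROPERTIES:
            if name not in props:
                findings.append("%s: missing %s" % (ds_id, name))
        password = props.get("ume.ldap.access.password")
        if password is None:
            continue
        if not password.startswith("$"):
            # A plain-text password in the file is exactly what the $ convention avoids.
            findings.append(
                "%s: ume.ldap.access.password is a literal value, not a $ reference" % ds_id
            )
        elif password[1:] not in PASSWORD_HOLDERS:
            findings.append(
                "%s: %s is not one of the five additional_password properties"
                % (ds_id, password)
            )
    return findings


def ldap_data_source(ds_id, password_value, group_base="o=ume"):
    """Build one LDAP dataSource element with constructed sample values (not SAP's)."""
    group_line = (
        "<ume.ldap.access.base_path.grup>%s</ume.ldap.access.base_path.grup>" % group_base
        if group_base else ""
    )
    return """<dataSource id="%s"
            className="%s"
            isReadonly="true" isPrimary="true">
    <privateSection>
        <ume.ldap.access.server_type>NOVELL</ume.ldap.access.server_type>
        <ume.ldap.access.server_name>ldap.example.test</ume.ldap.access.server_name>
        <ume.ldap.access.server_port>636</ume.ldap.access.server_port>
        <ume.ldap.access.ssl>true</ume.ldap.access.ssl>
        <ume.ldap.access.user>cn=admin,o=ume</ume.ldap.access.user>
        <ume.ldap.access.password>%s</ume.ldap.access.password>
        <ume.ldap.access.base_path.user>o=ume</ume.ldap.access.base_path.user>
        %s
    </privateSection>
</dataSource>""" % (ds_id, LDAP_CLASS, password_value, group_line)


# Constructed sample: two data sources that follow the page's rules.
GOOD_CONFIG = "<dataSources>%s%s</dataSources>" % (
    ldap_data_source("CORP_LDAP2", "$ume.ldap.access.additional_password.1"),
    ldap_data_source("CORP_LDAP", "$ume.ldap.access.additional_password.2"),
)

# Constructed sample: a literal password plus a missing group base path,
# and a reference to a password property the UME does not provide.
BAD_CONFIG = "<dataSources>%s%s</dataSources>" % (
    ldap_data_source("CORP_LDAP", "NotSoSecret1", group_base=None),
    ldap_data_source("CORP_LDAP3", "$ume.ldap.access.additional_password.7"),
)

if __name__ == "__main__":
    for finding in check_data_sources(BAD_CONFIG):
        print(finding)
```

Run it against an exported data source configuration file by passing the file's contents to check_data_sources; the findings name the dataSource id and the property concerned, so a literal password can be replaced by a $ reference before the file is activated.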
