Using an LDAP Directory Attribute as the ABAP User ID
If users have different user IDs in the portal and in ABAP systems, users and administrators can map each user's portal user ID to his or her ABAP user ID in an SAP reference system. Both user IDs are then included in the logon ticket, and users can use Single Sign-On (SSO) with logon tickets to access all ABAP systems in which they have the same user ID as in the SAP reference system.
By default, the mapped user ID is stored in the portal database. If you are using an LDAP directory as a data source, you can instead store the mapped user ID as a user attribute in the LDAP directory.
Storing the mapped user ID in the LDAP directory is useful in the following scenarios:
● You are using an LDAP directory as a data source for the User Management Engine (UME), and the user IDs for ABAP systems are already available in the LDAP directory. You no longer need to define a user mapping for each user, because the data is already in the LDAP directory.
● Users are synchronized to the LDAP directory from an existing ABAP system (with Central User Administration). The UME can then use the LDAP attribute for the ABAP user ID that was filled during user synchronization.

The LDAP object class that contains the attribute for the ABAP user ID must already be assigned to the user entries; otherwise the UME cannot save user mapping data for those users.
It is not possible to store the ABAP user IDs both in the database and in the LDAP directory. Administrators must choose one option.

The ABAP user IDs are stored in the LDAP directory in plain text. To prevent these IDs from being manipulated, make sure that no unauthorized users have write access to the LDAP directory, and in particular to the attribute containing the ABAP user ID.
If this attribute is manipulated, a user's logon ticket contains a different ABAP user ID. A malicious user who can write to the attribute could therefore gain access to ABAP systems as a different user, possibly one with more extensive authorizations in the ABAP system than the malicious user should have.
● You can use an existing attribute in your LDAP directory to store users' ABAP user IDs. This saves administrators and users from having to define a user mapping for each user.
● Users’ passwords for the ABAP system are not stored in the LDAP directory.
● If the UME has write access to the LDAP directory, users can enter or modify their own ABAP user ID, and administrators can enter or modify other users' ABAP user IDs, using the user mapping functions of the portal.
○ Users must always enter a password to validate their ABAP user ID. This password is not stored in the LDAP directory; it is used only to confirm that the user is entering a user ID with which he or she can actually log on to the ABAP system. This check applies only to entries made through the UME; a value written directly to the LDAP attribute is not validated.
○ Administrators can enter a password to validate their entries. The UME property ume.usermapping.admin.pwdprotection defines whether they must do so. By default, they must.

If the LDAP data source is read-only, the users already in the LDAP directory and their ABAP user IDs are read-only as well. Users created by the UME are stored in the database, and their attributes are writable even if some attribute types are otherwise stored in the LDAP directory.
By default, users' ABAP user IDs are not stored in the LDAP directory. To set up the UME to read ABAP user IDs from the LDAP directory, proceed as follows:
1. Modify your data source configuration file to include the attribute containing the ABAP user ID. This includes:
○ Defining that the logical attribute REFERENCE_SYSTEM_USER is stored in the LDAP data source
○ Defining the attribute mapping from the logical attribute REFERENCE_SYSTEM_USER to the physical attribute that actually stores the ABAP user ID in your LDAP directory
○ If necessary, declaring an additional object class containing the ABAP user ID attribute
For detailed instructions, see Adapting the Data Source Configuration File.
2. Change the following UME property using the procedure outlined in Editing UME Properties.
○ ume.usermapping.refsys.mapping.type = attribute
This property defines that the UME gets users’ ABAP user ID from the LDAP directory in the logical user attribute REFERENCE_SYSTEM_USER.
Optionally, you can also change the property ume.usermapping.admin.pwdprotection. This property defines whether administrators have to enter a password when they change a user’s user mapping data.
For more information about these properties, see User Mapping.
3. Define a SAP reference system for user mapping as described in Defining an SAP Reference System for User Data.
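The procedure above, as an added example that is not from the SAP documentation: fragments of a UME data source configuration file that declare the logical attribute REFERENCE_SYSTEM_USER as stored in the LDAP data source, map it to a physical attribute, and declare an auxiliary object class for it. The data source id CORP_LDAP, the server type MSADS with user object class user, the physical attribute sapUserId, the auxiliary object class sapUser, the namespace $usermapping$ and the property name ume.ldap.access.auxiliary.objectclass.user are assumptions made for this illustration; check them against Adapting the Data Source Configuration File and against your directory schema before using them.

```xml
<!-- Added example, not from the SAP documentation.
     Fragments of a UME data source configuration file showing only the parts
     that concern REFERENCE_SYSTEM_USER. Assumed names (adapt to your setup):
       data source id ......... CORP_LDAP
       directory type ......... MSADS, structural user object class "user"
       physical attribute ..... sapUserId   (holds the ABAP user ID)
       auxiliary object class . sapUser     (contains sapUserId)
       logical namespace ...... $usermapping$
     The same logical attribute must NOT also be declared in the database data
     source's <responsibleFor> block: the ABAP user ID can live in the database
     or in the directory, not in both. -->
<dataSources>
  <dataSource id="CORP_LDAP"
              className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
              isReadonly="false"
              isPrimary="true">

    <!-- Step 1, first bullet: the LDAP data source is responsible for
         (i.e. stores) the logical attribute REFERENCE_SYSTEM_USER. -->
    <responsibleFor>
      <principals>
        <principal type="user">
          <nameSpaces>
            <nameSpace name="$usermapping$">
              <attributes>
                <attribute name="REFERENCE_SYSTEM_USER"/>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
      </principals>
    </responsibleFor>

    <privateSection>
      <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
      <ume.ldap.access.user.object.class>user</ume.ldap.access.user.object.class>
      <!-- Step 1, third bullet (only needed when sapUserId is not part of the
           structural user object class). Property name is an assumption;
           verify it against your UME release. Every user entry must already
           carry this object class, or the UME cannot save the mapping. -->
      <ume.ldap.access.auxiliary.objectclass.user>sapUser</ume.ldap.access.auxiliary.objectclass.user>
    </privateSection>

    <!-- Step 1, second bullet: logical attribute -> physical attribute. -->
    <attributeMapping>
      <principals>
        <principal type="user">
          <nameSpaces>
            <nameSpace name="$usermapping$">
              <attributes>
                <attribute name="REFERENCE_SYSTEM_USER">
                  <physicalAttribute name="sapUserId"/>
                </attribute>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
      </principals>
    </attributeMapping>

  </dataSource>
</dataSources>
```

After activating the modified file, set ume.usermapping.refsys.mapping.type = attribute (step 2) and define the SAP reference system (step 3). Before the first logon with tickets, also confirm two things from the notes above: that every user entry already carries the object class holding sapUserId, and that the directory's access control grants write access on sapUserId only to the UME's bind account and to directory administrators. A user who can write his or her own sapUserId entry directly in the directory bypasses the password validation of the portal's user mapping function and receives a logon ticket for the ABAP user ID of his or her choice.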