
Configuring the UME when Using ADS Data Sources for Kerberos

Use

The configuration steps for the ADS data source of the user management engine (UME) vary depending on the user resolution mode that the UME uses to resolve the user account in the ADS.

The configuration below covers the case in which a single ADS data source is used. If the UME uses multiple ADS data sources, apply the configuration described in this topic to every ADS data source configured in the UME. If the data sources are not mutually trusted within a directory forest, you can create a separate Kerberos configuration for each data source and provide a separate logon URL for each ADS domain.

For more information, see Configuring the UME to Use an LDAP Directory as Data Source.

Procedure

1. Use the service user name and password that you created for the AS Java on the ADS to connect the AS Java to the ADS data source.

2. For the user resolution mode that you use, create and map the necessary user attributes in the UME data source configuration XML for ADS, as shown below. For more information, see Customizing UME Data Source Configuration.

   User Resolution Mode None

   a. You can use this mode only if the user's logon ID corresponds to the KPN. In this case no customization is necessary. If the logon ID corresponds to the samaccountname attribute in the Active Directory, use resolution mode simple or resolution mode prefixbased instead.

   User Resolution Mode Simple

   a. Define a UME attribute krb5principalname in the responsibleFor section of the UME data source configuration file.

   b. Map the attribute krb5principalname to the physical attribute userprincipalname in the UME data source configuration file.

Caution

Use this mode only if the User Principal Name (UPN) is the same as the Kerberos Principal Name (KPN).

   User Resolution Mode Prefixbased

   a. Define the attributes kpnprefix, krb5principalname and dn in the responsibleFor section of the UME data source configuration file.

   b. In the UME data source configuration file, map the attributes to physical attributes as follows:

      i. Map kpnprefix to the physical attribute samaccountname.

      ii. Map krb5principalname to the physical attribute userprincipalname.

      iii. Map dn to the physical attribute distinguishedname.

We recommend that you use resolution mode prefixbased when the UME is configured to use ADS data sources.

Example


1. Defining attributes in the responsibleFor section of the UME data source configuration file:

     <responsibleFor>
        ...
        <principal type="user">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <attribute name="firstname" populateInitially="true"/>
                ...
                <!-- logical attributes required for resolution mode prefixbased -->
                <attribute name="kpnprefix"/>
                <attribute name="krb5principalname"/>
                <attribute name="dn"/>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
        ...
     </responsibleFor>

2. Mapping the already defined attributes to the corresponding physical attributes:

     <attributeMapping>
       <principals>
         <principal type="account">
           <nameSpaces>
             ...
           </nameSpaces>
         </principal>
         <principal type="user">
           <nameSpaces>
             <nameSpace name="com.sap.security.core.usermanagement">
               <attributes>
                 <attribute name="firstname">
                   <physicalAttribute name="givenname"/>
                 </attribute>
                 ...
                 <!-- logical attribute -> physical ADS attribute for resolution mode prefixbased -->
                 <attribute name="kpnprefix">
                   <physicalAttribute name="samaccountname"/>
                 </attribute>
                 <attribute name="krb5principalname">
                   <physicalAttribute name="userprincipalname"/>
                 </attribute>
                 <attribute name="dn">
                   <physicalAttribute name="distinguishedname"/>
                 </attribute>
               </attributes>
             </nameSpace>
           </nameSpaces>
         </principal>
       </principals>
     </attributeMapping>
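The following Python script is an added example and is not part of this SAP topic or of the UME itself. It parses a data source configuration of the shape shown above and reports, for a chosen user resolution mode (none, simple or prefixbased), whether every required logical attribute is both declared in the responsibleFor section and mapped to the expected physical ADS attribute in the attributeMapping section. The embedded sample XML is constructed from the fragments in this topic; the `<principals>` wrapper under responsibleFor and the `dataSourceConfiguration` root element are assumptions, and the parser does not depend on them.

```python
"""Check a UME ADS data source configuration for the attributes that a
Kerberos user resolution mode requires (added example, not SAP code)."""
import xml.etree.ElementTree as ET

UME_NS = "com.sap.security.core.usermanagement"

# Logical UME attribute -> expected physical ADS attribute, per resolution mode,
# as listed in the procedure above. Mode "none" needs no customization.
REQUIRED = {
    "none": {},
    "simple": {"krb5principalname": "userprincipalname"},
    "prefixbased": {
        "kpnprefix": "samaccountname",
        "krb5principalname": "userprincipalname",
        "dn": "distinguishedname",
    },
}

# Constructed sample config built from the fragments in this topic.
# The <principals> wrapper under responsibleFor and the root element name
# are assumptions; the lookup below works with or without the wrapper.
SAMPLE_CONFIG = """<dataSourceConfiguration>
  <responsibleFor>
    <principals>
      <principal type="user">
        <nameSpaces>
          <nameSpace name="com.sap.security.core.usermanagement">
            <attributes>
              <attribute name="firstname" populateInitially="true"/>
              <attribute name="kpnprefix"/>
              <attribute name="krb5principalname"/>
              <attribute name="dn"/>
            </attributes>
          </nameSpace>
        </nameSpaces>
      </principal>
    </principals>
  </responsibleFor>
  <attributeMapping>
    <principals>
      <principal type="user">
        <nameSpaces>
          <nameSpace name="com.sap.security.core.usermanagement">
            <attributes>
              <attribute name="firstname"><physicalAttribute name="givenname"/></attribute>
              <attribute name="kpnprefix"><physicalAttribute name="samaccountname"/></attribute>
              <attribute name="krb5principalname"><physicalAttribute name="userprincipalname"/></attribute>
              <attribute name="dn"><physicalAttribute name="distinguishedname"/></attribute>
            </attributes>
          </nameSpace>
        </nameSpaces>
      </principal>
    </principals>
  </attributeMapping>
</dataSourceConfiguration>"""


def _user_namespace(root, section):
    """Return the UME <nameSpace> for user principals inside a top-level section."""
    sec = root.find(section)
    if sec is None:
        return None
    principal = sec.find(".//principal[@type='user']")
    if principal is None:
        return None
    return principal.find(f"nameSpaces/nameSpace[@name='{UME_NS}']")


def declared_attributes(root):
    """Logical attribute names declared for users in responsibleFor."""
    ns = _user_namespace(root, "responsibleFor")
    if ns is None:
        return set()
    return {a.get("name") for a in ns.findall("attributes/attribute")}


def attribute_mapping(root):
    """Logical -> physical attribute names from attributeMapping for users.
    ADS attribute names are case-insensitive, so they are lower-cased."""
    ns = _user_namespace(root, "attributeMapping")
    mapping = {}
    if ns is None:
        return mapping
    for attr in ns.findall("attributes/attribute"):
        phys = attr.find("physicalAttribute")
        if phys is not None:
            mapping[attr.get("name")] = phys.get("name").lower()
    return mapping


def check_resolution_mode(config_xml, mode):
    """Return a list of problems; an empty list means the config supports the mode."""
    root = ET.fromstring(config_xml)
    declared = declared_attributes(root)
    mapping = attribute_mapping(root)
    problems = []
    for logical, physical in REQUIRED[mode].items():
        if logical not in declared:
            problems.append(f"{logical} missing from responsibleFor")
        if logical not in mapping:
            problems.append(f"{logical} not mapped in attributeMapping")
        elif mapping[logical] != physical:
            problems.append(f"{logical} mapped to {mapping[logical]}, expected {physical}")
    return problems


if __name__ == "__main__":
    for mode in REQUIRED:
        print(mode, check_resolution_mode(SAMPLE_CONFIG, mode) or "ok")
```

To check a real file, read its contents into a string and pass it to `check_resolution_mode` with the mode configured for the UME; the check is deliberately limited to the user principal namespace shown in this topic and ignores the account principal.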
