topic Re: LDAP User sync problem in Application Development and Automation Discussions

LDAP User sync problem

Former Member — Mon, 03 May 2010 16:21:22 GMT

Hi,

I have configured LDAP on NetWeaver WebAs ABAP using LDAP transaction. It is working fine and I am able to sync users from Microsoft AD to SAP Database. But the problem is It is also synchronizing the terminated users from the company, which are not useful. We have 2 entries under base entry need to be synced excluding the terminated users. If I use base entry it taking all users instead I want to sync only users under those two DNs. Is there any way to do this?

One more Question is I have synchronized all users later I have mapped some fields. For new users I am getting the mapped field updates but not for the already synced users when I run the sync report. Can I update already synced user fields also or do I need to delete all users and start re-sync again?

Thanks,

Ajay.

Re: LDAP User sync problem

Former Member — Tue, 04 May 2010 08:55:18 GMT

Hi Ajay,

You can move the terminated user's to new OU in the active directory and eliminate the synchronization. That is the easiest way I see. If not, you need to customize the standard programs for validity date check and etc.

To forcibly update all users, use the option "Ignore time stamp" and run once. the normal job should be scheduled with "Compare time stamp" option under "Objects that exists both in SAP and Active directory"

Regards,

Gowrinadh

Re: LDAP User sync problem

Former Member — Tue, 04 May 2010 14:32:14 GMT

Hi Gowrinadh,

Thanks for the solution. With the "Ignore time stamp" option it has updated all the mapped fields.

For the 1st Question, Actually the terminated users are under special OU but the OU is under base entry. I have to create users under 2 OU's which are under base entry. Under one of them has required OU and terminated OU. As a Basis admin I cant create or change OU for terminated users. So is there any recommended way to achieve this?

One more Question, If you have configured LDAP on WebAS ABAP System same as me. It has not synced password from AD to SAP. For this what kind of setup you are using? like have you configured SNC with kerberos SSO or some other? Could you please explain your setup suits for this configuration?

Thanks,

Ajay.

Re: LDAP User sync problem

Former Member — Tue, 04 May 2010 14:52:53 GMT

Hi,

For the first question, I think the only option is to have new function module developed and use it in mappings. Or enhance the synchornization program according to your needs to verify the validity date in the active directory. I think enhancing the program looks simple.

And for passwords , SAP ABAP doesn't synchornize them. Hence we have implemented SNC and a third party tool (we are using heterogenous landscape) to make Kerbores work. Single sign on works simply fine and life is lot easier

Regards,

Gowrinadh

Re: LDAP User sync problem

Former Member — Wed, 05 May 2010 10:46:44 GMT

Hi Gowrinadh,

If you have any configuration doc for configuring Kerberos SNC, could you please provide? I could not find direct config steps with kerberos library. We have ABAP data source that all users are in ABAP stack synced from microsoft AD. Now we configure CUA here. Does SSO applicable here as you suggested?. How does SSO work here if we configure on JAVA stack (EP- Single sign on)?

Thanks,

Ajay.

Re: LDAP User sync problem

Former Member — Wed, 05 May 2010 12:22:09 GMT

Does your sap servers on windows environment? If so look for SNC document delivered by SAP in service market place. It has step by step procedure. I have just followed that.

If not, you need a third party tool, who will explain the configurations and setup. For more information on third party tools, refer SAP Ecohub. Just search snc or single sign on. You can also find many threads in SNC.

We are implementing the single sign on for EP, due to other problems we have been delayed. As a first step, we have changed UME pointers to Active directory.

Re: LDAP User sync problem

Former Member — Wed, 05 May 2010 13:38:13 GMT

Hi Gowrinadh,

Our SAP Servers running on Windows 2003 server OS. I have already searched SAP Market Place and got some PDFs/ SAP notes. They contain configuration about crypto library. Few I have got for kerberos also but they does not contain step by step procedure as you told. They making me confused with the steps.

If possible could you please paste the link/ URL of the SAP Market Place from where you have downloaded that doc? What is the name of the document you have followed?

Thanks,

Ajay.

Re: LDAP User sync problem

Former Member — Wed, 05 May 2010 14:59:11 GMT

https://websmp105.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000668333&;

use the above link, and select SNC user guide. if you can't access it directly. Follow the below procedure.

SAP NetWeaver -- SAP NetWeaver in Detail -- Security -- Security n Detail -- Secure User Access -- Authentication & Single Sign-On

In this guide look for section 4.8.1

Re: LDAP User sync problem

Former Member — Thu, 06 May 2010 09:37:50 GMT

Hi Gowrinadh,

Thanks for the link you have provided. I have already downloaded but confused from where to start. As of 4.8 section configuration seems simple but it has mentioned that "It does not provide mutual authentication, and it does not offer

data integrity or data privacy protection for the communication." Is this ok to configure this way?. Is kerberos and NTLM SSO both are same? or different?

We dont have SIDadm user on domain. It was local installation. can I use other domain user? or I have to create SIDadm on domain then start configuring?

After configuring do we need to go to all user work stations and configure front end and GUI? we also want SSO to many systems from GUI (not for single system). Does this work? If yes do we need to configure SNC on all SAP systems?

Please answer the above questions. These will help me decide further steps.

Thanks,

Ajay.

Re: LDAP User sync problem

tim_alsop — Thu, 06 May 2010 09:49:41 GMT


> Hi Gowrinadh,
I know you didn't address these questions to me, but I hope you don't mind me contributing anyway.
> 
> Thanks for the link you have provided. I have already downloaded but confused from where to start. As of 4.8 section configuration seems simple but it has mentioned that "It does not provide mutual authentication, and it does not offer
> data integrity or data privacy protection for the communication." Is this ok to configure this way?. Is kerberos and NTLM SSO both are same? or different?
Kerberos is more secure and uptodate, so you should use Kerberos instead of NTLM. I think NTLM will eventually be unsupported in Windows domains, since Kerberos is better and more strategic. When using Kerberos, you will get confidentiality and integrity checking if you use an appropriate SNC library.
> 
> We dont have SIDadm user on domain. It was local installation. can I use other domain user? or I have to create SIDadm on domain then start configuring?
The SAP SNC library for Windows requires the user that SAP is started as to be a domain user, so if you are running the SAP service as something different now, you would need to change to a domain account otherwise Kerberos will not work. This is because the SAP SNC library is using a user-to-user approach for GSS-API authentication. If you want to use a user-to-service approach, so that the SAP system does not need to be running as a domain user, you can use a third party SAP SNC library instead of the SNC library from SAP. 
> 
> After configuring do we need to go to all user work stations and configure front end  and GUI? we also want SSO to many systems from GUI (not for single system). Does this work? If yes do we need to configure SNC on all SAP systems?
You will need to install an SNC library on each workstation where SAP GUI is installed. The saplogon.ini file used by GUI will need to be configured with the SNC names of each SAP system that the user needs to logon to using SNC. Of course, you need to setup SNC on each SAP system first.
> 
> Please answer the above questions. These will help me decide further steps.
I hope I have been helpful.
> 
> Thanks,
> Ajay.

Re: LDAP User sync problem

Former Member — Thu, 06 May 2010 12:51:19 GMT

Hi Tim and Gowrinadh,

Thank you for providing me answers to my questions.

I have got a document to configure Kerberos SNC. Which seems to be simple than crypto SNC. Now I have a question regarding this. In the document he has mentioned like "Sapserv<x>" as below

"Copy the SAPSSO.MSI program from the sapserv<x> directory

general/R3Server/binaries/NT/W2K to a local directory

I have got the files individually from SAP notes. Does sapserv<x> mean to SAP Market Place?

Thanks,

Ajay.

Edited by: Ajay_Basis on May 6, 2010 5:42 PM

Re: LDAP User sync problem

Former Member — Fri, 07 May 2010 13:04:38 GMT

Hi Tim,

I need your help in this. I am configuring kerberos SNC on the same system on which I have configured Crypto SNC. I have cleared all env variables and PSEs every thing. Now I have started with Kerberos SNC.

We are on NetWeaver 7.0 System and my Active directory is on Windows 2008. My NetWeaver Installation was local. I got the same SAPServiceSID on the domain with same password and have added this user in local admin and SAP global admin groups.

copied gsskrb5.dll file in windows32 directory. Edited Instance profile as below

snc/enable = 1

snc/gssapi_lib =<DRIVE>:\%windir%\system32\gsskrb5.dll

snc/identity/as =p:<SAP_Service_User>@<DOMAIN_NAME>

Now when I started SAP it giving error like below in dev_w0 file with dialogue info unavailable and disp+work dies.

The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N SncInit(): found snc/identity/as=p:SAPServiceSID@DOMAIN

*N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]*

N GSS-API(maj): No valid credentials provided (or available)

N GSS-API(min): SSPI u2u-problem: please add Service principal for own account

N Could't acquire ACCEPTING credentials for

N name="p:SAPServiceSID@DOMAIN"

I have tried below options for snc/identify/as parameter.

p:DOMAIN\SAPServiceNW3

p:SAPServiceSIDatDOMAIN.NET

p:SAPServiceSID@DOMAIN

But getting same error. Please suggest.

Thanks,

Ajay.

Re: LDAP User sync problem

tim_alsop — Fri, 07 May 2010 15:25:31 GMT

Ajay,

The answers is in the error message: please add Service principal for own account

This means that you are trying to get SAP to authenticate as a different user. The user which SAP is running under when started is not same as the user you are using in the snc/identify/as parameter. The user must be same an it must be a domain user. if you are starting SAP as a service, you need to check the service properties to find the user id which SAP is started as. Is this a domain user ?

Thanks,

Tim

Re: LDAP User sync problem

Former Member — Sat, 08 May 2010 16:47:44 GMT

Hi Tim,

As you told "you need to check the service properties to find the user id which SAP is started as" could you please explain how can I check that? you mean under administritave tasks-> services? If yes. I have changed it to domain user.

One more thing as I mentioned before that Our NetWeaver system was local installation and now I have created a user as SAPServiceSID same as NetWeaver user on domain with the help of IT team. Now I have changed under services in the sap service log on as to "DOMAIN\SAPServiceSID" and I have also added this user in the Administrators, SAP local and global admins groups then started SAP. Still I was getting error. Do I need to perform any thing else?

I did not performed set SPN (Service principle name) step. Is this compulsory? The guide doesn't contain this step. Please help.

Thanks,

Ajay.

Re: LDAP User sync problem

tim_alsop — Sun, 09 May 2010 09:04:35 GMT

Ajay,

I would love to help you, if I could. The reason I cannot is that you are trying to use a solution provided by SAP which is competitive with products from my company, and clearly not very well supported by SAP ... So, I hope you can get help from somebody else, or contact me again if you want to consider an alternative.

Thanks,

Tim