topic Re: Config UME with ABAP+LDAP datasource in Application Development and Automation Discussions

Config UME with ABAP+LDAP datasource

Former Member — Sun, 30 Jul 2006 11:07:41 GMT

Hi all,

We are implementing an EP installation. We want to reuse the abap role assignment for the portal roles and we require a SSO solution based on SPNego.

Now we can implement each on it's own fine. The question is how we can connect the ume to use both abap and ldap datasource. I opened an OSS about it and they said it's possible, supported but I'm on my own when it comes to implementing it (or consulting offcourse).

Anyone had experience with this configuration or can provide me with the datasource schema file?

Thank in advance,

Eric

Re: Config UME with ABAP+LDAP datasource

MichaelShea — Mon, 31 Jul 2006 07:11:35 GMT

Eric,

My understanding is that SAP does not currently support simultaneous ABAP and LDAP data sources. What SAP does support is an ABAP backend with LDAP synchronization:

http://help.sap.com/saphelp_nw04s/helpdata/en/0c/632441cd87a12be10000000a1550b0/frameset.htm

I do not think that helps you with your authentication problem though.

Would importing the ABAP roles into the portal help?

http://help.sap.com/saphelp_nw04s/helpdata/en/0c/632441cd87a12be10000000a1550b0/frameset.htm

-Michael

Re: Config UME with ABAP+LDAP datasource

Former Member — Mon, 31 Jul 2006 09:50:24 GMT

Hi Michael,

According to an OSS message I opened, this is indeed possible and similar scenarious are even described in the ADM200 course.

Imporitng roles into the portal is no good for me since I need the users which are assigned to these roles and not the name of the roles. This must be dynamic and not batched.

Eric

Re: Config UME with ABAP+LDAP datasource

Former Member — Thu, 11 Jan 2007 20:38:32 GMT

Hi Eric,

As Michael replied such configuration is not supported by SAP at the moment. You should be able to achieve that though, by doing the following:

customization of the datasource xml file that you use, adding two datasources: ldap and abap. You can achieve that by using the provided templates, i.e. copy and paste from dataSourceConfiguration_abap.xml and dataSourceConfiguration_[your ldap server].xml the relevant datasource sections.

Configure UME to use that customized xml file

Configure the LDAP connection configuration in the private section of the LDAP datasource as explained here:

http://help.sap.com/saphelp_nw2004s/helpdata/en/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm

Configure the ABAP connection as explained here:

http://help.sap.com/saphelp_nw2004s/helpdata/en/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm

After that restart and you should be able to use the two systems as user stores.

Let me remind you again that this is not supported by SAP that is why you should do that configuration on your own risk.

Cheers,

Ilian

Re: Config UME with ABAP+LDAP datasource

Former Member — Fri, 12 Jan 2007 05:39:46 GMT

Please do the below setting for LDAP and ABAP

<b>LDAP settings (only when ldap persistence is used)</b>

ume.ldap.access.server_name : /H/sapgate1.wdf.sap.corp/S/3299/H/p102397.ume.wdf.sap.corp

ume.ldap.access.server_port : 389

ume.ldap.access.user : cn=administrator, cn=users, dc=ume, dc=wdf, dc=sap, dc=corp

ume.ldap.access.password : admin

ume.ldap.access.base_path.user : DC=ume, DC=wdf, DC=sap, DC=corp

Ume.ldap.access.base_path.grup : dc=ume, dc=wdf, dc=sap, dc=corp

<b>Abap Settings (only when Abap Persistence is used)</b>

1. Take one ABAP system: Ex: System Name: B4T, Client Num: 000

2. Login with user, who has admin rights.

3. Create user “J2EE_ADMIN” using “SU01” transaction.

4. Assign role “SAP_J2EE_ADMIN” (note: assign all roles).

5. Create user “J2EE_GUEST” using “SU01” transaction.

6. Assign role “SAP_J2EE_GUEST”.

7. Create communication user “COMUSER” using “SU01” transaction; usertype: communications.

8. Assign role” SAP_BC_JSF_COMMUNICATION”.

ume.persistance.data_source_configuration: dataSouceConfiguration_abap.xml

r3.connection.master.ashost /H/sapgate1.wdf.sap.corp/S/3299/H/ls4079

r3.connection.master.client : 000

r3.connection.master.sysnr : 09

r3.connection.master.user : comuser (the sapjsf or communication user which we created in backend system)

r3.connection.master.password : test (it is the password of the com user which is in the backend system)

Re: Config UME with ABAP+LDAP datasource

HuseyinBilgen — Wed, 15 Aug 2007 13:36:21 GMT

Hi Eric,

If you want, I can give an example Schema content that I'm using

Re: Config UME with ABAP+LDAP datasource

edgar_humann — Thu, 07 Feb 2008 11:55:37 GMT

Hi Hussein Bilgen,

I´m concerned with the same problem (UME-Source = ABAP ; SSO via ADS-LDAP with SPNEGO).

Can you send me the example schema?

Or is there in the meantime a solution provided by SAP?

Edgar

Re: Config UME with ABAP+LDAP datasource

tim_alsop — Thu, 07 Feb 2008 12:12:08 GMT

Hi,

I appologise in advance for this being a bit of s vendor sales pitch, but I think it is important and useful to many people who have posted in this thread.

My company has a product which implements Integrated Windows Authenticaiton using SPNEGO protocol, but our product does not requrie any changes to data source. The product also uses C based Kerberos libraries rather than the somewhat dated Kerberos protocol support in Java SDK which is used by SAP SPNEGO login module. We can support any configuration of datasource required, so are not dependant on UME LDAP configuration. As far as I am aware the reason why SAP SPNEGO login module uses UME and LDAP data source is so it can determine the SAP user id after the user has been authenticated using Kerberos credentials. Our product uses a different approach - we map the principal/account name of the authenticated user onto a SAP id using one of many methods. At moment latest version of our product supports 2 methods of mapping, and we plan to add more. The 2 mapping methods are described below:

1. If user has authenticated as username@REALM we assume that their SAP user name = USERNAME (e.g. username converted to upper case). This method seems to be ok for many SAP customers.

2. If user has authenticated as username@REALM we look in USRACL table on ABAP system for a match, and if we find one we will know the SAP user id to use when creating the SSO2 ticket. This method of mapping is suited to customers who are also using SAP GUI SNC SSO and are therefore already maintaining the USRACL table mapping via SU01 t-code on ABAP system.

I appreciate that this is vendor specific and not describing a SAP solution, but it is clear from this thread that people are trying to make SAP product do things it cannot - this is why vendors like us develop such solutions so we can fill the gaps

If you need any more info on our product, please contact me using the email address in my SDN business card.

Thanks,

Tim

Re: Config UME with ABAP+LDAP datasource

Former Member — Tue, 03 Jun 2008 08:41:34 GMT

Hi Edgar Hussmann

We have exactly the same problem, also opened an OSS call without satisfying result (SAP´d only tried to sell their consulting).

[/thread/897899 ;

Did you manage to get your scenario running? Can you provide us your ume-xml as an example?

Sincerely, Simon

Re: Config UME with ABAP+LDAP datasource

Former Member — Tue, 03 Jun 2008 20:30:43 GMT

Try the following:

1. Download the SPNegoWizard_645.zip (for 7.0) SPNegoWizard_640 (for 6.40)from SAP Note 994791 and unzip it.

2. Adjust the user running the SAP system in Active Directory

3. Copy the EAR and XML Files from the SPNegoWizard.ZIP file to a temporary directory on the server.

4. Open up the Visual Administrator. Logon with the admin ID.

5. SID ->Server -> Services -> Deploy

6. Open the Config Tool. (Yes to using DB settings)

7. Select UME LDAP Data

8. Browse to the XML file you copied earlier. (dataSourceConfiguration_ads_readonly_db_with_krb5.xml)

Click the upload button.

9. Select the Configuration file you just uploaded. Click OK on the Warning message.

10. Setup the Connection details as specified below:

Server Name: xxxxxx

Server Port: xxxxxxx

User: SAPService<SID>@domain.com

Password: xxxxxx

Use UME unique id with unique LDAP attribute (checked): samaccountname

User Path: dc=<domain>,dc=com

Group Path: ou=xxxxxx,ou=xxxx,dc=xxxx,dc=xxxx

11. Click the Test Connection button you should see:

Click Close when done.

12. Click the Test Authentication button, enter NT user ID and NT password, and click the authenticate button and you should get a success message:

13. Select cluster-data  Global Server Configuration  services  com.sap.security.core.ume.service

14. Edit the ume.admin.addattrs.

Add the values: krb5principalname;kpnprefix;dn

Click the Set button.

15. Click the Save button or File -> Apply.

16. Close the Config tool and restart the JAVA engine.

17. After the engine is restarted, continue on with the Kerberos configuration.

18. Open up the SP Nego Wizard by going to the following URL: http://<server>:<port>/spnego

19. Logon with the Administrator user ID.

20. Select the check boxes for the u201CService user is created and configured in Active Directoryu201D and u201CUME configuration includes SPNego specific settingsu201D

Click the Next button

21. Click the Add Kerberos Realm button and enter your domain name (e.g. company.com)

22. For the Realm Configurationu2019s KDCs (Key Distribution Centers) put in <KDC host> and 88 for the port (the port should already be filled in.

23. In the KPN (Kerberos Principal Name) section enter the Service User Name & Password.

Service User: SAPService<SID>

Password: xxxx

Leave LDAP Host - blank

24. Click the Next button

25. Select Prefix Based for the Resolution Mode and Click Next

26. In Policy Configuration we want to create a new policy called spnego. Tick Basic password Fallback (when SSO do not work) and tick SSO with Logon Tickets. Click the Next button.

27. Click Finish on the Confirmation screen.

28. Close the browser and restart the engine.

29. After the engine has finished restarting, continue with the final steps.

30. Open up the Visual Administrator. Logon as the Administrator ID.

31. SID  Server  Services  Security Provider

32. Go into change mode by clicking the change button.

33. On the Runtime tab  Policy Configurations tab  Select ticket from the Components list.

34. On the Authentication tab for the ticket component  select Authentication Template: spnego

35. Now go to the useradmin service (http://<server>:<port>/useradmin) to test the Kerberos SSO. You should get signed on without entering a user name or password.

You are done!

Re: Config UME with ABAP+LDAP datasource

Former Member — Wed, 04 Jun 2008 07:26:00 GMT

Hi Ankur Agrawal

Thank you for this guide. I´d like to be shure about the following criterias before implementing this:

- Roles from the ABAP Backend will still be converted into Portal Roles automatically, similar to the scenario when we configure the ABAP Backend as UME-Datasource

- User can have similar or different userid´s on the DataSources (Mapping required if they are different)

I really doubt about the rolles beeing loaded automatically. Do you know this?

Sincerely, Simon