on 2008 Apr 22 8:30 PM
Hi,
We currently have 3 separate LDAP domain datasources configured in our custom UME XML file for our SAP portal. There is an upcoming need for 2 additional domains, which will put us to the maximum of 5 allowed according to a few OSS notes.
Has anyone had to deal with this limitation? Is it a real hard limitation or a suggested limit by SAP? Is SAP planning on increasing this maximum? What are other folks doing to get around this limitation?
I would think in today's environment of increased M&A activity someone else out there has a need to service more than 5 domains with one portal.
Thanks,
Ashley Williams
You might be able to get around this kind of issue with a virtual directory server. SAP NetWeaver Identity Management has such a product.
-Michael
Yeah I realize we could solve this by adding another layer in between the portal and our MSAD domains, however there are several complexities with our setup that make that an undesirable choice.
What I'm really trying to figure out in this thread is if anyone has ever tried to set up more than 5 data sources. Upon further investigation I found a How-to guide on the SDN for configuring UME for multiple LDAP data sources, and in that document it says it is only 'recommended' not to use more than 5 due to performance issues with search operations within the UME.
I'm assuming this would only affect performance of user/group/role searching via the user administration role. If that is the case we have no problem configuring more data sources.
SAP didn't seem willing to answer if this 5 data source limitation was 'soft' or 'hard' in an OSS message, so I'm trying to get more information here.
Thanks,
Ashley
Hi Ashley,
It is not just a performance issue, but a security issue as well. The communication user password is stored in a UME property, ume.ldap.access.additional_password1-5. Otherwise you end up including this password along with the user ID in the data source configuration file in plain text. See the following:
http://help.sap.com/saphelp_nw04s/helpdata/en/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm
-Michael
You are correct about that, and we were aware of that. However, in our situation all the 6+ domains would be in the 2 forests, and therefore you can use the same bind user within each forest so only one password needs to be stored per forest. The bind user we use has read access to all domains in the forest.
Since I am also SAP, I can hardly contradict my fellow coworkers. I would guess that SAP does not want to create an infinite number of password properties, hence the limit (not that it impacts you as you pointed out). As far as performance issues go, I would bet that performance plays a role, too. Add to that, the more LDAPs you add, the greater the chance you have for collisions. I can only suggest that you try it out and see what results you get.
-Michael