Authentication for multiple AD domains

Former Member

Hello,

Currently we have MS AD datasource as UME for all our internal portal users. We also have SPNego set up for authentication for our EP 7.0. The user path and group path is of the form dc=dom1,dc=company,dc=domain,dc=com.

Now we are planning to add additional domains to authenticate users .

Will the configuration differ if they are maintained on a different ldap server altogether or when only the user and group paths are different for the new domains as shown below? The user path and group path is of the form dc=dom2,dc=company,dc=domain,dc=com and

dc=dom3,dc=company,dc=domain,dc=com.

It seems that we have to change the datasource file for the additional LDAP scenario. But are both of these the same? Would appreciate it if someone could clarify this.

Rgds

Accepted Solutions (1)

Former Member

This should help:

[SAP Note 762419|https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/oss_notes/sdn_oss_bc_jas/~form/handler]

If the user and group path are the same, you can use option 1. But option 1 is read-only. If the user and group path are different, use option 2. Option 2 also allows write back to AD.

Former Member

Hi Andrew,

Thanks a lot for replying. This was the note I was referring to.

But we currently have 3268 as our LDAP port, which I believe is the port for the global catalogue. Will this be a problem?

I also read somewhere that group-to-role assignments and KM authorization could all get affected when we change the unique name attribute for the datasource file (which would be required). Is this so? And we are yet to confirm which option is to be followed for the multiple domains.

Rgds

Former Member

We implemented Option 1 and are using port 3268.

We have not changed the unique name of the datasource, as we implemented this option from the beginning, but it makes sense that it would affect EP. For KM permissions, we found out the hard way that the datasource is not part of the user group.

We have user groups with the same name in all three of our domains. We were able to successfully assign 1, 2, or all user groups with the same name to a role in EP. However, we cannot assign any user group with the same name to a KM permission. That tells me that KM is not distinguishing the user groups by datasource. By the way, we got around this issue by creating a simple role in the UME and assigning the user groups to it. Then we could assign the simple role in KM.

As for the changing datasource names, can you just add new datasources without changing the original datasource name?

Former Member

Hello Andrew,

Thanks a lot for your support .

We are thinking of going for the same datasource file with multiple information, similar to your opinion. But it seems there is no specific data source file available for the second LDAP server?

Also, would this in any way affect the current SPNego configuration set up for users in our first domain? As of now we won't be going for SPNego for all domains, but just want to continue with it for the single domain while authenticating from multiple ones.

Could you let me know what you think of this.

Rgds

Former Member

Vineeth,

Within the one file, you can set up n-number of datasources. Below is an example.

As for having SPNego work for only 1 of those datasources (AD domains), I can't say if that will work. We have SPNego working for all our domains. There is probably something you can do within AD or your domain controller to limit Kerberos authentication.


<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<!DOCTYPE dataSources SYSTEM "dataSourceConfiguration.dtd">
<dataSources>
	<dataSource id="PRIVATE_DATASOURCE1" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
		<homeFor>
			<principals>
				<principal type="group"/>
				<principal type="user"/>
				<principal type="account"/>
				<principal type="team"/>
				<principal type="ROOT"/>
				<principal type="OOOO"/>
			</principals>
		</homeFor>
		<notHomeFor/>
		<responsibleFor>
			<principals>
				<principal type="group"/>
				<principal type="user"/>
				<principal type="account"/>
				<principal type="team"/>
				<principal type="ROOT"/>
				<principal type="OOOO"/>
			</principals>
		</responsibleFor>
		<privateSection/>
	</dataSource>
	<dataSource id="PRIVATE_DATASOURCE2" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
		<homeFor>
			<principals>
				<principal type="group"/>
				<principal type="user"/>
				<principal type="account"/>
				<principal type="team"/>
				<principal type="ROOT"/>
				<principal type="OOOO"/>
			</principals>
		</homeFor>
		<notHomeFor/>
		<responsibleFor>
			<principals>
				<principal type="group"/>
				<principal type="user"/>
				<principal type="account"/>
				<principal type="team"/>
				<principal type="ROOT"/>
				<principal type="OOOO"/>
			</principals>
		</responsibleFor>
		<privateSection/>
	</dataSource>
	<dataSource id="PRIVATE_DATASOURCE3" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
		<homeFor>
			<principals>
				<principal type="group"/>
				<principal type="user"/>
				<principal type="account"/>
				<principal type="team"/>
				<principal type="ROOT"/>
				<principal type="OOOO"/>
			</principals>
		</homeFor>
		<notHomeFor/>
		<responsibleFor>
			<principals>
				<principal type="group"/>
				<principal type="user"/>
				<principal type="account"/>
				<principal type="team"/>
				<principal type="ROOT"/>
				<principal type="OOOO"/>
			</principals>
		</responsibleFor>
		<privateSection/>
	</dataSource>
</dataSources>
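A small checker for a dataSourceConfiguration file of the shape pasted above, added here as an example and not code from the thread or from SAP. It parses each dataSource element, records its isReadonly / isPrimary flags and the principal types it is homeFor and responsibleFor, and reports two conditions worth reviewing before adding a second or third domain: more than one datasource flagged primary, and one principal type declared home in several datasources. Both rules are this script's own assumptions about what a sane multi-datasource file looks like; they are not taken from the note referenced in the accepted answer. The sample file inside the script is constructed to mirror the pasted example (three primary datasources, each home for the same types) and drops the DOCTYPE so it parses without the DTD on disk.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like the file pasted in the thread: three
# datasources, all isPrimary="true", all home for the same principal types.
# The DOCTYPE line is omitted so the sample parses without the DTD present.
_CLASS = "com.sap.security.core.persistence.datasource.imp.DataBasePersistence"

def _ds(ds_id, primary, home_types):
    principals = "".join(f'<principal type="{t}"/>' for t in home_types)
    return (
        f'<dataSource id="{ds_id}" className="{_CLASS}" isReadonly="false" isPrimary="{primary}">'
        f"<homeFor><principals>{principals}</principals></homeFor>"
        "<notHomeFor/>"
        f"<responsibleFor><principals>{principals}</principals></responsibleFor>"
        "<privateSection/></dataSource>"
    )

SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?><dataSources>'
    + _ds("PRIVATE_DATASOURCE1", "true", ["group", "user"])
    + _ds("PRIVATE_DATASOURCE2", "true", ["group", "user"])
    + _ds("PRIVATE_DATASOURCE3", "true", ["group", "user"])
    + "</dataSources>"
)

# Constructed "clean" variant: one primary datasource, disjoint home types.
CLEAN_XML = (
    '<?xml version="1.0" encoding="UTF-8"?><dataSources>'
    + _ds("PRIVATE_DATASOURCE1", "true", ["group", "user"])
    + _ds("PRIVATE_DATASOURCE2", "false", ["account"])
    + "</dataSources>"
)


def parse_datasources(xml_text):
    """Return one dict per <dataSource> with its flags and principal types."""
    root = ET.fromstring(xml_text)
    result = []
    for ds in root.findall("dataSource"):
        result.append({
            "id": ds.get("id"),
            "class": ds.get("className"),
            "readonly": ds.get("isReadonly", "false").lower() == "true",
            "primary": ds.get("isPrimary", "false").lower() == "true",
            "home_for": sorted(p.get("type") for p in ds.findall("./homeFor/principals/principal")),
            "responsible_for": sorted(p.get("type") for p in ds.findall("./responsibleFor/principals/principal")),
        })
    return result


def check_datasources(datasources):
    """Apply the two review rules (assumptions of this script, see lead-in)."""
    findings = []
    # Rule 1: expect exactly one datasource to be flagged primary.
    primaries = [d["id"] for d in datasources if d["primary"]]
    if len(primaries) > 1:
        findings.append("multiple primary datasources: " + ", ".join(primaries))
    # Rule 2: a principal type should be "home" in only one datasource,
    # otherwise it is ambiguous where new principals of that type are created.
    home = defaultdict(list)
    for d in datasources:
        for ptype in d["home_for"]:
            home[ptype].append(d["id"])
    for ptype, ids in sorted(home.items()):
        if len(ids) > 1:
            findings.append(f"principal type '{ptype}' is home in more than one datasource: " + ", ".join(ids))
    return findings


def describe(datasources):
    """One summary line per datasource (read-only vs writable, primary, home types)."""
    lines = []
    for d in datasources:
        mode = "read-only" if d["readonly"] else "writable"
        flag = " (primary)" if d["primary"] else ""
        lines.append(f"{d['id']}{flag}: {mode}, home for {', '.join(d['home_for']) or 'nothing'}")
    return lines


if __name__ == "__main__":
    for label, xml_text in (("pasted example", SAMPLE_XML), ("clean variant", CLEAN_XML)):
        parsed = parse_datasources(xml_text)
        print(f"== {label} ==")
        for line in describe(parsed):
            print("  " + line)
        for f in check_datasources(parsed) or ["no findings"]:
            print("  ! " + f)
```

Point the script at a real file with `parse_datasources(open(path).read())`; if the file keeps its DOCTYPE, ElementTree still parses it, since expat does not fetch the external DTD.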
