Integration of SAP Netweaver User Management with LDAP

Applies to:
SAP Netweaver 7.0/7.1
Microsoft Active Directory 2003

Summary
This document describes the detailed steps for configuring the integration of SAP Netweaver User Management with LDAP (Microsoft Active Directory 2003 is used as the LDAP directory). Once integrated, LDAP provides a central user repository used to centrally maintain user data, thus avoiding the redundant, error-prone maintenance of user information in several systems and reducing total cost of ownership. Here the LDAP directory acts as the leading system: users are imported into the SAP system every time the user synchronization runs.

Author: Radha SK
Company: Team: Technical Validation - SAP Labs India, Bangalore
Created on: 1 July 2009

SAP COMMUNITY NETWORK © 2009 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Table of Contents
Prerequisites
Configuring LDAP Connector
Defining System Users
Defining Server Details
Logging on to the Directory Service
Mapping
Mapping Using function modules
Synchronization of SAP User Administration with LDAP Directory
LDAP Synchronization
Integration of Java User Management Engine with LDAP
Configuring Java UME to use LDAP as a data source with the User Management Console
Configuring Java UME to use LDAP as a data source with the Config Tool
Limitation of UME when AS ABAP is used as a data source
Configuring Java UME to use LDAP as a data source with the Netweaver Administrator Console (NWA) for SAP Netweaver 7.1 Java system
Related content

Prerequisites
The LDAP connector is called using ABAP functions and communicates with the directory services using Lightweight Directory Access Protocol. The LDAP connector requires access to a specific library which is installed on the specific application server platform. To check whether the LDAP Connector is operable, that is, to check the availability of the LDAP Library on the application server, run the “ldap_rfc” command in the kernel directory and check the version details.

Configuring LDAP Connector
1. Create an RFC destination of type T for the connector.
Note: It is recommended to use the following naming convention: LDAP_<server_name>. If there are multiple LDAP connectors on one server then use: LDAP_<server_name>_<sequence_number>
Example: LDAP_SERVER_01
2. Select Registered server program as activation type.
3. Specify the Program ID same as the RFC destination.
4. Save your entries.
Refer to the screenshot below for the LDAP connector details.

Defining System Users
The communication user (Example: TestUser), which is used by the LDAP connector to bind to the LDAP Directory Server, has to be maintained in the LDAP server.
1. Access the LDAP Connector via Tcode “LDAP” and choose System Users.
2. Switch to change mode and choose New Entries.
3. Enter the required data and Save the entries.
Refer to the screenshot below.

Defining Server Details
Create a new logical LDAP Server. Here you have to maintain the connection details of the physical directory.
1. On the initial screen of LDAP choose Server and switch to change mode.
2. Choose New Entries, enter the required data and Save Entries.
Refer to the screenshot below for the Server Entry details.

Logging on to the Directory Service
Now you must check the connection to the directory service by logging on to it.
1. In the initial screen of the LDAP transaction, specify the LDAP server name and the LDAP connector.
2. Press Logon.
3. Provide the System User or enter the directory service user and password.
4. Choose Execute.

Mapping
In transaction LDAPMAP specific SAP data fields can be mapped to the desired directory attributes. SAP offers directory specific proposals for the mapping of the directory attributes to the SAP data fields. After importing the proposal the mapping details can be customized as desired. For each attribute there is the option to specify whether the customized mapping is only valid for import, export or for both ways of synchronization.

Mapping Using function modules
If the desired mapping is not a simple 1:1 relationship, function modules can be used to enable a more complicated mapping procedure. A simple example is the telephone number. The telephone number of a user is stored in the directory attribute “telephone” (in MS Active Directory). The extension is normally split by a hyphen ‘-’. In SAP the telephone number of a user is stored in two data fields, ADDRESS-TEL1_NUMBR and ADDRESS-TEL1_EXT. Therefore the function module MAP_SPLIT_CHAR can be used. This module reads the value for the telephone number from the directory attribute telephone. The extension is split at the position where the system finds a hyphen ‘-’ in the string and the two values are stored in the SAP data fields ADDRESS-TEL1_NUMBR and ADDRESS-TEL1_EXT.

Synchronization of SAP User Administration with LDAP Directory
Once the mapping indicators have been set, you have to synchronize the data from the LDAP server with the SAP User Administration.
1. Execute report RSLDAPSYNC_USER in the transaction SE38.
2. Specify the logical LDAP server and LDAP connector.
3. Define how the report has to process the entries of the objects that are found during the search. The search result is made up of three subsets.
a. Objects that exist both in the directory and the database
b. Objects that exist only in the directory
c. Objects that exist only in the database
4. Save your entries and Execute.
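The split mapping and the three result subsets described above can be modelled as follows. This is an added example, not SAP code or part of the original document: the function names and sample users are hypothetical and constructed, and splitting at the last hyphen is an assumption, since the text does not say which hyphen is used when a number contains several.

```python
"""Added illustration (not SAP code): import-side mapping and result subsets."""

SEP = "-"  # separator named in the text


def map_split_char(value, sep=SEP):
    """Model of the split mapping: 'number-ext' -> (number, ext)."""
    value = value.strip()
    if sep not in value:
        return value, ""  # no extension present in the directory value
    # Assumption: the last hyphen is the one that precedes the extension.
    number, _, ext = value.rpartition(sep)
    return number, ext


def map_entry(attrs):
    """Map one directory entry to the two SAP data fields named in the text."""
    number, ext = map_split_char(attrs.get("telephone", ""))
    return {"ADDRESS-TEL1_NUMBR": number, "ADDRESS-TEL1_EXT": ext}


def classify(directory, database):
    """Return the three subsets of the search result, keyed by user name."""
    d, s = set(directory), set(database)
    return {
        "both": sorted(d & s),
        "directory_only": sorted(d - s),
        "database_only": sorted(s - d),
    }


def plan_import(directory, database):
    """Build a work list of (subset, user, mapped fields) for an import run."""
    subsets = classify(directory, database)
    plan = []
    for subset in ("both", "directory_only"):
        for user in subsets[subset]:
            plan.append((subset, user, map_entry(directory[user])))
    # Users only in the database have no directory entry to map from;
    # they are listed so the administrator can decide how to process them.
    plan += [("database_only", user, None) for user in subsets["database_only"]]
    return plan


# Constructed sample data, not taken from a real system.
DIRECTORY = {
    "ASMITH": {"telephone": "4139-1234"},
    "JDOE": {"telephone": "41395678"},
}
DATABASE = {"JDOE", "OLDUSER"}

if __name__ == "__main__":
    for row in plan_import(DIRECTORY, DATABASE):
        print(row)
```

The database-only subset is the one to review after each run, because those accounts no longer have a counterpart in the leading directory.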

LDAP Synchronization
For example, the user “LDAP ABAP” has been created in the Active Directory Server. When the synchronization report is executed in an SAP system, the user “LDAP ABAP” is taken from the LDAP directory server to the ABAP system. The figure below is the LDAP synchronization log when the report has been executed successfully.

The following is the screenshot of the user “LDAP ABAP” in the ABAP User Management (SU01).

Integration of Java User Management Engine with LDAP

Configuring Java UME to use LDAP as a data source with the User Management Console
Procedure
1. Login to the User Management console with the Administrator rights.
2. Start the User Management.
3. Choose Data sources tab.
4. Choose Modify Configuration.
5. From Data Source, select the data source that best matches your LDAP directory. For Microsoft Active Directory, choose ads_readonly_db.
6. Choose the LDAP Server tab.
7. Enter the required data for connection.

8. Choose Test Connection. If the test fails, user management configuration displays the entry from the security log. The monitoring tools of your LDAP directory can also help you determine the cause of the problem. If necessary, go back and reenter the connection data and test the connection until you are successful.
9. Save all the changes.
10. Restart the application server for the changes to take effect.
Once the server is restarted, you will see the users which are imported from the LDAP directory. To see the users from the LDAP directory, go to Identity management and search for the users from the source LDAP.
Below is a snapshot of the users in the Java UME which are imported from the LDAP directory.

Configuring Java UME to use LDAP as a data source with the Config Tool
The UME LDAP configuration tool simplifies the process of configuring the UME to use an LDAP directory. It allows you to choose the configuration file for configuring the data source files, to enter the connection data for the LDAP directory and to test the data.
1. Click on the Configtool.bat file in the installation folder: <SAPJ2EEEngine_installation>\j2ee\configtool\configtool.bat
2. In the configtool, choose UME LDAP.

3. Configure the LDAP Data Source as required and save your entries.
4. Click on the Test connection button to establish a connection with the LDAP directory with service user.

5. Restart the AS Java.
Now you can see the users in the User Management console in which the users are imported from the LDAP data source.

Limitation of UME when AS ABAP is used as a data source
In an ABAP+Java dual stack system, by default the system takes the User Management of an ABAP system. In this case, it is not possible to configure LDAP as a data source in the Java UME. It is also not possible to create the users in the database of AS Java. For more information refer to SAP Note 718383.

Configuring Java UME to use LDAP as a data source with the Netweaver Administrator Console (NWA) for SAP Netweaver 7.1 Java system
The above mentioned steps for configuring an SAP Netweaver 7.0 Java system to use LDAP as a data source are valid for the SAP Netweaver 7.1 system as well. The only difference is that the User Management can also be configured with the Netweaver Administrative console.

Procedure:
1. Login to NWA with Admin rights.
2. Choose Operation Management -> Users and Access -> Identity Management.
3. Under Related Tasks, choose Configuration.
4. Fill in the required details of the LDAP server and Save your entries.
5. Restart the AS.
Refer to the screenshot below for the connection details.

Related content
• SAP Online Help http://help.sap.com
• http://service.sap.com/security -> Security in Detail -> Identity Management -> Directory Services
