Scribd
Upload
164 views18 pages

Integration LDAP SAP-2

Uploaded by

Martin Carrozzo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
164 views18 pages

Integration LDAP SAP-2

Uploaded by

Martin Carrozzo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 18

Integration of SAP Netweaver User

Management with LDAP

Applies to:
SAP Netweaver 7.0/7.1
Microsoft Active Directory 2003

Summary
The document describes the detailed steps of configuring the integration of SAP Netweaver User
Management with LDAP (Microsoft Active Directory 2003 is used as LDAP).
LDAP, being the integrated, provides a central user repository used to centrally maintain user data, thus
avoiding the redundant, error prone maintenance of user information in several systems and reduced total
cost to ownership.
Here the LDAP directory acts as a leading system wherein the Users are imported to the SAP system when
the user synchronization happens every time.
Author: Radha SK
Company: Team: Technical Validation -SAP Labs India, Bangalore
Created on: 1 July 2009

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 1
Integration of SAP Netweaver User Management with LDAP

Table of Contents
Prerequisites ....................................................................................................................................................... 3 
Configuring LDAP Connector .......................................................................................................................... 4 
Defining System Users.................................................................................................................................... 5 
1.  Access the LDAP Connector via Tcode “LDAP” choose System Users ..................................................... 5 
2.  Switch to change mode and choose New Entries ....................................................................................... 5 
3.  Enter the required data and Save the entries. Refer the below screenshot. .............................................. 5 
Defining Server Details ....................................................................................................................................... 5 
Logging on to the Directory Service ................................................................................................................... 6 
Mapping .............................................................................................................................................................. 7 
Mapping Using function modules8 
Mapping Using function modules ....................................................................................................................... 8 
Synchronization of SAP User Administration with LDAP Directory .................................................................... 8 
LDAP Synchronization .................................................................................................................................... 9 
Integration of Java User Management Engine with LDAP ............................................................................... 11 
Configuring Java UME to use LDAP as a data source with the User Management Console ...................... 11 
Procedure .................................................................................................................................................................. 11 
Configuring Java UME to use LDAP as a data source with the Config Tool ................................................ 13 
Limitation of UME when AS ABAP is used as a data source ........................................................................... 15 
Configuring Java UME to use LDAP as a data source with the Netweaver Administrator Console (NWA) for
SAP Netweaver 7.1 Java system.................................................................................................................. 15 
Procedure: ................................................................................................................................................................. 16 
Related content ................................................................................................................................................. 17 
Disclaimer and Liability Notice ........................................................................... Error! Bookmark not defined. 

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 2
Integration of SAP Netweaver User Management with LDAP

Prerequisites
The LDAP connector requires access to some specific library which is installed on the specific application
server platform. The LDAP connector is called using ABAP functions and communicates with the directory
services using Lightweight Directory Access Protocol.
To check whether LDAP Connector is operable, that is checking the availability of LDAP Library on the
application server.
Run “ldap_rfc” command in the kernel directory and check the version details.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 3
Integration of SAP Netweaver User Management with LDAP

Configuring LDAP Connector


1. Create and RFC of connector T-Type
Note: It is recommended to use the following naming convention: LDAP_<server_name>.
If there are multiple LDAP connectors on one server then use:
LDAP_<server_name>_<sequence_number> Example: LDAP_SERVER_01
2. Select Registered server program as activation type
3. Specify the Program ID same as the RFC destination.
4. Save your entries.
Refer the below screenshot for LDAP connector details

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 4
Integration of SAP Netweaver User Management with LDAP

Defining System Users

The communication user (Example: TestUser) has to be maintained in the LDAP server which used by the
LDAP connector to bind to the LDAP Directory Server.

1. Access the LDAP Connector via Tcode “LDAP” choose System Users

2. Switch to change mode and choose New Entries

3. Enter the required data and Save the entries. Refer the below screenshot.

Defining Server Details


Create a new logical LDAP Server. Here you have to maintain the connection details of the physical directory
1. On the initial screen of LDAP choose Server and switch to change mode.
2. Choose New Entries and Enter the required data and Save Entries
Refer the below screen shot for Server Entry details

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 5
Integration of SAP Netweaver User Management with LDAP

Logging on to the Directory Service


Now you must check the connection to the directory service by logging on to it.
1. In the initial screen of the LDAP transaction, specify the LDAP server name and the LDAP
connector.
2. Press Logon
3. Provide the System User or enter the directory service user and password.
4. Choose Execute.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 6
Integration of SAP Netweaver User Management with LDAP

Mapping
In transaction LDAPMAP specific SAP data fields can be mapped to the desired directory attributes.
SAP offers directory specific proposals for the mapping of the directory attributes to the SAP data fields. After
importing the proposal the mapping details can be customized as desired.
For each attribute there is the option to specify whether the customized mapping is only valid for import,
export or for both ways of
synchronization.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 7
Integration of SAP Netweaver User Management with LDAP

Mapping Using function modules


If the desired mapping is not a simple 1:1 relationship, function modules can be used to enable a more
complicated mapping procedure.
A simple example is the telephone number. The telephone number of a user is stored in the directory
attribute “telephone” (in MS Active Directory). The extension is normally split by a hyphen ‘-‘.
In SAP the telephone number of a user is stored in two data fields ADDRESS-TEL1_NUMBR and
ADDRESS-TEL1_EXT.
Therefore the function module MAP_SPLIT_CHAR can be used.
This module reads the value for the telephone number from the directory attribute telephone. The extension
is split at the position where the system finds a hyphen ‘-‘ in the string and the two values are stored in the
SAP data fields ADDRESSTEL1_NUMBR and ADDRESS-TEL1_EXT.

Synchronization of SAP User Administration with LDAP Directory


Once the mapping indicators have been set, you have to synchronize the data from the LDAP server with the
SAP User Administration.
1. Execute report RSLDAPSYNC_USER in the transaction SE38.
2. Specify the logical LDAP server and LDAP connector
3. Define how the report has to process the entries of the objects that found during the search. The
search result is made up of three subsets.
a. Objects that exists in both in directory and database
b. Objects that exits only in directory
c. Objects that exits only in database
4. Save your entries and Execute.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 8
Integration of SAP Netweaver User Management with LDAP

LDAP Synchronization
For example the user “LDAP ABAP” has been created in the Active Directory Server. When the
synchronization report is executed in an SAP system, the user “LDAP ABAP” is taken from the LDAP
directory server to the ABAP system. The below figure is LDAP synchronization log when the report has
been executed successfully.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 9
Integration of SAP Netweaver User Management with LDAP

The following is the screenshot of the user “LDAP ABAP” is the ABAP User Management SU01

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 10
Integration of SAP Netweaver User Management with LDAP

Integration of Java User Management Engine with LDAP


Configuring Java UME to use LDAP as a data source with the User Management Console

Procedure
1. Login to the User Management console with the Administrator rights.
2. Start the User Management
3. Choose Data sources tab
4. Choose Modify Configuration
5. From Data Source, select the data source that best matches your LDAP directory. For Microsoft
Active Directory, choose ads_readonly_db
6. Choose the LDAP Server tab
7. Enter the required data for connection

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 11
Integration of SAP Netweaver User Management with LDAP

8. Choose Test Connection


If the test fails, user management configuration displays the entry from the security log. The monitoring
tools of your LDAP directory can also help you determine the cause of the problem. If necessary, go
back and reenter the connection data and test the connection until you are successful.
9. Sava all the changes
10. Restart the application server for the changes to take effect.
Once the server is restarted, you will see the users which are imported from the LDAP directory.
To see the users from LDPA directory, go to Identity management and search for the users from the source
LDAP. Below is snapshot of the users in the Java UME which are imported from LDAP directory.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 12
Integration of SAP Netweaver User Management with LDAP

Configuring Java UME to use LDAP as a data source with the Config Tool
The UME LDAP configuration tool simplifies the process of configuring the UME to use an LDAP directory. It
allows to choose the configuration file for configuring the data source files and also to enter the connection
data for the LDAP directory and the test the data.
1. Click on the Configtool.bat file in the installation folder.
<SAPJ2EEEngine_installation>\j2ee\configtool\configtool.bat
2. In the configtool, choose UME LDAP

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 13
Integration of SAP Netweaver User Management with LDAP

3. Configure the LDAP Data Source as required and save your


entries

4. Click on the Test connection button to establish a connection with the LDAP directory with service
user.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 14
Integration of SAP Netweaver User Management with LDAP

5. Restart the AS Java


Now you can see the users in the User Management console in which the users are imported from the LDAP
data source.

Limitation of UME when AS ABAP is used as a data source


In a ABAP+Java dual stack system, by default the system takes the User Management of an ABAP system.
In this case, it possible to configure LDAP as a data source in the Java UME. It is also not possible to create
the users in the database of AS Java.
For more information refer to SAP Note 718383

Configuring Java UME to use LDAP as a data source with the Netweaver Administrator Console
(NWA) for SAP Netweaver 7.1 Java system.
The above mentioned steps for configuring SAP Netweaver 7.0 java system to use LDAP as a data source
are valid for the SAP Netweaver 7.1 system as well.
The only difference is we can also configure the User Management with Netweaver Administrative console
as well.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 15
Integration of SAP Netweaver User Management with LDAP

Procedure:
1. Login to NWA with Admin rights.
2. Choose Operation Management -> Users and Access -> Identity Management
3. Under Related Tasks, choose Configuration.
4. Fill in the required details of the LDAP server and Save your entries.
5. Restart the AS
Refer the below screenshot for the connection details

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 16
Integration of SAP Netweaver User Management with LDAP

Related content
• SAP Online Help http://help.sap.com
• http://service.sap.com/security ->Security in Detail -> Identity Management -> Directory
Services

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 17
Integration of SAP Netweaver User Management with LDAP

Copyright
© Copyright 2009 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9,
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server,
PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,
Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by
Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned
herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document
serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP
Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the
express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 18

You might also like