Former Member

ECC - LDAP Authentication

Hi,

I already have CUA configured to synchronize users with my LDAP Server. I'd like to authenticate SAP users at my LDAP Server. I saw note 793191 - FAQ: User master synchronization with LDAP directories, which states that it is not possible to synchronize the userPassword attribute. Is there a way to achieve LDAP Authentication? Is it possible with Enterprise SSO?

Thank you.

6 Answers

  • Feb 24, 2015 at 10:12 PM

    Is LDAP Server = Active Directory?

    Do you want to log on to your ABAP system using Active Directory credentials? If so, via GUI or web browser, or both GUI and web browser?

    Thanks

    Tim

    • OK, so let me make sure I understand. A user will log on to their Windows workstation using Active Directory domain credentials, and when they log in to a SAP system using SAP GUI you want to prompt them to enter credentials which are checked against Oracle Directory. Is this correct?

  • Former Member
    Feb 25, 2015 at 06:24 PM

    That's correct.

    • OK, so a user has two passwords to remember, one being the Active Directory password used to log on to their workstation, and the other being the Oracle Directory password. Are these in sync?

  • Former Member
    Feb 25, 2015 at 06:40 PM

    Active Directory's passwords are not synchronized with OID yet, but will be.

    Thank you.

  • Former Member
    Feb 25, 2015 at 07:00 PM

    I got it. The thing is, I don't have all SAP users created in my Active Directory.

    For Java System, can I use something like this:

    Integration of SAP Netweaver User Management with LDAP

    • SAP SSO may fit well here. With Secure Login Server, you get an easy on-the-fly conversion of your LDAP user credentials into X.509 certificates, which then allow SSO or login with session-wise re-authentication into ABAP and other PKI-aware apps (which is the majority). So you have both, Kerberos and X.509, with AD and LDAP. Plug it together as required by your respective use cases.

      -- Stephan

  • Former Member
    Feb 26, 2015 at 02:33 PM

    OK. Thank you guys!

  • Mar 09, 2015 at 01:53 AM

    Hi Bruno,

    In your case, you perhaps need an Identity Management solution (rather than an SSO solution) to sync passwords among different applications, for instance SAP Identity Management (SAP IdM).

    First of all, you need to have an app to host all the user accounts. In your case, it should be Oracle LDAP.

    Then, when a user account is created on Oracle LDAP or a user changes their password on Oracle LDAP, this app should be able to catch this password and send it to IdM via API.

    Next, IdM is able to send this password to all the systems it connects to, in your case, SAP ECC or Portal. SAP IdM is capable of provisioning productive passwords to SAP ABAP/Java and even Microsoft AD.

    Best Regards

    Chenyang Xiong

    • Former Member Chenyang Xiong

      Hi Chenyang Xiong,

      not everything technically feasible should be used for productive systems.

      Please see Note 376856 for details. This states:

      Passwords are essentially considered as a "secret between the user and the (one) system" and are dealt with accordingly.

      and

      The reason for the desire to keep passwords at an identical value in different systems might be the request for a single sign-on (SSO) mechanism.

      Regards,

      Patrick