
ECC - LDAP Authentication

Former Member
0 Kudos

Hi,

I already have CUA configured to synchronize users with my LDAP Server. I'd like to authenticate SAP users against my LDAP Server. I saw the note 793191 - FAQ: User master synchronization with LDAP directories, which states that it is not possible to synchronize the userPassword attribute. Is there a way to achieve LDAP Authentication? With Enterprise SSO is it possible?

Thank you.
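As an added illustration of the point behind the question (this is not code from the thread or from SAP), here is why a directory's userPassword attribute is verifiable but not synchronizable: the directory stores a salted hash and an LDAP simple bind only ever answers yes or no. The scheme shown is the OpenLDAP-style {SSHA} format (SHA-1 over password plus salt, base64 of digest plus salt); Oracle Directory Server and Active Directory use their own storage schemes, so the class name, the in-memory directory and the sample entries are constructed for the example. It also shows the usual bind caveat: an empty password is an anonymous bind in LDAP, so an application must reject it before binding rather than treating the server's success as a login.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # random per-entry salt, as a directory would generate
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    The stored value yields the salt and the digest, never the password,
    which is why the attribute cannot be copied into another system as a
    usable credential.
    """
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("unsupported password scheme: " + stored[:8])
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


class FakeDirectory:
    """Constructed stand-in for an LDAP server holding hashed userPassword values."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}

    def add_entry(self, dn: str, password: str) -> None:
        self.entries[dn] = ssha_hash(password)

    def simple_bind(self, dn: str, password: str) -> bool:
        # RFC 4513 behaviour modelled here: a bind with an empty password is an
        # anonymous/unauthenticated bind and "succeeds" regardless of the DN.
        if password == "":
            return True
        stored = self.entries.get(dn)
        if stored is None:
            return False
        return ssha_verify(password, stored)


def authenticate(directory: FakeDirectory, dn: str, password: str) -> bool:
    """What an application that delegates login to LDAP must do around a bind."""
    if not password:
        # Without this check, a blank password would log the user in via the
        # anonymous bind the directory accepts.
        return False
    return directory.simple_bind(dn, password)


def build_sample_directory() -> FakeDirectory:
    # Constructed sample entries, not real accounts.
    d = FakeDirectory()
    d.add_entry("uid=bruno,ou=people,dc=example,dc=com", "Winter-2014!")
    d.add_entry("uid=patrick,ou=people,dc=example,dc=com", "correct horse")
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print(d.entries["uid=bruno,ou=people,dc=example,dc=com"])  # a {SSHA}... value
    print(authenticate(d, "uid=bruno,ou=people,dc=example,dc=com", "Winter-2014!"))
    print(authenticate(d, "uid=bruno,ou=people,dc=example,dc=com", "wrong"))
    print(authenticate(d, "uid=bruno,ou=people,dc=example,dc=com", ""))
```

Two different salts give two different stored values for the same password, which is the practical reason a CUA or IdM job cannot simply copy userPassword between directories and have the target verify it under its own scheme.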

Accepted Solutions (0)

Answers (6)


Chenyang
Contributor
0 Kudos

Hi Bruno,

In your case, you perhaps need an Identity Management solution (rather than a SSO solution) to sync passwords among different applications, for instance SAP Identity Management (SAP IdM).

First of all you need to have an app to host all the user accounts. In your case, it should be Oracle LDAP.

Then when a user account is created on Oracle LDAP or a user changes their password on Oracle LDAP, this app should be able to catch this password and send it to IdM via API.

Next, IdM is able to send this password to all the systems it connects to, in your case, SAP ECC or Portal. SAP IdM is capable of provisioning productive password to SAP ABAP/Java and even Microsoft AD.

Best Regards

Chenyang Xiong

Former Member
0 Kudos


Hi Chenyang Xiong,

password synchronization is not a supported feature for SAP ABAP application servers. Therefore SSO is the only choice when you want a central token to be used for authentication. For SAP Java servers, you can authenticate against an LDAP server, so there neither SSO nor IdM would be required.

Regards,

Patrick

Chenyang
Contributor
0 Kudos

Hi Patrick,

Yes, however this is possible in IdM and it is a standard feature of SAP IdM.

Check this out.

There is one more about productive password provisioning

http://help.sap.com/saphelp_nwidmic_72/helpdata/en/28/9a4ad9a18448bfa5d2a1b8f51610c9/content.htm?fra...

it says

To provision productive passwords to AS ABAP systems, see SAP Note 1575445.

Best Regards

Chenyang Xiong

Former Member
0 Kudos

Hi Chenyang Xiong,

not everything technically feasible should be used for productive systems.

Please see Note 376856 for details. This states:


Passwords are essentially considered as a "secret between the user and the (one) system" and are dealt with accordingly. 

and


The reason for the desire to keep passwords at an identical value in different systems might be the request for a single sign-on (SSO ) mechanism.

Regards,

Patrick

Former Member
0 Kudos

OK. Thank you guys!

Former Member
0 Kudos

I got it. The thing is, I don't have all SAP users created in my Active Directory.

For Java System, can I use something like this:

tim_alsop
Active Contributor
0 Kudos

Yes, for Java you can setup UME for LDAP user auth, but for ABAP user auth with LDAP or Kerberos (e.g. Active Directory) you need to buy a product as that functionality is not free.

We are planning to add LDAP auth to our product. At the moment, it can just be used to authenticate using Active Directory password and RSA SecurID passcode.

former_member200373
Participant
0 Kudos

SAP SSO may fit well here. With Secure Login Server, you get an easy on-the-fly conversion of your LDAP user credentials into X.509 certificates, which then allow SSO or login with session-wise re-authentication into ABAP and other PKI-aware apps (which is the majority). So you have both, Kerberos and X.509, with AD and LDAP. Plug it together as required by your respective use cases.

-- Stephan

Former Member
0 Kudos

Active Directory's passwords are not synchronized with OID yet, but will be.

Thank you.

tim_alsop
Active Contributor
0 Kudos

It is easier to implement a solution where user gets to enter their Active Directory password when they logon to a SAP system with SAP GUI or a Web browser. Using LDAP out of the box is only possible on NetWeaver JAVA systems. For ABAP systems (GUI or Web logon) you need to buy a product to allow AD auth to be possible, and without SSO.

tim_alsop
Active Contributor
0 Kudos

I suggest that you look at using AD password and when the users passwords are in sync they won't know whether their password is being checked against AD or LDAP server (OID)

Former Member
0 Kudos

That's correct.

tim_alsop
Active Contributor
0 Kudos

OK, so a user has two passwords to remember, one being the Active Directory password used to log on to their workstation, and the other being the Oracle Directory password. Are these in sync?

tim_alsop
Active Contributor
0 Kudos

Is LDAP Server = Active Directory?

Do you want to log on to your ABAP system using Active Directory credentials? If so, via GUI or web browser, or both GUI and web browser?

Thanks

Tim

Former Member
0 Kudos

It's not Active Directory; actually, it is Oracle Directory Server (LDAP).

I'd like to authenticate both, GUI and Web Apps. I don't want SSO; it's not a problem for me that my users input a username/password. I just want to have one username/password to access SAP and other legacy apps.

Thank you.

tim_alsop
Active Contributor
0 Kudos

OK, so let me make sure I understand. A user will log on to their Windows workstation using Active Directory domain credentials, and when they log in to a SAP system using SAP GUI you want to prompt them to enter credentials which are checked against Oracle Directory. Is this correct?