
LDAP configuration for Rex 3.2/SMP 2.3 allowing unintended access

Hi,

I have installed SMP 2.3 SP04 and deployed Retail Execution 3.2 in its own domain and with its own security configuration.

I configured the LDAP login module in both the admin and the REx configurations. The configurations are quite similar.

Here is my problem: It seems that any LDAP user in our Active Directory is able to register a device. I have had AD groups (custom named according to company standard) created for admins, supporters and device users, but users can register their device even though they are not members of any of the groups.

User and role lookup as well as authentication works fine, so I suspect I am just missing a simple configuration step.

The LDAP login module in the admin security configuration was configured to connect to AD more or less according to this excellent document: http://scn.sap.com/docs/DOC-56672, which unfortunately only deals with the authentication part (unless I missed something). When the configuration parameters had been entered and the LDAP module had been validated and saved, I continued to the mapping tab. I was able to map to my AD roles and everything works as I expected in SCC: in accordance with their AD role assignment my administrators have read/write access and my supporters have read-only access in SCC. Device users and others are not able to log into SCC.

Then I set up the LDAP login module in the REx security configuration the same way. Again I am able to see all my AD roles and I can also do the mapping, but it looks like the mapping is not taken into account when validating the user’s group membership.

So I figure that device user authorization works differently from SCC authorization.

The LDAPLoginModule is configured like this:

Provider URL: ldap://myADserver.myCompany.com

Control Flag: sufficient

Authentication Scope: subtree

Role Scope: subtree

Bind DN: <some account>

Bind Password : <password>

Default Search Base: OU=ou_users,DC=myCompany,DC=com

Role Search Base : OU=ou_groups,DC=myCompany,DC=com

Server Type: msad2k

Authentication method: simple

Authentication filter: (&(sAMAccountName={uid})(objectclass=user))

The automatically generated LDAPAuthorizer was deleted and the LDAPAttributer left unmodified.

How do I ensure that only AD users who are members of a specific group are able to register in the domain?

Can I do some magic with the Role Filter, so that it only looks up my dedicated device user role? For msad2k it is supposed to default to (|(objectclass=groupofnames)(objectclass=group)).

Any help is greatly appreciated.

Thanks/Stig


1 Answer

  • Posted on Apr 04, 2015 at 08:07 AM

    Actually, I succeeded by changing the authentication filter:

    (&(sAMAccountName={uid})(objectclass=user)(memberOf=cn=myRole,OU=ou_groups,DC=myCompany,DC=com))

    It works, but I would still like to know if this is the right way to do it, or whether it should have been done by the use of role mappings instead.

    Thanks/Stig
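The following is an added example, not code from the original post, the answer, or SAP. It models offline what the two authentication filters in this thread do: the post's filter `(&(sAMAccountName={uid})(objectclass=user))` admits every AD user under the Default Search Base, while the answer's `memberOf` clause restricts it to direct members of `CN=myRole,OU=ou_groups,DC=myCompany,DC=com`. Two practitioner caveats are built in. First, a plain `memberOf` test only sees direct membership (and a user's primary group is not listed in `memberOf` at all); AD's `LDAP_MATCHING_RULE_IN_CHAIN` (`1.2.840.113556.1.4.1941`) matches through nested groups, so the example also builds that variant. Second, whatever the login module substitutes for `{uid}` must be escaped per RFC 4515, otherwise a name such as `*` turns the equality test into a presence test. The directory entries, the nested group `myRoleNested` and user names are constructed sample data, and the evaluator covers only the filter subset used here (`&`, `|`, equality, presence, in-chain); it does not talk to a real server.

```python
"""Offline model of the AD authentication filters discussed above (added example)."""
import re

IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD matching rule for nested group membership
USERS_BASE = "OU=ou_users,DC=myCompany,DC=com"  # Default Search Base from the post
GROUP_DN = "CN=myRole,OU=ou_groups,DC=myCompany,DC=com"  # group used in the answer
NESTED_DN = "CN=myRoleNested,OU=ou_groups,DC=myCompany,DC=com"  # assumed sub-group

# Constructed sample entries (not real data); users carry their *direct* memberOf.
DIRECTORY = {
    "CN=alice,OU=ou_users,DC=myCompany,DC=com": {
        "sAMAccountName": ["alice"], "objectclass": ["top", "person", "user"],
        "memberOf": [GROUP_DN]},
    "CN=bob,OU=ou_users,DC=myCompany,DC=com": {
        "sAMAccountName": ["bob"], "objectclass": ["top", "person", "user"],
        "memberOf": []},
    "CN=carol,OU=ou_users,DC=myCompany,DC=com": {
        "sAMAccountName": ["carol"], "objectclass": ["top", "person", "user"],
        "memberOf": [NESTED_DN]},  # member of myRole only via the nested group
    NESTED_DN: {"objectclass": ["top", "group"], "memberOf": [GROUP_DN]},
    GROUP_DN: {"objectclass": ["top", "group"], "memberOf": []},
}


def escape_filter_value(value):
    """RFC 4515 escaping that any correct {uid} substitution has to apply."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_auth_filter(uid, group_dn=None, nested=False):
    """The post's filter, optionally with the answer's memberOf clause.

    nested=True uses AD's in-chain rule so membership through intermediate
    groups also satisfies the filter.
    """
    parts = ["(sAMAccountName=%s)" % escape_filter_value(uid), "(objectclass=user)"]
    if group_dn:
        attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
        parts.append("(%s=%s)" % (attr, escape_filter_value(group_dn)))
    return "(&" + "".join(parts) + ")"


def _parse(s, i):
    """Recursive-descent parser for the filter subset; returns (node, next index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unterminated list filter")
        return (op, kids), i + 1
    j = s.index(")", i)  # escaped values never contain a raw ')'
    attr, value = s[i:j].split("=", 1)
    return ("=", attr, value), j + 1


def _transitive(attr, entry, seen):
    """Walk memberOf recursively, which is what the in-chain rule resolves."""
    for dn in entry.get(attr, []):
        if dn.lower() not in seen:
            seen.add(dn.lower())
            _transitive(attr, DIRECTORY.get(dn, {}), seen)
    return seen


def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, entry) for k in node[1])
    _, attr, value = node
    base, _, rule = attr.partition(":")
    if rule.rstrip(":") == IN_CHAIN:
        return unescape_filter_value(value).lower() in _transitive(base, entry, set())
    values = [v.lower() for v in entry.get(base, [])]
    if value == "*":  # presence filter: what an unescaped '*' uid turns into
        return bool(values)
    return unescape_filter_value(value).lower() in values


def search(filter_str, base=USERS_BASE):
    """Subtree search of the constructed directory; returns the matching DNs."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return sorted(dn for dn, e in DIRECTORY.items()
                  if dn.lower().endswith(base.lower()) and _matches(node, e))


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol"):
        print(uid, search(build_auth_filter(uid)),
              search(build_auth_filter(uid, GROUP_DN)),
              search(build_auth_filter(uid, GROUP_DN, nested=True)))
```

Running it shows bob authenticating under the original filter and being rejected once the `memberOf` clause is present, carol being rejected by the direct `memberOf` test but accepted by the in-chain variant, and an escaped `*` matching nobody where a raw `(sAMAccountName=*)` matches every user. Against a real domain the same comparison can be made with `ldapsearch` using the post's Bind DN, Default Search Base and each filter in turn; a filter that returns zero entries for a non-member is the check that the restriction actually holds.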

