
LDAP Authentication - Changing LDAP Server Type

Former Member
0 Kudos

Dear all,

We face the following scenario:

1.) We have a SAP BO BI 4.0 SP7 server which runs on SuSE SLES 11.

2.) The authentication scheme currently used is LDAP > LDAP Server Type = Oracle Internet Directory.

3.) The customer wants to change the LDAP > LDAP Server Type = Microsoft Active Directory Application Server.

If we fulfill all the necessary restrictions while mapping LDAP against Windows AD, as stated in the Administrator's Manual, I would like to ask:

A.) Are the following assumptions correct?


  A1.) If an existing user has the same name as one coming from Windows AD, then the user will remain intact.

  A2.) If an existing user has a different name from one coming from Windows AD, then the existing user will be removed and a new one will be created.

There are two useful links:

10 easy steps - How to use LDAP-based authentication in SAP BusinessObjects 4.1

Setting up the LDAP connector - Business Intelligence (BusinessObjects) - SCN Wiki


Thanks in advance for any answer.


Regards,

ilias

Accepted Solutions (1)


denis_konovalov
Active Contributor
0 Kudos

If you simply change them you'll lose all users.

You need to ensure each user has an Enterprise alias before making this change.

Then after the change you'll see both of your assumptions.

former_member205064
Active Contributor
0 Kudos

The user account can remain in BO under 2 conditions:

The AD group is mapped in BO and the LDAP group is also present and the user ID is the same and they get synced.

1205637 - How to map Active Directory accounts in a Windows and UNIX/Linux environment

But as you have SuSE, you do not have the AD plugin; hence you will have to map in the LDAP plugin itself while the LDAP is already configured.

You can only configure AD as LDAP in the current configuration if you have the same OU.

So, the best option is to create an Enterprise alias for all LDAP users with the script:

1804839 - How to add or remove an Enterprise alias through a script in SAP BI 4.0


Once the alias is created, you can remove and configure the new AD.

0 Kudos

Hello,

The guys already gave you the tips you need.

I want to draw attention to something else. You posted that you are running SAP BI 4.0 SP07. BI 4.0 has been out of support since 12.31.2015.

You should plan to update to the latest version, which is SAP BI 4.1 SP07. It's just a simple update installer... so no rocket science here.

Regards

-Seb.

Answers (1)


Former Member
0 Kudos

Dear all,

I've done some investigation in a test BO environment and here are my results / conclusions:

1.) The first step is to create Enterprise Aliases for every user that came from LDAP (Oracle Internet Directory). In that way we will ensure that no user account and dependent objects (Favorites Folder, Inbox) will be removed after re-adjusting the LDAP authentication plugin with Windows Active Directory.

2.) After we re-adjust the LDAP authentication plugin in order to get the users from Windows Active Directory, there are two possible scenarios:

A. If an existing user has the same name as one coming from Windows AD, then the user will remain intact (automatic user aliasing).


B. If an existing user has a different name from one coming from Windows AD, then the existing user will be removed from the current LDAP group and a new one will be created. So, for one physical user we will have two different BO-related accounts (Enterprise, LDAP).


C. The next step should be the manual aliasing of the current Enterprise User with the new LDAP User. In that way we will preserve the security scheme for the existing user. After this step, the new LDAP User will not be visible in the LDAP Group and dependent objects will be removed (Favorites, Inbox). If we re-import the users from Windows AD, then we will see the Enterprise User Account (which is aliased with the LDAP Account) in LDAP Group.


Thanks for your time and answers,

ilias


PS: I already informed the customer about the current status of the 4.0 version (end of mainstream maintenance) and I hope they will soon move on to version 4.1.
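
A pre-change check that sorts accounts into the outcomes reported in this thread, as an added example that is not code from any poster or from SAP. It assumes a hypothetical CSV export of BO users with `name` and `aliases` columns, the alias labels `secLDAP` and `secEnterprise`, a plain list of AD account names, and case-insensitive name matching; all sample data is constructed.

```python
import csv
import io

# Constructed sample export of BO users (hypothetical format: name, ';'-separated alias types).
BO_USERS_CSV = """name,aliases
jsmith,secLDAP;secEnterprise
mkhan,secLDAP
a.papadopoulos,secLDAP;secEnterprise
Administrator,secEnterprise
"""
# Constructed list of account names expected from the new AD source.
AD_ACCOUNTS = ["JSmith", "mkhan", "apapadopoulos", "newhire"]


def plan_migration(bo_csv, ad_accounts):
    """Classify accounts before the LDAP server type is changed."""
    # Assumption: names are matched case-insensitively.
    ad = {a.casefold() for a in ad_accounts}
    seen = set()
    report = {
        "needs_enterprise_alias": [],  # would be lost if the source is switched now
        "auto_aliased": [],            # same name in AD: account stays intact
        "manual_alias": [],            # different name: alias by hand afterwards
        "new_from_ad": [],             # AD names with no existing BO account
    }
    for row in csv.DictReader(io.StringIO(bo_csv)):
        name = row["name"].strip()
        aliases = {a.strip() for a in row["aliases"].split(";") if a.strip()}
        seen.add(name.casefold())
        if "secLDAP" not in aliases:
            continue  # Enterprise-only account, not tied to the LDAP source
        if "secEnterprise" not in aliases:
            report["needs_enterprise_alias"].append(name)
        if name.casefold() in ad:
            report["auto_aliased"].append(name)
        else:
            report["manual_alias"].append(name)
    report["new_from_ad"] = sorted(a for a in ad_accounts if a.casefold() not in seen)
    return report


if __name__ == "__main__":
    for category, names in plan_migration(BO_USERS_CSV, AD_ACCOUNTS).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

The switch should wait until `needs_enterprise_alias` is empty; each entry in `manual_alias` then has to be paired by hand with its counterpart in `new_from_ad`.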