06-30-2006 1:18 PM
Hi all,
I'm facing the scenario where a customer uses MS ADS for authentication of users but uses Novell eDirectory for Identity Management purposes. They want to connect eDir to a CUA system for ABAP role upload and user synchronisation and in addition use the groups and ou's in eDir to bind the users to Portal roles.
The users should access the Portal via SSO (so in my opinion ADS Kerberos authentication should be used) but all the additional info should be taken from the eDir (such as group memberships, ou's). So this is NOT the scenario for two LDAP servers as stated in help.sap.com
I know how to configure Kerberos SSO (via SPNego) but this means to modify the datasourceADS.xml file for the ADS, while all other details should be read from eDir.
Is it possible to configure the UME so it takes the Kerberos from ADS but all user related data from eDir, other than using IISProxy?
much obliged
Marcel Rabe
06-30-2006 3:32 PM
Hi Marcel,
Take a look at the information here:
http://help.sap.com/saphelp_nw2004s/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/content.htm
For this UME configuration case you'll only need to modify a configuration XML for the eDir and you use one LDAP server (the eDir). You need to synchronize the user data in the ADS and the eDir, however. Also note that due to the synchronization requirement this is an advanced configuration case for enabling SPNego.
Hope this helps you.
Regards,
Yonko
06-30-2006 4:21 PM
Hi Yonko,
thanks. This is what I figured out also so far. I was hoping to do it without synchronizing but this seems inevitable.
I'm also still confused in regard to the status of IISProxy support in sapnote 886214. Is IISProxy really end-of-maintenance?
Cheers
Marcel
06-30-2006 5:03 PM
Hi Marcel,
yes, the IISProxy support is phased out as of SP15, and replaced by the SPNego mechanisms for Kerberos authentication. Even if this wasn't the case, however, you'd still need a certain degree of synchronization between the directory for authentication and the UME data source.
You can still use an alternative reverse proxy and forward the user credentials in header variables from the proxy to the J2EE Engine (a case of Header Variable authentication). With SPNego you'll have end-to-end Kerberos though.
Regards,
Yonko