Former Member
May 15, 2007 at 12:24 AM

LDAP users cannot logon to Portal after datasource configuration change


Hi,

After changing our user management datasource configuration back to its original setting (read-only ADS with DB) after implementing SSO with Kerberos, ADS LDAP users cannot log on to the Portal. They receive the error 'Authentication failed', and in the default trace the following error is thrown:

'Error in some of the login modules. [EXCEPTION]

#1#com.sap.engine.services.security.exceptions.BaseLoginException:

Error in some of the login modules.

at com.sap.engine.services.security.login.ModulesProcessAction.run

(ModulesProcessAction.java:149)

......

Caused by: com.sap.security.api.PrincipalNotAccessibleException:

Principal "USER.CORP_LDAP.sam_derfel" is not accessible because the

unique name is not available.'

However, the users' unique names are available in the ADS tree and can be tested successfully using the Configtool authentication test.

The user management was set back to the original datasource

configuration file and the Kerberos loginmodules were removed from the

module stack. The UME is set to access users from the LDAP using the

unique LDAP attribute samaccountname. Users have not been relocated in the ADS store, so their DNs have not changed. The settings described in SAP Notes 777640 and 881440 are in place.

The service user has read and search permissions in the ADS directory

tree and the connection tests are successful. The ADS domain controller

and the Portal server are in the same network domain.

Portal release 7.00 SP10 (1000.7.00.10.0.20061026144500)

LDAP MSADS 2003

Portal OS Windows 2003 R2 SP1

The contents of the datasource configuration file are below. Does anyone have any hints on what could be causing this?

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<!-- UME datasource configuration: one writable database persistence (PRIVATE_DATASOURCE)
     plus one read-only Microsoft Active Directory LDAP persistence (CORP_LDAP).
     The $Id header above shows the file is derived from the shipped
     "dataSourceConfiguration_ads_readonly_db.xml" template. -->
<!-- NOTE(review): the DOCTYPE below references an external DTD by system identifier.
     The server reads this file from its own configuration store, so that is expected,
     but a copy of this file must not be handed to a parser that resolves external
     DTDs/entities from an untrusted location. -->
<!DOCTYPE dataSources SYSTEM "dataSourceConfiguration.dtd">
<dataSources>

  <!-- Writable database persistence. Declared as home for, and responsible for,
       every principal type listed below (group, user, account, team, ROOT, OOOO). -->
  <dataSource id="PRIVATE_DATASOURCE"
              className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
              isReadonly="false"
              isPrimary="true">
    <homeFor>
      <principals>
        <principal type="group"/>
        <principal type="user"/>
        <principal type="account"/>
        <principal type="team"/>
        <principal type="ROOT" />
        <principal type="OOOO" />
      </principals>
    </homeFor>
    <notHomeFor/>
    <responsibleFor>
      <principals>
        <principal type="group"/>
        <principal type="user"/>
        <principal type="account"/>
        <principal type="team"/>
        <principal type="ROOT" />
        <principal type="OOOO" />
      </principals>
    </responsibleFor>
    <!-- No datasource-specific properties for the database persistence. -->
    <privateSection>
    </privateSection>
  </dataSource>

  <!-- Read-only Active Directory persistence. homeFor is empty, so no principals are
       created here; it only answers for the account, user and group attributes listed
       under responsibleFor, using the logical-to-physical mapping in attributeMapping. -->
  <dataSource id="CORP_LDAP"
              className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
              isReadonly="true"
              isPrimary="true">
    <homeFor/>
    <responsibleFor>
      <!-- Logon-relevant account attributes served from the directory. -->
      <!-- NOTE(review): unlike the user and group principals below, this nameSpace is not
           wrapped in a <nameSpaces> element; confirm against dataSourceConfiguration.dtd
           that both forms are accepted by the loader. -->
      <principal type="account">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attributes>
            <attribute name="j_user"/>
            <attribute name="logonalias"/>
            <attribute name="j_password"/>
            <attribute name="userid"/>
          </attributes>
        </nameSpace>
      </principal>
      <!-- User attributes read from the directory. populateInitially marks the ones
           fetched up front; the others are presumably read on demand (not visible here). -->
      <!-- NOTE(review): "title" is listed here but has no entry in attributeMapping below,
           while "loginid" and "pobox" are mapped below but not listed here; confirm this
           asymmetry is intended. -->
      <principal type="user">
        <nameSpaces>
          <nameSpace name="com.sap.security.core.usermanagement">
            <attributes>
              <attribute name="firstname" populateInitially="true"/>
              <attribute name="displayname" populateInitially="true"/>
              <attribute name="lastname" populateInitially="true"/>
              <attribute name="fax"/>
              <attribute name="email"/>
              <attribute name="title"/>
              <attribute name="department"/>
              <attribute name="description"/>
              <attribute name="mobile"/>
              <attribute name="telephone"/>
              <attribute name="streetaddress"/>
              <attribute name="uniquename" populateInitially="true"/>
            </attributes>
          </nameSpace>
          <!-- Group membership of the user (parent relation). -->
          <nameSpace name="com.sap.security.core.usermanagement.relation">
            <attributes>
              <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
            </attributes>
          </nameSpace>
          <!-- User-mapping namespace: reference system user for SSO to a backend. -->
          <nameSpace name="$usermapping$">
            <attributes>
              <attribute name="REFERENCE_SYSTEM_USER"/>
            </attributes>
          </nameSpace>
        </nameSpaces>
      </principal>
      <!-- Group attributes read from the directory, including both membership
           directions and the group's distinguished name (bridge namespace). -->
      <principal type="group">
        <nameSpaces>
          <nameSpace name="com.sap.security.core.usermanagement">
            <attributes>
              <attribute name="displayname" populateInitially="true"/>
              <attribute name="description" populateInitially="true"/>
              <attribute name="uniquename"/>
            </attributes>
          </nameSpace>
          <nameSpace name="com.sap.security.core.usermanagement.relation">
            <attributes>
              <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
              <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
            </attributes>
          </nameSpace>
          <nameSpace name="com.sap.security.core.bridge">
            <attributes>
              <attribute name="dn"/>
            </attributes>
          </nameSpace>
        </nameSpaces>
      </principal>
    </responsibleFor>

    <!-- Logical UME attribute -> physical LDAP attribute mapping. A physical name of
         "null" is used for several attributes; presumably this means "no physical
         attribute" in the UME template convention, but verify against the product docs. -->
    <attributeMapping>
      <principals>
        <principal type="account">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <!-- Both the logon id and the logon alias resolve to sAMAccountName. -->
                <attribute name="j_user">
                  <physicalAttribute name="samaccountname"/>
                </attribute>
                <attribute name="logonalias">
                  <physicalAttribute name="samaccountname"/>
                </attribute>
                <!-- Password mapping as shipped in the template; how the UME uses it
                     for the user bind is not visible in this file. -->
                <attribute name="j_password">
                  <physicalAttribute name="unicodepwd"/>
                </attribute>
                <attribute name="userid">
                  <physicalAttribute name="null"/>
                </attribute>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
        <principal type="user">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <attribute name="firstname">
                  <physicalAttribute name="givenname"/>
                </attribute>
                <attribute name="displayname">
                  <physicalAttribute name="displayname"/>
                </attribute>
                <attribute name="lastname">
                  <physicalAttribute name="sn"/>
                </attribute>
                <attribute name="fax">
                  <physicalAttribute name="facsimiletelephonenumber"/>
                </attribute>
                <!-- NOTE(review): the logon failure quoted in this thread reports that the
                     principal's unique name is not available. The user uniquename is mapped
                     to samaccountname here, while ume.ldap.access.naming_attribute.user in
                     privateSection is cn with samaccountname only as the auxiliary naming
                     attribute; confirm these settings are the combination this template
                     version expects. -->
                <attribute name="uniquename">
                  <physicalAttribute name="samaccountname"/>
                </attribute>
                <attribute name="loginid">
                  <physicalAttribute name="null"/>
                </attribute>
                <attribute name="email">
                  <physicalAttribute name="mail"/>
                </attribute>
                <attribute name="mobile">
                  <physicalAttribute name="mobile"/>
                </attribute>
                <attribute name="telephone">
                  <physicalAttribute name="telephonenumber"/>
                </attribute>
                <attribute name="department">
                  <physicalAttribute name="ou"/>
                </attribute>
                <attribute name="description">
                  <physicalAttribute name="description"/>
                </attribute>
                <attribute name="streetaddress">
                  <physicalAttribute name="postaladdress"/>
                </attribute>
                <attribute name="pobox">
                  <physicalAttribute name="postofficebox"/>
                </attribute>
              </attributes>
            </nameSpace>
            <nameSpace name="com.sap.security.core.usermanagement.relation">
              <attributes>
                <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
                  <physicalAttribute name="memberof"/>
                </attribute>
              </attributes>
            </nameSpace>
            <nameSpace name="$usermapping$">
              <attributes>
                <attribute name="REFERENCE_SYSTEM_USER">
                  <physicalAttribute name="sapusername"/>
                </attribute>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
        <principal type="group">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <attribute name="displayname">
                  <physicalAttribute name="displayname"/>
                </attribute>
                <attribute name="description">
                  <physicalAttribute name="description"/>
                </attribute>
                <!-- Group unique name comes from cn, not sAMAccountName as for users. -->
                <attribute name="uniquename" populateInitially="true">
                  <physicalAttribute name="cn"/>
                </attribute>
              </attributes>
            </nameSpace>
            <nameSpace name="com.sap.security.core.usermanagement.relation">
              <attributes>
                <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
                  <physicalAttribute name="member"/>
                </attribute>
                <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
                  <physicalAttribute name="memberof"/>
                </attribute>
              </attributes>
            </nameSpace>
            <nameSpace name="com.sap.security.core.bridge">
              <attributes>
                <attribute name="dn">
                  <physicalAttribute name="null"/>
                </attribute>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
      </principals>
    </attributeMapping>

    <!-- LDAP access properties for the Active Directory connection. -->
    <privateSection>
      <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
      <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
      <!-- NOTE(review): simple bind sends the bind password in the clear unless the LDAP
           connection itself is TLS-protected. An SSL socket factory class is named below,
           but nothing in this file shows that SSL is actually switched on for the
           connection; confirm that on the server side. -->
      <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
      <!-- Property key spelling ("hierachy") is the product's own and must be kept as is. -->
      <ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
      <ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
      <ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
      <ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
      <!-- Object classes and naming attributes: users and accounts are keyed by cn with
           sAMAccountName as the auxiliary naming attribute; groups are keyed by cn. -->
      <ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
      <ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
      <ume.ldap.access.objectclass.grup>Group</ume.ldap.access.objectclass.grup>
      <ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
      <ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
      <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
      <ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
      <ume.ldap.access.naming_attribute.grup>cn</ume.ldap.access.naming_attribute.grup>
    </privateSection>
  </dataSource>

</dataSources>