Hi everybody,
First let me quickly explain the situation: the customer has different usernames in LDAP and R/3. These SAP usernames are stored in the DS in the attribute "extensionAttribute2" and used for the SAP reference system (works fine). The problem is that we also need to use Federated Portal Network, and this cannot work with different usernames (at least not for a double stack, which is included in this scenario).
Our idea was to "recurve" the LDAP connection to the ADS and use extensionAttribute2 instead of sAMAccountName. We got it working, so that the user can log in to the portal using his SAP username and his current Windows password (don't bother about irritation on the users' side, because we are also working with Kerberos 😊).
The problem is, however, that we get an error within the user management, because the mandatory field "logon-id" is not filled, although it is returned by the ADS server.
Has anybody ever tried this?
Imo it should be possible, because when you're working with a non-Microsoft LDAP, there is no sAMAccountName...
-
-
My dataSourceConfiguration file:

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_deep_readonly_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<dataSources>
  <dataSource id="PRIVATE_DATASOURCE" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
    <homeFor>
      <principals>
        <principal type="group"></principal>
        <principal type="user"></principal>
        <principal type="account"></principal>
        <principal type="team"></principal>
        <principal type="ROOT"></principal>
        <principal type="OOOO"></principal>
      </principals>
    </homeFor>
    <notHomeFor></notHomeFor>
    <responsibleFor>
      <principals>
        <principal type="group"></principal>
        <principal type="user"></principal>
        <principal type="account"></principal>
        <principal type="team"></principal>
        <principal type="ROOT"></principal>
        <principal type="OOOO"></principal>
      </principals>
    </responsibleFor>
    <privateSection>
    </privateSection>
  </dataSource>
  <dataSource id="CORP_LDAP" className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence" isReadonly="true" isPrimary="true">
    <homeFor></homeFor>
    <responsibleFor>
      <principal type="account">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="j_user"></attribute>
          <attribute name="j_password"></attribute>
          <attribute name="userid"></attribute>
          <attribute name="logonalias"></attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.authentication">
          <attribute name="principal"></attribute>
          <attribute name="realm"></attribute>
          <attribute name="domain"></attribute>
        </nameSpace>
      </principal>
      <principal type="user">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="firstname" populateInitially="true"></attribute>
          <attribute name="displayname" populateInitially="true"></attribute>
          <attribute name="lastname" populateInitially="true"></attribute>
          <attribute name="fax"></attribute>
          <attribute name="email"></attribute>
          <attribute name="title"></attribute>
          <attribute name="department"></attribute>
          <attribute name="description"></attribute>
          <attribute name="mobile"></attribute>
          <attribute name="telephone"></attribute>
          <attribute name="streetaddress"></attribute>
          <attribute name="uniquename" populateInitially="true"></attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"></attribute>
        </nameSpace>
        <nameSpace name="$usermapping$">
          <attribute name="REFERENCE_SYSTEM_USER"></attribute>
        </nameSpace>
      </principal>
      <principal type="group">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="displayname" populateInitially="true"></attribute>
          <attribute name="description" populateInitially="true"></attribute>
          <attribute name="uniquename"></attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"></attribute>
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"></attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.bridge">
          <attribute name="dn"></attribute>
        </nameSpace>
      </principal>
    </responsibleFor>
    <attributeMapping>
      <principal type="account">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="j_user"><physicalAttribute name="extensionAttribute2"></physicalAttribute></attribute>
          <attribute name="logonalias"><physicalAttribute name="extensionAttribute2"></physicalAttribute></attribute>
          <attribute name="j_password"><physicalAttribute name="unicodepwd"></physicalAttribute></attribute>
          <attribute name="userid"><physicalAttribute name="*null*"></physicalAttribute></attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.authentication">
          <attribute name="principal"><physicalAttribute name="extensionAttribute2"></physicalAttribute></attribute>
          <attribute name="realm"><physicalAttribute name="*null*"></physicalAttribute></attribute>
          <attribute name="domain"><physicalAttribute name="*null*"></physicalAttribute></attribute>
        </nameSpace>
      </principal>
      <principal type="user">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="firstname"><physicalAttribute name="givenname"></physicalAttribute></attribute>
          <attribute name="displayname"><physicalAttribute name="displayname"></physicalAttribute></attribute>
          <attribute name="lastname"><physicalAttribute name="sn"></physicalAttribute></attribute>
          <attribute name="fax"><physicalAttribute name="facsimiletelephonenumber"></physicalAttribute></attribute>
          <attribute name="uniquename"><physicalAttribute name="extensionAttribute2"></physicalAttribute></attribute>
          <attribute name="loginid"><physicalAttribute name="*null*"></physicalAttribute></attribute>
          <attribute name="email"><physicalAttribute name="mail"></physicalAttribute></attribute>
          <attribute name="mobile"><physicalAttribute name="mobile"></physicalAttribute></attribute>
          <attribute name="telephone"><physicalAttribute name="telephonenumber"></physicalAttribute></attribute>
          <attribute name="department"><physicalAttribute name="ou"></physicalAttribute></attribute>
          <attribute name="description"><physicalAttribute name="description"></physicalAttribute></attribute>
          <attribute name="streetaddress"><physicalAttribute name="postaladdress"></physicalAttribute></attribute>
          <attribute name="pobox"><physicalAttribute name="postofficebox"></physicalAttribute></attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"><physicalAttribute name="*null*"></physicalAttribute></attribute>
        </nameSpace>
        <nameSpace name="$usermapping$">
          <attribute name="REFERENCE_SYSTEM_USER"><physicalAttribute name="sapusername"></physicalAttribute></attribute>
        </nameSpace>
      </principal>
      <principal type="group">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attribute name="displayname"><physicalAttribute name="displayname"></physicalAttribute></attribute>
          <attribute name="description"><physicalAttribute name="description"></physicalAttribute></attribute>
          <attribute name="uniquename" populateInitially="true"><physicalAttribute name="ou"></physicalAttribute></attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"><physicalAttribute name="*null*"></physicalAttribute></attribute>
          <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"><physicalAttribute name="*null*"></physicalAttribute></attribute>
        </nameSpace>
        <nameSpace name="com.sap.security.core.bridge">
          <attribute name="dn"><physicalAttribute name="*null*"></physicalAttribute></attribute>
        </nameSpace>
      </principal>
    </attributeMapping>
    <privateSection>
      <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
      <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
      <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
      <ume.ldap.access.flat_group_hierachy>false</ume.ldap.access.flat_group_hierachy>
      <ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
      <ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
      <ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
      <ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
      <ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
      <ume.ldap.access.objectclass.grup>organizationalUnit</ume.ldap.access.objectclass.grup>
      <ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
      <ume.ldap.access.auxiliary_naming_attribute.user>extensionAttribute2</ume.ldap.access.auxiliary_naming_attribute.user>
      <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
      <ume.ldap.access.auxiliary_naming_attribute.uacc>extensionAttribute2</ume.ldap.access.auxiliary_naming_attribute.uacc>
      <ume.ldap.access.naming_attribute.grup>ou</ume.ldap.access.naming_attribute.grup>
    </privateSection>
  </dataSource>
</dataSources>
-
-
The output of "Test component for UME objects":

Get user object by logonId took: 0ms
...
UME User toString
Transient data: No transient data set.
Persistent data:
***************************************************************************
* com.sap.security.core.persistence.imp.PrincipalDatabag Wed May 28 17:26:39 CEST 2008
* UniqueID: USER.CORP_LDAP.cn=fpn-user,ou=special-users,ou=bae-users,dc=customer,dc=de
* Type: USER
* Home data source: CORP_LDAP
* Private id part: cn=fpn-user,ou=special-users,ou=bae-users,dc=customer,dc=de
*
* Principal exists.
*
* Direct parents:
* GRUP: GRUP.SUPER_GROUPS_DATASOURCE.EVERYONE
*       GRUP.SUPER_GROUPS_DATASOURCE.AUTHENTICATED_USERS
* ROLE:
* "com.sap.portal.dsm"|->"DebugControlFlag" (no time limit)=
* "com.sap.security.core.usermanagement"|->"accessibilitylevel" (no time limit)=
* "com.sap.security.core.usermanagement"|->"unlockdate" (no time limit)=
* "com.sap.security.core.usermanagement"|->"uniquename" (no time limit)="fpn-user2"
* "com.sap.security.core.usermanagement"|->"ps_link" (no time limit)=
* "com.sap.security.core.usermanagement"|->"lockmessage" (no time limit)=
* "com.sap.security.core.usermanagement"|->"lockperson" (no time limit)=
* "com.sap.security.core.usermanagement"|->"salutation" (no time limit)=
* "com.sap.security.core.usermanagement"|->"displayname" (no time limit)="FPN-User"
* "com.sap.security.core.usermanagement"|->"APPROVAL_REQUEST_COMPANYID" (no time limit)=
* "com.sap.security.core.usermanagement"|->"company" (no time limit)=
* "com.sap.security.core.usermanagement"|->"lastname" (no time limit)="User"
* "com.sap.security.core.usermanagement"|->"locale" (no time limit)=
* "com.sap.security.core.usermanagement"|->"unlockperson" (no time limit)=
* "com.sap.security.core.usermanagement"|->"ps_timestamp" (no time limit)=
* "com.sap.security.core.usermanagement"|->"unlockmessage" (no time limit)=
* "com.sap.security.core.usermanagement"|->"firstname" (no time limit)="FPN"
* "com.sap.security.core.usermanagement"|->"email" (no time limit)="fpn-user'AT-Sign'customer.de"
* "com.sap.security.core.usermanagement"|->"ps_version" (no time limit)=
* "com.sap.security.core.usermanagement"|->"lockReason" (no time limit)=
* "$serviceUser$"|->"SERVICEUSER_ATTRIBUTE" (no time limit)=
* "com.sapportals.portal.navigation"|->"uipmode" (no time limit)=
***************************************************************************
-
-
Any help or hint will be appreciated and of course points will be given 😊
Thanks and greets,
Jörg Schröder
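An added example, not from the original post or from SAP: a small checker for a UME dataSourceConfiguration file that lists, per principal type, the logical attributes a data source claims in responsibleFor but never maps in attributeMapping, and the attributes explicitly mapped to the "*null*" physical attribute. The embedded XML is a constructed, abridged subset of the CORP_LDAP data source above; run against the full file, the output is what an administrator would compare with the fields the user management UI reports as mandatory.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged version of the poster's CORP_LDAP data source (not the
# full file), limited to the attributes needed to exercise the check below.
SAMPLE_CONFIG = """<dataSources>
  <dataSource id="CORP_LDAP" isReadonly="true" isPrimary="true">
    <responsibleFor>
      <principal type="account"><nameSpace name="com.sap.security.core.usermanagement">
        <attribute name="j_user"/><attribute name="userid"/><attribute name="logonalias"/>
      </nameSpace></principal>
      <principal type="user"><nameSpace name="com.sap.security.core.usermanagement">
        <attribute name="firstname"/><attribute name="title"/><attribute name="uniquename"/>
      </nameSpace></principal>
    </responsibleFor>
    <attributeMapping>
      <principal type="account"><nameSpace name="com.sap.security.core.usermanagement">
        <attribute name="j_user"><physicalAttribute name="extensionAttribute2"/></attribute>
        <attribute name="logonalias"><physicalAttribute name="extensionAttribute2"/></attribute>
        <attribute name="userid"><physicalAttribute name="*null*"/></attribute>
      </nameSpace></principal>
      <principal type="user"><nameSpace name="com.sap.security.core.usermanagement">
        <attribute name="firstname"><physicalAttribute name="givenname"/></attribute>
        <attribute name="uniquename"><physicalAttribute name="extensionAttribute2"/></attribute>
        <attribute name="loginid"><physicalAttribute name="*null*"/></attribute>
      </nameSpace></principal>
    </attributeMapping>
  </dataSource>
</dataSources>"""


def _attrs(principal):
    """Map 'namespace|attribute' -> physical attribute name (None when no mapping is given)."""
    out = {}
    for ns in principal.findall("nameSpace"):
        for a in ns.findall("attribute"):
            phys = a.find("physicalAttribute")  # the LDAP attribute behind the logical one
            out[f"{ns.get('name')}|{a.get('name')}"] = None if phys is None else phys.get("name")
    return out


def check_mapping(xml_text, datasource_id):
    """Per principal type: attributes claimed in <responsibleFor> but absent from
    <attributeMapping>, and attributes explicitly mapped to "*null*"."""
    ds = ET.fromstring(xml_text).find(f"./dataSource[@id='{datasource_id}']")
    claimed = {p.get("type"): _attrs(p) for p in ds.findall("./responsibleFor/principal")}
    mapped = {p.get("type"): _attrs(p) for p in ds.findall("./attributeMapping/principal")}
    return {t: {"unmapped": sorted(set(claimed.get(t, {})) - set(mapped.get(t, {}))),
                "null_mapped": sorted(k for k, v in mapped.get(t, {}).items() if v == "*null*")}
            for t in sorted(set(claimed) | set(mapped))}
```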