
Setting up an LDAP data source as an xMII (12.0.4) data server

Former Member
0 Kudos

I'm trying to set up an LDAP data source as an xMII data server in order to retrieve user attributes from our company's Active Directory. I downloaded an LDAP jdbc driver from Novell and deployed it. I set up an IDBC data server with the following parameters:

JDBC Driver: com.novell.sql.LDAPDriver

Server Package: com.sap.xmii.Illuminator.connectors.IDBC

ServerURL: jdbc:ldap://DCSERVER.na.com:389/dc=na,dc=com?SEARCH_SCOPE:=subTreeScope

I used the same AD account that we used in xMII 11.5 to authenticate to LDAP to authenticate users to xMII. (We're still using Netweaver accounts in 12.0.4 but will migrate to LDAP in the next month or so.)

When I check the data server status I get 'Error'.

Any ideas?

David Macindoe

Accepted Solutions (1)


Former Member
0 Kudos

Hi David,

We connect to LDAP with our own driver that's not meant for jdbc access. The question I suppose is how does the jdbc-ldap driver work, does it do similar namespace browsing? Perhaps you could connect somehow, but I have not seen it done nor have I run into a similar issue. I was hoping the log file would provide more meaningful information - maybe you could try changing the log level, not sure if that would help at all. You could also review the Default Trace log. Sorry I can't be of better help.

Regards,

Diana

Former Member
0 Kudos

Just getting back to this issue (after getting distracted by several others!)

I am now able to connect to our LDAP data source. My server URL (which I copied from xMII 11.5 where we were authenticating with LDAP) was not compatible with the Novell jdbc-ldap driver I'm using in 12.0.

I changed the server URL to: 'jdbc:ldap://<server>.na.com:389;useCleartext=true' and I got connected. (I needed the 'useClearText' parameter as our LDAP source doesn't utilize SSL.) In the workbench I can see "tables" and "columns" suitable for a SELECT query.

The current problem is when I run a query, for example:

SELECT organization.adminDescription from organization

I get the following error:

java.sql.SQLException: [Novell][LDAP JDBC Driver] LDAPStatement.setMaxRows() is not suppported.

I'm not trying to limit the number of rows I'm getting back so I'm not sure why this error is being generated.

Any ideas? I'll query the Novell forums to find an answer.

David Macindoe

jcgood25
Active Contributor
0 Kudos

David,

Now that you can connect and see Tables/Columns, you are encountering another JDBC / LDAP driver limitation. The query mechanism is issuing the max rows request through the driver (SQLQuery default is 100) but apparently your driver doesn't like this.

Regards,

Jeremy

Former Member
0 Kudos

I'm not sure how to disable it. I made sure the 'Limit Number of Rows' is unchecked when I run the query in the workbench. Just as a test, I put the query in a transaction and ran it from there but it had the same result.

Any ideas on how to prevent the query from issuing the max rows request? Should I be looking for another LDAP driver?

David

jcgood25
Active Contributor
0 Kudos

That's just it - you can't disable it. All IDBC connections do this, for SQL queries to Oracle, SQLServer, MySQL, DB2, etc. Our query engine treats all of these Data Server connections the same way when issuing requests, and expects the JDBC driver to honor the statements or handle them accordingly.

I don't know if another driver will be the answer, since you really don't know until you try it out.

Regards,

Jeremy

Former Member
0 Kudos

Thanks, Jeremy! I'll see if I can do something from the driver side, like replace it. If I come up with something, I'll post it.

David
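A sketch of the driver-side workaround discussed above, added here as an example and not code from the thread, SAP or Novell: a wrapper `java.sql.Driver` that delegates to the Novell driver and turns `setMaxRows()` into a no-op, so the row limit the query engine always issues no longer raises an exception. The class name `MaxRowsTolerantDriver` and the URL prefix `jdbc:ldapwrap:` are hypothetical, the code assumes Java 8 or later, and it has not been tried inside MII.

```java
import java.lang.reflect.*;
import java.sql.*;
import java.util.Properties;
import java.util.logging.Logger;

// Hypothetical wrapper: configure this class as the JDBC driver and use a URL
// such as jdbc:ldapwrap://host:389;... (prefix invented for this example).
public class MaxRowsTolerantDriver implements Driver {
    private static final String PREFIX = "jdbc:ldapwrap:";
    private final Driver real;

    public MaxRowsTolerantDriver() throws Exception {
        // Driver class name as given in the thread.
        real = (Driver) Class.forName("com.novell.sql.LDAPDriver")
                .getDeclaredConstructor().newInstance();
    }

    public Connection connect(String url, Properties info) throws SQLException {
        if (!acceptsURL(url)) return null;  // JDBC contract: null for foreign URLs
        Connection c = real.connect("jdbc:ldap:" + url.substring(PREFIX.length()), info);
        return c == null ? null : wrap(c, Connection.class);
    }

    // Proxy a JDBC object; statements handed out by a connection are proxied too.
    @SuppressWarnings("unchecked")
    private static <T> T wrap(final Object target, Class<T> iface) {
        InvocationHandler h = (proxy, m, args) -> {
            if (m.getName().equals("setMaxRows")) return null;  // swallow the unsupported call
            try {
                Object r = m.invoke(target, args);
                if (r instanceof CallableStatement) return wrap(r, CallableStatement.class);
                if (r instanceof PreparedStatement) return wrap(r, PreparedStatement.class);
                if (r instanceof Statement) return wrap(r, Statement.class);
                return r;
            } catch (InvocationTargetException e) {
                throw e.getCause();  // surface the driver's own SQLException unchanged
            }
        };
        return (T) Proxy.newProxyInstance(
                MaxRowsTolerantDriver.class.getClassLoader(), new Class<?>[] {iface}, h);
    }

    public boolean acceptsURL(String url) { return url != null && url.startsWith(PREFIX); }
    public DriverPropertyInfo[] getPropertyInfo(String u, Properties p) { return new DriverPropertyInfo[0]; }
    public int getMajorVersion() { return real.getMajorVersion(); }
    public int getMinorVersion() { return real.getMinorVersion(); }
    public boolean jdbcCompliant() { return false; }
    public Logger getParentLogger() throws SQLFeatureNotSupportedException {
        throw new SQLFeatureNotSupportedException();
    }
}
```

Because the limit is silently dropped, a query through this wrapper returns every matching directory entry, so the SELECT itself has to keep the result set small.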

Answers (2)


Former Member
0 Kudos

Hi David,

I've done some asking around here in the office - the LDAP server is not a relational database, and uses a different protocol, so there does not appear to be a way to connect to it as such.

Kind Regards,

Diana Hoppe

Former Member
0 Kudos

Hi David,

Have you checked the Netweaver logs? I would suggest you recreate the issue, noting the time you did so, and then peruse the logs for more detailed information as to why the connection is failing.

Kind Regards,

Diana Hoppe

Former Member
0 Kudos

Thanks Diana. The last two entries in the logs are:

Reload request for server NAOXY

Stopping Server [name=NAOXY,className=com.sap.xmii.Illuminator.connectors.IDBC.IDBC,description=null,enabled=true,connected=true,holder=com.sap.xmii.Illuminator.tools.database.ConnectionHolder@6b676b67]

No reason why the server was being stopped.

David

Former Member
0 Kudos

"We're still using Netweaver accounts in 12.0.4 but will migrate to LDAP in the next month or so."

If this is the goal, then I would suggest you wait, because you would anyway be configuring the LDAP on the Netweaver UME. Once that is done you can easily access user attributes as defined in LDAP.

Former Member
0 Kudos

Two things -

1) Diana - While LDAP isn't a true relational database, the jdbc driver should allow us to treat it as one - albeit with limited SELECT functionality.

The 11.5 help on 'LDAP User Configuration' says - "The Lightweight Directory Access Protocol (LDAP) connector allows Security Manager to query the user and role information from any LDAP version 3 compliant server. It uses simple SQL statements. Since the LDAP server is not a true relational database, the driver supports limited SELECT capabilities."

I had hoped the same concept applied to setting up LDAP as a 12.0 data server.

2) Udayan - when you say 'you can easily access user attributes as defined in LDAP', are you saying all of the characteristics pertaining to a specific LDAP user object are visible to Netweaver and thus to MII? For example, I'd like to be able to retrieve the user's LDAP group memberships as we'll be using that to assign permissions to certain aspects of MII projects.

If all the user's LDAP characteristics can be defined as user attributes then yes, I'll pull them in through the authentication process. If not, then I'll need to pull them in later through a data server query.

David

Former Member
0 Kudos

The User Attributes I was referring to were the common user information like email, telephone, address etc.

Now I have very little knowledge on the AD side but as I understand, these are the most common user attributes apart from which I am sure AD would allow you to define more.

As far as the AD Group is concerned, I am not sure if this could be defined as an attribute, I may be wrong. Moreover in my experience so far I have not come across any instance wherein I was able to see the AD group info in xMII although it is very much accessible from the Netweaver UME.

Also, are you not thinking of defining Netweaver Roles (which should be mapped to the AD groups) for assigning the permissions in MII? As far as I know this is the cleanest way to secure your application because as far as the Navigation is concerned you will be able to see only the Users and the Netweaver Roles in MII.