Former Member

BI and LDAP integration. HELP.

Hello to everyone.

I've been asked to search for solution where the passwords from Active Directory Domain (LDAP) must be identical to passwords from BI system.

We have domain controller on MS server 2003 where the usernames/password are stored for Exchange Server. And we have a separate system SAP BI with usernames/passwords on its side.

Our client wants to have same passwords on both systems. However our sys. admins must stay responsible for maintenance of password which means the central password storage must be MS Active Directory.

As far as I've read the documentation, we need to implement NetWeaver Identity Management, which consists of: Identity Center and Virtual Server. However, there must be IM Password Hook installed on domain controller to intercept user's password changes. Does it mean that it will synchronize the newly typed password to Identity Center, which will then be distributed to IM connected systems (in my case SAP BI)?

What about the replication of all user information from Active Directory -> Identity Management -> BI. Will it work without password hook? Will it replicate passwords either?

As far as I know passwords in LDAP are stored in hashes so there is no way to replicate this data LDAP -> CUA for example. However CUA -> LDAP is going to work. Please correct me if I'm wrong.

Reading various docs provided by SAP I've seen only LDAP -> UME scenario where the password replication occurred. In all other cases LDAP is used in the opposite direction: Any Source -> LDAP.

Will it work the way I described (LDAP -> IM -> BI) or have I misunderstood something?

Any help would be much appreciated.

Edited by: Artjoms Nikulins on Feb 27, 2009 11:59 AM


2 Answers

  • Posted on Feb 27, 2009 at 12:21 PM


    You can also solve this problem without synchronising passwords, and by doing so provide a much more secure solution. I will describe below:

    1. user logs onto windows workstation using Active Directory domain account and password

    2. during the logon Active Directory will issue a Kerberos ticket which is stored in a cache on workstation

    3. user logs onto SAP using SAP GUI and SAP GUI will use Kerberos (via SNC) to authenticate the user to SAP system. The user will not need to authenticate again since they already did this when they logged onto workstation.

    4. The SAP server will not need a password for the user because it will be using SNC and therefore using the Kerberos credentials issued during the user's logon to workstation in order to identify the user and trust them, and then let them access the application.

    For above, you need to implement an SNC library on each workstation, and also on each SAP ABAP AS system. This does not involve any password sync and does not involve any passwords being passed over network to SAP system. The only password the user needs is the one they logon to their workstation with before they logon to SAP. This is the Active Directory domain user name and password.

    I hope you find this useful whilst you research the options available - it looks like you were not aware of this being possible since you only mentioned Idm and ldap in your post.

    Take care,
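
A check a practitioner might run once the SNC setup described in the answer above is in place (added example, not part of the original thread): it audits an instance profile for settings that would still let SAP GUI users log on with an SAP password. The `snc/*` names are standard SAP profile parameters that the post does not mention; the profile text, library path and SNC name are constructed placeholders.

```python
import re

# Constructed sample instance profile (placeholder values, not from the thread).
SAMPLE_PROFILE = """\
# SNC settings for Kerberos single sign-on
snc/enable = 1
snc/gssapi_lib = /path/to/vendor/snc-library.so
snc/identity/as = p:SAPService@EXAMPLE.LOCAL
snc/data_protection/min = 1
snc/accept_insecure_gui = 1
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([\w/.\-]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def audit_snc(params):
    """List settings that undermine 'no SAP password needed' SNC logon."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is off, logon uses SAP passwords")
    for name in ("snc/gssapi_lib", "snc/identity/as"):
        if not params.get(name):
            findings.append(f"{name} is not set")
    if params.get("snc/accept_insecure_gui") == "1":
        # Password logon from SAP GUI without SNC is still accepted.
        findings.append("snc/accept_insecure_gui = 1: non-SNC GUI logon allowed")
    level = params.get("snc/data_protection/min")
    if level in ("1", "2"):
        # 1 = authentication only, 2 = integrity, 3 = privacy (encryption).
        findings.append(f"snc/data_protection/min = {level}: unencrypted sessions allowed")
    return findings

if __name__ == "__main__":
    for finding in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print("FINDING:", finding)
```
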



  • Former Member
    Posted on Feb 27, 2009 at 02:32 PM

    Thank you Tim for reply!

    Yes, I haven't mentioned this scenario in this thread because it is not going to work for me. The problem is that we have 2 domains. Let's say A and B domains.

    Some of the users are granted to log on to domain A and they are using Novell client to login. Other users log in to domain B however they are also using domain A credentials to get mail from Exchange server. And they are typing their password for domain B during login to workstation.

    So that's why this scenario is not quite suitable for my client.

    Anyway thanks for advice.

