LDAP UME different user path

former_member184588
Active Participant
0 Kudos

Hello,

I am just setting up the connection between a UME and LDAP as data source. In the fantastic test-environment world where the grass is green and ... I had one path to the groups and one path to the users, and everything was as it should be.

Unfortunately I have arrived in the real world, and in the LDAP directory the users are split into different "folders" beneath one root user folder. In these "folders" there are different users that I don't need. But they have no attribute to filter them out.

Now I am thinking of creating one group and assigning all portal users to this group. Afterwards I would use the negative user filter, like "not member of group portalusers". Is this a normal way, and does someone know some examples? Is a "not" possible in the negative filter?

The other way would be to configure multiple data sources that connect to the same LDAP but with different user paths.

How are you handling problems like having users in different paths?

It would be nice if someone could help,

Vanessa

Accepted Solutions (1)

Former Member
0 Kudos

I have a tree structure like this...

region.company.net
+ Administrators
- Country_1
  - DataCentre
    - ManagementGroups
      - SAPPortals
        DEV
        TST
        PRD
  + Site_1
  + Site_2
  - Site_3
    + Function_1
    + Function_2
    - Function_3
      + Servers
      + Laptops
      + Desktops
      + Groups
        Users

And the above repeats for each functional grouping at each location in each country...

My userid exists in one of the "users" folders and other valid users exist in other "users" folders on various branches of the tree. I've pointed the UME LDAP user path to the root node at "region.company.net". This means that every user defined in AD has the potential to log on to the portal using their AD (Windows) credentials. We don't consider this a problem because we have granted access to a welcome page to the "Everyone" group within the portal and the page says that, if the user has no tabs on the top of the page to allow them to do anything useful, they should request access via the security process.

Access is controlled slightly differently in that we assign portal roles to AD groups as the only means of granting access (administrators excepted). A user who wants access to specific functions is added to the relevant group by the AD group administration team (fairly low level administration activity on the security control process so it's very quick). To achieve this we did need to have a SINGLE folder for each portal set up in an administrative branch of the tree and then each portal's UME LDAP configuration was pointed to its own group.

The original hope was that we would match group name to role name, but we ended up having to create a group folder for each portal (incorporating the portal's SID in the folder name for identification) and to insert the portal's SID in the name of every group within that portal's folder. This was because AD requires that a group name be unique within the whole tree, and we needed a means of distinguishing between what access a user may have in the dev, test and prod portals.

Does this help?

Edited by: Murray Nicholas on Jul 23, 2009 3:45 PM
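Added worked example (not code from this thread, from SAP, or from Murray's environment): a small Python model of the tree above, with a subset LDAP filter evaluator, that shows the two points the question and the answer turn on. First, "not member of group X" is expressible in standard LDAP filter syntax (RFC 4515) as `(!(memberOf=<group DN>))`, so a negative filter can carry a "not". Second, with the user path at the root node every AD user is found, and portal access is then decided by group membership in a per-portal folder whose group names carry the portal SID. The DNs, account names, the `content_admin` role name and the `DEV`/`PRD` SIDs are all constructed for the illustration.

```python
"""Toy directory + LDAP filter evaluator modelled on the tree in the answer.

Constructed example data only: none of the DNs, accounts or groups below
come from a real directory. Filter grammar covered: (&...), (|...), (!...),
(attr=value) and presence (attr=*).
"""

BASE = "DC=region,DC=company,DC=net"
# One folder per portal for its groups; the portal SID (DEV / PRD here) is in
# both the folder name and every group name, mirroring the answer's layout.
PORTAL_OU = "OU=SAPPortals,OU=ManagementGroups,OU=DataCentre,OU=Country_1," + BASE
DEV_ADMINS = "CN=DEV_content_admin,OU=DEV," + PORTAL_OU
PRD_ADMINS = "CN=PRD_content_admin,OU=PRD," + PORTAL_OU


def _user(name, site, function, groups):
    """Constructed user entry living in a Site/Function 'Users' folder."""
    dn = f"CN={name},OU=Users,OU={function},OU={site},OU=Country_1,{BASE}"
    return {"dn": dn, "objectClass": ["user"], "sAMAccountName": [name],
            "memberOf": groups}


DIRECTORY = [
    _user("alice", "Site_3", "Function_3", [DEV_ADMINS, PRD_ADMINS]),
    _user("bob", "Site_1", "Function_1", [PRD_ADMINS]),
    _user("svc-backup", "Site_2", "Function_2", []),  # real AD user, no portal role
    {"dn": DEV_ADMINS, "objectClass": ["group"], "cn": ["DEV_content_admin"]},
    {"dn": PRD_ADMINS, "objectClass": ["group"], "cn": ["PRD_content_admin"]},
]


def parse_filter(text):
    """Parse an LDAP filter string into a tuple tree; ValueError on junk."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing characters after filter at offset {end}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":                       # AND / OR over one or more sub-filters
        op, i, items = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            items.append(node)
        if not items or i >= len(s) or s[i] != ")":
            raise ValueError(f"malformed '{op}' list at offset {i}")
        return (op, items), i + 1
    if s[i] == "!":                        # NOT over exactly one sub-filter
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unclosed '!' at offset {i}")
        return ("!", node), i + 1
    end = s.find(")", i)                   # attr=value (value may contain commas)
    if end < 0 or "=" not in s[i:end]:
        raise ValueError(f"malformed comparison at offset {i}")
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1


def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP; 'dn' is not an attribute."""
    return next((v for k, v in entry.items()
                 if k != "dn" and k.lower() == attr.lower()), [])


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    vals = _values(entry, attr)
    if value == "*":                       # presence test
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


def search(base, filter_text, directory=DIRECTORY):
    """Subtree search: sorted DNs under `base` that match the filter."""
    node = parse_filter(filter_text)
    return sorted(e["dn"] for e in directory
                  if e["dn"].lower().endswith(base.lower()) and matches(node, e))


def portal_roles(account, portal_sid, directory=DIRECTORY):
    """Roles one portal grants a user: SID-prefixed groups in that portal's
    own folder. Groups of another portal (other SID) are ignored."""
    folder = f"OU={portal_sid},{PORTAL_OU}".lower()
    prefix = f"CN={portal_sid}_"
    node = parse_filter(f"(&(objectClass=user)(sAMAccountName={account}))")
    roles = []
    for entry in directory:
        if not matches(node, entry):
            continue
        for group_dn in entry.get("memberOf", []):
            cn, _, parent = group_dn.partition(",")
            if parent.lower() == folder and cn.startswith(prefix):
                roles.append(cn[len(prefix):])
    return sorted(roles)


if __name__ == "__main__":
    print("user path at root:", search(BASE, "(objectClass=user)"))
    print("not in DEV group:", search(BASE, f"(&(objectClass=user)(!(memberOf={DEV_ADMINS})))"))
    print("alice in DEV:", portal_roles("alice", "DEV"), "bob in DEV:", portal_roles("bob", "DEV"))
```

Two caveats a practitioner would check before relying on this shape in a real setup: AD's `memberOf` attribute holds only direct group memberships, so a negative filter on it will not see users who are only nested members of the excluded group (the LDAP_MATCHING_RULE_IN_CHAIN extensible match is the usual way to cover nesting, and is not modelled here); and whether UME applies its negative user filter as an exclusion or an inclusion filter is defined by the UME documentation, not by this evaluator, so verify the property's semantics against a test user before rolling it out.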

Answers (3)

former_member184588
Active Participant
0 Kudos

Hello, and thank you very much for all of your answers. In the end we actually created a new node for the portal users, so we took the easy way.

Thx, Vanessa

former_member184588
Active Participant
0 Kudos

Is it possible to use the negative_user_filter for OEs?

former_member184588
Active Participant
0 Kudos

no ideas?