Certificate User Mapping Service - Active Directory

nuesseler
Explorer
0 Kudos

Hello,

I set up the following environment:

  • Microsoft Active Directory
  • SAP NW Java 7.3 SP7
  • Secure Login Server 1.0 SP3
  • User Authentication with Kerberos (AD Authentication)
  • Configuration of SPNEGO Login Module / user mapping
    • Mapping mode: Principal@REALM
    • Source: virtual user (nice feature, I like it)
  • User-Defined Properties in SLS
    • LdapReadServers, LdapReadBaseDN1, ... in order to read the AD attribute 'mail' of the user.
    • The LdapReadUser1 is in the root domain.
    • The LdapReadUrl1 is the global catalog server.
    • The LdapReadAttribute1 = "mail"

I did not get a result. The Common Name RDN is still the samAccountName of the user.

Questions:

  • Is there a logfile where I can find information about what goes wrong with the LDAP search?
  • Which search string is used by the SLS (userPrincipalName or samAccountName)?
  • Which attribute is used to search? If an openLDAP is used, then the attribute 'uid' should be used for the search. If a Microsoft AD is used, then the attribute 'userPrincipalName' should be used. Can this be configured?

Best Regards,

Markus Nüsseler-Polke

Accepted Solutions (0)

Answers (1)

frane_milicevic
Active Participant
0 Kudos

Hi Markus,

here are my answers.

Question 1
Is there a logfile where I can find information about what goes wrong with the LDAP search?

Answer: Yes, activate trace in Secure Login Server and start tracing using the Security Troubleshooting Wizard (in AS JAVA - nwa), or, if you are more familiar with them, use network sniffer tools.

Question 2
Which search string is used by the SLS (userPrincipalName or samAccountName)?

Answer: The User ID (comparing to your question: samAccountName) will be used and will be searched in the BaseDN (LdapReadBaseDN). Secure Login Server is able to distinguish the differences between an ADS system and an LDAP system.


Question 3
Which attribute is used to search? If an openLDAP is used, then the attribute 'uid' should be used for the search.
If a Microsoft AD is used, then the attribute 'userPrincipalName' should be used. Can this be configured?

Answer: From my point of view this is not necessary, as we are using User ID and search in the BaseDN. So it works for both. Maybe you want to provide an example configuration?


Best regards,
Frane
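A way to check the lookup described in the question (user ID searched in the LdapReadBaseDN, attribute 'mail' read back) independently of Secure Login Server, covering both the AD and the openLDAP case from Question 3. This is an added example written for this thread, not SAP's or SLS's own code: it assumes, as Frane's answer states, that the search key is the user ID from the Principal@REALM mapping (sAMAccountName on AD, uid on openLDAP), it derives the AD naming context from the Kerberos realm, and the live search in `lookup_mail` assumes the third-party `ldap3` package and a global catalog reachable on port 3268/3269. The names `USER_ATTR`, `build_filter`, `realm_to_base_dn` and `lookup_mail` are this example's own. The filter escaping is included because the user ID comes from an authenticated principal name and must not be spliced into the filter unescaped.

```python
"""Reproduce the LDAP lookup an SLS 'LdapRead*' configuration is expected to do
(example code for this thread, not SAP's implementation).

Assumptions (not taken from the thread itself):
  - the user ID is searched in the configured base DN: sAMAccountName on AD,
    uid on openLDAP; the attribute read back is 'mail';
  - the AD base DN can be derived from the Kerberos realm of the principal;
  - the optional live search uses the third-party 'ldap3' package against the
    global catalog (ldap://gc:3268 or ldaps://gc:3269).
"""
from typing import Optional

# Directory flavour -> attribute carrying the login name (assumed mapping).
USER_ATTR = {"ad": "sAMAccountName", "openldap": "uid"}

# RFC 4515 escapes for characters that would change filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter.
    Without this, a principal like 'a)(mail=*' would widen the search."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def split_principal(principal: str) -> tuple:
    """'markus@CORP.EXAMPLE.COM' -> ('markus', 'CORP.EXAMPLE.COM'),
    i.e. the two parts the Principal@REALM mapping mode delivers."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"not a Principal@REALM value: {principal!r}")
    return user, realm


def realm_to_base_dn(realm: str) -> str:
    """Kerberos realm -> AD domain naming context:
    'CORP.EXAMPLE.COM' -> 'DC=corp,DC=example,DC=com'."""
    labels = [lbl for lbl in realm.lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty realm")
    return ",".join(f"DC={lbl}" for lbl in labels)


def build_filter(user_id: str, directory: str = "ad") -> str:
    """Filter for the user ID in the directory's login attribute.
    On AD, objectClass=user is pinned so contacts or groups with the same
    name are not returned as the 'user'."""
    attr = USER_ATTR[directory]
    value = escape_filter_value(user_id)
    if directory == "ad":
        return f"(&(objectClass=user)({attr}={value}))"
    return f"({attr}={value})"


def lookup_mail(server_url: str, bind_dn: str, bind_pw: str, principal: str,
                directory: str = "ad", read_attr: str = "mail") -> Optional[str]:
    """Run the search against a live directory with ldap3 (assumed installed).
    Returns the attribute value, or None when the entry is missing, ambiguous,
    or has no such attribute: the situations that leave the CN unchanged."""
    import ldap3  # third-party; imported here so the helpers stay stdlib-only

    user_id, realm = split_principal(principal)
    base_dn = realm_to_base_dn(realm)
    server = ldap3.Server(server_url, get_info=ldap3.NONE)
    with ldap3.Connection(server, user=bind_dn, password=bind_pw, auto_bind=True) as conn:
        conn.search(base_dn, build_filter(user_id, directory), attributes=[read_attr])
        if len(conn.entries) != 1:
            return None  # no match, or more than one match (e.g. across domains)
        values = conn.entries[0][read_attr].values
        return values[0] if values else None


if __name__ == "__main__":
    # Offline demonstration with constructed input; no directory is contacted.
    uid, realm = split_principal("markus@CORP.EXAMPLE.COM")  # constructed principal
    print(realm_to_base_dn(realm))
    print(build_filter(uid, "ad"))
    print(build_filter(uid, "openldap"))
    print(build_filter("evil)(mail=*", "ad"))  # escaped, stays a single equality match
```

If `lookup_mail` returns None for a user whose CN still shows the sAMAccountName, the directory side is the place to look (wrong base DN for the global catalog, the read user lacking permission on 'mail', or the attribute simply not set) rather than the SLS mapping itself; if it returns the address, the SLS trace from Frane's first answer is the next step.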