Integration of SAP Netweaver User Management with LDAP

Integration of SAP Netweaver User Management with LDAP Applies to: SAP Netweaver 7.0/7.1 Microsoft Active Directory 2003 Summary The document describes the detailed steps of configuring the integration of SAP Netweaver User Management with LDAP (Microsoft Active Directory 2003 is used as LDAP). LDAP, being the integrated, provides a central user repository used to centrally maintain user data, thus avoiding the redundant, error prone maintenance of user information in several systems and reduced total cost to ownership. Here the LDAP directory acts as a leading system wherein the Users are imported to the SAP system when the user synchronization happens every time. Author: Radha SK Company: Team: Technical Validation -SAP Labs India, Bangalore Created on: 1 July 2009 2009 SAP AG 1

Table of Contents Prerequisites... 3 Configuring LDAP Connector... 4 Defining System Users... 5 1. Access the LDAP Connector via Tcode LDAP choose System Users... 5 2. Switch to change mode and choose New Entries... 5 3. Enter the required data and Save the entries. Refer the below screenshot.... 5 Defining Server Details... 5 Logging on to the Directory Service... 6 Mapping... 7 Mapping Using function modules8 Mapping Using function modules... 8 Synchronization of SAP User Administration with LDAP Directory... 8 LDAP Synchronization... 9 Integration of Java User Management Engine with LDAP... 11 Configuring Java UME to use LDAP as a data source with the User Management Console... 11 Procedure... 11 Configuring Java UME to use LDAP as a data source with the Config Tool... 13 Limitation of UME when AS ABAP is used as a data source... 15 Configuring Java UME to use LDAP as a data source with the Netweaver Administrator Console (NWA) for SAP Netweaver 7.1 Java system.... 15 Procedure:... 16 Related content... 17 Disclaimer and Liability Notice... Error! Bookmark not defined. 2009 SAP AG 2

Prerequisites The LDAP connector requires access to some specific library which is installed on the specific application server platform. The LDAP connector is called using ABAP functions and communicates with the directory services using Lightweight Directory Access Protocol. To check whether LDAP Connector is operable, that is checking the availability of LDAP Library on the application server. Run ldap_rfc command in the kernel directory and check the version details. 2009 SAP AG 3

Configuring LDAP Connector 1. Create and RFC of connector T-Type Note: It is recommended to use the following naming convention: LDAP_<server_name>. If there are multiple LDAP connectors on one server then use: LDAP_<server_name>_<sequence_number> Example: LDAP_SERVER_01 2. Select Registered server program as activation type 3. Specify the Program ID same as the RFC destination. 4. Save your entries. Refer the below screenshot for LDAP connector details 2009 SAP AG 4

Defining System Users The communication user (Example: TestUser) has to be maintained in the LDAP server which used by the LDAP connector to bind to the LDAP Directory Server. 1. Access the LDAP Connector via Tcode LDAP choose System Users 2. Switch to change mode and choose New Entries 3. Enter the required data and Save the entries. Refer the below screenshot. Defining Server Details Create a new logical LDAP Server. Here you have to maintain the connection details of the physical directory 1. On the initial screen of LDAP choose Server and switch to change mode. 2. Choose New Entries and Enter the required data and Save Entries Refer the below screen shot for Server Entry details 2009 SAP AG 5

Logging on to the Directory Service Now you must check the connection to the directory service by logging on to it. 1. In the initial screen of the LDAP transaction, specify the LDAP server name and the LDAP connector. 2. Press Logon 3. Provide the System User or enter the directory service user and password. 4. Choose Execute. 2009 SAP AG 6

Mapping In transaction LDAPMAP specific SAP data fields can be mapped to the desired directory attributes. SAP offers directory specific proposals for the mapping of the directory attributes to the SAP data fields. After importing the proposal the mapping details can be customized as desired. For each attribute there is the option to specify whether the customized mapping is only valid for import, export or for both ways of synchronization. 2009 SAP AG 7

Mapping Using function modules If the desired mapping is not a simple 1:1 relationship, function modules can be used to enable a more complicated mapping procedure. A simple example is the telephone number. The telephone number of a user is stored in the directory attribute telephone (in MS Active Directory). The extension is normally split by a hyphen -. In SAP the telephone number of a user is stored in two data fields ADDRESS-TEL1_NUMBR and ADDRESS-TEL1_EXT. Therefore the function module MAP_SPLIT_CHAR can be used. This module reads the value for the telephone number from the directory attribute telephone. The extension is split at the position where the system finds a hyphen - in the string and the two values are stored in the SAP data fields ADDRESSTEL1_NUMBR and ADDRESS-TEL1_EXT. Synchronization of SAP User Administration with LDAP Directory Once the mapping indicators have been set, you have to synchronize the data from the LDAP server with the SAP User Administration. 1. Execute report RSLDAPSYNC_USER in the transaction SE38. 2. Specify the logical LDAP server and LDAP connector 3. Define how the report has to process the entries of the objects that found during the search. The search result is made up of three subsets. a. Objects that exists in both in directory and database b. Objects that exits only in directory c. Objects that exits only in database 4. Save your entries and Execute. 2009 SAP AG 8

LDAP Synchronization For example the user LDAP ABAP has been created in the Active Directory Server. When the synchronization report is executed in an SAP system, the user LDAP ABAP is taken from the LDAP directory server to the ABAP system. The below figure is LDAP synchronization log when the report has been executed successfully. 2009 SAP AG 9

The following is the screenshot of the user LDAP ABAP is the ABAP User Management SU01 2009 SAP AG 10

Integration of Java User Management Engine with LDAP Configuring Java UME to use LDAP as a data source with the User Management Console Procedure 1. Login to the User Management console with the Administrator rights. 2. Start the User Management 3. Choose Data sources tab 4. Choose Modify Configuration 5. From Data Source, select the data source that best matches your LDAP directory. For Microsoft Active Directory, choose ads_readonly_db 6. Choose the LDAP Server tab 7. Enter the required data for connection 2009 SAP AG 11

8. Choose Test Connection If the test fails, user management configuration displays the entry from the security log. The monitoring tools of your LDAP directory can also help you determine the cause of the problem. If necessary, go back and reenter the connection data and test the connection until you are successful. 9. Sava all the changes 10. Restart the application server for the changes to take effect. Once the server is restarted, you will see the users which are imported from the LDAP directory. To see the users from LDPA directory, go to Identity management and search for the users from the source LDAP. Below is snapshot of the users in the Java UME which are imported from LDAP directory. 2009 SAP AG 12

Configuring Java UME to use LDAP as a data source with the Config Tool The UME LDAP configuration tool simplifies the process of configuring the UME to use an LDAP directory. It allows to choose the configuration file for configuring the data source files and also to enter the connection data for the LDAP directory and the test the data. 1. Click on the Configtool.bat file in the installation folder. <SAPJ2EEEngine_installation>\j2ee\configtool\configtool.bat 2. In the configtool, choose UME LDAP 2009 SAP AG 13

3. Configure the LDAP Data Source as required and save your entries 4. Click on the Test connection button to establish a connection with the LDAP directory with service user. 2009 SAP AG 14

5. Restart the AS Java Now you can see the users in the User Management console in which the users are imported from the LDAP data source. Limitation of UME when AS ABAP is used as a data source In a ABAP+Java dual stack system, by default the system takes the User Management of an ABAP system. In this case, it possible to configure LDAP as a data source in the Java UME. It is also not possible to create the users in the database of AS Java. For more information refer to SAP Note 718383 Configuring Java UME to use LDAP as a data source with the Netweaver Administrator Console (NWA) for SAP Netweaver 7.1 Java system. The above mentioned steps for configuring SAP Netweaver 7.0 java system to use LDAP as a data source are valid for the SAP Netweaver 7.1 system as well. The only difference is we can also configure the User Management with Netweaver Administrative console as well. 2009 SAP AG 15

Procedure: 1. Login to NWA with Admin rights. 2. Choose Operation Management -> Users and Access -> Identity Management 3. Under Related Tasks, choose Configuration. 4. Fill in the required details of the LDAP server and Save your entries. 5. Restart the AS Refer the below screenshot for the connection details 2009 SAP AG 16

Related content SAP Online Help http://help.sap.com http://service.sap.com/security ->Security in Detail -> Identity Management -> Directory Services 2009 SAP AG 17

Copyright Copyright 2009 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iseries, pseries, xseries, zseries, eserver, z/vm, z/os, i5/os, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. 2009 SAP AG 18