LDAP sync with SAP (RFC)
Transcript

  • 1. Integration of SAP Netweaver User Management with LDAP
    Applies to: SAP Netweaver 7.0/7.1, Microsoft Active Directory 2003
    Summary
    This document describes the detailed steps for configuring the integration of SAP Netweaver User Management with LDAP (Microsoft Active Directory 2003 is used as the LDAP directory).
    Once integrated, LDAP provides a central user repository for maintaining user data, which avoids redundant, error-prone maintenance of user information in several systems and reduces total cost of ownership.
    Here the LDAP directory acts as the leading system: users are imported into the SAP system each time user synchronization runs.
    Author: Radha SK
    Company: Team: Technical Validation - SAP Labs India, Bangalore
    Created on: 1 July 2009
    SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com © 2009 SAP AG
  • 2. Table of Contents
    Prerequisites - 3
    Configuring LDAP Connector - 4
    Defining System Users - 5
      1. Access the LDAP Connector via Tcode “LDAP” choose System Users - 5
      2. Switch to change mode and choose New Entries - 5
      3. Enter the required data and Save the entries. Refer the below screenshot. - 5
    Defining Server Details - 5
    Logging on to the Directory Service - 6
    Mapping - 7
    Mapping Using function modules - 8
    Synchronization of SAP User Administration with LDAP Directory - 8
    LDAP Synchronization - 9
    Integration of Java User Management Engine with LDAP - 11
    Configuring Java UME to use LDAP as a data source with the User Management Console - 11
      Procedure - 11
    Configuring Java UME to use LDAP as a data source with the Config Tool - 13
    Limitation of UME when AS ABAP is used as a data source - 15
    Configuring Java UME to use LDAP as a data source with the Netweaver Administrator Console (NWA) for SAP Netweaver 7.1 Java system - 15
      Procedure - 16
    Related content - 17
    Disclaimer and Liability Notice
  • 3. Prerequisites
    The LDAP connector requires access to an LDAP library that is installed on the application server platform. The LDAP connector is called using ABAP functions and communicates with the directory services using the Lightweight Directory Access Protocol.
    To check whether the LDAP connector is operable, that is, whether the LDAP library is available on the application server, run the “ldap_rfc” command in the kernel directory and check the version details.
  • 4. Configuring LDAP Connector
    1. Create an RFC destination of connection type T.
       Note: It is recommended to use the following naming convention: LDAP_<server_name>. If there are multiple LDAP connectors on one server, use LDAP_<server_name>_<sequence_number>. Example: LDAP_SERVER_01
    2. Select Registered Server Program as the activation type.
    3. Specify a Program ID that is the same as the RFC destination.
    4. Save your entries. Refer to the screenshot below for the LDAP connector details.
  • 5. Defining System Users
    The communication user (example: TestUser) that the LDAP connector uses to bind to the LDAP directory server has to be maintained in the LDAP server.
    1. Access the LDAP connector via transaction code “LDAP” and choose System Users.
    2. Switch to change mode and choose New Entries.
    3. Enter the required data and save the entries. Refer to the screenshot below.
    Defining Server Details
    Create a new logical LDAP server. Here you have to maintain the connection details of the physical directory.
    1. On the initial screen of LDAP, choose Server and switch to change mode.
    2. Choose New Entries, enter the required data, and save the entries. Refer to the screenshot below for the server entry details.
  • 6. Logging on to the Directory Service
    Now you must check the connection to the directory service by logging on to it.
    1. On the initial screen of the LDAP transaction, specify the LDAP server name and the LDAP connector.
    2. Press Logon.
    3. Provide the System User or enter the directory service user and password.
    4. Choose Execute.
  • 7. Mapping
    In transaction LDAPMAP, specific SAP data fields can be mapped to the desired directory attributes.
    SAP offers directory-specific proposals for mapping the directory attributes to the SAP data fields. After importing a proposal, the mapping details can be customized as desired.
    For each attribute there is the option to specify whether the customized mapping is valid only for import, only for export, or for both directions of synchronization.
  • 8. Mapping Using function modules
    If the desired mapping is not a simple 1:1 relationship, function modules can be used to enable a more complicated mapping procedure.
    A simple example is the telephone number. The telephone number of a user is stored in the directory attribute “telephone” (in MS Active Directory). The extension is normally separated by a hyphen ‘-’.
    In SAP the telephone number of a user is stored in two data fields, ADDRESS-TEL1_NUMBR and ADDRESS-TEL1_EXT. Therefore the function module MAP_SPLIT_CHAR can be used.
    This module reads the value of the telephone number from the directory attribute telephone. The value is split at the position where the system finds a hyphen ‘-’ in the string, and the two parts are stored in the SAP data fields ADDRESS-TEL1_NUMBR and ADDRESS-TEL1_EXT.
    Synchronization of SAP User Administration with LDAP Directory
    Once the mapping indicators have been set, you have to synchronize the data from the LDAP server with the SAP User Administration.
    1. Execute report RSLDAPSYNC_USER in transaction SE38.
    2. Specify the logical LDAP server and the LDAP connector.
    3. Define how the report has to process the entries of the objects found during the search. The search result is made up of three subsets:
       a. Objects that exist both in the directory and in the database
       b. Objects that exist only in the directory
       c. Objects that exist only in the database
    4. Save your entries and execute.
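The mapping and comparison steps on slide 8, modelled as an added Python example; it is not SAP code and not part of the original document. The key attribute sAMAccountName, the USERNAME field name, the sample entries, and the choice to split at the last hyphen are assumptions made for illustration.

```python
"""Model of the import mapping and three-way comparison described above.
Added illustration with constructed data; this is not SAP's implementation."""

def map_split_char(value, sep="-"):
    # Assumption: split at the LAST separator so area-code hyphens stay in
    # the number; a value without a separator has an empty extension.
    number, found, ext = value.rpartition(sep)
    if not found:
        return value.strip(), ""
    return number.strip(), ext.strip()

def map_entry(entry):
    # Directory attributes -> the SAP data fields named on the page.
    number, ext = map_split_char(entry.get("telephone", ""))
    return {"USERNAME": entry["sAMAccountName"].upper(),  # assumed key attribute
            "ADDRESS-TEL1_NUMBR": number,
            "ADDRESS-TEL1_EXT": ext}

def classify(directory_entries, sap_users):
    # Build the three subsets the sync report distinguishes, plus the field
    # differences for users present on both sides.
    mapped = {m["USERNAME"]: m for m in map(map_entry, directory_entries)}
    both = sorted(mapped.keys() & sap_users.keys())
    changed = {}
    for name in both:
        delta = {f: (sap_users[name].get(f, ""), v)
                 for f, v in mapped[name].items()
                 if f != "USERNAME" and sap_users[name].get(f, "") != v}
        if delta:
            changed[name] = delta  # field -> (value in SAP, value in directory)
    return {"both": both,
            "directory_only": sorted(mapped.keys() - sap_users.keys()),
            "database_only": sorted(sap_users.keys() - mapped.keys()),
            "changed": changed}

# Constructed sample data (not taken from any real system).
DIRECTORY = [
    {"sAMAccountName": "asmith", "telephone": "080-5550100-123"},
    {"sAMAccountName": "jdoe", "telephone": "5550101"},
]
SAP_USERS = {
    "JDOE": {"ADDRESS-TEL1_NUMBR": "5550101", "ADDRESS-TEL1_EXT": "9"},
    "OLDSVC": {"ADDRESS-TEL1_NUMBR": "", "ADDRESS-TEL1_EXT": ""},
}

if __name__ == "__main__":
    for subset, value in classify(DIRECTORY, SAP_USERS).items():
        print(subset, value)
```

The database_only subset is the one to review before deciding how the report treats it, because those accounts have no counterpart in the leading directory.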
  • 9. LDAP Synchronization
    For example, the user “LDAP ABAP” has been created in the Active Directory server. When the synchronization report is executed in an SAP system, the user “LDAP ABAP” is taken from the LDAP directory server into the ABAP system. The figure below shows the LDAP synchronization log after the report has been executed successfully.
  • 10. The following screenshot shows the user “LDAP ABAP” in the ABAP User Management (SU01).
  • 11. Integration of Java User Management Engine with LDAP
    Configuring Java UME to use LDAP as a data source with the User Management Console
    Procedure
    1. Log in to the User Management console with Administrator rights.
    2. Start the User Management.
    3. Choose the Data sources tab.
    4. Choose Modify Configuration.
    5. From Data Source, select the data source that best matches your LDAP directory. For Microsoft Active Directory, choose ads_readonly_db.
    6. Choose the LDAP Server tab.
    7. Enter the required data for the connection.
  • 12.
    8. Choose Test Connection. If the test fails, the user management configuration displays the entry from the security log. The monitoring tools of your LDAP directory can also help you determine the cause of the problem. If necessary, go back, reenter the connection data, and test the connection until you are successful.
    9. Save all the changes.
    10. Restart the application server for the changes to take effect.
    Once the server is restarted, you will see the users that are imported from the LDAP directory.
    To see the users from the LDAP directory, go to Identity Management and search for the users from the source LDAP. Below is a snapshot of the users in the Java UME that are imported from the LDAP directory.
  • 13. Configuring Java UME to use LDAP as a data source with the Config Tool
    The UME LDAP configuration tool simplifies the process of configuring the UME to use an LDAP directory. It lets you choose the configuration file for the data source, enter the connection data for the LDAP directory, and test that data.
    1. Click on the configtool.bat file in the installation folder: <SAPJ2EEEngine_installation>\j2ee\configtool\configtool.bat
    2. In the Config Tool, choose UME LDAP.
  • 14.
    3. Configure the LDAP data source as required and save your entries.
    4. Click on the Test connection button to establish a connection with the LDAP directory with the service user.
  • 15.
    5. Restart the AS Java.
    You can now see, in the User Management console, the users that are imported from the LDAP data source.
    Limitation of UME when AS ABAP is used as a data source
    In an ABAP+Java dual-stack system, the system by default uses the User Management of the ABAP system. In this case, it is not possible to configure LDAP as a data source in the Java UME. It is also not possible to create users in the database of AS Java.
    For more information, refer to SAP Note 718383.
    Configuring Java UME to use LDAP as a data source with the Netweaver Administrator Console (NWA) for SAP Netweaver 7.1 Java system
    The steps described above for configuring an SAP Netweaver 7.0 Java system to use LDAP as a data source are valid for an SAP Netweaver 7.1 system as well.
    The only difference is that the User Management can also be configured with the Netweaver Administrative console.
  • 16. Procedure:
    1. Log in to NWA with Admin rights.
    2. Choose Operation Management -> Users and Access -> Identity Management.
    3. Under Related Tasks, choose Configuration.
    4. Fill in the required details of the LDAP server and save your entries.
    5. Restart the AS.
    Refer to the screenshot below for the connection details.
  • 17. Related content
      • SAP Online Help http://help.sap.com
      • http://service.sap.com/security -> Security in Detail -> Identity Management -> Directory Services
  • 18. Copyright
    © Copyright 2009 SAP AG. All rights reserved.
    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
    Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
    Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
    IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
    Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
    Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
    Oracle is a registered trademark of Oracle Corporation.
    UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
    Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
    HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
    Java is a registered trademark of Sun Microsystems, Inc.
    JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
    SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
    Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
    All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
    These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.