SlideShare a Scribd company logo

Ecc ad ldap

Shobha Nand Kumar
Shobha Nand Kumar

LDAP Configuration

Technology
1 of 16
Download to read offline
1 Integration of SAP central user administration with Microsoft Active Directory Chris Kohlsdorf, Senior System Architect SAP NetWeaver, REALTECH AG Walldorf André Fischer, Project Manager Collaboration Technology Support Center, SAP AG Summary As system landscapes become more and more complex efficient identity management becomes a key success factor in IT organizations. Often the same identity information has to be maintained in lots of different IT systems. This leads to a great administrative overhead for creating, updating and deleting user data in all involved systems. Focussing on an entire SAP system landscape the integration of SAP CUA (central user administration) with Microsoft Active Directory Services can be the first step in implementing identity management in your IT infrastructure. The benefit is a huge reduction of administrative efforts and more consistent data across the different participating systems. Applies to ƒ SAP Web Application Server ƒ Microsoft Active Directory 2000 ƒ Microsoft Active Directory 2003 Keywords Directory synchronization, identity management, central user administration Level of difficulty Technical consultants, Developers Contact For feedback or questions you can contact the Collaboration Technology Support Center at ctsc@sap.com. Please check the .NET interoperability area in the SAP Developer Network http://www.sdn.sap.com/sdn/developerareas/dotnet.sdn for any updates or further information. You can contact REALTECH at customer-services@realtech.de. Collaboration Technology Support Center – Microsoft - Collaboration Brief June 2005
2 Copyright 2004 SAP AG. All rights reserved. All other product and service names mentioned are the trademarks of their respective companies No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
3 Contents Summary .............................................................................................................1 Applies to ............................................................................................................1 Keywords.............................................................................................................1 Level of difficulty ................................................................................................1 Contact ................................................................................................................1 Contents ..............................................................................................................3 Introduction.........................................................................................................4 Scenario .................................................................................................................................... 4 Technical Basis...................................................................................................5 The SAP LDAP Connector....................................................................................................... 5 LDAP_RFC ................................................................................................................................ 6 SAP CUA ................................................................................................................................... 8 Implementation ...................................................................................................8 Transaction LDAP .................................................................................................................... 8 Mapping............................................................................................................................... 10 Mapping using function modules......................................................................................... 11 Synchronization...................................................................................................................... 12 Extensions to the standard..............................................................................13 Assigning Active Directory Groups to SAP ABAP roles.................................................... 13 Maintain SAP specific attributes in Active Directory.......................................................... 14 Conclusion ........................................................................................................15 Limitations.........................................................................................................15 References ........................................................................................................16
4 Introduction As already mentioned in the short summary above the scenario used for this collaboration brief deals with two key components: Microsoft Active Directory and SAP Central User Administration. Active Directory, being the integrated, distributed directory service included with Microsoft Windows Server 2003 and Microsoft Windows 2000 Server, provides a central user repository used to centrally maintain user data, thus avoiding the redundant, error- prone maintenance of user information in several systems. Most organizations already use Active Directory to organize and manage information about all kinds of their different resources like users, computers, applications and so on. While the user management engine (UME) used by SAP Enterprise Portal can use a central Active Directory as its user persistence store ABAP systems use their own database as user store. SAP’s central user administration (CUA) can be used to maintain SAP user master records in one central system and distribute this information in a consistent way to connected child systems. This provides a single point of administration of all SAP user data in the entire SAP system landscape in one central system. This document describes the benefits of a synchronization of user data between an LDAP directory (e.g. Microsoft’s Active Directory) and SAP systems. In the outlined scenario MS Active Directory will become the leading system for storing common user data. As a result users newly created in the directory will be synchronized and created in the SAP CUA. For user data that has been updated in the directory this new information is also synchronized into the SAP system and updated there as well. The SAP CUA will be used to distribute all the user data that has been “imported” from the directory to all its connected child systems. Scenario The following screenshot provides an overview of the outlined scenario discussed in this guide:
5 ABAP System Central User Administration (CUA) ABAP System ABAP System ABAP System Child systems of CUA Distribution of user data Active Directory Synchronize user data ABAP System Central User Administration (CUA) ABAP System ABAP System ABAP System Child systems of CUA Distribution of user data Active Directory Synchronize user data Figure 1 - Scenario overview Technical Basis The SAP LDAP Connector The following part gives a short introduction to the technological mechanism providing the synchronization functionality between the directory service and the SAP system – the so-called SAP LDAP Connector. The protocol used for communicating with a directory is usually the Lightweight Directory Access Protocol (LDAP). The SAP LDAP connector allows direct access to directories within ABAP applications using the LDAP protocol. It provides this functionality in form of an API for connecting and searching, reading and editing of directory entries. This API has already been shipped with the basis release 4.6. But this release does not provide any functionality to synchronize user master data between SAP and the Active Directory. This functionality was first introduced with basis release 6.x that is used for SAP’s Web Application Server architecture and is therefore also available for all components based on SAP’s NetWeaver platform. The following figure shows the architecture of the LDAP connector:
6 Active Directory LDAP interface with mapping LDAP Connector LDAP API Delta management Synchronization Mapping = shipped with 4.6 = shipped with 6.10 ABAP ldap_rfc.exe SAP Active Directory LDAP interface with mapping LDAP Connector LDAP API Delta management Synchronization Mapping = shipped with 4.6 = shipped with 6.10 ABAP ldap_rfc.exe SAP Figure 2 - Architecture of SAP LDAP Connector LDAP_RFC From technical point of view the LDAP connector is represented by the program ”ldap_rfc” that is running as a registered server program. The communication between the Active Directory and the executable ldap_rfc is performed using the standardized access protocol LDAP. The LDAP protocol is normally using the TCP/IP port 389. There are two possible options how to set up the LDAP Connector: a) The LDAP connector can run as part of the SAP Application Server. In this case the executable in the directory usrsap<SID>SYSexerun (Windows) or /usr/sap/<SID>/sys/exe/run (UNIX) is used. b) The LDAP connector can run as a standalone program on a dedicated server with access to the Active Directory. Option a) is shown in the following figure “LDAP Connector as part of the SAP application server”:
7 Active Directory SAP Application Server Work Process LDAP Connector RFC LDAP Active Directory / DC Active Directory SAP Application Server Work Process LDAP Connector RFC LDAP Active Directory / DC Figure 3 - Option a) LDAP Connector as part of the SAP application server If the LDAP connector is running as part of the SAP application server it can be monitored and managed using the CCMS. The CCMS alert monitor can monitor the load (percentage of used LDAP- connections) and the status (UP or DOWN) of the LDAP Connector. CCMS will also start the LDAP connector if it is down. Since the LDAP connector loads the LDAP library of the operating system at runtime it is a prerequisite that the operating system is offering such an LDAP library. This prerequisite is fulfilled by Windows 2000/2003 since Windows 2000/2003 is shipped with the required DLL. Option b) can be used as a workaround if no LDAP library for the desired operating system is available. In such a case there is the option to run the LDAP Connector as a “standalone program” on a dedicated server as shown in the following figure: Active Directory SAP Application Server Work Process RFC LDAP Active Directory / DC LDAP Connector Active Directory SAP Application Server Work Process RFC LDAP Active Directory / DC LDAP Connector Figure 4 - Option b) LDAP Connector as standalone program on dedicated server The drawback of using option b) is that the LDAP connector is not part of the SAP Application Server and can therefore not be monitored and managed using the CCMS. However, since the LDAP connector can be implemented as a service on the Windows operation system it can be monitored by common monitoring tools.
8 SAP CUA As mentioned above, SAP systems, which should be connected to the Active Directory directly, must be based on basis release 6.x of SAP Web Application Server. If the systems are based on release 4.6 or lower it is possible to implement the SAP Central User Administration (CUA) on a SAP Web Application Server, which then acts as a kind of LDAP gateway. Since also SAP Systems that are based on the Web Application Server can be added as child systems to the SAP CUA the directory enabled SAP CUA can be used to distribute data across the whole SAP system landscape while still offering the possibility to maintain SAP specific data in the central system rather than in the Active Directory. Implementation Transaction LDAP Central point of administration for all settings regarding SAP’s LDAP Connector is transaction LDAP. Here you can configure the required RFC destinations, set up a new LDAP connector, create a new logical LDAP server, maintain communication users as well as maintain the mapping and synchronization details. Figure 5 - Transaction LDAP The required steps are in detail: • Create an RFC Destination to the program “LDAP_RFC”
9 • Create a new LDAP Connector that utilizes the RFC destination maintained before • Create a new logical LDAP Server. Here you have to maintain the connection details to the physical directory • Maintain the communication user that is used by the LDAP connector to bind the LDAP Directory Server. The binding information (username and password of a Active Directory user) is stored in the secure storage.
10 • Now you can already test the connection to the directory: Mapping In transaction LDAPMAP specific SAP data fields can be mapped to the desired directory attributes. SAP offers directory specific proposals for the mapping of the directory attributes to the SAP data fields. After importing the proposal the mapping details can be customized as desired. Active Directory users, which should be selected for the synchronization with the SAP system, are identified by one specific so-called filter attribute. If this attribute is set for an Active Directory user object the synchronization report RSLDAPSYNC_USER will either create a SAP user with that SAP username in SAP system (here SAP CUA) if it does not already exists or it will update the SAP user if the user has been changed in the Active Directory for example because the phone number of that user has changed. The following screenshot shows a default mapping:
11 Figure 6 - Mapping of SAP data fields to directory attributes For each attribute there is the option to specify whether the customized mapping is only valid for import, export or for both ways of synchronization. Mapping using function modules If the desired mapping is not a simple 1:1 relationship, function modules can be used to enable a more complicated mapping procedure. A simple example is the telephone number. The telephone number of a user is stored in the directory attribute “telephone” (in MS Active Directory). The extension is normally split by a hyphen ‘-‘. In SAP the telephone number of a user is stored in two data fields ADDRESS-TEL1_NUMBR and ADDRESS-TEL1_EXT. Therefore the function module MAP_SPLIT_CHAR can be used. This module reads the value for the telephone number from the directory attribute telephone. The extension is split at the position where the system finds a hyphen ‘-‘ in the string and the two values are stored in the SAP data fields ADDRESS- TEL1_NUMBR and ADDRESS-TEL1_EXT.
12 Figure 7 - Mapping using function modules Synchronization The report RSLDAPSYNC_USER selects all the users, which are to be synchronized with Active Directory. It is to be scheduled regularly. Furthermore the report can be scheduled as an event triggered job that can be started by the user administrators using the external SAP program ”sapevt”. The following screenshot shows report RSLDAPSYNC_USER:
13 Figure 8 - Report RSLDAPSYNC_USER Using transaction LDAPLOG the protocols of the LDAP synchronizations can be monitored. Extensions to the standard Assigning Active Directory Groups to SAP ABAP roles To provide synchronisation of role assignments the interface BC-LDAP-USR expects the name of the SAP roles to be stored in a multi-value attribute called SAProles. The problem with using this setup is how to fill this attribute with the appropriate information. The SAP user management engine (UME) offers the option to assign portal roles to groups stored in Active Directory if Active Directory is used as user persistence store. To achieve a comparable functionality out of the box it must be possible to map SAP roles to Microsoft Active Directory groups.
14 Therefore REALTECH has developed a special report which creates Active Directory groups from SAP roles. Users in Active Directory can now be assigned to these groups which correspond to roles in the SAP system. During synchronization a custom function module retrieves the information about the user’s group membership and assigns the corresponding SAP role to the user. Using this mechanism described above it is possible to leverage Active Directory group memberships for SAP role assignment also for SAP ABAP user management. As a result Active Directory users and SAP users can be administered at a single location. The following screenshot shows the exported SAP roles that appear as groups in the directory: Figure 9 - Exported SAP roles appear as groups in the AD Maintain SAP specific attributes in Active Directory Using Microsoft’s MMC Snap-In “Users and Computers” it is not possible to maintain attributes others than those delivered as standard attributes by Microsoft. Though it would be possible to use a low level LDAP editor such as the MMC Snap-In “ADSI Edit” this is no user-friendly solution since it would be necessary to use a different tool in the AD for the SAP user administration. Because of this REALTECH has developed a Property Page extension DLL for the Users and Computers Snap-In that makes it possible to maintain the attribute sapUsername (which can be imported into the directory using a schema extension delivered by SAP) in a separate property page SAP of the Users and Computers Snap-In. The following screenshot shows the new property page “SAP” in the MMC:
15 Figure 10 - Extension of MMC Snap-In Users and Computers The property page also provides a button for immediate synchronization. The button triggers a corresponding event in the SAP system, which then starts the report for user synchronization. Conclusion Implementing synchronization between SAP CUA and MS Active Directory provides an easy way to reduce administrative effort and helps to raise the quality of available user data across the entire system landscape. SAP’s LDAP Connector can easily be configured and works seamless with Microsoft Active Directory as it does with other common directory services available on the market. Limitations Please keep in mind that the LDAP Connector is only available on SAP systems based on Web Application Server. Sometimes a schema extension to the relevant directory might be necessary. Please be aware that schema extensions to directories can often not be reverted (e.g. MS Active Directory). The Extensions to the standard described in this collaboration brief are only available as a consulting solution by REALTECH.
16 References ƒ SAP Online Help http://help.sap.com ƒ http://service.sap.com/security Æ Security in Detail Æ Identity Management Æ Directory Services ƒ Success Story EnBW http://wwwsmart.sap.com/d/0066086_Energie_Baden_Württemberg_AG_S..pdf ƒ SAP Technical Brief on SAP NetWeaver Platform and Microsoft Active Directory https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents /a1-8- 4/SAP%20Technical%20Brief%20on%20SAP%20NetWeaver%20Platform%20and% 20Microsoft%20Active%20Directory.pdf

Recommended

Sap hana client_installation_update_guide_en
Sap hana client_installation_update_guide_enSap hana client_installation_update_guide_en
Sap hana client_installation_update_guide_en
Shobha Nand Kumar
 
SAP HANA Overview
SAP HANA OverviewSAP HANA Overview
SAP HANA Overview
Manjunath Pathapadu
 
SAP HANA for SAP Overview
SAP HANA for SAP OverviewSAP HANA for SAP Overview
SAP HANA for SAP Overview
Iliya Ruvinsky
 
SSL Configuration within SAP HANA
SSL Configuration within SAP HANASSL Configuration within SAP HANA
SSL Configuration within SAP HANA
Debajit Banerjee
 
SAP HANA Overview
SAP HANA OverviewSAP HANA Overview
SAP HANA Overview
Sitaram Kotnis
 
SAP HANA SPS09 - Security
SAP HANA SPS09 - SecuritySAP HANA SPS09 - Security
SAP HANA SPS09 - Security
SAP Technology
 
SAP HANA – A Technical Snapshot
SAP HANA – A Technical SnapshotSAP HANA – A Technical Snapshot
SAP HANA – A Technical Snapshot
Debajit Banerjee
 
SAP HANA SPS09- Administration Monitoring
SAP HANA SPS09- Administration MonitoringSAP HANA SPS09- Administration Monitoring
SAP HANA SPS09- Administration Monitoring
SAP Technology
 

Recommended

Sap hana client_installation_update_guide_en
Sap hana client_installation_update_guide_enSap hana client_installation_update_guide_en
Sap hana client_installation_update_guide_en
Shobha Nand Kumar
 
SAP HANA Overview
SAP HANA OverviewSAP HANA Overview
SAP HANA Overview
Manjunath Pathapadu
 
SAP HANA for SAP Overview
SAP HANA for SAP OverviewSAP HANA for SAP Overview
SAP HANA for SAP Overview
Iliya Ruvinsky
 
SSL Configuration within SAP HANA
SSL Configuration within SAP HANASSL Configuration within SAP HANA
SSL Configuration within SAP HANA
Debajit Banerjee
 
SAP HANA Overview
SAP HANA OverviewSAP HANA Overview
SAP HANA Overview
Sitaram Kotnis
 
SAP HANA SPS09 - Security
SAP HANA SPS09 - SecuritySAP HANA SPS09 - Security
SAP HANA SPS09 - Security
SAP Technology
 
SAP HANA – A Technical Snapshot
SAP HANA – A Technical SnapshotSAP HANA – A Technical Snapshot
SAP HANA – A Technical Snapshot
Debajit Banerjee
 
SAP HANA SPS09- Administration Monitoring
SAP HANA SPS09- Administration MonitoringSAP HANA SPS09- Administration Monitoring
SAP HANA SPS09- Administration Monitoring
SAP Technology
 
SAP HANA SPS09 - SAP HANA Scalability
SAP HANA SPS09 - SAP HANA ScalabilitySAP HANA SPS09 - SAP HANA Scalability
SAP HANA SPS09 - SAP HANA Scalability
SAP Technology
 
What's New in SAP HANA SPS 11 Platform Lifecycle Management (Operations)
What's New in SAP HANA SPS 11 Platform Lifecycle Management (Operations)What's New in SAP HANA SPS 11 Platform Lifecycle Management (Operations)
What's New in SAP HANA SPS 11 Platform Lifecycle Management (Operations)
SAP Technology
 
What's New in SAP HANA SPS 11 Operations
What's New in SAP HANA SPS 11 OperationsWhat's New in SAP HANA SPS 11 Operations
What's New in SAP HANA SPS 11 Operations
SAP Technology
 
SAP HANA
SAP HANASAP HANA
SAP HANA
Saravanan Manoharan
 
What's New in SAP HANA SPS 11 DB Control Center (Operations)
What's New in SAP HANA SPS 11 DB Control Center (Operations)What's New in SAP HANA SPS 11 DB Control Center (Operations)
What's New in SAP HANA SPS 11 DB Control Center (Operations)
SAP Technology
 
SAP HANA SPS10- SAP HANA Remote Data Sync
SAP HANA SPS10- SAP HANA Remote Data SyncSAP HANA SPS10- SAP HANA Remote Data Sync
SAP HANA SPS10- SAP HANA Remote Data Sync
SAP Technology
 
How Do You Innovate In a Complex Work? Read How SAP and Intel Can Help
How Do You Innovate In a Complex Work? Read How SAP and Intel Can HelpHow Do You Innovate In a Complex Work? Read How SAP and Intel Can Help
How Do You Innovate In a Complex Work? Read How SAP and Intel Can Help
SAP Technology
 
SAP HANA SPS08 Administration & Monitoring
SAP HANA SPS08 Administration & Monitoring SAP HANA SPS08 Administration & Monitoring
SAP HANA SPS08 Administration & Monitoring
SAP Technology
 
SAP HANA Cloud Platform - Overview
SAP HANA Cloud Platform - OverviewSAP HANA Cloud Platform - Overview
SAP HANA Cloud Platform - Overview
Matthias Steiner
 
What's New in SAP HANA SPS 11 Backup and Recovery (Operations)
What's New in SAP HANA SPS 11 Backup and Recovery (Operations)What's New in SAP HANA SPS 11 Backup and Recovery (Operations)
What's New in SAP HANA SPS 11 Backup and Recovery (Operations)
SAP Technology
 
SAP HANA SPS10- SAP HANA Modeling
SAP HANA SPS10- SAP HANA ModelingSAP HANA SPS10- SAP HANA Modeling
SAP HANA SPS10- SAP HANA Modeling
SAP Technology
 
What's New for SAP HANA Smart Data Integration & Smart Data Quality
What's New for SAP HANA Smart Data Integration & Smart Data QualityWhat's New for SAP HANA Smart Data Integration & Smart Data Quality
What's New for SAP HANA Smart Data Integration & Smart Data Quality
SAP Technology
 
SAP HANA - Understanding the Basics
SAP HANA - Understanding the Basics SAP HANA - Understanding the Basics
SAP HANA - Understanding the Basics
Global Business Solutions SME
 
Taking it all offline with SQL Anywhere
Taking it all offline with SQL AnywhereTaking it all offline with SQL Anywhere
Taking it all offline with SQL Anywhere
ZendCon
 
SAP Hana Overview
SAP Hana OverviewSAP Hana Overview
SAP Hana Overview
Tomislav Milinović
 
What's new in SAP HANA SPS 11 Security
What's new in SAP HANA SPS 11 SecurityWhat's new in SAP HANA SPS 11 Security
What's new in SAP HANA SPS 11 Security
SAP Technology
 
SAP HANA Interview questions
SAP HANA Interview questionsSAP HANA Interview questions
SAP HANA Interview questions
IT LearnMore
 
Why SAP HANA?
Why SAP HANA?Why SAP HANA?
Why SAP HANA?
SAP Technology
 
SAP HANA SPS10- SAP HANA Dynamic Tiering
SAP HANA SPS10- SAP HANA Dynamic TieringSAP HANA SPS10- SAP HANA Dynamic Tiering
SAP HANA SPS10- SAP HANA Dynamic Tiering
SAP Technology
 
SAP HANA SPS09 - XS Programming Model
SAP HANA SPS09 - XS Programming ModelSAP HANA SPS09 - XS Programming Model
SAP HANA SPS09 - XS Programming Model
SAP Technology
 
Funds management configuration sap ag
Funds management configuration sap agFunds management configuration sap ag
Funds management configuration sap ag
Lluckyy
 
Data sevice architecture
Data sevice architectureData sevice architecture
Data sevice architecture
Pankaj Sharma
 

More Related Content

What's hot

SAP HANA
SAP HANASAP HANA
SAP HANA
Saravanan Manoharan
 

What's hot (20)

SAP HANA SPS09 - SAP HANA Scalability
SAP HANA SPS09 - SAP HANA ScalabilitySAP HANA SPS09 - SAP HANA Scalability
SAP HANA SPS09 - SAP HANA Scalability
 
What's New in SAP HANA SPS 11 Platform Lifecycle Management (Operations)
What's New in SAP HANA SPS 11 Platform Lifecycle Management (Operations)What's New in SAP HANA SPS 11 Platform Lifecycle Management (Operations)
What's New in SAP HANA SPS 11 Platform Lifecycle Management (Operations)
 
What's New in SAP HANA SPS 11 Operations
What's New in SAP HANA SPS 11 OperationsWhat's New in SAP HANA SPS 11 Operations
What's New in SAP HANA SPS 11 Operations
 
SAP HANA
SAP HANASAP HANA
SAP HANA
 
What's New in SAP HANA SPS 11 DB Control Center (Operations)
What's New in SAP HANA SPS 11 DB Control Center (Operations)What's New in SAP HANA SPS 11 DB Control Center (Operations)
What's New in SAP HANA SPS 11 DB Control Center (Operations)
 
SAP HANA SPS10- SAP HANA Remote Data Sync
SAP HANA SPS10- SAP HANA Remote Data SyncSAP HANA SPS10- SAP HANA Remote Data Sync
SAP HANA SPS10- SAP HANA Remote Data Sync
 
How Do You Innovate In a Complex Work? Read How SAP and Intel Can Help
How Do You Innovate In a Complex Work? Read How SAP and Intel Can HelpHow Do You Innovate In a Complex Work? Read How SAP and Intel Can Help
How Do You Innovate In a Complex Work? Read How SAP and Intel Can Help
 
SAP HANA SPS08 Administration & Monitoring
SAP HANA SPS08 Administration & Monitoring SAP HANA SPS08 Administration & Monitoring
SAP HANA SPS08 Administration & Monitoring
 
SAP HANA Cloud Platform - Overview
SAP HANA Cloud Platform - OverviewSAP HANA Cloud Platform - Overview
SAP HANA Cloud Platform - Overview
 
What's New in SAP HANA SPS 11 Backup and Recovery (Operations)
What's New in SAP HANA SPS 11 Backup and Recovery (Operations)What's New in SAP HANA SPS 11 Backup and Recovery (Operations)
What's New in SAP HANA SPS 11 Backup and Recovery (Operations)
 
SAP HANA SPS10- SAP HANA Modeling
SAP HANA SPS10- SAP HANA ModelingSAP HANA SPS10- SAP HANA Modeling
SAP HANA SPS10- SAP HANA Modeling
 
What's New for SAP HANA Smart Data Integration & Smart Data Quality
What's New for SAP HANA Smart Data Integration & Smart Data QualityWhat's New for SAP HANA Smart Data Integration & Smart Data Quality
What's New for SAP HANA Smart Data Integration & Smart Data Quality
 
SAP HANA - Understanding the Basics
SAP HANA - Understanding the Basics SAP HANA - Understanding the Basics
SAP HANA - Understanding the Basics
 
Taking it all offline with SQL Anywhere
Taking it all offline with SQL AnywhereTaking it all offline with SQL Anywhere
Taking it all offline with SQL Anywhere
 
SAP Hana Overview
SAP Hana OverviewSAP Hana Overview
SAP Hana Overview
 
What's new in SAP HANA SPS 11 Security
What's new in SAP HANA SPS 11 SecurityWhat's new in SAP HANA SPS 11 Security
What's new in SAP HANA SPS 11 Security
 
SAP HANA Interview questions
SAP HANA Interview questionsSAP HANA Interview questions
SAP HANA Interview questions
 
Why SAP HANA?
Why SAP HANA?Why SAP HANA?
Why SAP HANA?
 
SAP HANA SPS10- SAP HANA Dynamic Tiering
SAP HANA SPS10- SAP HANA Dynamic TieringSAP HANA SPS10- SAP HANA Dynamic Tiering
SAP HANA SPS10- SAP HANA Dynamic Tiering
 
SAP HANA SPS09 - XS Programming Model
SAP HANA SPS09 - XS Programming ModelSAP HANA SPS09 - XS Programming Model
SAP HANA SPS09 - XS Programming Model
 

Similar to Ecc ad ldap

Accessibility guideline web_dynpro_external_version
Accessibility guideline web_dynpro_external_versionAccessibility guideline web_dynpro_external_version
Accessibility guideline web_dynpro_external_version
adatta12
 
How to build an agentry based mobile app from scratch connecting to an sap ba...
How to build an agentry based mobile app from scratch connecting to an sap ba...How to build an agentry based mobile app from scratch connecting to an sap ba...
How to build an agentry based mobile app from scratch connecting to an sap ba...
Jaime Marchant Benavides
 
Continuous Integration and Continuous Deployment Pipeline with Apprenda on ON...
Continuous Integration and Continuous Deployment Pipeline with Apprenda on ON...Continuous Integration and Continuous Deployment Pipeline with Apprenda on ON...
Continuous Integration and Continuous Deployment Pipeline with Apprenda on ON...
Shrivatsa Upadhye
 
W2 k3 ad_integration-how_to
W2 k3 ad_integration-how_toW2 k3 ad_integration-how_to
W2 k3 ad_integration-how_to
Meka SriHari
 
Planning guide sap business suite 7 2013 landscape implementation
Planning guide sap business suite 7 2013 landscape implementationPlanning guide sap business suite 7 2013 landscape implementation
Planning guide sap business suite 7 2013 landscape implementation
Leonardo Parpal Roig
 
Wp sap integration kartik
Wp sap integration kartikWp sap integration kartik
Wp sap integration kartik
PRADEEP Reddy
 
How to part 2 build an agentry based app from scratch
How to part 2 build an agentry based app from scratchHow to part 2 build an agentry based app from scratch
How to part 2 build an agentry based app from scratch
Ganesh Kumar
 

Similar to Ecc ad ldap (20)

Funds management configuration sap ag
Funds management configuration sap agFunds management configuration sap ag
Funds management configuration sap ag
 
Data sevice architecture
Data sevice architectureData sevice architecture
Data sevice architecture
 
Accessibility guideline web_dynpro_external_version
Accessibility guideline web_dynpro_external_versionAccessibility guideline web_dynpro_external_version
Accessibility guideline web_dynpro_external_version
 
How to build an agentry based mobile app from scratch connecting to an sap ba...
How to build an agentry based mobile app from scratch connecting to an sap ba...How to build an agentry based mobile app from scratch connecting to an sap ba...
How to build an agentry based mobile app from scratch connecting to an sap ba...
 
SN-2039_SAP_on_Nutanix.pdf
SN-2039_SAP_on_Nutanix.pdfSN-2039_SAP_on_Nutanix.pdf
SN-2039_SAP_on_Nutanix.pdf
 
PLM 200.pdf
PLM 200.pdfPLM 200.pdf
PLM 200.pdf
 
Continuous Integration and Continuous Deployment Pipeline with Apprenda on ON...
Continuous Integration and Continuous Deployment Pipeline with Apprenda on ON...Continuous Integration and Continuous Deployment Pipeline with Apprenda on ON...
Continuous Integration and Continuous Deployment Pipeline with Apprenda on ON...
 
W2 k3 ad_integration-how_to
W2 k3 ad_integration-how_toW2 k3 ad_integration-how_to
W2 k3 ad_integration-how_to
 
SAP BODS 4.2
SAP BODS 4.2 SAP BODS 4.2
SAP BODS 4.2
 
Sqlref
SqlrefSqlref
Sqlref
 
Planning guide sap business suite 7 2013 landscape implementation
Planning guide sap business suite 7 2013 landscape implementationPlanning guide sap business suite 7 2013 landscape implementation
Planning guide sap business suite 7 2013 landscape implementation
 
NetApp FAS2200 Series with Flash Pool
NetApp FAS2200 Series with Flash PoolNetApp FAS2200 Series with Flash Pool
NetApp FAS2200 Series with Flash Pool
 
Wp sap integration kartik
Wp sap integration kartikWp sap integration kartik
Wp sap integration kartik
 
How to part 2 build an agentry based app from scratch
How to part 2 build an agentry based app from scratchHow to part 2 build an agentry based app from scratch
How to part 2 build an agentry based app from scratch
 
How to conf_mopz_22_slm
How to conf_mopz_22_slmHow to conf_mopz_22_slm
How to conf_mopz_22_slm
 
App v 4.6 sp1 trial guide
App v 4.6 sp1 trial guideApp v 4.6 sp1 trial guide
App v 4.6 sp1 trial guide
 
SAP Net Weaver Architecture,
SAP Net Weaver Architecture, SAP Net Weaver Architecture,
SAP Net Weaver Architecture,
 
142 bb config_guide_en_co
142 bb config_guide_en_co142 bb config_guide_en_co
142 bb config_guide_en_co
 
sap pp
sap ppsap pp
sap pp
 
application-template-deployment-guide.pdf
application-template-deployment-guide.pdfapplication-template-deployment-guide.pdf
application-template-deployment-guide.pdf
 

Recently uploaded

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
VictorSzoltysek
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Recently uploaded (20)

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 

Ecc ad ldap

  • 1. 1 Integration of SAP central user administration with Microsoft Active Directory Chris Kohlsdorf, Senior System Architect SAP NetWeaver, REALTECH AG Walldorf André Fischer, Project Manager Collaboration Technology Support Center, SAP AG Summary As system landscapes become more and more complex efficient identity management becomes a key success factor in IT organizations. Often the same identity information has to be maintained in lots of different IT systems. This leads to a great administrative overhead for creating, updating and deleting user data in all involved systems. Focussing on an entire SAP system landscape the integration of SAP CUA (central user administration) with Microsoft Active Directory Services can be the first step in implementing identity management in your IT infrastructure. The benefit is a huge reduction of administrative efforts and more consistent data across the different participating systems. Applies to ƒ SAP Web Application Server ƒ Microsoft Active Directory 2000 ƒ Microsoft Active Directory 2003 Keywords Directory synchronization, identity management, central user administration Level of difficulty Technical consultants, Developers Contact For feedback or questions you can contact the Collaboration Technology Support Center at ctsc@sap.com. Please check the .NET interoperability area in the SAP Developer Network http://www.sdn.sap.com/sdn/developerareas/dotnet.sdn for any updates or further information. You can contact REALTECH at customer-services@realtech.de. Collaboration Technology Support Center – Microsoft - Collaboration Brief June 2005
  • 2. 2 Copyright 2004 SAP AG. All rights reserved. All other product and service names mentioned are the trademarks of their respective companies No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
  • 3. 3 Contents Summary .............................................................................................................1 Applies to ............................................................................................................1 Keywords.............................................................................................................1 Level of difficulty ................................................................................................1 Contact ................................................................................................................1 Contents ..............................................................................................................3 Introduction.........................................................................................................4 Scenario .................................................................................................................................... 4 Technical Basis...................................................................................................5 The SAP LDAP Connector....................................................................................................... 5 LDAP_RFC ................................................................................................................................ 6 SAP CUA ................................................................................................................................... 8 Implementation ...................................................................................................8 Transaction LDAP .................................................................................................................... 8 Mapping............................................................................................................................... 10 Mapping using function modules......................................................................................... 11 Synchronization...................................................................................................................... 12 Extensions to the standard..............................................................................13 Assigning Active Directory Groups to SAP ABAP roles.................................................... 13 Maintain SAP specific attributes in Active Directory.......................................................... 14 Conclusion ........................................................................................................15 Limitations.........................................................................................................15 References ........................................................................................................16
  • 4. 4 Introduction As already mentioned in the short summary above the scenario used for this collaboration brief deals with two key components: Microsoft Active Directory and SAP Central User Administration. Active Directory, being the integrated, distributed directory service included with Microsoft Windows Server 2003 and Microsoft Windows 2000 Server, provides a central user repository used to centrally maintain user data, thus avoiding the redundant, error- prone maintenance of user information in several systems. Most organizations already use Active Directory to organize and manage information about all kinds of their different resources like users, computers, applications and so on. While the user management engine (UME) used by SAP Enterprise Portal can use a central Active Directory as its user persistence store ABAP systems use their own database as user store. SAP’s central user administration (CUA) can be used to maintain SAP user master records in one central system and distribute this information in a consistent way to connected child systems. This provides a single point of administration of all SAP user data in the entire SAP system landscape in one central system. This document describes the benefits of a synchronization of user data between an LDAP directory (e.g. Microsoft’s Active Directory) and SAP systems. In the outlined scenario MS Active Directory will become the leading system for storing common user data. As a result users newly created in the directory will be synchronized and created in the SAP CUA. For user data that has been updated in the directory this new information is also synchronized into the SAP system and updated there as well. The SAP CUA will be used to distribute all the user data that has been “imported” from the directory to all its connected child systems. Scenario The following screenshot provides an overview of the outlined scenario discussed in this guide:
  • 5. 5 ABAP System Central User Administration (CUA) ABAP System ABAP System ABAP System Child systems of CUA Distribution of user data Active Directory Synchronize user data ABAP System Central User Administration (CUA) ABAP System ABAP System ABAP System Child systems of CUA Distribution of user data Active Directory Synchronize user data Figure 1 - Scenario overview Technical Basis The SAP LDAP Connector The following part gives a short introduction to the technological mechanism providing the synchronization functionality between the directory service and the SAP system – the so-called SAP LDAP Connector. The protocol used for communicating with a directory is usually the Lightweight Directory Access Protocol (LDAP). The SAP LDAP connector allows direct access to directories within ABAP applications using the LDAP protocol. It provides this functionality in form of an API for connecting and searching, reading and editing of directory entries. This API has already been shipped with the basis release 4.6. But this release does not provide any functionality to synchronize user master data between SAP and the Active Directory. This functionality was first introduced with basis release 6.x that is used for SAP’s Web Application Server architecture and is therefore also available for all components based on SAP’s NetWeaver platform. The following figure shows the architecture of the LDAP connector:
  • 6. 6 Active Directory LDAP interface with mapping LDAP Connector LDAP API Delta management Synchronization Mapping = shipped with 4.6 = shipped with 6.10 ABAP ldap_rfc.exe SAP Active Directory LDAP interface with mapping LDAP Connector LDAP API Delta management Synchronization Mapping = shipped with 4.6 = shipped with 6.10 ABAP ldap_rfc.exe SAP Figure 2 - Architecture of SAP LDAP Connector LDAP_RFC From technical point of view the LDAP connector is represented by the program ”ldap_rfc” that is running as a registered server program. The communication between the Active Directory and the executable ldap_rfc is performed using the standardized access protocol LDAP. The LDAP protocol is normally using the TCP/IP port 389. There are two possible options how to set up the LDAP Connector: a) The LDAP connector can run as part of the SAP Application Server. In this case the executable in the directory usrsap<SID>SYSexerun (Windows) or /usr/sap/<SID>/sys/exe/run (UNIX) is used. b) The LDAP connector can run as a standalone program on a dedicated server with access to the Active Directory. Option a) is shown in the following figure “LDAP Connector as part of the SAP application server”:
  • 7. 7 Active Directory SAP Application Server Work Process LDAP Connector RFC LDAP Active Directory / DC Active Directory SAP Application Server Work Process LDAP Connector RFC LDAP Active Directory / DC Figure 3 - Option a) LDAP Connector as part of the SAP application server If the LDAP connector is running as part of the SAP application server it can be monitored and managed using the CCMS. The CCMS alert monitor can monitor the load (percentage of used LDAP- connections) and the status (UP or DOWN) of the LDAP Connector. CCMS will also start the LDAP connector if it is down. Since the LDAP connector loads the LDAP library of the operating system at runtime it is a prerequisite that the operating system is offering such an LDAP library. This prerequisite is fulfilled by Windows 2000/2003 since Windows 2000/2003 is shipped with the required DLL. Option b) can be used as a workaround if no LDAP library for the desired operating system is available. In such a case there is the option to run the LDAP Connector as a “standalone program” on a dedicated server as shown in the following figure: Active Directory SAP Application Server Work Process RFC LDAP Active Directory / DC LDAP Connector Active Directory SAP Application Server Work Process RFC LDAP Active Directory / DC LDAP Connector Figure 4 - Option b) LDAP Connector as standalone program on dedicated server The drawback of using option b) is that the LDAP connector is not part of the SAP Application Server and can therefore not be monitored and managed using the CCMS. However, since the LDAP connector can be implemented as a service on the Windows operation system it can be monitored by common monitoring tools.
  • 8. 8 SAP CUA As mentioned above, SAP systems, which should be connected to the Active Directory directly, must be based on basis release 6.x of SAP Web Application Server. If the systems are based on release 4.6 or lower it is possible to implement the SAP Central User Administration (CUA) on a SAP Web Application Server, which then acts as a kind of LDAP gateway. Since also SAP Systems that are based on the Web Application Server can be added as child systems to the SAP CUA the directory enabled SAP CUA can be used to distribute data across the whole SAP system landscape while still offering the possibility to maintain SAP specific data in the central system rather than in the Active Directory. Implementation Transaction LDAP Central point of administration for all settings regarding SAP’s LDAP Connector is transaction LDAP. Here you can configure the required RFC destinations, set up a new LDAP connector, create a new logical LDAP server, maintain communication users as well as maintain the mapping and synchronization details. Figure 5 - Transaction LDAP The required steps are in detail: • Create an RFC Destination to the program “LDAP_RFC”
  • 9. 9 • Create a new LDAP Connector that utilizes the RFC destination maintained before • Create a new logical LDAP Server. Here you have to maintain the connection details to the physical directory • Maintain the communication user that is used by the LDAP connector to bind the LDAP Directory Server. The binding information (username and password of a Active Directory user) is stored in the secure storage.
  • 10. 10 • Now you can already test the connection to the directory: Mapping In transaction LDAPMAP specific SAP data fields can be mapped to the desired directory attributes. SAP offers directory specific proposals for the mapping of the directory attributes to the SAP data fields. After importing the proposal the mapping details can be customized as desired. Active Directory users, which should be selected for the synchronization with the SAP system, are identified by one specific so-called filter attribute. If this attribute is set for an Active Directory user object the synchronization report RSLDAPSYNC_USER will either create a SAP user with that SAP username in SAP system (here SAP CUA) if it does not already exists or it will update the SAP user if the user has been changed in the Active Directory for example because the phone number of that user has changed. The following screenshot shows a default mapping:
  • 11. 11 Figure 6 - Mapping of SAP data fields to directory attributes For each attribute there is the option to specify whether the customized mapping is only valid for import, export or for both ways of synchronization. Mapping using function modules If the desired mapping is not a simple 1:1 relationship, function modules can be used to enable a more complicated mapping procedure. A simple example is the telephone number. The telephone number of a user is stored in the directory attribute “telephone” (in MS Active Directory). The extension is normally split by a hyphen ‘-‘. In SAP the telephone number of a user is stored in two data fields ADDRESS-TEL1_NUMBR and ADDRESS-TEL1_EXT. Therefore the function module MAP_SPLIT_CHAR can be used. This module reads the value for the telephone number from the directory attribute telephone. The extension is split at the position where the system finds a hyphen ‘-‘ in the string and the two values are stored in the SAP data fields ADDRESS- TEL1_NUMBR and ADDRESS-TEL1_EXT.
  • 12. 12 Figure 7 - Mapping using function modules Synchronization The report RSLDAPSYNC_USER selects all the users, which are to be synchronized with Active Directory. It is to be scheduled regularly. Furthermore the report can be scheduled as an event triggered job that can be started by the user administrators using the external SAP program ”sapevt”. The following screenshot shows report RSLDAPSYNC_USER:
  • 13. 13 Figure 8 - Report RSLDAPSYNC_USER Using transaction LDAPLOG the protocols of the LDAP synchronizations can be monitored. Extensions to the standard Assigning Active Directory Groups to SAP ABAP roles To provide synchronisation of role assignments the interface BC-LDAP-USR expects the name of the SAP roles to be stored in a multi-value attribute called SAProles. The problem with using this setup is how to fill this attribute with the appropriate information. The SAP user management engine (UME) offers the option to assign portal roles to groups stored in Active Directory if Active Directory is used as user persistence store. To achieve a comparable functionality out of the box it must be possible to map SAP roles to Microsoft Active Directory groups.
  • 14. 14 Therefore REALTECH has developed a special report which creates Active Directory groups from SAP roles. Users in Active Directory can now be assigned to these groups which correspond to roles in the SAP system. During synchronization a custom function module retrieves the information about the user’s group membership and assigns the corresponding SAP role to the user. Using this mechanism described above it is possible to leverage Active Directory group memberships for SAP role assignment also for SAP ABAP user management. As a result Active Directory users and SAP users can be administered at a single location. The following screenshot shows the exported SAP roles that appear as groups in the directory: Figure 9 - Exported SAP roles appear as groups in the AD Maintain SAP specific attributes in Active Directory Using Microsoft’s MMC Snap-In “Users and Computers” it is not possible to maintain attributes others than those delivered as standard attributes by Microsoft. Though it would be possible to use a low level LDAP editor such as the MMC Snap-In “ADSI Edit” this is no user-friendly solution since it would be necessary to use a different tool in the AD for the SAP user administration. Because of this REALTECH has developed a Property Page extension DLL for the Users and Computers Snap-In that makes it possible to maintain the attribute sapUsername (which can be imported into the directory using a schema extension delivered by SAP) in a separate property page SAP of the Users and Computers Snap-In. The following screenshot shows the new property page “SAP” in the MMC:
  • 15. 15 Figure 10 - Extension of MMC Snap-In Users and Computers The property page also provides a button for immediate synchronization. The button triggers a corresponding event in the SAP system, which then starts the report for user synchronization. Conclusion Implementing synchronization between SAP CUA and MS Active Directory provides an easy way to reduce administrative effort and helps to raise the quality of available user data across the entire system landscape. SAP’s LDAP Connector can easily be configured and works seamless with Microsoft Active Directory as it does with other common directory services available on the market. Limitations Please keep in mind that the LDAP Connector is only available on SAP systems based on Web Application Server. Sometimes a schema extension to the relevant directory might be necessary. Please be aware that schema extensions to directories can often not be reverted (e.g. MS Active Directory). The Extensions to the standard described in this collaboration brief are only available as a consulting solution by REALTECH.
  • 16. 16 References ƒ SAP Online Help http://help.sap.com ƒ http://service.sap.com/security Æ Security in Detail Æ Identity Management Æ Directory Services ƒ Success Story EnBW http://wwwsmart.sap.com/d/0066086_Energie_Baden_Württemberg_AG_S..pdf ƒ SAP Technical Brief on SAP NetWeaver Platform and Microsoft Active Directory https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents /a1-8- 4/SAP%20Technical%20Brief%20on%20SAP%20NetWeaver%20Platform%20and% 20Microsoft%20Active%20Directory.pdf