
Unfortunately, it seems that just one LDAP directory is not always enough. Sometimes we need to configure multiple LDAP directories as data sources for the UME (User Management Engine); sometimes what we need is a high availability solution for our LDAP. Or even a mixture of both flavours:

    Multiple LDAP data sources: This means that you have several LDAP directories (up to five) connected to the portal in parallel, so that the user data within the UME comes from all of them.

    High availability of 2 LDAP servers: This means that you have one LDAP server connected to the UME and, in case it is down for some reason, the UME fails over to another LDAP server which is also defined in the UME configuration.

    High availability of multiple LDAP servers: This is a mixture of the previous scenarios. Here the UME obtains the user data from a group of LDAP directories which behave as described in the first point. Something to keep in mind here is that multiple data sources must have different structures (otherwise the specific users would not be unique and could not be found), so the same set of servers cannot act as a high availability pair and as multiple LDAP data sources at the same time!

      Let's have a look here at the first configuration, the multiple-LDAP data source scenario:

      [Figure: Multiple LDAP directory servers as data source.]

      Once we have created the new data source configuration file we have to upload it to the system. You can do this via the UM Configuration in the portal. Browse to find your XML file and upload it. After saving the new configuration, ensure that the LDAP parameters (ume.ldap.access.*) in the “Direct Editing” tab are commented out, as these parameters should be configured in the XML file you have uploaded. After that, you will need to restart the J2EE engine.

      Note: The configuration for multiple LDAP servers does not apply to the high availability scenario.

      You can find further documentation on this at the SAP Library:
      Example: Configuration of Multiple LDAP Data Sources

      And some good SAP notes to have a look at are:
      673824 – LDAP Issues for UME.
      736471 – UME Configuration of multiple LDAP data sources.
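As an added example (not part of the original post, and not SAP's own tooling), here is a small Python pre-restart check for the two things this step asks you to verify: the uploaded XML should define at most five LDAP data sources whose user paths differ from one another, and the Direct Editing properties should contain no active ume.ldap.access.* keys. The sample XML and properties text are constructed for the example; the dataSources/dataSource/privateSection element layout, the data source ids and the LDAPPersistence class name are assumptions about the UME configuration format rather than values taken from the post.

```python
import xml.etree.ElementTree as ET

# Class name assumed for an LDAP data source in a UME data source XML.
LDAP_CLASS = "com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
MAX_LDAP_SOURCES = 5  # limit stated in the post

# Constructed sample configuration: a database source plus two LDAP
# directories with distinct user paths (hypothetical ids and DNs).
SAMPLE_XML = """<dataSources>
  <dataSource id="PRIVATE_DATASOURCE"
              className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
              isReadonly="false" isPrimary="true">
  </dataSource>
  <dataSource id="CORP_LDAP" className="%(cls)s" isReadonly="true" isPrimary="true">
    <privateSection>
      <ume.ldap.access.server_name>dc01.example.corp</ume.ldap.access.server_name>
      <ume.ldap.access.user_path>OU=Staff,DC=example,DC=corp</ume.ldap.access.user_path>
    </privateSection>
  </dataSource>
  <dataSource id="PARTNER_LDAP" className="%(cls)s" isReadonly="true" isPrimary="true">
    <privateSection>
      <ume.ldap.access.server_name>ldap.partner.example</ume.ldap.access.server_name>
      <ume.ldap.access.user_path>OU=Partners,DC=partner,DC=example</ume.ldap.access.user_path>
    </privateSection>
  </dataSource>
</dataSources>
""" % {"cls": LDAP_CLASS}

# Constructed dump of the Direct Editing tab: one LDAP key was left active.
SAMPLE_PROPERTIES = """\
# Direct Editing (constructed sample)
ume.persistence.data_source_configuration=dataSourceConfiguration_multi_ldap.xml
#ume.ldap.access.server_name=dc01.example.corp
ume.ldap.access.user_path=OU=Staff,DC=example,DC=corp
ume.logon.security_policy.useridmaxlength=20
"""


def _private_value(data_source, key):
    """Return the text of <privateSection><key> for one dataSource, or None."""
    section = data_source.find("privateSection")
    if section is None:
        return None
    for child in section:  # iterate explicitly: tag names contain dots
        if child.tag == key:
            return (child.text or "").strip()
    return None


def ldap_data_sources(xml_text):
    """All <dataSource> elements whose className is the LDAP persistence class."""
    root = ET.fromstring(xml_text)
    return [ds for ds in root.iter("dataSource") if ds.get("className") == LDAP_CLASS]


def check_data_source_config(xml_text, max_ldap=MAX_LDAP_SOURCES):
    """Findings for the XML: source count limit, missing keys, duplicate user paths."""
    findings = []
    sources = ldap_data_sources(xml_text)
    if len(sources) > max_ldap:
        findings.append(f"{len(sources)} LDAP data sources exceed the limit of {max_ldap}")
    seen_paths = {}
    for ds in sources:
        ds_id = ds.get("id", "?")
        if not _private_value(ds, "ume.ldap.access.server_name"):
            findings.append(f"{ds_id}: no ume.ldap.access.server_name in privateSection")
        path = _private_value(ds, "ume.ldap.access.user_path")
        if not path:
            findings.append(f"{ds_id}: no ume.ldap.access.user_path in privateSection")
            continue
        # Two LDAP sources with the same user path would return non-unique users.
        if path in seen_paths:
            findings.append(f"{ds_id}: user_path {path!r} duplicates {seen_paths[path]}")
        else:
            seen_paths[path] = ds_id
    return findings


def active_ldap_access_keys(properties_text):
    """ume.ldap.access.* keys that are still set (not commented out) in Direct Editing."""
    active = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # comment or blank line in Java properties syntax
        key = line.split("=", 1)[0].strip()
        if key.startswith("ume.ldap.access."):
            active.append(key)
    return active


def audit(xml_text, properties_text):
    """Combined list of findings; an empty list means it is safe to restart."""
    findings = check_data_source_config(xml_text)
    for key in active_ldap_access_keys(properties_text):
        findings.append(f"Direct Editing still sets {key}; comment it out before the restart")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_XML, SAMPLE_PROPERTIES):
        print("FINDING:", finding)
```

Run it against an export of your own XML and properties instead of the constructed samples; the duplicate user path check is what catches the non-unique user situation the post warns about, and the properties check catches an LDAP parameter left active in Direct Editing that would otherwise compete with the XML after the restart.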



      9 Comments


      1. Luis Felipe Lanz
        Hi Desiree,

        Thanks for sharing this valuable information with the community. Do you have any estimated date for the other part?

        I guess it will be interesting too 🙂

        Best Regards, Luis

      2. Bobu George Putheeckal
        Hi,

        I have a business scenario: all our users are in LDAP, MSADS. Now there are some attributes for all the users, e.g. “shift timings”. Can I map this attribute to the UME, so that I see that attribute while I am searching for that user in the portal?

        1. Desiree Matas Post author
          Hi Bobu
          I do not have much documentation regarding mapping of attributes, but it may be a good idea for a future blog. I will try to find further information on this question.
          Thanks and regards.
        2. Tsvetomir Tsvetanov

          Hello Bobu,
          The list is semicolon (;) separated. Here is an example for more than one additional attribute:

          ume.admin.addattrs = shtiming;krb5principalname;spn

          Kind regards,
          Tsvetomir

      3. Ajay Kumar
        Hi

        It was a great blog. I have one question on this: when we have multiple LDAPs as user stores, to store users and authenticate them, how will the sequence of user authentication be defined? E.g. I have a corporate LDAP as ADS where my internal users are stored and other LDAP servers where my external users are stored. When a user tries to log in to the portal and his id exists in the 5th LDAP server, will the login module of WAS first try to verify the user against all 4 LDAP servers before it hits the 5th LDAP server? That means it is going to create login failures for the other 4 LDAP servers.
        Please correct me if I am wrong.

        Thanks a lot

        Regards
        AJay

      4. sreedhar Gunda
        Hi Desiree,

        The blog is very informative and follows the SAP standards.

        I have some questions on LDAP integration on EP7.0

        We have integrated one MSADS into the portal with only one LDAP server with the following details:

        1. Server name-  Domain Controller name
        2. server port-389
        3. user
        4. password-
        5. User path-DC=IN,DC=XXAtil,DC=net
        6. Group Path – OU=Salvant,DC=IN,DC=XXAtil,DC=net

        My doubts are:

        a) Can we include one more domain, Salvant.net, for SSO? End users from Salvant.net need to be authenticated along with existing users from the in.XXAtil.net domain.

        b) The current AD server in in.XXAtil.net will be moved to the Salvant.net domain. What would be the impact and the necessary changes required?

        c) Suppose we re-configure SSO to Salvant.net. Can users from in.XXAtil.net still get SSO?

        Please clarify.

        Regards,
        Sree

      5. Abdul Rahim Shaik
        Hi,

        Your blog was a useful resource while we did our LDAP SAP integration.

        We are running ldap_rfc on the apps servers of our Sol Man system (SMP) to run LDAPConnector.

        Following are the connect strings:

        d:\usr\sap\SMP\D01\exe ldap_rfc -a LDAP_RFC -x sapgw01 -g sfrncorssm41

        We are successful in replicating all directory users onto SAP user management.

        When we are trying to run this LDAP_RFC as a windows service using

        sc install "ldap.bat -log none" -b c:\ldap.bat -p service

        (the ldap.bat file containing: ldap_rfc -a LDAP_RFC -x sapgw01 -g sfrncorssm41), we are getting the below error:
        "sc install - unrecognized command"

        Please advise.

        Thanks in advance,
        Abdul

      6. Rosalía Bote
        Hi Desiree.
        Excellent blog. I’d like to ask you something.
        I have a portal connected to four LDAPs, configured as you suggested. Everything works fine. But if one of the LDAPs shuts down unexpectedly, the portal hangs, and no other users (from the other active LDAPs) can log on or even continue old sessions.
        My question is: as you say, it is necessary that all LDAPs are active when you start the J2EE server, but is it also a requisite that they are all always available in order for the portal to work?
        Is there any way to make it work only for users from the active servers?

        Sorry for the long comment and thanks.
