
Unfortunately, it seems that just one LDAP directory is not always enough. Sometimes we need to configure multiple LDAP directories as the data source for the UME (User Management Engine); sometimes what we need is a high availability solution for our LDAP. Or even a mixture of both flavours:

    Multiple LDAP data sources: This means that you have several LDAP directories (up to five) connected to the portal in parallel, so that the user data within the UME comes from all of them.

    High availability of 2 LDAP servers: This means that you have one LDAP server connected to the UME and, in case it is down for some reason, the UME fails over to another LDAP server which is also defined in the UME configuration.

    High availability of multiple LDAP servers: This is a mixture of the previous scenarios. Here the UME obtains the user data from a group of LDAP directories which behave as described in the first point. Something to keep in mind here is that multiple data sources must have different structures (otherwise the UME could not find a specific user, as the user would not be unique), so the same pair of servers cannot act as a high availability pair and as separate data sources at the same time!

      Let's have a look here at the first configuration, the multiple-LDAP data source scenario:

      Figure: Multiple LDAP directory servers as data source.

      Once we have created the new data source configuration file we have to upload it to the system. You can do this via the UM Configuration in the portal. Browse to find your XML file and upload it. After saving the new configuration, ensure that the LDAP parameters (ume.ldap.access.*) in the "Direct Editing" tab are commented out, as these parameters should be configured in the XML file you have uploaded. After that, you will need to restart the J2EE engine.

      Note: The configuration for multiple LDAP servers does not apply to the high availability scenario.

      You can find further documentation on this at the SAP Library:
      Example: Configuration of Multiple LDAP Data Sources

      And some good SAP notes to have a look at are:
      673824 – LDAP Issues for UME.
      736471 – UME Configuration of multiple LDAP data sources.
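As an added example (not from the original post and not SAP's own code), here is a small Python script that checks a multi-LDAP data source configuration against the constraints described above: at most five LDAP data sources, each with its server, port, user path and group path set, no two sharing a user path (otherwise users are not unique), and no ume.ldap.access.* parameter left active in the Direct Editing properties. The XML element names, the LDAP persistence class name and both snippets are assumptions constructed for this example, modelled on the parameter names mentioned in the text.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Class name of the UME LDAP persistence adapter (assumed for this example);
# data sources with another class, e.g. the database, are skipped.
LDAP_CLASS = "com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
MAX_LDAP_SOURCES = 5  # the post states up to five LDAP directories in parallel
PREFIX = "ume.ldap.access."
REQUIRED = ("server_name", "server_port", "user_path", "group_path")

# Constructed sample configuration. BAD_LDAP deliberately reuses the user path
# of CORP_LDAP and omits its group path, so the checks have something to find.
SAMPLE_XML = """<dataSources>
  <dataSource id="PRIVATE_DATASOURCE"
              className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"/>
  <dataSource id="CORP_LDAP"
              className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence">
    <privateSection>
      <ume.ldap.access.server_name>dc01.corp.example</ume.ldap.access.server_name>
      <ume.ldap.access.server_port>389</ume.ldap.access.server_port>
      <ume.ldap.access.user_path>OU=Employees,DC=corp,DC=example</ume.ldap.access.user_path>
      <ume.ldap.access.group_path>OU=Groups,DC=corp,DC=example</ume.ldap.access.group_path>
    </privateSection>
  </dataSource>
  <dataSource id="PARTNER_LDAP"
              className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence">
    <privateSection>
      <ume.ldap.access.server_name>ldap.partners.example</ume.ldap.access.server_name>
      <ume.ldap.access.server_port>636</ume.ldap.access.server_port>
      <ume.ldap.access.user_path>OU=Partners,DC=partners,DC=example</ume.ldap.access.user_path>
      <ume.ldap.access.group_path>OU=Groups,DC=partners,DC=example</ume.ldap.access.group_path>
    </privateSection>
  </dataSource>
  <dataSource id="BAD_LDAP"
              className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence">
    <privateSection>
      <ume.ldap.access.server_name>dc02.corp.example</ume.ldap.access.server_name>
      <ume.ldap.access.server_port>389</ume.ldap.access.server_port>
      <ume.ldap.access.user_path>OU=Employees,DC=corp,DC=example</ume.ldap.access.user_path>
    </privateSection>
  </dataSource>
</dataSources>
"""

# Constructed sample of the Direct Editing properties: one LDAP parameter was
# left uncommented, which the post says must not happen once the XML is in use.
SAMPLE_DIRECT_EDITING = """\
# Direct Editing tab (constructed sample)
ume.persistence.data_source_configuration=dataSourceConfiguration_multi.xml
#ume.ldap.access.server_name=dc01.corp.example
#ume.ldap.access.server_port=389
ume.ldap.access.user_path=OU=Employees,DC=corp,DC=example
"""


def ldap_sources(xml_text):
    """Return [(data source id, {short parameter name: value})] for LDAP sources."""
    root = ET.fromstring(xml_text)
    sources = []
    for ds in root.iter("dataSource"):
        if ds.get("className") != LDAP_CLASS:
            continue
        props = {}
        private = ds.find("privateSection")
        if private is not None:
            for child in private:
                if child.tag.startswith(PREFIX):
                    props[child.tag[len(PREFIX):]] = (child.text or "").strip()
        sources.append((ds.get("id"), props))
    return sources


def check_data_sources(xml_text):
    """Findings for the XML file: source count, required parameters, unique user paths."""
    findings = []
    sources = ldap_sources(xml_text)
    if len(sources) > MAX_LDAP_SOURCES:
        findings.append(f"too many LDAP data sources: {len(sources)} > {MAX_LDAP_SOURCES}")
    for ds_id, props in sources:
        for key in REQUIRED:
            if not props.get(key):
                findings.append(f"{ds_id}: missing {PREFIX}{key}")
    # DNs are compared case-insensitively; two sources with the same user path
    # would resolve the same users and therefore break uniqueness.
    paths = Counter(props.get("user_path", "").lower() for _, props in sources)
    for path, count in paths.items():
        if path and count > 1:
            findings.append(f"user_path shared by {count} data sources: {path}")
    return findings


def check_direct_editing(props_text):
    """Findings for Direct Editing: any ume.ldap.access.* line that is not commented out."""
    findings = []
    for lineno, line in enumerate(props_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(PREFIX):
            name = stripped.split("=", 1)[0]
            findings.append(f"line {lineno}: {name} is still active in Direct Editing")
    return findings


if __name__ == "__main__":
    for finding in check_data_sources(SAMPLE_XML) + check_direct_editing(SAMPLE_DIRECT_EDITING):
        print("FINDING:", finding)
```

Run against the constructed samples it reports the missing group path of BAD_LDAP, the user path it shares with CORP_LDAP, and the one LDAP parameter still active in Direct Editing; a clean configuration returns two empty lists.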

      1. Luis Felipe Lanz
        Hi Desiree,

        Thanks for sharing this valuable information with the community. Do you have any estimated date for the other part?

        I guess it will be interesting too 🙂

        Best Regards, Luis

      2. Bobu George Putheeckal

        I have a business scenario: all our users are in LDAP, MSADS. Now there are some attributes for all the users, e.g. "shift timings". Can I map this attribute to UME, so that I see that attribute while I am searching for that user in the portal?

        1. Desiree Matas Post author
          Hi Bobu
          I do not have much documentation regarding mapping of attributes, but it may be a good idea for a future blog. I will try to find further information on this question.
          Thanks and regards.
        2. Former Member

          Hello Bobu,

          The list is semicolon (;) separated. Here is an example for more than one additional attribute:

          ume.admin.addattrs = shtiming;krb5principalname;spn

          Kind regards,
          Tsvetomir

      3. Former Member

        It was a great blog. I have one question on this: when we have multiple LDAPs as user stores to store users and authenticate, how will the sequence of user authentication be defined? E.g. I have the corporate LDAP as ADS where my internal users are stored and other LDAP servers where my external users are stored. When a user tries to log in to the portal and his id exists in the 5th LDAP server, will the login module of WAS first try to verify the user against all 4 LDAP servers before it hits the 5th LDAP server? That means it is going to create login failures for the other 4 LDAP servers.
        Please correct me if I am wrong.

        Thanks a lot


      4. Former Member
        Hi Desiree,

        The blog is very informative and follows the SAP standards.

        I have some questions on LDAP integration on EP7.0.

        We have integrated one MSADS into the portal with only one LDAP server with the following details:

        1. Server name-  Domain Controller name
        2. server port-389
        3. user
        4. password-
        5. User path-DC=IN,DC=XXAtil,DC=net
        6. Group Path – OU=Salvant,DC=IN,DC=XXAtil,DC=net

        My doubts are:

        a) Can we include one more domain ? – – for SSO? End users from need to be authenticated along with existing users from domain.

        b) The current AD server in will be moved to domain. What would be the impact and necessary changes required?

        c) Suppose we re-configure SSO to . Can users from still get SSO?

        Please clarify.


      5. Former Member

        Your blog was a useful resource while we did our LDAP SAP integration.

        We are running ldap_rfc on the apps servers of our Sol Man system (SMP)
        to run LDAPConnector.

        Following are the connect strings:

        d:\usr\sap\SMP\D01\exe ldap_rfc -a LDAP_RFC -x sapgw01 -g sfrncorssm41

        We are successful in replicating all directory users onto SAP users.

        When we are trying to run this LDAP_RFC as a Windows service using

        sc install "ldap.bat -log none" -b c:\ldap.bat -p service

        (the ldap.bat file containing: ldap_rfc -a LDAP_RFC -x sapgw01 -g
        sfrncorssm41), we are getting the below error:
        "sc install - unrecognized command"

        Please advise.

        Thanks in advance,

      6. Former Member
        Hi Desiree.
        Excellent blog. I'd like to ask you something.
        I have a portal connected to four LDAPs, configured as you suggested. Everything works fine. But if one of the LDAPs shuts down unexpectedly, the portal hangs, and no other users (from the other active LDAPs) can log on or even continue old sessions.
        My question is: as you say, it is necessary that all LDAPs are active when you start the J2EE server, but is it also a requisite that they are all always available in order for the portal to work?
        Is there any way to make it work only for users from the active servers?

        Sorry for the long comment and thanks.