Client's LDAP directories is connected to

NetWeaver Portal 7.0 but since username's in LDAP directory are more than 12

Chars, it will be problematic for Users having name with more 12 chars to

establish SSO between Portal and R/3 System. To make the SSO possible, User

Mapping was performed on Portal Side. My blog demonstrate the steps to achieve

this.               

Clients LDAP Directory is connected to NetWeaver Portal 7.0, to access the

Portal, but the R/3 System contains User-ID with different names for the same

Portal User say for e.g.: if abc@xyz.com is the Corporate Mail ID for a User,

User uses "abc" to login into portal, but "abc" is having

different Username (say "LMNO") in R/3 System, in that case there was

a need for User Mapping when the User connects for some information to R/3

System via NetWeaver Portal say for JCo Destinations we use Tickets or for

Transaction iViews or IAC iViews or for BSP applications or to Pull the UWL workitem

in Portal.

Because of Username length restrictions in R/3 system and since there are large

number of Users already created in LDAP directory, it was not possible for

client to change username whose length are greater than 12 Chars.

The possible solution for this is to create a Custom Attribute in LDAP (in our

case it was Microsoft ADS), which will help to store R/3 username against each

user in LDAP. (Custom Attribute is created by LDAP Administrators not by Portal

Consultants).

In my blog, I will not discuss on "How to configure LDAP in Netweaver

Portal", already wonderful blogs are available on SDN Blogs for the same

which helped me too, to configure LDAP with Portal. My blog will focus mainly

on "User Mapping using the Custom LDAP Attribute to Login in R/3

Systems".

Note:- Before proceeding further, make sure that LDAP (ADS) Administrator had

created a Custom User Attribute in LDAP and also assigned the values, to make

it more clear:- If Mail ID - "abc.lmn@test.com",

then for this user there will be a custom user attribute in LDAP for which

value "abc" is assigned, so that while Login into portal user will

enter "abc.lmn" as

username but once logged into portal for any access to backend R/3 System,

Logon Ticket will replace abc.lmn with *abc *value so SSO will automatically login into the

R/3 system without asking the user principles again. (Attributes discussed in

more detail at end of the blog.)

In order to achieve this, First of all, Login into NetWeaver Portal with Super

Administrator rights, go to System Administration ->

System Configuration -

UME Configuration, here in Data Sources tab, download UME Configuration

file (for e.g.:-dataSourceConfiguration_ads_deep_readonly_db.xml) on your local

machine.*                2. *  Define the attribute mapping from the logical attribute REFERENCE_SYSTEM_USER to the physical attribute that actually stores ABAP user ID in your LDAP directory i.e. we need to mention the attribute physical name given in our LDAP directory. In our example employeer3id*                  3**. In our case, the Custom User attribute while creating was belonged to Class "person*", so we have to explicitly specify the class so as to access Attribute value. 

Example

        In following example, *person *object class contains *employeer3id *attribute, which contains the user's ABAP user ID.</p>

<p>          ...</p>

<p>           <dataSources></p>

<p>              ...</p>

<p>               <dataSource id="CORP_LDAP" ...></p>

<p>                ...</p>

<p>                    <privateSection></p>

<p>                           ...     </p>

<p>+                          <ume.ldap.access.auxiliary_objectclass.user>+</p>

<p>+                                      person+* *

+       +

       ...

• Before restarting Server Nodes, there are 2-more

Properties need to be changed via Config Tool on Server in Menu File ->

Configuration Editor of Config Tool.

ume.usermapping.refsys.mapping.type to

value  attribute - 

This property defines that the UME gets the user's ABAP user ID from the LDAP

directory in the logical user attribute REFERENCE_SYSTEM_USER.

ume.r3.mastersystem to value UME Internal Reference System -  This property

is set to allow users to access all ABAP systems in which they have the same

user ID as in the ABAP central instance of the Enterprise Search appliance

using logon tickets.

     After doing changes in

XML file and values in the properties of Configuration Editor in Config Tool on

Portal Server, restart Server Nodes and test configuration by accessing a

transaction iView, you will find that inspite of Portal Login name and R/3

UserId different, the SSO worked and didn’t asked for any kind of

Authentication information.</p>

<p>+Note:-

The values in LDAP needs to be maintained carefully because if wrong UserName

is given to some user it might expose the System to User with some other persons

information.+</p>

<p>+Note: -

To edit XML File, to the point and exact Input is required for User Mapping.

The Attributes and Class Name need to be communicated properly, because the

Class and Attribute Name are case-sensitive as well as space-sensitive.+</p>

<p> </p>

<p>*What is attributes

in LDAP?*</p>

<p>Attributes are characteristic of an object

(person, thing, etc.), In LDAP, all User Account are created wherein,

attributes for a User Account is username, firstname, lastname, emailid,

telephoneno, to make it clear in XML way see the below code</p>

<p><user><br />

    <username>XYZ.LMN</username><br />

    <firstname>XYZ</firstname><br />

    <lastname>LMN</lastname><br />

    <emailid>xyz.lmn@test.com</emailid><br />

    <telephoneno>123456789</telephoneno><br />

    <department>SAP Systems</department><br />

    <designation>SAP Netweaver

Consultant</designation><br />

</user></p>

<p><br />

<person><br />

    <employeer3id>xyz</employeer3id><br />

</person></p>

<p>On portal side, if you go carefully through

config file written in XML language, in this file Initially all Logical

Attributes are created which are used by Netweaver Portal for its internal use.

Physical Attributes of LDAP are mapped to Logical Attributes of Portal and with

help of this mapping all User Attribute related values stored in LDAP are

available on Portal for usage.</p>

<p> </p>

<p>*Conclusion:

-* As a POC (Proof of

Concept), please find below image wherein you can see that, I logged into

portal with test username "Abhishek.Singh" but while accessing R/3

Systems, SSO picked up mapped username "222222" to login into R/3

Systems.</p><p>!https://weblogs.sdn.sap.com/weblogs/images/252123779/HomePageSBWPsmal.JPG|height=500|alt=Proof of Concept for User Mapping|width=667|src=https://weblogs.sdn.sap.com/weblogs/images/252123779/HomePageSBWPsmal.JPG|border=vertical-align: middle; border: 1px solid black;!</body>