Configuration of More Than One LDAP Data Source (Background documentation)

Use

If your user data is distributed across several LDAP directories, you can configure SAP User Management Engine (UME) to read and write data from more than one LDAP directory. For example, your employees are in one LDAP directory and your customers or suppliers in another LDAP directory, so you configure UME to search for user data in both directories.

Caution

The configuration must not allow a user or other principal to be created on two separate data sources. In other words, only one data source can be the home data source for a user or other principal.

Restrictions

·        Users’ logon IDs must be unique across all LDAP directories.

·        The groups to which a user belongs must be in the same LDAP directory as the user.

Procedure

For each LDAP directory, you have to create a separate data source entry in the data source configuration file.

In the private section of each data source, you must define the following properties:

·        ume.ldap.access.server_type

·        ume.ldap.access.server_name

·        ume.ldap.access.server_port

·        ume.ldap.access.user

·        ume.ldap.access.password

·        ume.ldap.access.base_path.user

·        ume.ldap.access.base_path.grup

To prevent passwords from appearing in the configuration file in plain text, passwords are handled as follows. The property sheet for UME properties contains properties for storing up to five encrypted passwords for different LDAP data sources. These are:

·        ume.ldap.access.additional_password.1

·        …

·        ume.ldap.access.additional_password.5

In the property sheet, you enter the passwords for the LDAP directories; in the configuration file, you add a reference to the property-sheet property that contains the password.

Example

For example, you enter a password for the second LDAP data source in the property ume.ldap.access.additional_password.2. In the data source configuration file, in the private section for that LDAP data source, you enter a reference to the property as follows:

<ume.ldap.access.password>
    $ume.ldap.access.additional_password.2
</ume.ldap.access.password>

The property name is always preceded by a dollar sign ($).

Example

<dataSources>
    …
    <dataSource id="CORP_LDAP2"
                className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
                isReadonly="true"
                isPrimary="true">
        …
        <privateSection>
            …
            <ume.ldap.access.server_type>NOVELL</ume.ldap.access.server_type>
            <ume.ldap.access.server_name>p11111</ume.ldap.access.server_name>
            <ume.ldap.access.server_port>390</ume.ldap.access.server_port>
            <ume.ldap.access.ssl>false</ume.ldap.access.ssl>
            <ume.ldap.access.user>cn=admin,o=ume</ume.ldap.access.user>
            <ume.ldap.access.password>$ume.ldap.access.additional_password.1</ume.ldap.access.password>
            <ume.ldap.access.base_path.user>o=ume</ume.ldap.access.base_path.user>
            <ume.ldap.access.base_path.grup>o=ume</ume.ldap.access.base_path.grup>
        </privateSection>
    </dataSource>

    <dataSource id="CORP_LDAP"
                className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
                isReadonly="true"
                isPrimary="true">
        …
        <privateSection>
            …
            <ume.ldap.access.server_type>SUN</ume.ldap.access.server_type>
            <ume.ldap.access.server_name>p22222</ume.ldap.access.server_name>
            <ume.ldap.access.server_port>400</ume.ldap.access.server_port>
            <ume.ldap.access.ssl>false</ume.ldap.access.ssl>
            <ume.ldap.access.user>cn=Directory Manager</ume.ldap.access.user>
            <ume.ldap.access.password>$ume.ldap.access.additional_password.2</ume.ldap.access.password>
            <ume.ldap.access.base_path.user>dc=ume.wdf.sap.corp</ume.ldap.access.base_path.user>
            <ume.ldap.access.base_path.grup>dc=ume.wdf.sap.corp</ume.ldap.access.base_path.grup>
        </privateSection>
    </dataSource>
</dataSources>
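The property requirements from the procedure and the password-reference rule can be checked mechanically before a data source configuration file is deployed. The following Python script is an added example and is not part of the SAP documentation or of UME itself. It parses a dataSources file, verifies that every LDAP data source defines the seven private-section properties listed above, that ume.ldap.access.password is a $-reference to one of the additional_password.1 to .5 slots rather than a plain-text value, and (an assumption of this example, not a rule the page states) that no two data sources reference the same slot. The embedded sample configuration is constructed; its ids, host names and base DNs are invented.

```python
import re
import xml.etree.ElementTree as ET

# Private-section properties the procedure requires for every LDAP data source.
# Note: ume.ldap.access.base_path.grup is the property's actual spelling.
REQUIRED_PRIVATE_PROPERTIES = (
    "ume.ldap.access.server_type",
    "ume.ldap.access.server_name",
    "ume.ldap.access.server_port",
    "ume.ldap.access.user",
    "ume.ldap.access.password",
    "ume.ldap.access.base_path.user",
    "ume.ldap.access.base_path.grup",
)

LDAP_CLASS = "com.sap.security.core.persistence.datasource.imp.LDAPPersistence"

# A compliant password entry is a $-reference to one of the five encrypted slots.
PASSWORD_REF = re.compile(r"^\$ume\.ldap\.access\.additional_password\.([1-5])$")


def lint_data_sources(xml_text):
    """Return (data source id, finding) tuples for every LDAP data source in xml_text."""
    findings = []
    used_slots = {}  # slot number -> id of the data source that referenced it first
    root = ET.fromstring(xml_text)
    for ds in root.iter("dataSource"):
        if ds.get("className") != LDAP_CLASS:
            continue  # only LDAP data sources carry these private properties
        ds_id = ds.get("id", "<no id>")
        private = ds.find("privateSection")
        if private is None:
            findings.append((ds_id, "missing privateSection"))
            continue
        # strip() tolerates the multi-line form <prop>\n  $ref\n</prop> used in the documentation
        props = {child.tag: (child.text or "").strip() for child in private}
        for name in REQUIRED_PRIVATE_PROPERTIES:
            if name not in props:
                findings.append((ds_id, "missing property " + name))
        password = props.get("ume.ldap.access.password")
        if password is not None:
            match = PASSWORD_REF.match(password)
            if match is None:
                findings.append((ds_id, "password is not a $-reference to an additional_password slot"))
            else:
                slot = match.group(1)
                if slot in used_slots:  # assumption: one slot per data source
                    findings.append((ds_id, "additional_password.%s already used by %s" % (slot, used_slots[slot])))
                else:
                    used_slots[slot] = ds_id
    return findings


# Constructed sample: the first data source is compliant, the second stores its
# password in plain text and omits the group base path.
SAMPLE_CONFIG = """<dataSources>
  <dataSource id="CORP_LDAP_OK"
              className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
              isReadonly="true"
              isPrimary="true">
    <privateSection>
      <ume.ldap.access.server_type>SUN</ume.ldap.access.server_type>
      <ume.ldap.access.server_name>ldap.example.test</ume.ldap.access.server_name>
      <ume.ldap.access.server_port>389</ume.ldap.access.server_port>
      <ume.ldap.access.user>cn=Directory Manager</ume.ldap.access.user>
      <ume.ldap.access.password>
          $ume.ldap.access.additional_password.1
      </ume.ldap.access.password>
      <ume.ldap.access.base_path.user>dc=example,dc=test</ume.ldap.access.base_path.user>
      <ume.ldap.access.base_path.grup>dc=example,dc=test</ume.ldap.access.base_path.grup>
    </privateSection>
  </dataSource>
  <dataSource id="CORP_LDAP_BAD"
              className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
              isReadonly="true"
              isPrimary="true">
    <privateSection>
      <ume.ldap.access.server_type>NOVELL</ume.ldap.access.server_type>
      <ume.ldap.access.server_name>ldap2.example.test</ume.ldap.access.server_name>
      <ume.ldap.access.server_port>389</ume.ldap.access.server_port>
      <ume.ldap.access.user>cn=admin,o=ume</ume.ldap.access.user>
      <ume.ldap.access.password>Secret123</ume.ldap.access.password>
      <ume.ldap.access.base_path.user>o=ume</ume.ldap.access.base_path.user>
    </privateSection>
  </dataSource>
</dataSources>
"""

if __name__ == "__main__":
    for ds_id, finding in lint_data_sources(SAMPLE_CONFIG):
        print("%s: %s" % (ds_id, finding))
```

Run against the sample, the linter reports the plain-text password and the missing ume.ldap.access.base_path.grup for CORP_LDAP_BAD and nothing for CORP_LDAP_OK; pointing it at a real configuration file is a matter of passing the file's contents to lint_data_sources.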
