LDAP configuration for multiple object classes


Symptom

This note is only relevant if you are using an LDAP server as your backend data source. It describes the changes you need to make to configure SAP’s User Management Engine (UME) to use multiple object classes for principals (users and/or groups).
Other terms

UME, LDAP, multiple object classes
Reason and Prerequisites

You are using an LDAP backend data source and you want to configure multiple object classes for users and/or groups. To achieve that you will have to customize the private section and the attribute mapping section of the UME data source configuration file. How to do that is described at the following links:
SAP Netweaver 6.40:
http://help.sap.com/saphelp_nw04/helpdata/EN/b7/14d43f2dd44821e10000000a1550b0/frameset.htm
SAP Netweaver 7.00:
http://help.sap.com/saphelp_nw2004s/helpdata/EN/b7/14d43f2dd44821e10000000a1550b0/frameset.htm
Solution

There is a small difference between configuring multiple object classes for users and configuring them for groups.
Let's start with the configuration for the user principal. First you must modify the private section of your LDAP data source configuration file:

    SUN
    true
    inetOrgPerson,myUser
    inetOrgPerson,myUser
    uid,my_uid
    cn
    uid,my_uid
    cn
The order of the entries in the different tags is very important. The first entry for the object class belongs to the first entry for the naming attribute. In the example, inetOrgPerson, uid and cn belong together. myUser and my_uid belong together.
All newly created principals (users and/or groups) will belong to the first object class in the list. In the above example, all created users will belong to the inetOrgPerson object class.
The second step in the configuration process is to modify the attribute mapping section.

The attribute mapping has to be changed to prevent the logical attributes of the UME API from being mapped to the same physical attribute name for every object class. In the above example, the firstname attribute is mapped to givenname for the object class inetOrgPerson and to my_givenname for the object class myUser. To distinguish between the object classes, a prefix containing the object class name is added to every logical and physical attribute name. This must be done for all attributes in all namespaces for the user principal. If you have configured users and user accounts to be the same object in LDAP (check the property ume.ldap.access.user_as_account in the private section), you have to do the same for the user account principal.
All attribute mapping information must be entered in lower case, otherwise the mapping will fail.
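As an added example (not code from the SAP note or from UME), the following Python checks the rules stated above, the positional pairing of object classes with naming attributes and the lower-case, per-object-class attribute mapping, on a constructed stand-in for the private section and the mapping; it also covers the group lists shown later in the note. The comma-separated values are the note's own, while the list form of the mapping and the "objectclass.attribute" prefix form are assumptions.

```python
# Added example, not code from the SAP note: checks for the rules the note
# states, run on a hand-built stand-in for the private section and the
# attribute mapping. Comma-separated values are the note's own; the list form
# of the mapping and the "objectclass.attribute" prefix form are assumptions.

def pair_object_classes(object_classes, naming_attrs):
    """Pair the i-th object class with the i-th naming attribute.

    Both arguments are comma-separated strings as entered in the private
    section. The pairing is positional, so a length mismatch is an error.
    The first pair is the object class new principals are created with."""
    ocs = [s.strip() for s in object_classes.split(",") if s.strip()]
    nas = [s.strip() for s in naming_attrs.split(",") if s.strip()]
    if len(ocs) != len(nas):
        raise ValueError(f"{len(ocs)} object classes but {len(nas)} naming attributes")
    return list(zip(ocs, nas))

def check_attribute_mapping(mapping, object_classes):
    """Return the problems found in one namespace's attribute mapping.

    mapping: list of (logical_name, physical_name) pairs. Every name must be
    lower case, every logical name must carry an "<objectclass>." prefix
    naming a configured object class, and every base attribute must then be
    mapped once for each object class."""
    ocs = [s.strip().lower() for s in object_classes.split(",") if s.strip()]
    problems, mapped = [], {oc: set() for oc in ocs}
    for logical, physical in mapping:
        if (logical, physical) != (logical.lower(), physical.lower()):
            problems.append(f"not lower case: {logical} -> {physical}")
            logical = logical.lower()
        prefix, _, base = logical.partition(".")
        if not base or prefix not in ocs:
            problems.append(f"no object class prefix: {logical}")
            continue
        mapped[prefix].add(base)
    for base in sorted(set().union(*mapped.values())):
        for oc in ocs:
            if base not in mapped[oc]:
                problems.append(f"{base} not mapped for {oc}")
    return problems

# Constructed sample: the note's user private section values, and a mapping
# following the note's firstname example plus one deliberate case mistake.
USER_PAIRS = pair_object_classes("inetOrgPerson,myUser", "uid,my_uid")
USER_MAPPING = [
    ("inetorgperson.firstname", "givenname"), ("myuser.firstname", "my_givenname"),
    ("inetorgperson.lastname", "sn"), ("myUser.lastname", "my_sn"),  # mixed case
]
USER_PROBLEMS = check_attribute_mapping(USER_MAPPING, "inetOrgPerson,myUser")
```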
The process for group principals is almost the same. First you have to modify the private section.

    SIEMENS
    true
    person
    person
    organization,organizationalunit
    cn
    uid
    o,ou

The next step is to change the attribute mapping as described for user principals, but this time it must be applied to the group subsection of the attribute mapping section.

In addition to the above configuration, the user principal attribute PRINCIPAL_RELATION_PARENT_ATTRIBUTE must be changed too, because it is related to the group principal.

Everything else is the same as configuring multiple object classes for user principals.
Example data source configuration files, based on dataSourceConfiguration_ads_writeable_db.xml, are attached to this note.
