Ldap sync with sap(rfc)

Integration of SAP Netweaver User
Management with LDAP

Applies to:
SAP Netweaver 7.0/7.1
Microsoft Active Directory 2003

Summary
The document describes the detailed steps of configuring the integration of SAP Netweaver User
Management with LDAP (Microsoft Active Directory 2003 is used as LDAP).
LDAP, being the integrated, provides a central user repository used to centrally maintain user data, thus
avoiding the redundant, error prone maintenance of user information in several systems and reduced total
cost to ownership.
Here the LDAP directory acts as a leading system wherein the Users are imported to the SAP system when
the user synchronization happens every time.
Author: Radha SK
Company: Team: Technical Validation -SAP Labs India, Bangalore
Created on: 1 July 2009

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com
© 2009 SAP AG 1

Integration of SAP Netweaver User Management with LDAP

Table of Contents
Prerequisites ....................................................................................................................................................... 3
Configuring LDAP Connector .......................................................................................................................... 4
Defining System Users.................................................................................................................................... 5
1. Access the LDAP Connector via Tcode “LDAP” choose System Users ..................................................... 5
2. Switch to change mode and choose New Entries ....................................................................................... 5
3. Enter the required data and Save the entries. Refer the below screenshot. .............................................. 5
Defining Server Details ....................................................................................................................................... 5
Logging on to the Directory Service ................................................................................................................... 6
Mapping .............................................................................................................................................................. 7
Mapping Using function modules8
Mapping Using function modules ....................................................................................................................... 8
Synchronization of SAP User Administration with LDAP Directory .................................................................... 8
LDAP Synchronization .................................................................................................................................... 9
Integration of Java User Management Engine with LDAP ............................................................................... 11
Configuring Java UME to use LDAP as a data source with the User Management Console ...................... 11
Procedure .................................................................................................................................................................. 11
Configuring Java UME to use LDAP as a data source with the Config Tool ................................................ 13
Limitation of UME when AS ABAP is used as a data source ........................................................................... 15
Configuring Java UME to use LDAP as a data source with the Netweaver Administrator Console (NWA) for
SAP Netweaver 7.1 Java system.................................................................................................................. 15
Procedure: ................................................................................................................................................................. 16
Related content ................................................................................................................................................. 17
Disclaimer and Liability Notice ........................................................................... Error! Bookmark not defined.

© 2009 SAP AG 2


Prerequisites
The LDAP connector requires access to some specific library which is installed on the specific application
server platform. The LDAP connector is called using ABAP functions and communicates with the directory
services using Lightweight Directory Access Protocol.
To check whether LDAP Connector is operable, that is checking the availability of LDAP Library on the
application server.
Run “ldap_rfc” command in the kernel directory and check the version details.

© 2009 SAP AG 3


Configuring LDAP Connector
1. Create and RFC of connector T-Type
Note: It is recommended to use the following naming convention: LDAP_<server_name>.
If there are multiple LDAP connectors on one server then use:
LDAP_<server_name>_<sequence_number> Example: LDAP_SERVER_01
2. Select Registered server program as activation type
3. Specify the Program ID same as the RFC destination.
4. Save your entries.
Refer the below screenshot for LDAP connector details

© 2009 SAP AG 4


Defining System Users

The communication user (Example: TestUser) has to be maintained in the LDAP server which used by the
LDAP connector to bind to the LDAP Directory Server.

1. Access the LDAP Connector via Tcode “LDAP” choose System Users

2. Switch to change mode and choose New Entries

3. Enter the required data and Save the entries. Refer the below screenshot.

Defining Server Details
Create a new logical LDAP Server. Here you have to maintain the connection details of the physical directory
1. On the initial screen of LDAP choose Server and switch to change mode.
2. Choose New Entries and Enter the required data and Save Entries
Refer the below screen shot for Server Entry details

© 2009 SAP AG 5


Logging on to the Directory Service
Now you must check the connection to the directory service by logging on to it.
1. In the initial screen of the LDAP transaction, specify the LDAP server name and the LDAP
connector.
2. Press Logon
3. Provide the System User or enter the directory service user and password.
4. Choose Execute.

© 2009 SAP AG 6


Mapping
In transaction LDAPMAP specific SAP data fields can be mapped to the desired directory attributes.
SAP offers directory specific proposals for the mapping of the directory attributes to the SAP data fields. After
importing the proposal the mapping details can be customized as desired.
For each attribute there is the option to specify whether the customized mapping is only valid for import,
export or for both ways of
synchronization.

© 2009 SAP AG 7


Mapping Using function modules
If the desired mapping is not a simple 1:1 relationship, function modules can be used to enable a more
complicated mapping procedure.
A simple example is the telephone number. The telephone number of a user is stored in the directory
attribute “telephone” (in MS Active Directory). The extension is normally split by a hyphen ‘-‘.
In SAP the telephone number of a user is stored in two data fields ADDRESS-TEL1_NUMBR and
ADDRESS-TEL1_EXT.
Therefore the function module MAP_SPLIT_CHAR can be used.
This module reads the value for the telephone number from the directory attribute telephone. The extension
is split at the position where the system finds a hyphen ‘-‘ in the string and the two values are stored in the
SAP data fields ADDRESSTEL1_NUMBR and ADDRESS-TEL1_EXT.

Synchronization of SAP User Administration with LDAP Directory
Once the mapping indicators have been set, you have to synchronize the data from the LDAP server with the
SAP User Administration.
1. Execute report RSLDAPSYNC_USER in the transaction SE38.
2. Specify the logical LDAP server and LDAP connector
3. Define how the report has to process the entries of the objects that found during the search. The
search result is made up of three subsets.
a. Objects that exists in both in directory and database
b. Objects that exits only in directory
c. Objects that exits only in database
4. Save your entries and Execute.

© 2009 SAP AG 8


LDAP Synchronization
For example the user “LDAP ABAP” has been created in the Active Directory Server. When the
synchronization report is executed in an SAP system, the user “LDAP ABAP” is taken from the LDAP
directory server to the ABAP system. The below figure is LDAP synchronization log when the report has
been executed successfully.

© 2009 SAP AG 9


The following is the screenshot of the user “LDAP ABAP” is the ABAP User Management SU01

© 2009 SAP AG 10


Integration of Java User Management Engine with LDAP
Configuring Java UME to use LDAP as a data source with the User Management Console

Procedure
1. Login to the User Management console with the Administrator rights.
2. Start the User Management
3. Choose Data sources tab
4. Choose Modify Configuration
5. From Data Source, select the data source that best matches your LDAP directory. For Microsoft
Active Directory, choose ads_readonly_db
6. Choose the LDAP Server tab
7. Enter the required data for connection

© 2009 SAP AG 11


8. Choose Test Connection
If the test fails, user management configuration displays the entry from the security log. The monitoring
tools of your LDAP directory can also help you determine the cause of the problem. If necessary, go
back and reenter the connection data and test the connection until you are successful.
9. Sava all the changes
10. Restart the application server for the changes to take effect.
Once the server is restarted, you will see the users which are imported from the LDAP directory.
To see the users from LDPA directory, go to Identity management and search for the users from the source
LDAP. Below is snapshot of the users in the Java UME which are imported from LDAP directory.

© 2009 SAP AG 12


Configuring Java UME to use LDAP as a data source with the Config Tool
The UME LDAP configuration tool simplifies the process of configuring the UME to use an LDAP directory. It
allows to choose the configuration file for configuring the data source files and also to enter the connection
data for the LDAP directory and the test the data.
1. Click on the Configtool.bat file in the installation folder.
<SAPJ2EEEngine_installation>j2eeconfigtoolconfigtool.bat
2. In the configtool, choose UME LDAP

© 2009 SAP AG 13


3. Configure the LDAP Data Source as required and save your
entries

4. Click on the Test connection button to establish a connection with the LDAP directory with service
user.

© 2009 SAP AG 14


5. Restart the AS Java
Now you can see the users in the User Management console in which the users are imported from the LDAP
data source.

Limitation of UME when AS ABAP is used as a data source
In a ABAP+Java dual stack system, by default the system takes the User Management of an ABAP system.
In this case, it possible to configure LDAP as a data source in the Java UME. It is also not possible to create
the users in the database of AS Java.
For more information refer to SAP Note 718383

Configuring Java UME to use LDAP as a data source with the Netweaver Administrator Console
(NWA) for SAP Netweaver 7.1 Java system.
The above mentioned steps for configuring SAP Netweaver 7.0 java system to use LDAP as a data source
are valid for the SAP Netweaver 7.1 system as well.
The only difference is we can also configure the User Management with Netweaver Administrative console
as well.

© 2009 SAP AG 15


Procedure:
1. Login to NWA with Admin rights.
2. Choose Operation Management -> Users and Access -> Identity Management
3. Under Related Tasks, choose Configuration.
4. Fill in the required details of the LDAP server and Save your entries.
5. Restart the AS
Refer the below screenshot for the connection details

© 2009 SAP AG 16


Related content
• SAP Online Help http://help.sap.com
• http://service.sap.com/security ->Security in Detail -> Identity Management -> Directory
Services

© 2009 SAP AG 17


Copyright
© Copyright 2009 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9,
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server,
PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,
Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by
Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned
herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document
serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP
Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the
express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an
additional warranty.

© 2009 SAP AG 18

Ldap sync with sap(rfc)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Ldap sync with sap(rfc)

Similar to Ldap sync with sap(rfc) (20)

Ldap sync with sap(rfc)