I have a clarification . we are planning to implement a portal which will have an ABAP ume . The ABAP UME will be integrated into LDAP.
This portal will be further allowed access through the Internet for ess access using web dispatcher 7.2 as a reverse proxy.
Now There are going to be a certain set of users who will not have access to LDAP but would need access to the portal via the internet.
The questions i have are :
1. will the ldap users be able to login into the portal via internet by providing their AD user id and password or do they have to provide their sap id and pass
2. Incase the users are able to enter the portal via internet using ldap id and pass , how to we get the users who do not have ldap id's access to the internet.
Basically what im trying to ask his how do we enable both these sets of users access via the internet.One set of people will enter their LDAP user id and password where as the other set of users will enter their SAP user id and password.
Thanks & Appreciate any guidance
To support both LDAP and ABAP user authentication, you need to configure two login modules in the ticket auth stack in visual administrator. The BasicPasswordLoginModule will be used to authenticate users who have an ABAP user and password. You then need a login module which will authenticate the user using Active Directory account and password. The SAP product does not include such a login module since SAP have assumed you will be using one or the other and not both methods of authentication. The only way SAP software supports using LDAP is if you configure UME and make the UME authentication use LDAP, which means that BasicPasswordLoginModule will then be used for LDAP, and cannot be used for ABAP authentication...
The solution is to use a third party product that includes a login module for authentication with Active Directory. One such product can be found at <removed by moderator>
Message was edited by: <Moderator>
Thanks for the reply.
When you say that two login modules are to be configured in the visual admin , can you tell me if it is the same thing as maintaining two data sources in the datasources xml file and if not , how different is it ?
Also will the LDAP <--> ABAP synchronization provided by SAP will be a solution for this situation
If you configure SAP ABAP to use LDAP, then all users in ABAP will need to be in your Active Directory. Earlier you said you have some users who are in AD and some who are in SAP, but not in AD. So, you need two different methods to authenticate users.
No, I was not talking about data source. I am talking about the JAAS login modules configured in visual admin (NWA on 7.3) which are used to authenticate users when they login. The ticket auth stack can be configured with a list of login modules, so when first login module is unable to authenticate the user the 2nd one will be used, and after any login module has authenticated the user, an SSO2 login ticket is issued for SSO purposes. So, the first login module configured would authenticate the user against Active Directory, and if this fails to authenticate the user (e.g. they are not in AD) then the 2nd one (BasicPasswordLoginModule) would be used, which will check the users password in the ABAP user store.
I have already given you a link in my first reply, which is referencing a product that does what you need. If you don't use such a product, you would have to develop your own custom login module.
You can search SAP help library for JAAS and you will see details of how the JAAS auth stack is configured.