Hi,
To support both LDAP and ABAP user authentication, you need to configure two login modules in the ticket auth stack in visual administrator. The BasicPasswordLoginModule will be used to authenticate users who have an ABAP user and password. You then need a login module which will authenticate the user using Active Directory account and password. The SAP product does not include such a login module since SAP have assumed you will be using one or the other and not both methods of authentication. The only way SAP software supports using LDAP is if you configure UME and make the UME authentication use LDAP, which means that BasicPasswordLoginModule will then be used for LDAP, and cannot be used for ABAP authentication...
The solution is to use a third party product that includes a login module for authentication with Active Directory. One such product can be found at <removed by moderator>
Thanks,
Tim
Message was edited by: <Moderator>
Hi Tim,
Thanks for the reply.
When you say that two login modules are to be configured in the visual admin , can you tell me if it is the same thing as maintaining two data sources in the datasources xml file and if not , how different is it ?
Also will the LDAP <--> ABAP synchronization provided by SAP will be a solution for this situation
Thanks
Avinash
If you configure SAP ABAP to use LDAP, then all users in ABAP will need to be in your Active Directory. Earlier you said you have some users who are in AD and some who are in SAP, but not in AD. So, you need two different methods to authenticate users.
No, I was not talking about data source. I am talking about the JAAS login modules configured in visual admin (NWA on 7.3) which are used to authenticate users when they login. The ticket auth stack can be configured with a list of login modules, so when first login module is unable to authenticate the user the 2nd one will be used, and after any login module has authenticated the user, an SSO2 login ticket is issued for SSO purposes. So, the first login module configured would authenticate the user against Active Directory, and if this fails to authenticate the user (e.g. they are not in AD) then the 2nd one (BasicPasswordLoginModule) would be used, which will check the users password in the ABAP user store.
Thanks Tim,
I think i understand better now , i will check further on the procedure to implement this.
could you provide some useful links that would take me in that direction please ?
thanks
Hi,
I have already given you a link in my first reply, which is referencing a product that does what you need. If you don't use such a product, you would have to develop your own custom login module.
You can search SAP help library for JAAS and you will see details of how the JAAS auth stack is configured.
Thanks,
Tim
Thanks Tim,
I will get back to you regarding TrustBroker
