
Vendavo 6.5

Setup Guide
For Integrating With LDAP, Active Directory

Copyright
Copyright 2000-2007 Vendavo, Inc. All rights reserved. Version: 6510070220

Proprietary Content
Your access to and use of the confidential information contained in this document is subject to the terms and conditions of your license and/or the Vendavo Non-Disclosure Agreement.

Document Reproduction
No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photographic, magnetic or other record, without the prior agreement and written permission of Vendavo, Inc.

Trademarks
All product names, marks, logos and symbols within this document may be trademarks of their respective owners. The following terms are trademarks of Vendavo, Inc.: Vendavo, Vendavo Price Manager, Vendavo Deal Manager, Vendavo Profit Analyzer, Whole Price Management, Vendavo Price Trail, Vendavo Price Engine, Vendavo Price Explorer, Vendavo Portfolio Manager, Vendavo Price List Manager, Vendavo Policy Manager, and Vendavo Pricemart Server.

Contents
Chapter 1: About This Manual
    Intended Audience
    Typographic Conventions
    Related Documents
Chapter 2: Prerequisites for Integration
    Hardware Requirements
        Database Server Machine
        Application Server Machine(s)
    Software Requirements
        Third-Party Software Products and Versions
Chapter 3: Setting up the OpenLDAP Server and LDAP Browser
    Adding LDAP Users
Chapter 4: Configuring LDAP Server for Authentication
    Configuring LDAP Server for Authentication on SAP NetWeaver
        Testing LDAP Authentication
Chapter 5: Configuring Windows Active Directory Authentication
    Configuring Windows Active Directory Authentication on NetWeaver
        Integrate Vendavo with MS Active Directory for User Authentication
        Testing AD Authentication


Chapter 1: About This Manual

The Setup Guide For Integrating with LDAP, Active Directory explains how to configure Windows 2003 Active Directory authentication and how to set up the OpenLDAP Server for authentication, on various platforms.

Intended Audience
This manual is intended for the administrators of the Vendavo application.

Typographic Conventions
The following table lists the conventions used in this manual:

Convention                  Description
Note icon                   Refers to a note or important information.
Text in code font           Refers to a command, a file name or location, or code.
Emphasized text             Used for emphasis or references.
Text for interface items    Refers to a page name, or any form object (like a button, link, etc.).

Related Documents
Setup Guide For Installing Vendavo on Windows NetWeaver Platform: Describes how to install the Vendavo application on the Windows NetWeaver platform.
Setup Guide For Setting Up the Pricemart Server: Describes how to set up the Pricemart server.
Setup Guide For Setting Up Oracle: Describes how to set up Oracle for the Vendavo installation.


Chapter 2: Prerequisites for Integration


This section lists the hardware and software requirements for integrating Vendavo with LDAP or Active Directory on various platforms.

Hardware Requirements
This section lists the hardware requirements for the application and database server machines.

Database Server Machine


Category              Requirement
Platform              NetWeaver
Operating System      Windows
Disk Space            5 GB or more
Network Connection    100 Mbps or faster

Application Server Machine(s)


Category              Requirement
Platform              Windows
Operating System      Windows 2003 Server only
CPUs                  Intel P4; minimum: 1, recommended: 2
RAM                   3 GB
Disk Space            1 GB or more
Network Connection    100 Mbps or faster

Prerequisites for Integration

Software Requirements
This section lists the software requirements.

Third-Party Software Products and Versions


Category                              Software Product and Source                                  Version                                   Freeware
Operating System                      Microsoft Windows, http://www.microsoft.com                  2003 Server only                          No
Database                              Oracle 9i or 10g Enterprise Edition, http://www.oracle.com   9.2.0.7 (Certified), 10.2 (Supported)     No
LDAP Server                           OpenLDAP Server for Windows, http://www.openldap.org         2.2.19                                    Yes
LDAP Browser                          LDAP GUI Browser, http://www-unix.mcs.anl.gov/~gawor/ldap/   2.8.1                                     Yes
Scripting Environment (for Install)   ActiveState ActivePerl, http://www.activestate.com           5.6.1 or higher                           Yes
Web Browser                           Internet Explorer, http://www.microsoft.com                  6.0 or higher                             Yes
Client Graphics Display               Adobe SVG Viewer (Internet Explorer plugin), http://www.adobe.com   3.01 or higher                     Yes
JDK                                   http://java.sun.com                                          1.4.2 or higher                           Yes
JDBC Driver                           Oracle 10g (ojdbc14.jar), http://www.oracle.com              10.2                                      Yes


Chapter 3: Setting up the OpenLDAP Server and LDAP Browser


This section describes how to set up OpenLDAP and the LDAP Browser. It also describes how to add LDAP users for testing.

To set up OpenLDAP and the LDAP Browser on Windows:

1. Double-click Setup.exe. The Welcome screen is displayed.
2. Click Next. The License agreement screen is displayed.
3. Select I have read and understood the license and click Next. The File Locations screen is displayed.
4. Click Install. If you install in a location other than the default (C:\openldap), note down the path. You will need it during the setup.
5. After the installation is complete, start the OpenLDAP server:
   A. Open a command prompt and switch to the LDAP installation directory.
   B. Run one of the following commands:
      slapd.exe
      slapd.exe -d 1 (for debug mode)
6. Start the LDAP Browser by either double-clicking the lbe.bat file or by running lbe.bat from the command prompt. The LDAP Browser is displayed.
7. In the LDAP Browser, click Connect. The Connect dialog box is displayed.
8. Click Edit to modify the LDAP configuration. To create a new session, click New. The Edit Session dialog box is displayed.

   The following table describes the fields in the Edit Session dialog box.

   Field       Description
   Host        Host name of the LDAP Server.
   Port        Port number on which the LDAP Server is listening.
   Base DN     Distinguished name of the entry at which the browser starts (the suffix of the LDAP Server).
   User DN     Distinguished name of the account used to bind to the LDAP Server.
   Password    Password of that account.

9. Make the changes and click Save.

   Note: Base DN, User DN, and Password correspond to the suffix, rootdn and rootpw directives in the <LDAP Server installed directory>\slapd.conf file. The values used for fields such as Base DN are examples: dc=my-domain,dc=com stands for a fictitious domain and must be substituted with the actual domain name for which you are setting up LDAP. The rootpw in slapd.conf is the directory administrator's credential; replace the value shipped with the installation and restrict read access to the file, because anyone who can read it can bind with full write access to the directory.

Adding LDAP Users


You can add LDAP users using a file in LDIF format.

To add LDAP users:

1. Create a file with the .ldif extension.
2. In the LDAP Browser tool, select LDIF > Import. The LDIF Import dialog box is displayed.
3. Select the LDIF file and click Import.

The contents of a sample LDIF file are shown below:

   # sample.ldif
   dn: dc=my-domain,dc=com
   dc: my-domain
   objectClass: dcObject
   objectClass: organization
   o: Vendavo, Inc

   # People
   dn: cn=smith,dc=my-domain,dc=com
   objectClass: person
   sn: smith
   cn: smith
   userPassword: smith

Make sure that the users defined in the LDIF file are available in the VUser.xml file and are imported into Vendavo.
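The sample above stores the password as a cleartext userPassword value. The script below is an added example, not part of the Vendavo guide: it builds the same two kinds of entries (the dcObject suffix entry and person entries under dc=my-domain,dc=com, both taken from sample.ldif) but writes userPassword in the {SSHA} form that OpenLDAP's slapd accepts, so the import file no longer carries recoverable passwords. The user list in main() is constructed test data, and the refusal of cn values that would need DN escaping is a check added here.

```python
"""Build an LDIF import file for the OpenLDAP test directory with {SSHA}
hashed userPassword values instead of cleartext ones.

Added example, not from the Vendavo guide. The suffix dc=my-domain,dc=com and
the entry layout come from the guide's sample.ldif; the users in main() are
constructed test data. {SSHA} is OpenLDAP's salted SHA-1 scheme, stored as
base64(sha1(password || salt) || salt); slapd verifies a simple bind against it.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

BASE_DN = "dc=my-domain,dc=com"
DC_VALUE = "my-domain"                       # must equal the first RDN value of BASE_DN
SAFE_CN = re.compile(r"^[A-Za-z0-9._-]+$")   # values that need no RFC 4514 escaping


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(sha1(password || salt) || salt); random salt by default."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Re-derive the digest using the salt carried at the end of the stored value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]        # SHA-1 digests are 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def root_entry() -> str:
    """The dcObject/organization entry that sample.ldif creates for the suffix."""
    return "\n".join([
        f"dn: {BASE_DN}",
        f"dc: {DC_VALUE}",
        "objectClass: dcObject",
        "objectClass: organization",
        "o: Vendavo, Inc",
    ])


def person_entry(cn: str, password: str, salt: Optional[bytes] = None) -> str:
    """One 'person' entry as in sample.ldif, with a hashed userPassword."""
    if not SAFE_CN.match(cn):
        raise ValueError(f"cn {cn!r} would need DN escaping; refusing to build the entry")
    return "\n".join([
        f"dn: cn={cn},{BASE_DN}",
        "objectClass: person",
        f"sn: {cn}",
        f"cn: {cn}",
        f"userPassword: {ssha_hash(password, salt)}",
    ])


def build_ldif(users: Dict[str, str]) -> str:
    """Complete LDIF: suffix entry first, then one entry per user, blank-line separated."""
    entries = [root_entry()] + [person_entry(cn, pw) for cn, pw in users.items()]
    return "# generated.ldif\n" + "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # Constructed test users; 'smith' mirrors the guide's sample entry.
    print(build_ldif({"smith": "smith", "jones": "correct horse battery staple"}))
```

Import the generated file exactly as described in steps 2 and 3; a bind with the cleartext password still succeeds because slapd recognises the {SSHA} prefix and hashes the presented password itself.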

12


Chapter 4: Configuring LDAP Server for Authentication


This section describes how to configure your system to use the OpenLDAP server for authentication on NetWeaver.

Configuring LDAP Server for Authentication on SAP NetWeaver


To configure the OpenLDAP Server on NetWeaver:

1. Start the SAP Config Tool and click Switch to Configuration Editor Mode.
2. In the Display configuration tab, navigate to the cluster_data/server/persistent/com.sap.security.core.ume.service folder. Double-click the dataSourceConfiguration_iplanet_readonly_db.xml file. The Display File window is displayed.
3. Click Download to download the file and save it in the desired location. Click OK on the Display File window.



4. Exit from the edit mode and rename the downloaded file to dataSourceConfiguration_open_ldap.xml.
5. Double-click the dataSourceConfiguration_open_ldap.xml file and modify it as follows:
   A. In attributeMapping > principal type account, set the physicalAttribute name to cn for the following attributes: j_user, logonalias
   B. In attributeMapping > principal type user, set the physicalAttribute name to null for the following attributes: fax, email, mobile, telephone, description, streetaddress, pobox
   C. In attributeMapping > principal type user, set the physicalAttribute name to cn for the following attributes: firstname, displayname, uniquename, REFERENCE_SYSTEM_USER
   D. In attributeMapping > principal type group, set the physicalAttribute name to cn for the following attributes: displayname, description
   E. Delete the following lines in privateSection:
      <ume.ldap.access.server_type>SUN</ume.ldap.access.server_type>
      <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
   F. Set the value to * for the following lines in privateSection, as shown below:
      <ume.ldap.access.objectclass.user>*</ume.ldap.access.objectclass.user>
      <ume.ldap.access.objectclass.uacc>*</ume.ldap.access.objectclass.uacc>
      <ume.ldap.access.objectclass.grup>*</ume.ldap.access.objectclass.grup>
      Note that * matches every object class, so UME treats every entry below the configured base path as a user or group. Keep the base path you enter later restricted to the branch that holds the Vendavo users.
   G. Set the value cn for the following lines in privateSection, as shown below:
      <ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
      <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
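The edits in step 5 are easy to get wrong by hand in a large XML file. The script below is an added example, not from the Vendavo guide or from SAP: it applies the attribute-mapping and privateSection changes listed above to the downloaded file with the standard library's ElementTree and refuses to finish if anything the guide names is missing. ORIGINAL_MAPPING and ORIGINAL_PRIVATE are a constructed stand-in for the content of dataSourceConfiguration_iplanet_readonly_db.xml; the element names follow the guide's description, but the real template is larger and its exact layout is an assumption here, so diff the output against your downloaded copy before uploading it.

```python
"""Apply the step 5 attribute-mapping and privateSection edits to a copy of the
UME data source configuration with ElementTree.

Added example, not from the Vendavo guide or from SAP. ORIGINAL_MAPPING and
ORIGINAL_PRIVATE are a constructed stand-in for the downloaded template; the
element names (attributeMapping, principal, attribute, physicalAttribute,
privateSection) follow the guide, the exact layout is assumed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ORIGINAL_MAPPING: Dict[str, Dict[str, str]] = {   # principal type -> logical -> physical
    "account": {"j_user": "uid", "logonalias": "uid"},
    "user": {"firstname": "givenname", "displayname": "displayname", "uniquename": "uid",
             "REFERENCE_SYSTEM_USER": "uid", "fax": "facsimiletelephonenumber",
             "email": "mail", "mobile": "mobile", "telephone": "telephonenumber",
             "description": "description", "streetaddress": "street",
             "pobox": "postofficebox"},
    "group": {"displayname": "cn", "description": "description"},
}
ORIGINAL_PRIVATE: Dict[str, str] = {
    "ume.ldap.access.server_type": "SUN",
    "ume.ldap.access.context_factory": "com.sun.jndi.ldap.LdapCtxFactory",
    "ume.ldap.access.objectclass.user": "inetOrgPerson",
    "ume.ldap.access.objectclass.uacc": "inetOrgPerson",
    "ume.ldap.access.objectclass.grup": "groupOfUniqueNames",
    "ume.ldap.access.naming_attribute.user": "uid",
    "ume.ldap.access.naming_attribute.uacc": "uid",
}


def build_template() -> str:
    """Serialise the constructed stand-in in the shape the guide describes."""
    principals = "".join(
        f'<principal type="{ptype}">'
        + "".join(f'<attribute name="{n}"><physicalAttribute name="{p}"/></attribute>'
                  for n, p in attrs.items())
        + "</principal>"
        for ptype, attrs in ORIGINAL_MAPPING.items())
    private = "".join(f"<{t}>{v}</{t}>" for t, v in ORIGINAL_PRIVATE.items())
    return ('<dataSources><dataSource id="CORP_LDAP"><attributeMapping><principals>'
            f"{principals}</principals></attributeMapping>"
            f"<privateSection>{private}</privateSection></dataSource></dataSources>")


# The edits the guide prescribes. "null" is the literal it says to enter for
# attributes that must not be read from the directory.
MAPPING_EDITS: Dict[str, Dict[str, str]] = {
    "account": {"j_user": "cn", "logonalias": "cn"},
    "user": {**dict.fromkeys(["fax", "email", "mobile", "telephone", "description",
                              "streetaddress", "pobox"], "null"),
             **dict.fromkeys(["firstname", "displayname", "uniquename",
                              "REFERENCE_SYSTEM_USER"], "cn")},
    "group": {"displayname": "cn", "description": "cn"},
}
PRIVATE_DELETE = ("ume.ldap.access.server_type", "ume.ldap.access.context_factory")
PRIVATE_SET = {
    "ume.ldap.access.objectclass.user": "*",
    "ume.ldap.access.objectclass.uacc": "*",
    "ume.ldap.access.objectclass.grup": "*",
    "ume.ldap.access.naming_attribute.user": "cn",
    "ume.ldap.access.naming_attribute.uacc": "cn",
}


def _physical_elements(root: ET.Element, ptype: str, logical: str) -> List[ET.Element]:
    return [phys for p in root.iter("principal") if p.get("type") == ptype
            for a in p.iter("attribute") if a.get("name") == logical
            for phys in a.iter("physicalAttribute")]


def _private_child(root: ET.Element, tag: str) -> Optional[ET.Element]:
    # The tag names contain dots, which ElementPath treats specially: walk children directly.
    private = root.find(".//privateSection")
    return next((c for c in private if c.tag == tag), None) if private is not None else None


def apply_edits(xml_text: str) -> ET.Element:
    """Return the edited tree; raise KeyError if the file lacks anything the guide names."""
    root = ET.fromstring(xml_text)
    missing: List[str] = []
    for ptype, edits in MAPPING_EDITS.items():
        for logical, physical in edits.items():
            targets = _physical_elements(root, ptype, logical)
            if not targets:
                missing.append(f"{ptype}/{logical}")
            for phys in targets:
                phys.set("name", physical)
    private = root.find(".//privateSection")
    if private is None:
        raise KeyError("privateSection")
    for tag in PRIVATE_DELETE:
        for child in [c for c in private if c.tag == tag]:
            private.remove(child)
    for tag, value in PRIVATE_SET.items():
        child = _private_child(root, tag)
        if child is None:
            missing.append(f"privateSection/{tag}")
        else:
            child.text = value
    if missing:
        raise KeyError("not found in configuration file: " + ", ".join(missing))
    return root


def physical_name(root: ET.Element, ptype: str, logical: str) -> Optional[str]:
    found = _physical_elements(root, ptype, logical)
    return found[0].get("name") if found else None


def private_value(root: ET.Element, tag: str) -> Optional[str]:
    child = _private_child(root, tag)
    return None if child is None else child.text


if __name__ == "__main__":
    # Prints the edited document; redirect it to dataSourceConfiguration_open_ldap.xml.
    print(ET.tostring(apply_edits(build_template()), encoding="unicode"))
```

To use it on the real file, read the downloaded XML into a string and pass it to apply_edits() instead of build_template(); a KeyError then tells you exactly which attribute or privateSection line the template does not contain, which is the point at which to stop and compare with the guide rather than upload a half-edited file.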

6. Save the file.
7. In the SAP Config Tool, select UME LDAP Data. Browse for the edited file and click Upload to upload the file.
8. Select dataSourceConfiguration_open_ldap.xml as the Configuration file to configure UME LDAP Data.
9. Enter the Server name, port and other valid information corresponding to your LDAP server. Ensure that the details of the user corresponding to the DN (distinguished name) are entered, for example cn=Manager,dc=my-domain,dc=com.
   Note that cn=Manager,dc=my-domain,dc=com is the rootdn of the OpenLDAP server and has unrestricted write access to the directory. For anything beyond a test setup, bind with a dedicated account that only has read access to the branch holding the Vendavo users, since its password is stored in the UME configuration.
10. Do not select the Use UME unique id with unique LDAP attribute check box.
11. Use Test connection and Test authentication to validate the connection details.
12. Add the UME default login module to the JAAS stack for the Vendavo application as follows:



   A. Start the Visual Administrator and select Server### > Services > Security Provider.
   B. In the Policy Configurations tab, select vendavo.com/kubera*Vendavo in Components.
   C. Click the Authentication tab in the right pane, switch to edit mode, and click Add New.
   D. Select the default login module (for example, BasicPasswordLoginModule) and click OK.
   E. Select the newly configured login module and click Modify.
   F. In the subsequent dialog window, decrease the Position value from 2 to 1.
13. In the Vendavo application, two login modules are now configured. Verify that both have the SUFFICIENT flag set, as shown in the screenshot below.

   The Vendavo Login Module is still needed because the administration user account vendavosystem must be defined and is created in the Vendavo database as part of the build process. Because both modules are flagged SUFFICIENT, a logon succeeds as soon as either module accepts the credentials: an LDAP user whose id also exists in Vendavo can still log on with the password stored in the Vendavo database, so that local password remains a valid credential and should be set to something unguessable.

14. Restart the SAP MMC and launch the Visual Administrator.
15. Then, select server > Services > Security Provider > User Management.
16. Assign the VENDAVO group to the LDAP users. If the user already exists in the Vendavo group, then it needs to be deleted.
17. Create the user in the Vendavo application as well. Only the user ids need to remain identical in Vendavo; other attributes such as full name and password can differ from those defined in LDAP. You need to create these users in Vendavo because each Vendavo user must have roles and permissions assigned in order to access different parts of the application.

   Note: When the users are assigned to the Vendavo group, make sure the flag No Password Change required is checked in the UME for all the Vendavo users.

Testing LDAP Authentication

To test LDAP authentication:

1. Ensure the LDAP Server is running.
2. Make sure the LDAP users are added to the VENDAVO group using the Visual Administrator.
3. Log on to your Vendavo instance using the LDAP user and make sure the user has logged in.
4. As a negative check, stop slapd and repeat the logon with the same LDAP user. If it still succeeds, the Vendavo login module accepted the password stored in the Vendavo database rather than the LDAP one.



Chapter 5: Configuring Windows Active Directory Authentication


ThissectiondescribeshowtoconfigureyoursystemtouserWindows2003ActiveDirectory basedauthenticationonSAPNetWeaverapplicationservers.

Configuring Windows Active Directory Authentication on NetWeaver


This section describes how to configure your system to use Windows Active Directory authentication on SAP NetWeaver.

Integrate Vendavo with MS Active Directory for User Authentication


The Vendavo application can be integrated with Microsoft Active Directory for user authentication. Microsoft Active Directory supports the LDAP protocol and can be used to authenticate users for accessing the Vendavo application.

Active Directory can be configured in many ways. The first steps below (creating an organizational unit, a group and test users) provide a sample Active Directory configuration that you may choose to follow. However, irrespective of how you configure Active Directory, you must make sure that the NetWeaver UME can connect to it.

To integrate Vendavo 6.5 with Microsoft Active Directory:

1. Install Active Directory on Windows 2003 Server and the OS Support Tools.
   SAP WAS comes with preconfigured templates for Active Directory integration. The template maps UME users to objects of class inetOrgPerson in Active Directory. This class is only available in the Windows 2003 version of Active Directory. For Windows 2000 Server, there is a separate kit from Microsoft that includes this object class, but there are known bugs with the kit that prevent any successful integration between NetWeaver and Active Directory.
   In addition, to edit and view various properties of the entities in Active Directory, a separate tool called ADSI Edit is very useful. It is part of the operating system support tools package available from the Microsoft website.
2. Create a few test users in Active Directory.
   To distinguish the users created for accessing the Vendavo application from other users in Active Directory, create a sample structure with an organizational unit, a user group, and a few test users in the group. In a later step, configure the SAP UME to retrieve only users in this branch.
   A. In the Active Directory Users and Computers tool, right-click and select New > Organizational Unit to create an organizational unit called NetWeaver.
   B. Right-click the newly created NetWeaver organizational unit and select New > Group to create a group called NW1.
   C. Right-click the NetWeaver organizational unit and select New > InetOrgPerson to create a few users of class inetOrgPerson.
   D. Add all the newly created users to the NW1 group, and set their passwords.
3. Switch to the ADSI Edit tool, expand the Domain node, and select the node OU=NetWeaver.
4. Select one of the newly created users. You can see the parts that make up the distinguished name. The SAP UME configuration needs to know these parts to retrieve the correct objects from Active Directory. For user nw1u1, the distinguished name is CN=nw1u1,OU=NetWeaver,DC=vn8dc,DC=com.



5. Configure the NetWeaver UME to use Active Directory as the user store. Refer to the SAP documentation at http://help.sap.com/saphelp_erp2004/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm.
   A. Stop all instances in the cluster, and restart the Config Tool.
   B. Switch to configuration editor mode.
   C. Expand the node cluster_data/server/persistent/com.sap.security.core.ume.service. Make sure an entry named dataSourceConfiguration_ads_readonly_db.xml is listed. This entry corresponds to the template file shipped with NetWeaver. It is recommended to take a backup copy of this template file.
      Using this template allows UME read-only access to Active Directory. Any new users created locally in UME (through the Visual Administrator tool, for example) are not created in Active Directory in this mode. Other modes, such as ads_writeable_db, are possible too. Consult the SAP documentation on the implications.
   D. Enter the configuration parameters for Active Directory:
      In the Config Tool, switch to Edit mode.
      Expand the node cluster_data / server / cfg / services.
      Double-click the property sheet com.sap.security.core.ume.service. The configuration parameters are displayed in a new window, in editable mode.



      Set the values to match the Active Directory configuration you created in step 2. The following table shows example values.

      Property                                          Example value
      ume.persistence.data_source_configuration         dataSourceConfiguration_ads_readonly_db.xml
      ume.ldap.access.auxiliary_naming_attribute.uacc   Samaccountname
      ume.ldap.access.auxiliary_naming_attribute.user   Samaccountname
      ume.ldap.access.base_path.grup                    OU=NetWeaver,DC=vn8dc,DC=com
      ume.ldap.access.base_path.uacc                    OU=NetWeaver,DC=vn8dc,DC=com
      ume.ldap.access.base_path.user                    OU=NetWeaver,DC=vn8dc,DC=com
      ume.ldap.access.naming_attribute.grup             CN
      ume.ldap.access.naming_attribute.uacc             CN
      ume.ldap.access.naming_attribute.user             CN
      ume.ldap.access.objectclass.grup                  Group
      ume.ldap.access.objectclass.uacc                  User
      ume.ldap.access.objectclass.user                  User
      ume.ldap.access.user                              Distinguished name of the user for connecting to Active Directory. For example: CN=nw1u1,OU=NetWeaver,DC=vn8dc,DC=com
      ume.ldap.access.password                          Password for the user above.
      ume.ldap.access.server_name                       Host name where Active Directory is installed.
      ume.ldap.access.server_port                       Port number configured for Active Directory. Default is 389.
      ume.ldap.access.server_type                       MSADS
      ume.ldap.default_group_member                     OU=NetWeaver

      The example reuses the test user nw1u1 as the account UME binds with. Its password is stored in the UME configuration, so a real deployment should use a dedicated account that has only read access to the organizational unit and cannot itself log on to Vendavo. Note also that a simple bind on port 389 sends that password in cleartext across the network; prefer LDAP over SSL (typically port 636) where the directory offers it.

   E. Restart the J2EE Engine instances.
6. Validate the connection to Active Directory, using the Visual Administrator tool:
   A. Select Server > Services > Security Provider.
   B. In the right pane, click the User Management tab. The group (NW1) that you created in Active Directory is displayed under the User Tree.
   C. Expand the group. The users that you created in Active Directory are displayed.



7. Configure the Vendavo application to use Active Directory for authentication:
   A. In the screen above, assign the users in the NW1 group to the group VENDAVO. This grants the users access to the Vendavo application.
      In this example, the user group VENDAVO is created in the UME local store, not in Active Directory. However, you can create a group named VENDAVO and assign appropriate users to the group in Active Directory. If you create the group and assign users to it in Active Directory, this step is not required. You just have to make sure that the group VENDAVO and all the users assigned to it are displayed under the User Tree.
8. Add the UME default login module to the JAAS stack for the Vendavo application as follows:
   A. Start the Visual Administrator and select Server### > Services > Security Provider.
   B. In the Policy Configurations tab, select vendavo.com/kubera*Vendavo in Components.
   C. Click the Authentication tab in the right pane, switch to edit mode and click Add New.
   D. Select the default login module (for example, BasicPasswordLoginModule) and click OK.
   E. Select the newly configured login module and click Modify.
   F. In the subsequent dialog window, decrease the Position value from 2 to 1.
9. In the Vendavo application, two login modules are now configured. Verify that both have the SUFFICIENT flag set, as shown in the screenshot below.



   The Vendavo Login Module is still needed because the administration user account vendavosystem must be defined and is created in the Vendavo database as part of the build process.

10. Restart the SAP MMC and launch the Visual Administrator.
11. Create the user in the Vendavo application as well. Only the user ids need to remain identical in Vendavo; other attributes such as full name and password can differ from those defined in Active Directory. You need to create these users in Vendavo because each Vendavo user must have roles and permissions assigned in order to access different parts of the application.
   Note: When the users are assigned to the Vendavo group, make sure the flag No Password Change required is checked in the UME for all the Vendavo users.
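The two steps above that add the UME default login module at position 1 and verify that both modules are SUFFICIENT (the LDAP chapter prescribes the same stack) have a consequence worth seeing concretely: with two SUFFICIENT modules, a logon succeeds as soon as either accepts the password, so the password kept in the Vendavo database for a directory user remains a working credential. The script below is an added example, not Vendavo or SAP code. It models the JAAS control-flag evaluation of the standard specification (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) over two constructed stand-in stores, one for the directory reached through UME and one for the Vendavo user table, and includes a neutralise_local_passwords() helper, an idea of this example rather than a Vendavo feature, that makes the local password unusable for directory users while leaving vendavosystem untouched.

```python
"""Model the J2EE Engine's evaluation of the Vendavo JAAS login stack: the UME
default login module at position 1 and the Vendavo login module at position 2,
both flagged SUFFICIENT.

Added example, not Vendavo or SAP code. The control-flag semantics are those of
the JAAS specification; DIRECTORY and VENDAVO_DB are constructed stand-ins for
the directory queried through UME and the user table in the Vendavo database.
"""
import secrets
from typing import Callable, Dict, Iterable, List, Tuple

LoginModule = Callable[[str, str], bool]
Stack = List[Tuple[str, LoginModule]]


def password_module(store: Dict[str, str]) -> LoginModule:
    """A login module that accepts a user if the store holds exactly that password."""
    return lambda user, password: user in store and store[user] == password


def evaluate_stack(stack: Stack, user: str, password: str) -> bool:
    """JAAS LoginContext.login() decision logic, without the commit/abort phases."""
    required_failed = False   # some REQUIRED or REQUISITE module failed
    saw_required = False
    other_succeeded = False   # some SUFFICIENT or OPTIONAL module succeeded
    for flag, module in stack:
        ok = module(user, password)
        if flag in ("REQUIRED", "REQUISITE"):
            saw_required = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":          # REQUISITE failure stops the stack at once
                    return False
        elif flag == "SUFFICIENT":
            if ok and not required_failed:       # short-circuit: later modules never run
                return True
            other_succeeded = other_succeeded or ok
        elif flag == "OPTIONAL":
            other_succeeded = other_succeeded or ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if saw_required:
        return not required_failed
    return other_succeeded   # only SUFFICIENT/OPTIONAL modules: at least one must have passed


def neutralise_local_passwords(db: Dict[str, str], directory_users: Iterable[str]) -> Dict[str, str]:
    """Copy of db in which every directory-managed user gets an unguessable local password,
    so only the directory credential logs them on; other accounts (vendavosystem) keep theirs."""
    managed = set(directory_users)
    return {u: (secrets.token_urlsafe(32) if u in managed else p) for u, p in db.items()}


# Constructed stores: nw1u1 exists in both, as the guide requires, with a local
# Vendavo password that differs from the directory password.
DIRECTORY = {"nw1u1": "Directory-Pa55"}
VENDAVO_DB = {"nw1u1": "Vendavo-Initial1", "vendavosystem": "BuildTime-Secret"}

VENDAVO_STACK: Stack = [
    ("SUFFICIENT", password_module(DIRECTORY)),   # UME default login module, position 1
    ("SUFFICIENT", password_module(VENDAVO_DB)),  # Vendavo login module, position 2
]


def logon(user: str, password: str, stack: Stack = VENDAVO_STACK) -> bool:
    return evaluate_stack(stack, user, password)


if __name__ == "__main__":
    print("directory password:      ", logon("nw1u1", "Directory-Pa55"))       # True
    print("local Vendavo password:  ", logon("nw1u1", "Vendavo-Initial1"))     # True as well
    print("vendavosystem (local):   ", logon("vendavosystem", "BuildTime-Secret"))  # True
    print("wrong password:          ", logon("nw1u1", "guess"))                # False
    hardened: Stack = [
        ("SUFFICIENT", password_module(DIRECTORY)),
        ("SUFFICIENT", password_module(neutralise_local_passwords(VENDAVO_DB, DIRECTORY))),
    ]
    print("local password, hardened:", logon("nw1u1", "Vendavo-Initial1", hardened))  # False
```

Changing the Vendavo module to REQUISITE would close the same gap but would also lock out vendavosystem, which exists only in the Vendavo database; that is why the guide keeps both modules SUFFICIENT and why the local password of every directory user deserves the same care as a real credential.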

Testing AD Authentication

To test AD authentication:

1. Make sure that the AD users are added to the VENDAVO group using the Visual Administrator.
2. Log on to your Vendavo instance using the AD user and make sure the user has logged in.

