Setup Guide
For Integrating With LDAP, Active Directory
Copyright
Copyright 2000-2007 Vendavo, Inc. All rights reserved. Version: 6510070220
Proprietary Content
Your access to and use of the confidential information contained in this document is subject to the terms and conditions of your license and/or the Vendavo Non-Disclosure Agreement.
Document Reproduction
No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photographic, magnetic or other record, without the prior agreement and written permission of Vendavo, Inc.
Trademarks
All product names, marks, logos and symbols within this document may be trademarks of their respective owners. The following terms are trademarks of Vendavo, Inc.: Vendavo, Vendavo Price Manager, Vendavo Deal Manager, Vendavo Profit Analyzer, Whole Price Management, Vendavo Price Trail, Vendavo Price Engine, Vendavo Price Explorer, Vendavo Portfolio Manager, Vendavo Price List Manager, Vendavo Policy Manager, and Vendavo Pricemart Server.
Contents
CHAPTER 1: ABOUT THIS MANUAL ... 6
    INTENDED AUDIENCE ... 6
    TYPOGRAPHIC CONVENTIONS ... 6
    RELATED DOCUMENTS ... 6
CHAPTER 2:
    Third-Party Software Products and Versions ... 8
CHAPTER 3: SETTING UP THE OPENLDAP SERVER AND LDAP BROWSER ... 9
CHAPTER 4:
    Testing LDAP Authentication ... 17
CHAPTER 5: CONFIGURING WINDOWS ACTIVE DIRECTORY AUTHENTICATION ... 18
    Integrate Vendavo with MS Active Directory for User Authentication ... 18
    Testing AD Authentication ... 25
Chapter 1: About This Manual
Intended Audience
This manual is intended for the administrators of the Vendavo application.
Typographic Conventions
The following table lists the conventions used in this manual:

Convention: Description
(note icon): Refers to a note or important information
Text: Refers to a command, a file name or location, or code
Text: Used for emphasis or references
Text: Refers to a page name, or any form object (like a button, link, etc.)
Related Documents
Setup Guide For Installing Vendavo on Windows NetWeaver Platform: Describes how to install the Vendavo application on the Windows NetWeaver platform.
Setup Guide For Setting Up the Pricemart Server: Describes how to set up the Pricemart server.
Setup Guide For Setting Up Oracle: Describes how to set up Oracle for Vendavo installation.
Hardware Requirements
This section lists the hardware requirements for application and database server machines.
RAM and CPUs (table values not recovered)
Software Requirements
This section lists the software requirements.
Operating System: No
Database: No
LDAP Server: Yes
LDAP Browser: LDAP GUI Browser, http://wwwunix.mcs.anl.gov/~gawor/ldap/, version 2.8.1: Yes
(product name not recovered) 5.6.1 or higher: Yes
(product name not recovered) 6.0 or higher: Yes
JDBC Driver: Oracle 10g (ojdbc14.jar), http://www.oracle.com: Yes
8. Click Edit to modify the LDAP configuration. To create a new session, click New. The Edit Session dialog box is displayed.
Make the changes and click Save.
BASE DN, User DN, and Password are available in the <LDAP Server Installed directory>\slapd.conf file. The values used for fields such as Base DN are examples. Therefore, dc=mydomain and dc=com is an example for a fictitious domain and should be substituted with the actual domain name for which you are setting up LDAP.
2. In the LDAP Browser tool, select LDIF > Import. The LDIF Import dialog box is displayed.
    # People
    dn: cn=smith,dc=my-domain,dc=com
    objectClass: person
    sn: smith
    cn: smith
    userpassword: smith
Make sure that the users defined in the LDIF file are available in the VUser.xml file and are imported into Vendavo.
3. Click Download to download the file and save the file in the desired location. Click OK on the Display File window.
4. Exit from the edit mode and rename the downloaded file to dataSourceConfiguration_open_ldap.xml.
5. Double click the dataSourceConfiguration_open_ldap.xml file and modify as follows:
   C. In attributeMapping > principal type account, set the physicalAttribute name to cn for the following attributes: j_user, logonalias
   D. In attributeMapping > principal type user, set the physicalAttribute name to null for the following attributes: fax, email, mobile, telephone, description, streetaddress, pobox
   E. In attributeMapping > principal type user, set the physicalAttribute name to cn for the following attributes: firstname, displayname, uniquename, REFERENCE_SYSTEM_USER
   F. In attributeMapping > principal type group, set the physicalAttribute name to cn for the following attributes: displayname, description
   G. Delete the following lines in privateSection:
      <ume.ldap.access.server_type>SUN</ume.ldap.access.server_type>
      <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
   H. Set the value to * for the following lines in privateSection as shown below:
      <ume.ldap.access.objectclass.user>*</ume.ldap.access.objectclass.user>
      <ume.ldap.access.objectclass.uacc>*</ume.ldap.access.objectclass.uacc>
      <ume.ldap.access.objectclass.grup>*</ume.ldap.access.objectclass.grup>
8. Select dataSourceConfiguration_open_ldap.xml as the Configuration file to configure UME LDAP Data.
9. Enter the Server name, port and other valid information corresponding to your LDAP server. Ensure the details of the User corresponding to the dn (distinguished name) are entered, for example cn=Manager,dc=my-domain,dc=com.
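Steps C to H above are hand edits to dataSourceConfiguration_open_ldap.xml. The following added example, which is not code from the guide, from Vendavo or from SAP, applies the same edits with Python's standard library; the element nesting it assumes (principal[@type] > attribute[@name] > physicalAttribute[@name], and a privateSection holding the ume.* elements) and the sample document are assumptions made for illustration.

```python
# Added example, not the guide's own file or code (nor SAP's): apply steps C-H
# to a dataSourceConfiguration document.  The element nesting assumed here,
# principal[@type] > attribute[@name] > physicalAttribute[@name] plus a
# privateSection of ume.* elements, is an assumption made for illustration.
import xml.etree.ElementTree as ET

MAPPING_EDITS = [  # steps C-F: principal type, new physicalAttribute name, attributes
    ("account", "cn", {"j_user", "logonalias"}),
    ("user", "null", {"fax", "email", "mobile", "telephone", "description", "streetaddress", "pobox"}),
    ("user", "cn", {"firstname", "displayname", "uniquename", "REFERENCE_SYSTEM_USER"}),
    ("group", "cn", {"displayname", "description"}),
]
PRIVATE_DELETE = {"ume.ldap.access.server_type", "ume.ldap.access.context_factory"}  # step G
PRIVATE_WILDCARD = {"ume.ldap.access.objectclass." + s for s in ("user", "uacc", "grup")}  # step H

def apply_open_ldap_edits(xml_text):
    # Parse the document, apply steps C-H in place, and return the edited root.
    root = ET.fromstring(xml_text)
    for ptype, phys, names in MAPPING_EDITS:
        for principal in root.iter("principal"):
            if principal.get("type") == ptype:
                for attr in principal.iter("attribute"):
                    if attr.get("name") in names:
                        attr.find("physicalAttribute").set("name", phys)
    for priv in root.iter("privateSection"):
        for el in list(priv):  # walk a copy, since elements are removed below
            if el.tag in PRIVATE_DELETE:
                priv.remove(el)
            elif el.tag in PRIVATE_WILDCARD:
                el.text = "*"
    return root

def physical_name(root, ptype, attr_name):
    # The physicalAttribute name mapped for one logical attribute, or None.
    for principal in root.iter("principal"):
        if principal.get("type") == ptype:
            for attr in principal.iter("attribute"):
                if attr.get("name") == attr_name:
                    return attr.find("physicalAttribute").get("name")
    return None

# Constructed sample in the assumed structure, as it might look before editing.
SAMPLE = """<dataSource><privateSection>
<ume.ldap.access.server_type>SUN</ume.ldap.access.server_type>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.objectclass.user>inetOrgPerson</ume.ldap.access.objectclass.user></privateSection>
<attributeMapping>
<principal type="account"><attribute name="j_user"><physicalAttribute name="uid"/></attribute></principal>
<principal type="user"><attribute name="email"><physicalAttribute name="mail"/></attribute></principal>
<principal type="group"><attribute name="description"><physicalAttribute name="description"/></attribute></principal>
</attributeMapping></dataSource>"""
EDITED = apply_open_ldap_edits(SAMPLE)
```

Running the script against the real file only requires replacing SAMPLE with the file's contents and writing the edited tree back with ET.ElementTree(EDITED).write(...).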
   A. Start the Visual Administrator and select Server### > Services > Security Provider.
   B. In the Policy Configurations tab, select vendavo.com/kubera*Vendavo in Components.
   C. Click the Authentication tab in the right pane, switch to edit mode, and click Add New.
   D. Select the default login module (for example, BasicPasswordLoginModule) and click OK.
   E. Select the newly configured login module and click Modify.
   F. In the subsequent dialog window, decrease the Position value from 2 to 1.
13. In the Vendavo application, two login modules are configured. Verify that both have the SUFFICIENT flag set, as shown in the screenshot below.
The Vendavo Login Module is still needed because the administration user account vendavosystem must be defined and is created in the Vendavo database as part of the build process.
14. Restart the SAP MMC and launch the Visual Administrator.
15. Then, select server > Services > Security Provider > User Management.
16. Assign the VENDAVO group to the LDAP users. If the user already exists in the Vendavo group, then it needs to be deleted.
17. Create the user in the Vendavo application as well. Only the user ids need to remain identical in Vendavo; other attributes such as full name and password can differ from those defined in LDAP.
You need to create these users in Vendavo because each Vendavo user must have roles and permissions assigned in order to access different parts of the application.
Configuring LDAP Server for Authentication
When the users are assigned to the Vendavo group, make sure the flag No Password Change required is checked in the UME for all the Vendavo users.
To integrate Vendavo 6.5 with Microsoft Active Directory:
4. Install Active Directory on Windows 2003 Server and the OS Support Tools.
   SAP WAS comes with preconfigured templates for Active Directory integration. The template maps UME users to objects of class InetOrgPerson in the Active Directory. This class is only available on the Windows 2003 version of Active Directory. For Windows 2003 Server, there is a separate kit from Microsoft that includes this object class, but there are known bugs with the kit that prevent any successful integration between NetWeaver and Active Directory.
   In addition, to edit and view various properties of the entities in Active Directory, a separate tool called ADSI Edit is very useful. It is part of the operating system support tools package available from the Microsoft website.
5. Create a few test users in Active Directory.
   To distinguish the users created for accessing the Vendavo application from other users in the Active Directory, create a sample structure with an organization unit, a user group, and a few test users in the group. In the next step, configure SAP UME to only retrieve users in the sample structure/branch.
   A. In the Active Directory Users and Computers tool, right click and select New > Organization Unit to create an organization unit called NetWeaver.
   B. Right click the newly created NetWeaver organization unit and select New > Group to create a group called NW1.
   C. Right click the NetWeaver organization unit, and select New > InetOrgPerson to create a few users of class InetOrgPerson.
   D. Add all the newly created users to the NW1 group, and set their passwords.
8. Configure NetWeaver UME to use Active Directory as user store. Refer to the SAP documentation at http://help.sap.com/saphelp_erp2004/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm.
   A. Stop all instances in the cluster, and restart the Config Tool.
   B. Switch to configuration editor mode.
   C. Expand the node cluster_data/server/persistent/com.sap.security.core.ume.service. Make sure an entry named dataSourceConfiguration_ads_readonly_db.xml is listed. This entry corresponds to the template file shipped with NetWeaver.
   It is recommended to take a backup copy of this template file.
   Using this template allows UME read-only access to the Active Directory. Any new users created locally on UME (through the Visual Administrator tool, for example) are not created in Active Directory in this mode. Other modes, such as ads_writeable_db, are possible too. Consult the SAP documentation on the implications.
   D. Enter configuration parameters for Active Directory:
      In the Config Tool, switch to Edit mode.
      Expand the node cluster_data / server / cfg / services.
      Set the values to match your Active Directory configuration in step 2. The following table shows example values.
      ume.persistence.data_source_configuration: dataSourceConfiguration_ads_readonly_db.xml
      ume.ldap.access.auxiliary_naming_attribute.uacc: Samaccountname
      ume.ldap.access.auxiliary_naming_attribute.user: Samaccountname
      ume.ldap.access.base_path.grup: OU=NetWeaver,DC=vn8dc,DC=com
      ume.ldap.access.base_path.uacc: OU=NetWeaver,DC=vn8dc,DC=com
      ume.ldap.access.base_path.user: OU=NetWeaver,DC=vn8dc,DC=com
      ume.ldap.access.naming_attribute.grup: CN
      ume.ldap.access.naming_attribute.uacc: CN
      ume.ldap.access.naming_attribute.user: CN
      ume.ldap.access.objectclass.grup: Group
      ume.ldap.access.objectclass.uacc: User
      ume.ldap.access.objectclass.user: User
      ume.ldap.access.user: Distinguished name of the user for connecting to Active Directory. For example: CN=nw1u1,OU=NetWeaver,DC=vn8dc,DC=com
      ume.ldap.access.password: Password for the user above.
      ume.ldap.access.server_name: Host name where Active Directory is installed.
      ume.ldap.access.server_port: Port number configured for Active Directory. Default is 389.
      ume.ldap.access.server_type: MSADS
      ume.ldap.default_group_member: OU=NetWeaver
   E. Restart the J2EE Engine instances.
9. Validate the connection to Active Directory, using the Visual Administrator tool:
   A. Select Server > Services > Security Provider.
   B. In the right pane, click the User Management tab. The group (NW1) that you created in Active Directory is displayed under the User Tree.
   C. Expand the group. The users that you created in Active Directory are displayed.
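Before the engine is restarted in step E, the property values can be checked for internal consistency. The following added example (not code from the guide, from Vendavo or from SAP) does that in Python over a property set built from the table's example values; the rules it applies and its DN parsing are this example's own assumptions, and the host name and password it uses are placeholders.

```python
# Added example, not the guide's or SAP's code: a consistency check of the ume.*
# values in the table above, run before restarting the engine.  Property names
# and example values are the guide's; the DN parsing and the rules are this
# example's own, and the host name and password below are placeholders.
import re

BASE_PATHS = ["ume.ldap.access.base_path." + s for s in ("user", "uacc", "grup")]
REQUIRED = BASE_PATHS + ["ume.persistence.data_source_configuration",
    "ume.ldap.access.user", "ume.ldap.access.password", "ume.ldap.access.server_name",
    "ume.ldap.access.server_port", "ume.ldap.access.server_type"]

def dn_components(dn):
    # Split an RFC 4514 DN into (TYPE, value) pairs; an escaped "\," does not split.
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        t, _, v = part.partition("=")
        pairs.append((t.strip().upper(), v.strip()))
    return pairs

def dc_suffix(dn):
    # Domain part of a DN: its DC values, lower-cased, outermost last.
    return tuple(v.lower() for t, v in dn_components(dn) if t == "DC")

def check_ad_properties(props):
    # Return the problems found; an empty list means the values are consistent.
    issues = [k + " is missing or empty" for k in REQUIRED if not props.get(k, "").strip()]
    if issues:
        return issues  # the remaining checks need every value present
    if props["ume.ldap.access.server_type"] != "MSADS":
        issues.append("server_type must be MSADS for Active Directory")
    port = props["ume.ldap.access.server_port"]
    if not (port.isdigit() and 0 < int(port) < 65536):
        issues.append("server_port is not a valid TCP port (default is 389)")
    domains = {dc_suffix(props[k]) for k in BASE_PATHS}
    if len(domains) != 1 or () in domains:
        issues.append("base_path.user/uacc/grup must share one DC=... domain suffix")
    elif dc_suffix(props["ume.ldap.access.user"]) not in domains:
        issues.append("ume.ldap.access.user is not a DN inside the base_path domain")
    return issues

# Constructed property set built from the guide's example values.
EXAMPLE = {
    "ume.persistence.data_source_configuration": "dataSourceConfiguration_ads_readonly_db.xml",
    "ume.ldap.access.base_path.user": "OU=NetWeaver,DC=vn8dc,DC=com",
    "ume.ldap.access.base_path.uacc": "OU=NetWeaver,DC=vn8dc,DC=com",
    "ume.ldap.access.base_path.grup": "OU=NetWeaver,DC=vn8dc,DC=com",
    "ume.ldap.access.user": "CN=nw1u1,OU=NetWeaver,DC=vn8dc,DC=com",
    "ume.ldap.access.password": "<bind-password-placeholder>",
    "ume.ldap.access.server_name": "ad.example.invalid",  # placeholder host name
    "ume.ldap.access.server_port": "389",
    "ume.ldap.access.server_type": "MSADS",
}
```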
10. Configure the Vendavo application to use Active Directory for authentication:
   A. In the screen above, assign the users in the NW1 group to the group VENDAVO. This grants the users access to the Vendavo application.
   In this example, the user group VENDAVO is created in the UME local store, not in Active Directory. However, you can create a group named VENDAVO and assign the appropriate users to it in Active Directory. If you create the group and assign users to it in Active Directory, this step is not required; you just have to make sure that the group VENDAVO and all the users assigned to it are displayed under the User Tree.
11. Add the UME default login module to the JAAS stack for the Vendavo application as follows:
   A. Start the Visual Administrator and select Server### > Services > Security Provider.
   B. In the Policy Configurations tab, select vendavo.com/kubera*Vendavo in Components.
   C. Click the Authentication tab in the right pane, switch to edit mode and click Add New.
   D. Select the default login module (for example, BasicPasswordLoginModule) and click OK.
   E. Select the newly configured login module and click Modify.
   F. In the subsequent dialog window, decrease the Position value from 2 to 1.
12. In the Vendavo application, two login modules are configured. Verify that both have the SUFFICIENT flag set, as shown in the screenshot below.
The Vendavo Login Module is still needed because the administration user account vendavosystem must be defined and is created in the Vendavo database as part of the build process.
13. Restart the SAP MMC and launch the Visual Administrator.
14. Create the user in the Vendavo application as well. Only the user ids need to remain identical in Vendavo; other attributes such as full name and password can differ from those defined in Active Directory.
You need to create these users in Vendavo because each Vendavo user must have roles and permissions assigned in order to access different parts of the application.
When the users are assigned to the Vendavo group, make sure the flag No Password Change required is checked in the UME for all the Vendavo users.
Testing AD Authentication
To test AD Authentication:
1. Make sure that AD users are added into the VENDAVO group using the Visual Administrator.
2. Log on to your Vendavo instance using the AD user and make sure the user has logged in.