Vendavo 6.5
Setup Guide For Integrating With LDAP,
Active Directory
Copyright Copyright © 2000‐2007 Vendavo, Inc. All rights reserved.
Version: 6510070220
Proprietary Content Your access to and use of the confidential information contained in this document is subject to the terms and conditions of your license and/or the Vendavo Non‐Disclosure Agreement.
Document Reproduction No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photographic, magnetic or other record, without the prior agreement and written permission of Vendavo, Inc.
Trademarks All product names, marks, logos and symbols within this document may be trademarks of their respective owners. The following terms are trademarks of Vendavo, Inc.: Vendavo™, Vendavo Price Manager™, Vendavo Deal Manager™, Vendavo Profit Analyzer™, Whole Price Management™, Vendavo Price Trail™, Vendavo Price Engine™, Vendavo Price Explorer™, Vendavo Portfolio Manager™, Vendavo Price List Manager™, Vendavo Policy Manager™, and Vendavo Pricemart Server™.
Contents

Chapter 1: About This Manual
  Intended Audience
  Typographic Conventions
  Related Documents
Chapter 2: Prerequisites for Integration
  Hardware Requirements
    Database Server Machine
    Application Server Machine(s)
  Software Requirements
    Third-Party Software Products and Versions
Chapter 3: Setting Up the OpenLDAP Server and LDAP Browser
  Adding LDAP Users
Chapter 4: Configuring LDAP Server for Authentication
  Configuring LDAP Server for Authentication on SAP NetWeaver
    Testing LDAP Authentication
Chapter 5: Configuring Windows Active Directory Authentication
  Configuring Windows Active Directory Authentication on NetWeaver
    Integrate Vendavo with MS Active Directory for User Authentication
    Testing AD Authentication
Chapter 1: About This Manual

The Setup Guide - For Integrating with LDAP, Active Directory explains how to configure Windows 2003 Active Directory authentication and how to set up the OpenLDAP server for authentication, on various platforms.
Intended Audience

This manual is intended for the administrators of the Vendavo application.
Typographic Conventions

The following table lists the conventions used in this manual:

Convention | Description
(note icon) | Refers to a note or important information
Text | Refers to a command, a filename or location, or code
Text | Used for emphasis or references
Text | Refers to a page name, or any form object (like a button, link, etc.)
Related Documents

• Setup Guide – For Installing Vendavo on Windows-NetWeaver Platform: Describes how to install the Vendavo application on the Windows-NetWeaver platform.
• Setup Guide – For Setting Up the Pricemart Server: Describes how to set up the Pricemart server.
• Setup Guide – For Setting Up Oracle: Describes how to set up Oracle for Vendavo installation.
Chapter 2: Prerequisites for Integration
This section lists the hardware and software requirements for integrating Vendavo with LDAP or Active Directory on various platforms.
Hardware Requirements

This section lists the hardware requirements for application and database server machines.

Database Server Machine

Category | Requirement
Platform | NetWeaver
Operating System | Windows
Disk Space | 5 GB or more
Network Connection | 100 Mbps or faster

Application Server Machine(s)

Category | Windows
Platform | Intel P4
Operating System | Windows 2003 Server Only
RAM | 3 GB
CPUs | Minimum: 1; Recommended: 2
Disk Space | 1 GB or more
Network Connection | 100 Mbps or faster
Software Requirements

This section lists the software requirements.

Third-Party Software Products and Versions

Category | Software Product | Version | Freeware
Operating System | Microsoft Windows (http://www.microsoft.com) | 2003 Server only | No
Database | Oracle 9i or 10g Enterprise Edition (http://www.oracle.com) | 9.2.0.7 (Certified), 10.2 (Supported) | No
LDAP Server | OpenLDAP Server for Windows (http://www.openldap.org) | 2.2.19 | Yes
LDAP Browser | LDAP GUI Browser (http://www-unix.mcs.anl.gov/~gawor/ldap/) | 2.8.1 | Yes
Scripting Environment (for Install) | ActiveState ActivePerl (http://www.activestate.com) | 5.6.1 or higher | Yes
Web Browser | Internet Explorer (http://www.microsoft.com) | 6.0 or higher | Yes
Client Graphics Display | Adobe SVG Viewer (Internet Explorer plug-in) (http://www.adobe.com) | 3.01 or higher | Yes
JDK | (http://java.sun.com) | 1.4.2 or higher | Yes
JDBC Driver | Oracle 10g (ojdbc14.jar) (http://www.oracle.com) | 10.2 | Yes
Chapter 3: Setting up the OpenLDAP Server and LDAP Browser
This section describes how to set up OpenLDAP and LDAP Browser. It also describes how to add LDAP users for testing.
To set up OpenLDAP and LDAP browser in Windows:
1. Double‐click Setup.exe. The Welcome screen is displayed.
2. Click Next. The License agreement screen is displayed.
3. Select I have read and understood the license and click Next. The File Locations screen is displayed.
4. Click Install. If you install in a location other than the default (C:\openldap), note down the path. You will need it during the setup.
5. After the installation is complete, start the OpenLDAP server:
A. Open a command prompt and switch to the LDAP installation directory.
B. Run one of the following commands:
slapd.exe
slapd.exe -d 1 (for debug mode)
6. Start the LDAP Browser by double-clicking the lbe.bat file or by running it from the command prompt. The LDAP Browser is displayed.
7. In the LDAP Browser, click Connect. The connect dialog box is displayed.
8. Click Edit to modify the LDAP configuration. To create a new session, click New. The Edit Session dialog box is displayed.
The following table describes the fields in the Edit Session dialog box.

Field | Description
Host | Host name of the LDAP server.
Port | Port number on which the LDAP server is listening.
Base DN | Base distinguished name (DN) of the LDAP server.
User DN | Distinguished name of the user that binds to the LDAP server.
Password | Password for the user DN.
9. Make the changes and click Save.
The Base DN, User DN, and Password are available in the <LDAP Server installed directory>\slapd.conf file.
The values used for fields such as Base DN are examples: dc=my-domain,dc=com is a fictitious domain and should be replaced with the actual domain name for which you are setting up the LDAP server.
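As an added example (not from the Vendavo guide), the following Python script reads the three slapd.conf directives the note above points at and maps them onto the Edit Session fields: suffix is the Base DN, rootdn is the User DN and rootpw is the password. The configuration text is constructed here to mirror the stock OpenLDAP sample file. The script also flags a rootpw stored in clear text, which is how the sample file ships; the OpenLDAP slappasswd utility produces a {SSHA} value that can be pasted in its place.

```python
"""Read the OpenLDAP slapd.conf values the LDAP Browser session needs.

Added example, not part of the Vendavo guide. SAMPLE_CONF is constructed
to mimic the database section of the stock OpenLDAP sample slapd.conf.
"""
import re
import shlex

# Constructed sample of a slapd.conf database section (not a real deployment).
SAMPLE_CONF = """\
# slapd.conf sample (constructed for this example)
include     ./schema/core.schema
pidfile     ./run/slapd.pid

database    bdb
suffix      "dc=my-domain,dc=com"
rootdn      "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords should only be used for testing purposes.
rootpw      secret
directory   ./data
"""

# Password storage schemes slapd recognises as hashed values.
HASHED_PW = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", re.I)


def parse_slapd_conf(text):
    """Return {directive: value} for suffix/rootdn/rootpw (first database section).

    slapd.conf is line oriented: a line starting with whitespace continues the
    previous line, '#' starts a comment, and values may be double-quoted.
    """
    joined = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and joined:   # continuation line
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw)

    wanted = {"suffix", "rootdn", "rootpw"}
    found = {}
    for line in joined:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)               # handles the quoting slapd.conf uses
        directive = parts[0].lower()
        if directive in wanted and directive not in found and len(parts) > 1:
            found[directive] = parts[1]
    return found


def session_settings(text):
    """Map slapd.conf directives onto the LDAP Browser Edit Session fields."""
    conf = parse_slapd_conf(text)
    return {
        "Base DN": conf.get("suffix"),
        "User DN": conf.get("rootdn"),
        "Password": conf.get("rootpw"),
    }


def rootpw_is_cleartext(text):
    """True when rootpw has no {SCHEME} prefix, i.e. it is readable as stored."""
    pw = parse_slapd_conf(text).get("rootpw")
    return pw is not None and not HASHED_PW.match(pw)


if __name__ == "__main__":
    for field, value in session_settings(SAMPLE_CONF).items():
        print(f"{field:9}: {value}")
    if rootpw_is_cleartext(SAMPLE_CONF):
        print("warning: rootpw is stored in clear text; replace it with a slappasswd hash")
```

The check on rootpw is worth running on any slapd.conf that leaves the install directory: the sample file's rootpw is the directory manager's password, and the same value is what you type into the LDAP Browser session.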
Adding LDAP Users

You can add LDAP users using a file in LDIF format.
To add LDAP users:
1. Create a file with the .ldif extension.
2. In the LDAP Browser tool, select LDIF > Import. The LDIF Import dialog box is displayed.
3. Select the LDIF file and click Import. The contents of a sample LDIF file are shown below:

# sample.ldif
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: dcObject
objectClass: organization
o: Vendavo, Inc

# People
dn: cn=smith,dc=my-domain,dc=com
objectClass: person
sn: smith
cn: smith
userpassword: smith
Make sure that the users defined in the LDIF file are available in the VUser.xml file and are imported into Vendavo.
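The following Python script is an added example, not part of the guide. It parses an LDIF file with the standard library and checks the point made in the note above: every person entry in the LDIF must also exist in VUser.xml, keyed by cn, which Chapter 4 configures as the UME naming attribute. The LDIF is the guide's sample plus a second constructed user (jones) whose password is given as a base64 "::" value, to show that LDIF syntax; the VUser.xml snippet is constructed too, since the guide does not show that file's schema, and it assumes <user id="..."/> elements. The script also reports userPassword values that carry no {SCHEME} prefix, because OpenLDAP stores such values exactly as written.

```python
"""Parse an LDIF file and cross-check its users against VUser.xml.

Added example, not part of the Vendavo guide. SAMPLE_LDIF extends the
guide's sample with one constructed user; SAMPLE_VUSER_XML is a constructed
stand-in whose schema (<user id="..."/>) is an assumption.
"""
import base64
import xml.etree.ElementTree as ET

SAMPLE_LDIF = """\
# sample.ldif
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: dcObject
objectClass: organization
o: Vendavo, Inc

# People
dn: cn=smith,dc=my-domain,dc=com
objectClass: person
sn: smith
cn: smith
userpassword: smith

dn: cn=jones,dc=my-domain,dc=com
objectClass: person
sn: jones
cn: jones
userpassword:: e1NTSEF9bm90LWEtcmVhbC1oYXNo
"""

# Constructed stand-in for VUser.xml (placeholder schema, not Vendavo's real file).
SAMPLE_VUSER_XML = """\
<users>
  <user id="smith" fullName="John Smith"/>
  <user id="vendavosystem" fullName="System Administrator"/>
</users>
"""


def parse_ldif(text):
    """Return a list of entries, each {attribute (lowercased): [values]} incl. 'dn'.

    Handles comments, blank-line separated records, line folding (a
    continuation line starts with one space) and base64 values ('attr:: ...').
    """
    lines = []
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith(" ") and lines:          # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                       # record separator
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries


def person_entries(entries):
    """Entries whose objectClass includes 'person' (case-insensitive)."""
    return [e for e in entries
            if any(v.lower() == "person" for v in e.get("objectclass", []))]


def check_users(ldif_text, vuser_xml):
    """Return (ids missing from VUser.xml, ids whose userPassword is clear text)."""
    vendavo_ids = {u.get("id") for u in ET.fromstring(vuser_xml).iter("user")}
    missing, cleartext = [], []
    for entry in person_entries(parse_ldif(ldif_text)):
        uid = entry["cn"][0]                       # cn is the UME naming attribute
        if uid not in vendavo_ids:
            missing.append(uid)
        for pw in entry.get("userpassword", []):
            if not pw.startswith("{"):             # no {SSHA}/{CRYPT}/... prefix
                cleartext.append(uid)
    return missing, cleartext


if __name__ == "__main__":
    missing, cleartext = check_users(SAMPLE_LDIF, SAMPLE_VUSER_XML)
    print("LDIF users not in VUser.xml:", missing)
    print("LDIF users with clear-text userPassword:", cleartext)
```

Run against the real files, the first list is what the note asks you to fix before importing; the second list is a reminder that a test LDIF with passwords typed in clear text should not travel beyond the test server.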
Chapter 4: Configuring LDAP Server for Authentication
This section describes how to configure your system to use the OpenLDAP server for authentication on NetWeaver.

Configuring LDAP Server for Authentication on SAP NetWeaver

To configure the OpenLDAP server on NetWeaver:
1. Start the SAP Config Tool and click Switch to Configuration Editor Mode.
2. In the Display configuration tab, navigate to the cluster_data/server/persistent/com.sap.security.core.ume.service folder. Double-click the dataSourceConfiguration_iplanet_readonly_db.xml file. The Display File window is displayed.
3. Click Download to download the file and save the file in the desired location. Click OK on the Display File window.
4. Exit from the edit mode and rename the downloaded file to dataSourceConfiguration_open_ldap.xml.
5. Double‐click the dataSourceConfiguration_open_ldap.xml file and modify as follows:
C. In attributeMapping > principal type account, set the physicalAttribute name to cn for the following attributes:
j_user
logonalias
D. In attributeMapping > principal type user, set the physicalAttribute name to null for the following attributes:
fax
mobile
telephone
description
streetaddress
pobox
E. In attributeMapping > principal type user, set the physicalAttribute name to cn for the following attributes:
firstname
displayname
uniquename
REFERENCE_SYSTEM_USER
F. In attributeMapping > principal type group, set the physicalAttribute name to cn for the following attributes:
displayname
description
G. Delete the following lines in privateSection:
<ume.ldap.access.server_type>SUN</ume.ldap.access.server_type>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
H. Set the value to * for the following lines in privateSection, as shown below:
<ume.ldap.access.objectclass.user>*</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>*</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.objectclass.grup>*</ume.ldap.access.objectclass.grup>
I. Set the value to cn for the following lines in privateSection, as shown below:
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
6. Save the file.
7. In the SAP Config Tool, select UME LDAP Data. Browse for the edited file and click Upload to upload the file.
8. Select dataSourceConfiguration_open_ldap.xml as the Configuration file to configure UME LDAP Data.
9. Enter the Server name, port and other valid information corresponding to your LDAP server.
Make sure you enter the details of the user identified by the DN (distinguished name), for example:
cn=Manager,dc=my-domain,dc=com
10. Do not select the Use UME unique id with unique LDAP attribute checkbox.
11. Use the Test connection and Test authentication to validate the connection details.
12. Add the UME default login module to the JAAS stack for the Vendavo application as follows:
A. Start the Visual Administrator and select Server > Services > Security Provider.
B. In the Policy Configurations tab, select vendavo.com/kubera*Vendavo in Components.
C. Click the Authentication tab in the right pane, switch to edit mode, and click Add New.
D. Select the default login module (for example, BasicPasswordLoginModule) and click OK.
E. Select the newly configured login module and click Modify.
F. In the subsequent dialog window, decrease the Position value from 2 to 1.
13. In the Vendavo application, two login modules are configured. Verify that both have the SUFFICIENT flag set, as shown in the screenshot below.
The Vendavo Login Module is still needed because the administration user account vendavosystem must be defined and is created in the Vendavo database as part of the build process.
14. Restart the SAP MMC and launch the Visual Administrator.
15. Select Server > Services > Security Provider > User Management.
16. Assign the "VENDAVO" group to the LDAP users. If the user already exists in the VENDAVO group, it must be deleted first.
17. Create the user in the Vendavo application as well. Only the user IDs need to be identical in Vendavo; other attributes such as full name and password can differ from those defined in LDAP.
You need to create these users in Vendavo because each Vendavo user must have roles and permissions assigned in order to access the different parts of the application.
When the users are assigned to the VENDAVO group, make sure the No Password Change required flag is checked in the UME for all Vendavo users.

Testing LDAP Authentication

To test LDAP authentication:
1. Ensure the LDAP server is running.
2. Make sure the LDAP users are added to the "VENDAVO" group using the Visual Administrator.
3. Log on to your Vendavo instance using an LDAP user and confirm that the login succeeds.
Chapter 5: Configuring Windows Active Directory Authentication
This section describes how to configure your system to use Windows 2003 Active Directory-based authentication on SAP NetWeaver application servers.

Configuring Windows Active Directory Authentication on NetWeaver

This section describes how to configure your system to use Windows Active Directory authentication on SAP NetWeaver.

Integrate Vendavo with MS Active Directory for User Authentication

The Vendavo application can be integrated with Microsoft Active Directory for user authentication. Microsoft Active Directory supports the LDAP protocol and can be used to authenticate users accessing the Vendavo application.
The Active Directory can be configured in many ways. Steps 1 through 5 provide a sample Active Directory configuration that you may choose to follow. However, irrespective of how you configure the Active Directory, you must make sure that the NetWeaver's UME can connect to it.
To integrate Vendavo 6.5 with Microsoft Active Directory:
4. Install Active Directory on Windows 2003 Server and the OS Support Tools. SAP WAS comes with pre-configured templates for Active Directory integration. The template maps UME users to objects of class InetOrgPerson in the Active Directory. This class is only available on the Windows 2003 version of Active Directory. For Windows 2003 Server, there is a separate kit from Microsoft that includes this object class, but there are known bugs with the kit that prevent any successful integration between NetWeaver and Active Directory.
In addition, to edit and view the various properties of the entities in Active Directory, a separate tool called ADSI Edit is very useful. It is part of the operating system support tools package available from the Microsoft website.
5. Create a few test users in Active Directory. To distinguish between the users created for accessing Vendavo application from other users in the Active Directory, create a sample structure with an organization unit, a user group, and a few test users in the group. In the next step, configure SAP UME to only retrieve users in the sample structure/branch.
A. In the Active Directory Users and Computers tool, right‐click and select New > Organization Unit to create an organization unit called NetWeaver.
B. Right‐click the newly created NetWeaver organization unit and select New > Group to create a group called NW1.
C. Right‐click the NetWeaver organization unit, and select New > InetOrgPerson to create a few users of class InetOrgPerson.
D. Add all the newly created users to the NW1 group, and set their passwords.
6. Switch to ADSI Edit tool, expand the Domain node, and select the node OU=NetWeaver.
7. Select one of the newly created users. You can see the parts that make up the distinguished names. SAP UME configuration needs to know these parts to retrieve the correct objects from Active Directory. For user nw1u1, the distinguished name is CN=nw1u1, OU=NetWeaver, DC=vn8dc, DC=com.
8. Configure NetWeaver UME to use Active Directory as user store:
Refer to SAP documentation at http://help.sap.com/saphelp_erp2004/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm.
A. Stop all instances in the cluster, and restart the Config Tool.
B. Switch to configuration editor mode.
C. Expand the node cluster_data/server/persistent/com.sap.security.core.ume.service. Make sure an entry named dataSourceConfiguration_ads_readonly_db.xml is listed. This entry corresponds to the template file shipped with NetWeaver.
It is recommended to take a backup copy of this template file.
Using this template allows UME read‐only access to the Active Directory. Any new users created locally on UME (through the Visual Administrator tool for example) are not created in Active Directory in this mode. Other modes, such as ads_writeable_db are possible too. Consult SAP documentation on the implications.
D. Enter configuration parameters for Active Directory:
In the Config Tool, switch to Edit mode.
Expand the node cluster_data / server / cfg / services.
Double‐Click Propertysheet com.sap.security.core.ume.service. The configuration parameters are displayed in a new window, in an editable mode.
Set the values to match your Active Directory configuration in step 2. The following table shows example values.

Parameter | Example value
ume.persistence.data_source_configuration | dataSourceConfiguration_ads_readonly_db.xml
ume.ldap.access.auxiliary_naming_attribute.uacc | Samaccountname
ume.ldap.access.auxiliary_naming_attribute.user | Samaccountname
ume.ldap.access.base_path.grup | OU=NetWeaver,DC=vn8dc,DC=com
ume.ldap.access.base_path.uacc | OU=NetWeaver,DC=vn8dc,DC=com
ume.ldap.access.base_path.user | OU=NetWeaver,DC=vn8dc,DC=com
ume.ldap.access.naming_attribute.grup | CN
ume.ldap.access.naming_attribute.uacc | CN
ume.ldap.access.naming_attribute.user | CN
ume.ldap.access.objectclass.grup | Group
ume.ldap.access.objectclass.uacc | User
ume.ldap.access.objectclass.user | User
ume.ldap.access.user | Distinguished name of the user for connecting to Active Directory. For example: CN=nw1u1,OU=NetWeaver,DC=vn8dc,DC=com
ume.ldap.access.password | Password for the user above.
ume.ldap.access.server_name | Host name where Active Directory is installed.
ume.ldap.access.server_port | Port number configured for Active Directory. Default is 389.
ume.ldap.access.server_type | MSADS
ume.ldap.default_group_member | OU=NetWeaver
E. Restart the J2EE Engine instances.
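To make the relationship between a user's distinguished name (step 7) and the property sheet in step 8D explicit, here is an added Python example that is neither SAP nor Vendavo code. It splits a DN into its RDNs following the RFC 4514 escaping rules (an unescaped comma separates RDNs, a backslash escapes the next character) and derives the base_path, naming_attribute and default_group_member values from the guide's example DN CN=nw1u1,OU=NetWeaver,DC=vn8dc,DC=com. The host name ad.example.test is a placeholder; the bind password is deliberately left out of the generated values. The auxiliary naming attribute is written sAMAccountName, the same attribute the table spells Samaccountname, since LDAP attribute names are case-insensitive.

```python
"""Derive the UME Active Directory parameters from a user's distinguished name.

Added example, not part of the Vendavo guide or SAP's tooling. The DN used
in __main__ is the guide's example; the server name is a placeholder.
"""


def split_dn(dn):
    """Split a DN into [(type, value), ...], honouring backslash escapes.

    Commas inside values must be escaped ('\\,') per RFC 4514, so an
    unescaped comma always separates RDNs. Multi-valued RDNs ('+') are not
    needed for AD user objects and are kept as a single value.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())

    parts = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip(), value.strip()))
    return parts


def ume_settings_from_user_dn(user_dn, server_name, server_port=389):
    """Build the property-sheet values of Chapter 5, step 8D for one bind user.

    As in the guide's example, users, accounts (uacc) and groups all live in
    the same branch, so one base_path serves all three. The password
    (ume.ldap.access.password) is intentionally not part of the result.
    """
    rdns = split_dn(user_dn)
    if len(rdns) < 2:
        raise ValueError("user DN must have a parent container")
    naming_attribute = rdns[0][0].upper()                    # e.g. CN
    base_path = ",".join(f"{a}={v}" for a, v in rdns[1:])    # OU=NetWeaver,DC=vn8dc,DC=com
    container_rdn = f"{rdns[1][0]}={rdns[1][1]}"             # OU=NetWeaver

    settings = {
        "ume.persistence.data_source_configuration": "dataSourceConfiguration_ads_readonly_db.xml",
        "ume.ldap.access.server_type": "MSADS",
        "ume.ldap.access.server_name": server_name,
        "ume.ldap.access.server_port": str(server_port),
        "ume.ldap.access.user": user_dn,
        "ume.ldap.default_group_member": container_rdn,
    }
    for kind in ("user", "uacc", "grup"):
        settings[f"ume.ldap.access.base_path.{kind}"] = base_path
        settings[f"ume.ldap.access.naming_attribute.{kind}"] = naming_attribute
    for kind in ("user", "uacc"):
        settings[f"ume.ldap.access.auxiliary_naming_attribute.{kind}"] = "sAMAccountName"
        settings[f"ume.ldap.access.objectclass.{kind}"] = "User"
    settings["ume.ldap.access.objectclass.grup"] = "Group"
    return settings


if __name__ == "__main__":
    # Placeholder host name; the DN is the guide's own example.
    for key, value in sorted(ume_settings_from_user_dn(
            "CN=nw1u1,OU=NetWeaver,DC=vn8dc,DC=com", "ad.example.test").items()):
        print(f"{key} = {value}")
```

Because the base_path values restrict UME to the OU=NetWeaver branch, only objects created there (the NW1 group and its members) become visible to NetWeaver, which is the isolation the sample structure in step 5 is meant to give you.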
9. Validate the connection to Active Directory, using the Visual Administrator tool:
A. Select Server > Services > Security Provider.
B. In the right pane, click the User Management tab. The group (NW1) that you created in Active Directory is displayed under the User Tree.
C. Expand the group. The users that you created in Active Directory are displayed.
10. Configure Vendavo application to use Active Directory for authentication:
A. In the screen above, assign the users in NW1 group to group VENDAVO. This grants the users access to the Vendavo application.
In this example, the user group VENDAVO is created in UME local store, not in Active Directory. However, you can create a group named VENDAVO and assign appropriate users to the group in Active Directory.
If you create the group and assign users to it in Active Directory, this step is not required. You just have to make sure that the group VENDAVO and all the users assigned to it are displayed under the User Tree.
11. Add the UME default login module to the JAAS stack for the Vendavo application as follows:
A. Start the Visual Administrator and select Server > Services > Security Provider.
B. In the Policy Configurations tab, select vendavo.com/kubera*Vendavo in Components.
C. Click the Authentication tab in the right pane, switch to edit mode, and click Add New.
D. Select the default login module (for example, BasicPasswordLoginModule) and click OK.
E. Select the newly configured login module and click Modify.
F. In the subsequent dialog window, decrease the Position value from 2 to 1.
12. In the Vendavo application, two login modules are configured. Verify that both have the SUFFICIENT flag set, as shown in the screenshot below.
The Vendavo Login Module is still needed because the administration user account vendavosystem must be defined and is created in the Vendavo database as part of the build process.
13. Restart the SAP MMC and launch the Visual Administrator.
14. Create the user in the Vendavo application as well. Only the user ids need to remain identical in Vendavo; other attributes such as full name and password can differ from those defined in Active Directory.
You need to create these users in Vendavo because each Vendavo user must have roles and permissions assigned in order to access the different parts of the application.
When the users are assigned to the VENDAVO group, make sure the No Password Change required flag is checked in the UME for all Vendavo users.
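Both Chapter 4 (steps 12 and 13) and Chapter 5 (steps 11 and 12) leave the Vendavo application with two login modules, the UME module at position 1 and the Vendavo Login Module at position 2, both flagged SUFFICIENT. The following Python script is an added example, not part of the guide or of SAP NetWeaver, that encodes the JAAS control-flag rules from javax.security.auth.login.Configuration (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) and runs that two-module stack against constructed module outcomes, so you can see why the position change matters and why the Vendavo module is still needed for vendavosystem.

```python
"""Simulate how a JAAS login stack evaluates its modules.

Added example, not part of the Vendavo guide or of SAP NetWeaver. Module
outcomes are constructed values standing in for a real directory and the
Vendavo database.
"""
from dataclasses import dataclass


@dataclass
class Module:
    name: str
    flag: str  # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL


def evaluate_stack(stack, outcomes):
    """Return (authenticated, modules_consulted) for one pass over a JAAS stack.

    `outcomes` maps module name -> True/False for this login attempt.
    Rules, as in the JAAS specification:
      REQUIRED   must succeed; evaluation continues either way
      REQUISITE  must succeed; failure stops evaluation at once
      SUFFICIENT success stops evaluation (unless a REQUIRED/REQUISITE module
                 failed earlier); failure just moves on
      OPTIONAL   only matters when the stack has no REQUIRED/REQUISITE module
    """
    consulted = []
    required_failed = False
    any_required = any(m.flag in ("REQUIRED", "REQUISITE") for m in stack)
    optional_success = False

    for module in stack:
        consulted.append(module.name)
        ok = outcomes[module.name]
        if module.flag == "REQUISITE":
            if not ok:
                return False, consulted
        elif module.flag == "REQUIRED":
            if not ok:
                required_failed = True
        elif module.flag == "SUFFICIENT":
            if ok and not required_failed:
                return True, consulted
            optional_success = optional_success or ok
        elif module.flag == "OPTIONAL":
            optional_success = optional_success or ok
        else:
            raise ValueError(f"unknown control flag {module.flag!r}")

    if any_required:
        return not required_failed, consulted
    return optional_success, consulted


# The stack the guide configures: UME module first (Position 1), Vendavo module second.
VENDAVO_STACK = [
    Module("UME BasicPasswordLoginModule", "SUFFICIENT"),
    Module("Vendavo Login Module", "SUFFICIENT"),
]


def login(user, directory_ok, vendavo_db_ok, stack=VENDAVO_STACK):
    """One login attempt: report whether it succeeds and which modules were asked."""
    outcomes = {
        "UME BasicPasswordLoginModule": directory_ok,
        "Vendavo Login Module": vendavo_db_ok,
    }
    authenticated, consulted = evaluate_stack(stack, outcomes)
    return {"user": user, "authenticated": authenticated, "consulted": consulted}


if __name__ == "__main__":
    # A directory user: the UME module succeeds, the Vendavo module is never asked.
    print(login("smith", directory_ok=True, vendavo_db_ok=False))
    # vendavosystem exists only in the Vendavo database, so the second module is needed.
    print(login("vendavosystem", directory_ok=False, vendavo_db_ok=True))
    # Wrong password everywhere: both modules fail and the login is refused.
    print(login("smith", directory_ok=False, vendavo_db_ok=False))
```

Two consequences follow from the simulation. First, with both modules SUFFICIENT, a password the Vendavo database still holds for a directory user remains a valid credential whenever the directory rejects or cannot answer the request, so the guide's remark that the Vendavo-side password "can differ" from the LDAP or AD one also means it has to be managed with the same care. Second, if the UME module were left at position 2, every directory user would first be checked against the Vendavo database, and a stale local password would be accepted before the directory was ever consulted.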
Testing AD Authentication

To test AD authentication:
1. Make sure that the AD users are added to the "VENDAVO" group using the Visual Administrator.
2. Log on to your Vendavo instance using an AD user and confirm that the login succeeds.