LDAPActivedir Guide SAP

Vendavo 6.5

Setup Guide For Integrating With LDAP,

Active Directory

Copyright Copyright © 2000‐2007 Vendavo, Inc. All rights reserved.

Version: 6510070220

Proprietary Content Your access to and use of the confidential information contained in this document is subject to the terms and conditions of your license and/or the Vendavo Non‐Disclosure Agreement.

Document Reproduction No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photographic, magnetic or other record, without the prior agreement and written permission of Vendavo, Inc.

Trademarks All product names, marks, logos and symbols within this document may be trademarks of their respective owners. The following terms are trademarks of Vendavo, Inc.: Vendavo™, Vendavo Price Manager™, Vendavo Deal Manager™, Vendavo Profit Analyzer™, Whole Price Management™, Vendavo Price Trail™, Vendavo Price Engine™, Vendavo Price Explorer™, Vendavo Portfolio Manager™, Vendavo Price List Manager™, Vendavo Policy Manager™, and Vendavo Pricemart Server™.

Contents

CHAPTER 1: ABOUT THIS MANUAL.................................................................................... 6 INTENDED AUDIENCE .............................................................................................................................. 6 TYPOGRAPHIC CONVENTIONS............................................................................................................... 6 RELATED DOCUMENTS ........................................................................................................................... 6

CHAPTER 2: PREREQUISITES FOR INTEGRATION .......................................................... 7 HARDWARE REQUIREMENTS ................................................................................................................. 7

Database Server Machine ...................................................................................................... 7 Application Server Machine(s) ................................................................................................ 7

SOFTWARE REQUIREMENTS.................................................................................................................. 8 Third-Party Software Products and Versions.......................................................................... 8

CHAPTER 3: SETTING UP THE OPENLDAP SERVER AND LDAP BROWSER................ 9 ADDING LDAP USERS .............................................................................................................................11

CHAPTER 4: CONFIGURING LDAP SERVER FOR AUTHENTICATION .......................... 13 CONFIGURING LDAP SERVER FOR AUTHENTICATION ON SAP NETWEAVER ................................13

Testing LDAP Authentication ................................................................................................ 17

CHAPTER 5: CONFIGURING WINDOWS ACTIVE DIRECTORY AUTHENTICATION...... 18 CONFIGURING WINDOWS ACTIVE DIRECTORY AUTHENTICATION ON NETWEAVER ....................18

Integrate Vendavo with MS Active Directory for User Authentication................................... 18 Testing AD Authentication .................................................................................................... 25

v

About This Manual

Chapter 1: About This Manual The Setup Guide ‐ For Integrating with LDAP, Active Directory explains how to configure Windows 2003 Active Directory Authentication and how to set up the Open LDAP Server for authentication, on various platforms.

Intended Audience This manual is intended for the administrators of the Vendavo application.

Typographic Conventions The following table lists the conventions used in this manual:

Convention Description

Refers to a note or important information

Text Refers to a command, a filename or location, or code

Text Used for emphasis or references

Text Refers to a page name, or any form object (like a button, link, etc.)

Related Documents • Setup Guide – For Installing Vendavo on Windows‐NetWeaver Platform: Describes how to install

the Vendavo application on the Windows‐NetWeaver platform.

• Setup Guide – For Setting Up the Pricemart Server: Describes how to set up the Pricemart server.

• Setup Guide – For Setting Up Oracle: Describes how to set up Oracle for Vendavo installation.

6

Prerequisites for Integration

Chapter 2: Prerequisites for Integration

This section lists the hardware and software requirements for integrating Vendavo with LDAP, active directory on various platforms.

Hardware Requirements This section lists the hardware requirements for application and database server machines.

Database Server Machine

Category Requirement

Platform NetWeaver

Operating System Windows

Disk Space 5 GB or more

Network Connection

100 Mbps or faster

Application Server Machine(s)

Category Windows

Platform Intel P4

Operating System Windows 2003 Server Only

RAM 3 GB

CPUs Minimum: 1

Recommended: 2

Disk Space 1 GB or more

Network Connection 100 Mbps or faster

7

Prerequisites for Integration

Software Requirements This section lists the software requirements.

Third-Party Software Products and Versions

Category Software Product Version Freeware

Operating System Microsoft Windows

http://www.microsoft.com

2003 Server only

No

Database Oracle 9i, or 10g Enterprise Edition

http://www.oracle.com

9.2.0.7 (Certified) 10.2 (Supported)

No

LDAP Server Open LDAP Server for Windows

http://www.openldap.org

2.2.19 Yes

LDAP Browser LDAP GUI Browser

http://www‐unix.mcs.anl.gov/~gawor/ldap/

2.8.1 Yes

Scripting Environment (for Install)

Active State ActivePerl

http://www.activestate.com

5.6.1 or higher

Yes

Web Browser Internet Explorer

http://www.microsoft.com

6.0 or higher Yes

Client Graphics Display

Adobe SVG Viewer (Internet Explorer plug‐in)

http://www.adobe.com

3.01 or higher

Yes

JDK http://java.sun.com 1.4.2 or higher

Yes

JDBC Driver Oracle 10g (ojdbc14.jar)

http://www.oracle.com10.2 Yes

8

http://www.microsoft.com/

http://www.oracle.com/

http://www.openldap.org/

http://www-unix.mcs.anl.gov/~gawor/ldap/

http://www.activestate.com/

http://www.microsoft.com/

http://www.adobe.com/

http://java.sun.com/

http://www.oracle.com/

Setting up the OpenLDAP Server and LDAP Browser

Chapter 3: Setting up the OpenLDAP Server and LDAP Browser

This section describes how to set up OpenLDAP and LDAP Browser. It also describes how to add LDAP users for testing.

To set up OpenLDAP and LDAP browser in Windows:

1. Double‐click Setup.exe. The Welcome screen is displayed.

2. Click Next. The License agreement screen is displayed.

3. Select I have read and understood the license and click Next. The File Locations screen is displayed.

4. Click Install. If you install in a location other than the default (C:\openldap), note down the path. You will need it during the setup.

5. After the installation is complete, start the OpenLDAP server:

A. Open a command prompt and switch to the LDAP installation directory.

B. Run one of the following commands:

slapd.exe

slapd.exe –d 1 (for debug mode)

6. Start the LDAP Browser by either double clicking the lbe.bat file or by running the lbe.bat file from the command prompt. The LDAP Browser is displayed.

7. In the LDAP Browser, click Connect. The connect dialog box is displayed.

9


8. Click Edit to modify the LDAP configuration. To create a new session, click New. The Edit Session dialog box is displayed.

The following table describes the fields in the Edit Session dialog box.

Field Description

Host Host name of the LDAP Server.

Port Port number in which the LDAP Server is running.

Base DN Base Directory Node of the LDAP Server.

10


Field Description

User DN User Directory Node of the LDAP Server.

Password Password for the User Directory Node.

9. Make the changes and click Save.

BASE DN, User DN, and Password are available in the <LDAP Server Installed directory> \slapd.conf file.

The values used for fields such as Base DN are examples. Therefore, dc=my-domain and dc=com is an example for a fictitious domain and it should be substituted with the actual Domain Name for which they are setting up the LDAP.

Adding LDAP Users You can add LDAP users, using a LDIF format file.

To add LDAP users:

1. Create a file with the .ldif extension.

2. In the LDAP Browser tool, select LDIF > Import. The LDIF Import dialog box is displayed.

3. Select the LDIF File and click Import. The contents of a sample LDIF File are shown below:

# sample.ldif

dn: dc=my-domain,dc=com

dc: my-domain

11


objectClass: dcObject

objectClass: organization

o: Vendavo, Inc

# People

dn: cn=smith,dc=my-domain,dc=com

objectClass: person

sn: smith

cn: smith

userpassword: smith

Make sure that the users defined in the LDIF file are available in the VUser.xml file and are imported into Vendavo.

12

Configuring LDAP Server for Authentication

Chapter 4: Configuring LDAP Server for Authentication

This section describes how to configure your system to use open LDAP server for authentication, on NetWeaver.

Configuring LDAP Server for Authentication on SAP NetWeaver To configure the Open LDAP Server on Netweaver:

1. Start the SAP Config Tool and click Switch to Configuration Editor Mode.

2. In the Display configuration tab, navigate to cluster_data/server/persistent/com.sap.security.core.ume.service folder. Double‐click the dataSourceConfiguration_iplanet_readonly_db.xml file.The Display File window is displayed.

3. Click Download to download the file and save the file in the desired location. Click OK on the Display File window.

13


4. Exit from the edit mode and rename the downloaded file to dataSourceConfiguration_open_ldap.xml.

5. Double‐click the dataSourceConfiguration_open_ldap.xml file and modify as follows:

C. In attributeMapping > principal type account, set the physicalAttribute name to cn for the following attributes:

j_user

logonalias

D. In attributeMapping > principal type user, set the physicalAttribute name to null for the following attributes:

fax

email

mobile

telephone

description

streetaddress

pobox

E. In attributeMapping > principal type user, set the physicalAttribute name to cn for the following attributes:

firstname

displayname

uniquename

REFERENCE_SYSTEM_USER

F. In attributeMapping > principal type group, set the physicalAttribute name to cn for the following attributes:

displayname

description

G. Delete the following lines in privateSection. <ume.ldap.access.server_type>SUN</ume.ldap.access.server_type> <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>

H. Set the value to * for the following lines in privateSection as shown below: <ume.ldap.access.objectclass.user>*</ume.ldap.access.objectclass.user> <ume.ldap.access.objectclass.uacc>*</ume.ldap.access.objectclass.uacc> <ume.ldap.access.objectclass.grup>*</ume.ldap.access.objectclass.grup>

14


I. Set the value cn for the following lines in privateSection as shown below: <ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user> <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>

6. Save the file.

7. In the SAP Config Tool, select UME LDAP Data. Browse for the edited file and click Upload to upload the file.

8. Select dataSourceConfiguration_open_ldap.xml as the Configuration file to configure UME LDAP Data.

9. Enter the Server name, port and other valid information corresponding to your LDAP server.

Ensure the details of the User corresponding to the dn(distinguished name) is entered.

For Eg: cn=Manager,dc=my-domain,dc=com

10. Do not select the Use UME unique id with unique LDAP attribute checkbox.

11. Use the Test connection and Test authentication to validate the connection details.

12. Add the UME default login module to the JAAS stack for the Vendavo application as follows:

15


A. Start the Visual Administrator and select Server ###> Services > Security Provider.

B. In the Policy Configurations tab, select vendavo.com/kubera*Vendavo in Components.

C. Click the Authentication tab in the right pane , switch to edit mode, and click Add New.

D. Select the default login module (for example, BasicPasswordLoginModule) and click OK.

E. Select the newly configured login module and click Modify.

F. In the subsequent dialog window, decrease the Position value from 2 to 1.

13. In the Vendavo application, two login modules are configured. Verify that both have the SUFFICIENT flag set, as shown in the screenshot below.

The Vendavo Login Module is still needed because the administration user account vendavosystem must be defined and is created in the Vendavo database as part of the build process.

14. Restart the SAP MMC and launch the Visual Administrator.

15. Then, select server > Services > Security Provider‐> User Management.

16. Assign the “VENDAVO” group to the LDAP users. If the user already exists in the Vendavo group, then it needs to be deleted.

17. Create the user in the Vendavo application as well. Only the user ids need to remain identical in Vendavo; other attributes such as full name and password can differ from those defined in LDAP.

You need to create these users into Vendavo, because in Vendavo, each user must have some roles and permission assigned in order to access different parts of the application.

16


When the users are assigned to Vendavo group, make sure the flag No Password Change required is checked in the UME, for all the Vendavo users.

Testing LDAP Authentication To test LDAP authentication:

1. Ensure the LDAP Server is running.

2. Make sure the LDAP users are added into the “VENDAVO” group using Visual Administrators.

3. Log on to your vendavo instance using the LDAP user and make sure the user has logged in.

17

Configuring Windows Active Directory Authentication

Chapter 5: Configuring Windows Active Directory Authentication

This section describes how to configure your system to user Windows 2003 Active Directory‐based authentication on SAP NetWeaver application servers.

Configuring Windows Active Directory Authentication on NetWeaver This section describes how to configure your system to user Windows Active Directory authentication on SAP NetWeaver.

Integrate Vendavo with MS Active Directory for User Authentication The Vendavo application can now be integrated with Microsoft Active Directory for user authentication. Microsoft Active Directory supports LDAP protocol and can be used to authenticate users for accessing the Vendavo application.

The Active Directory can be configured in many ways. Steps 1 through 5 provide a sample Active Directory configuration that you may choose to follow. However, irrespective of how you configure the Active Directory, you must make sure that the NetWeaver's UME can connect to it.

To integrate Vendavo 6.5 with Microsoft Active Directory:

4. Install Active Directory on Windows 2003 Server and the OS Support Tools. SAP WAS comes with pre‐configured templates for Active Directory integration. The template maps UME users to objects of class InetOrgPerson in the Active Directory. This class is only available on Windows 2003 version of Active Directory. For Windows 2003 Server, there is a separate kit from Microsoft that includes this object class, but there are known bugs with the kit that prevent any successful integration between Net Weaver and Active Directory. In addition, to edit and view various properties of the entities in Active Directory, a separate tool called ADSI Edit is very useful. It is part of the operating system support tools package available from Microsoft website.

5. Create a few test users in Active Directory. To distinguish between the users created for accessing Vendavo application from other users in the Active Directory, create a sample structure with an organization unit, a user group, and a few test users in the group. In the next step, configure SAP UME to only retrieve users in the sample structure/branch.

A. In the Active Directory Users and Computers tool, right‐click and select New > Organization Unit to create an organization unit called NetWeaver.

18


B. Right‐click the newly created NetWeaver organization unit and select New > Group to create a group called NW1.

C. Right‐click the NetWeaver organization unit, and select New > InetOrgPerson to create a few users of class InetOrgPerson.

19


D. Add all the newly created users to the NW1 group, and set their passwords.

6. Switch to ADSI Edit tool, expand the Domain node, and select the node OU=NetWeaver.

7. Select one of the newly created users. You can see the parts that make up the distinguished names. SAP UME configuration needs to know these parts to retrieve the correct objects from Active Directory. For user nw1u1, the distinguished name is CN=nw1u1, OU=NetWeaver, DC=vn8dc, DC=com.

20


8. Configure NetWeaver UME to use Active Directory as user store:

Refer to SAP documentation at http://help.sap.com/saphelp_erp2004/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm.

A. Stop all instances in the cluster, and restart the Config Tool.

B. Switch to configuration editor mode.

C. Expand the node cluster_data/server/persistent/com.sap.security.core.ume.service. Make sure an entry named dataSourceConfiguration_ads_readonly_db.xml is listed. This entry corresponds to the template file shipped with NetWeaver.

It is recommended to take a backup copy of this template file.

Using this template allows UME read‐only access to the Active Directory. Any new users created locally on UME (through the Visual Administrator tool for example) are not created in Active Directory in this mode. Other modes, such as ads_writeable_db are possible too. Consult SAP documentation on the implications.

D. Enter configuration parameters for Active Directory:

In the Config Tool, switch to Edit mode.

Expand the node cluster_data / server / cfg / services.

Double‐Click Propertysheet com.sap.security.core.ume.service. The configuration parameters are displayed in a new window, in an editable mode.

21

http://help.sap.com/saphelp_erp2004/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm

http://help.sap.com/saphelp_erp2004/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm


Set the values to match your Active Directory configuration in step 2. The following table shows example values.

ume.persistence.data_source_configuration

dataSourceConfiguration_ads_readonly_db.xml

ume.ldap.access.auxiliary_naming_attribute.uacc

Samaccountname

ume.ldap.access.auxiliary_naming_attribute.user

Samaccountname

ume.ldap.access.base_path.grup

OU=NetWeaver,DC=vn8dc,DC=com

ume.ldap.access.base_path.uacc


ume.ldap.access.base_path.user


ume.ldap.access.naming_attribute.grup

CN

ume.ldap.access.naming_attribute.uacc

CN

ume.ldap.access.naming_attribute.user

CN

ume.ldap.access.objectclas Group

22


s.grup

ume.ldap.access.objectclass.uacc

User

ume.ldap.access.objectclass.user

User

ume.ldap.access.user Distinguished name of the user for connecting to Active Directory.

For example: CN=nw1u1,OU=NetWeaver,DC=vn8dc,DC=com

ume.ldap.access.password Password for the user above.

ume.ldap.access.server_name

Hostname where Active Directory is installed.

ume.ldap.access.server_port

Port number configured for Active Directory. Default is 389.

ume.ldap.access.server_type

MSADS

ume.ldap.default_group_member

OU=NetWeaver

E. Restart the J2EE Engine instances.

9. Validate the connection to Active Directory, using the Visual Administrator tool:

A. Select Server > Services > Security Provider.

B. In the right pane, click the User Management tab. The group (NW1) that you created in Active Directory is displayed under the User Tree.

C. Expand the group. The users that you created in Active Directory are displayed.

23


10. Configure Vendavo application to use Active Directory for authentication:

A. In the screen above, assign the users in NW1 group to group VENDAVO. This grants the users access to the Vendavo application.

In this example, the user group VENDAVO is created in UME local store, not in Active Directory. However, you can create a group named VENDAVO and assign appropriate users to the group in Active Directory.

If you create the group and assign users to it in Active Directory, this step is not required. You just have to make sure that the group VENDAVO and all the users assigned to it are displayed under the User Tree.

11. Add the UME default login module to the JAAS stack for the Vendavo application as follows:

A. Start the Visual Administrator and select Server ###> Services > Security Provider.

B. In the Policy Configurations tab, select vendavo.com/kubera*Vendavo in Components.

C. Click the Authentication tab in the right pane , switch to edit mode and click Add New.

D. Select the default login module (for example, BasicPasswordLoginModule) and click OK.

E. Select the newly configured login module and click Modify.

F. In the subsequent dialog window, decrease the Position value from 2 to 1.

12. In the Vendavo application, two login modules are configured. Verify that both have the SUFFICIENT flag set, as shown in the screenshot below.

24


The Vendavo Login Module is still needed because the administration user account vendavosystem must be defined and is created in the Vendavo database as part of the build process.

13. Restart the SAP MMC and launch the Visual Administrator.

14. Create the user in the Vendavo application as well. Only the user ids need to remain identical in Vendavo; other attributes such as full name and password can differ from those defined in Active Directory.

You need to create these users into Vendavo, because in Vendavo, each user must have some roles and permission assigned in order to access different parts of the application.

When the users are assigned to Vendavo group, make sure the flag No Password Change required is checked in the UME for all the Vendavo users.

Testing AD Authentication To test AD Authentication

1. Make sure that AD users are added into the “VENDAVO” group using Visual Administrators.

2. Log on to your vendavo instance using the AD user and make sure the user has logged in.

25