EUROPEAN SAP TECHNICAL EDUCATION CONFERENCE 2002

E-Business Security

WORKSHOP
Sept. 30 Oct. 2, 02 Bremen, Germany

LDAP Directory Synchronization with Central User Administration Boris Kberle, SAP AG

PRINT ON DEMAND
sponsored by

1 1

Learning Objectives

As a result of this workshop, you will be able to:

T T T T T T T T T

Understand how user management works in R/3 systems Understand how directories work and represent user data Understand how the directory interface of your R/3 works Understand how the directory synchronization works Configure your directory server for synchronization Configure the LDAP Connection in your R/3 system Configure the LDAP Mappings in your R/3 system Configure the synchronization flags in your R/3 system Run the synchronization between directory and R/3

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 2

PRINT ON DEMAND
sponsored by

2 2

Agenda

' ' ' ' ' ' '

Homogeneous Landscapes Heterogeneous Landscapes Directory Basics Directory Interface Directory Mapping Directory Synchronization Summary

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 3

PRINT ON DEMAND
sponsored by

3 3

User Data in SAP Systems

Administration of User Data:

T Transactions SUxx T BAPI-Interface

Maintained Data:
T SAP Username T Logon Data T Adress Data T Access Control Data T Personalization Data

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 4

PRINT ON DEMAND
sponsored by

4 4

SAP System Landscape without CUA

S Users of several SAP

Systems must be maintained separately

S Enormous efforts for

manual synchronization of different systems

S Inconsistencies S No central locks

Separate SAP Systems

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 5

PRINT ON DEMAND
sponsored by

5 5

SAP System Landscape with CUA

Central System of CUA

S Users can be administrated

in central system
S Automatic distribution to

client systems
ALE ALE

S Local administration still

possible (back distribution)

S No inconsistencies S Central locks possible

Client Systems of CUA

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 6

PRINT ON DEMAND
sponsored by

6 6

Agenda

' ' ' ' ' ' '

Homogeneous Landscapes Heterogeneous Landscapes Directory Basics Directory Interface Directory Mapping Directory Synchronization Summary

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 7

PRINT ON DEMAND
sponsored by

7 7

Heterogeneous System Landscape

Central System of CUA

Directory

LDAP
ALE ALE
Access/ Synchronization

Client Systems of CUA

MS Exchange

Lotus Notes

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 8

PRINT ON DEMAND
sponsored by

8 8

Heterogeneous System Landscape

Central System of CUA LDAP

Synchronization

Directory

LDAP
ALE ALE
Access/ Synchronization

Client Systems of CUA

MS Exchange

Lotus Notes

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 9

PRINT ON DEMAND
sponsored by

9 9

Heterogeneous System Landscape

SAP 6.10 CUA Central LDAP

Synchronization

Directory

ALE

ALE

LDAP
Synchronization

SAP 6.10 CUA Client

SAP 4.6 CUA Client

SAP 4.5 CUA Client

SAP 6.10

SAP 6.10

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 10

PRINT ON DEMAND
sponsored by

10 10

Corporate User Management

SAP or non-SAP

HR system
E-mail

SAP Enterprise Portal

Corp. Directory Server

Telephony

Roles creation

SAP WebAS 6.10+

Central Admin. System including Central User Administration

Operating system

SAP Applications / Component Systems

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 11

other applications

PRINT ON DEMAND
sponsored by

11 11

Agenda

' ' ' ' ' ' '

Homogeneous Landscapes Heterogeneous Landscapes Directory Basics Directory Interface Directory Mapping Directory Synchronization Summary

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 12

PRINT ON DEMAND
sponsored by

12 12

Directory Benefits

S Directories serve als central repository for data,

which is used by several different applications

S Access to this data is provided by the standardized

access protocol LDAP

S SAP Systems can be connected to such a directory

to share parts of their user data with other applications

S Modifications on this data can then be done by

every authorized application

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 13

PRINT ON DEMAND
sponsored by

13 13

Directory Schema
person
cn givenName sn telephone mail top

objectclass hierarchy

orgPerson
cn givenName sn telephone mail employeeID title department function inetOrgPerson orgPerson

person

organization

residPerson

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 14

PRINT ON DEMAND
sponsored by

14 14

Directory Entries

uid
objectclass

TechEd2002 inetOrgPerson sapAddOnUM John Doe +49-6227 7-47474 john.doe@sap.com DOEJOHN ABC:sapDeveloper XYZ:sapAdministrator 20020730175352Z

naming attribute (RDN) special attribute

givenName sn telephoneNumber mail sapUserName sapRoles

single-value attribute mandatory attribute optional attribute

user attribute multi-value attribute

modifyTimestamp

operational attribute

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 15

PRINT ON DEMAND
sponsored by

15 15

Directory Information Tree (DIT)

country c=de

organization o=sap

organization o=bmw

organizationalUnit ou=TechEd2002

inetOrgPerson uid=TechEd2002
uid=TechEd2002, o=sap, c=de (DN)

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 16

PRINT ON DEMAND
sponsored by

16 16

Directory Specifics

Structure and arrangement of user entries in directories differ due to different

mandatory and optional attributes attribute types attribute syntaxes objectclass affiliations naming attributes DIT structure rules

Distinguished Names (DN) are not persistent, because an entry can be renamed or moved within the DIT.

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 17

PRINT ON DEMAND
sponsored by

17 17

Agenda

' ' ' ' ' ' '

Homogeneous Landscapes Heterogeneous Landscapes Directory Basics Directory Interface Directory Mapping Directory Synchronization Summary

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 18

PRINT ON DEMAND
sponsored by

18 18

Architecture

Synchronization Delta Management LDAP Interface with Mapping Mapping LDAP API LDAP Connector Directory

= shipped = shipped

with Release 6.10 with Release 4.6

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 19

PRINT ON DEMAND
sponsored by

19 19

LDAP Connector

Application Server
Work Process
Call Function LDAP_XXX

Directory

LDAP Connector

Connection with LDAP Server

LDAP

Function LDAP_XXX

RFC

' Executable LDAP_RFC shipped since Release 4.6A ' Loads LDAP Library of operating system at runtime
SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 20

PRINT ON DEMAND
sponsored by

20 20

LDAP API

S S S S

Direct access to directories within ABAP applications via LDAP protocol. Provides functionality for connecting and searching, reading and editing of directory entries. Connects to a directory server via LDAP Connector. Provides functions for testing the configured directory connections.

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 21

PRINT ON DEMAND
sponsored by

21 21

Transaction LDAP

Allows setup of LDAP Connectors for directory access. Allows deposition of connection and authentication data for different directory servers. Provides simple access to basic LDAP functionality for testing purposes.

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 22

PRINT ON DEMAND
sponsored by

22 22

Agenda

' ' ' ' ' ' '

Homogeneous Landscapes Heterogeneous Landscapes Directory Basics Directory Interface Directory Mapping Directory Synchronization Summary

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 23

PRINT ON DEMAND
sponsored by

23 23

Mapping to Directory Schema

dn
objectclass givenName sn telephoneNumber uid mail sapUserName sapRoles

uid=TechEd2002,o=sap,c=de inetOrgPerson sapAddOnUM John Doe +49-6227 7-47474 TechEd2002 john.doe@sap.com DOEJOHN ABC:sapDeveloper XYZ:sapAdministrator

Username
Firstname Surname Telephon Nr. Telephon Ext. Mail Roles

DOEJOHN John Doe 6227 7 47474 john.doe@sap.com sapDeveloper (ABC) sapAdministrator (XYZ)

Mapping

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 24

PRINT ON DEMAND
sponsored by

24 24

Tasks of the Mapping Layer

Central System of CUA

Directory

LDAP
Synchronization

Mapping

' Mapping of data to designated directory attributes ' Assignment of entries to designated object classes ' Assignment of RDN and DN (Key) ' Handling of complex structures
SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 25

PRINT ON DEMAND
sponsored by

25 25

Mapping Flags in LDAPMAP

Filter RDN Required Import Export

Determines how corresponding entries for SAP Objects can be found in the directory. Marks the Mapping which is used to form the RDN of new directory entries. Determines which attributes are essential for new directory entries. Determines which mappings are used to read directory entries Determines which mappings are used to write directory entries

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 26

PRINT ON DEMAND
sponsored by

26 26

Mapping Procedure

Central System of CUA

Directory

LDAP
Synchronization

Mapping

SAP Fields

Function Module

Directory Attributes

Parameters

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 27

PRINT ON DEMAND
sponsored by

27 27

Mapping Procedure

Central System of CUA

Directory

LDAP
Synchronization

Mapping

TEL1_NUMBR TEL1_EXT

Function Module

telephone

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 28

PRINT ON DEMAND
sponsored by

28 28

Mapping Procedure

Central System of CUA

Directory

LDAP
Synchronization

Mapping

06227 7 47474

Function Module

06227 7-47474

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 29

PRINT ON DEMAND
sponsored by

29 29

Transaction LDAPMAP

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 30

PRINT ON DEMAND
sponsored by

30 30

Agenda

' ' ' ' ' ' '

Homogeneous Landscapes Heterogeneous Landscapes Directory Basics Directory Interface Directory Mapping Directory Synchronization Summary

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 31

PRINT ON DEMAND
sponsored by

31 31

Administration in Directory
Admin Corporate Directory e.g. HR 1 1 1 Entry (incl. SAP Username) is created or modified in directory either manually or automatically by another application, e.g. HR. During next run of synchronization the user entry in the synchronizing SAP System will be created or updated against directory data. Additionally manual administration of user data in the SAP Central or Client Systems is possible. In a central system of a CUA landscape the data is distributed to client systems via ALE.

2 2

Admin

SAP System 3
Central System

SAP System
Client System
SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 32

PRINT ON DEMAND
sponsored by

32 32

Administration in SAP System

Corporate Directory e.g. HR 1 4 User is created or modified in the SAP System, e.g. via Transaction SU01 In a central system of a CUA landscape the data is then directly distributed to client systems via ALE. During next run of synchronization the corresponding directory entry will be created or updated against data in the synchronizing SAP System. Other Systems can access updated directory data.

2 3 3 1

Admin

SAP System
Central System

SAP System
Tochtersystem Client System
SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 33

PRINT ON DEMAND
sponsored by

33 33

Sequence of Synchronization
Corporate Directory

1 3

Differences between Corporate Directory and SAP System are determined. Three collections of user entries arise. Two collections of user entries which exist only in one repository must be dispersed first. This happens according to the settings in the customizing and in the selection screen of the synchronization tool. During this process objects are either created, deleted or simply ignored. Finally the collection of entries which already exist in both repositories is dispersed. This is done by bidirectionally synchronization of the corresponding entries according to the settings in the customizing.

2
Users Users

Users

Users

3
= exist in both repositories

SAP System
Zentralsystem

= exist only in SAP System = exist only in Corporate Directory

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 34

PRINT ON DEMAND
sponsored by

34 34

Report RSLDAPSYNC_USER

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 35

PRINT ON DEMAND
sponsored by

35 35

Agenda

' ' ' ' ' ' '

Homogeneous Landscapes Heterogeneous Landscapes Directory Basics Directory Interface Directory Mapping Directory Synchronization Summary

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 36

PRINT ON DEMAND
sponsored by

36 36

Summary

S S S S S S

Available since 6.10 Indirect support of releases <6.10 Synchronization (not migration) Product independent (LDAP) Schema independent (mapping) Integrated with CUA

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 37

PRINT ON DEMAND
sponsored by

37 37

Demo / Exercises

Demo

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 38

PRINT ON DEMAND
sponsored by

38 38

Q&A

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 39

PRINT ON DEMAND
sponsored by

39 39

Further Information

Public Web:
www.sap.com Solutions Technology security@sap.com

SAPNet:
Use ALIAS: systemmanagement Directory Access Services

Related Workshop at TechEd 2002

Role and User Assignment with SAP EP WR13D1W2, Oct 1st, 10am

Related Lectures at TechEd 2002

SAP Web Application Server Security Overview PT1D2P1, Oct 1st, 10am

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 40

PRINT ON DEMAND
sponsored by

40 40

Feedback
http://www.sap.com/teched/bremen/

Conference Activities

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 41

PRINT ON DEMAND
sponsored by

41 41

Copyright 2002 SAP AG. All Rights Reserved

T T T T T T T T T T T T
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix and Informix Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries. ORACLE is a registered trademark of ORACLE Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, the Citrix logo, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. JAVA is a registered trademark of Sun Microsystems, Inc. JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MarketSet and Enterprise Buyer are jointly owned trademarks of SAP Markets and Commerce One. SAP, SAP Logo, R/2, R/3, mySAP, mySAP.com and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are trademarks of their respective companies.

SAP AG 2002, TechED_02 Bremen, Slot #, Boris Kberle / 42

PRINT ON DEMAND
sponsored by

42 42