How-to Guide
Taxpayer Online Service from SAP 2.0
Cookbook for adding new Attributes to UME in LDAP
Version 1.00 February 2011
Applicable Releases:
Taxpayer Online Services from SAP 2.0
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any.
Nothing herein should be construed as constituting an additional warranty.
of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials.
SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.
SAP NetWeaver - simplify the product implementation. While specific product features and procedures typically are explained in a practical business context, it is not implied that those features and procedures are the only approach in solving a specific business problem using SAP NetWeaver. Should you wish to receive additional information, clarification or support, please refer to SAP Consulting.
included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.
1. Introduction
1.1 Goal of the Document
1.2 Prerequisites
1.3 Step-by-Step in LDAP
1.4 Step-by-Step in UME and Configtool
1.4.1 Configuring the UME Service to Access the Right LDAP Groups
1.4.2 Uploading the Configuration File
1.4.3 Configuring the UME to Use the Uploaded UME Service File
1.5 The Result
2. Appendix
2.1 UME DataSource File
1. Introduction
1.1 Goal of the document
This document describes how to create new attributes in LDAP (MSADS) and how to connect these new attributes to the TPOS users.
1.2 Prerequisites
- You have access to your LDAP server.
- You have created a Management Console for your Active Directory Schema: http://technet.microsoft.com/en-us/library/bb727064.aspx
1.3 Step-by-Step in LDAP
In the following steps, you can see how new attributes can be added to the eTaxUser user type in the LDAP. In this example we connect to MSADS and use the Microsoft Management Console to manipulate LDAP data.
1. Browse for Attributes in Schema.
2. Open in menu: Action -> Create Attribute (please create a unique X500 Object ID).
3. Browse for the group ETAXUSER.
4. Right-click eTaxUser.
5. Open Properties.
6. Navigate to the Attributes tab.
7. Add the new attributes.
1.4 Step-by-Step in UME and Configtool
When the new LDAP attributes have been created, the UME data source descriptor XML file must be edited and new entries must be created. The complete LDAP data source XML with the new entries added is in the Appendix; the new entries are the BusinessPartnerId and EtaxMassUser attributes in the com.sap.etax namespace.
1.4.1 Configuring the UME Service to Access the Right LDAP Groups
Start the configuration tool:
Switch to the directory <SAP installation directory>\usr\sap\CE1\J00\j2ee\configtool. Depending on your OS, start configtool.bat (Windows) or configtool.sh (Linux).
Choose Tools -> Configuration Editor.
Choose the Display Configuration tab page.
In the navigation tree, choose Cluster_config/system/custom_global/cfg/services/com.sap.security.core.ume.service.
Choose Edit.
1.4.2 Uploading the Configuration File
Choose com.sap.security.core.ume.service -> Persistent -> Create Sub-Node.
Select the file entry from the first dropdown and enter, without the path, the name of the XML file you want to upload (dataSourceConfiguration_TPOS20.xml).
Choose Upload.
Choose the XML filename you just entered, and then choose Open.
The content of the XML file appears in the screen area.
Choose Create.
The UME service file is now uploaded.
1.4.3 Configuring the UME to Use the Uploaded UME Service File
Select the Propertysheet Properties node of com.sap.security.core.ume.service and choose Change.
In the Change Configuration dialog box, specify the configuration file you want to use:
Double-click ume.persistence.data_source_configuration.
In the Change Property Entry dialog box, change the entry in the Custom-Value field to the name of the UME service file you uploaded previously (dataSourceConfiguration_TPOS20.xml).
Specify custom attributes:
Double-click ume.admin.addattrs.
In the Change Property Entry dialog box, change the Custom-Value field entry to com.sap.etax:BusinessPartnerId;com.sap.etax:EtaxMassUser.
Choose Apply Custom.
Double-click ume.admin.self.addattrs.
In the Change Property Entry dialog box, change the Custom-Value field entry to com.sap.etax:BusinessPartnerId;com.sap.etax:EtaxMassUser.
Choose Apply Custom.
Save settings and restart your engine:
Choose Config Tool Mode (ALT+C).
Choose File -> Apply Changes.
Restart your engine.
1.5 The Result
You can check whether you were successful by opening User Administration in SAP NetWeaver Administrator: the new fields appear on the Custom Attributes tab of a UME user.
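The procedure above touches three places that have to agree before the engine is restarted: the logical attributes the LDAP data source declares itself responsible for, the attributeMapping that ties each of them to a physical LDAP attribute, and the ume.admin.addattrs value that exposes them in the administration UI. An attribute that is missing from any one of the three simply never shows up on the Custom Attributes tab, and the only feedback is a blank field. The following Python script is an added example, not part of the SAP guide or of TPOS: it parses a constructed miniature of the appendix file (same element layout, deliberately with EtaxMassUser left unmapped and SSL switched off) and reports every inconsistency, including a check that the LDAP data source keeps ume.ldap.access.ssl=true, because the simple bind in the privateSection would otherwise send the ume.ldap.access.user password over the network in clear text. The check functions accept both the bare nameSpace/attribute form and the attributes-wrapped form that appear side by side in the appendix.

```python
"""Consistency checks for a UME dataSourceConfiguration XML (added example)."""
import xml.etree.ElementTree as ET

# Constructed miniature of the appendix file with the same element layout, not the
# real TPOS file. It deliberately leaves EtaxMassUser unmapped and turns SSL off so
# that each check below produces a finding.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<dataSources>
 <dataSource id="ICOD_LDAP" isReadonly="false" isPrimary="true">
  <responsibleFor>
   <principal type="user">
    <nameSpace name="com.sap.etax">
     <attribute name="BusinessPartnerId"/>
     <attribute name="EtaxMassUser"/>
    </nameSpace>
   </principal>
  </responsibleFor>
  <attributeMapping>
   <principals>
    <principal type="user">
     <nameSpace name="com.sap.etax">
      <attributes>
       <attribute name="BusinessPartnerId"><physicalAttribute name="businesspartnerid"/></attribute>
      </attributes>
     </nameSpace>
    </principal>
   </principals>
  </attributeMapping>
  <privateSection>
   <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
   <ume.ldap.access.server_port>389</ume.ldap.access.server_port>
   <ume.ldap.access.ssl>false</ume.ldap.access.ssl>
  </privateSection>
 </dataSource>
</dataSources>
"""

# Value entered for ume.admin.addattrs in section 1.4.3 of the guide.
ADDATTRS = "com.sap.etax:BusinessPartnerId;com.sap.etax:EtaxMassUser"

def _principals(ds, section_tag, ptype):
    """<principal> elements of one type below a section of the data source, [] if absent."""
    section = ds.find(section_tag)
    return [] if section is None else [p for p in section.iter("principal") if p.get("type") == ptype]

def responsible_attrs(ds, ptype):
    """'namespace:attribute' keys under <responsibleFor>. iter('attribute') accepts
    both the bare form and the <attributes>-wrapped form seen in the appendix."""
    return {f"{ns.get('name')}:{attr.get('name')}"
            for principal in _principals(ds, "responsibleFor", ptype)
            for ns in principal.findall("nameSpace")
            for attr in ns.iter("attribute")}

def mapped_attrs(ds, ptype):
    """Logical key -> physical LDAP attribute name from <attributeMapping>, or None
    when an entry has no <physicalAttribute> child."""
    mapping = {}
    for principal in _principals(ds, "attributeMapping", ptype):
        for ns in principal.findall("nameSpace"):
            for attr in ns.iter("attribute"):
                phys = attr.find("physicalAttribute")
                mapping[f"{ns.get('name')}:{attr.get('name')}"] = None if phys is None else phys.get("name")
    return mapping

def check_datasource(ds):
    """Findings for one <dataSource>: unmapped logical attributes and an unprotected bind."""
    dsid, findings = ds.get("id"), []
    for ptype in ("user", "account", "group"):
        declared, mapping = responsible_attrs(ds, ptype), mapped_attrs(ds, ptype)
        for key in sorted(declared - set(mapping)):
            findings.append(f"{dsid}/{ptype}: {key} is in responsibleFor but has no attributeMapping entry")
    # privateSection tags contain dots, which find() would read as path steps, so iterate.
    private = ds.find("privateSection")
    settings = {} if private is None else {c.tag: (c.text or "").strip() for c in private}
    # The simple bind authenticates with the ume.ldap.access.user password; without
    # ume.ldap.access.ssl=true that password crosses the network in clear text.
    # An empty privateSection (the database data source) is skipped.
    if settings and settings.get("ume.ldap.access.ssl") != "true":
        findings.append(f"{dsid}: ume.ldap.access.ssl is not 'true'; the simple bind password "
                        f"would be sent unencrypted on port {settings.get('ume.ldap.access.server_port')}")
    return findings

def check_addattrs(root, addattrs):
    """Entries of ume.admin.addattrs that no data source maps for the user principal."""
    mapped = set()
    for ds in root.findall("dataSource"):
        mapped |= set(mapped_attrs(ds, "user"))
    return [e for e in addattrs.split(";") if e and e not in mapped]

def run_checks(xml_text, addattrs):
    """All findings for one configuration file plus the addattrs property value."""
    root = ET.fromstring(xml_text)
    findings = [f for ds in root.findall("dataSource") for f in check_datasource(ds)]
    findings += [f"addattrs entry {e} is not a mapped user attribute in any data source"
                 for e in check_addattrs(root, addattrs)]
    return findings

if __name__ == "__main__":
    for line in run_checks(SAMPLE_XML, ADDATTRS):
        print(line)
```

Run against the real file by reading dataSourceConfiguration_TPOS20.xml into run_checks together with the addattrs value from the Config Tool; an empty result means every declared attribute is mapped, every addattrs entry resolves, and the LDAP bind stays on SSL. The script does not verify that the physical attribute names (businesspartnerid, etaxmassuser) exist in the Active Directory schema; that remains the step 1.3 check in the Schema console.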
2. Appendix
2.1 UME DataSource File
<?xml version="1.0" encoding="UTF-8"?>
<dataSources>
<dataSource id="ICOD_LDAP"
className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principal type="account"/>
<principal type="user"/>
<principal type="group"/>
</homeFor>
<notHomeFor>
<principal type="account">
<nameSpace name="$serviceUser$">
<attribute name="SERVICEUSER_ATTRIBUTE">
<values>
<value>IS_SERVICEUSER</value>
</values>
</attribute>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="$serviceUser$">
<attribute name="SERVICEUSER_ATTRIBUTE">
<values>
<value>IS_SERVICEUSER</value>
</values>
</attribute>
</nameSpace>
</principal>
</notHomeFor>
<responsibleFor>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="j_user"/>
<attribute name="logonalias"/>
<attribute name="j_password"/>
<attribute name="userid"/>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attribute name="principal"/>
<attribute name="realm"/>
<attribute name="domain"/>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="firstname" populateInitially="true"/>
<attribute name="displayname" populateInitially="true"/>
<attribute name="lastname" populateInitially="true"/>
<attribute name="fax"/>
<attribute name="email"/>
<attribute name="title"/>
<attribute name="department"/>
<attribute name="description"/>
<attribute name="mobile"/>
<attribute name="telephone"/>
<attribute name="streetaddress"/>
<attribute name="locale"/>
<attribute name="uniquename" populateInitially="true"/>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</nameSpace>
<nameSpace name="$usermapping$">
<attribute name="REFERENCE_SYSTEM_USER"/>
</nameSpace>
<nameSpace name="com.sap.etax">
<attribute name="BusinessPartnerId"/>
<attribute name="EtaxMassUser"/>
</nameSpace>
</principal>
<principal type="group">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="displayname" populateInitially="true"/>
<attribute name="description" populateInitially="true"/>
<attribute name="uniquename"/>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attribute name="dn"/>
</nameSpace>
<nameSpace name="com.sap.etax">
<attribute name="technicalUserName"/>
<attribute name="technicalUserPassword"/>
</nameSpace>
</principal>
</responsibleFor>
<attributeMapping>
<principals>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="j_user">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="logonalias">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="j_password">
<physicalAttribute name="unicodepwd"/>
</attribute>
<attribute name="userid">
<physicalAttribute name="*null*"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attributes>
<attribute name="principal">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="realm">
<physicalAttribute name="*null*"/>
</attribute>
<attribute name="domain">
<physicalAttribute name="*null*"/>
</attribute>
</attributes>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="firstname">
<physicalAttribute name="givenname"/>
</attribute>
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="lastname">
<physicalAttribute name="sn"/>
</attribute>
<attribute name="fax">
<physicalAttribute name="facsimiletelephonenumber"/>
</attribute>
<attribute name="uniquename">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="loginid">
<physicalAttribute name="*null*"/>
</attribute>
<attribute name="email">
<physicalAttribute name="mail"/>
</attribute>
<attribute name="mobile">
<physicalAttribute name="mobile"/>
</attribute>
<attribute name="telephone">
<physicalAttribute name="telephonenumber"/>
</attribute>
<attribute name="department">
<physicalAttribute name="ou"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="streetaddress">
<physicalAttribute name="postaladdress"/>
</attribute>
<attribute name="pobox">
<physicalAttribute name="postofficebox"/>
</attribute>
<attribute name="locale">
<physicalAttribute name="language"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="*null*"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="$usermapping$">
<attributes>
<attribute name="REFERENCE_SYSTEM_USER">
<physicalAttribute name="sapusername"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.etax">
<attributes>
<attribute name="BusinessPartnerId">
<physicalAttribute name="businesspartnerid"/>
</attribute>
<attribute name="EtaxMassUser">
<physicalAttribute name="etaxmassuser"/>
</attribute>
</attributes>
</nameSpace>
</principal>
<principal type="group">
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="displayname">
<physicalAttribute name="displayName"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="uniquename" populateInitially="true">
<physicalAttribute name="cn"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
<!--physicalAttribute name="*null*"/-->
<physicalAttribute name="member"/>
</attribute>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="*null*"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attributes>
<attribute name="dn">
<physicalAttribute name="*null*"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.etax">
<attributes>
<attribute name="technicalUserName">
<physicalAttribute name="technicalUserName"/>
</attribute>
<attribute name="technicalUserPassword">
<physicalAttribute name="technicalUserPassword"/>
</attribute>
</attributes>
</nameSpace>
</principal>
</principals>
</attributeMapping>
<privateSection>
<ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
<ume.ldap.access.server_port>636</ume.ldap.access.server_port>
<ume.ldap.access.server_name>dev47dc1.wdf.sap.corp</ume.ldap.access.server_name>
<ume.ldap.access.user>DEVWDF47\etaxadminos</ume.ldap.access.user>
<ume.ldap.access.password>$ume.ldap.access.additional_password.1</ume.ldap.access.password>
<ume.ldap.access.base_path.grup>ou=JavaGroups,DC=dev47,DC=dev-wdf,DC=sap,DC=corp</ume.ldap.access.base_path.grup>
<ume.ldap.access.base_path.user>ou=JavaUsers,DC=dev47,DC=dev-wdf,DC=sap,DC=corp</ume.ldap.access.base_path.user>
<ume.ldap.access.base_path.uacc>ou=JavaUsers,DC=dev47,DC=dev-wdf,DC=sap,DC=corp</ume.ldap.access.base_path.uacc>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
<ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
<ume.ldap.access.ssl>true</ume.ldap.access.ssl>
<ume.ldap.access.objectclass.user>eTaxUser</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>eTaxUser</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.objectclass.grup>eTaxGroup2</ume.ldap.access.objectclass.grup>
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
<ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
<ume.ldap.access.naming_attribute.grup>cn</ume.ldap.access.naming_attribute.grup>
</privateSection>
</dataSource>
<dataSource id="PRIVATE_DATASOURCE"
className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principals>
<principal type="user">
<nameSpace name="$serviceUser$">
<attribute name="SERVICEUSER_ATTRIBUTE">
<values>
<value>IS_SERVICEUSER</value>
</values>
</attribute>
</nameSpace>
</principal>
<principal type="account">
<nameSpace name="$serviceUser$">
<attribute name="SERVICEUSER_ATTRIBUTE">
<values>
<value>IS_SERVICEUSER</value>
</values>
</attribute>
</nameSpace>
</principal>
<principal type="team" />
<principal type="group"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</homeFor>
<notHomeFor />
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</responsibleFor>
<privateSection>
</privateSection>
</dataSource>
</dataSources>