Hi,
I have installed SMP 2.3 SP04 and deployed Retail Execution 3.2 in its own domain and with its own security configuration.
I configured the LDAP login module in both the admin and the REx configurations. The configurations are quite similar.
Here is my problem: It seems that any LDAP user in our Active Directory is able to register a device. I have had AD groups (custom named according to company standard) created for admins, supporters and device users, but users can register their device even though they are not a member of any of the groups.
User and role lookup as well as authentication works fine, so I suspect I am just missing a simple configuration step.
The LDAP login module in the admin security configuration was configured to connect to AD more or less according to this excellent document: http://scn.sap.com/docs/DOC-56672, which unfortunately only deals with the authentication part (unless I missed something). When the configuration parameters had been entered and the LDAP module had been validated and saved, I continued to the mapping tab. I was able to map to my AD roles and everything works as I expected in SCC: in accordance with their AD role assignment my administrators have read/write access and my supporters have read-only access in SCC. Device users and others are not able to log into SCC.
Then I set up the LDAP login module in the REx security configuration the same way. Again I am able to see all my AD roles and I can also do the mapping, but it looks like the mapping is not taken into account when validating the user’s group membership.
So I figure that device user authorization works differently than SCC authorization.
The LDAPLoginModule is configured like this:
Provider URL: ldap://myADserver.myCompany.com
Control Flag: sufficient
Authentication Scope: subtree
Role Scope: subtree
Bind DN: <some account>
Bind Password: <password>
Default Search Base: OU=ou_users,DC=myCompany,DC=com
Role Search Base: OU=ou_groups,DC=myCompany,DC=com
Server Type: msad2k
Authentication method: simple
Authentication filter: (&(sAMAccountName={uid})(objectclass=user))
The automatically generated LDAPAuthorizer was deleted and the LDAPAttributer left unmodified.
How do I ensure that only AD users who are members of a specific group are able to register in the domain?
Can I do some magic with the Role Filter, so that it only looks up my dedicated device user role? For msad2k it is supposed to default to (|(objectclass=groupofnames)(objectclass=group)).
Any help is greatly appreciated.
Thanks/Stig
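Added example, not from the post or from SAP: a small Python evaluator for LDAP authentication filters, run against constructed AD-style entries, showing why the filter in the post admits every AD user object and how a direct-membership (memberOf) condition on a device-user group narrows it. The group DN and user entries are placeholders, and it is an assumption here that the SMP LDAPLoginModule accepts memberOf inside the Authentication filter.

```python
# Group DN and entries are constructed for this example; the post does not
# show the real group names, so these are placeholders.
DEVICE_GROUP = "CN=REx_DeviceUsers,OU=ou_groups,DC=myCompany,DC=com"
# In-memory stand-in for the AD subtree. Names and values are lowercased
# because AD compares these attributes case-insensitively.
ENTRIES = {
    "alice": {"samaccountname": {"alice"}, "objectclass": {"top", "person", "user"},
              "memberof": {DEVICE_GROUP.lower()}},  # in the device-user group
    "bob": {"samaccountname": {"bob"}, "objectclass": {"top", "person", "user"},
            "memberof": set()},  # valid AD user, but in no group
    "kiosk": {"samaccountname": {"kiosk"}, "objectclass": {"top", "computer"},
              "memberof": {DEVICE_GROUP.lower()}},  # not a user object
}

def parse(s: str, i: int = 0):
    """Parse the RFC 4515 subset used here: (&..), (|..), (!..), (attr=value)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")  # DN values contain '=' too: split once
    return ("=", attr.lower(), value.lower()), j + 1

def matches(node, entry) -> bool:
    """Evaluate a parsed filter against one entry (attr -> set of lowercase values)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    return node[2] in entry.get(node[1], set())

def who_passes(filter_template: str) -> list:
    """Return the uids whose own entry satisfies the filter once {uid} is substituted."""
    return sorted(uid for uid, entry in ENTRIES.items()
                  if matches(parse(filter_template.replace("{uid}", uid))[0], entry))

# The post's filter: every AD user object authenticates, group member or not.
CURRENT_FILTER = "(&(sAMAccountName={uid})(objectclass=user))"
# Same filter with a direct-membership condition on the device-user group.
GROUP_FILTER = "(&(sAMAccountName={uid})(objectclass=user)(memberOf=" + DEVICE_GROUP + "))"
```

memberOf reflects direct membership only, so users who belong to the device-user group through a nested group would still be rejected by the second filter.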