SCI263 Exercise-Identity Virtualization

8/8/2019 SCI263 Exercise-Identity Virtualization
http://slidepdf.com/reader/full/sci263-exercise-identity-virtualization 1/44

IDENTITY VIRTUALIZATION WITH SAP NETWEAVER VIRTUAL DIRECTORY SERVER

SCI263 Exercises / Solutions

John Erik Setsaas, SAP Labs Norway
Kåre Indroy, SAP Labs Norway
Kristian Lehment, SAP AG
Serge Muts, SAP Labs LLC

Upload: punit-bafna

Post on 09-Apr-2018



Introduction

The goal of the exercises is to start with an empty configuration. Although there are configuration templates, starting with an empty configuration will help you better understand how the data sources, virtual trees, logging, access rules, and authentication fit together.

Exercise 1 – Creating a new Configuration

How to begin?

Start the Virtual Directory Server using Start – Programs – SAP NetWeaver Identity Management, then click on the Virtual Directory Server executable (not the folder). To create a new configuration, choose File – New. In the popup select:

Group = Generic
Template = Empty Configuration.xml
Description = My SCI263 configuration

Click OK and give it a file name (e.g. SCI263.xml). You should now see an empty configuration as in Figure 1.

Figure 1 Empty Configuration.

Check the port number

Check the port number by choosing Deployments – LDAP Deployments; double-click on main_listener. Choose port number 5389, click OK and select the ‘Update’ button to update the configuration. Note that the ‘Update’ button is no longer grey once a configuration change has been made; after you click ‘Update’, it is greyed out again.


Figure 2

Verify allowed operations and start server

Double-click on ‘Virtual Directory Server’ (main node) and check the server properties. Verify that all operations are allowed on the operations tab as shown in Figure 3. Start the VDS configuration by choosing ‘start’, then check the console tab at the bottom to verify the port number (5389) and that the Status (bottom right) shows ‘running’ (see Figure 4).


Figure 3

Figure 4


Exercise 2 – User Groups and Rules

Create a User Group and User

First, the configuration needs a user group and rules to determine who (the user group) can access what (the rule). Right-click on User Groups and choose New. On the General tab, check “Allow general access to service” and enter the display name Anonymous (Figure 5). Choose “tree 1” to associate with the virtual tree, then choose OK. Right-click the newly created Anonymous group, choose New and create a user by accepting all the defaults (Figure 6); click OK to save.

Figure 5

Figure 6

Create a Rule

Now create a rule to give user groups access to the virtual tree. Right-click on Rules and select New. On the ‘general’ tab, enable the rule and enter the display name ‘Read Access’ (Figure 7). On the ‘Search operation’ tab, enable ‘Allow search operation’ and ‘Search for all attributes’ (Figure 8). Choose OK to save the configuration.


Figure 7

Figure 8


Exercise 3 – Build a Virtual Tree

The Virtual Tree is what is visible to the client. Any client using the LDAP V3 standard will be able to connect to the virtual tree and view data according to your configuration.

Under Virtual Trees, right-click on Tree 1 and select New. Enter the information as in Figure 9. Use the “Append Object Class” dropdown to select the organization.

Figure 9

Next, select the “Access control list” tab and use the drop-down to select user group “Anonymous” and rule “Read Access”. Choose OK. To make the configuration changes active, select ‘Update’ on the top right of the VDS screen. Monitor the status as it changes to ‘Reloading’ and then to ‘Running’. If the status does not change to ‘Running’, there is a problem with the configuration; check the configuration and, if needed, follow Exercise 4 ‘Configure VDS Logging’ to troubleshoot.

Check LDAP Browser

Check the static node by clicking on the ‘LDAP Browser’ tab and clicking refresh. Your static node should be visible, including the description (Figure 10). Since we have not mapped a Data Source to the Virtual Tree yet, we see no data and get a ‘no data’ message when double-clicking on o=myorg.


Figure 10


Exercise 4 - Configure VDS Logging

To troubleshoot any issues we’ll set logging to the debug level. This way we can see in detail what the VDS is doing. On the menu bar go to ‘Configure’ – ‘Logging’ – ‘Operation Log’. Set the level to ‘Debug’ for both ‘Log Level’ and ‘Log Level for extensions’. Choose OK and Update to effect the changes. Now you can choose the ‘Operation’ button in the VDS screen to show the log. Use this log if you run into errors during any of the VDS exercises. See Figure 11 for the result.

Figure 11


Exercise 5 – Add an LDAP data source

In this exercise we will configure a SunOne Directory Server (called SunOne) as the data source. The SunOne is already installed and users have been created. You will configure a data source to present the SunOne users in your virtual tree. As shown in Figure 12, in the VDS we will map ou=LDAP to a starting point in a SunOne LDAP. To the client, ou=LDAP is visible, but the client is not aware that the data actually comes from the SunOne LDAP.

Figure 12

Connection details:
LDAP host => localhost
LDAP port => 390
LDAP Starting Point = dc=wdf,dc=sap,dc=corp
LDAP user => cn=directory manager
LDAP user password => abcd1234

Select the ‘Config’ tab and, under ‘Data Sources’, right-click on ‘Singles’ and choose ‘New’. In the template window, select Group ‘LDAP’ and Template ‘Generic Directory’ followed by ‘OK’. In the next window fill out the connection details as listed at the beginning of this section, and click OK when all fields are filled out correctly.

On the next screen select the ‘General’ tab and give it a display name, for example LDAP (Figure 13). Choose the ‘LDAP’ tab and verify the connection details are correct (you may have to resize the window). Click ‘test connection’ – if you see LDAP Groups the test was successful. Choose ‘OK’ to save and close the window.


Figure 13

Create a Virtual Tree Structure and map to the SunOne Data Source

First create a Static Node. Under Virtual Trees – Tree 1, right-click on o=myorg and select ‘New’. Check ‘Enable’, enter Relative DN as ou=LDAP and use the drop-down to Append Object Class=OrganizationalUnit (Figure 14). Click ‘OK’ to save and exit the window. Next, under Static Node ou=LDAP, create a dynamic node. Right-click on ou=LDAP, select ‘New’, enable the node and choose Relative DN =*. Choose LDAP as the Data Source to map to (Figure 15); this creates the mapping between the Data Source and the dynamic node. Click OK and Update to reload the configuration. In this case the user group and rule are inherited from ‘Tree 1’.

Now test the configuration in the LDAP Browser. Go to the LDAP Browser and click ‘Refresh’, then browse down the virtual tree to reveal the SunOne users in ou=People, ou=LDAP, o=myorg. See the result in Figure 16.

Figure 14


Figure 15

Figure 16

If you see the users as shown in Figure 16 the exercise was successful.


Exercise 6 Add Database Connection

Now you will connect the VDS to a MS SQL Server 2005 database. Since the VDS presents data as an LDAP tree structure and the database stores data in tables, there are some attribute mapping steps to expose the table data.

Figure 17

Connection Details:
Server localhost
Port 1433
Database mxmc_db
Login ID mxmc_rt
Password abcd1234

In the VDS ‘Config’ tab, go to ‘Data Sources’, right-click on ‘Singles’ and select ‘New’. In the template window select Group ‘Database’ and Template ‘Generic Database’ and OK. In the next template window click on the icon to browse the list of databases. Select ‘MS SQL Server 2005’ and ‘Next’ and provide the connection details in the next window (Figure 18). Click ‘Next’, ‘Finish’ and ‘OK’ to save the configuration.

Figure 18

In the Database Properties screen, on the ‘General’ tab enter HR Sample for the ‘Display Name’. On the ‘Database’ tab, the connection details are already filled in based on the wizard. The Size Limit for SQL Server is ‘TOP’; for other databases see Figure 19. Click on ‘Get Database Schema’ to select the database table you want to expose through VDS.


Figure 19

In the next screen select table ‘HR_Sample’ (Figure 20) on the left side and make sure all table fields are included (default). Click OK to save. If this screen does not show up, there is an issue with the JDBC connection string or the login credentials; repeat the configuration setting by clicking ‘URL wizard’.

Figure 20

An LDAP entry requires a Distinguished Name (DN); however, a database does not have a DN. Therefore a DN will need to be constructed to expose a database table through VDS.

In the ‘Database Properties’ screen for “HR SAMPLE” go to tab ‘Data source attributes’. Leave the defaults (Figure 21) and click on ‘Define’.


Figure 21

Select the attribute type “UID=”, highlight the EmployeeID, and click on “Add Attribute” as depicted in Figure 22. Now the “Constructed Parameters” are automatically filled in and you can see that the DN is mapped to UID=<EmployeeID>. Click ‘OK’ to save.

Figure 22


Now you need to create a mapping between the LDAP attributes and the database columns. Figure 23 is a generic example of the mapping.

Figure 23

To configure the mapping, click on the ‘Conversion From’ tab and enable ‘Enable conversion from internal attributes’. Next choose ‘Add all data source attributes’ and the ‘To’ column is automatically filled in with the HR_SAMPLE table columns. Manually fill in the ‘From’ column based on the desired mapping. For some you can use the drop-down, for others you have to type it in. Note that the viewpoint is from the VDS and ‘conversion from’ is from the VDS to the HR Sample database table, meaning conversion from the internal attribute to match the data source attribute.

See Figure 24 for the completed mapping.


Figure 24

Next we also need to perform the reverse mapping. Go to tab ‘Conversion To’, enable ‘Enable conversion to internal attributes’ and click ‘Synchronize’ to automatically fill in the reverse mapping, taking the data from the ‘Conversion From’ tab. Choose ‘OK’ to save. Again the viewpoint is from the VDS, so ‘conversion to’ is from the HR Sample database table to the VDS, meaning converting a data source attribute to an internal attribute.

This concludes the connection from the VDS to the database; next we will need to set up the Virtual Tree for the client to connect to.

On the main configuration screen, open ‘Virtual Trees’, ‘Tree 1’, and ‘o=myorg’. Right-click on ‘o=myorg’ and create a new child node. On the ‘Data Source’ tab, select ‘Enable’ and enter static node ou=DB as the ‘Relative DN’. For the ObjectClass, use the drop-down to select ‘organizationalUnit’ (see Figure 25). Click ‘OK’ to save.


Figure 25

Right-click static node ‘ou=DB’ and choose ‘New’. On the ‘Data Source’ tab check ‘Enable’ and enter * for the ‘Relative DN’. Use the drop-down to select “HR Sample” as the Source (Figure 26). Click ‘OK’ and ‘Update’ to update the configuration. The user group and rule are inherited from ‘Tree 1’.

Figure 26


To test the configuration, go to the ‘LDAP Browser’ tab, click ‘refresh’ and browse down the tree to reveal the HR_SAMPLE users represented as LDAP-accessible users (Figure 27).

Figure 27

What is missing? For the answer, see Exercise 7.


Exercise 7 Add ObjectClass

The LDAP specification (RFC 4512) uses objectClass to indicate the type of entry. Since a database does not have an objectClass, the next exercise will add the objectClass to the ‘Data Source’ as a static attribute. By adding objectClass on-the-fly with the VDS we ensure the result set is compliant with the LDAP v3 specification.

In the ‘HR Sample’ Data Source properties follow the steps in Figure 28 and click ‘OK’.

Figure 28


Click Update to reload the configuration. Use the LDAP Browser to check the result and verify that objectClass was added. See Figure 29.

Figure 29


Exercise 8 Attribute Manipulation

In this exercise we will manipulate the telephone number attribute from a data source. We will add a country code to each ‘telephonenumber’ attribute, which for example can be displayed in the global corporate directory.

Import the Java code FixAttributes.java from \\10.64.0.21\session\SCI263\ImageFiles\ImageFiles\jxl.jar (desktop shortcut ‘Session (Teched SDP Share)’). Right-click on ‘Extension classes’, choose attributes and import (Figure 30).

Figure 30

We will need to compile the Java code. To compile the code we have to set some prerequisites in VDS. Select ‘Tools’ – ‘Options’ from the menu bar. On the General tab enter the Java Compiler data as in Figure 31.


Figure 31

Check the Java code; at the bottom you find the addPhonePrefix method. When selected, the VDS will add the value stored in the constant GLOBAL_PHONE_PREFIX if the phone number does not start with a “+”.

    public String addPhonePrefix(String phoneNumber) {
        // Look up the prefix constant from the VDS global parameters
        String prefix = MVDGlobals.getGlobalParameter("GLOBAL_PHONE_PREFIX", "+??");
        // Numbers that already start with "+" are returned unchanged
        if (!phoneNumber.startsWith("+"))
            return prefix + " " + phoneNumber;
        return phoneNumber;
    }

Choose save and compile, wait for the “success” popup, choose ‘OK’ and again ‘OK’.

To use the FixAttributes class, go to the Virtual Directory Server properties and select the ‘classes’ tab. Now use the drop-down to select ‘attribute class’ Fix Attributes (Figure 32) and select ‘OK’.


Figure 32

Next, create a ‘Constant’ named PHONE_PREFIX with value +99 (Figure 33). Choose ‘OK’ to save.


Figure 33

Browse to ‘Data Sources’, ‘Singles’, ‘HR Sample’ properties and select the ‘Conversion to’ tab. For ‘Fax’ and ‘Tel’, change the method to ‘addPhonePrefix’ using the drop-down menu (Figure 34). Choose ‘OK’ and ‘Update’ to reload the configuration.

Figure 34

Now verify that the attribute values have changed using the LDAP Browser (Figure 35). Do keep in mind that the data in the HR SAMPLE table is not changed!


Figure 35
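
Added example (not part of the original exercise guide, and not SAP code): a stand-alone Java model of what Exercises 6 to 8 configure, showing how one HR_SAMPLE row becomes an LDAP entry through the DN constructed as UID=<EmployeeID>, the ‘Conversion To’ mapping, the static objectClass and the addPhonePrefix rule. It goes beyond the guide by escaping the RDN value per RFC 4514, so that a column value containing a comma or plus sign cannot change where the entry appears in the virtual tree. The column names other than EmployeeID, the LDAP attribute names, the objectClass values and the sample rows are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration, not SAP code: models how one database row becomes an
// LDAP entry (constructed DN, "Conversion To" mapping, static objectClass).
public class RowToEntryDemo {

    // Stand-in for the VDS constant created in Exercise 8.
    static final String PHONE_PREFIX = "+99";

    // Column order of the constructed sample table; all names except
    // EmployeeID are assumptions.
    static final String[] COLUMNS = {"EmployeeID", "Name", "LastName", "Tel", "Fax"};

    // "Conversion To": data source column -> internal (LDAP) attribute (assumed names).
    static final Map<String, String> CONVERSION_TO = new LinkedHashMap<>();
    static {
        CONVERSION_TO.put("EmployeeID", "uid");
        CONVERSION_TO.put("Name", "cn");
        CONVERSION_TO.put("LastName", "sn");
        CONVERSION_TO.put("Tel", "telephoneNumber");
        CONVERSION_TO.put("Fax", "facsimileTelephoneNumber");
    }

    // Columns whose conversion method is set to addPhonePrefix (Exercise 8).
    static final Set<String> PHONE_COLUMNS = Set.of("Tel", "Fax");

    // Static objectClass attribute (Exercise 7); the values are assumed.
    static final List<String> OBJECT_CLASSES =
            List.of("top", "person", "organizationalPerson", "inetOrgPerson");

    // Same rule as addPhonePrefix in the guide, with blank input passed through.
    static String addPhonePrefix(String phoneNumber) {
        String trimmed = phoneNumber.trim();
        boolean keep = trimmed.isEmpty() || trimmed.startsWith("+");
        return keep ? trimmed : PHONE_PREFIX + " " + trimmed;
    }

    // Escape an RDN value per RFC 4514 so that a column value containing DN
    // metacharacters cannot change the structure of the constructed DN.
    static String escapeRdnValue(String value) {
        StringBuilder out = new StringBuilder();
        int last = value.length() - 1;
        for (int i = 0; i <= last; i++) {
            char c = value.charAt(i);
            if (c == '\0') { out.append("\\00"); continue; }
            boolean special = "\"+,;<>\\".indexOf(c) >= 0;
            boolean edgeSpace = c == ' ' && (i == 0 || i == last);
            boolean leadingHash = c == '#' && i == 0;
            if (special || edgeSpace || leadingHash) out.append('\\');
            out.append(c);
        }
        return out.toString();
    }

    // Build the virtual entry as LDIF-style text. The row is only read, never
    // modified, matching the guide's note that the table data is not changed.
    static String toEntry(Map<String, String> row, String parentDn) {
        String id = row.get("EmployeeID");
        if (id == null || id.trim().isEmpty()) {
            throw new IllegalArgumentException("no EmployeeID, so no DN can be constructed");
        }
        StringBuilder entry = new StringBuilder("dn: uid=")
                .append(escapeRdnValue(id)).append(',').append(parentDn).append('\n');
        for (String oc : OBJECT_CLASSES) {
            entry.append("objectClass: ").append(oc).append('\n');
        }
        for (Map.Entry<String, String> mapping : CONVERSION_TO.entrySet()) {
            String value = row.get(mapping.getKey());
            if (value == null) continue; // NULL column: the attribute is simply absent
            if (PHONE_COLUMNS.contains(mapping.getKey())) value = addPhonePrefix(value);
            entry.append(mapping.getValue()).append(": ").append(value).append('\n');
        }
        return entry.toString();
    }

    // Helper for the constructed sample data: values in COLUMNS order.
    static Map<String, String> row(String... values) {
        Map<String, String> r = new LinkedHashMap<>();
        for (int i = 0; i < COLUMNS.length; i++) r.put(COLUMNS[i], values[i]);
        return r;
    }

    public static void main(String[] args) {
        String parent = "ou=DB,o=myorg";
        // Constructed rows; the second EmployeeID contains DN metacharacters.
        System.out.println(toEntry(row("3001", "Ann Example", "Example", "555 0100", "+47 555 0101"), parent));
        System.out.println(toEntry(row("3002,ou=People", "Bob Sample", "Sample", "555 0102", null), parent));
    }
}
```

Compile and run with javac RowToEntryDemo.java followed by java RowToEntryDemo (Java 9 or later).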


Exercise 9 Create a Multi Search Group

In this exercise we will combine the two created Data Sources into one virtual tree. From the client perspective it appears as one repository.

In the VDS go to Data Sources, Groups, Operations, and Multi-search. Right-click on Multi-search and select ‘New’. Enable the Multi-search group and give it a name (i.e. MultiSearch). Next, under Group Members, select ‘New’ (Figure 36).

Figure 36

Use the drop-down to select Data Source SunOne LDAP (Figure 37), click OK and choose Add again to select the 2nd Data Source in the Multi-Search group. Select HR Sample as the Data Source and select OK (Figure 38).

Figure 37


Figure 38

Select LDAP as the Master (Figure 39) and click OK. This is actually not necessary since the Master flag is only used for updating (add, delete, modify); however, it is good practice to select one.

Figure 39

Next we need to create another node in the virtual tree. Follow the steps in Figures 40 through 42, and finish by clicking ‘Update’ to reload the configuration.


Figure 40

Figure 41


Figure 42

Use the LDAP Browser to check the result. The result of the multi-search group is found in Figure 43. As you can see there is a problem…

Figure 43

Figure 44

The problem is that the LDAP Groups (ou=People etc.) are shown at the same level as the users from ou=DB. To fix this, change the entry point for the SunOne LDAP data source. The end result should show both uid=Teched## and uid=30## and look like Figure 44.


Optional - Exercise 10 Create a Custom Connector

One common question is how to create a custom connector if no connector is provided as part of the connector framework. For SAP NetWeaver Identity Management the Virtual Directory Server is used to create custom connectors. This exercise outlines the steps to create a custom connector. We will simulate a 3rd party application by using an open source MS Excel connector called jxl.jar. The jxl.jar represents the ‘Application Java Library’ which in a real world situation will be provided as an API by the 3rd party vendor. For the Application Integration Code we will import a Java file called DemoXlsConnector.java. After configuring the VDS, we will have to create connector tasks in Identity Center.

Figure 45

First add the jxl.jar to the classpath under menu item ‘Tools’ – ‘Options’ – tab ‘Classpath’. Choose ‘Add file’ and browse to path \\10.64.0.21\session\SCI263\ImageFiles\ImageFiles\jxl.jar. (This location can also be found from the desktop shortcut ‘Session (Teched SDP Share)’.) The jxl.jar is called by the Java code in DemoXlsConnector.java, which will be imported as a connector extension class (Figure 46).


Figure 46

Browse to \\10.64.0.21\session\SCI263\ImageFiles\ImageFiles\DemoXlsConnector.java. (This location can also be found from the desktop shortcut ‘Session (Teched SDP Share)’.) Save and compile (Figure 47), click OK.


Figure 47

Next, create a new data source under ‘Data Sources’, Singles and select templates ‘Generic’ and ‘Generic’. Enable the Data Source and give it the Display Name TechedXls. On the connectors tab use the ‘Use methods from’ drop-down to select DemoXlsConnector, and allow Search, Add, Modify, and Delete for this connector (Figure 48).

Figure 48


Go to tab ‘Data Source Attributes’, type in the Attribute list and select the options shown in Figure 49. You may have to go full screen to see all the options.

Figure 49

When complete, click on ‘Define’. In the Define Parameters screen select UID= as the attribute type, click on UserId in the ‘Available Attributes’ table and click ‘Add attribute’ to construct the mapping parameters (Figure 50). Select ‘OK’.

Figure 50

Next, select the ‘additional parameters’ tab and add the FileName parameter with the value of users.xls in the same directory \\10.64.0.21\session\SCI263\ImageFiles\ImageFiles\. (This location can also be found from the desktop shortcut ‘Session (Teched SDP Share)’.) You may have to copy the file to a local directory.


Figure 51

On the ‘Conversion from’ tab, create a mapping between CN and UserId as shown in Figure 52 and close with ‘OK’. Note that the viewpoint is from the VDS and ‘conversion from’ is from the VDS to the Excel spreadsheet, meaning conversion from the internal attribute to match the data source attribute.

Figure 52

Now it is time to set up a virtual tree. We will create a new node at the same level as o=myorg. See Figure 53.

Figure 53

On the ‘Access Control List’ tab give full access to the anonymous group. Note: since we will also write to the data source you have to create a new rule for this; be sure to allow search, add, modify, and delete in the rule. Give the rule a name, i.e. FullAccess. You can check section ‘Create a Rule’ earlier in the exercise guide to view the steps. The result is Figure 54.


Figure 54

Add a new node under o=TechedConnector and choose Source=TechedXls (Figure 55). Finalize with OK and ‘Update’, then click ‘Stop’ and ‘Start’ to force a restart.

Figure 55

Use the LDAP Browser tab to verify the VDS setup as shown in Figure 56. The result should have User1 through User40, from the users.xls file.


Figure 56

Start Identity Center, using the shortcut on the desktop. Verify that the dispatcher is in status ‘Running’ (Figure 57).


Figure 57

Create repository VDSXLS, using the ‘Directory’ template (Figure 58).

Figure 58

Create a new folder as a subfolder of ‘Job folder’ called SCI263, and add an empty job called ‘ReadFromVDS’. Enable the job and the ‘teched’ dispatcher (Figure 59).


Figure 59

Next add a ‘from ldap directory’ pass and name it FromVDS. Set the repository to VDSXLS. On the source tab click on the button to the right of ‘LDAP URL’ and add return attributes = *, searchtype=one and (objectclass=*). Use the right-click context menu to select the ‘Directory login name’ and ‘Directory login password’ (Figure 60).


Figure 60

On the destination tab, choose %$ddm.identitycenter% (use right-click) and tempVDSXLS as the name for the table, and select ‘insert template’ and ‘insert data source template’ – see Figure 61. Click ‘OK’ to save.

Figure 61

In the SCI263 job folder, create a new ‘empty job’, name it WriteToVDS, enable the job and choose ‘teched’ as the dispatcher, then hit apply. Right-click on WriteToVDS and add a ‘To LDAP Directory’ pass named WriteVDS. Set the repository to VDSXLS, hit apply and go to the source tab. Select ‘use identity store’, ‘Enterprise People’, and select ‘Build SQL query’ to select the fields shown in Figure 62. The end result can be found in Figure 62; choose ‘apply’ to save the changes.

Figure 62


Figure 63

On the destination tab use right-click and typing to reflect Figure 64.

Figure 64


To check the result, go to job ‘ReadFromVDS’ and click ‘Run Now’, then go to the ‘job log’ and select refresh; the log should show 41 added (Figure 65).

Figure 65

Next open directory \\10.64.0.21\session\SCI263\ImageFiles\ImageFiles\ in ‘windows explorer’ (this location can also be found from the desktop shortcut ‘Session (Teched SDP Share)’) and check the size and date stamp of the users.xls file. This should be 20KB and 8/3/2010. Go back to Identity Center and run job ‘WriteToVDS’. The job log now shows 1 record added. Go back to Windows Explorer and verify the time stamp has changed for the users.xls file. Open the users.xls file with MS Excel to verify that the Teched10 user was added.

Figure 65


If you get a permission error, make sure the VDS rule for o=techedconnector is set to ‘full access’, not read access only.

This concludes the exercise; you have created a custom connector to read and write data between SAP NetWeaver IDM 7.1 and MS Excel.


© 2010 SAP AG. All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.