Hi
I was under the impression that you can user LDAP to authenticate your SAP GUI user . ( so users do not have to maintain and remember multiple passwords )..
However - note #603208 claims that this is not possible.
This is quite an old note , is this still true ?
note #793191 ( FAQ ) says :
9. Can I synchronize user passwords?
Response: No.
The password cannot be synchronized. For more information, see Note 603208.
and note #603208 says :
A comparison of the production password with a directory is not possible.
The following reasons are responsible for this:
- The password is not stored in the plain text or in in "enciphered" form, neither in SAP Web Application Server nor in the directory, rather is is stored as a "hash value" that is calculated from the password that is entered. The function used for this is especially designed so that the password CANNOT be reconstructed from the hash value.
For technical reasons, the user master synchronization cannot therefore extract the plain text of the password and send this to another system. - The user's password has a size that is known only to the user. Even the system administrator and database administrator cannot obtain any information about the password.
A comparison in plain text form would violate this basic rule. For this reason, the use of a hash value is a generally applied standard. - Often the adjustment of passwords in several systems is equated with the term "Single Sign-On".
However, this term must only be applied if the user logs on once and this logon information is transferred within the system infrastructure.
The SAP Web Application Server supports real Single Sign-Ons (note 138498).