ranias
21st November 2006, 14:53
Hi All,
I'm checking the option of implementing single sign-on in Baan. Has anyone implemented this for the Baan application?
I would like to know the following:
1. What are the potential problems for such an implementation?
2. Does any product need to be purchased for this?


Any other insights or suggestions are needed.

Thanks for your input on this,
- Ranias

bdittmar
25th November 2006, 21:35
> Hi All,
> I'm checking the option of implementing single sign-on in Baan. Has anyone implemented this for the Baan application?
> I would like to know the following:
> 1. What are the potential problems for such an implementation?
> 2. Does any product need to be purchased for this?
>
> Any other insights or suggestions are needed.
>
> Thanks for your input on this,
> - Ranias

Hello,
What do you understand by single sign-on?
Be more specific.

Regards

en@frrom
27th November 2006, 11:17
I assume you mean a control/check mechanism to ensure that users don't have more than one active bshell running. If that is indeed the case, then use the board's search function; this issue has been discussed many times...

ranias
28th November 2006, 18:32
Hi,
I wasn't specific. I meant single sign-on into Windows AD. What are the steps to implement such a solution for Baan users?
Any input is appreciated.

Thanks,
- Ranias

bdittmar
28th November 2006, 20:39
> Hi,
> I wasn't specific. I meant single sign-on into Windows AD. What are the steps to implement such a solution for Baan users?
> Any input is appreciated.
>
> Thanks,
> - Ranias

Hello,
Is your requirement to synchronize the password / user from Active Directory to Unix?

Regards

ranias
5th December 2006, 17:36
Hi Bdittmar,
Yes, I want to synchronize passwords from AD to the Unix system. When a user logs on to AD, they don't need to provide a password for the Baan client too. All will be synchronized. Any ideas? What should be done for the application/DB to work this way?

Thank you for your input,
- Ranias

dave_23
6th December 2006, 01:04
Won't work. Baan supports SSPI on Microsoft machines only.

The only thing you could do would be to have your Windows password be == to your HP-UX password by linking PAM to AD.

Which I've done on Linux, but AD lookups from PAM are slow.

Dave

bdittmar
8th December 2006, 17:40
> Hi Bdittmar,
> Yes, I want to synchronize passwords from AD to the Unix system. When a user logs on to AD, they don't need to provide a password for the Baan client too. All will be synchronized. Any ideas? What should be done for the application/DB to work this way?
>
> Thank you for your input,
> - Ranias

Hello,
For the last two weeks I've had discussions about this with HP.
It works (also with AIX .. ??), but:

- ADS against LDAP server against HP-UX daemon
(when found, I will attach a whitepaper with description)

- complexity for administration is higher


Regards

ranias
26th December 2006, 17:55
Hi Bdittmar,
Thanks for the document you attached; I will check it out. I still need to know whether any product is needed for the Oracle DB in order to implement single sign-on for the Baan application. Is the password synchronization between AD LDAP and the HPUX OS the only thing that should be considered?

Thanks for the input,
- Ranias

ranias
26th December 2006, 18:01
> Won't work. Baan supports SSPI on Microsoft machines only.
>
> The only thing you could do would be to have your Windows password be == to your HP-UX password by linking PAM to AD.
>
> Which I've done on Linux, but AD lookups from PAM are slow.

Hi Dave,
Thanks for your input. You wrote that synchronization between AD-LDAP and HPUX won't work. If you have implemented it on Linux, why do you think it won't work for HPUX also?
What is the SSPI that Baan doesn't support?

Thanks,
- Ranias

ecarceller
27th December 2006, 07:28
> Hi Bdittmar,
> Thanks for the document you attached; I will check it out. I still need to know whether any product is needed for the Oracle DB in order to implement single sign-on for the Baan application. Is the password synchronization between AD LDAP and the HPUX OS the only thing that should be considered?
>
> Thanks for the input,
> - Ranias

I wouldn't worry about the Baan-DB connection. That is configured in the ora_users/ora_groups files. As long as those are up to date you'll be fine.

ranias
10th January 2007, 11:49
Hi ecarceller,
Thanks for your comment. So I understand that if I connect the Baan server with LDAP, this will synchronize the HPUX passwords with LDAP, and that would be the only level that needs to be taken care of to implement SSO.

Thanks for your input,
- Ranias

psivakumar
10th January 2007, 15:48
We have implemented Kerberos & AD. It works fine and is simple to implement. I would not recommend database login(s). (This will pose a security issue when a regular user is given access to the database directly. It is better to control Oracle passwords for users separately, in my opinion.)

Thanks

ecarceller
17th January 2007, 23:48
> Hi ecarceller,
> Thanks for your comment. So I understand that if I connect the Baan server with LDAP, this will synchronize the HPUX passwords with LDAP, and that would be the only level that needs to be taken care of to implement SSO.
>
> Thanks for your input,
> - Ranias

I've never implemented SSO.

What I can tell you is that the connection to the DB is done by the DB driver using the encrypted passwords stored in ora_users and ora_groups, without users ever knowing that is even happening. From Baan's perspective there is absolutely no need for users to know those passwords. Actually there is absolutely no need for anybody AT ALL to know them as long as they are properly kept in the files. So why incorporate them into SSO? You want SSO so users will not have to enter a password for every application they run. In the case of the DB used by Baan it is already working like that.

dave_23
22nd January 2007, 23:07
> Hi Dave,
> Thanks for your input. You wrote that synchronization between AD-LDAP and HPUX won't work. If you have implemented it on Linux, why do you think it won't work for HPUX also?
> What is the SSPI that Baan doesn't support?
>
> Thanks,
> - Ranias

You can sync your password between Windows and your Linux/HP box; however, that is not single sign-on, because the user will have to log in to Baan.

Single sign-on, to me, implies that I've logged into my workstation, and when I start Baan I should not have to type a username or password.
(obviously saving username/password in the bw configuration file doesn't count here...)

Dave

searocket
26th June 2009, 16:50
We have implemented a Kerberos client on AIX and Active Directory. Although this works fine to log in to an AIX shell, it fails on the LN client (worktop and webtop) - we are using Baan login.

Does anyone know how to get the ERP LN client to authenticate via Kerberos and AD?
Our ERP LN application server is on AIX 6.1.

thanks