
Setting up LDAP between MS AD and SAP

Former Member
0 Kudos

We are using transaction LDAP in SAP to setup a connection between SAP and Active Directory to prepare for SSO. We have the Connector configured, the server configured, and can read the Active Directory data from within SAP. Our AD is structured like below:

DOMAIN (Base DN is: DC=Domain, DC=Domain Name, DC=Net)
    OU=Site
        OU=Users
            CN=Username (all names are "first name (space) last name")
    OU=Site2
        OU=Users
            CN=Username (all names are "first name (space) last name")
    OU=Site3
        OU=Users
            CN=Username (all names are "first name (space) last name")
    CN=Computers (this is the default, empty container)
    CN=Users (this is the default, empty container, but it contains some groups and Exchange recipients)

The users which we are trying to read are all of the CN users under the OU=Site containers.

The LDAP settings that we are using to search the directory are:

Base entry: DC=Domain, DC=Domain Name, DC=Net

Filter: (&(objectclass=*))

Search Depth: Basis Entry and All Levels Below

With the above settings, we can see all of the users and groups listed in the default Computers and Users containers, but these containers do not contain the user IDs needed to sync. If we change the LDAP settings to:

Base entry: OU=Users, OU=Site, DC=Domain, DC=Domain Name, DC=Net

Filter: (&(objectclass=*))

Search Depth: Basis Entry and All Levels Below

Now, we can read all users and attributes in that particular site.

In order to set up the mapping between SAP and AD correctly, we need to be able to read all of the user IDs in all of the sites (OUs). Is there a wildcard that I can use in place of "OU=Site" in the Base DN so that it will retrieve all users from all OUs?

Example: OU=Users, OU=*, DC=Domain, DC=Domain Name, DC=Net

Additional Questions:

1. Do we even need to keep the LDAP connection open at all times or is it a one-time sync for all current users? If it is a one time sync, then I can change the base DN as required for each site.

2. Our SAP users are all first initial, last name (i.e. FLASTNAME), while our domain users are all "Firstname Lastname". Can you provide help in picking the correct attributes to use to map the two identities?

Hopefully this post is somewhat understandable. Thank you for any assistance you can provide.

Accepted Solutions (0)

Answers (2)

former_member189546
Active Contributor
0 Kudos

Hello,

Please check

note 861461 Activating LDAP registration manually

The LDAP directory to be used (e.g. Microsoft Active Directory) needs to be prepared/configured. SAP's schema extension needs to be installed, a root node in the directory tree where the SAP system should be registered must be created, and a registration user or SAPService<SID> / <SID>adm user group membership must be configured. All this has to be done once per directory to be used.

SAPInst / R3Setup can be used to do this for Microsoft Active Directory. For other directories like OpenLDAP, SAP just provides a schema extension and some general instructions (note 729614). You need to configure the directory using that, according to the directory vendor guidelines.

regards,

John Feely

Former Member
0 Kudos

I thought that I had this issue resolved after reading your responses and the associated notes. I had everything set up and was able to create an SAP user ID in the Active Directory. The only outstanding issue was what I thought was going to be resolved by modifying the mapping. Instead of adding the SAP name FNAME to an existing user ID of FIRST NAME in the Active Directory, I added a new user in AD called "FNAME".

After this, I began tuning and tweaking and now am unable to even add a user to AD. When I run RSLDAPSYNC_USER with the parameters "Create in Directory" and/or "Create in DB", I get one of the following two errors:

Naming Rules not Satisfied OR Attribute does not exist

The next lines are:

LDAP_CREATE failed

Error while writing object FNAME to the directory

The message numbers I've found to be no help:

LDAPRC064, LDAPACCESS 103 - I've tried to implement note 492964, but it is already included in the version that I am testing with.

Version: 700 - SP14

I have a message open with SAP, but so far your responses have given the most help, so I'm trying again; any ideas?

Former Member
0 Kudos

Hi Bob,

Please find the answers, below;

1) As far as I remember, there's no wildcard option for "Base entry", but you can create several LDAP servers with different "Base Entries".

2) Yes, this is a one-time sync for all users. You should schedule the "RSLDAPSYNC_USER" program, according to your needs, in order to synchronize users between SAP and AD.

3) You should use "mapping using function modules" in order to pick the correct attributes to use to map the two identities.

Best regards,

Orkun Gedik
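Added example (not part of this thread, and not SAP or Microsoft code): a stdlib-only Python model of the directory layout described in the question, showing why no wildcard is needed in the base entry and why the filter matters. A subtree search from the domain base ("Basis Entry and All Levels Below") already reaches every OU=Users container under every site OU; what the question's filter (&(objectclass=*)) does is return the containers, OUs, groups and computer accounts as well, and in Active Directory computer accounts are also objectClass=user, so the usual way to select only people is (&(objectCategory=person)(objectClass=user)). The block also derives first-initial + surname IDs from givenName/sn, as the question's SAP naming scheme implies, and reports collisions, which is the check to run before choosing the mapping attribute. The entries are constructed sample data; the sAMAccountName values, the site names beyond those in the post, and the derivation rule are assumptions, not the poster's directory.

```python
import re

# Constructed sample directory modelled on the post's layout (hypothetical data,
# not the poster's directory). Attribute names are stored in lower case and
# every attribute is multi-valued, as in LDAP.
BASE_DN = "DC=Domain,DC=Domain Name,DC=Net"
PERSON_FILTER = "(&(objectCategory=person)(objectClass=user))"


def user_entry(cn, sam, given, sn, site):
    """Build one AD user under OU=Users,OU=<site>. sAMAccountName values are assumed."""
    return (f"CN={cn},OU=Users,OU={site},{BASE_DN}", {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "objectcategory": ["person"], "cn": [cn], "samaccountname": [sam],
        "givenname": [given], "sn": [sn], "displayname": [f"{given} {sn}"]})


DIRECTORY = dict([
    (f"CN=Computers,{BASE_DN}", {"objectclass": ["top", "container"], "cn": ["Computers"]}),
    (f"CN=Users,{BASE_DN}", {"objectclass": ["top", "container"], "cn": ["Users"]}),
    (f"CN=Domain Admins,CN=Users,{BASE_DN}", {"objectclass": ["top", "group"], "cn": ["Domain Admins"]}),
    # Computer accounts carry objectClass=user too; only objectCategory separates them from people.
    (f"CN=WS01,CN=Computers,{BASE_DN}", {
        "objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
        "objectcategory": ["computer"], "cn": ["WS01"]}),
    user_entry("Bob Smith", "bsmith", "Bob", "Smith", "Site"),
    user_entry("Alice Jones", "ajones", "Alice", "Jones", "Site2"),
    user_entry("Anna Jones", "anjones", "Anna", "Jones", "Site3"),
])
for site in ("Site", "Site2", "Site3"):
    DIRECTORY[f"OU={site},{BASE_DN}"] = {"objectclass": ["top", "organizationalUnit"], "ou": [site]}
    DIRECTORY[f"OU=Users,OU={site},{BASE_DN}"] = {"objectclass": ["top", "organizationalUnit"], "ou": ["Users"]}


def parse_dn(dn):
    """Normalize a DN into a root-first tuple of (type, value) pairs.
    Attribute types are case-insensitive and whitespace after the separating
    commas is insignificant (RFC 4514); AD matches values case-insensitively as
    well, so 'OU=Users, OU=Site, DC=x' and 'ou=users,ou=site,dc=x' are the same entry."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        typ, _, val = rdn.strip().partition("=")
        pairs.append((typ.strip().lower(), val.strip().lower()))
    return tuple(reversed(pairs))


def in_scope(entry_dn, base_dn, scope):
    """scope: 'base' (the entry itself), 'one' (direct children), 'sub' (base and all levels below)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if entry[:len(base)] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def split_filters(s):
    """Split '(a=1)(b=2)' into its top-level parenthesized components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(attrs, flt):
    """Evaluate an RFC 4515 filter subset: equality, presence (attr=*), &, | and !."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":
        results = [matches(attrs, sub) for sub in split_filters(body[1:])]
        return not results[0] if body[0] == "!" else {"&": all, "|": any}[body[0]](results)
    typ, _, val = body.partition("=")
    values = [v.lower() for v in attrs.get(typ.strip().lower(), [])]
    return bool(values) if val == "*" else val.strip().lower() in values


def search(base_dn, scope, flt, directory=DIRECTORY):
    """Return the DNs within scope of base_dn that satisfy flt, in directory order."""
    return [dn for dn, attrs in directory.items() if in_scope(dn, base_dn, scope) and matches(attrs, flt)]


def sap_id_candidates(directory=DIRECTORY):
    """Map each derived SAP-style ID (first initial + surname, upper case) to the AD
    user DNs that produce it. An ID with more than one DN is ambiguous and must be
    resolved through a unique attribute such as sAMAccountName, not through the name."""
    out = {}
    for dn in search(BASE_DN, "sub", PERSON_FILTER, directory):
        a = directory[dn]
        out.setdefault((a["givenname"][0][0] + a["sn"][0]).upper(), []).append(dn)
    return out


if __name__ == "__main__":
    print("everything:", len(search(BASE_DN, "sub", "(&(objectclass=*))")), "entries")
    print("objectClass=user (includes computers):", search(BASE_DN, "sub", "(objectClass=user)"))
    print("people only:", search(BASE_DN, "sub", PERSON_FILTER))
    print("SAP ID candidates:", sap_id_candidates())
```

The scoping function is the point of the example: a base entry is a suffix test on the DN, so one subtree search from the domain root covers all three site OUs, and per-site base entries (as suggested in the reply above) are only needed if the search must be narrowed for size or permission reasons. The collision on AJONES shows why the mapping should key on an attribute that AD guarantees unique in the domain, such as sAMAccountName, rather than on a name derived from cn or displayName.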