on 11-04-2010 8:29 PM
We are using transaction LDAP in SAP to setup a connection between SAP and Active Directory to prepare for SSO. We have the Connector configured, the server configured, and can read the Active Directory data from within SAP. Our AD is structured like below:
DOMAIN (Base DN is: DC=Domain, DC=Domain Name, DC=Net)
  OU=Site
    OU=Users
      CN=Username (all names are first name (space) last name)
  OU=Site2
    OU=Users
      CN=Username (all names are first name (space) last name)
  OU=Site3
    OU=Users
      CN=Username (all names are first name (space) last name)
  CN=Computers (this is the default, empty container)
  CN=Users (this is the default, empty container, but it contains some groups and Exchange recipients)
The users which we are trying to read are all of the CN users under the OU=Site containers.
The LDAP settings that we are using to search the directory are:
Base entry: DC=Domain, DC=Domain Name, DC=Net
Filter: (&(objectclass=*))
Search Depth: Basis Entry and All Levels Below
With the above settings, we can see all of the users and groups listed in the default Computers and Users containers, but these containers do not contain the user IDs needed to sync. If we change the LDAP settings to:
Base entry: OU=Users, OU=Site, DC=Domain, DC=Domain Name, DC=Net
Filter: (&(objectclass=*))
Search Depth: Basis Entry and All Levels Below
Now, we can read all users and attributes in that particular site.
In order to set up the mapping between SAP and AD correctly, we need to be able to read all of the user IDs in all of the Sites (OUs). Is there a wildcard that I can use in place of "OU=Site" in the Base DN so that it will retrieve all users from all OUs?
Example: OU=Users, OU=*, DC=Domain, DC=Domain Name, DC=Net
Additional Questions:
1. Do we even need to keep the LDAP connection open at all times, or is it a one-time sync for all current users? If it is a one-time sync, then I can change the base DN as required for each site.
2. Our SAP users are all first initial, last name (i.e. FLASTNAME) while our Domain Users are all "Firstname Lastname". Can you provide help in picking the correct attributes to use to map the two identities?
Hopefully this post is somewhat understandable. Thank you for any assistance you can provide.
Hello,
Please check note 861461, "Activating LDAP registration manually":
The LDAP directory to be used (e.g. Microsoft Active Directory) needs to be prepared/configured. SAP's schema extension needs to be installed, a root node in the directory tree where the SAP system should be registered must be created, and a registration user or SAPService<SID> / <SID>adm user group membership must be configured. All this has to be done once per directory to be used.
SAPInst / R3Setup can be used to do this for Microsoft Active Directory. For other directories like OpenLDAP, SAP just provides a schema extension and some general instructions (note 729614). You need to configure the directory using that, according to the directory vendor guidelines.
regards,
John Feely
I thought that I had this issue resolved after reading your responses and the associated notes. I had everything set up and was able to create an SAP user ID in the Active Directory. The only outstanding issue was what I thought was going to be resolved by modifying the mapping. Instead of adding the SAP name FNAME to an existing user ID of FIRST NAME in the Active Directory, I added a new user in AD called "FNAME".
After this, I began tuning and tweaking, and now I am unable to even add a user to AD. When I run RSLDAPSYNC_USER with the parameters "Create in Directory" and/or "Create in DB", I get one of the following two errors:
Naming Rules not Satisfied OR Attribute does not exist
The next lines are:
LDAP_CREATE failed
Error while writing object FNAME to the directory
The message numbers I've found to be of no help:
LDAPRC064, LDAPACCESS 103 - I've tried to implement note 492964, but it is already included in the version that I am testing with.
Version: 700 - SP14
I have a message open with SAP, but so far your responses have given the most help, so I'm trying again; any ideas?
Hi Bob,
Please find the answers below:
1) As far as I remember, there's no wildcard option for "Base entry", but you can create several LDAP servers with different "Base Entries".
2) Yes, this is a one-time sync for all users. You should schedule the "RSLDAPSYNC_USER" program, according to your needs, in order to synchronize users between SAP and AD.
3) You should use "mapping using function modules" in order to pick the correct attributes to use to map the two identities.
Best regards,
Orkun Gedik
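Since a base entry takes no wildcard, the two remaining pieces are doing the OU=* selection on the client after one subtree search from the domain root, and deriving the SAP-style first-initial-plus-surname ID from the AD name attributes. The Python below is an added example, not part of the thread and not SAP's function-module mapping; the directory entries, attribute values and the assumption that DN values contain no escaped commas are all constructed for illustration.

```python
# Added example: emulate the "OU=*" base-DN wildcard client-side.
# One subtree search from BASE_DN returns everything; we then keep only
# entries whose parent container is OU=Users,OU=<any site>,<BASE_DN>.
BASE_DN = "DC=Domain,DC=Domain Name,DC=Net"

# Constructed result set of a subtree search from BASE_DN (not real AD data).
ENTRIES = [
    {"dn": "CN=John Smith,OU=Users,OU=Site,DC=Domain,DC=Domain Name,DC=Net",
     "givenName": "John", "sn": "Smith", "objectClass": ["person", "user"]},
    {"dn": "CN=Ann Lee,OU=Users,OU=Site2,DC=Domain,DC=Domain Name,DC=Net",
     "givenName": "Ann", "sn": "Lee", "objectClass": ["person", "user"]},
    {"dn": "CN=Maria Garcia,OU=Users,OU=Site3,DC=Domain,DC=Domain Name,DC=Net",
     "givenName": "Maria", "sn": "Garcia", "objectClass": ["person", "user"]},
    # Default containers: a group and a computer account, outside the site OUs.
    {"dn": "CN=Domain Admins,CN=Users,DC=Domain,DC=Domain Name,DC=Net",
     "objectClass": ["group"]},
    {"dn": "CN=WS01,CN=Computers,DC=Domain,DC=Domain Name,DC=Net",
     "objectClass": ["computer", "user"]},
]

def split_dn(dn):
    """Split a DN into its RDN strings (assumes no escaped commas in values)."""
    return [rdn.strip() for rdn in dn.split(",")]

def in_site_users(dn, base_dn=BASE_DN):
    """True if dn's parent is exactly OU=Users,OU=<any site>,<base_dn>."""
    rdns, base = split_dn(dn), split_dn(base_dn)
    # Expected shape: [CN=<user>, OU=Users, OU=<site>, *base]
    if len(rdns) != 3 + len(base) or rdns[3:] != base:
        return False
    return rdns[1].lower() == "ou=users" and rdns[2].lower().startswith("ou=")

def is_user_object(entry):
    """Equivalent of the AD filter (&(objectClass=user)(objectClass=person)),
    which drops groups and computer accounts (computers are 'user' but not 'person')."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    return {"user", "person"} <= classes

def sap_user_id(given_name, surname):
    """SAP naming from the thread: first initial + surname, upper-case (FLASTNAME)."""
    return (given_name[:1] + surname).upper()

def map_sap_users(entries, base_dn=BASE_DN):
    """Return {SAP user ID: AD DN} for person entries under any site's OU=Users."""
    return {sap_user_id(e["givenName"], e["sn"]): e["dn"]
            for e in entries
            if is_user_object(e) and in_site_users(e["dn"], base_dn)}
```

Running map_sap_users(ENTRIES) yields three IDs (JSMITH, ALEE, MGARCIA) and ignores the group and the computer account in the default containers.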