12-07-2010 11:44 AM
Hi @all
At first, I am not an SAP guy. Hopefully you will support me too.
We try to use our LDAP directory as a single point for "basic user information administration".
This means: all our basic information like surnames, given names, SAP logon name (equal to the samaccountname), tel, and so on is administered in the LDAP.
Now, in our test environment, we used the LDAP-SYNC report to synchronize the users and the necessary attributes from LDAP to SAP. This works fine.
But this report always syncs all users!
In our case, we need to set a filter for all our SAP systems.
This means: not all of our LDAP users are in all of our SAP systems. I must use a filter option.
I understand there are two ways to do this:
The first way is to put all users into a separate OU in the LDAP - e.g. all IS-U users in OU IS-U, all SRM users in SRM, and so on. This doesn't work for us, because many customers are in multiple SAP systems.
The second way is to use a separate LDAP attribute, e.g. to extend the LDAP schema with attributes like sapsrmusername, sapisuusername and so on. Then I can use the filter option in the ldap_map report.
But we won't extend our LDAP!
My plan is to use a filter in the RSLDAPSYNC_USER report by LDAP groups, e.g. to use the "memberof" attribute or something else. Like: sync a user only if the user is a member of the LDAP group SRM.
But I can't find any option to do this.
Is it possible to filter by a membership?
There are two options in RSLDAPSYNC_USER for which I can't find definitions.
1.) "Use User Selection in LDAP Search Filter"
2.) User group (from / to)
Does anyone have an idea for me?
Best regards
12-07-2010 12:52 PM
Are you pushing AD users to SAP?
It sounds like you do not want to create AD/LDAP users in SAP and only want to sync SAP users with LDAP.
If that is the case, then you can set this function in the SAP configuration in transaction LDAP.
12-07-2010 9:07 PM
Are you pushing AD users to SAP?
Yes, I want to do this.
It sounds like you do not want to create AD/LDAP users in SAP and only want to sync SAP users with LDAP.
No, I want to create AD/LDAP users in SAP. And this works fine, but only for all users in the LDAP - better, the defined OU and sub-OUs.
But I want to select the users by an LDAP group membership.
The goal:
All users in the LDAP group "SRM" should be created and synchronized in our SAP SRM
All users in the LDAP group "ISU" should be created and synchronized in our SAP ISU
and so on...
I hope this is much clearer.
12-07-2010 11:48 PM
Not an AD/LDAP expert; however, there should be a way to flag users in AD for SAP users, and if you want to even filter SAP users based on SRM, ISU, you can then explore group-specific user sync with SAP.
04-29-2013 3:49 PM
Hello Sascha,
have you solved the issue?
I need the same configuration, but I didn't find any solution.
Thanks
Matteo
06-01-2013 10:50 AM
Hi Matteo,
take a look at the "memberOf" filter option. You can create a filter like (&(objectclass=*)(memberOf=CN=MyGroup-Name,OU=Groups,OU=SomeOU,DC=localdomain,DC=local))
Best regards,
Andy
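The memberOf filter suggested in the post above, built once per SAP system with RFC 4515 escaping of the group DN, as an added example that is not part of the original thread. The group DNs, the sample entries and the helper names are constructed assumptions, and the code covers only the directory-side filter, not how RSLDAPSYNC_USER or LDAPMAP would consume it.

```python
# Added example: DNs, entries and function names are constructed, not from the thread.

# Active Directory matching rule that also follows nested group membership.
IN_CHAIN = "1.2.840.113556.1.4.1941"

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))  # e.g. "(" -> \28, "*" -> \2a
        else:
            out.append(ch)
    return "".join(out)

def member_of_filter(group_dn: str, nested: bool = False) -> str:
    """Filter in the shape used in the thread; nested=True is AD-specific.

    A plain memberOf comparison matches direct members only, so users who
    reach the group through another group are missed unless nested=True.
    """
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(&(objectclass=*)(%s=%s))" % (attr, escape_filter_value(group_dn))

def users_for_system(entries, group_dn):
    """Local stand-in for the directory search (direct membership only).

    DNs are compared case-insensitively, which is a simplification of
    real DN matching.
    """
    wanted = group_dn.lower()
    return sorted(
        e["sAMAccountName"]
        for e in entries
        if wanted in (g.lower() for g in e.get("memberOf", []))
    )

# Constructed sample data: one group per SAP system, one user in both.
SRM_GROUP = "CN=SRM,OU=Groups,DC=example,DC=local"
ISU_GROUP = "CN=ISU,OU=Groups,DC=example,DC=local"
ENTRIES = [
    {"sAMAccountName": "alice", "memberOf": [SRM_GROUP, ISU_GROUP]},
    {"sAMAccountName": "bob", "memberOf": [ISU_GROUP]},
    {"sAMAccountName": "carol", "memberOf": []},
]

if __name__ == "__main__":
    for name, dn in (("SRM", SRM_GROUP), ("ISU", ISU_GROUP)):
        print(name, member_of_filter(dn), users_for_system(ENTRIES, dn))
```

A user who belongs to both groups is selected for both systems, which is the case the separate-OU approach from the first post cannot express.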
06-03-2013 1:57 PM
Hello Andy,
in report RSLDAPSYNC_USER it is not possible to put an LDAP filter...
And also in transaction LDAPMAP I haven't discovered how to make an LDAP filter.
Please take into account that I have a pure ABAP environment.
Regards
Matteo Stocco
06-10-2013 8:31 PM
There are two options in RSLDAPSYNC_USER for which I can't find definitions.
1.) "Use User Selection in LDAP Search Filter" -> program only takes the users defined in selection list
2.) User group (from / to) -> You can define the user group that you want to exclude.
We are doing the testing to sync the first name, last name, user group and valid-to date from AD to SAP user master data. It works fine with test IDs (15-20 users), but when we execute the program RSLDAPSYNC_USER for ALL the users (keeping "User selection in LDAP Search Filter" empty), the program generates the error message "Maximum number of find results exceeded" LDAPRC 004.
SAP recommended reviewing OSS note 511141, but we are still not clear what the OSS note is asking us to do.
Thanks
Pranav
10-05-2015 10:41 AM
Hi guys,
ABAP system, no IDM available.
Tcode: LDAP
Using LDAP search with the filter (&(objectclass=*)(memberOf=CN=sapuserstest,OU=SAP,DC=XXX,DC=IT)) I am able to get all users that are members of a specific AD group. The query works properly!
So now I want to import those users with RSLDAPSYNC_USER, where I am not able to set an LDAP filter.
My goal is to import users from AD to the SAP DB, only some users based on an LDAP filter, those that are memberOf a specific AD group.
Is there any chance to do that? Importing only users that are memberOf a specific AD group, exactly as the LDAP search does using the filter.
Thanks in advance for your contribution.
10-09-2015 1:45 PM
Hi Michele,
I have exactly the same need as you: select users from a specific AD group and create/modify them in an SAP ABAP system.
After several hours (…) I have understood that the filter used by report RSLDAPSYNC_USER comes from the attribute defined as filter in transaction LDAPMAP.
This can be checked by generating a trace using the report RSLDAPTRACE.
So, the need is to map the AD attribute “memberof” to an attribute from the SAP userid structure.
It seems easy, but I haven’t yet managed to do it!
As soon as I find a solution I’ll keep you in touch.
Also, if you manage to do it, I’m interested in the solution.
Alain