
Does the guide within note 1584110 really work? LDAP Connector

Former Member

I followed the entire guide, but I am not able to see users when I am creating an access request.

Could you help me, please?

Thank you.

Accepted Solutions (1)

Former Member

Hi,

I hope your issue has been resolved. If not, ask your LDAP team for the parameters below; the best way is to call them into a meeting. Once you have added all of the information below and it still does not work, ask for a wire trace. That's how I resolved my issue.

LDAP Connector action 0003

LASTNAME

FIRSTNAME

USERID

ROLE_NAME

EMAIL

MANAGERID

LDAP Connector action 0004

USERID

MANAGERID

EMAIL

ROLENAME

FIRSTNAME

LASTNAME

LDAP Connector action 0003

User:OC

Roles:OC

GROUPMEMBER

LDAP_END_USER_AUTH_SUFFIX (MOST IMPORTANT)

LDAP Connector action 0004

GROUPMEMBER

Roles:OC

User:OC

GROUP PATH: OU=GROUPS, OU=FAP, O=??

USER PATH: OU=PEOPLE, OU=FAP, O=??

Let me know how it goes.

Khurram

former_member541582
Participant

Hi Khurram,

I have a query regarding the user and group paths. Are they necessary? As they are limited to 30 characters, our full path doesn't fit. I left them blank, and it seems that our base entry is sufficient to fetch the user data from our LDAP during request creation. But our sync with LDAP fails: first the role sync and then the user sync.

former_member541582
Participant

Hi folks,

Just wanted to report in that my sync job now is running.

I found out that the job was canceled due to max records exceeded. After some research I set the Page Size parameter to 500, and it seems to work!

PS. Don't forget to switch off the trace before you trigger the sync job.

Kind Regards,

Vit

Answers (7)

Former Member

Do not use USER_PATH if its length is greater than 30 for the real-time search.

regards.

Leon

Former Member

Guys,

I could sync roles and users. Thank you for all your recommendations.

I had to debug the program in order to see why the sync was failing, and I found that the base entry was missing, so I added this value in the LDAP Server configuration and I could sync successfully.

The next question is: what are GROUP_PATH and USER_PATH for?

Thanks everybody!

Regards,

Leon.

Former Member

Hi,

Group paths and user paths are maintained in LDAP. Good news: as GRC consultants, it is not our job to maintain them.

User Path

Branch of the directory where information about users is stored

ou=CorporateUsers,c=us,o=mycompany

Group Path

Branch of your directory where information about the groups of portal users is stored

ou=CorporateGroups,c=us,o=mycompany

Former Member

Hi,

I supposed that, but the program never takes these parameters into account for the base entry; the base entry is empty, so the sync job returns 0 records synced.

So I had to specify a base entry at the LDAP server level.

It would be better if we were able to use these parameters.

Thank you.

Leon

Former Member

The guide works up to the point of getting the basic connection established. The users will need to be synced in via the Object Repository job.

Having said that, I had flaky response time issues once configured at one implementation and it required the Networks and Basis team members help to fix the issue.

Former Member

I will apply note 1736230; I hope this fixes it.

Thank you.

Leon

Former Member

Hi Leon,

Additionally, also check whether the parameter LDAP_END_USER_AUTH_SUFFIX is blank.

If yes, then kindly add a value to it to see if this resolves the issue.

Best Regards,

Nandita

saksham
Advisor

Hi Leon,

Kindly check the parameter value for the defined object class at SPRO -> Governance, Risk & Compliance -> Access Control -> Maintain Mapping for Actions & Connector Groups. If the object class is defined as user, change it to *. Refer to the screenshot.

Regards,

Saksham

Former Member

Saksham

Done, but I'm still not able to see users.

Thank you.

Regards,

Leon

Former Member

Hi Leon,

When you select the server and connector in the LDAP transaction, does it get connected or not?

Regards,

Former Member

Yes, it gets connected (green)!

Thank you.

Regards,

Leon

Former Member

Ok, in this transaction if you browse the LDAP directory can you see users?

Regards,

Former Member

No, I can not see users.

Within the Find option I tried to search for a user with CN=XXXX, but I got an "operation failed" message.

Thank you

Former Member

Hi Leon,

I think that is one of the problems. You have to work with the LDAP administrator to allow the user used in the connection to browse users.

We made the following to correct this over the ldap user:

  • Read (read-only) access on the whole tree
  • The password never expires.
  • In the options of the user account, choose the option: Use DES encryption types for this account.
  • In the command line, enter the following command to register the Service Principal Name (SPN) for the J2EE engine host name and associate it with the AD service user created for this purpose:
  • setspn -A HTTP/<server grc> SRV_PORTAL_PRD
  • Check the configuration result with the following command-line entry for each registered SPN:

ldifde -r "(servicePrincipalName=HTTP/<server grc>)" -f out.ldf

The result should show an entry for the user created previously.

Hope it helps

regards,
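As an added example (not code from the thread, from Claudio, or from SAP) of checking the out.ldf that the ldifde step above produces: a small LDIF reader that handles folded lines and base64 (`::`) values, then confirms that the service account holds the HTTP/<server grc> SPN, that no second directory object holds the same SPN (a duplicated SPN breaks Kerberos logon for both objects), and decodes the userAccountControl bits behind "password never expires" and "Use DES encryption types". The sample export is constructed; the host name grc-server.example.corp and the OU names are placeholders, the account name SRV_PORTAL_PRD is the one used in the post, and the function names are my own.

```python
import base64

# Constructed sample of what `ldifde -r "(servicePrincipalName=HTTP/<server grc>)" -f out.ldf`
# writes for the service account. Host and OU names are made-up placeholders. One SPN
# line is folded across two lines and the description is base64-encoded, as LDIF allows.
SAMPLE_OUT_LDF = """\
dn: CN=SRV_PORTAL_PRD,OU=Service Accounts,DC=example,DC=corp
changetype: add
objectClass: user
sAMAccountName: SRV_PORTAL_PRD
description:: R1JDIExEQVAgc2VydmljZSBhY2NvdW50
servicePrincipalName: HTTP/grc-serv
 er.example.corp
servicePrincipalName: HTTP/GRC-SERVER
userAccountControl: 66048
"""

# Constructed second export in which a stale computer object still carries the same SPN.
SAMPLE_DUPLICATE_LDF = SAMPLE_OUT_LDF + """
dn: CN=OLDGRC,OU=Computers,DC=example,DC=corp
changetype: add
objectClass: computer
servicePrincipalName: HTTP/grc-server.example.corp
"""

# userAccountControl bits for the two account options named in the post.
DONT_EXPIRE_PASSWD = 0x10000
USE_DES_KEY_ONLY = 0x200000


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), decodes
    base64 values written as 'attr:: ...', and returns one {attribute: [values]}
    dict per entry. Attribute names are kept exactly as written."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def check_spn_registration(ldif_text, grc_host, account):
    """Report whether `account` holds HTTP/<grc_host>, whether any other object
    holds it too, and which of the two account options are set."""
    entries = parse_ldif(ldif_text)
    spn = f"HTTP/{grc_host}".lower()          # SPNs compare case-insensitively
    holders = [e["dn"][0] for e in entries
               if any(v.lower() == spn for v in e.get("servicePrincipalName", []))]
    ours = [e for e in entries
            if e.get("sAMAccountName", [""])[0].lower() == account.lower()]
    uac = int(ours[0].get("userAccountControl", ["0"])[0]) if ours else 0
    return {
        "account_found": bool(ours),
        "spn_on_account": bool(ours) and ours[0]["dn"][0] in holders,
        "duplicate_spn": len(holders) > 1,
        "holders": holders,
        "password_never_expires": bool(uac & DONT_EXPIRE_PASSWD),
        "des_only": bool(uac & USE_DES_KEY_ONLY),
    }


if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_OUT_LDF), ("duplicate", SAMPLE_DUPLICATE_LDF)):
        print(label, check_spn_registration(text, "grc-server.example.corp", "SRV_PORTAL_PRD"))
```

Run it against a real out.ldf by reading the file into `ldif_text`; the `holders` list shows every DN that carries the SPN, so a second entry there is the thing to clean up before retesting the logon, and `des_only` tells you whether the DES option from the post is actually set on the account.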

Former Member

I will test this solution.

Thank you.

Former Member

Hi Leon,

After testing the solution, if you still face the issue then kindly refer to the SAP Notes below:

#1598336: User Search does not return any result

#1663546: UAM: LDAP user sync failure

#1698372: UAM: LDAP Group Parameter Setup is Case Sensitive

#1728322: UAM: Issues with LDAP connector regarding datasearch

#1736230: UAM: LDAP User Synch job synching non user records from LDAP

Regards,

Shaily

Former Member

The user is OK; I tested and was able to search users within the LDAP transaction, but I still have a problem with access requests.

Thank you.

Regards,

Leon

Former Member

Hi Leon,

Can you set the parameter 2050 to yes and test it?

Also, in the source of users search, set the LDAP connector.

Hope this helps.

Regards,

Former Member

In fact, the parameter 2050 is already set to yes and the source of the user search is LDAP.

When I sync, I see that the total of users synced is 0.

Thank you.

Leon

Former Member

I suggest checking field mapping or deleting group mapping. Thank you.

Former Member

Hi Leon,

Please check your object class mapping under the parameter mapping in SPRO.

Best Regards,

Nandita

Former Member

Hi

the parameter mapping:

GROUPMEMBER = member

Roles:OC = group

User:OC = *

Thank you

Regards,

Leon
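The thread raises the same handful of connector-parameter pitfalls over and over: a blank base entry that makes the sync job report 0 records, USER_PATH/GROUP_PATH values longer than the 30-character field, a blank LDAP_END_USER_AUTH_SUFFIX, User:OC set to user instead of *, and the missing Page Size that cancelled Vit's sync with "max records exceeded". As an added example (not code from the thread or from SAP), here is a pre-flight check that encodes those pitfalls so a configuration can be reviewed before the sync job is triggered. The parameter keys follow the thread's labels, the two sample parameter sets are constructed, and the checks are a hypothetical reviewer's list, not how GRC itself validates the settings.

```python
# Hypothetical pre-flight checks for the GRC LDAP connector parameters named in this
# thread. Key names follow the thread's labels; the sample values are constructed.
PATH_FIELD_LIMIT = 30   # length of the USER_PATH / GROUP_PATH fields, as reported in the thread

# Constructed example of the state several posters describe (nothing synced).
BROKEN_PARAMS = {
    "BASE_ENTRY": "",
    "USER_PATH": "OU=PEOPLE,OU=FAP,OU=LongDepartmentName,O=example",   # 48 characters
    "GROUP_PATH": "OU=GROUPS, OU=FAP, O=example",
    "LDAP_END_USER_AUTH_SUFFIX": "",
    "User:OC": "user",
    "Roles:OC": "group",
    "GROUPMEMBER": "member",
    "PAGE_SIZE": 0,
}

# Constructed example after applying the thread's advice.
FIXED_PARAMS = {
    "BASE_ENTRY": "OU=FAP,O=example",
    "USER_PATH": "",                        # blank: rely on the base entry instead
    "GROUP_PATH": "OU=GROUPS,OU=FAP,O=example",
    "LDAP_END_USER_AUTH_SUFFIX": "@example.corp",
    "User:OC": "*",
    "Roles:OC": "group",
    "GROUPMEMBER": "member",
    "PAGE_SIZE": 500,
}


def parse_dn(dn):
    """Split 'OU=GROUPS, OU=FAP, O=example' into [('OU', 'GROUPS'), ...].
    Raises ValueError for a component that is not 'attr=value'.
    Escaped commas inside values are not handled by this small parser."""
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn.strip()!r} in {dn!r}")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def is_valid_dn(dn):
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def check_connector_params(p):
    """Return a list of (parameter, problem) tuples; an empty list means no known pitfall."""
    findings = []

    base = p.get("BASE_ENTRY", "").strip()
    if not base:
        findings.append(("BASE_ENTRY", "empty: the sync job searches nothing and reports 0 records"))
    elif not is_valid_dn(base):
        findings.append(("BASE_ENTRY", f"malformed DN {base!r}"))

    for key in ("USER_PATH", "GROUP_PATH"):
        val = p.get(key, "").strip()
        if not val:
            continue   # optional: in the thread the base entry alone served request-time lookups
        if len(val) > PATH_FIELD_LIMIT:
            findings.append((key, f"{len(val)} characters exceeds the {PATH_FIELD_LIMIT}-character "
                                  "field; leave it blank and rely on BASE_ENTRY"))
        elif not is_valid_dn(val):
            findings.append((key, f"malformed DN {val!r}"))

    if not p.get("LDAP_END_USER_AUTH_SUFFIX", "").strip():
        findings.append(("LDAP_END_USER_AUTH_SUFFIX", "blank: set a value before testing the user search"))

    if p.get("User:OC", "").strip().lower() == "user":
        findings.append(("User:OC", "set to 'user'; the thread's advice is '*' so the user search matches"))

    if int(p.get("PAGE_SIZE") or 0) <= 0:
        findings.append(("PAGE_SIZE", "unset: a large directory cancels the sync with 'max records exceeded'"))

    return findings


if __name__ == "__main__":
    for label, params in (("broken", BROKEN_PARAMS), ("fixed", FIXED_PARAMS)):
        print(label)
        for key, problem in check_connector_params(params) or [("-", "no findings")]:
            print(f"  {key}: {problem}")
```

The DN parser is deliberately strict about `attr=value` components because a path typed with a missing `=` or a stray comma is exactly the kind of error that only shows up as "0 records" in the sync log; run the checks on the values as they are actually stored in the connector configuration, not on what the LDAP team sent in an e-mail.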

former_member184114
Active Contributor

Leon,

Can you please tell me how I can log on to LDAP from "LDAP" transaction?

I tried to click on the "Log On" button under the operations pane. Then I input the user name/password shared by the AD Admin team. But it says "Connection Error Occurred" as the error, and no further details of the error are provided.

Please suggest.

Regards,

Faisal

Former Member

Hello

Try to use the defined system user instead of typing the user.

Also, you should verify that the LDAP connector is active.

Regards,

Leon

former_member184114
Active Contributor

Leon,

Thanks for your reply.

I have now registered a system user. This user id and password was given to me by MS Active Directory Administrators.

However, I am getting an error called "Connection error occurred".

Any idea how to troubleshoot it?

Former Member

Is the connector active?

former_member184114
Active Contributor

Yes, it is

Former Member

You should verify that the user has permission to access AD.

Earlier Claudio shared this:

We made the following to correct this over the ldap user:

  • Read (read-only) access on the whole tree
  • The password never expires.
  • In the options of the user account, choose the option: Use DES encryption types for this account.
  • In the command line, enter the following command to register the Service Principal Name (SPN) for the J2EE engine host name and associate it with the AD service user created for this purpose:
  • setspn -A HTTP/<server grc> SRV_PORTAL_PRD
  • Check the configuration result with the following command-line entry for each registered SPN:

ldifde -r "(servicePrincipalName=HTTP/<server grc>)" -f out.ldf

The result should show an entry for the user created previously.

Hope it helps

regards,

former_member184114
Active Contributor

Leon,

Thanks for your reply.

Admin team has given me a user id and its password.

But as I told you earlier, when I try to log on to LDAP server using it in TXN code LDAP, it is causing error.

Can you please help me perform step-by-step process from here?

Regards,

Faisal

Former Member

1. Create a connector of type T

2. At TXN LDAP:

a) Define the system user (Domain\user)

b) Define the LDAP server, using the user ID from the previous step

c) Then, under LDAP Connectors, configure and activate the connector

d) In the main window, select the server and connector

e) Click the Log On button

f) Tick the "Use System User" checkbox

g) Click the Execute button

The status should be green.

- Try using the IP address instead of the hostname

- Specify the user in the format domain\user

Hope it helps

regards,

former_member184114
Active Contributor

Leon,

Thanks for your nice help.

I did as you suggested and when I tried to logon, I got the below error:

Can you please suggest how I can get into the details of the error?

Regards,

Faisal

Former Member

Hi

Try with transaction SE11 and review the error message (double-click on "Connection error occurred").

Regards

Leon

Former Member

Hi Leon,

Have you got the result after running the sync job for the LDAP connector? Or are you facing an error in running the sync job?

Regards,

Shaily

Former Member

Shaily

I have already run the sync job and I did not get any error, but I'm not sure that users are synced because I'm getting the message "No records found".

Thank you.

Leon

Former Member

Hi Leon,

The guide provided in the SAP Note:- will help in setting up LDAP as the data source.

As per the initial description of the issue, that user details are not getting fetched, I would recommend that you follow SAP Notes 1663546, 1698372, 1684059 and 1702714.

All parameters and corrections till now are briefly explained.

Regards,

Akhil Chopra