
LDAP Configuration

Former Member
0 Kudos

Hello Experts,

We are currently implementing AC 10.0 to integrate with LDAP to pull user information for access requests.

The problem we are running into is that the Active Directory user accounts do not align with the SAP ECC user accounts. There is not a 1-1 match between the user IDs, and therefore they are not using the SSO feature. How does this impact the LDAP integration? There are 2 options that have been requested by the organization.

1) In the Access Request Form, the organization would like to enter the Active Directory user name to pull the user information (manager for workflow approvals, first/last name, etc.). With this approach they have agreed to upload the ECC user name information to AD. This way, when they enter the AD user name, the SAP user name will be pulled directly, and that is where the access request will be provisioned. Is this possible to configure?

2) The unique identifier the organization uses to identify users is the SAM account name (employee ID) in AD. Instead of searching for the AD user name above, they would like to enter the employee user ID in the Access Request form; this would then pull the ECC user name from AD as well.

What is the level of effort that's associated with these options? And is this possible to configure? Is customizing required?

Thanks in advance!
Justin

Accepted Solutions (0)

Answers (1)

0 Kudos

Justin -

We had a similar situation at one of the implementations I did, where the AD user names were greater than 12 characters and hence posed challenges with SAP account creation. We resolved the issue through SSO, though I note that in your case that's not an option.

Here are my thoughts:

A new AD attribute (e.g. SAPUserName) can be defined to hold the ECC user name within Active Directory. For this to happen, a one-time ECC - AD user mapping exercise has to happen for the current user base, and a process has to be defined for new users who will get created in AD in the future.

We did this using an auto generation logic defined for this SAPUserName attribute in AD. In your LDAP connector mapping, use the SAPUserName field as your user name.

From an effort perspective, the attribute definition and mapping for existing users took ~3 weeks for 4500 users by the AD team. Add 1-2 days of GRC testing time to make sure all the data is pulled in as expected.
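
A check for the one-time ECC - AD mapping exercise described in the answer above, as an added example that is not part of the original thread or of any SAP or Microsoft tooling: it audits an export of the mapping for entries that would send an access request to the wrong SAP account or to none. The CSV layout, the sample rows, the function name and the upper-casing of SAP user names are assumptions; `SAPUserName` is the attribute name suggested in the answer.

```python
import csv
import io
from collections import defaultdict

SAP_USER_MAX_LEN = 12  # the 12-character limit mentioned in the answer

# Constructed sample export of AD accounts with the custom attribute.
SAMPLE_EXPORT = """sAMAccountName,SAPUserName
100234,JSMITH
100235,jsmith
100236,
100237,ALEXANDRA.WONG
100238,KPATEL
"""


def audit_mapping(csv_text):
    """Return mapping problems found in an AD -> SAP user name export."""
    missing = []               # AD accounts with no SAP user name maintained
    too_long = []              # AD accounts whose SAP user name exceeds the limit
    owners = defaultdict(list) # SAP user name -> AD accounts claiming it

    for row in csv.DictReader(io.StringIO(csv_text)):
        ad_id = row["sAMAccountName"].strip()
        # Assumption: SAP user names compare case-insensitively, so normalise.
        sap_user = (row.get("SAPUserName") or "").strip().upper()
        if not sap_user:
            missing.append(ad_id)
            continue
        if len(sap_user) > SAP_USER_MAX_LEN:
            too_long.append(ad_id)
        owners[sap_user].append(ad_id)

    # Two AD identities pointing at one SAP account means a request raised
    # for one person would be provisioned to an account shared with another.
    duplicates = {u: ids for u, ids in owners.items() if len(ids) > 1}
    return {"missing": missing, "too_long": too_long, "duplicates": duplicates}


if __name__ == "__main__":
    for problem, entries in audit_mapping(SAMPLE_EXPORT).items():
        print(problem, entries)
```

Running the same audit on a schedule covers the ongoing process for new AD users as well as the initial mapping.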

Former Member
0 Kudos

Hi Justin,

I am in the same boat. As you mentioned, if we create a new AD attribute and maintain the user's SAP user name in that attribute, how is this mapped SAP user information passed to ECC?

Other than creating the AD attribute and maintaining the SAP user name, is there any additional work involved on the SAP Portal side?

Could you please give the solution in a bit more detail? I appreciate your help.

Thanks

Krishna