ldap as source repository documentation

Former Member
0 Kudos

Hi, all

We have just finished installing the IDM 7.2 and are planning to use the LDAP as the source repository. The SAP and other non-SAP systems will be the destination for provisioning. It is a proof of concept exercise as we are planning to bring in HCM data as certain attributes later on.

As I am new to IDM, would you kindly point me to useful blogs/documentation on setting up MSAD as the source repository? I have spent the whole day searching in SDN and help.sap.com and did not come up with much info.

Thanks,

Jonathan.

Accepted Solutions (1)

Former Member
0 Kudos

Hi, Peter

Thank you again for your information. I only saw your update now but have just deleted the identity store and loaded the data again. This time I am still running into the same error above:

Any advice on what is wrong?

Thanks,

Jonathan.

Former Member
0 Kudos

Hi Jonathan

Yup - this issue occurs when the MX_ENTRYTYPE attribute gets confused.

Even if it's set in the job (and it should be) in the entrytype as MX_PERSON, you can get this error.

To resolve it, set a row in the job MX_ENTRYTYPE = MX_PERSON.

This should then resolve and you can remove the row you've just added.

Peter

Answers (7)

Former Member
0 Kudos

Hi, Peter

Thanks again for your help. I noticed that I cannot add the mx_entrytype into the mapping even if I do it manually. It will somehow not get saved. But even though I got the error above, all the records from the ldap were getting loaded. So I am good with it.

Thank you again for your help

Jonathan.

Former Member
0 Kudos

Never mind about my last update, the problem was fixed.

Now I have 2 other issues:

1) I noticed that some of the attributes were loaded wrongly into the MX_PERSON. Is there an easy way to "cleanup" the wrong attributes? Can I use delta tab to "update" the wrong field?

2) In the NW UI (idm) link, it looks like you can only set up one identity store. Is there a way to point to 2 different identity stores? I know you can configure the storeid in nwa, but it is very clumsy and users can only log on to one identity store at a time.

Thanks,

Jonathan.

Former Member
0 Kudos

Hi Jonathan

1) There are any number of ways.  If you set up delta at the start it can be used to update only specific attributes.  Otherwise, you can just rerun the task with the correct data and it'll update the data that needs changing.

2) No - the UI can only point to one IDStore.  You can have multiple UIs if you need them for some reason.

Peter

Former Member
0 Kudos

Hi, Peter

Really appreciate the tips. I will go through that document this afternoon.

When I am loading the data into MX_PERSON from the temporary table, I am getting the following error:

It looks like it is complaining about the MX_ENTRYTYPE. However, that attribute is not loaded from the destination template. Should I manually add it in? What value should I give if I do? Is there a way to query what are the existing entries in MX_PERSON and the value of the attribute using a sql tool?

Thanks,

Jonathan.

Former Member
0 Kudos

Hi, Peter

Thanks. So let's say I want to create a task so that I can assign a privilege to a user listed under the manage tab, where do you see the documentation on how to do it? A walkthrough, even high level, would be very helpful.

Regards

Jonathan.

Former Member
0 Kudos

All the IDM doco is here:  http://scn.sap.com/docs/DOC-8397

There's a 'Working with Roles and Privileges' one that may give you some pointers.

The easiest thing to do is import the SAP Provisioning Framework and have a look at how they've done it.  There are default jobs for most basic things in there (like assigning roles, editing users etc).

Peter

Former Member
0 Kudos

Hi, Matt/Peter

Thank you again for your input. I guess I am not very clear on my question. I am aware of the tutorial. But what I would like to find out is:

1) What is the best practice to use LDAP as the source? Do you load the data into a table in the identity store as said in the tutorial or directly into MX_PERSON itself. However, I don't see any template to load into MX_PERSON from LDAP

2) How do you list the users set up in MX_PERSON? I have not found any way to do this simple activity in IDM. The only doc I found is how to set up the netweaver link to assign privilege. But I was not able to even list the entries in MX_PERSON.

Thanks,

Jonathan.

Former Member
0 Kudos

Hi Jonathan

1) Use a temporary table.  There are a number of good reasons for doing this:

- It allows you to 'preprocess' the data (eg: convert userAccountControl to MX_DISABLED 1/0, MX_LOCKED 1/0 etc).

- It allows you to process deletes and trigger jobs based on users disappearing

- It allows the use of Deltas to ensure that you don't trigger off random jobs on users who haven't changed.

2) I'm not sure what you're trying to do here.  If it's search for a user, the UI is the only real place for it.  There's a reason that I have an SQL tool on my DEV box - you need to directly query the database if you want to get info out about users without using the UI.

Peter
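
The staging-table approach Peter describes (preprocess userAccountControl into MX_DISABLED/MX_LOCKED, then diff against the previous load so only changed or disappeared users trigger jobs), as an added stand-alone JavaScript example; this is not an IDM job script or SAP code, the column names other than MX_DISABLED/MX_LOCKED are chosen for illustration, and the AD records are constructed sample data.

```javascript
// Added example (not SAP IDM code): shape an AD extract into staging-table rows
// and compute a delta against the previous load.
const UF_ACCOUNTDISABLE = 0x0002; // documented userAccountControl flag
const UF_LOCKOUT = 0x0010;        // documented flag, but see note in toStagingRow

// Map one raw AD record to staging-table columns (column names chosen for illustration).
function toStagingRow(entry) {
  const uac = Number(entry.userAccountControl) || 0;
  // AD exposes lockout through a non-zero lockoutTime; the 0x10 bit is seldom
  // present on the stored attribute, so check both to be safe.
  const locked = (uac & UF_LOCKOUT) !== 0 || (Number(entry.lockoutTime) || 0) !== 0;
  return {
    MSKEYVALUE: String(entry.sAMAccountName).toLowerCase(),
    DISPLAYNAME: entry.displayName || "",
    MX_DISABLED: (uac & UF_ACCOUNTDISABLE) ? 1 : 0,
    MX_LOCKED: locked ? 1 : 0,
  };
}

// Compare a fresh load with the previous one; users that disappear are "deleted",
// so a downstream job can deprovision them instead of silently keeping them.
function computeDelta(previousRows, currentRows) {
  const prev = new Map(previousRows.map(r => [r.MSKEYVALUE, r]));
  const curr = new Map(currentRows.map(r => [r.MSKEYVALUE, r]));
  const delta = { added: [], changed: [], deleted: [] };
  for (const [key, row] of curr) {
    if (!prev.has(key)) delta.added.push(key);
    else if (JSON.stringify(prev.get(key)) !== JSON.stringify(row)) delta.changed.push(key);
  }
  for (const key of prev.keys()) if (!curr.has(key)) delta.deleted.push(key);
  return delta;
}

// Constructed sample data standing in for two successive AD extracts.
const PREVIOUS_LOAD = [
  { sAMAccountName: "jdoe",   displayName: "Jane Doe",     userAccountControl: 512, lockoutTime: 0 },
  { sAMAccountName: "bsmith", displayName: "Bob Smith",    userAccountControl: 512, lockoutTime: 0 },
  { sAMAccountName: "old1",   displayName: "Left Company", userAccountControl: 514, lockoutTime: 0 },
].map(toStagingRow);
const CURRENT_LOAD = [
  { sAMAccountName: "jdoe",    displayName: "Jane Doe",  userAccountControl: 514, lockoutTime: 0 }, // now disabled
  { sAMAccountName: "bsmith",  displayName: "Bob Smith", userAccountControl: 512, lockoutTime: 133000000000000000 }, // locked
  { sAMAccountName: "newhire", displayName: "New Hire",  userAccountControl: 512, lockoutTime: 0 },
].map(toStagingRow);

const DELTA = computeDelta(PREVIOUS_LOAD, CURRENT_LOAD);
console.log(JSON.stringify(DELTA)); // added: newhire; changed: jdoe, bsmith; deleted: old1
```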

Former Member
0 Kudos

Hi, Peter

Thank you for your advice. I will load the data into the MX_PERSON from the temp table I just populated with LDAP data.

For question 2, I am really struggling with the UI where the IDM UI designer is obviously from another planet. For example, everything in the manage tab is read only and the simple tasks in other software like assigning privilege to a user is really hard to do. I have followed the SCI261 workflow configuration demo and have certain success on configuring the self-service tab. But I have no luck on making the manage button changeable. Would you be able to point me to a wiki or blog that deals with user provisioning that is easily followable? It looks like all the provisioning has to go through "tasks" which are also very very hard to understand.

I guess earning more experience on IDM would definitely help.

Thanks,

Jonathan.

Former Member
0 Kudos

I'm not a huge fan of any of the demos - they usually offer a step-by-step guide but don't actually go into the depths of why, which is great if you want what they offer but doesn't help when things go wrong (which happens...).

Essentially - anything on the manage screen directly is read only.  In order to affect an object you must execute a 'task' on it.  Tasks are created and can be configured to operate on a specific object type.  When you select an object of the specific type and then 'choose task' it'll allow you to select from your configured tasks.  This assumes you satisfy the Access Control for the task.

The task will be opened in a new window/tab.

In general (unless an approval is configured) anything entered in the UI is written directly to the object.

I don't think there's anything better out there than the walkthroughs on the SAP doco page.  If anyone else knows of any perhaps they can post them.

Peter

former_member2987
Active Contributor
0 Kudos

Jonathan,

Remember that the default tasks are just a first step.  Feel free to rearrange the UI, create/remove tabs, fields, etc.  There is no UI that will be universally liked by all clients and users, so adapt it to your organization's style and culture.  There are not a lot of tools open to us at the moment, but you'll be surprised to see what you can do.

Supposedly many NetWeaver modules will get new HTML5 based interfaces soon.  Let's hope that IDM is among them.  In the meantime, you can also look into leveraging the REST APIs to create your own interfaces.

Cheers,

Matt

Former Member
0 Kudos

Hi Jonathan

The tutorial Matt mentioned is good.  One thing that often trips people up is using a java dispatcher rather than a windows dispatcher.  There are some features that do not work unless you use a Windows dispatcher to run the AD integration jobs.

I've found that the default templates in 7.2SP6 seem to work well out of the box if you get your configuration options correct.

Peter

former_member2987
Active Contributor
0 Kudos

Jonathan,

Take a look at the AD tutorial for NW IDM. (http://scn.sap.com/docs/DOC-4370) That should show you how to work with AD in IDM.

Regards.

Matt