Users not coming in Search from LDAP in GRC AC 10.0

Former Member
0 Kudos

Hi All

I have integrated the LDAP with my GRC box and made it the main data source for search, details and authentication. But when I try to create a new user request, I am not able to find any users in the search.

Please help me for the same.

Regards

Pradeep

Accepted Solutions (1)

jtippini
Explorer
0 Kudos

Hello Pradeep,

I see the question was posted long back.

Did you try to update AC parameter 2050 to 'YES'? Please check.

Cheers

Former Member
0 Kudos

Hi Jagadish

I have resolved this issue long back. It was a base entry issue after putting the correct base entry all the users.

Regards

Pradeep

santosh_krishnan2
Participant
0 Kudos

Hi everyone,

Having read this thread, I have a unique problem that's closely related to what you have discussed.  As noted, I have checked my config, the corresponding notes and my base entry.  When I go to transaction LDAP and login to the LDAP server, it binds successfully.  Then when I click on the find button, and go through the steps as noted on SAP note 1757906 - GRC 10.0 - LDAP user search does not work in NWBC, I find that the base entry returns results.

However when I synchronize from within GRC AC, I get successes, but 0 users returned.  Here are two screenshots to illustrate.

Below is the screen when you go into transaction LDAP, bind to the LDAP server and then click on the Find button.  I changed the filter to restrict object class to user, and to put S* as the wildcard, as it times out if I run it for Objectclass=*.  Anyway, this screen below returns a bunch of results.

Here is the screen from within GRC AC, where I run the repository object sync.  As you can see, it grabs roles but users are 0.

I'm not sure why this screen would show 0 users, while within tcode LDAP, I'm able to pull users IDs when I use the Find button.

Thanks for your help.

Santosh

Former Member
0 Kudos

Santosh

I have your exact same scenario. Were you able to get it working?

Regards

Maria

santosh_krishnan2
Participant
0 Kudos

Hi Maria,

I solved the problem after getting some help from SAP.  Basically, there is a small issue in how GRC is configured so that if the user path is too long, it will not work.

So let me explain.  In the screenshot I had included above, notice the base entry.  That's too long for GRC.  When you copy and paste this base entry into the USER PATH in the GRC config, it will truncate.  That's one part of the problem.

SAP provides USER PATH, USER PATH1 and USER PATH2 instead of simply accommodating a longer user path.  So you need to split your base entry across these USER PATH entries.  I don't have screenshots or else I'd illustrate.

NOTE however there is still a problem.  When you split your base entry across user paths, you must put a trailing comma for USER PATH, and in case you have a USER PATH2, then a trailing comma for USER PATH1.  If you don't, then LDAP won't work and there will be no error or indication of what the issue is.


We found this solution because SAP ran a debug and I had to work with the developer to debug the whole process.

This should sort out our issue.  Let me know.


Santosh
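Added example, not part of the post above and not SAP code: a Python sketch of the split Santosh describes, packing a long base entry into USER PATH, USER PATH1 and USER PATH2 at RDN boundaries and checking the trailing commas. It assumes the three values are joined in that order with nothing inserted between them; `FIELD_LIMIT`, the function names and the sample DN are hypothetical, since the thread does not give the real field length.

```python
import re

FIELDS = ("USER PATH", "USER PATH1", "USER PATH2")
FIELD_LIMIT = 30  # hypothetical: the thread does not state the real field length
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")  # RDN separator, skips "\," in values


def split_base_entry(dn, limit=FIELD_LIMIT):
    """Pack whole RDNs into up to three fields, keeping the joining commas."""
    rdns = [r.strip() for r in _UNESCAPED_COMMA.split(dn) if r.strip()]
    parts, current = [], ""
    for i, rdn in enumerate(rdns):
        # Every RDN except the last keeps its separator, so a field that is
        # followed by another field always ends with a trailing comma.
        piece = rdn + ("," if i < len(rdns) - 1 else "")
        if len(piece) > limit:
            raise ValueError(f"RDN longer than one field: {rdn}")
        if len(current) + len(piece) > limit:
            parts.append(current)
            current = piece
        else:
            current += piece
    parts.append(current)
    if len(parts) > len(FIELDS):
        raise ValueError("base entry does not fit in three fields")
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))


def check_fields(values):
    """Report fields that are followed by another field but lack the comma."""
    entered = [values.get(name, "") for name in FIELDS]
    problems = []
    for i, value in enumerate(entered):
        followed = any(entered[i + 1:])
        if value and followed and not value.endswith(","):
            problems.append(f"{FIELDS[i]} is missing its trailing comma")
    return problems


# Constructed sample base entry, not taken from the thread.
SAMPLE_DN = "OU=Employees,OU=Accounts,OU=North America,DC=corp,DC=example,DC=com"

if __name__ == "__main__":
    fields = split_base_entry(SAMPLE_DN)
    for name in FIELDS:
        print(f"{name:11} {fields[name]!r}")
    print(check_fields(fields) or "trailing commas OK")
```

Running `check_fields` over the values as typed into the configuration catches the silent failure described above before a sync job is started.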

former_member193066
Active Contributor
0 Kudos

The issue is not necessarily always the base entry.

It might be an authorization issue of the LDAP service user.

You can check with the free LDAP browsers available whether you can read.

There are some issues as well, which you can test: whether you can sync incrementally and whether users are populating or not.

Regards,

Prasant

Former Member
0 Kudos

Santosh,

Tried it but it didn't work. Used all 3 User Paths with a comma at the end (i.e. DC=CORP,) but had no luck with the synch.

I guess I'll keep trying.

Thanks!

santosh_krishnan2
Participant
0 Kudos

Maria,

Are you sure it's actually not working?  In other words, you don't have to have the synchronization job return results in order for it to work.

Basically, when you run the background sync job, it won't download all the users to the local database, though you can set it up to do that.

Instead, if you set up the configuration settings to look up LDAP for each request, then the server load will go up, but you will get results.

Do this - open up your access requests form, and then search for a user (e.g. M*) and see if it returns results.

Be sure, of course, to set your data sources config to use LDAP as the data source.  Remember that if you're using LDAP as the data source, and you have the setting to search LDAP in real time, then the other data sources won't be considered.

In my case, after the config., etc., the sync job would return 0 results, but when I searched for users in the access request form, it would work perfectly.

Good luck.

Santosh

Former Member
0 Kudos

Santosh

Did you add the ou=employees in the USER PATH?

Regards

Maria

santosh_krishnan2
Participant
0 Kudos

Hi Maria,

Not in the USER PATH.  OU=EMPLOYEES was set in the BASE ENTRY by our BASIS guy, and having it there did not have a negative influence on the data retrieved within GRC.  When I added OU=EMPLOYEES in the USER PATH, then the returned data was restricted to employees, and removing it in the USER PATH but leaving it in the BASE ENTRY allowed GRC to retrieve all users in LDAP.

Don't do a search for ALL users within GRC, it'll take forever.  Enter some wildcard search parameter to limit the search results so that you can get data back.

Santosh

Former Member
0 Kudos

Hi Santosh

Thank you for getting back to me so quickly

The search, you mean restrict it in the object class or where exactly? Also in the LDAP tcode (but it would be in the Find section I guess) or in the Assign Attributes to Connector?

Could it be possible to get a screenshot where you have it filtered? Hiding the actual data of course.

Regards

Maria!

santosh_krishnan2
Participant
0 Kudos

Hi Maria,

Sorry, I don't have access to my system this week for screenshots.  By search, I mean within your access request page, or anywhere else in NWBC where you might go to search for a user.  If your LDAP config is working, then within NWBC, in any field that is meant to search for a user ID, name, etc., it will return a result.  If it's not working, it'll give you an error pretty immediately.

So what I'm saying is, in case it is working, and the user data set is really big, then if you search for all users, the search will time out and you might think that it's not working.

So, instead, use a wild card like M* or whatever you think is appropriate, so as to limit the search.  If this returns results that are from LDAP, then your LDAP config is working.

Santosh

former_member193066
Active Contributor
0 Kudos

Hello Maria,

Do not maintain user path unless your base entry is very long.

Just maintain base entry.

To test, there is a function module; here is the note that will help you:

1978357

Regards,

Prasant

Former Member
0 Kudos

Prashant

I removed the USER PATH entries and executed the tests indicated in the notes. Both tests were successful, but my sync job is still not working and the user search in the Access Request is not showing either.

At this point I don't even know what else I could check.

Thank you so much for the tests!

Regards, Maria

santosh_krishnan2
Participant
0 Kudos

Hi Maria,

I think, without some additional information, such as screenshots, it's going to be difficult to debug.

Please confirm:

  • You've copied the mapping in LDAPMAP
  • The mapping copied is for USER
  • You've already followed all the steps in the GRC LDAP setup guide
  • You've configured your user data sources to use LDAP as the data source
  • You've brought the connector properly into GRC and have associated it with the profiles AUTH and PROV, at least.

If you've done all this and the sync job isn't giving you an error, then likely this is almost working, and I'll have to see the screenshots for the results of the sync as well as the configuration steps.  You can blank out the specific information and can PM me if you wish.

Thanks,
Santosh

Former Member
0 Kudos

Hi Maria

Please check if you have the right LDAP admin userid and password mentioned in the transaction LDAP in GRC box.

Sometimes if this userid is not mentioned properly with the right password, GRC could not find any users.

I faced this issue once and found that it was due to the password of the LDAP server admin userid which was mentioned incorrectly in the binding.

Hope this helps.

Regards

Pradeep

former_member193066
Active Contributor
0 Kudos

Hello,

Please open a new thread and paste the details of your LDAP tcode and mapping of connector, RSLDAPUSER sync job and repository object sync job.

Regards,

Prasant

Former Member
0 Kudos

Hello everyone that's trying to help me

I've created a thread with all the screenshots. Let me know if I missed something so I can upload it.

LDAP Search in Access Request shows no results

Regards

Maria

Answers (2)

saksham
Advisor
0 Kudos

Hi Pradeep,

Kindly also refer to the below list of SAP notes:

1757906 - GRC 10.0 - LDAP user search does not work in NWBC

1745370 - LDAP search in GRC does not work anonymously

1718242 - UAM: User search not working in Access Request

Hope it helps!

Best Regards,

Saksham Minocha

Former Member
0 Kudos

Hi Saksham

I checked all the 3 notes. Following are my comments for the same.

1757906 - GRC 10.0 - LDAP user search does not work in NWBC - Is it mandatory to maintain Base entry? In my case it is empty both for step 3 & 7. Even in the SAP document it was maintained empty.

1745370 - LDAP search in GRC does not work anonymously - Is marking the 'Read Anonymously' option mandatory? I did that earlier and it didn't work.

1718242 - UAM: User search not working in Access Request - This note does not have correction instructions, so unable to implement this note.

Regards

Pradeep

Colleen
Advisor
0 Kudos

Hi Pradeep

Have you maintained your field mappings for the LDAP connection with the GRC AC fields?

Maintain Mapping for Actions and Connector Groups

You will need action 3 and 4 set up for your LDAP connector. For action 4 (provisioning) you will need to "Assign group field mapping" and set "Assign group parameter mapping"

You may also need to set parameter 2052 - Use LDAP domain forest, depending on your AD.

suman_puthadi
Explorer
0 Kudos

Hi Colleen Lee,

Kindly refer to the notes for the LDAP user issue.

1623100   User Search does not work when LDAP is set as Data Source

1598336   User Search does not return any result

1584110   GRC Access Controls 10 - How to configure LDAP connectors

Best Regards

Suman Puthadi