on 03-27-2013 6:23 PM
Hi All
I have integrated the LDAP with my GRC box and made it the main data source for search, details and authentication. But when I try to create a new user request, I am not able to find any users in the search.
Please help me for the same.
Regards
Pradeep
Hello Pradeep,
I see the question was posted long back.
Did you try to update AC parameter 2050 to 'YES'? Please check.
Cheers
Hi everyone,
Having read this thread, I have a unique problem that's closely related to what you have discussed. As noted, I have checked my config, the corresponding notes and my base entry. When I go to transaction LDAP and login to the LDAP server, it binds successfully. Then when I click on the find button, and go through the steps as noted on SAP note 1757906 - GRC 10.0 - LDAP user search does not work in NWBC, I find that the base entry returns results.
However when I synchronize from within GRC AC, I get successes, but 0 users returned. Here are two screenshots to illustrate.
Below is the screen when you go into transaction LDAP, bind to the LDAP server and then click on the Find button. I changed the filter to restrict object class to user, and to put S* as the wildcard, as it times out if I run it for Objectclass=*. Anyway, this screen below returns a bunch of results.
Here is the screen from within GRC AC, where I run the repository object sync. As you can see, it grabs roles but users are 0.
I'm not sure why this screen would show 0 users, while within tcode LDAP, I'm able to pull user IDs when I use the Find button.
Thanks for your help.
Santosh
Hi Maria,
I solved the problem after getting some help from SAP. Basically, there is a small issue in how GRC is configured so that if the user path is too long, it will not work.
So let me explain. In the screenshot I had included above, notice the base entry. That's too long for GRC. When you copy and paste this base entry into the USER PATH in the GRC config, it will truncate. That's one part of the problem.
SAP provides USER PATH, USER PATH1 and USER PATH2 instead of simply accommodating a longer user path. So you need to split your base entry across these USER PATH entries. I don't have screenshots or else I'd illustrate.
NOTE however there is still a problem. When you split your base entry across user paths, you must put a trailing comma for USER PATH, and in case you have a USER PATH2, then a trailing comma for USER PATH1. If you don't, then LDAP won't work and there will be no error or indication of what the issue is.
We found this solution because SAP ran a debug and I had to work with the developer to debug the whole process.
This should sort out our issue. Let me know.
Santosh
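Added example (not part of the original thread and not SAP code): a Python helper that splits a base entry at RDN boundaries across USER PATH, USER PATH1 and USER PATH2 with the trailing commas described above, and checks existing values for a missing comma. The field length limit (`max_len`), the plain in-order concatenation of the three fields, and the sample DN are assumptions.

```python
FIELDS = ("USER PATH", "USER PATH1", "USER PATH2")  # field names from the thread

def split_rdns(dn):
    """Split a DN at unescaped commas (RFC 4514 escapes a comma as '\\,')."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def split_user_path(dn, max_len):
    """Pack whole RDNs into at most three fields; max_len is an assumed limit."""
    rdns = split_rdns(dn)
    segments, cur = [], ""
    for i, rdn in enumerate(rdns):
        # Every RDN except the last carries its comma, so each non-final
        # field ends with the trailing comma the thread says is required.
        piece = rdn + ("," if i < len(rdns) - 1 else "")
        if len(piece) > max_len:
            raise ValueError(f"RDN {rdn!r} does not fit in one field")
        if len(cur) + len(piece) > max_len:
            segments.append(cur)
            cur = ""
        cur += piece
    segments.append(cur)
    if len(segments) > len(FIELDS):
        raise ValueError("base entry needs more than three fields")
    return dict(zip(FIELDS, segments))

def check_user_path(values, expected_dn):
    """Return a list of problems found in already-configured field values."""
    used = [(f, values[f]) for f in FIELDS if values.get(f)]
    problems = [f"{name} is missing its trailing comma"
                for name, val in used[:-1] if not val.endswith(",")]
    if "".join(val for _, val in used) != expected_dn:
        problems.append("fields do not concatenate back to the base entry")
    return problems

# Constructed sample base entry, not taken from the thread.
SAMPLE_DN = "OU=Employees,OU=Corporate Accounts,OU=North America,DC=corp,DC=example,DC=com"
```

Running `check_user_path` against the values actually entered in the GRC config gives the error message that, per the post above, GRC itself does not.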
Maria,
Are you sure it's actually not working? In other words, you don't have to have the synchronization job return results in order for it to work.
Basically, when you run the background sync job, it won't download all the users to the local database, though you can set it up to do that.
Instead, if you set up the configuration settings to look up LDAP for each request, then the server load will go up, but you will get results.
Do this - open up your access requests form, and then search for a user (e.g. M*) and see if it returns results.
Be sure, of course, to set your data sources config to use LDAP as the data source. Remember that if you're using LDAP as the data source, and you have the setting to search LDAP in real time, then the other data sources won't be considered.
In my case, after the config., etc., the sync job would return 0 results, but when I searched for users in the access request form, it would work perfectly.
Good luck.
Santosh
Hi Maria,
Not in the USER PATH. OU=EMPLOYEES was set in the BASE ENTRY by our BASIS guy, and having it there did not have a negative influence on the data retrieved within GRC. When I added OU=EMPLOYEES in the USER PATH, then the returned data was restricted to employees, and removing it in the USER PATH but leaving it in the BASE ENTRY allowed GRC to retrieve all users in LDAP.
Don't do a search for ALL users within GRC, it'll take forever. Enter some wildcard search parameter to limit the search results so that you can get data back.
Santosh
Hi Santosh
Thank you for getting back to me so quickly
The search, you mean restrict it in the object class or where exactly? Also in the LDAP tcode (but it would be in the Find section I guess) or in the Assign Attributes to Connector?
Could it be possible to get a screenshot where you have it filtered? Hiding the actual data of course.
Regards
Maria!
Hi Maria,
Sorry, I don't have access to my system this week for screenshots. By search, I mean within your access request page, or anywhere else in NWBC where you might go to search for a user. If your LDAP config is working, then within NWBC, in any field that is meant to search for a user ID, name, etc., it will return a result. If it's not working, it'll give you an error pretty immediately.
So what I'm saying is, in case it is working, and the user data set is really big, then if you search for all users, the search will time out and you might think that it's not working.
So, instead, use a wild card like M* or whatever you think is appropriate, so as to limit the search. If this returns results that are from LDAP, then your LDAP config is working.
Santosh
Prashant
I removed the USER PATH entries and executed the tests indicated in the notes. Both tests were successful, but my sync job is still not working and the user search in the Access Request is not showing either.
At this point I don't even know what else I could check.
Thank you so much for the tests!
Regards, Maria
Hi Maria,
I think, without some additional information, such as screenshots, it's going to be difficult to debug.
Please confirm:
If you've done all this and the sync job isn't giving you an error, then likely this is almost working, and I'll have to see the screenshots for the results of the sync as well as the configuration steps. You can blank out the specific information and can PM me if you wish.
Thanks,
Santosh
Hi Maria
Please check if you have the right LDAP admin userid and password mentioned in the transaction LDAP in the GRC box.
Sometimes, if this userid is not mentioned properly with the right password, GRC could not find any users.
I faced this issue once and found that it was due to the password of the LDAP server admin userid which was mentioned incorrectly in the binding.
Hope this helps.
Regards
Pradeep
Hello everyone that's trying to help me
I've created a thread with all the screenshots. Let me know if I missed something so I can upload it.
LDAP Search in Access Request shows no results
Regards
Maria
Hi Saksham
I checked all the 3 notes. Following are my comments for the same.
1757906 - GRC 10.0 - LDAP user search does not work in NWBC: Is it mandatory to maintain Base entry? In my case it is empty both for step 3 & 7. Even in the SAP document it was maintained empty.
1745370 - LDAP search in GRC does not work anonymously: Is marking the 'Read Anonymously' option mandatory? I did that earlier and it didn't work.
1718242 - UAM: User search not working in Access Request: This note does not have correction instructions, so I am unable to implement this note.
Regards
Pradeep
Hi Pradeep
Have you maintained your field mappings for the LDAP connection with the GRC AC fields?
Maintain Mapping for Actions and Connector Groups
You will need action 3 and 4 set up for your LDAP connector. For action 4 (provisioning) you will need to "Assign group field mapping" and set "Assign group parameter mapping"
You may also need to set parameter 2052 - Use LDAP domain forest depending on your AD