Base entry

Former Member · ‎03-02-2007

Hi,

Does anyone know how to synchronize the users in active directory, which belong to admin group to SAP R/3 where the users are in different "ou". When I try to synchronize, I can only filter by "ou" using the base entry.

Can I filter by anything other than "ou"?

Thanks

Andre_Fischer · ‎03-04-2007

Hi Brian,

I am not sure whether I got your question correctly. You will find all users in the Active Directory if you use the root entry of the DIT (Directory Information Tree) as your root entry. You can use a simple Visual Basic script that I just posted.

How to get the 'Base entry' for an LDAP connector from Active Directory?

What do you mean by "I can only filter by "ou" using the base entry" ?

Best regards,

André

ceterum censeo RAP esse utendam

Andre_Fischer · ‎03-04-2007

Hi Brian,

the filtering is actually done by the attribute that is defined as the filter attribute in transaction LDAP.

If you choose an appropriate attribute you can assign values to this attribute only to a certain group of users.

As a result you may use the root entry as the base entry because the LDAP search will only synchronize those users having set the attribute that is defined in your LDAP mapping.

Best regards,

Andre

ceterum censeo RAP esse utendam

Former Member · ‎05-07-2009

Hello Andre,

I was wondering if you could elaborate on this answer and perhaps give an example of how the specify the filtering based on an AD attribute (I assume this is done in transaction LDAPMAP).

"the filtering is actually done by the attribute that is defined as the filter attribute in transaction LDAP.

If you choose an appropriate attribute you can assign values to this attribute only to a certain group of users.

As a result you may use the root entry as the base entry because the LDAP search will only synchronize those users having set the attribute that is defined in your LDAP mapping."

Thanks a lot

Carlos

Andre_Fischer · ‎05-08-2009

Hi Carlos,

please see "Figure 6 - Mapping of SAP data fields to directory attributes" in my whitepaper I[ Integration of SAP central user administration with Microsoft Active Directory|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/8302a929-0501-0010-05b5-d48f544bc572].

Best regards,

André

ceterum censeo RAP esse utendam

Former Member · ‎05-08-2009

Thanks, Andre. I'll check it out.

Carlos

former_member332274 · ‎03-06-2007

Thanks Andre,

We have used your advice and configured for testing. We've managed to sync the users and using one of the fields in the active directory to sync the SAP roles.

The only item is that in the program RSLDAPSYNC_USER where selection of users to be synchronized, we are now trying to filter this by the organization unit (ou).

Wondering if you have come across the filtering within RSLDAPSYNC_USER that enables us to configure in active directory by group members and sync this group of users.

Thanks for the advice. Rgds, Brian

Andre_Fischer · ‎03-08-2007

Hi Brian,

you could write a visual basic script that selects members of a specific group and that sets a users attribute (for example sapUsername or extenstionattribute1).

You could use the following script as a starting point that I have posted as a Wiki.

Best regards,

André

ceterum censeo RAP esse utendam

Andre_Fischer · ‎03-09-2007

I have updated the script.

Best regards,

Andre

ceterum censeo RAP esse utendam