GRC 10 LDAP query issue at the root node

GBP

Hello,

We are unable to do a search based on the root node after a successful LDAP integration, but if we add a particular OU within the base entry then we are able to search the users for that specific OU. Specifying a specific OU is not the right solution as we have different OUs for North America, Europe, Latin America etc. regions. We need to specify the root node so that it will search for all the users in the different regions. We are getting the below "Operation failed" error when we don't specify an OU in the base entry.

Operation failed

Message no. LDAPRC001

Diagnosis

This is an error message that is triggered by the directory server.

It is not possible to analyze the error in the SAP system.


Procedure

Check the log files for the directory server (if they exist), to see if they contain more information.

Please let us know if you guys have faced this situation and what was the resolution.

Thanks,

Gautam.

Accepted Solutions (1)

Former Member

Hi Gautam,

I am in the same situation as you. Did you find any solution for the issue? Please share.

Regards,

Prasad

GBP

Hi Vallamsetty,

So far we haven't found the solution, but most likely we should know something by the end of this month, and once I have an update I'll let you know.

Thanks,

Gautam.

Former Member

Hi Gautam,

I got it working by changing the port to 3268. What port are you using?

Regards,

Prasad

GBP

Hi Prasad,

We were using port 389; we changed it to 3268 and it is now searching users at the root node.

Thanks for the reply.

Thanks,

Gautam

GBP

Hi Prasad,

Are you able to provision Active Directory groups through GRC 10?

To do a user search from the root node we need port 3268, but to assign the AD groups we have to use port 389, as 3268 doesn't do provisioning or de-provisioning. Again, within port 389 we are able to provision/de-provision AD groups provided the AD users and AD groups exist in the same OU. If the user exists in one OU and the AD group is in a different OU, this scenario doesn't work for us and we get the below error.

Please let me know if you were able to provision/de-provision AD groups where users and groups exist in different OUs.

Thanks,

Gautam.

Former Member

Hi Gautam,

I don't have the requirement to provision AD groups.

Regards,

Prasad

Former Member

Hi, Gautam!

Could you please share some documents or links with a description of provisioning AD groups through GRC 10?

I'm trying to find some, but nothing so far.

Best regards,

Elvira Huzina

GBP

Hi Elvira,

We are still not able to provision the AD groups through GRC 10. We had calls with SAP and our AD team, but it looks like the issue is something tied to the Windows AD configuration, where we have referrals, and as per SAP, GRC 10 doesn't support referrals. SAP did show us a demo with their internal GRC 10 system where they were able to provision AD group/s. We are trying to provision AD groups through our portal/UME but are still trying to figure that out.

Thanks,

Gautam.

Former Member

Thank you, Gautam!!

Could you please point out who from SAP showed this demo?

That would help a lot; I would contact this person and ask for information.

We need to evaluate GRC AC for our landscape.

Are there any documents about this integration?

Best regards,

Elvira Huzina

Former Member

and

Do you mean assigning users to AD security groups by means of GRC AC? Or to AD distribution groups?

Best regards,

Elvira Huzina

GBP

I don't remember the person from SAP who gave us the demo, as it was done last year, but it was scheduled by our SAP liaison. All companies who have implemented SAP should have an SAP contact person. There is a lot of documentation online on LDAP integration with GRC 10. There is one SAP standard note/document (1584110) on the set-up as well.

vinod_kumar70

Gautam,

Did you fix the AD provisioning issue? If so, can you share the details?

Thanks

Vinod

GBP

Hi Vinod,

We are unable to do the AD group provisioning/de-provisioning, but what we found is that if the ID and the AD group exist in the same OU then we are able to do it at OU level. The best practice is to do it at root level without having any dependency on the ID/group existing in the same OU. So after doing further research and talking to different team members, including SAP and Microsoft, it looks like we have referrals in Windows AD and that is stopping us. So in a nutshell everything depends on how your AD is configured, and in our case it is not possible to change any configuration in AD. We haven't done anything yet, but we are looking to do provisioning through UME.

I hope this helps.

Thanks,

Gautam.

vinod_kumar70

Thanks Gautam. We had to use 2 different ports for provisioning/de-provisioning (368) and sync/reads (3268); however, we could not use both functions since we could use only one connector and one port. Were you able to overcome this issue?

Vinod

Former Member

Thanks! It works for me using port 3268 (at first, I had filled in no port number).

Answers (6)

Former Member

Hi All,

We are facing the same issue.

Any possible work around except using UME?

Regards,

Patrick


Former Member

Hello!

Facing the same issue here. Not able to provision AD groups to users through GRC 10.1 SP 11.

So did it finally work for you guys?

Can you please let me know the steps undertaken?

I did use port 368, but it is still showing me:

LDAP server cannot execute operation

Message No. LDAPRC053

Thanks !

Akshat

Former Member

Akshat,

This might sound obvious, but are you certain that your LDAP directory allows you write privileges? We cannot provision AD groups because Access Control is allowed just read only privileges to the LDAP.

Gretchen

GBP

Hi Akshat,

Please see my detailed response to Vinod Kumar on 08/10/2015. In a nutshell, we were able to use port 3268 to get data populated in ARQ from AD. Since 3268 is a global read port, we were not able to do the AD group provisioning. The only scenario where we were able to do AD group provisioning was using port 389, but the ID and group have to exist in the same OU, which is not the case for our AD architecture. The issue for us was tied to referrals in AD, which has a global impact for us. So instead of doing provisioning to AD from GRC, what we ended up doing was provisioning the AD group from GRC to the Portal.

I hope this helps.

Thanks,

Gautam.


Former Member

Hi Gautam,

As mentioned in SAP Note 511141, the error you're facing means:

LDAPRC 001 (Operation is aborted):

"This message indicates that the directory could not process the request for internal reasons, but cannot send a more detailed error message. This error message does not mean that the SAP System sent incorrect data."

In other words, LDAPRC001 means that the error message was provided by the directory side, but not a specific error message that could be interpreted by SAP. In this case you have to look at your directory services.

Then, in order to find more information, you should contact the vendor of your directory server, as they can better assist.

Additionally, please review note 934177, which contains some useful information relating to your issue.

Best Regards,

Nandita

Former Member

Gautam,

We got that error message at one point. I think we had several things wrong in our configuration; we have an LDAP forest of 3 LDAPs plus another LDAP that is not part of the forest. It took us a bit of trial and error, but we finally have all 4 of them retrieving user details.

Be sure you have the host name right, the port right, and that all the connector groups are listed under:

SPRO > GRC > Access Control > Maintain Mappings for Actions and Connector Groups

Gretchen

GBP

We just have one LDAP server/connector set-up, and it is working fine if we specify an OU within the base entry along with the domain, but it doesn't work if we remove the OU and leave the base entry with the root node/domain. I have checked with our Basis team and we have only one forest; going to check with our AD team on the same. Since specifying the OU in the base entry is pulling results from Active Directory within the LDAP t-code in the GRC 10 system, I believe everything is fine from the LDAP configuration standpoint, and the SPRO configuration in the GRC 10 system will only come into scope when we try to retrieve/populate those fields in the ARQ/CUP configuration in NWBC.

Below is the structure of our AD. If we leave the base entry with the root node/domain (DC=NR,DC=AD,DC=NEWELLCO,DC=COM) then it doesn't work and gives the "Operation failed" error message, but if we add an OU (OU=EMEA,DC=NR,DC=AD,DC=NEWELLCO,DC=COM) along with the root node then it does provide us with the result.

I'm going to follow up with the AD team but let me know if anyone got any ideas to resolve the above error.

Thanks,

Gautam.
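To make the root-node versus OU behaviour discussed in this thread concrete (the base entry DNs posted above and the 3268 versus 389 port question raised earlier), here is an added example, not code from the thread or from SAP: a toy directory laid out like the posted DNs, a small RFC 4514-style DN parser, and a subtree search that shows why a base entry of OU=EMEA can never return a user that lives under OU=NA. The entry names and the NA OU are constructed assumptions.

```python
"""Why a base entry scoped to one OU misses users in sibling OUs.

Added example (not from the thread): a constructed directory modelled on the
posted DN layout, plus subtree-scope matching done by DN suffix comparison,
which is what an LDAP server does for scope=subtree."""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, honouring backslash escapes
    such as 'CN=Doe\\, John'. Attribute names and values are lower-cased
    because AD matches DNs case-insensitively."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur += ch
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    out = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        out.append((attr.strip().lower(), val.strip().lower()))
    return out


def is_under(entry_dn: str, base_dn: str) -> bool:
    """Subtree scope: the entry is in scope iff base_dn's RDNs are a suffix
    of the entry's RDNs (the base entry itself counts as in scope)."""
    e, b = parse_dn(entry_dn), parse_dn(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b


# Constructed directory (DN layout modelled on the thread; names invented).
DIRECTORY = {
    "CN=alice,OU=Users,OU=EMEA,DC=NR,DC=AD,DC=NEWELLCO,DC=COM": "alice",
    "CN=bob,OU=Users,OU=NA,DC=NR,DC=AD,DC=NEWELLCO,DC=COM": "bob",
    "CN=GRC-Approvers,OU=Groups,OU=NA,DC=NR,DC=AD,DC=NEWELLCO,DC=COM": "GRC-Approvers",
}


def search(base_dn: str, sam_account_name: str) -> list[str]:
    """Return the DNs whose sAMAccountName matches, restricted to the subtree
    below base_dn, mirroring the connector's base-entry behaviour."""
    return [dn for dn, sam in DIRECTORY.items()
            if is_under(dn, base_dn) and sam.lower() == sam_account_name.lower()]
```

Running `search("OU=EMEA,DC=NR,DC=AD,DC=NEWELLCO,DC=COM", "bob")` returns nothing while the same lookup from the domain root finds bob, which is exactly the symptom Gautam describes; the port choice (3268 global catalog read versus 389 writable domain controller) is a separate constraint that this scope check does not model.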

Former Member

Did you ever find a resolution to this? I am faced with the same situation.

Former Member

Could you check first in the LDAP t-code itself and see if you are able to search users?

In the LDAP t-code connector tab you will find a button "Find" to do that.

Regards,

Amit

Former Member

Did you try to add multiple LDAPs, one per region by individual OU, in here and put them in a sequence?

SPRO -> IMG -> GRC -> AC -> Maintain Data Sources Configuration

Gp.

GBP

Nope, no solution so far. Opened a message with SAP and they told us nothing is wrong from the SAP side and we need to contact the vendor on the AD side for the resolution. If we get it resolved then I will update the message.

GBP

We created another entry for the LDAP server and LDAP connectors with a different OU specified in the base entry for the LDAP server configuration, which works fine, but I don't think that is the right way to do it, as it will add up multiple entries for LDAP servers and LDAP connectors.

GBP

I'm able to find, using the LDAP t-code, the users that reside in the OU which has been specified in the base entry, but if I try to find a user that resides in a different OU then it doesn't give any result.

former_member193066

Well, you need to specify multiple base entries; the network team can provide them, separated with ";". It was a long time ago, but it worked for me. Hope it helps you.