on 06-18-2013 4:14 PM
Hello,
We are unable to do a search based on the root node after a successful LDAP integration, but if we add a particular OU within the base entry then we are able to search the users for that specific OU. Specifying a specific OU is not the right solution as we have different OUs for the North America, Europe, Latin America etc. regions. We need to specify the root node so that it will search for all the users in the different regions. We are getting the below "operation failed" error when we don't specify an OU in the base entry.
Message no. LDAPRC001
This is an error message that is triggered by the directory server.
It is not possible to analyze the error in the SAP system.
Check the log files for the directory server (if they exist) to see if they contain more information.
Please let us know if you guys have faced this situation and what was the resolution.
Thanks,
Gautam.
Hi Gautam,
I am in the same situation as you. Did you find any solution for the issue? Please share.
Regards,
Prasad
Hi Prasad,
Are you able to provision Active Directory groups through GRC 10?
To do a user search from the root node we need port number 3268, but to assign the AD groups we have to use port number 389, as 3268 doesn't do provisioning or de-provisioning. Again, with port 389 we are able to provision/de-provision AD groups provided the AD users and AD groups exist in the same OU. If the user exists in one OU and the AD group is in a different OU, this scenario doesn't work for us and we get the below error
Please let me know if you were able to provision/de-provision AD groups where users and groups exist at different OU.
Thanks,
Gautam.
Hi Elvira,
We are still not able to provision the AD groups through GRC 10. We had calls with SAP and our AD team, but it looks like the issue is something tied to the Windows AD configuration, where we have referrals, and as per SAP, GRC 10 doesn't support referrals. SAP did show us a demo with their internal GRC 10 system where they were able to provision AD group/s. We are trying to provision AD groups through our portal/UME but are still trying to figure that out.
Thanks,
Gautam.
I don't remember the person who gave us the demo from SAP as it was done last year, but it was scheduled by our SAP liaison. All companies who have implemented SAP should have an SAP contact person. There is a lot of documentation online on LDAP integration with GRC 10. There is one SAP standard note/document (1584110) on the set-up as well.
Hi Vinod,
We are unable to do the AD group provisioning/de-provisioning, but what we found is that if the ID and AD group exist in the same OU then we are able to do it at OU level. The best practice is to do it at root level without having any dependency on the ID/group existing in the same OU. So after doing further research and talking to different team members, including SAP and Microsoft, it looks like we have referrals in Windows AD and that is stopping us. So in a nutshell everything depends on how your AD is configured, and in our case it is not possible to change any configuration in AD. We haven't done anything yet, but we are looking to do provisioning through UME.
I hope this helps.
Thanks,
Gautam.
Hi All,
We are facing the same issue.
Any possible work around except using UME?
Regards,
Patrick
Hello !
Facing the same issue here. Not able to provision AD groups to users through GRC 10.1 SP 11.
So did it finally work for you guys?
Can you please let me know the steps undertaken?
I did use port 368, but it is still showing me
Message No. LDAPRC053
Thanks !
Akshat
Hi Akshat,
Please see my detailed response to Vinod Kumar on 08/10/2015. In a nutshell, we were able to use port 3268 to get data populated in ARQ from AD. Since 3268 is a global read port we were not able to do the AD group provisioning. The only scenario where we were able to do AD group provisioning was using port 389, but the ID and group have to exist in the same OU, which is not the case for our AD architecture. The issue for us was tied to referrals in AD, which has a global impact for us. So instead of doing provisioning to AD from GRC, what we ended up doing was provisioning AD groups from GRC to the Portal.
I hope this helps.
Thanks,
Gautam.
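The two posts above (the 3268 vs 389 explanation and this summary) describe behaviour that is easier to see with a concrete search result in front of you. The script below is an added example; it is not code from the thread, from SAP or from Microsoft. It takes the LDIF that an ldapsearch against the domain root on port 389 would return (constructed by hand here, with assumed host names and a made-up user and group), separates the user entry from the search continuation references, parses each referral URL, and then predicts, for the domain root and for OU=EMEA on ports 389 and 3268, which naming contexts come back as referrals. The list of naming contexts is an assumption for a single-domain forest. The last check is the constraint the 389 provisioning scenario ran into: whether the user's group sits under the same base entry as the user.

```python
"""Sort an AD subtree search result into entries and referrals, and
predict which naming contexts a given base DN / port will refer to."""
from urllib.parse import urlparse, unquote

DOMAIN = "DC=NR,DC=AD,DC=NEWELLCO,DC=COM"   # root node named in the thread
EMEA = "OU=EMEA," + DOMAIN                   # one regional OU from the thread

# Naming contexts of a single-domain AD forest (assumption: one domain, DCs
# also running AD-integrated DNS). Schema sits under Configuration and is
# covered by that reference, so it is not listed separately.
NAMING_CONTEXTS = [
    DOMAIN,
    "CN=Configuration," + DOMAIN,
    "DC=DomainDnsZones," + DOMAIN,
    "DC=ForestDnsZones," + DOMAIN,
]

# Constructed sample of what OpenLDAP ldapsearch prints for a subtree search
# from the domain root on port 389. Host names, user and group are made up.
SAMPLE_LDIF = """\
# base <DC=NR,DC=AD,DC=NEWELLCO,DC=COM> with scope subtree
# filter: (sAMAccountName=gautam)

# gautam, Users, EMEA, NR.AD.NEWELLCO.COM
dn: CN=gautam,OU=Users,OU=EMEA,DC=NR,DC=AD,DC=NEWELLCO,DC=COM
sAMAccountName: gautam
memberOf: CN=GRC-Requesters,OU=Groups,OU=NA,DC=NR,DC=AD,DC=NEWELLCO,DC=COM

# search reference
ref: ldap://ForestDnsZones.nr.ad.newellco.com/DC=ForestDnsZones,DC=nr,DC=ad,DC=newellco,DC=com

# search reference
ref: ldap://DomainDnsZones.nr.ad.newellco.com/DC=DomainDnsZones,DC=nr,DC=ad,DC=newellco,DC=com

# search reference
ref: ldap://nr.ad.newellco.com/CN=Configuration,DC=nr,DC=ad,DC=newellco,DC=com

# search result
search: 2
result: 0 Success

# numEntries: 1
# numReferences: 3
"""


def normalize_dn(dn):
    """Lower-case a DN and strip blanks around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_subordinate(dn, base):
    """True if dn is base itself or lies somewhere below it in the tree."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def parse_ldif(text):
    """Split ldapsearch-style LDIF into (entries, referral_urls).

    Entries are dicts keyed by attribute (multi-valued attributes become
    lists); 'ref:' lines are search continuation references. Base64 ('::')
    values are kept undecoded for brevity."""
    entries, refs, current = [], [], None
    for line in text.splitlines():
        if not line.strip():                  # blank line ends a record
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):              # ldapsearch comment line
            continue
        key, _, value = line.partition(":")
        value = value.lstrip(": ").strip()    # tolerate the '::' marker
        if key == "dn":
            current = {"dn": value}
        elif key == "ref":
            refs.append(value)
        elif current is not None:             # skip 'search:'/'result:' lines
            current.setdefault(key, []).append(value)
    if current is not None:
        entries.append(current)
    return entries, refs


def parse_referral(url):
    """Break an LDAP referral URL into (host, port, base_dn); default port 389."""
    u = urlparse(url)
    return u.hostname, u.port or 389, unquote(u.path.lstrip("/"))


def referred_contexts(base, port, naming_contexts):
    """Naming contexts that a subtree search from `base` on `port` will
    return as continuation references rather than as entries.

    3268 is the Global Catalog: it answers for the whole forest and generates
    no referrals, but it is read-only, so no group provisioning through it.
    389 answers for the domain naming context only; every other context whose
    head lies below the search base (ForestDnsZones, DomainDnsZones,
    Configuration, child domains) is handed back as a referral. An OU below
    the domain root contains no such heads, which is why basing the search at
    an OU makes the referrals, and the error, disappear."""
    if port == 3268:
        return []
    return [nc for nc in naming_contexts
            if is_subordinate(nc, base) and normalize_dn(nc) != normalize_dn(base)]


if __name__ == "__main__":
    entries, refs = parse_ldif(SAMPLE_LDIF)
    print(f"{len(entries)} entry, {len(refs)} referrals")
    for url in refs:
        host, port, dn = parse_referral(url)
        print(f"  referral -> {host}:{port} base {dn}")
    for base, port in ((DOMAIN, 389), (DOMAIN, 3268), (EMEA, 389)):
        print(f"base={base} port={port}: {referred_contexts(base, port, NAMING_CONTEXTS)}")
    user, group = entries[0]["dn"], entries[0]["memberOf"][0]
    print("user under EMEA base:", is_subordinate(user, EMEA))
    print("group under EMEA base:", is_subordinate(group, EMEA))
```

Running it against real output is a matter of replacing SAMPLE_LDIF with the text of `ldapsearch -H ldap://<dc>:389 -b "<root node>" -s sub "(sAMAccountName=<user>)"`: if the `ref:` lines appear, the directory is returning referrals and a client that cannot chase them (as SAP told Gautam about GRC 10) will fail from the root node but succeed from an OU.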
Hi Gautam,
As mentioned in SAP Note 511141, the error you're facing means:
LDAPRC 001 (Operation is aborted):
"This message indicates that the directory could not process the request for internal reasons, but cannot send a more detailed error message. This error message does not mean that the SAP System sent incorrect data."
In other words, LDAPRC001 means that the error message was provided by the directory side, but not a specific error message that could be interpreted by SAP. In this case you have to look at your directory services.
Then, in order to find more information, you should contact the vendor of your directory server, as they can better assist.
Additionally, please review note 934177, which contains some useful information relating to your issue.
Best Regards,
Nandita
Gautam,
We got that error message at one point. I think we had several things wrong in our configuration; we have an LDAP forest of 3 LDAPs plus another LDAP that is not part of the forest. It took us a bit of trial and error, but we finally have all 4 of them retrieving user details.
Be sure you have the host name right, the port right, and that all the connector groups are listed under:
SPRO > GRC >Access Control >Maintain Mappings for Actions and Connector Groups
Gretchen
We just have one LDAP server/connector set up, and it is working fine if we specify an OU within the base entry along with the domain, but it doesn't work if we remove the OU and leave the base entry with the root node/domain. I have checked with our Basis team and we have only one forest. Going to check with our AD team for the same. Since specifying the OU in the base entry is pulling results from Active Directory within the LDAP t-code in the GRC 10 system, I believe everything is fine from the LDAP configuration standpoint, and the SPRO configuration in the GRC 10 system will come into scope when we try to retrieve/populate those fields in the ARQ/CUP configuration in NWBC.
Below is the structure of our AD. If we leave the base entry with the root node/domain (DC=NR,DC=AD,DC=NEWELLCO,DC=COM) then it doesn't work and gives the "operation failed" error message, but if we add the OU (OU=EMEA,DC=NR,DC=AD,DC=NEWELLCO,DC=COM) along with the root node then it does provide us with the result.
I'm going to follow up with the AD team but let me know if anyone got any ideas to resolve the above error.
Thanks,
Gautam.