on 02-09-2014 12:58 PM
Hi All,
I am facing some strange problem all of a sudden.
LDAP is configured and I checked the same by logging into LDAP server from within LDAP tcode. I can search user from here.
This is the same configuration in our GRC development system and PSS is working fine in this system.
However, in GRC Quality system, I noticed that when a user id is entered PSS is not authenticating it!
First of all, I entered correct user id which is available in LDAP server and it worked fine.
I then entered dummy user id which is not available in LDAP server. This time also, it did not give me any error and simply logged into PSS home page!
I am not sure why PSS is showing such behavior. I did following steps for this:
I also followed note#1604946.
Surprisingly, what I see is, there is no change in the configuration steps. This is working perfectly fine in GRC Development system but not working in GRC quality system.
I am not sure what is missing here.
Can anyone please help me resolve this.
Regards,
Faisal
Hi Faisal
After running user sync were you able to check the GRACUSER* tables to see if your Id is actually there?
Have you compared the IMG configuration between the two systems for connectors/data sources to check no issues?
Regards
Colleen
Colleen,
Thanks for your reply.
The configuration between these 2 systems seems to be the same as it was working fine initially in GRC quality system. But don't know later this problem started.
Secondly, I have seen some strange behavior of this "GRACUSERCONN" table. For LDAP connector, I could see some 600+ in development system.
However, in quality system, I could only find one entry! That too for my user id.
The sync jobs are successful in both the systems. I don't know why this strange behavior is shown by this application on different systems.
Can you please advise?
Regards,
Faisal
Hi Faisal
Is LDAP the first system for authentication or the last user sync you ran? Check the GRACUSER table first to see if LDAP entries appear there.
I tested the user syncs in relation to GRACUSER and GRACUSERCONN a while back. I noticed the last connector ran for user sync contains entries in GRACUSER table and all subsequent systems for the user are in GRACUSERCONN. If you ran LDAP user sync last the users may be in the GRACUSER table.
Did you manually set up your Integration Framework for Connectors, Logical Systems, maintain connector settings (flag PSS for LDAP) or did you transport these?
I think you need to go through each configuration item between DEV and QA GRC and compare to see if there is a difference. If you have done this (do again in case you missed) and still no difference you may need to consider running a trace on the sync and see if your System Admin can trace the LDAP connection.
In addition, have you compared the SM59 and LDAP configuration for the LDAP connector between DEV and QA?
If still stuck, can you please post some screen shots for what you have checked?
Cheers
Colleen
Colleen,
Thanks for your reply.
Firstly, LDAP is the only authentication system we use and secondly, I ran user sync for this connector last.
In table GRACUSER, I noticed there is only one entry of my name.
I just now ran user sync for LDAP connector. However, did not see entries as I told you, getting error in LDAP tcode while logging in to Directory server.
Thanks for sharing your experience with GRACUSER and GRACUSERCONN tables. I am yet to understand why this is happening like this and what is the use/purpose. Your input may be a great help.
I transported all these configurations through TR. Nothing is done manually in quality system. The LDAP connector in SM59 in both the systems is working fine.
I am trying to figure out what actually is missed when configurations are moved through TR. And initially it worked and now it is not working!
Regards,
Faisal
Hi Faisal
"Connection Error Occurred"
That error is preventing the sync, which in turn means no update to the table. Not exactly sure how the code works as to when the table entries are re-written.
Either way, something between November and now changed. It would be the LDAP user's permissions on LDAP to read, possibly network security, etc.
Focus on getting transaction LDAP to work before you focus on user sync
Let us know what you find
Cheers
Colleen
Colleen,
Thanks for your reply.
The same LDAP user is being used in development system also. As told before, these configurations are moved through a transport request and LDAP connection was working fine earlier.
I re-imported the same TR. But, no luck.
I have run sync job not only from LDAP server, from SAP systems several times. But I still see last year's date. Not sure why.
Regards,
Faisal
Hi Colleen,
Now the LDAP problem is resolved!
I had the same in another thread: http://scn.sap.com/thread/3499795
That thread is closed now. Please refer the same how this was resolved.
Now user is getting authenticated appropriately.
However, I have noticed something about table GRACUSERCONN. Will post this in another thread.
Thanks for your time!
Regards,
Faisal
Hi Faisal
Please check parameter 2051 value. If it is marked as 'No' then userid won't be validated against datasources in configuration and will allow. So if it is No then please make it Yes.
Regards
Pradeep
Maintain parameter LDAP enable domain forest to yes.
Regards,
Prasant
Prashant,
Thanks for your reply.
I have checked in our GRC development system.
Parameter Group: "LDAP"
Parameter ID : "2052" (Use LDAP Domain Forest)
is set to "NO" and it is working fine.
The same value is maintained in GRC quality system and it is showing different behavior.
Can you please help?
Regards,
Faisal