PSS: User Id entered is not authenticated???

former_member184114
Active Contributor
0 Kudos

Hi All,

I am facing some strange problem all of a sudden.

LDAP is configured and I checked the same by logging into LDAP server from within LDAP tcode. I can search user from here.

This is the same configuration in our GRC development system and PSS is working fine in this system.

However, in GRC Quality system, I noticed that when a user id is entered PSS is not authenticating it!

First of all, I entered correct user id which is available in LDAP server and it worked fine.

I then entered dummy user id which is not available in LDAP server. This time also, it did not give me any error and simply logged into PSS home page!

I am not sure why PSS is showing such behavior. I did following steps for this:

  1. Configured LDAP using standard SAP document. It is working fine as I checked from within LDAP tcode.
  2. I ran full user sync for that LDAP connector
  3. My user authentication server is LDAP

I also followed note#1604946.

Surprisingly, what I see is, there is no change in the configuration steps. This is perfectly working fine in GRC Development system but not working in GRC quality system.

I am not sure what is missing here.

Can anyone please help me resolve this.

Regards,

Faisal

Accepted Solutions (1)

Colleen
Advisor
0 Kudos

Hi Faisal

After running user sync were you able to check the GRACUSER* tables to see if your Id is actually there?

Have you compared the IMG configuration between the two systems for connectors/data sources to check no issues?

Regards

Colleen

former_member184114
Active Contributor
0 Kudos

Colleen,

Thanks for your reply.

The configuration between these 2 systems seems to be the same, as it was working fine initially in GRC quality system. But I don't know why this problem started later.

Secondly, I have seen some strange behavior of this "GRACUSERCONN" table. For LDAP connector, I could see some 600+ in development system.

However, in quality system, I could only find one entry! That too for my user id.

The sync jobs are successful in both the systems. I don't know why this strange behavior is shown by this application on different systems.

Can you please advise?

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

Dear Colleen,

I have noticed that LDAP connection is not working in quality system. When I tried to log on to directory server, it gave me error:

"Connection Error Occurred"

But the same connection is working in development system.

Can you please advise?

Regards,

Faisal

Colleen
Advisor
0 Kudos

Hi Faisal

Is LDAP the first system for authentication or the last user sync you ran? Check the GRACUSER table first to see if LDAP entries appear there.

I tested the user syncs in relation to GRACUSER and GRACUSERCONN a while back. I noticed the last connector run for user sync contains entries in GRACUSER table and all subsequent systems for the user are in GRACUSERCONN. If you ran LDAP user sync last the users may be in the GRACUSER table.

Did you manually set up your Integration Framework for Connectors, Logical Systems, maintain connector settings (flag PSS for LDAP) or did you transport these?

I think you need to go through each configuration item between DEV and QA GRC and compare to see if there is a difference. If you have done this (do again in case you missed) and still no difference you may need to consider running a trace on the sync and see if your System Admin can trace the LDAP connection.

In addition, have you compared the SM59 and LDAP configuration for the LDAP connector between DEV and QA?

If still stuck, can you please post some screen shots for what you have checked?

Cheers

Colleen

former_member184114
Active Contributor
0 Kudos

Colleen,

Thanks for your reply.

Firstly, LDAP is the only authentication system we use and secondly, I ran user sync for this connector last.

In table GRACUSER, I noticed there is only one entry of my name.

I just now ran user sync for LDAP connector. However, did not see entries as I told you, getting error in LDAP tcode while logging in to Directory server.

Thanks for sharing your experience with GRACUSER and GRACUSERCONN tables. I am yet to understand why this is happening like this and what is the use/purpose. Your input may be a great help.

I transported all these configurations through TR. Nothing is done manually in quality system. The LDAP connector in SM59 in both the systems is working fine.

I am trying to figure out what actually is missed when configurations are moved through TR. And initially it worked and now it is not working!

Regards,

Faisal

Colleen
Advisor
0 Kudos

Hi Faisal


getting error in LDAP tcode while logging in to Directory server.

Sorry, does that mean your LDAP transaction is failing now? If so, you need to talk to Basis and possibly network operations to check why this is failing.

Regards

Colleen

former_member184114
Active Contributor
0 Kudos

Colleen,

Yes, I somehow feel that due to this, users are not getting fetched from LDAP server. I need to fix this first and then see.

Will keep you posted on this.

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

Colleen,

I forgot to tell you that the "UPDATED_ON" field in table GRACUSER has a November 2013 date! I have run the sync job several times after, though!

Any idea why this is like this?

Regards,

Faisal

Colleen
Advisor
0 Kudos

Hi Faisal


"Connection Error Occurred"

That error is preventing the sync, which in turn means no update to the table. Not exactly sure how the code works as to when the table entries are re-written.

Either way, something between November and now changed. It would be the LDAP user's permissions on LDAP to read, possibly network security, etc.

Focus on getting transaction LDAP to work before you focus on user sync

Let us know what you find

Cheers

Colleen

former_member184114
Active Contributor
0 Kudos

Colleen,

Thanks for your reply.

The same LDAP user is being used in development system also. As told before, these configurations are moved through a transport request and LDAP connection was working fine earlier.

I re-imported the same TR. But, no luck.

I have run sync job not only from LDAP server, but from SAP systems several times. But I still see last year's date. Not sure why.

Regards,

Faisal

Colleen
Advisor
0 Kudos

Hi Faisal

Is transaction LDAP working? If not, manually compare DEV and QA for transactions LDAP and SM59 for the configuration

If QA isn't working for transaction LDAP then it could be network related

Regards

Colleen

former_member184114
Active Contributor
0 Kudos

Colleen,

LDAP tcode is not working in quality whereas it is perfectly working fine in development. Let me see if this is related to network.

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

Hi Colleen,

Now the LDAP problem is resolved!

I had the same in another thread: http://scn.sap.com/thread/3499795

That thread is closed now. Please refer the same how this was resolved.

Now user is getting authenticated appropriately

However, I have noticed something about table GRACUSERCONN. Will post this in another thread.

Thanks for your time!

Regards,

Faisal

Colleen
Advisor
0 Kudos

Hi Faisal

Glad to hear it's working and thanks for detailing your solution.

Cheers

Colleen

Answers (2)

Former Member
0 Kudos

Hi Faisal

Please check parameter 2051 value. If it is marked as 'No' then userid won't be validated against datasources in configuration and will allow. So if it is No then please make it Yes.

Regards

Pradeep

former_member184114
Active Contributor
0 Kudos

Pradeep,

If this is set to "YES" then while submitting request in ARQ, it will search for even new user in data source.

Regards,

Faisal

former_member193066
Active Contributor
0 Kudos

maintain parameter LDAP enable domain forest to yes.

Regards,

Prasant

former_member184114
Active Contributor
0 Kudos

Prashant,

Thanks for your reply.

I have checked in our GRC development system.

Parameter Group:  "LDAP"

Parameter ID      :   "2052" (Use LDAP Domain Forest)

is set to "NO" and it is working fine.

The same value is maintained in GRC quality system and it is showing different behavior.

Can you please help?

Regards,

Faisal