
LDAP Search in Access Request shows no results

Former Member
0 Kudos

Hello

I've been trying to configure LDAP as the User Data source for the Access Request functionality within Access Control.

I used the LDAP Configuration guide provided by SAP in the note. Unfortunately I haven't been able to get a successful result in the Sync Job and in the Access Request Form.

I have been able to get results in the LDAP tcode when I do Find, but I can't get any in the Business Client.

I'm adding screenshots of all the configuration I've done so you can get the idea of what I've done.

I left the mapping provided by default in the LDAP tcode, didn't do any changes to it.

Here's the connectors config. Two things here. 1- the USER ID is provided by our LDAP team (not sure if I have to change it to match in LDAP tcode) 2- the group field mapping and parameters is maintained for scenarios 3 and 4, I just included the screenshots for 3.

Config:

Lastly here's the sync job result. I get a User Adapter Empty when checking SLG1.

Regards

Maria Alejandra Piedra

SAP Basis/Security

Accepted Solutions (1)


Former Member
0 Kudos


Hello everyone out there,

My issue got resolved doing two things. SAP gave me the following instructions:

  1. Removed all entries from "Assign attributes to the connector" in Maintain Connector Settings.
  2. Implement note 2025895

Regards

Maria Alejandra Piedra

AbassMassalay
Explorer
0 Kudos

Hi Maria. I have the same issue as you. I have Access Control 10.1 but have not implemented note 2025895. Are you saying that SAP instructed you to remove all entries from "Assign Attributes To The Connector" in Maintain Connector Settings and it worked?

former_member185447
Active Contributor
0 Kudos

Hello Maria,

Thanks a lot for sharing the solution.

Will be useful for someone who might face the same issue.

Regards

Deepak m

Former Member
0 Kudos

Hello Abass

Yes, that's right we have no attributes in that section.

One thing you can do is if your LDAP search works in the LDAP tcode, then you can go to the Access Request screen, type in a user you know is in LDAP and then go to the User Details tab and hit enter, the details of the user should show up. The note just brings in the details automatically.

Regards

Maria

AbassMassalay
Explorer
0 Kudos

Thanks Maria,

I tried that and it looks like it is retrieving user data from another source which is the GRACUSER table. It appears to match exactly what is on the Access Request "select" user interface and not what is through the LDAP transaction code. I have a few questions. Are you currently using a CUA to ECC and LDAP as your main connection source for user data? Also, which Path ID are you using? Is it A002 or B012?

Former Member
0 Kudos

Abass

We don't use CUA so I don't have that configured. Have you checked in the User Search Data Source if you have SU01 as the User Data Type? Did you use the LDAP connector in Target Connector?

Also, did you configure the parameter for realtime queries to LDAP in the Configuration screen?

I'm not sure what Path ID you're mentioning, what screen would it be?

Cheers!

Maria

AbassMassalay
Explorer
0 Kudos

Thanks for your reply Maria. So my Target Connector, Connection Type, Source Connector and Logical Port all are configured to LDAP. The User Search Data Source does have SU01 as the Data User Type. I am using the LDAP Connector in Target Connector. Also, I did configure the parameter for real time queries to LDAP in the Configuration screen. Pretty much my configuration matches yours with the exception of not implementing note 2025895. The Path ID I was referring to is from the Maintain Connector Setting screen. I probably need to send a message to SAP. Thank you again for your help. I definitely appreciate it.

Former Member
0 Kudos

Abass,

I have the PATH ID empty actually so I guess you don't need that. I would remove the SU01 in the User Source and try the note.

I actually didn't do the synch because it failed but the real time setting works so I don't need the synch.

Regards,

Maria

Answers (2)


santosh_krishnan2
Participant
0 Kudos

For us, we found that the LDAP config worked with the port number you specified, but GRC wouldn't pull data.  We ended up using port 3268.

Check this out.

Santosh

Former Member
0 Kudos

Hi Santosh

I tried with the suggested port but it didn't work either.

Thanks!

Maria

Former Member
0 Kudos

Hi Maria

Uncheck the Read Anonymously checkbox in your LDAP Server config. Also, are you able to search for users from find button in the LDAP Tcode?

Thanks
Anthony

Former Member
0 Kudos

Hi Anthony

Unchecked the Read Anonymously checkbox but it didn't work. I am able to get hits with the Find button in LDAP. I added a screenshot of it in my description.

Regards,

Maria

Former Member
0 Kudos

Hi Maria

If you are able to see data from find button in LDAP tcode, then it should also work in NWBC Access Request form. Please test and let us know if this works. If so, I wouldn't worry about the synch job as you have Param 2050 set to Yes.

Thanks

Anthony

Former Member
0 Kudos

Anthony

The reason I created this thread is just that, I'm able to get users using Find but I can't get any results in NWBC.

Regards

Maria

Former Member
0 Kudos

Maria

Ok. Then the issue is related to LDAP mapping config in SPRO. In SPRO, Assign group field mappings for AUTH and PROV, change the system field names from Lower to Uppercase. I had a scenario where this worked.

Thanks

Anthony

FilipGRC
Contributor
0 Kudos

Hi Maria,

Check authorization for account on LDAP side - maybe your LDAP user does not have sufficient authorization to read data.

Did you maintain entries for authorization link scenario for LDAP rfc?

Also I would double check the base entry in LDAP configuration.

Thanks,

Filip

Former Member
0 Kudos

Hi Filip

The authorization for the account is not the issue because we have other systems using that same user.

I did maintain the link scenario, I believe I added the screenshot.

What should I check with the base entry? I get results when I do Find in LDAP tcode.

Thanks!

Maria

FilipGRC
Contributor
0 Kudos

Hi Maria,

Try changing the base entry to link it to a higher hierarchy node.

Make a few attempts, in my case my base entry was too low level - I have put it one level up and it started to work.

Filip