LDAP user synchronization with Active Directory by groups

Former Member
0 Kudos

Hi, my question is:

Can I create and synchronize SAP users from Active Directory groups?

1 ACCEPTED SOLUTION

Former Member
0 Kudos

This can be done, but it requires a schema extension, and I think it's a SAP program. There's also third-party software that can help with this, called Realtech.

Once the schema is extended, this adds a SAP tab in the AD Users and Computers MMC. This tab has all the SAP fields. Then it's a simple LDAP sync, which will create all the users and properties in SAP. If you combine it with a program called Cybersafe for LDAP authentication, you have yourself a secure and easy-to-manage system.

4 REPLIES

0 Kudos

As I understand, there isn't any method to synchronize SAP users with Active Directory without third-party software.

And I can't synchronize by members of a group.

I have structure like this:

CN=SAPAS,CN=Users,DC=root,DC=sbs

member CN=mindaugas vaitkus,CN=Users,DC=root,DC=sbs

member CN=test1 test0101,CN=Users,DC=root,DC=sbs

member CN=test2 test02,CN=Users,DC=root,DC=sbs

and

CN=test4 test04,OU=City,OU=Area,DC=root,DC=sbs

In this situation, how can I synchronize users?

Do I need the base entry DC=root,DC=sbs?

0 Kudos

I think you can do this without any third party software. I'll try to explain what we did. I have to go by memory because I don't have my notes or my LDAP environment anymore.

I'm assuming you have an LDAP server and have created your LDAP connector.

OK, let's say you have users in Active Directory and you want to create them in SAP. First you run LDAPMAP and confirm your mapping. This is pretty easy to do; you just match the SAP mapping with the AD mapping. It looks something like this:

BAPIBNAME BAPIBNAME sAMAccountName

BAPIADDR3 FIRSTNAME givenname

BAPIADDR3 LASTNAME sn

Then you run RSLDAPSYNC_USER and you'll see options that say,

objects that only exist in the directory

- create in database (this one will create users in SAP)

- delete from directory (this will delete user from AD)

- ignore (I think this just shows a report)

This is pretty much it. I don't know what you'll do for passwords unless you decide to use a third-party solution. We used a product called Trustbroker to help with our SSO solution. Worked very well.

thanks

Dave
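
An added example, not part of any reply in this thread and not SAP code: the group-based selection the question asks about, written as an LDAP filter on the Active Directory `memberOf` attribute with `DC=root,DC=sbs` as the subtree base, followed by the attribute mapping from the LDAPMAP listing above. It assumes the synchronization can be given a search filter; the function names, the test5 and "other user" entries, and all attribute values are constructed for illustration.

```python
# Added example; entries are constructed, no directory connection is made.
BASE_DN = "DC=root,DC=sbs"                     # base entry asked about in the thread
GROUP_DN = "CN=SAPAS,CN=Users,DC=root,DC=sbs"  # group from the thread
# AD attribute -> SAP field, as in the LDAPMAP listing quoted in the reply.
AD_TO_SAP = {"sAMAccountName": "BAPIBNAME", "givenName": "FIRSTNAME", "sn": "LASTNAME"}

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515 special characters)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_member_filter(group_dn):
    """Filter for user objects whose memberOf lists group_dn (direct members only)."""
    return "(&(objectClass=user)(memberOf=%s))" % escape_filter_value(group_dn)

def in_subtree(dn, base_dn):
    """True when dn is base_dn or lies below it (DN comparison is case-insensitive)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

def select_and_map(entries, group_dn=GROUP_DN, base_dn=BASE_DN):
    """Local stand-in for a subtree search with the filter above, then field mapping."""
    rows = []
    for dn, attrs in entries:
        groups = [g.lower() for g in attrs.get("memberOf", [])]
        if in_subtree(dn, base_dn) and group_dn.lower() in groups:
            rows.append({sap: attrs[ad] for ad, sap in AD_TO_SAP.items() if ad in attrs})
    return rows

# Constructed entries: DNs follow the thread, attribute values are made up.
SAMPLE = [
    ("CN=test1 test0101,CN=Users,DC=root,DC=sbs",
     {"sAMAccountName": "test1", "givenName": "test1", "sn": "test0101", "memberOf": [GROUP_DN]}),
    ("CN=test4 test04,OU=City,OU=Area,DC=root,DC=sbs",   # not listed as a group member
     {"sAMAccountName": "test4", "givenName": "test4", "sn": "test04", "memberOf": []}),
    ("CN=test5 test05,OU=City,OU=Area,DC=root,DC=sbs",   # hypothetical member outside CN=Users
     {"sAMAccountName": "test5", "givenName": "test5", "sn": "test05", "memberOf": [GROUP_DN]}),
    ("CN=other user,CN=Users,DC=elsewhere,DC=sbs",       # member, but outside the base entry
     {"sAMAccountName": "other", "memberOf": [GROUP_DN]}),
]

if __name__ == "__main__":
    print(group_member_filter(GROUP_DN))
    for row in select_and_map(SAMPLE):
        print(row)
```

`memberOf` lists direct group memberships only, so users who belong to the group through a nested group or as their primary group are not matched by this filter. Escaping the group DN before placing it in the filter keeps a name containing parentheses or an asterisk from changing which accounts are selected for creation.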

0 Kudos

Actually, there is some documentation about the LDAP sync for ABAP on the help portal, where this info can be found as well. Just have a look at the docs of the LDAP Connector (http://help.sap.com/saphelp_nw2004s/helpdata/en/10/1a063415c611d4b61f0000e835363f/frameset.htm).

It's a small program that can be installed on the LDAP server or an SAP system and enables synchronization of ABAP user/roles into the LDAP and vice versa.

regards,

Patrick