04-16-2007 6:59 PM
Hi, my question is:
Can I create and synchronize SAP users from Active Directory groups?
04-16-2007 8:22 PM
This can be done, but it requires a schema extension, and I think it's a SAP program. There's also third-party software that can help with this called Realtech.
Once the schema is extended, this adds a SAP tab in the AD Users and Computers MMC. This tab has all the SAP fields. Then it's a simple LDAP sync which will create all the users and properties in SAP. If you combine it with a program called Cybersafe for LDAP authentication, you have yourself a secure and easy-to-manage system.
04-16-2007 9:00 PM
As I understand, there isn't any method to synchronize SAP users with Active Directory without third-party software.
And I can't synchronize by members from a group.
I have structure like this:
CN=SAPAS,CN=Users,DC=root,DC=sbs
member CN=mindaugas vaitkus,CN=Users,DC=root,DC=sbs
member CN=test1 test0101,CN=Users,DC=root,DC=sbs
member CN=test2 test02,CN=Users,DC=root,DC=sbs
and
CN=test4 test04,OU=City,OU=Area,DC=root,DC=sbs
In this situation, how can I synchronize users?
Do I need base entry DC=root,DC=sbs?
04-17-2007 2:12 PM
I think you can do this without any third party software. I'll try to explain what we did. I have to go by memory because I don't have my notes or my LDAP environment anymore.
I'm assuming you have an LDAP server and have created your LDAP connector.
OK, let's say you have users in Active Directory and you want to create them in SAP. First you run LDAPMAP and confirm your mapping. This is pretty easy to do; you just match the SAP mapping with the AD mapping. It looks something like this:
BAPIBNAME BAPIBNAME sAMAccountName
BAPIADDR3 FIRSTNAME givenname
BAPIADDR3 LASTNAME sn
Then you run RSLDAPSYNC_USER and you'll see options that say,
objects that only exist in the directory
- create in database (this one will create users in SAP)
- delete from directory (this will delete user from AD)
- ignore (I think this just shows a report)
This is pretty much it. I don't know what you'll do for passwords unless you decide to use a third-party solution. We used a product called Trustbroker to help with our SSO solution. Worked very well.
thanks
Dave
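An offline dry run of the group-based selection and the LDAPMAP mapping discussed in this thread, added here as an example; it is not SAP code and not from any poster. The DNs come from the question; the attribute values, the `memberOf` contents, the set of existing SAP users and all function names are constructed assumptions, and test4 is assumed not to be a member of SAPAS.

```python
# Dry run only: no LDAP or SAP connection is made.
GROUP_DN = "CN=SAPAS,CN=Users,DC=root,DC=sbs"   # group DN from the question
BASE_DN = "DC=root,DC=sbs"                      # base entry asked about

# LDAPMAP rows from the post: (SAP structure, SAP field) <- AD attribute
MAPPING = {
    ("BAPIBNAME", "BAPIBNAME"): "sAMAccountName",
    ("BAPIADDR3", "FIRSTNAME"): "givenName",
    ("BAPIADDR3", "LASTNAME"): "sn",
}

def entry(dn, sam, given, sn, groups):
    return {"dn": dn, "sAMAccountName": sam, "givenName": given, "sn": sn, "memberOf": groups}

# Constructed sample: DNs from the question, attribute values invented.
DIRECTORY = [
    entry("CN=mindaugas vaitkus,CN=Users,DC=root,DC=sbs", "mvaitkus", "mindaugas", "vaitkus", [GROUP_DN]),
    entry("CN=test1 test0101,CN=Users,DC=root,DC=sbs", "test1", "test1", "test0101", [GROUP_DN]),
    entry("CN=test2 test02,CN=Users,DC=root,DC=sbs", "test2", "test2", "test02", [GROUP_DN]),
    entry("CN=test4 test04,OU=City,OU=Area,DC=root,DC=sbs", "test4", "test4", "test04", []),
]

def rdns(dn):
    # Naive split: fine for these DNs, does not handle escaped commas.
    return [part.strip().lower() for part in dn.split(",")]

def under_base(dn, base):
    """Subtree scope: the entry's DN ends with the base DN's components."""
    base_parts = rdns(base)
    return rdns(dn)[-len(base_parts):] == base_parts

def in_group(e, group_dn):
    """Equivalent of the LDAP filter (memberOf=<group DN>), direct members only."""
    return any(rdns(g) == rdns(group_dn) for g in e["memberOf"])

def to_sap(e):
    return {field: e[attr] for field, attr in MAPPING.items()}

def plan(entries, sap_users, base=BASE_DN, group_dn=GROUP_DN):
    """Return {SAP user name: action} for group members found under the base."""
    actions = {}
    for e in entries:
        if under_base(e["dn"], base) and in_group(e, group_dn):
            name = to_sap(e)[("BAPIBNAME", "BAPIBNAME")].upper()  # SAP user names are upper case
            actions[name] = "already in SAP" if name in sap_users else "create in database"
    return actions

if __name__ == "__main__":
    for user, action in plan(DIRECTORY, sap_users={"TEST1"}).items():
        print(user, "->", action)
```

The base entry alone reaches both `CN=Users` and `OU=City,OU=Area`; it is the group-membership filter that keeps accounts outside SAPAS from being provisioned.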
04-18-2007 8:56 AM
Actually, there is some documentation about the LDAP sync for ABAP on the help portal, where this info can be found as well. Just have a look at the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/10/1a063415c611d4b61f0000e835363f/frameset.htm">docs of the LDAP Connector</a>.
It's a small program that can be installed on the LDAP server or an SAP system and enables synchronization of ABAP user/roles into the LDAP and vice versa.
regards,
Patrick