SAP Synchronize with AD

Former Member
0 Kudos

Hi

We are currently implementing the LDAP connector to create new users and synchronize already created users' information with a Windows 2003 server Active Directory.

But the problem we are facing is that we have a mismatch between the SAP user IDs and the Active Directory users.

Has anyone had this problem before and how did you overcome it?

Thank you.

9 REPLIES

tim_alsop
Active Contributor
0 Kudos

David,

I am not sure if you have considered the authentication yet, but when/if you decide to use Active Directory based authentication to allow users to logon to SAP you will need to consider the mapping of AD account name onto SAP user name. For example your AD account name might be firstname.lastname and your SAP user might be something completely different.

Once you have considered the mapping for authentication purposes, and this depends on what product you use for the authentication of users to SAP via AD credentials, you can use the same mapping information when you sync other user information via LDAP protocol.

Note: You cannot sync the users password in AD, so authentication has to be considered in addition to the use of the LDAP connector for synchronising user information.

Regards,

Tim

Former Member
0 Kudos

Hi Tim

Thank you for the reply.

How would you do the mapping of AD account name onto SAP user name?

David

tim_alsop
Active Contributor
0 Kudos

David,

The mapping solution I am most familiar with involves using a table in SAP system called USRACL. If SNC is enabled in SAP ABAP system the USRACL table contains details of the AD account name and domain (Kerberos realm) for each SAP user who can logon to ABAP stack. This is a standard feature in SAP ABAP when SNC-based authentication is implemented.

Are you also wanting to use the AD account name to authenticate to SAP via Web browser, or just with SAP GUI?

Thanks,

Tim

Former Member
0 Kudos

We have already successfully implemented SNC via Kerberos authentication.

What we want to do with the LDAP connector is this: as HR creates a new user in the org structure, a batch programme will run and create the relevant SAP user ID, and the user will get its authorization from the position it is assigned to. Once the SAP user ID is created, an inactive AD user must be created. The network team will then manually create the e-mail and assign the network access.

As we maintain all employee information in SAP (telephone number, office number and so on) in the HR table, we would like to populate this information from SAP to AD.

As I understand the LDAP connector, the user ID must match for the information to sync.

Will your mapping process work for my problem?

David

tim_alsop
Active Contributor
0 Kudos

David,

It sounds to me now that the mapping is already in place for authentication of existing users - if it wasn't, then your existing SNC/Kerberos authentication would not work?

It sounds like you are looking for an identity management solution?

If your HR person creates a new user for a new employee, they must be following a naming convention you have decided to use, e.g. first letter of first name followed by surname (FBLOGGS, JSMITH etc.). When they do this, the name used to create the account in AD could be the same as the SAP user name used, or based on it using a consistent approach.

Perhaps you could explain why you cannot use the above method when creating new users, or give me some examples so I understand better.

Thanks,

Tim

Former Member
0 Kudos

Our problem stems from before we implemented SAP. During the SAP implementation the naming convention was changed. Now we sit with a percentage of the users on the AD with a different naming convention (first name) from their SAP user naming convention (first 4 of surname and initials).

Now we want to start synchronization between SAP and AD and these differences in user IDs are posing a problem.

Will a mapping table resolve this issue?

David

tim_alsop
Active Contributor
0 Kudos

David,

OK, I understand now. Thanks for the background.

You could add the SAP user name as an attribute in the AD account, and use this when you sync. This might be difficult to manage using standard AD tools. Alternatively, it might be possible to write some code on the ABAP side to read the USRACL table and use the information already in this table, which will show you what the AD account name is for a specific SAP user. This can then be used during the LDAP sync.

Thanks,

Tim
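The USRACL-based approach Tim describes above, worked through as an added example (this is not SAP's LDAP connector, not Tim's code, and not code from this thread). It takes a constructed USRACL extract, parses the Kerberos-style SNC name of each SAP user into an AD account name and realm, escapes that name into an LDAP search filter, and then plans the attribute updates that a sync job would push to AD, reporting every SAP user it cannot correlate instead of silently skipping it. The column names BNAME and PNAME, the SNC name format `p:<account>@<REALM>`, the in-memory dictionary standing in for a real LDAP search, and all user, realm and attribute values are assumptions or constructed sample data.

```python
"""Correlate SAP user IDs with AD accounts via USRACL SNC names, then plan an
attribute sync. Added example with constructed data; not SAP or connector code."""
import re

# Constructed USRACL extract. BNAME = SAP user, PNAME = SNC name (assumed
# column names). The "p:<principal>@<REALM>" form is the Kerberos SNC name
# layout assumed for this system; an empty PNAME means no SNC name was set.
USRACL_ROWS = [
    {"BNAME": "SMITJ", "PNAME": "p:jsmith@CORP.EXAMPLE.COM"},
    {"BNAME": "BLOGF", "PNAME": "p:fred@CORP.EXAMPLE.COM"},
    {"BNAME": "DOEJ",  "PNAME": "p:CN=jane.doe@corp.example.com"},
    {"BNAME": "NOSNC", "PNAME": ""},
]

# Constructed stand-in for the directory: sAMAccountName -> distinguished name.
# A real job would run the filter from ldap_filter() against AD instead.
AD_ACCOUNTS = {
    "jsmith":   "CN=John Smith,OU=Staff,DC=corp,DC=example,DC=com",
    "jane.doe": "CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com",
}

# Constructed HR data keyed by SAP user; telephoneNumber and
# physicalDeliveryOfficeName are standard AD attribute names.
HR_ATTRIBUTES = {
    "SMITJ": {"telephoneNumber": "+1 555 0100", "physicalDeliveryOfficeName": "B2-114"},
    "BLOGF": {"telephoneNumber": "+1 555 0101", "physicalDeliveryOfficeName": "B2-115"},
    "DOEJ":  {"telephoneNumber": "+1 555 0102", "physicalDeliveryOfficeName": "C1-007"},
    "NOSNC": {"telephoneNumber": "+1 555 0103", "physicalDeliveryOfficeName": "C1-008"},
}

# Accept "p:user@REALM" and "p:CN=user@REALM"; reject anything with a second
# '@' or path-like characters so a malformed row cannot become an AD lookup.
SNC_NAME_RE = re.compile(r"^p:(?:CN=)?(?P<account>[^@/\\]+)@(?P<realm>[^@]+)$", re.IGNORECASE)


def parse_snc_name(pname):
    """Return (account, REALM) from an SNC name, or None if it is unusable."""
    m = SNC_NAME_RE.match(pname.strip())
    if not m:
        return None
    return m.group("account"), m.group("realm").upper()


def build_mapping(rows, expected_realm):
    """Map SAP user -> AD account name; collect users that cannot be mapped."""
    mapping, unmapped = {}, []
    for row in rows:
        parsed = parse_snc_name(row["PNAME"])
        if parsed is None:
            unmapped.append((row["BNAME"], "no usable SNC name in USRACL"))
            continue
        account, realm = parsed
        if realm != expected_realm:          # do not sync into a foreign domain
            unmapped.append((row["BNAME"], f"SNC realm {realm} is not {expected_realm}"))
            continue
        mapping[row["BNAME"]] = account
    return mapping, unmapped


def ldap_escape(value):
    """Escape a filter value per RFC 4515 so user data cannot alter the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def ldap_filter(account):
    """Search filter that locates the AD user object for one account name."""
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(account)}))"


def plan_sync(rows, ad_accounts, hr_attributes, expected_realm):
    """Return (changes, unresolved): attribute writes per AD DN, and the SAP
    users that could not be correlated, each with the reason."""
    mapping, unresolved = build_mapping(rows, expected_realm)
    changes = []
    for sap_user, account in mapping.items():
        dn = ad_accounts.get(account)        # stands in for an LDAP search
        if dn is None:
            unresolved.append((sap_user, f"no AD object matched {ldap_filter(account)}"))
            continue
        attrs = hr_attributes.get(sap_user)
        if attrs:
            changes.append({"sap_user": sap_user, "sAMAccountName": account,
                            "dn": dn, "attrs": attrs})
    return changes, unresolved


if __name__ == "__main__":
    changes, unresolved = plan_sync(USRACL_ROWS, AD_ACCOUNTS, HR_ATTRIBUTES, "CORP.EXAMPLE.COM")
    for c in changes:
        print(f"modify {c['dn']}: {c['attrs']}   (SAP {c['sap_user']})")
    for sap_user, reason in unresolved:
        print(f"UNRESOLVED {sap_user}: {reason}")
```

The unresolved list is the useful output for David's situation: it names exactly the SAP users whose AD account cannot be found from USRACL, which is the population that still needs a manual mapping entry (or the extra AD attribute Tim mentions) before the sync can cover them.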

koehntopp
Product and Topic Expert
0 Kudos

Don't make me go into sales mode, but isn't this exactly what Netweaver Identity Management sets out to do?

Frank.

Former Member
0 Kudos

Thank you for your help. I will have a look at IM.

Dawid