on 04-11-2016 9:01 AM
Dears,
I am facing the above issue in the GRC system while syncing user data from the LDAP connector. The LDAP configuration is completed and seems to be working fine because of the below details:
I have tried syncing using a user ID having the SAP_ALL profile but still could not get the proper result.
Please advise.
Regards,
Faisal
Hi Faisal,
What exactly do you need to read? Do you use LDAP as a source for user searching?
Please provide us with the details.
I also have some open issues with LDAP and we can help each other.
Regards,
Artem
Artem,
I only need to read the users from LDAP. Yes, LDAP is being used as a user search.
When I am trying to log onto the End User Logon portal using an AD user ID and password, it was absolutely working fine. However, when trying to sync details from the AD, this is causing a problem.
Not sure why and what is causing this issue.
Regards
I changed the port in the LDAP tcode from 389 to 3268. The job did not fail; however, no users were synced.
I also tried with port 3269 in the LDAP tcode.
I noticed that, from within the LDAP tcode configuration, I could search users using the 'Find' button for all the above ports.
However, while running repository sync I got different results!
Can anybody help me understand this behavior of the system?
Regards
Artem,
Please find attached the screen for mappings. I accepted the default proposal.
I noticed that the user sync is getting completed successfully, but the total count is showing as 0 (zero). This means no user is synced but the job is getting completed successfully.
Could you share your view on this?
I have seen such behavior for the first time.
Regards
Faisal,
Have you tried to run a full synchronization? Because incremental sync selects users for a certain period, so if they were not modified they will not get into your selection.
My settings differ from the standard because we keep the SAP user ID in the pager field of AD, so I changed the mapping for this field and synchronize USERNAME with pager, not with sapUsername (as you have). Do you have such a field in your AD? As I understand it, you use this field as a filter (ticked in the first tick-box) for your selection. Try to change it, for example, to sAMAccountName, but you can get a mismatch in length between the SAP field and the AD field.
Regards,
Artem
I will try, since I recently had similar questions and still have an open message for group assignment on the SAP side.
As I understood it, on the LDAP map we select which field will be imported/exported from/to SAP/AD. When we have decided which fields will be equal to each other (in my example it's the pager AD field to the user ID in SAP) we make settings for "Maintain Mapping for Actions and Connector Groups" (in SPRO), where we put for LDAP 0004 Provisioning, USERID=PAGER.
So, after synchronization my pager goes to the user ID in table GRACUSER and I have this view:
During request creation the USER_ID field goes to the User ID field of the ARQ form.
Regards,
Artem
Artem,
Thanks for your reply.
I think I did not get your question in your earlier post.
I had referred to the "mapping" of the LDAP tcode, and that is the same screen I had shared with you.
If you asked me about the "mapping" in "Maintain Mapping for Actions and Connector Groups" (in SPRO), I have a very simple mapping; find it below:
This does not seem to be the problem to me, because earlier I had done the same mapping and it worked. In my scenario, SAP ID = SAMACCOUNTNAME (AD field) and this is OK.
The problem is, this job is getting completed successfully but no records are fetched. This I don't understand.
There could be one possibility: that the base entry where I am trying to pull users from might not have users. But when I try to pull the users from the LDAP tcode, it is pulling and gives me the error:
"Maximum number of find results exceeded"
The above message signifies that the LDAP tcode is finding users in the base entry. But while syncing, why it is not pulling users from this base entry, I am not sure.
We maintain the base entry in LDAP itself and the same is used by the job while syncing.
Please share your view.
Regards,
Faisal
Faisal,
As I can see you have activated the maximum trace level for LDAP, so you can see what's inside the log in accordance with note 1823253. Besides the recommendation to limit the page size to 200, it also contains other checks. Please share your results after following the note's recommendations.
Bear in mind that setting the trace file for LDAP to maximum may overflow your file system, and the file also will not be available for reading; I faced this issue during my customization of LDAP.
Regards,
Artem
Artem,
I made some changes in the base entry of the LDAP configuration. While searching the users from within the LDAP tcode, I changed the filter to:
(&(objectclass=user)(cn=ra*))
This gave me the result of users starting with 'RA'. This seems to be working fine now.
Also, after making changes in the base entry of the LDAP tcode, I can search the users while raising the access request.
However, while syncing users, I still did not get any success.
I would close this thread as I can search users from LDAP and while raising a request.
However, I have some other points to be discussed and will open another thread.
Thanks for your help.
Regards,
Hello guys,
I am also facing the same issue.
When I perform the URP sync, I am getting the error "cannot perform read operation on the LDAP systems". Should the user in LDAP require any permissions? I kept my user ID while defining the connections, and also I did not maintain any BASE ENTRY. Is it mandatory to have the base entry?
Should the user maintained in LDAP have SAP_ALL?
Please suggest.
Regards,
Ravi.
Hi Faisal,
Thanks for the reply.
Yes, I am getting this error in the synchronization. So should the LDAP user maintained in the LDAP connector have any permissions in the LDAP system? When I contacted the LDAP team they said all users have read access and no special permissions are required. Please let us know if any permissions are required for the LDAP user.
For the time being I configured parameter 2050 (real-time search); it is fetching the details. But when I log in as an end user (End User Logon) I am again facing the issue "cannot connect to LDAP system".
Please suggest.
Regards,
Ravi.
Ravi,
Yes, all users have read access so no need to have any special permission.
Secondly, I think you need to use "LDAP_END_USER_AUTH_SUFFIX" with value "@yourdomain" for the LDAP connector, Connector Actions #3 and 4 under Maintain Mapping... -> Assign Mapping Group Parameter.
Hope this helps. Please share your feedback.
Regards,