Former Member

EP6 and AD LDAP - Pointing the User Path to a Security Group

Hi experts,

Our company will be reorganizing its Active Directory LDAP structure (which we don't have much control over) similar to the following:

MyCompany (Root)
|_Production (OU)
|__NY (Security Group)
|__FL (Security Group)
|__CA (Security Group)

  • = User referenced from another domain. [These users are merely pointers/references to the actual user objects which reside in other domains]

We are currently testing this structure against EP6 using a flat hierarchy. However, we are unable to authenticate users.

Using the ConfigTool, we set the Group Path to the OU -> Production and User Path to the same OU -> Production. But we have no success authenticating.

We have tried various combinations for the Group/User paths, as well as switching between the two hierarchies, flat and deep. But still no luck.

Basically, we'd like our User Path to point to the Organizational Unit -> Production, which cascades into the referenced users.

We have searched all of SAP Marketplace/SDN and googled but came up with very little. Any help will be greatly appreciated.

Many thanks,



1 Answer

  • Former Member
    Jun 13, 2007 at 02:35 PM

    Before the restructure, are you able to authenticate right now? There are some LDAP tools you should use, outside of SAP, to make sure that the users path can be reached through the new LDAP setting.


    • Michael,

      Some more info related to my last post:

      When using Kerberos to authenticate with AD, the OU of the user account is not required in the authentication request. Instead, the AD account name, domain and password are required. If the user account is in a different domain to the domain being used for the authentication request, then AD handles this by referring the client (where the request was sent from) to another domain where the actual user resides - this all happens automatically and without client side configuration.

      I hope this info helps you to understand some of the advantages of using Kerberos to authenticate to AD instead of LDAP.
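
The reachability check suggested in the answer, sketched offline as an added example (not code from this thread or from SAP): it emulates a subtree search under the User Path and lists group members whose DNs lie outside it. Assumptions: the directory snapshot, domain components and user names are constructed, and the model relies on AD storing group membership as DNs in the group's `member` attribute rather than as child objects of the group.

```python
# Constructed snapshot of directory entries (DN -> attributes); all names are made up.
ENTRIES = {
    "OU=Production,DC=mycompany,DC=example": {"objectClass": ["organizationalUnit"]},
    "CN=NY,OU=Production,DC=mycompany,DC=example": {
        "objectClass": ["group"],
        "member": ["CN=Ann Lee,OU=Staff,DC=east,DC=mycompany,DC=example"],
    },
    "CN=CA,OU=Production,DC=mycompany,DC=example": {
        "objectClass": ["group"],
        "member": ["CN=Bo Diaz,OU=Staff,DC=west,DC=mycompany,DC=example"],
    },
    "CN=Ann Lee,OU=Staff,DC=east,DC=mycompany,DC=example": {"objectClass": ["user"]},
    "CN=Bo Diaz,OU=Staff,DC=west,DC=mycompany,DC=example": {"objectClass": ["user"]},
}


def rdns(dn):
    """Split a DN into normalized RDNs (simplified: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under(dn, base):
    """True if dn equals base or sits in base's subtree."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def subtree_search(entries, base, object_class):
    """Emulate a subtree-scope search for one objectClass beneath base."""
    return sorted(dn for dn, attrs in entries.items()
                  if is_under(dn, base) and object_class in attrs["objectClass"])


def members_outside(entries, group_path, user_path):
    """Map each group under group_path to member DNs not under user_path."""
    report = {}
    for group in subtree_search(entries, group_path, "group"):
        outside = [m for m in entries[group].get("member", [])
                   if not is_under(m, user_path)]
        if outside:
            report[group] = outside
    return report


if __name__ == "__main__":
    base = "OU=Production,DC=mycompany,DC=example"
    print("users under user path:", subtree_search(ENTRIES, base, "user"))
    for group, dns in members_outside(ENTRIES, base, base).items():
        print(group, "->", dns)
```

Against a live directory, the same comparison can be made from an export of the groups' `member` values and the configured User Path.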