on 06-18-2013 4:14 PM
Hello,
We are unable to do a search based on the root node after successful LDAP integration, but if we add a particular OU within the base entry then we are able to search the users for that specific OU. Specifying a specific OU is not the right solution as we have different OUs for the North America, Europe, Latin America etc. regions. We need to specify the root node so that it will search for all the users in the different regions. We are getting the below operation failed error when we don't specify an OU in the base entry.
Message no. LDAPRC001
This is an error message that is triggered by the directory server.
It is not possible to analyze the error in the SAP system.
Check the log files for the directory server (if they exist), to see if they
contain more information.
Please let us know if you guys have faced this situation and what was the resolution.
Thanks,
Gautam.
Hi Gautam,
I am in the same situation as you. Did you find any solution for the issue? Please share.
Regards,
Prasad
Hi Prasad,
Are you able to provision Active Directory groups through GRC 10?
To do a user search from the root node we need port number 3268, but to assign the AD groups we have to use port number 389, as 3268 doesn't do provisioning or de-provisioning. Again, with port 389 we are able to provision/de-provision AD groups provided the AD users and AD groups exist in the same OU. If the user exists in one OU and the AD group is in a different OU, this scenario doesn't work for us and we get the below error
Please let me know if you were able to provision/de-provision AD groups where users and groups exist at different OU.
Thanks,
Gautam.
Hi Elvira,
We are still not able to provision the AD groups through GRC 10. We had calls with SAP and our AD team, but it looks like the issue is something tied to the Windows AD configuration, where we have referrals, and as per SAP, GRC 10 doesn't support referrals. SAP did show us a demo with their internal GRC 10 system where they were able to provision AD group/s. We are trying to provision AD groups through our portal/UME but are still trying to figure that out.
Thanks,
Gautam.
I don't remember the person who gave us the demo from SAP as it was done last year, but it was scheduled by our SAP liaison. All companies who have implemented SAP should have an SAP contact person. There is a lot of documentation online on LDAP integration with GRC 10. There is one SAP standard note/document (1584110) on the set-up as well.
Hi Vinod,
We are unable to do the AD group provisioning/de-provisioning but what we found is if ID and AD group exist in the same OU then we are able to do it at OU level. The best practice is to do it at root level without having any dependency on ID/Group existing in the same OU. So after doing further research and talking to different team members including SAP and Microsoft, it looks like we have referrals in Windows AD and it is stopping us. So in a nutshell everything depends on how your AD is configured and in our case it is not possible to change any config. in AD. We haven't done anything yet but we are looking to do provisioning through UME.
I hope this helps.
Thanks,
Gautam.