LDAP user sync in GRC.

Hi Experts,
We are trying to configure LDAP AD on a GRC system (SP 13).
Done all the required configuration and field mapping.
Connector is working and able to log in to the LDAP server with the system user.
LDAP connector name is the same as the LDAP server name.
Base Entry is maintained in LDAP tcode for the LDAP server.
But, not able to perform repository sync; showing error message as "USER ADAPTER IS EMPTY".
Attributes for the connector are not maintained in "maintain connector settings"; do I need to maintain these to run repository sync?
Please suggest,
Thank you in advance.....

Dear Sai,
please follow the instructions below:
1. LDAP connector name should be identical to the LDAP Server name. Please check if this is the same.
2. What string is used while searching users in LDAP? Execute LDAP tcode and find the users with the default string, for example (&(objectclass=*)(samaccountname = a*)). If you have some different string to search users, then we need to find out from the LDAP team if they can set your searchable string as default.
3. Check whether Base Entry is maintained in LDAP tcodes for your LDAP server. If not, maintain that as well.
4. Refer to SAP Note "1755767 - Repository object sync from LDAP fails".
Following these steps will ensure that you have all the configuration as per recommendations.
Regards,
Alessandro

Similar Messages

  • LDAP user sync - CanonicalName is null

    Hi!
    I need to setup user sync from LDAP to LiveCycle. It seems to be very intuitive and easy, but ...
    I can connect to LDAP well, but no users are transferred. I found the LDAP query was OK and the LDAP response was OK. LiveCycle complains about:
    This record is missing a required attribute and cannot be used. Specifically CanonicalName is null. Common Name: Adam Agama
    The LDAP entry is:
    dn: cn=Adam Agama, ou=Users, o=My org,c=CZ
    o: My org
    givenName: Adam
    sn: Agama
    ou: Users
    mail: [email protected]
    userCertificate;binary:: MIIIODCCB....
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: opencaEmailAddress
    objectClass: pkiUser
    uid: [email protected]
    cn: Adam Agama
    What does the LiveCycle mean by CanonicalName? I have not seen such an attribute anywhere.
    Any help would be appreciated.
    --- Jaroslav Pavlicek

    I reply myself:
    When configuring the LDAP connection, there are predefined templates for various LDAP types: SunOne, ActiveDirectory, IBM Domino, ...
    You probably must select one. If you don't, the "Unique identifier" field will not appear on the following page and you are not allowed to edit it. And also you would have no idea what the Unique identifier is expected to be :)

  • LDAP User sync problem

    Hi,
    I have configured LDAP on NetWeaver WebAS ABAP using the LDAP transaction. It is working fine and I am able to sync users from Microsoft AD to the SAP database. But the problem is it is also synchronizing the terminated users from the company, which are not useful. We have 2 entries under the base entry that need to be synced, excluding the terminated users. If I use the base entry it takes all users; instead I want to sync only users under those two DNs. Is there any way to do this?
    One more question: I have synchronized all users and later mapped some fields. For new users I am getting the mapped field updates, but not for the already synced users when I run the sync report. Can I update the already synced users' fields as well, or do I need to delete all users and start the sync again?
    Thanks,
    Ajay.

    Hi Ajay,
    Let me see if I understand you correctly:
    1. You're running an LDAPSYNC from AD to ABAP?
    The LDAP connector works using the "subtree" method by default. It scans all OUs under the BaseDN you specified. If you wish to perform this scan only on two specific DNs, ou=department1,ou=users,dc=ldap,dc=corp and ou=department2,ou=users,dc=ldap,dc=corp, and not the whole ou=users,dc=ldap,dc=corp, then you need to create two entries in trans. LDAPMAP.
    If you copy your existing entry, it will copy the attribute mappings as well.
    This will require you to run the RSLDAPSYNC_USER report for each of the server settings.
    2. For a one-time update, you can run the RSLDAPSYNC_USER report and choose "ignore timestamp" in the "objects that exist both in directory and database" section.
    This will update the users' info, provided you set the "import" flag for the attributes in the 'synchronization' section for the server (trans. LDAPMAP).
    Best regards,
    Eric

  • LDAP user no longer able to log in

    We have CQ 5.3 set up using LDAP authentication. We have one user who has been using CQ with her AD user ID/password for over a year with no issues, but she came in one day and now it's saying her user ID and password don't match.
    We've tried on multiple different instances of CQ and she gets the same message every time. She is able to log into other applications that use LDAP for authentication just fine. We have tried restarting CQ to see if that resolves the issue and it hasn't. I originally thought it was some sort of issue with her LDAP account, but because she can log into other apps, I'm wondering if not? Or maybe there WAS an issue with her account, but it was resolved (she thought maybe her account was locked, so she ran an unlock procedure), but CQ just hasn't caught up to that fact? This started happening a week ago.

    Hi Jennifer,
    Have you tried running a manual LDAP User sync for the single user (http://localhost:4502/crx/config/ldap.jsp)? Since the user can log in to other systems via LDAP, the problem is most likely with their account in CQ. Maybe try deleting their account in CQ and re-creating/re-syncing via LDAP User sync.
    Hope this helps.
    Ron

  • CUCM 8.6.2 LDAP User Delete Pending LDAP Sync Status Inactive

    BE6K ver 8.6.2
    Client has a user who recently got married. They changed her account information in Active Directory to reflect her new last name. At that point CUCM shows her as
    Delete Pending
    LDAP Sync Status Inactive
    CUC shows
    LDAP User has been deleted.
    The user still exists in both CUC and CUCM and is actively taking and receiving calls. User has VM access.
    Short of deleting the user in AD and recreating her, is there a way to force this to re-sync?
    Thanks
    Matt

    Then that's expected to happen: for all purposes, in CUCM/CUC's eyes msmith no longer exists and will be deleted, and a new user, mjones, will now be imported.
    Depending on when the change was done and when CUCM detected it, it might take up to 48 hours maximum to delete the user.
    You'll need to associate everything to the new user, and also add that new user into CUC.
    Or switch her user ID back to the old one, and just change the surname for directory purposes.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • GRC 10.0: Access Request Creation - LDAP user advanced search not working

    Dear Experts,
    We are implementing SAP GRC Access Control and we have an issue in Access Request Creation. If we put the user name in the "User" field and press Enter, the user details are updated, but if we want to make an "Advanced search" the user is not found and the application gives us the following message: "No records found for the search criteria entered."
    Scenario 1: If we put the user name in the "User" field and press Enter, the user details are updated:
    Scenario 2: If we want to make an "Advanced search" the user is not found and the application gives us the following message: "No records found for the search criteria entered."
    We are using the Active Directory as Data Source.
    Thanks and Regards.

    Hi Jose,
    Try maintaining the parameter 2050 as YES and check once.
    Kindly also refer to the below list of SAP notes:
    1757906 - GRC 10.0 - LDAP user search does not work in NWBC
    1745370 - LDAP search in GRC does not work anonymously
    1718242- UAM: User search not working in Access Request.
    Regards,
    Neeraj Agarwal

  • Sync LDAP users with ECC - Mapping required field

    Hello,
    I want to synchronize SAP ECC users with LDAP users.
    At this moment I have succeeded in synchronizing all users existing in the LDAP to the ECC.
    But I want to filter the users which need to be created by a specific attribute added in the LDAP.
    I changed the LDAP mapping to add the "required" check on the field corresponding to the specific attribute. But when I use the RSLDAPSYNC_USER program, this required attribute is not considered.
    What can I do to synchronize only the users which have the specific attribute filled, and not all users?
    Thanks and regards.
    Edited by: Gaetan Bourgneuf on Jun 18, 2008 11:27 AM

    In detail:
    - in the LDAP we have created a specific attribute named "SAP FIELD" (technical name is extensionAttribute10)
    - in the LDAPMAP transaction in the ECC I modified the following entry:
    " USERNAME    |    BAPIBNAME    |    sAMAccountName    | X | X | X | X |   | X |    |"
    to the following new one:
    " USERNAME    |    BAPIBNAME    |    extensionAttribute10    | X | X | X | X |   | X |    |"
    So when I synchronize the LDAP, the LDAP specific extension is required (because it is linked to the SAP username). And if a user doesn't have this specific attribute filled, it's not synchronized.

  • LDAP Setup in SAP GRC 10 system

    Hello All,
    We are implementing SAP GRC 10 and trying to connect GRC with LDAP to sync users, but we are facing the below error while doing configuration in the LDAP t-code:
    Error "Could not login to directory"
    But it's working fine when we try to log in through ldap.exe to check the host and other things.
    Please let me know where I can check the configuration in the GRC and LDAP system to correct the same.
    Thanks & Regards,
    Jagat

    Hello,
    Please check other configuration screens from GRC and LDAP.exe tool
    Screen 1 – LDAP Server
    Screen 2 – System User
    Screen 3 – LDAP Connector Setting
    Screen 4 – LDAP.exe

  • LDAP User Synchronization : Password

    Hi All,
    I have a question about LDAP User Synchronization to SU01 in ABAP. Does it create an initial password for the users being synced? Or does it store the LDAP password in the SU01 password field?
    I have doubts about the second, as LDAP will never return the password in plain text, and password hashing schemes can be different between LDAP and ABAP.
    If it doesn't store the password at all in SU01 for synced users, then how does the user log in to SAP GUI?
    Please let me know.
    Thanks in Advance,
    Sanjeev

    Hi Tim,
    it's not possible to unhash a cryptographic hash function. One of the main properties of each cryptographic hash function is preimage resistance, which means that for a given hash h it's not feasible to find a message m such that hash(m) = h. Even in case it is possible to find this message, you can't be sure that it was the original message, because as we know a hash function maps messages of arbitrary length to a fixed-size string. Obviously, there are more messages of variable length than messages of one fixed size, so there has to be at least one hash where there are two messages m1 and m2 with hash(m1) = hash(m2) (pigeonhole principle). So it could happen that the user would choose password m1 but your unhashing algorithm would get m2. Obviously, it's highly improbable that a second hash function hashes m1 and m2 into the same hash. Therefore such a solution will never be available and the only solution is to get the password in clear text and distribute it to each system in clear text form. As Julius mentioned this is supported, but it has some disadvantages.
    Cheers

  • LDAP Active Sync is Hanging

    Howdy all,
    I'm looking for some advice on debugging an active sync issue. We are running IDM 7.0, and do a lot of processing via our LDAP active sync workflows. Currently we are experiencing an increasing number of hung active sync threads. When looking at the active sync logs and the Jakarta Tomcat logs, we don't really see any errors or clues. If we examine the Show_Provisioning debug page, we can often see that a provision thread is fetching a user from some resource when it hangs. It is not hanging on the same user, or the same resource. Has anyone experienced anything like this before? Does anyone have any ideas on good ways to debug it? I was thinking about trying to trace some of the Java classes that are executing, but am not sure which ones are likely candidates. Please let me know if you have any other debugging ideas.
    Thanks!

    Did you set the java heap size in Tomcat?

  • ALUI "Native" vs LDAP user accounts

    Our existing setup syncs with AD to bring user accounts into the portal. We're expanding the functionality to allow public user accounts, but we're not sure the best way to implement. We would like users to have a single login to the portal which would then authenticate them against other applications automatically. Our current understanding of the Credential Vault suggests that this functionality is supported, but the details are not known or understood.
    Should these public user accounts be created as "native" portal accounts, or LDAP accounts?
    What are the advantages/disadvantages of using one method over the other?
    Are there any other sources of information on using Credential Vault for integration with applications? General architecture and workflow information would also be helpful.

    In general, you're better off using AD, especially if your other applications use AD, because then at least the user names will match.
    There are many, many different ways to pass credentials to backend applications -- you can use a PEI, a custom SSO integration or the credential vault. None of these is dependent on having your users synced from AD -- it's just that if you DON'T sync your users, it's often hard to tell how to match a Plumtree portal account with a backend system's corresponding account.
    This page has some somewhat helpful information about the credential vault:
    http://edocs.bea.com/alui/ali/docs61/admin/content.html#wp1068049
    The cruel reality of this situation is that every backend application that you try to integrate into the portal will have a different way of authenticating users, so each application will probably require a different credential-passing architecture. Some may work with the credential vault while others may require native code (PEI or SSO) with perhaps remote code as well.
    If you'd like to share more on the forums about what you're trying to integrate, we can perhaps provide some more specific guidance. Alternatively, you're welcome to contact us offline.
    HTH,
    Chris Bucchere | bdg | [email protected] | http://www.thebdgway.com
    Edited by bucchere at 01/27/2007 9:37 AM

  • Problem with Afaria and LDAP user authentication in Android device

    Hi all,
    I have a server with Afaria 7 (SP4, hotfix 3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have another tenant with LDAP integration in which the users must be authenticated.
    I know that for iOS devices it is necessary to reinstall the iPhone server selecting "Afaria Server managed authentication", but at first I want to make the Android devices run. For this reason I haven't done this yet.
    I followed these steps:
    1- Create a new tenant
    2- Configure LDAP integration
    3- Create an inventory policy with authentication required
    4- Create a static group associated to the inventory policy
    5- Create an enrolment policy associated to the static group.
    When I launch the Afaria agent on the device, the user/password parameters are required. After filling in the user/password parameters, the device connects to the server and then the message "user or password incorrects" is shown.
    I have seen the log and it seems the problem is that Afaria can't authenticate this user.
    I validated that Afaria can "see" the LDAP users by creating a user group that contains this user (JimenM99).
    The problem is authentication, because if I remove "authentication required" from the inventory policy, the device enrols correctly.
    Could you please help to solve this problem?
    Thanks in advance.

  • How to force a new password in portal with LDAP user? external users

    With an external portal (used by agents that do not work for you or reside in your office), company policy is for the password to be changed every quarter.
    If the users are created as LDAP users, how do we force them to change their password when required?
    Is this a custom application that needs to be written, so that when they log into the portal and the quarter has expired, the portal asks them to enter a new password that becomes valid for the next quarter?
    Versus internally deleting and emailing all the users a new password?

    Hi Glenn,
    We are getting one problem: when we create a user in LDAP and log in with that user in the Portal, we get the password change screen, but when we create a user in LDAP and change the password of that user in LDAP, then when the user tries to log in to the portal we are not able to see the password change screen.
    But again, if we change the password of that user through the Portal we are able to see the change password screen.
    Can you help on this, how we can force the user to change the password when we are changing the password in LDAP or in the SAP system?
    Regards
    Trilochan

  • Assigning roles to LDAP users through BIP API

    Hi.
    My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
    One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
    I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
    We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
    Is it possible to make that assignments through BIP API?
    If not, any other ideas? New ideas or different approaches are welcome.
    Thanks in advance.

    In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
    During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
    I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
    There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
    Let me know if that helps.

  • How to only synchronize one specific LDAP user group with SAP?

    Hi,
    Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configuring in SAP using transactions SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile or role in SAP), or should this be done on the LDAP server side (or is it at all possible)?
    Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups, right? This would therefore not be sufficient, since I want to select the users to synchronize based on user groups in the directory.
    Thanks, Oscar

    We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
    E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
    Then we also have a constant for the LDAP_STARTING_POINT
    For our AD Group Initial Load we filter according to these settings:
    LDAP_FILTER_GROUPS = (objectclass=group)
    LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
    The above example only reads AD groups starting at the specified OU
    Then in a Job From LDAP Pass the LDAP URL looks like this:
    LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
    I hope this helps
    Paul
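Two replies in this thread turn on the same two mechanics: Eric's point that the connector reads the whole subtree under the BaseDN unless you give it narrower base entries (the two `ou=department1` / `ou=department2` DNs), and Paul's IdM LDAP URL of the form `LDAP://host:port/base?attrs?scope?filter` built from repository constants. The following is an added example, not code from either reply, from SAP or from any IdM product: it resolves a constant template into an RFC 4516 LDAP URL, parses the URL into its search parameters, and then shows which of a constructed set of entry DNs a given base DN and scope would cover. The `%$rep.NAME%` token syntax, the host name, the `dc=example,dc=test` suffix and every entry DN are constructed sample values; the filter is parsed but not evaluated, and DN comparison assumes no escaped commas.

```python
"""Added example (not code from the thread or from SAP/IdM): resolve an LDAP URL
template, parse it, and show which entries a base DN plus scope would cover.
All constants, host names and entry DNs are constructed sample values."""
from urllib.parse import unquote

# Constructed repository constants, modelled on the ones quoted in the reply.
REPOSITORY = {
    "LDAP_HOST": "dc01.example.test",
    "LDAP_PORT": "389",
    "LDAP_STARTING_POINT_GROUPS": "ou=IDMManagedGroups,ou=Groups,dc=example,dc=test",
    "LDAP_FILTER_GROUPS": "(objectclass=group)",
}

# Same shape as the URL in the reply; %$rep.NAME% token syntax is assumed.
URL_TEMPLATE = ("LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/"
                "%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%")

# Constructed sample entries: two groups under the managed OU (one nested), one outside it.
SAMPLE_GROUP_DNS = [
    "cn=SAP_Finance,ou=IDMManagedGroups,ou=Groups,dc=example,dc=test",
    "cn=SAP_HR,ou=Archive,ou=IDMManagedGroups,ou=Groups,dc=example,dc=test",
    "cn=LegacyAdmins,ou=Legacy,ou=Groups,dc=example,dc=test",
]

# Constructed sample users under the OU layout Eric's reply describes.
SAMPLE_USER_DNS = [
    "cn=Ajay,ou=department1,ou=users,dc=ldap,dc=corp",
    "cn=Priya,ou=department2,ou=users,dc=ldap,dc=corp",
    "cn=Former,ou=terminated,ou=users,dc=ldap,dc=corp",
]


def substitute_constants(template, constants):
    """Replace every %$rep.NAME% token with its repository value; fail on leftovers."""
    out = template
    for name, value in constants.items():
        out = out.replace(f"%$rep.{name}%", value)
    if "%$rep." in out:
        raise ValueError(f"unresolved constant in URL: {out}")
    return out


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into host, port, base DN, attributes, scope and filter."""
    scheme, _, rest = url.partition("://")
    if scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL")
    hostport, _, dn_part = rest.partition("/")
    host, _, port = hostport.partition(":")
    # base ? attrs ? scope ? filter; split at most 3 times because a filter may contain '?'
    fields = dn_part.split("?", 3)
    fields += [""] * (4 - len(fields))
    base, attrs, scope, filt = (unquote(f) for f in fields)
    return {
        "host": host,
        "port": int(port) if port else (636 if scheme.lower() == "ldaps" else 389),
        "base": base,
        "attrs": [a for a in attrs.split(",") if a] or ["*"],
        "scope": (scope or "base").lower(),          # RFC 4516 default scope is base
        "filter": filt or "(objectClass=*)",         # RFC 4516 default filter
    }


def normalize_dn(dn):
    """Split a DN into lower-cased RDNs. Assumes no escaped commas (true for the samples)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is covered by base_dn under the given search scope."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)          # 0 = the base entry itself
    scope = scope.lower()
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def select_entries(url, entry_dns):
    """Sample DNs the URL's base DN and scope would cover (filter is not evaluated)."""
    params = parse_ldap_url(url)
    return [dn for dn in entry_dns if dn_in_scope(dn, params["base"], params["scope"])]


def users_for_bases(base_dns, entry_dns, scope="sub"):
    """Union of what each base entry covers: one narrow base per LDAPMAP entry."""
    return [dn for dn in entry_dns if any(dn_in_scope(dn, b, scope) for b in base_dns)]


if __name__ == "__main__":
    url = substitute_constants(URL_TEMPLATE, REPOSITORY)
    print(url)
    print(parse_ldap_url(url))
    print("groups read:", select_entries(url, SAMPLE_GROUP_DNS))
    depts = ["ou=department1,ou=users,dc=ldap,dc=corp", "ou=department2,ou=users,dc=ldap,dc=corp"]
    print("users with two narrow bases:", users_for_bases(depts, SAMPLE_USER_DNS))
    print("users with ou=users base:", users_for_bases(["ou=users,dc=ldap,dc=corp"], SAMPLE_USER_DNS))
```

Running the module shows the resolved URL, the parsed parameters (scope `sub`, filter `(objectclass=group)`), the two managed groups but not the `ou=Legacy` one, and that the `ou=terminated` user is only excluded when the sync is driven from the two department DNs rather than from `ou=users`. Everything the scope does not exclude still reaches the connector, so a filter such as Paul's `(&(objectCategory=person)(objectClass=user))` remains the second line of defence against importing unintended accounts.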
