LDAP User sync problem

Hi,
I have configured LDAP on NetWeaver WebAS ABAP using the LDAP transaction. It is working fine and I am able to sync users from Microsoft AD to the SAP database. But the problem is that it is also synchronizing the terminated users from the company, which are not useful. We have 2 entries under the base entry that need to be synced, excluding the terminated users. If I use the base entry it takes all users; instead I want to sync only users under those two DNs. Is there any way to do this?
One more question: I have synchronized all users, and later I mapped some fields. For new users I am getting the mapped field updates, but not for the already synced users when I run the sync report. Can I update the already synced users' fields also, or do I need to delete all users and start the re-sync again?
Thanks,
Ajay.

Hi Ajay,
Let me see if I understand you correctly:
1. You're running an LDAPSYNC from AD to ABAP?
The LDAP connector works using the "subtree" method by default. It scans all OUs under the BaseDN you specified. If you wish to perform this scan only on two specific DNs, ou=department1,ou=users,dc=ldap,dc=corp and ou=department2,ou=users,dc=ldap,dc=corp, and not the whole ou=users,dc=ldap,dc=corp, then you need to create two entries in trans. LDAPMAP.
If you copy your existing entry, it will copy the attribute mappings as well.
This will require you to run the RSLDAPSYNC_USER report for each of the server settings.
2. For a one time update, you can run the RSLDAPSYNC_USER report and choose "ignore timestamp" in the "objects that exist both in directory and database".
This will update the user's info, provided you set the "import" flag for the attributes in the 'synchronization' section for the server (trans. LDAPMAP).
Best regards,
Eric
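The scope behaviour Eric describes, as an added Python model that is not part of SAP's connector or of the original post: with one base entry the default subtree search picks up every OU beneath it (including a constructed ou=terminated OU, assumed here), while two narrower base DNs (one LDAPMAP server entry each) exclude it. The filter evaluator also accepts the default search string quoted in the GRC reply further down the page; the department DNs are Eric's, all entries are constructed.

```python
import re

def parse_dn(dn):
    """Split a DN into normalised (attr, value) RDNs, leftmost (most specific) first."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1))
            for rdn in re.split(r"(?<!\\),", dn)]

def is_under(entry_dn, base_dn, scope="subtree"):
    """True if entry_dn lies below base_dn: any depth for 'subtree', direct child for 'onelevel'."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    return scope == "subtree" or len(entry) == len(base) + 1

def parse_filter(text):
    """Parse a small RFC 4515 subset: (&...), (|...), (!...), (attr=value), (attr=*), (attr=prefix*)."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|", "!"):
        items, depth, start = [], 0, 1
        for i in range(1, len(body)):            # split the operands on balanced parentheses
            if body[i] == "(":
                depth += 1
            elif body[i] == ")":
                depth -= 1
                if depth == 0:
                    items.append(parse_filter(body[start:i + 1]))
                    start = i + 1
        return (body[0], items)
    attr, value = body.split("=", 1)              # tolerates spaces, as in (samaccountname = a*)
    return ("=", attr.strip().lower(), value.strip().lower())

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes ({lowercase name: [values]})."""
    op = node[0]
    if op == "&":
        return all(matches(n, attrs) for n in node[1])
    if op == "|":
        return any(matches(n, attrs) for n in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    values = [str(v).lower() for v in attrs.get(attr, [])]
    if value == "*":                              # presence test
        return bool(values)
    if value.endswith("*"):                       # prefix wildcard
        return any(v.startswith(value[:-1]) for v in values)
    return value in values

DIRECTORY = {  # constructed sample; ou=terminated is assumed, the department DNs come from Eric's reply
    "cn=Anna Adams,ou=department1,ou=users,dc=ldap,dc=corp":
        {"objectclass": ["user"], "samaccountname": ["aadams"]},
    "cn=Arun Bose,ou=department2,ou=users,dc=ldap,dc=corp":
        {"objectclass": ["user"], "samaccountname": ["abose"]},
    "cn=Ben Cole,ou=department2,ou=users,dc=ldap,dc=corp":
        {"objectclass": ["user"], "samaccountname": ["bcole"]},
    "cn=Alex Old,ou=terminated,ou=users,dc=ldap,dc=corp":
        {"objectclass": ["user"], "samaccountname": ["aold"]},
}

def search(directory, base_dns, ldap_filter, scope="subtree"):
    """sAMAccountNames of entries under any of base_dns (one LDAPMAP server entry each) matching the filter."""
    tree = parse_filter(ldap_filter)
    hits = set()
    for dn, attrs in directory.items():
        if any(is_under(dn, base, scope) for base in base_dns) and matches(tree, attrs):
            hits.update(attrs["samaccountname"])
    return sorted(hits)

if __name__ == "__main__":
    flt = "(&(objectclass=*)(samaccountname = a*))"   # default search string quoted in the GRC reply
    print("one base entry, subtree:", search(DIRECTORY, ["ou=users,dc=ldap,dc=corp"], flt))
    print("two department DNs:    ", search(DIRECTORY, ["ou=department1,ou=users,dc=ldap,dc=corp",
                                                         "ou=department2,ou=users,dc=ldap,dc=corp"], flt))
```

Running the block shows the terminated account appearing only in the single-base-entry search, which is the stale-account exposure the question is about.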

Similar Messages

  • LDAP user sync - CanonicalName is null

    Hi!
    I need to setup user sync from LDAP to LiveCycle. It seems to be very intuitive and easy, but ...
    I can connect to LDAP well, but no users are transferred. I found the LDAP query was OK and the LDAP response was OK. LiveCycle complains about:
    This record is missing a required attribute and cannot be used. Specifically CanonicalName is null. Common Name: Adam Agama
    The LDAP entry is:
    dn: cn=Adam Agama, ou=Users, o=My org,c=CZ
    o: My org
    givenName: Adam
    sn: Agama
    ou: Users
    mail: [email protected]
    userCertificate;binary:: MIIIODCCB....
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: opencaEmailAddress
    objectClass: pkiUser
    uid: [email protected]
    cn: Adam Agama
    What does LiveCycle mean by CanonicalName? I have not seen such an attribute anywhere.
    Any help would be appreciated.
    --- Jaroslav Pavlicek

    I reply to myself:
    When configuring the LDAP connection, there are predefined templates for various LDAP types: SunOne, ActiveDirectory, IBM Domino, ...
    You probably must select one. If you don't, the "Unique identifier" field will not appear on the following page and you are not allowed to edit it. And also you would have no idea what the Unique identifier is expected to be :)

  • LDAP user sync in GRC.

    Hi Experts,
    We are trying to configure LDAP AD on a GRC system (SP 13).
    Done all the required configuration and field mapping.
    Connector is working and able to log in to the LDAP server with the system user.
    LDAP connector name is the same as the LDAP Server name.
    Base Entry is maintained in the LDAP tcode for the LDAP server.
    But, not able to perform repository sync, showing error message as "USER ADAPTER IS EMPTY".
    I have not mentioned attributes for the connector in "maintain connector settings"; do I need to maintain these to run repository sync?
    Please suggest,
    Thank you in advance.

    Dear Sai,
    please follow the instructions below:
    1. LDAP connector name should be identical to the LDAP Server name. Please check whether this is the same.
    2. What string is used while searching users in LDAP? Execute the LDAP tcode and find the users with the default string, for example ...(&(objectclass=*)(samaccountname = a*)). If you have some different string to search users, then we need to find out from the LDAP team if they can set your searchable string as the default.
    3. Check whether Base Entry is maintained in LDAP tcodes for your LDAP server. If not, maintain that as well.
    4. Refer to SAP Note "1755767 - Repository object sync from LDAP fails".
    Following these steps will ensure that you have all the configuration as per recommendations.
    Regards,
    Alessandro

  • New User - Sync Problems

    This is my first BB and I am syncing for the first time. I have a Curve 8900 and the Desktop Manager is version 4.7. I am hoping to work on the calendar, task, memo, and address book on my laptop and then sync to my BB. I have successfully transferred the Address Book to the Windows Contacts folder, but when I try to sync the other applications the options that are offered are Yahoo or ASCII Importer/Exporter. I am not familiar with either of these programs and I am assuming that these are online programs. I am running Vista Home version and Office 07 Home version. I do not have Outlook. If anyone can offer me some advice with respect to programs I can access or download it would be greatly appreciated.
    Thanks

    more information:
    I have unchecked the check box "Required for Authentication" on the OIDB Init Block, and now iBOTs are again running.
    but still getting:
    and in NQServer.log
    2009-08-12 17:08:33
    nQSError: 13011 Query for Initialization Block 'OIDB' has failed.
    2009-08-12 17:08:33
    nQSError: 13011 Query for Initialization Block 'OIDB' has failed.
    and new users or users with changed password (LDAP) are still unable to login.
    Haim

  • LDAP user no longer able to log in

    We have CQ 5.3 set up using LDAP authentication. We have one user who has been using CQ with her AD Userid/password for over a year with no issues, but she came in one day and now it's saying her user id and password don't match.
    We've tried on multiple different instances of CQ and she gets the same message every time. She is able to log into other applications that use LDAP for authentication just fine. We have tried restarting CQ to see if that resolves the issue and it hasn't. I originally thought it was some sort of issue with her LDAP account, but because she can log into other apps, I'm wondering if not? Or maybe there WAS an issue with her account, but it was resolved (she thought maybe her account was locked, so she ran an unlock procedure), but CQ just hasn't caught up to that fact? This started happening a week ago.

    Hi Jennifer,
    Have you tried running a manual LDAP User sync for the single user (http://localhost:4502/crx/config/ldap.jsp)? Since the user can log in to other systems via LDAP, the problem is most likely with their account in CQ. Maybe try deleting their account in CQ and re-creating/re-syncing via LDAP User sync.
    Hope this helps.
    Ron

  • CUCM 8.6.2 LDAP User Delete Pending LDAP Sync Status Inactive

    BE6K ver 8.6.2
    Client has a user who recently got married. They changed her account information in Active Directory to reflect her new last name. At that point CUCM shows her as
    Delete Pending
    LDAP Sync Status Inactive
    CUC shows
    LDAP User has been deleted.
    The user still exists in both CUC and CUCM and is actively taking and receiving calls. User has VM access.
    Short of deleting the user in AD and recreating her, is there a way to force this to re-sync?
    Thanks
    Matt

    Then that's expected to happen; for all purposes, in CUCM/CUC's eyes, msmith no longer exists and will be deleted, and a new user mjones will now be imported.
    Depending on when the change was done and when CUCM detected this, it might take up to 48 hours maximum to delete the user.
    You'll need to associate everything to the new user, and also add that new user into CUC.
    Or switch back her userID to the old one, and just change the surname for directory purposes.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • Problem with Afaria and LDAP user authentication in Android device

    Hi all,
    I have a server with Afaria 7 (SP4, hotfix 3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have another tenant with LDAP integration in which the users must be authenticated.
    I know that for iOS devices it is necessary to reinstall the iphoneserver selecting "Afaria Server managed authentication", but first I want to make the Android devices run. For this reason I haven't done this yet.
    I followed these steps:
    1. Create a new tenant
    2. Configure LDAP integration
    3. Create an inventory policy with authentication required
    4. Create a static group associated to the inventory policy
    5. Create an enrolment policy associated to the static group.
    When I launch the Afaria agent on the device, the user/password parameters are required. After filling in the user/password parameters, the device connects to the server and then the message "user or password incorrect" is shown.
    I have seen the log and it seems the problem is that Afaria can't authenticate this user.
    I validated that Afaria can "see" the LDAP users by creating a user group that contains this user (JimenM99).
    The problem is authentication, because if I remove "authentication required" from the inventory policy, the device enrols correctly.
    Could you please help to solve this problem?
    Thanks in advance.

  • Essbase 9.3.1 and problem with LDAP users

    Essbase 9.3.1 users externalized to Shared Services. Windows boxes. LDAP users set in Shared Services. Provisioned with Essbase rights (administration and specific cube access). Then in EAS have refreshed security from Shared Services. LDAP users show up now in EAS.
    However, when attempting to connect through the Excel add-in or through EAS or through Financial Reports to any Essbase app, receiving an error message that "login fails due to invalid credentials".
    Users setup in Shared services as Native Users are able to access Essbase apps.
    any ideas?

    It came down to a Novell eDirectory LDAP setting: ID Attribute. We had it set to CN (based on a recommendation by an LDAP resource, although the default is GUID and GUID is recommended by the documentation).
    Turns out that Essbase when authenticating the LDAP user was forcing it back to GUID and causing some sort of mismatch.
    Setting the ID Attribute in the LDAP Configuration back to GUID resolved the issue.

  • Sync LDAP users with ECC - Mapping required field

    Hello,
    I want to synchronize SAP ECC users with LDAP users.
    At this moment I succeed in synchronizing all users existing in the LDAP to the ECC.
    But I want to filter the users which need to be created by a specific attribute added in the LDAP.
    I changed the LDAP mapping to add the "required" check on the field corresponding to the specific attribute. But when I use the RSLDAPSYNC_USER program, this required attribute is not considered.
    What can I do to synchronize users which have the specific attribute filled, and not all users?
    Thanks and regards.
    Edited by: Gaetan Bourgneuf on Jun 18, 2008 11:27 AM

    In detail:
    - in the LDAP we have created a specific attribute named "SAP FIELD" (technical name is extensionAttribute10)
    - in the LDAPMAP transaction in the ECC I modified the following entry:
    " USERNAME    |    BAPIBNAME    |    sAMAccountName    | X | X | X | X |   | X |    |"
    by the following new one:
    " USERNAME    |    BAPIBNAME    |    extensionAttribute10    | X | X | X | X |   | X |    |"
    So when I synchronize the LDAP, the LDAP specific extension is required (because it is linked to the SAP username). And if a user doesn't have this specific attribute filled, it's not synchronized.
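    The two LDAPMAP behaviours discussed on this page, as an added Python model that is neither SAP's RSLDAPSYNC_USER code nor part of any post: the "required" flag on a mapped attribute (Gaetan's extensionAttribute10 trick above, which skips entries lacking it) and the "ignore timestamp" / "import" flag semantics from Eric's answer to the opening question. The row columns, the modifyTimestamp values, the SAP_USERS table and all entries are constructed; the EMAIL row and the field names other than USERNAME are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MapRow:
    """One LDAPMAP attribute row (constructed model of the columns shown in the post)."""
    sap_field: str      # BAPI field, e.g. USERNAME
    ldap_attr: str      # directory attribute it is filled from
    required: bool      # entry is skipped when the attribute is empty
    import_flag: bool   # field is written to an already existing user on update

# Original mapping: USERNAME taken from sAMAccountName, so every directory entry qualifies.
MAPPING_DEFAULT = (
    MapRow("USERNAME", "sAMAccountName", True, True),
    MapRow("LASTNAME", "sn", False, True),
    MapRow("EMAIL", "mail", False, False),
)
# Gaetan's change: USERNAME taken from extensionAttribute10; entries without it are skipped.
MAPPING_FILTERED = (
    MapRow("USERNAME", "extensionAttribute10", True, True),
    MapRow("LASTNAME", "sn", False, True),
    MapRow("EMAIL", "mail", False, False),
)

def map_entry(entry, mapping):
    """Build the SAP user record from one LDAP entry; None if a required attribute is empty."""
    attrs = {k.lower(): v for k, v in entry.items()}   # LDAP attribute names are case-insensitive
    record = {}
    for row in mapping:
        values = attrs.get(row.ldap_attr.lower(), [])
        if not values:
            if row.required:
                return None
            continue
        record[row.sap_field] = values[0]
    return record

def plan_sync(directory, sap_users, mapping, ignore_timestamp=False):
    """Classify each directory entry as create / update / unchanged / skipped.

    directory: list of (modifyTimestamp, attributes); sap_users: {USERNAME: timestamp of last sync}.
    An existing user is updated only if the entry changed after the last sync, unless
    ignore_timestamp is set (the 'ignore timestamp' option of RSLDAPSYNC_USER); on update only
    the fields carrying the import flag are written."""
    plan = {"create": [], "update": [], "unchanged": [], "skipped": []}
    for modified, attrs in directory:
        record = map_entry(attrs, mapping)
        if record is None:
            plan["skipped"].append(attrs.get("sAMAccountName", ["?"])[0])
            continue
        name = record["USERNAME"]
        if name not in sap_users:
            plan["create"].append(name)
        elif ignore_timestamp or modified > sap_users[name]:
            written = sorted(r.sap_field for r in mapping if r.import_flag and r.sap_field in record)
            plan["update"].append((name, written))
        else:
            plan["unchanged"].append(name)
    return plan

DIRECTORY = [  # constructed sample: (modifyTimestamp as YYYYMMDD, attributes)
    (20080617, {"sAMAccountName": ["aadams"], "sn": ["Adams"],
                "mail": ["aadams@example.com"], "extensionAttribute10": ["ADAMSA"]}),
    (20080617, {"sAMAccountName": ["bcole"], "sn": ["Cole"]}),      # "SAP FIELD" not filled
    (20080601, {"sAMAccountName": ["cdiaz"], "sn": ["Diaz"], "extensionAttribute10": ["DIAZC"]}),
]
SAP_USERS = {"ADAMSA": 20080615, "DIAZC": 20080615}  # constructed: already synced on 2008-06-15

if __name__ == "__main__":
    print(plan_sync(DIRECTORY, {}, MAPPING_DEFAULT))
    print(plan_sync(DIRECTORY, SAP_USERS, MAPPING_FILTERED))
    print(plan_sync(DIRECTORY, SAP_USERS, MAPPING_FILTERED, ignore_timestamp=True))
```

Because the attribute mapped to USERNAME decides which SAP user an entry becomes, the directory attribute chosen for it (extensionAttribute10 here) should be writable only by directory administrators.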

  • Outlook 2003 + iPhone calendar sync problem solved

    Here is how I solved my sync problem. Seems a lot of people have the same problem here with Outlook sync suddenly not working after it worked fine for a long time.
    I've had Outlook 2003 calendar sync with my iPhone for a few months without any problem, but a few days ago the sync suddenly stopped without any error message. iTunes Diagnostic found no problem and I followed all the steps that Apple outlines to fix the problem but nothing worked (TS2776).
    As Apple asked to, I created a new user account on my Windows machine and setup a few test calendar entries to sync with my iPhone. That all worked fine.
    So I did what Apple doesn't tell you, and I copied my original Outlook Data file (.PST) over to my new user account and tried to sync that one. Now this didn't work. So I knew the problem lies somewhere in my PST file.
    I have then tried to create a new one from scratch in my original Windows account, and copy all the data over. Again, it didn't work. So I emptied the file again, and copied all my calendar entries over to the new PST file in batches (first 10, then another 10, etc).
    What I found at the end is that one single calendar entry I created a few days ago caused my sync to stop working. Once I removed this entry, everything worked fine again. Don't ask me what was wrong with it (I made a backup just in case Apple wants to see it), but now everything works again.
    If you want to save some time to find which one it is, you may start deleting entries that you created just recently before it stopped working.
    Hope that helps.

    Hi, I'm having the same problem. I use Outlook 2003 on Windows XP and until recently my sync (using USB) was working fine. Now it would seem that calendar items are no longer syncing. Can you give any further details of the calendar entry which was causing your problem? I'm wondering if it was added on a certain date perhaps.
    I am running the inbox repair tool to see if my PST file has any problems but would appreciate any other help in the meantime.
    Cheers

  • How to force a new password in portal with LDAP user? external users

    With an external portal (used by agents that do not work for you or reside in your office), company policy is for the password to be changed every quarter.
    If the users are created as LDAP users, how do we force them to change their password when required?
    Is this a custom application that needs to be written, so that when they log into the portal and the quarter has expired, the portal asks them to enter a new password that becomes valid for the next quarter?
    Versus internally deleting and emailing all the users a new password?

    Hi Glenn,
    We are getting one problem: when we create a user in LDAP and log in with that user in Portal, we get the password change screen, but when we create a user in LDAP and then change the password of that user in LDAP, when the user tries to log in to the portal we are not able to see the password change screen.
    But again, if we change the password of that user through Portal, we are able to see the change password screen.
    Can you help on this? How can we force the user to change the password when we are changing the password in LDAP or in the SAP system?
    Regards
    Trilochan

  • IPhone Sync Problems with VISTA After iTunes Upgrade to 7.4

    Upon upgrading to iTunes 7.4 I was unable to sync my Outlook calendar or contacts to the iPhone. Called Apple Support, but they seemed to know nothing about this general problem despite all of the discussions on this and many other tech boards.
    After being told to remove and reinstall iTunes and Outlook, set up a new user account, etc... (none of which worked), I finally concluded that perhaps the .pst file being used by Outlook was simply incompatible with iTunes for some reason (e.g. unsupported recurring calendar items).
    SOLUTION: Create a new Outlook .pst data file. Once created, open up that new file along with the defective .pst file. Then, simply change the view of calendars and contacts in your old calendar such that you can see all of the items in a list. Highlight the items you want to keep and simply click-and-drag them to the new .pst file. This solves all of the sync problems I had post-7.4 upgrade. It takes less than 3 minutes to complete this painless fix.
    This was so annoying for me that I'd be happy to help someone complete this simple task if they need help. < Edited by Host, for your protection, no personal information please. >

    Then it would appear to be an issue with your router. What router? Model? Is the firmware up to date?

  • Error while configuring external LDAP user store with weblogic

    Hi,
    I have WebLogic 10.3 installed and I can access the WebLogic admin console using the weblogic (admin) user. I want to use an external LDAP user store to access the admin console with users present in the external LDAP.
    To do this, I have configured an authentication provider and provided all the required details to connect to LDAP.
    For example:
    Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
    User DN: ou=People,dc=test,dc=com
    Group DN: ou=Groups,dc=test,dc=com
    This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
    In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
    password=xxxxxxx
    username=admin
    Now while starting the admin weblogic server, I am getting the below error:
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Truncated. see log file for complete stacktrace
    >
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    Can anyone please suggest how to resolve this problem? If anyone can, please suggest the exact steps to configure an external LDAP store to manage the admin console via LDAP users.
    Regards,
    Neeraj Tati.

    Hi,
    Please refer to the content below that I found for Oracle 11g in the docs.
    "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
    By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
    The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
    If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
    Now in my LDAP directory, the setup is such that Administrators is a group created under the following hierarchy "cn=Administrators,ou=Groups,dc=test,dc=com" and there is one user added to this Administrators group.
    The problem that I am having is when I modify the Admin role to which the Administrators group should be added, what exactly should I give in the Admin role? Should I give only Administrators or the full DN: cn=Administrators,ou=Groups,dc=test,dc=com ???
    When I give the full DN, it takes every attribute as different, I mean cn=Administrators as different and ou=Groups as different, and shows a message that cn=Administrators does not exist.
    Here not sure what to do.
    Also, if the external LDAP authentication provider is the only provider, then I need to give the user information in the boot.properties file also for WebLogic to boot properly. Now, what should I give there as user? Still the complete DN??
    Regards,
    Neeraj Tati.

  • Itunes 10.2.2.12 - All Itunes 10 Version Sync problems

    I am using a Windows XP PC with the latest service pack, I have a newer 5th Gen 16GB iPod Nano, I now have the latest iTunes 10.2.2.12. Ever since I have had this newer iPod Nano, and with the first version of iTunes 10, nothing but syncing problems. After calling Apple iPod Tech Support, and scouring Apple Help screens and forums, just like Apple Tech Support reps, the recommendation is mostly the same: they have me go through the grueling, time consuming process of uninstalling and re-installing iTunes, which I have done many times; sometimes it would help in syncing, many times not. Also tried other Apple support recommendation tricks with Apple Mobile Device too, and even upgraded to a higher speed USB port; again it would sync for a while and then eventually would start having the same sync problems again, even after updating to the latest iTunes. Errors: iTunes is unable to locate the iPod attached, or The required folder cannot be found.
    When exactly will Apple Tech Support put out a new fully stable iTunes version to correct and remove these problems that occur over and over again, with so many iPod users online?? I am getting so frustrated that I am looking for iTunes and even iPod alternatives to avoid these big time consuming headaches. Anybody have a full solution, or at least a somewhat permanent solution to these iPod sync errors?? Thanks for your time.

    Well, I'm running the same iTunes version on a brand new iMac i7 2.93GHz and I'm constantly having to wait while the old beach ball of death appears. It usually only halts normal operation for 15 to 40 secs, but that's ridiculous enough. I've got 16GB of DRAM and even with no other apps running this happens, and it happens about every 3 mins or so. Crazy.
    9037 songs in the library.
    I guess this is better than iPhoto 9, which crashed and refuses to boot full stop, in spite of several re-installs.
    And I thought the new world of Apple was gonna be rosy. Hmmmm.

  • LDAP User Synchronization : Password

    Hi All,
    I have a question about LDAP User Synchronization to SU01 in ABAP. Does it create an initial password for the users being synced, or does it store the LDAP password in the SU01 password field?
    I have doubts about the second, as LDAP will never return the password in plain text, and password hashing schemes can be different between LDAP and ABAP.
    If it doesn't store the password at all in SU01 for synced users, then how does the user log in to SAP GUI?
    Please let me know.
    Thanks in Advance,
    Sanjeev

    Hi Tim,
    it's not possible to unhash a cryptographic hash function. One of the main properties of each cryptographic hash function is preimage resistance, which means that it's not feasible for a given hash h to find a message m such that hash(m) = h. Even in case it is possible to find this message, you can't be sure that it was the original message because, as we know, a hash function maps a message of arbitrary length to a fixed-size string. Obviously, there are more messages of variable length than messages of one fixed size, so there has to be at least one hash where there are two messages m1 and m2 with hash(m1) = hash(m2) (pigeonhole principle). So it could happen that a user would choose password m1 but your unhashing algorithm would get m2. Obviously, it's highly improbable that a second hash function hashes m1 and m2 into the same hash. Therefore such a solution will never be available, and the only solution is to get the password in clear text and distribute it to each system in clear-text form. As Julius mentioned, this is supported but it has some disadvantages.
    Cheers