LDAP user synchronization using scheduler

Similar Messages

• LDAP User Synchronization : Password

  Hi All,
  I have a question about LDAP User Synchronization to SU01 in ABAP. Does it create an initial password for the users being Synced? or It stores the LDAP Password in SU01 password field?
  I have doubt about the second, as LDAP will never return the password in plain text, and Password Hashing schemes can be different between LDAP and ABAP.
  If it doesn't store the password at all in SU01 for Synced users, then how does user login into SAP GUI?
  Please let me know.
  Thanks in Advance,
  Sanjeev

  Hi Tim,
  it's not possible to unhash cryptographic hash function. One of the main properties of each cryptographic hash function is preimage resistance which means that it's not feasible for a given hash h to find a message m that hash(m) = h. Even in case that it is possible to find this message you can't be sure that that was the original message because as we know a hash function maps message of arbitrary length to fixed size string. Obviously, there is more messages with variable length than messages with one fixed sized so there has to be at least one hash where there are two messages m1 and m2 and hash(m1) = hash(m2) (pigeon hole principle). So it could happen that user would choose password m1 but your unhasing algorithm would get m2. Obviously, it's highly improbable that second hash function hash m1 and m2 into same hash. Therefore such a solution will not be never available and the only solution is to get password in clear text and distribute it to each system in clear text form. As Julius mentioned this is supported but it has some disadvantages.
  Cheers

• How to only synchronize one specific LDAP user group with SAP?

  Hi,
  Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configure in SAP using transaction SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, role in SAP) - or should this be done on the LDAP server side (or is it at all possible)?
  Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
  Thanks, Oscar

  We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
  E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
  Then we also have a constant for the LDAP_STARTING_POINT
  For our AD Group Initial Load we filter according to these settings:
  LDAP_FILTER_GROUPS = (objectclass=group)
  LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
  The above example only reads AD groups starting at the specified OU
  Then in a Job From LDAP Pass the LDAP URL looks like this:
  LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
  I hope this helps
  Paul

• How to use DS 5.2 to create LDAP user ID and password to Login to Sun ONE I

  Hi all,
  I have just install Sun One Web server 6.1, Sun One Directory 5.2 and Sun One Instant Messaging 6.1 together on Win2K advance server. And I have successful launch Sun� ONE Instant Messenger.
  But I can not know, how to create LDAP user ID and password to Login to Sun ONE Instant Messenger???
  Could anyone help me to solve this problem?
  I'm looking forward to receive your reply soon.
  Thanks

  Hi Tuo,
  I think you better ask this in the forum where the ACS experts are, since this does not seem to be a problem on the ASA side.
  hth
  Herbert

• LDAP User sync problem

  Hi,
  I have configured LDAP on NetWeaver WebAs ABAP using LDAP transaction. It is working fine and I am able to sync users from Microsoft AD to SAP Database. But the problem is It is also synchronizing the terminated users from the company, which are not useful. We have 2 entries under base entry need to be synced excluding the terminated users. If I use base entry it taking all users instead I want to sync only users under those two DNs. Is there any way to do this?
  One more Question is I have synchronized all users later I have mapped some fields. For new users I am getting the mapped field updates but not for the already synced users when I run the sync report. Can I update already synced user fields also or do I need to delete all users and start re-sync again?
  Thanks,
  Ajay.

  Hi Ajay,
  Let me see if I understand you correctly:
  1. You're running an LDAPSYNC from AD to ABAP?
  The ldap connector works using the "subtree" method by defaul. It scans all OUs under the BaseDN you specified. If you wish to perorm this scan only on two specific DNs,  ou=department1,ou=users,dc=ldap,dc=corp and ou=department2,ou=users,dc=ldap,dc=corp and not the whole ou=users,dc=ldap,dc=corp, then you need to create two entries in trans. LDAPMAP.
  If you copy your existing entry, it will copy the attribute mappings as well.
  This will require you to run the RSLDAPSYNC_USER report for each of the server settings.
  2. For a one time update, you can run the RSLDAPSYNC_USER report and choose "ignore timestamp" in the "objects that exist both in directory and database".
  This will update the user's info, provided you set the "import" flag for the attributes in the 'synchronization' section for the server (trans. LDAPMAP).
  Best regard,
  Eric

• User synchronization issue between Active Directory and Solution manager.

  Requirement:
  Synchronize the users between Active directory and solution manager system.
  <u>What we did:</u>
  1.     Created RFC connection (LDAP_RFC) for LDAP connector.
  2.     Created new LDAP connector that utilize the RFC (LDAP_RFC).
  3.     Created new logical LDAP Server(CUA).Here we have to maintain the connection
  details to the physical directory.
  4.     We maintained the communication user that is used by the LDAP connector to bind the LDAP Directory Server.
  5.     In transaction LDAPMAP specific SAP data fields, we mapped to the desired
  directory attributes.
  6.     Testing from LDAP transaction working fine. We are able to see the attributes and
  values       from Active directory.
  <b><u>Issue:</u></b>
  When executed the program RSLDAPSYNC_USER for user synchronization from t-code se38 with below selection .
  LDAP Server = CUA (created earlier)
  LDAP Connector = LDAP_RFC (RFC connection created created ealier)
  In the tab: (Object that exist both in the directory and in the Database:)
  Selected: Compare Time Stamp.
  In the tab: (Objects the only exist in the Directory.)
  Selected : Create in Database.
  In the tab(Objects that only Exist in the Database:
  Selected: Ignore Object.
  Result from the report shows that connection to LDAP server is fine and ‘0’(zero) objects in Directory.
  The program does not create any new user in the Solution Manager system.
  Any help on this issue greatly appreciated.
  Thanks & Regards,
  Harish

  where did you see this error ? is there anymore details.
  i think the account you are using for Sync does not have Replicate Directory Changes permission in AD. follow below article and give Replicate directory changes permission.
  http://technet.microsoft.com/en-us/library/hh296982(v=office.15).aspx
  Thanks, Noddy

• Adding LDAP User store to UME

  We need to authenticate users against an LDAP server.  This works fine from the workbench where the UME ContentSource is database_only.  However, the central WebAs (Netweaver 2004) was installed with ContentSource of r3_rw.  According to the documentation, a prerequisite to adding an LDAP user store is: "You have installed a SAP Web Application Server Java where the UME is configured to use the database of the J2EE Engine as data source."  Since our WebAS Java is not configured this way, is there any way, short of re-installing the server, to add an LDAP user store?  TIA,
  Steve

  Hi Steve,
  Once you choose an ABAP data source, there is no going back.
  You can however synchronize the ABAP with the LDAP server. Have the ABAP user management periodically import users from the LDAP server.
  -Michael

• Sync LDAP users with ECC - Mapping required field

  Hello,
  I want to synchronize SAP ECC users with LDAP users.
  At this moment I succeed to synchronize all users existing from the LDAP to the ECC.
  But I want to filter users which need to be created by a specific attribute added in the LDAP.
  I changed the LDAP mapping to add the "required" check on the corresponding to the specific attribute field. But when I use the RSLDAPSYNC_USER program, this required attribute is not considered.
  What can I do to synchronize user which have the specific attribute filled. And not all users ?
  Thanks for regards.
  Edited by: Gaetan Bourgneuf on Jun 18, 2008 11:27 AM

  In detailled:
  - in the LDAP we have created a specific attribute name "SAP FIELD" (technical name is extensionAttribute10)
  - in the LDAPMAP transaction in the ECC I modified the following entry:
  " USERNAME    |    BAPIBNAME    |    sAMAccountName    | X | X | X | X |   | X |    |"
  By the following new:
  " USERNAME    |    BAPIBNAME    |    extensionAttribute10    | X | X | X | X |   | X |    |"
  So when I synchronize the LDAP, the LDAP specific extension is required (because linked to the SAP username). And if user doesn't has this specific attribute filled, it's not synchronized.

• How to force a new password in portal with LDAP user? external users

  With an external portal (used by agents that do not work for you or reside in your office), company policy is for password to be changed every qtr.
  If the users are creating as LDAP users how to force them to change their password when required?
  Is this a custom application that needs to be written so when they log into the portal if the qtr has expired the portal ask them to enter a new password that becomes valid for the next qtr.
  Versus internally deleting and emailing all the users a new password?

  Hi Glenn,
  We are getting one problem when we are creating user in LDAP and login with that user in  Portal that time we are getting Password change screen , but when we create a user in LDAP and change the password of that user in LDAP then when the user tries to  Login to portal that time we are not able to see the password change screen.
  But again if we change the password of that user through Portal we are able to see change password screen.
  can you help on this how we can force the user to change password when we are changing password in LDAP or in SAP System.
  Regards
  Trilochan

• Error at configuring LDAP Synch by using post installation steps of OIM

  Hi All ,
  I am getting error while configuring LDAP synch.......
  i am doing LDAP synch by using following link http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oid_oim.htm#IDMIG4357
  While Running patch_weblogic.sh script i am getting following error
  Error:
  patch:
  explode-archived-apps-was:
  seed-ootb-jobs:
  seed-ootb-jobs:
  [echo] ----> SEEDING OUT OF THE BOX SCHEDULE JOBS AND TRIGGERS
  [java] Exception in thread "main" java.lang.ClassNotFoundException: oracle.jdbc.xa.client.OracleXADataSource
  BUILD FAILED
  /apps/Oracle/Middleware/Oracle_IDM1/server/setup/deploy-files/setup.xml:21: The following error occurred while executing this line:
  /apps/Oracle/Middleware/Oracle_IDM1/server/setup/deploy-files/setup.xml:84: The following error occurred while executing this line:
  /apps/Oracle/Middleware/Oracle_IDM1/server/seed_data/seed-rcu-data.xml:37: Java returned: 1
  Total time: 26 seconds
  *********I can't trouble shoot this error.....because i am not able to find out oracle.iam.scheduler.seed.SeedSchedulerData class is in which jar.
  Please help me to solve this problem
  Regards,
  idmr2

  Open weblogic.profile and change the value for property operationsDB.driver to oracle.jdbc.OracleDriver and retest the issue.

• Assigning roles to LDAP users through BIP API

  Hi.
  My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
  One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
  I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
  We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
  Is it possible to make that assignments through BIP API?
  If not, any other ideas? New ideas or different approaches are welcome.
  Thanks in advance.

  In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
  During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
  I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
  There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
  Let me know if that helps.

• LDAP user no longer able to log in

  We have CQ 5.3 set up using LDAP authentication.  We have one user who has been using CQ with her AD Userid/password for over a year with no issues, but she came in one day and now it's saying her user id and password don't match.
  We've tried on multiple different instances of CQ and she gets the same message every time.  She is able to log into other applicaitons that use LDAP for authentication just fine. We have tried resting CQ to see if that resolves the issue and it hasn't.  I originally thought it was some sort of issue with her LDAP account, but because she can log into other apps, I'm wondering if not? Or maybe there WAS an issue with her account, but it was resolved (she thought maybe her account was locked, so she ran an unlock procedure), but CQ just hasn't caught up to that fact?  This started happening a week ago.

  Hi Jennifer,
  Have you tried running a manual LDAP User sync for the single user (http://localhost:4502/crx/config/ldap.jsp)?  Since the user can login to other systems via LDAP, the problem is most likely with their account in CQ.  Maybe try deleting their account in CQ and re-creating/re-sync via LDAP User sync.
  Hope this helps.
  Ron

• How to find list of users who have scheduling privileges

  I am tryig to find sql to run on discoverer meta data to find which users have acces to schedule workbook. Can someone help please?
  Jiten

  Hi,
  You can use the following sql to see which users have the schedule privilege:
  SELECT PRIV.AP_EU_ID USER_ID, USR.EU_USERNAME USERNAME
  FROM EUL5_ACCESS_PRIVS PRIV,
           EUL5_EUL_USERS USR
  WHERE PRIV.AP_EU_ID = USR.EU_ID
  AND GP_APP_ID = 1012Rod West

• Creation of Public Sector Planning application fails for LDAP user

  The environment is on Windows 2008 R2 & EPM 11.1.2.2.302 of Planning. The creation of "general" planning applications works fine, regardless of the method of creation, Native User/LDAP User or Classic/EPMA. The creation of Public Sector Planning application using Classic Administration fails when using an LDAP user.
  It works when using a Native User. It also works fine if EPMA is used, for both Native as well as LDAP users.
  Our developers are not comfortable with EPMA yet, so want/need the ability to create the applications using Classic Administration.
  Looking at the Planning sysout log, the only error message indicates a timeout with Calculation Manager:
  Calc manager rules initialization failed. Please load and deploy the rules from Calc Manager UI
  ERROR:Error while loading rules in Calc Manager. <HTML><HEAD><TITLE>Weblogic Bridge Message</TITLE></HEAD> <BODY><H2>Failure of server APACHE bridge:</H2><P><hr>No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent.<hr> </BODY></HTML>
  Calculation Manager itself seems to be working fine.
  Any suggestions/thoughts anyone?
  Thanks,
  Andy

  Hi Vivek,
  The LDAP port is open to all the servers in the environment. LDAP users have no issues logging in to any of the tools that they have access to.
  I think it has something to do with how Classic Planning passes the security token to Calculation Manager for an LDAP user. For a "general" Planning app, there is no evidence of such a transfer, because the Rules are created after the app has been created. And there the user logs in directly to Calculation Manager to create the rules.
  When using EPM Architect, it would lead to reason that such a token is also passed, however, that mechanism does not seem to have any trouble.
  This is the first time I am using a pre-packaged application like PSB, and have so far worked with only with "general" Planning apps. Wanted to see if anyone else has created PSB apps using external users successfully, so I can trade environment notes and may be come to a cause/solution.
  Thanks,
  Andy

• Server App not seeing external LDAP users & groups

  I have a clean 10.8.2 + Server install set up with our standard external LDAP directory (Novell's eDirectory in our case) configuration that is known to support Lion & Mountain Lion client LDAP authentication. With this same configuration on OS X 10.8.2 Server both Directory Utility and WGM can see all the LDAP users and groups as expected.
  When I look for the external users & groups in the LDAP domain under the Server App "Accounts" heading I cannot see any entries in either users or groups lists. Should I be able to or is this a Server App quirk?
  I can add individual LDAP users to a local group and enable access to individual services. How can I give access to services to all LDAP users without having to build & maintain a massive "All LDAP Users" local group?
  Is there a published list of required LDAP attributes for users & groups for Mountain Lion Server? I suspect there are new requirements over and above those for 10.6 server but I have failed to find a good reference. I've noticed I get different behaviours for LDAP templates that includes a mapping for GeneratedUID to one which does not for example.
  This is all so much more opaque than our superbly reliable Snow Leopard servers!
  TIA

  Ok, and again:
  You want to see Users and Groups , which are stored in an third Party directory service like OpenLDAP, in your Server.app? This is what you have to do:
  Connect the third party ldap to your server
  Have all your external LDAP entries made so you can see them in the Workgroup Manager and are able to Login with them
  When you see your LDAP-entry in the Directory Manager, change it from "From Server" to "RFC2307"
  Edit the entry, add the following mapping to it:GeneratedUUID maps to apple-generateduuid
  To your group and user entries in the external LDAP add the follwing attribute:apple-generateduuid gets the value taken from the output of "uuidgen"
  Feel lucky
  And there ist ist; now you are able to use The accounts taken from an external LDAP.