SAP HR - Active Directory encoding
Hi,
We're exporting data from SAP HR to Active Directory (we've followed this link).
Our ECC5.0 system is not Unicode enabled, the database is in iso8859-2 encoding.
Does it mean that if we send data through SPLDAP_RECEIVE_ATTRIBUTES module, that it will be sent in iso8859-2 encoding?
Is the default encoding for abap programs the same as in the ECC5.0?
I'm asking this because after export in Active Directory all the Polish characters such as ąęółćśżź are
not being displayed correctly. Maybe it has something to do with the Active Directory encoding?
Regards,
Ladislav
Edited by: Ladislav Pomezny on Nov 17, 2008 2:44 PM
Any ideas?
Similar Messages
-
Can you authenticate user/password from SAP to Active Directory
I don't want to implement SSO for ABAP because my company doesn't have the license for "SAP NW Single Sign-On"; but we would like to authenticate our users and their passwords to active directory. Our goal is to make sure the user/password in SAP is the same as their Active Directory user/password. Is this possible?
Thanks!This has been discussed many times, for example see SSO with LAN UserID/Password. The short answer is no, you can't synchronize passwords. You can however achieve the requirement assuming you are using Identity Management to provision users and passwords to all systems (AD, SAP, etc). In that case you will have to deal with users changing their password. Recommendation is to enable SSO. If you don't want to get licenses for NWSSO, try to look at other options (X.509 certificates, SPNEGO in AS JAVA and then issue a Logon Ticket, 3rd party solution, etc).
-
Hi,
It´s possible to integrate the sap sb1 login with the Microsoft Active Directory?
Best Regards,
TiagoHi Tiago,
I don't think that is possible. Simply because, B1 has to set and maintain its own user profiles. Could you list the advantages and disadvantages if the future version works like you want?
Thanks,
Gordon -
SAP HCM/Active Directory synchronization
Hi,
I am trying to integrate SAP R/3 (master database) to Active Directory.
And Active Directory will be used by rest all systems.Adding of new employee is done at SAP HCM and the same data should be created in Active Directory.
I went through couple of forum threads but did not get the solution,
Integrating SAP HR and active directory services
LDAP/Active Directory synchronization
http://forums.sdn.sap.com/click.jspa?searchID=47039448&messageID=7577288
Please le me know how can achieve this.Your help is greatly appreciated...
Regards,
Rudradev DevulapelliIt is a tool for user data synchronization, provisioning, compliance etc. It is an Java application so it is installed on AS Java.
I have played with it only for a few days and I was able to use it to synchronize some data from AD and ERP. So I guess your scenario would be something like this:
- HR adds new employee,
- IDM synchronizes data between HCM and AD ie. it creates new user in AD,
- user uses AD to authenticate to access, for example, file share.
But IDM can do a lot of things besides this simple example. So I suggest you to go through "Technical Overview Presentation":
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/7037d982-40aa-2a10-e283-a76a9dfc93ab
and "Working with Microsoft Active Directory":
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40bba5aa-50f7-2a10-739d-e48e40730478 -
Creating users in Active Directory through LDAP connector
Hello,
If we need to create users in Active directory using LDAP connector, what are the options for the following:
1) Update back into SAP from AD. LDAP connector updates only in one direction i.e from SAP to Active directory.
2) Can we add additional fields in LDAPMAP which are not standard e.g can we we write our own code to extract data from HR to map the value with an attritube within Active directory?
Regards,
AhmadHello!
I noticed the email in my inbox and understand the reason for deleting it - checked the rules again - no problem with that.
Here is the posting again - sanitized this time.
You can create users in LDAP/AD from SAP without a problem. SAP provides function modules to create/maintain/delete users with LDAP attributes in the correct ou path.
You can also perform group membership assignment in LDAP from SAP if needed.
I have done this quite a few times at different companies that use SAP HCM.
A userid in SAP is created automatically during hiring action with default password e.g. birthday of employee and certain authorization roles based on configured information.
The userid is then created right away in LDAP in the correct ou path (controlled via custom configuration table) and LDAP group membership is assigned.
A job runs every 8 hours to perform delta updates in LDAP.
The userid in SAP and LDAP are locked automatically if the user is terminated using termination action in HR. -
BOBJ SAP Integration with Active Directory SSO via Portal
Hi all,
We are only interating BOBJ with BW/BI and the user experience is as follows:
Users login to the SAP Portal using their Windows Active Directory user id and password to gain access to the portal.
From my understanding at the moment, the way the interation kit works is that the BOBJ system is configured as per the manual importing the SAP roles and SAP users who will access the Crystal reports via either GUI or Portal.
My question is: When creating a Crystal report is created, the connection details use SAP login credentials and in the CMC the SSO option can be set so that the SAP user who has logged onto GUI or Portal can launch the report... this is fine and works as intended taken that the user logged on with his/her SAP login. As per the user experience above, users log in using their AD Login into Portal, and never use GUI, where this in theory is SSO into Portal. So how does one get past the login screens (BOBJ and database) while preserving AD SSO to SAP and BOBJ?
Any guidance, documents or comments will be much appreciated.
Thanks
JacquesHI,
yes it is possible:
take a look at the blogs I did on the install and configuration (specially the SAP Authentication):
BusinessObjects and SAP - Installation and Configuration Part 1 of 4
Install Part #1
BusinessObjects and SAP - Installation and Configuration Part 2 of 4
Install Part #2
BusinessObjects and SAP - Installation and Configuration Part 3 of 4
Install Part #3
BusinessObjects and SAP - Installation and Configuration Part 4 of 4
Install Part #4
BusinessObjects and SAP - Configure SAP Authentication
SAP Authentication
Important here is that:
- the BI System is configured to accept tickets
- the portal and BI system are configured as trusted system
- the SAP authentication is configured
Ingo -
Integration of sap R/3 (4.7) and Microsoft active directory (2003)
Hi All,
I would like to know integration of sap R/3 (4.7) and Microsoft active directory (2003) and also SAP EP and Microsoft active directory. I have been working as a ep consultant with a local bank. I am new for this integration work, So please kindly provide me the steps for integrating these both directories.
Pls help me with this issue.
Thanks in advance,
Regards,
Raghav.Hi,
First You should read:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/bc72b890-0201-0010-3a8d-e31e3e266893
Regards,
Jarek -
SAP R/3 Enterprise 4.7 Sync with Active Directory on Win2k3 server
All,
I'm having a nightmare with this and I'm hoping someone can either confirm my problem or solve it for me.
We are running R/3 Enterprise 4.7 (Web AS 6.20) and would like to sync the users with Micsoroft Active Directory 2003.
We are exploring the option of using full Active Directory schema expansion for the SAP sync. i.e. so we have all SAP related fields in AD.
According to the SAP notes, I need the WEB AS 6.10 installation CD so that I can run R3SETUP to perform the Active Directory schema modifications.
I have tried to download this from the SWDC with no luck.
So I guess my questions are:
1, Do I really need the 6.10 install cd (it seems it's only the ADSINIT.R3S file).
2, If I do, where can I get it from?, do I need to order it through our SAP contract manager?
In the meantime, I have tried performing the manual schema extension using the RSLDAPSCHEMAEXT report, uploading this to the AD server and running "ldifde" command.
This has extended the schema (or so it says), but I can't see any SAP icon in the AD tree. Have I missed something?
Any help appreciated.
Thanks,
DarrylRainer,
Thanks for that.
I have been re-reading note 793191 and question 14 says exactly that.
I will checkout JXplorer.
I have found a couple of MS technet articles on how to add your own context menus to the snap-in but it seems like a lot of effort for no real gain.
Thanks again.
ps. awarded points -
SAP R/3 4.6 C Integration with Active Directory
Dear Friends,
We have a requirement to Integrate Active Directory User Authentication to SAP User authentication. Currently we are using following systems in our organization:
SAP R/3 4.6 C Kernel 46D
SAP ECC 6.0 with EHP4
Currently users are logging into Individual SAP systems with ther own User ID and passwords and they need to remember all the system passwords.
We are not looking for EP for SIngle Sign on.
Do we have any option to Integrate Active Directory User authentication with these 2 SAP systems using SSO method ?
Regards
GrahamHi Graham,
Depending on the server OS (Linux, Solaris, Windows, etc) and client (web browser, SAP GUI, etc), you can accomplish this several different ways ranging from using features provided by SAP directly ([SAP GUI and Windows to Windows|http://help.sap.com/saphelp_nw70ehp2/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/frameset.htm] for example) or by [several third party vendors|http://ecohub.sdn.sap.com/irj/ecohub/solutions?query=%22active+directory%22].
Please let us know what OS and clients are you working with and I'm sure we can point you in the right direction.
Thanks!
Kyle -
SAP R/3 Authentication with Active Directory on Win2k server.
Hello list ,
We are running SAP R/3 4.7 with WebAS 6.2 on Solaris and a Windows 2000 Active Directory domain. Our users access SAP in 3 ways
1) SAP GUI .
2) SAP BW
3) Travel & Expense - a java application that records users travel details and posts a transaction to SAP using the SAP userid and password.
Wish to implement SSO for all our users.
Some research we have done suggests
1) Using Kerberos for authentication. while it appears that microsoft krb 5 implementation will work only on windows servers, it is not clear how well are other krb implementations supported by SAP. OSS note # 150380 and link http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm
2) OSS note # 352295 suggest there could be some issue using KRB 5 shipped with unixes.
"All of the major Unix vendors seem to be shipping a version of Kerberos 5 these days. These implementations should be wire-interoperable with each other and with Microsoft W2K (not necessarily W2K3!), however they may not be interoperable with SAP's shared library interface to GSS-API v2 mechanisms."
3) There are some commercial solutions like - CyberSafe that provides krb based SSO at a fee. Has anyone tried this software ?
I have created an OSS ticket but we are still in a queue since 5 days already.
Has any one from the list implemented a similar solution ? What are the best practices and way to go for a robust solution.
4) Another option that we have is to start with user synchronization. Where in Users created in Active Directory get synchronized with SAP .
What is mandatory for us is that Users marked disabled in Active Directory should be blocked in SAP by synchronizing user information at regular interval. If anyone has implemented this solution I will appreciate if they give me some pointers.
Thanks in advance.
Harsh BusaTim,
you are perfectly right: that Vintela product is not certified (as SNC solution).
But you are not quite right regarding the separate treatment. The major difference between that product and the SNC certified products (such as CyberSafe, Entrust, ...) is: Vintela uses different SNC libraries on the client side (=> our Windows SSPI wrappers, see <a href="http://service.sap.com/~iron/fm/011000358700000431401997E/352295">SAP note 352295</a>) and the server side (=> their own SNC library, not certified). And that is actually also one reason why that solution cannot be certified ...
Well, those Windows SSPI wrappers provided by SAP (=> gsskrb5.dll, for example) are also not "SNC certified", but SAP provides support (being in contact with Microsoft). Well, as some people might know, there are also some interoperability issues between different Microsoft OS versions ... - resulting in reactive patches of our SSPI wrappers.
I really do <u>not</u> want to promote <u>any</u> product - neither the one of Quest Software Inc., nor the one of <a href="http://www.cybersafe.ltd.uk/">CyberSafe Ltd</a>, nor <a href="http://www.entrust.com">Entrust Inc.</a>, nor <a href="http://www.secude.com/">SECUDE IT Security GmbH</a>, nor ...
I do not even want to disencourage anyone from implementing his own Kerberos-based solution (or any other solution which provides an GSS API), provided that this person is able to help himself. Reason: if products of different vendors are used and interoperability problems occur the usual finger-pointing will start. In the end you'll not get support by anyone ... - as long as you are aware of this (and capable of helping yourself) you can go ahead. Some (known) universities are belonging to that group ... - but it might not be appropriete to the vast majority of customers. -
Dear all,
I am looking to setup the use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature. We SSO to the backened ABAP AS via an SAP NW Portal to which SPNEgo kerberos authentication is setup. Today we specify R3 user id/password to digitally approvae a lot release. The idea is to have users maintain one AD password and don't have to remember the R/3 password anymore and also our Security team to avoid password maintenance.
I know there are 3 options for digital signature and
System signature with authorization by user ID and password (We use this currently)
Digital User signature with verification - (We would like to use this with AD userid/password, so the system still ask the users their AD userid/password for the authentication when they try to "sign" a document.)
User signature without verification
Do you think there is a way to configure the system in order to ask and check the active directory userid/password instead of SAP R/3 password? Where can I found documentation about it ?
I have several different versions of AS ABAP starting from NW 7.02 to NW 7.31.
My active directory is based on Windows 2008.
Thanks in advance!!
DheeActually enabling Kerberos for SSO purposes and enabling Kerberos for digital signatures are two different topics although the latter is because of the former. I'm interested in the topic as well and I'm currently looking at different options. SAP provides a BAdI for the digital signature API which can be used for external authentication but they do not provide the solution to invoke Kerberos authentication based on username and password. SAP provides a semi solution with NWSSO 2.0 SP2 which works only on Windows with classic dynpros meaning SAP GUI for Windows is assumed. The solution is based on an ActiveX component which does the actual Kerberos authentication using the Secure Login Client which is part of the NWSSO suite. Extending that implementation to non-Windows and non-GUI applications would require some sort of web enabled service that could be used to authenticate the user with username and password. In case authentication is successful, a Kerberos token would be returned to SAP which would then be validated. All the required pieces are there since SAP has Kerberos support now in both stacks of the NetWeaver Application Server, some bits are still missing though which leaves customers looking at 3rd party or custom solutions.
-
SAP User Authentication via Windows Active Directory
The non-profit company I work for as an SAP Security Admin has been using SAP since 1999. We are currently running ECC 6.0, BI 7.0, and CRM 7.0. With fewer than 300 SAP users, we have not implemented CUA, so each of our multiple clients in these systems is managed independently.
The company recently licensed and implemented some non-SAP software to be used by all of our employees (~1200) in keeping track of & catagorizing their work time; a very handy feature of this software is that it depends upon Windows Active Directory for user authentication. Therefore, each employee logs into this time-keeping package by entering his/her standard PC userID & password. If you can log onto your PC, you can log into the time-keeping software.
That got me thinking & researching, because our SAP users - especially those who have access to three or more SAP clients - must maintain their passwords independently in each SAP client that they hope to access in the future. I'm certainly not the first person who has thought of how nice it would be to permit SAP users to log into all SAP clients across the landscape in which they have defined userIDs, using the same password that they are using to log into their PCs (i.e., the password that is stored & maintained in Windows Active Directory). My quest has led me to find presentations on this topic that typically involve modules we aren't using & very complicated configurations that we really lack the time & resources to employ; or, to third-party solution providers who claim to be certified SAP partners who would love to sell us more software to provide this convenience, usually irelated to single sign-on, LDAP, etc. The lowest pricing tier for such software usually would cover many times the number of SAP users we have to serve here - and it feels like trying to push in a tack using a sledgehammer. It is true that we have not used the same userID for our PCs that we have defined in SAP, so there would need to be some way to translate from one to the other, but our PC password rules are consistent with those we have configured in SAP clients, so it seems to me it should be very simple. Can anyone lead me to a more straightforward solution? If not, can you articulate why this has to be so complicated using SAP software when it seems so simple using relatively inexpensive timekeeping sotware?>
Gagan Deep Kaushal wrote:
> Hi Tim,
>
> Its nice to see video.
>
> Is that mean using different username on OS and SAP level still we can achieve SSO.
>
> Correct if if am wrong.
> The only thing we need to maintain SNC name.
Once installed, yes. This is all you need to maintain when users are added. You can even use LDAP if you like to sync all user info between SAP and MS AD domain, but this cannot sync the password, so using SNC authentication instead of using SAP passwords is ideal.
>
> So for user test1 i can manage name as p:test2..... ??
Yes, that is correct. The mapping is maintained using standard SAP user management, such as su01. The user in AD domain might have long account name, e.g. "firstname.verylonglastname" which is too big for use as a SAP username so you can map this long AD account name onto a SAP user called FIRSTLAST in one or more SAP clients.
>
> I think that is what Ronald is also looking, user name need not to be same.
>
> Regards,
> Gagan Deep Kaushal -
SAP ECC 6.0 / Active Directory Password synchronization
Hello,
We have a need to synchronize our users Windows passwords (AD) to our SAP systems (ECC 6.0, BW 3.5, and SCM 5.0). We do not use CUA and currently do not use a Portal and are not looking at doing SSO. We simply want to have one repository (AD) that will manage passwords for our Windows apps as well as our SAP systems. So far, we have not found a way to do this. SAP Note 603208 says this kind of synchronizing is not possible due to encryptions, among other things. However, we did find a white paper that stated the following:
~snip
<i>The Management Agents delivered with MIIS generally support password management: <b>they can take a password from some source (either from a user password change from the Windows interface, or from a self-service web-based password reset interface) and can set the same password in the various connected systems</b>. The Management Agent developed by Oxford is no exception. To change a password in an R/3 System the Susr_User_Change_Password_Rfc function can be used, but this is only possible if the old password is known and the SAP system allows the password change for this user. In cases where the old password is not known (for example the setting of an initial password) the password can be reset using the BAPI_User_change function.</i>~snip
Does anyone have any information on how we can achieve the password synchronization between Active Directory and Abap-based SAP Systems?
I very much appreciate your time and help.
PaulPaul,
You can achieve this using "common authentication". Since Active Directory uses Kerberos, if you allow your SAP systems to support Kerberos authentication as well, then you will be able to logon to Windows workstation, and use the Kerberos credentials issued by Active Directory during this logon to log the user onto SAP.
This is common, and easy to acheive. You need to use the SNC capability which is provided in SAP GUI and also in SAP ABAP engine, and you also need a GSS-API library for both workstations and for the SAP servers that implements the Kerberos protocol. If your SAP server is running on Windows Servers then you can get this GSS-API library from SAP, but if (like many companies) you are running SAP ECC, BW, SCM etc. on UNIX or Linux servers then you need to license a third-party product which provides the GSS-API library etc. I represent a vendor (CyberSafe) that provides this exact product, but you can also find other vendors by looking on SAP partner website, under SNC certified products list. If you want to find out more about our product, please ask me offline by getting my email address from my business card.
I hope this helps. Of course, if there are any questions for me related to this which are appropriate for public viewing then please ask them via this forum instead of via email.
Regards,
Tim -
Active Directory cn field not updated from sap HR using ldap.
Hi,
Apologies if this is in the wrong forum area.
I am using the LDAP facility to create and modify Active Directory records from sap HR. Initially, the name field cn that was coming across into AD was in the format of the logical system and employee number, eg, RD4CLNT22000000711.
I then implemented the BADI HRLDAP_ATTRIBUTES which then changed this name field cn in the active directory listing to the format; surname, forename.
It works fine when I create a new user, however the problem comes when I update the persons name in the sap hr module. The data that comes across into Active Directory shows the change to the persons surname sn, forename and displayname fields is there but the cn field is still showing as the previous name.
In short, when a new user is created, the cn field in active directory is correct
(surname, forename) but when the employees name is modified, that change is not brought across to the cn field even though the surname, forename and displayname fields are updated correctlyon AD.
We are on release 4.70.
Anyway, if anyone could help I would be very grateful.
Thanks
DavidHi
The problem it is causing us is that the cn field is incorrect and does not mirror the change in sap HR, therefore the Active Directory entry for the employee is not totally accurate.
When an employee changes their name in SAP HR - usually their surname, we would then want to update the employees active directory account to show this change and this includes the cn field also. At the moment the firstname, lastname fields do get updated with the change so we would want the cn field to show this as well otherwise the cn field would be incorrect and not match up with the employee's AD firstname & lastname fields.
Dave -
Import Active Directory Data into SAP HR
We are currently working on updating user data in Active directory from data stored in SAP HR via the LDAP Connector. This is working great! The question is what is required to make this happen the other way around. Ex Employee email address is stored in AD and we want to update IT105 email address from Active directory.
Thanks in Advance!
Tariq KhanHello Tariq,
I am also trying to find out the way for flowing data from AD to SAP HCM IT0105.
If you found the solution, it would be a great help if you could pls share the solution.
Hoping for the favorable response.
Thanks in advance.
Best Regards,
Tauseef
Maybe you are looking for
-
Changes to Purchase Order in SRM
Hello, I have a requirement for a report in SRM which should update the account assignment in SRM-PO with the new WBS Element / Fund. Now, I am little new to SRM programming. Could some one give me detailed steps as to what FMs do I need to use and h
-
XML Reports end with WARNING Status, Using Virtual Hostname by Veritas HA
Dear Experts, We have upgraded our Application from 11.5.10.2 to R12, 12.1.3. Now in the Upgraded Application we are unable to open/view any of the XML based Concurrent Reports. All the XML Concurrent Reports are ending in Status WARNING. When we cli
-
ADSL via Motorola SBV 5220 plugged directly into my Vista PC and works fine. Plugged into brand new MacBook Pro Snow Leopard... nothing. Tried all the usual resets and reboots... nothing. Purchased airport express... same problem. No IP address... se
-
Installation of acrobat pro on dell workstation precision t3600 with the raid and Widows 7 Professional was interrupted with a request to insert DVD, even though DVD was already in the tray. Thank you for your help.
-
I would like to know if exists a way of to call external program in windows ce. I'm using cvm J9.