LDAP Sync - Filter Options

Former Member
0 Likes
4,096

Hi @all

First of all, I am not an SAP guy. Hopefully you will support me too.

We are trying to use our LDAP directory as a single point for "basic user information administration".

This means: all our basic information like surnames, given names, SAP logon name (equal to the samaccountname), tel, and so on is administered in the LDAP.

Now, in our test environment, we used the LDAP-SYNC report to synchronize the users and the necessary attributes from LDAP to SAP. This works fine.

But this report always sync all users!

In our case, we need to set a filter for all our sap systems.

This means: not all of our LDAP users are in all of our SAP systems. I must use a filter option.

I understand there are two ways to do this:

The first way is to put all users into a separate OU in the LDAP, e.g. all IS-U users in OU IS-U, all SRM users in SRM and so on. This doesn't work for us, because many customers are in multiple SAP systems.

The second way is to use a separate LDAP attribute, e.g. to extend the LDAP schema with attributes like sapsrmusername, sapisuusername and so on. Then I can use the filter option in the ldap_map report.

But we don't want to extend our LDAP!

My plan is to use a filter in the RSLDAPSYNC_USER report by LDAP groups, e.g. to use the "memberof" attribute or something else. Like: sync a user only if the user is a member of the LDAP group SRM.

But I can't find any option to do this.

Is it possible to filter by a membership?

There are two options in RSLDAPSYNC_USER for which I can't find definitions.

1.) "Use User Selection in LDAP Search Filter"

2.) User group (from / to)

Does anyone have an idea for me?

Best regards

9 REPLIES 9
Former Member
0 Likes
2,409

Are you pushing AD users to SAP?

It sounds like you do not want to create AD/LDAP users in SAP and only want to sync SAP users with LDAP.

If that is the case, then you can set this function in the SAP configuration in transaction LDAP.

0 Likes
2,409

Are you pushing AD users to SAP?

Yes, I want to do this.

It sounds like you do not want to create AD/LDAP users in SAP and only want to sync SAP users with LDAP.

No, I want to create AD/LDAP users in SAP. And this works fine, but only for all users in the LDAP, or better, in the defined OU and sub-OUs.

But I want to select the users by an LDAP group membership.

The goal:

All users in the LDAP group "SRM" should be created and synchronized in our SAP SRM

All users in the LDAP group "ISU" should be created and synchronized in our SAP ISU

and so on...

I hope this is much clearer.

0 Likes
2,409

I am not an AD/LDAP expert; however, there should be a way to flag users in AD as SAP users, and if you even want to filter SAP users based on SRM, ISU, you can then explore group-specific user sync with SAP.

Former Member
0 Likes
2,409

Hello Sascha,

have you solved the issue?

I need the same configuration, but I didn't find any solution.

Thanks

Matteo

0 Likes
2,409

Hi Matteo,

take a look at the "memberOf" filter option. You can create a filter like (&(objectclass=*)(memberOf=CN=MyGroup-Name,OU=Groups,OU=SomeOU,DC=localdomain,DC=local))

Best regards,

Andy

0 Likes
2,409

Hello Andy,

in report RSLDAPSYNC_USER it is not possible to put an LDAP filter...

And also in transaction LDAPMAP I can't discover how to make an LDAP filter.

Please take into account that I have a pure ABAP environment.

Regards

Matteo Stocco

Former Member
0 Likes
2,409

There are two options in RSLDAPSYNC_USER for which I can't find definitions.

1.) "Use User Selection in LDAP Search Filter" -> The program only takes the users defined in the selection list.

2.) User group (from / to) -> You can define the user group that you want to exclude.

We are testing the sync of first name, last name, user group and valid-to date from AD to SAP user master data. It works fine with test IDs (15-20 users), but when we execute the program RSLDAPSYNC_USER for ALL the users (keeping "User selection in LDAP Search Filter" empty), the program generates the error message "Maximum number of find results exceeded" LDAPRC 004.

SAP recommended reviewing OSS note 511141, but we are still not clear what the OSS note is asking us to do.

Thanks

Pranav

0 Likes
2,409

Hi guys,

ABAP system, no IDM available.

Tcode: LDAP

Using the LDAP search with the filter (&(objectclass=*)(memberOf=CN=sapuserstest,OU=SAP,DC=XXX,DC=IT)) I am able to get all users that are members of a specific AD group. The query works properly!

So now I want to import those users with RSLDAPSYNC_USER, where I was not able to set an LDAP filter.

My goal is to import users from AD into the SAP DB, but only those users that, based on an LDAP filter, are memberOf a specific AD group.

Is there any chance to do that? Importing only users that are memberOf a specific AD group, exactly as the LDAP search does using the filter.

Thanks in advance for your contribution.

0 Likes
2,409

Hi Michele,

I have exactly the same need as you: select users from a specific AD group and create/modify them in the SAP ABAP system.

After several hours (…) I have understood that the filter used by report RSLDAPSYNC_USER comes from the attribute defined as filter in transaction LDAPMAP.

This can be checked by generating a trace using the report RSLDAPTRACE.

So, the need is to map the AD attribute “memberof” to an attribute from the SAP userid structure.

It seems easy, but I haven’t yet managed to do it!

As soon as I find a solution I’ll keep you in touch.

Also, if you manage to do it I’m interested in the solution.

Alain
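
Added example (not part of any post in this thread, and not SAP code): a Python sketch that builds the per-system memberOf filter discussed above with RFC 4515 escaping of the group DN, and previews offline which users a group-scoped sync would pick, including users who belong to several systems. The helper names, the `DC=example,DC=local` directory and the restriction to person/user objects instead of `objectclass=*` are assumptions; the `nested` option uses Active Directory's matching rule OID, because a plain memberOf comparison only matches direct members.

```python
import re

IN_CHAIN = "1.2.840.113556.1.4.1941"  # Active Directory rule: follow nested groups

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a filter assertion value."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def group_filter(group_dn, nested=False):
    """Filter for person/user objects in group_dn (narrower than objectclass=*)."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return ("(&(objectCategory=person)(objectClass=user)"
            f"({attr}={escape_filter_value(group_dn)}))")

def norm(dn):
    # Simplified DN comparison: case-insensitive, ignores spaces around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def preview(entries, group_dn, nested=False):
    """Offline preview: sAMAccountNames of users the filter would select."""
    by_dn = {norm(e["dn"]): e for e in entries}
    target = norm(group_dn)

    def member(entry, seen):
        for g in map(norm, entry["memberOf"]):
            if g == target:
                return True
            if nested and g in by_dn and g not in seen:
                seen.add(g)
                if member(by_dn[g], seen):
                    return True
        return False

    return sorted(e["sAMAccountName"] for e in entries
                  if e["objectClass"] == "user" and member(e, set()))

# Constructed sample directory (hypothetical names, not from the thread).
GROUPS = "OU=Groups,DC=example,DC=local"
SRM, ISU, BUYERS = (f"CN={n},{GROUPS}" for n in ("SRM", "ISU", "SRM-Buyers"))

def user(name, *groups):
    return {"dn": f"CN={name},OU=Users,DC=example,DC=local", "objectClass": "user",
            "sAMAccountName": name, "memberOf": list(groups)}

ENTRIES = [user("alice", SRM, ISU), user("bob", SRM), user("carol", ISU),
           user("dave", BUYERS),  # reaches SRM only through the nested group
           {"dn": BUYERS, "objectClass": "group",
            "sAMAccountName": "SRM-Buyers", "memberOf": [SRM]}]

if __name__ == "__main__":
    for dn in (SRM, ISU):
        print(group_filter(dn), preview(ENTRIES, dn), preview(ENTRIES, dn, nested=True))
```

Scoping each system's import to its own group keeps accounts from being provisioned in systems the user does not need, and a user such as `alice` can still appear in both SRM and ISU.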