HCM to IDM Connection Problem

Former Member
0 Kudos

I'm working on connecting HCM (SAP ECC 6.0) with IDM (IDM 7.2) by referring to the document IDM for SAP System Landscape Configuration Guide.

I have done all the steps, everything ran fine up to the report that should transmit the data to the VDS and Identity Center (RPLDAP_EXTRACT_IDM).

I get the meaningful error message:

LDAP connection to Server LDAP_IDM_NEW could not be made

Message no. HRLDAP020

The LDAP connector, the RFC connection and the connection to the LDAP server are working just fine.

I can connect to the VDS with the communication user "hruser".

I also can find entries in the VDS. But in TA LDAP --> LogON --> Create I get the message: Authorizations are insufficient. My system user has write permission too!

I'm not 100% sure about some things:

RFC Destination:

Accepted Solutions (1)

Former Member
0 Kudos

Additionally, check the Operations log of the VDS; there may be some clues in there if the above doesn't help.

Former Member
0 Kudos

How can I find it?

Active Contributor
0 Kudos


In 7.1 / 7.2 -- Click on the Operation button in the VDS toolbar. You can adjust Operation Log settings by clicking Configure -> Logging -> Operation Log.

If you're using VDS 7.0, you'll need to edit the standalonelog.prop file as mentioned here:

Hope this helps!


Answers (1)

Former Member
0 Kudos

In the pics you sent, your setup looks good.

9 times out of 10, the problem is the mapping attributes you created. You have to go through them one by one and make sure there are no typos and that you have the correct attributes mapped from the query to what it's sending to VDS. There are 2 transactions to fill out (tcode hrldap_map) and then also the mapping you create in tcode LDAP. If you used the xml import method in the 2nd mapping step, I can almost guarantee you that's the problem.

Former Member
0 Kudos

Of course I did the xml method^ ^

Is it necessary to use all fields in hrldap_map or only the "active" fields for the query in (tcode) SQ01 (The green highlighted)?

I'm very insecure about the mapping!!!

Former Member
0 Kudos

Ok, first things first, start with the hrldap_map transaction, and you're correct, you only have to map the "active" fields that are brought in. When you enter this function it will ask you to type in the query and then it will only bring in the active fields. Go through the fields carefully, one by one - make sure there are no typos and that every single field is filled out.

After you're done, copy everything into a spreadsheet, because you'll need to use this in the next step, LDAP transaction mapping.

Now when you get into the LDAP mapping section, you will have the same number of fields + 1 (I might be wrong there but that's what I remember). Go through each field one by one. Every field that you have in your spreadsheet needs to be in the LDAP mapping transaction, no more, no less. I don't use the xml method because it never works. I manually type everything in so I don't miss anything.

Hope that helps.  If you're still having trouble after this, there are some logging transactions we can look at.

Former Member
0 Kudos

Thank you for your reply.

Now I perform the mapping manually. What an act!

The problem is still the same.

Read access works:


UserName:hruser_|_ClientIP:IP_of_SAP_HCM_|_UserGroup:Authenticated_|_StartingPoint:o=idstore_|_OperationType:SEARCH_|_OperationSubType:sub_|_Filter:(objectclass=*)_|_RequestedAttributes:_|_ReturnedEntries:1_|_Fetched from cache: false_|_ResultCode:0_|_ResultMessage:(IC Identity store:0:OK)_|_Operation duration (ms):14748_|_System load (engines):1

I get a response in the SAP System.

But write access does not work. Perhaps this is also the problem of data transmission with the report RPLDAP_EXTRACT_IDM.

UserName:hruser_|_ClientIP:IP_of_SAP_HCM_|_UserGroup:Authenticated_|_DN:o=idstore_|_OperationType:ADD_|_ResultCode:50_|_ResultMessage:Insufficient access_|_Operation duration (ms):1_|_System load (engines):1

Looks like a permission problem. But maybe the message is misleading?
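
The two operation-log lines quoted in the post above can be compared mechanically. The following Python sketch is an added example, not part of the original thread and not SAP tooling; it assumes the `_|_`-delimited `Key:Value` layout shown in the post and names result codes per RFC 4511, where 50 is insufficientAccessRights.

```python
# Added example: parse VDS operation-log lines ("_|_"-delimited Key:Value pairs).
# LDAP result-code names per RFC 4511 (subset).
LDAP_RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                     50: "insufficientAccessRights", 53: "unwillingToPerform"}

# The two lines posted in the thread, with the poster's IP placeholder unchanged.
SAMPLE_LOG = (
    "UserName:hruser_|_ClientIP:IP_of_SAP_HCM_|_UserGroup:Authenticated_|_StartingPoint:o=idstore_|_OperationType:SEARCH_|_OperationSubType:sub_|_Filter:(objectclass=*)_|_RequestedAttributes:_|_ReturnedEntries:1_|_Fetched from cache: false_|_ResultCode:0_|_ResultMessage:(IC Identity store:0:OK)_|_Operation duration (ms):14748_|_System load (engines):1\n"
    "UserName:hruser_|_ClientIP:IP_of_SAP_HCM_|_UserGroup:Authenticated_|_DN:o=idstore_|_OperationType:ADD_|_ResultCode:50_|_ResultMessage:Insufficient access_|_Operation duration (ms):1_|_System load (engines):1\n"
)

def parse_line(line):
    """Split one operation-log line into a dict of field name -> value."""
    fields = {}
    for part in line.strip().split("_|_"):
        key, sep, value = part.partition(":")  # first colon only; values may contain ':'
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_log(log_text):
    """Return parsed records, skipping lines without an operation and numeric result."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("ResultCode", "").isdigit() and "OperationType" in rec:
            code = int(rec["ResultCode"])
            rec["ResultName"] = LDAP_RESULT_NAMES.get(code, "code %d" % code)
            records.append(rec)
    return records

def access_summary(log_text):
    """Map (user, operation type) to the set of result names seen for that pair."""
    summary = {}
    for rec in parse_log(log_text):
        key = (rec.get("UserName", "?"), rec["OperationType"])
        summary.setdefault(key, set()).add(rec["ResultName"])
    return summary

def denied_operations(log_text):
    """List (user, group, operation, target DN) for requests rejected with code 50."""
    return [(r.get("UserName"), r.get("UserGroup"), r["OperationType"],
             r.get("DN") or r.get("StartingPoint", ""))
            for r in parse_log(log_text) if r["ResultName"] == "insufficientAccessRights"]

if __name__ == "__main__":
    print(access_summary(SAMPLE_LOG))
    print(denied_operations(SAMPLE_LOG))
```

On the posted lines this shows the same user and group succeeding on SEARCH and being rejected on ADD at `o=idstore`, which is the server's own access decision rather than a transport or bind failure.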

Former Member
0 Kudos


That error message is a new one for me.  The good thing is that it's getting to the VDS server.  When the mapping is wrong, it usually won't get that far.

Looks like hruser is created correctly but can you double check you did create the hruser in the VDS configuration correctly?

So if the hruser is in the VDS and they're able to log in, then maybe the permissions error is elsewhere.

So go over to the MMC, any error logs there?  When you created the VDS configuration, did you make sure to point it at the HCM Staging area Id Store rather than your SAP_Master id Store?