For an overview of Duet Enterprise 1.0 User Mapper, refer to the following post:
[User Mapping in Duet Enterprise 1.0 | User Mapping in Duet Enterprise 1.0]
For a production installation of Duet Enterprise, it is recommended that user mapping be done using an LDAP directory. This ensures that valid SAP user IDs are mapped to valid SharePoint user IDs.
Usernames in SharePoint and Duet Enterprise are usually different (for example, in SharePoint: DOMAINADS-User; in SAP: SAPUSER).
This technique can be used if your company stores the SAP user ID in an LDAP attribute. It can also be used if the SharePoint and SAP user IDs are the same; in that case, use the ADS attribute sAMAccountName.
A connection to the LDAP directory is required. Before configuration, you will need to know the following information:
- ADS Domain
- ADS field where the SAP User ID will be stored
- ADS base entry (folder) where users will be stored
The steps are also outlined in the Duet Enterprise SAP Deployment Guide as well as the Duet Enterprise Security Guide found on the SAP service marketplace.
To create the connection, follow these steps:
h3. 1) Create a type T (TCP/IP connection) RFC destination in the SCL in transaction SM59.
*RFC Destination:* RFC-<LDAP System Name>
*Description:* RFC Connection to <ADS Domain name> for LDAP sync
*Program ID:* Prog-
Save it. When you run the connection test, it will fail at first with a Logon Connection Error message.
h3. 2) Create a user for the LDAP Connection
On the SCL, go to transaction LDAP and click System Users
Click edit, then New Entries
Enter the details of the new user
*User ID:* Make up the name of a system user
*Distinguished Name:* Service user to connect to the ADS to read user entries (include domain)
Click on the edit icon next to Credentials and add the password. Click the green check, then save the user.
h3. 3) Maintain an LDAP server (via transaction LDAP)
In the SCL, go to transaction LDAP
Click Edit and then New Entries and enter the following information:
*Server Name:* Make up a name for the server, for example SRV-<ADS system name>
*Host Name:* ADS host name
*Port Number:* Default is 389
*Product Name:* Choose the type of ADS you are using. Use Microsoft Windows 2003 Active Directory (Domain Model) even if you have ADS 2008 (see SAP Note 983808)
*Product Version:* Choose the version of your ADS: LDAP Version 3
*LDAP Application:* Choose User
*Default:* Check this flag
*Base Entry:* The base entry under which the users are stored in the ADS. In our example, if you go to the ADS server and open Active Directory Users and Computers, all our users for Duet Enterprise are in the Duet_Enterprise folder. These are the only ones we want to map to SAP IDs in the SCL. We used the string:
*System Logon:* Use F4 to retrieve the user you created in the previous step
Save the configuration.
h3. 4) To activate the LDAP connection:
In the SCL, navigate to transaction LDAP and click LDAP Connectors
Click Edit and click New Entries.
*Connector Name:* Press F4 and select the RFC destination created in step 1
*Application Server:* Press F4 and select the active instance of the SCL server
*Status:* Select Connector is active
*Trace Level:* Select Trace Off
*Page Size:* Enter a page size (entries per page) if your ADS has more than 1000 entries, for example 200
Click Save and start the connector by clicking the activate button. The *Current Status* icon should change to yellow.
Click Save again; the *Current Status* icon should change to green.
h3. 5) Determine which LDAP attribute contains the SAP User ID.
In this example, we are using the ADS attribute extensionAttribute1.
h3. 6) To configure the user mapping types.
Navigate to transaction SIMGH and select *Service Consumption Layer Administration*
Choose Consumer Settings and select User Mapping Type
Add a new entry and enter LDAP based user mapping, the LDAP server you created in the previous steps and the LDAP attribute to be used for mapping. If the SharePoint and SAP user IDs are the same, enter the attribute sAMAccountName. Otherwise, enter the attribute from step 5.
h3. 7) Run the user mapping tool.
Navigate to the Service Consumption Layer Administration IMG and select Map SAP User Names to Consumer
Enter the following information
- SCL client
- User – you can run for a range of SAP user ids, individual or for all SAP user ids in the SCL
- External ID type = SA
- Prefix of External Name = SharePoint::
- Suffix is blank
- Name of Issuer – This refers to the SharePoint Security Token Service. You can get this string from the imported SharePoint Security Token Service certificate in STRUST. Use the Owner string of the certificate. In most cases it will be “CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US”.
- BAdI Implementation: SharePoint Integration bulk user mapping
It is recommended to run this tool in test mode first, to confirm that a mapping is found for each user and that all other entries for the SAP user ID are deleted, since only one SharePoint user may be mapped per SAP user ID.
Check the results of the tool to ensure the user ids are mapped correctly.
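The two conditions the bulk mapping run depends on (every user under the base entry carries the mapping attribute, and no two directory users share one SAP user ID) can be checked against a directory export before the tool is run. The following script is an added example and is not part of the SAP documentation or the Duet Enterprise tooling. It parses a small, constructed LDIF export of the base entry, groups users by the attribute chosen in step 5 (extensionAttribute1, or sAMAccountName when the IDs are identical), reports users with no SAP ID and SAP IDs claimed by more than one account, and builds the external name from the prefix and suffix given above. The exact form of the SharePoint identity the tool stores (sAMAccountName is used here) and the attribute values are assumptions of the example; the directory names are made up.

```python
"""Pre-check of an ADS/LDAP export before a Duet Enterprise bulk user-mapping run.

Added example, not SAP's tool. Checks that every user under the base entry
carries the SAP-ID attribute and that no SAP ID is claimed by two accounts,
because VUSREXTID should hold only one SharePoint user per SAP user ID.
"""
import base64
from collections import defaultdict

# Constructed LDIF sample standing in for an export of the base entry
# (OU=Duet_Enterprise). All names and SAP IDs are made up. Note that
# Carol has no SAP ID and that BBROWN is claimed by two accounts.
SAMPLE_LDIF = """\
dn: CN=Alice Adams,OU=Duet_Enterprise,DC=example,DC=corp
sAMAccountName: aadams
extensionAttribute1: AADAMS

dn: CN=Bob Brown,OU=Duet_Enterprise,DC=example,DC=corp
sAMAccountName: bbrown
extensionAttribute1: BBROWN

dn: CN=Bob Brown (admin),OU=Duet_Enterprise,DC=example,DC=corp
sAMAccountName: bbrown-adm
extensionAttribute1: BBROWN

dn: CN=Carol Clark,OU=Duet_Enterprise,DC=example,DC=corp
sAMAccountName: cclark
"""


def parse_ldif(text):
    """Return one {attribute: value} dict per LDIF entry.

    Handles folded continuation lines (leading space) and base64 values
    ('attr:: ...'). For a multi-valued attribute the last value wins, which
    is sufficient for this check.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current[name.strip()] = value
    return entries


def check_mapping(entries, sap_id_attr="extensionAttribute1",
                  prefix="SharePoint::", suffix=""):
    """Group directory users by SAP ID and flag missing or duplicate IDs.

    Returns (ok, missing, duplicates): ok maps SAP ID -> external name,
    missing lists DNs without the attribute, duplicates maps SAP ID -> accounts.
    SAP user IDs are case-insensitive, so they are compared in upper case.
    """
    by_sap_id = defaultdict(list)
    missing = []
    for entry in entries:
        sap_id = entry.get(sap_id_attr)
        if not sap_id:
            missing.append(entry["dn"])
            continue
        by_sap_id[sap_id.upper()].append(entry["sAMAccountName"])

    ok, duplicates = {}, {}
    for sap_id, accounts in by_sap_id.items():
        if len(accounts) == 1:
            # Assumed external-name layout: prefix + SharePoint account + suffix
            ok[sap_id] = f"{prefix}{accounts[0]}{suffix}"
        else:
            duplicates[sap_id] = accounts
    return ok, missing, duplicates


if __name__ == "__main__":
    ok, missing, duplicates = check_mapping(parse_ldif(SAMPLE_LDIF))
    for sap_id, ext_name in sorted(ok.items()):
        print(f"OK        {sap_id:<10} -> {ext_name}")
    for dn in missing:
        print(f"MISSING   no SAP ID on {dn}")
    for sap_id, accounts in duplicates.items():
        print(f"DUPLICATE {sap_id} claimed by {', '.join(accounts)}")
```

Run the script as-is to see the three outcomes on the sample; for the same-ID case of step 6, call `check_mapping(entries, sap_id_attr="sAMAccountName")` instead, and feed a real export by replacing SAMPLE_LDIF with the contents of your LDIF file. A DUPLICATE line is the case the test-mode run of the mapping tool is meant to surface: until it is resolved in the directory, the SAP user ID has no unambiguous SharePoint identity.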
h3. 8) Check the mapping entries in transaction SM30 for table VUSREXTID
User Mapping is complete. This tool can be run multiple times to map new users as required.