uLDAPGetEntry()
Recently I have been working on IDM 7.2 – AD integration, so I thought I'd share some information on uLDAPGetEntry() that might help someone who is doing AD integration.
As we know, the AD connector is not as smart as the SAP connectors. IDM will set the status to "Failed" if it tries to create/assign access to users when the user/assignment already exists in AD. So, I was implementing a solution where IDM checks if the user already exists in AD; if so, then do nothing (status will be set to 'OK'); if not, then create the user.
I was using uLDAPGetEntry() to check if the user exists. Contradicting the help documentation, uLDAPGetEntry did not return "NULL" if the user is not found. It returned an error as below:
ERROR – {err_category=ERROR, err_where=uLDAPGetEntry(ldaps://1xxxx:636/cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au?CN?BASE?(objectclass=person)), err_exception=javax.naming.NameNotFoundException: [LDAP: error code 32 – 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:’OU=Users,OU=X ,DC=XDev,DC=com,DC=au’]; remaining name ”}
Hence my script kept failing as I was checking for a NULL value. SAP needs to update the code for the uLDAPGetEntry() user function or update the help documentation. I do not have authorization to raise an incident with SAP, so I am posting here. Hope someone from SAP takes note of this.
Also, I was using an LDAP URL,
ldap://1xxxx:636/cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au?CN?BASE?(objectclass=person))
and I kept getting an error as below.
javax.naming.ServiceUnavailableException: XXX:636; socket closed..
After some Googling, I figured that I should use an LDAPS URL, as below:
ldaps://1xxxx:636/cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au?CN?BASE?(objectclass=person))
It would be nice if SAP added a note about using an LDAPS URL rather than an LDAP URL to establish a secure connection while using uLDAPGetEntry.
Hope it helps someone.
Regards,
Jai
Hi Jai,
For this case, and also for similar cases, like when you add a user as a member of a group (which fails as well if the user is already a member of that group), it is easier to just catch the exception in a script. So you don't need a separate action.
You write a script that you call in case of error, check the error message, and if you want to catch the error you set the status to OK by calling uSkip(1,1,"").
Regards
Norman
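Taking Jai's error output and Norman's catch-the-error suggestion together, here is an added example (my own code, not from this thread or from SAP IDM) of a check that treats the LDAP "error code 32 / NO_OBJECT" result as "user does not exist" instead of a failure, and tells it apart from the "socket closed" error seen with ldap:// on port 636. It assumes uLDAPGetEntry() hands back a string containing err_category=ERROR on failure (or throws); the sample error text and fakeGetEntry are constructed stand-ins for the real directory.

```javascript
// Classify an error text in the shape uLDAPGetEntry() produced above.
function classifyLdapError(msg) {
  var text = String(msg);
  if (/NameNotFoundException|error code 32\b|NO_OBJECT/.test(text)) {
    return "not_found";      // LDAP result 32: the DN does not exist
  }
  if (/ServiceUnavailableException|socket closed/i.test(text)) {
    return "unavailable";    // e.g. plain ldap:// sent to the LDAPS port
  }
  return "other";
}

// Assumed failure shape: a string carrying err_category=ERROR.
function isErrorResult(result) {
  return typeof result === "string" &&
    result.indexOf("err_category=ERROR") !== -1;
}

// true if the entry exists, false if the directory reports NO_OBJECT,
// throws for any other error so real failures are not silently skipped.
// In an IDM error script the "false" branch is where you would call
// uSkip(1,1,"") to set the status to OK, as Norman describes.
function entryExists(getEntry, url) {
  var result;
  try {
    result = getEntry(url);
  } catch (e) {
    result = "err_category=ERROR " + (e && e.message ? e.message : e);
  }
  if (isErrorResult(result)) {
    var kind = classifyLdapError(result);
    if (kind === "not_found") return false;
    throw new Error("uLDAPGetEntry failed (" + kind + "): " + result);
  }
  return result !== null && result !== undefined;
}

// Constructed sample, modelled on the error text quoted in the thread.
var SAMPLE_NOT_FOUND = "{err_category=ERROR, err_where=uLDAPGetEntry(" +
  "ldaps://host:636/cn=missing,OU=Users,DC=example,DC=com?CN?BASE?" +
  "(objectclass=person)), err_exception=javax.naming.NameNotFoundException: " +
  "[LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 " +
  "(NO_OBJECT), data 0, best match of:'OU=Users,DC=example,DC=com']; " +
  "remaining name ''}";

// Constructed stand-in for uLDAPGetEntry(): one DN exists, others do not.
function fakeGetEntry(url) {
  if (url.indexOf("cn=existing,") !== -1) return { cn: "existing" };
  return SAMPLE_NOT_FOUND;
}
```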
Good stuff, Jai. I'd be very interested in the steps you needed to execute to get LDAPS going between IDM and AD.
Matt
Hi Matt,
Thanks.
For LDAPS connection,
1) I imported the root CA certificate into cacerts in IDM. Usually, there would be more than one cacerts file in the system. We need to be careful about importing the certificate into the correct cacerts file. I imported into the wrong cacerts file and kept on encountering the "Socket Closed" error. The correct cacerts file would be in the %JAVA_HOME%/jre/lib/security folder.
2) Then, I changed the security option in all my toLdap passes to SSL instead of simple authentication.
Kind regards,
Jai
Nicely done! Norman has already mentioned the errorscript solution, so here's an example of that by my former SAP self 🙂
Custom error handler in Workflow actions
The disadvantage of the errorscript solution is that you get errors/warnings in the log, whereas this solution avoids that at the cost of an additional but low impact LDAP operation.
Br,
Chris
Thanks Chris, glad to see you back active in SCN. 🙂
I have read your blog previously and tried it in my test system. That was a more reactive measure.
My initial thought was to avoid errors in the job log (customers just panic if there's any red line in the job log 😐 ), so I went with proactive checking of the user in AD.
But I guess there is no difference between both approaches now, as uLDAPGetEntry() posts an error in the job log if the user is not found instead of returning NULL 😕 .
Kind regards,
Jai
Very informative for me.
Thanks