GRC 10.x and LDAP management 2.
This document continues the content of the previously created one.
Here we use the settings that were made for LDAP user and group management.
Part III. Using the settings
User synchronization
As a reminder, we use the LDAP attribute ‘pager’ to store the SAP user ID.
Before we start, you can check table GRACUSER to see whether it has any records for the connector. Normally, just before the very first synchronization, it should not contain any records for the selected LDAP connector.
In the picture you can see that the table already contains 900 entries; that happened because we ran a full synchronization after customizing.
Start tcode GRAC_USER_SYNC and select your LDAP connector. For the very first run select ‘Full Synch mode’, but execute it successfully just once. As far as I found, full synch mode works as follows: it clears the table for the selected connector and fills it from scratch again. So we ran the full synchronization just once and then used only incremental synchronization on a regular basis.
After synchronization in dialog mode you get a log:
The number of entries in the table has changed.
The incremental mode works as follows: it selects users who were changed since the last synchronization. So, if you start it very often, the table may not be updated with new entries.
LDAP trace log contains the selected period:
ldap_paged_search_sU(base=”your_domain_base”, filter=”(&(ObjectClass=person)(whenChanged>=20160311132424.0Z)(whenChanged<=20160428140244.0Z))”, scope=2, pagesize=200)
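To make the full-versus-incremental behaviour concrete, here is an added example (not code from the original post or from SAP): it parses the whenChanged window out of a trace line of the shape above and replays both sync modes against a small constructed set of AD records, using ‘pager’ as the SAP user ID. The trace line, the connector name and the AD records are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed trace line in the shape the LDAP trace writes; base and timestamps are placeholders.
TRACE_LINE = ('ldap_paged_search_sU(base="your_domain_base", filter="(&(ObjectClass=person)'
              '(whenChanged>=20160311132424.0Z)(whenChanged<=20160428140244.0Z))", scope=2, pagesize=200)')

GEN_TIME = "%Y%m%d%H%M%S.0Z"  # LDAP GeneralizedTime as it appears in the trace

def parse_sync_window(line):
    """Return (start, end) UTC datetimes of the whenChanged window the incremental run searched."""
    m = re.search(r'whenChanged>=(\d{14}\.0Z)\)\(whenChanged<=(\d{14}\.0Z)', line)
    if not m:
        raise ValueError("no whenChanged window in trace line")
    to_dt = lambda s: datetime.strptime(s, GEN_TIME).replace(tzinfo=timezone.utc)
    return to_dt(m.group(1)), to_dt(m.group(2))

# Constructed AD records: 'pager' carries the SAP user ID, whenChanged is the AD change stamp.
AD_USERS = [
    {"sAMAccountName": "jdoe",   "pager": "JDOE",   "whenChanged": "20160301120000.0Z"},
    {"sAMAccountName": "asmith", "pager": "ASMITH", "whenChanged": "20160401090000.0Z"},
    {"sAMAccountName": "bnew",   "pager": "BNEW",   "whenChanged": "20160420100000.0Z"},
]

def full_sync(table, connector, users):
    """Full synch mode as described above: drop the connector's rows, then refill from all records.
    Rows belonging to other connectors are left untouched."""
    table = {k: v for k, v in table.items() if v["connector"] != connector}
    for u in users:
        table[u["pager"]] = {"connector": connector, "ldap_name": u["sAMAccountName"]}
    return table

def incremental_sync(table, connector, users, start, end):
    """Incremental mode: upsert only records whose whenChanged falls inside the window.
    A record changed before 'start' is never picked up, which is the gap the text warns about."""
    for u in users:
        changed = datetime.strptime(u["whenChanged"], GEN_TIME).replace(tzinfo=timezone.utc)
        if start <= changed <= end:
            table[u["pager"]] = {"connector": connector, "ldap_name": u["sAMAccountName"]}
    return table
```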
Role synchronization
AD groups in the BRM part of GRC 10.x can only be uploaded from files.
The file for uploading looks like this (see attached file).
Then make role import
choose the file location
Then perform role synchronization using tcode GRAC_ROLE_SYNC.
After this the system knows that the role exists in AD.
As you can see, there are no users assigned to the group.
Create a request in AC for the group assignment
Check the group in AD again.
The group has the user among its members.
The only thing that may confuse you is the information in the SLG1 log:
Group assigned to Group. In fact, you can ignore this message if the required functionality works.
It seems like a bug, but at the moment of writing this document no notes had been released on this topic.
Regards,
Artem Ivashkin
Artem,
Thanks for sharing this information.
Could you share why exactly we need to sync users from AD? I have integrated AD with GRC and without syncing users and roles from AD, things are moving successfully.
I would like to know why this is synced.
Secondly, is it necessary to have groups in AD to create/modify/delete users from AD? If in case these groups are not maintained can we still do provisioning/de-provisioning in AD through GRC?
Regards,
Faisal
Faisal,
Indeed, user synchronization is not an obligatory point, especially if you use online LDAP user records reading. So, it's up to you to synch or not to synch.
I haven't tried this scenario, but I'm sure that you should be able to maintain users without having groups in AD.
Regards,
Artem
Artem,
Thanks for sharing your inputs.
Regards,
Faisal
In our system, the real-time search using port 389 is not working, but when we changed the port to 3286 the real-time search is working. However, we cannot use this port as it is causing a performance issue when logging in to End User Logon. We also considered syncing users from LDAP to GRC since the real-time search is not working using port 389, but the problem is we cannot successfully sync users; the GRACUSERCONN table entries are 0. Also, the 2050 parameter was already set to Yes.
Here is the error log file using port 389. Has someone encountered the same issue before?
Appreciate your response on this. Thanks.
How to test Modify option in LDAP transaction?
BR
Arya