GRC 10.x and LDAP management
When I started to work on GRC integration with LDAP (Windows AD) I wanted a helpful how-to guide. Unfortunately, for someone with little or no knowledge of the LDAP mechanism the SAP documents are not much help, especially when there are specific customer needs. This document describes how we coped with the task of LDAP integration.
The purpose of this document is to give one more example and to clarify some points of the other documents.
Special thanks to Neeraj Manocha, who helped me to resolve the group assignment issue.
Part I. Connect GRC and LDAP
In every document the very first thing you have to do is create the connection.
Creating the LDAP connection is the basic part and is well described here.
Go to SM59 and make the following settings
Create TCP/IP Connection (T type)
Make the following settings in transaction LDAP.
To catch any problems with LDAP in the first steps it is recommended to keep the trace level switched on. In the example above it is set to 2. Lower it again once the connection works, because the trace file grows quickly and records the details of every request.
Then maintain the user with which GRC will manage LDAP.
See further on how this user will be used. Note that this user must have all authorizations needed to manage users and groups; grant them only on the OUs that GRC is supposed to manage rather than on the whole domain, since the credentials are stored in the SAP system.
Create server where LDAP is located.
In this example the base entry is set to the root node, and it should be defined in this manner:
DC=3rd level domain,DC=2nd level domain,DC=1st level domain. Note that you should use no spaces between the values. For example: DC=WDF,DC=SAP,DC=COM.
If you have several connectors you can set one as the default.
The next step is defining the field mapping for the LDAP-GRC and GRC-LDAP directions.
At first you can use the proposal mapping (click the appropriate button to do this).
In my example all SAP user IDs are kept in the 'pager' field, so I select it as the attribute for mapping and filtering. It is therefore not obligatory to use the proposed field 'sapUsername' if you don't have it in AD.
In sum, in the subnode 'mapping' we have determined the first five fields that will be used for mapping.
As you can see in the picture above, we ticked two values (pager and mail) for Import (the last two columns). This setting specifies that the ticked attributes are to be imported into GRC tables. Note that no export values are ticked here, because in this example GRC should not write any data to AD; you can tick any field for export according to your needs.
In sum, we have selected the fields that will be synchronized from AD to GRC (LDAP-GRC direction).
Now everything looks prepared for the first test: click the 'Logon' button in transaction LDAP.
Now we can use some LDAP functions, for instance searching. Click the 'Find' button, enter your filter and click 'Execute'.
Here we get the list of attributes of the user whose pager field equals 101DIT00037.
If you get any problem during the connection or during execution of an LDAP command, look at the trace file. It is located in the 'work' directory and is named 'dev_<your_LDAP_connector_name>.trc'.
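The filter typed into the 'Find' dialog is an ordinary RFC 4515 search filter. When the same lookup is later driven by a value that comes from a user (a request form, a file import), the value has to be escaped, otherwise characters such as `*`, `(` and `)` change the meaning of the filter. The following Python is an added example, not code from the article or from SAP: it builds the `(pager=...)` filter from the article using the standard escaping. The attribute name `pager` and the ID `101DIT00037` are from the article; the hostile sample value and the `objectClass=user` restriction are assumptions for illustration.

```python
# Added example (not from the original article): build the search filter that the
# 'Find' step in transaction LDAP runs, escaping the value per RFC 4515 so that a
# user ID containing *, (, ), \ or NUL cannot change the meaning of the filter.

# RFC 4515 escape table; each character is replaced once, so the backslash
# entry cannot double-escape the output of another entry.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def pager_filter(sap_user_id: str) -> str:
    """Filter matching the AD user whose 'pager' attribute holds the SAP user ID."""
    return f"(pager={escape_filter_value(sap_user_id)})"


def user_filter(sap_user_id: str, object_class: str = "user") -> str:
    """Same lookup restricted to one object class (assumption: 'user' for AD accounts)."""
    return f"(&(objectClass={escape_filter_value(object_class)}){pager_filter(sap_user_id)})"


if __name__ == "__main__":
    print(pager_filter("101DIT00037"))          # the article's lookup
    # Constructed hostile input: without escaping this would match every entry.
    print(pager_filter("*)(objectClass=*"))
    print(user_filter("101DIT00037"))
```

Paste the output of `pager_filter` into the 'Find' dialog to reproduce the search from the text; the escaped form of the hostile value shows up as a literal pager number and matches nothing.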
Part II. GRC customizing
If the previous customizing part was successful, go to the next step.
Make the customizing in the 'Maintain Connection Settings' node of SPRO.
Set the previously maintained connector for both the PROV and AUTH scenarios.
Ensure that class CL_GRAC_AD_ACCESS_MGMT_LDAP is determined for LDAP connection type.
Ensure that class CL_GRAC_AD_AUTH_MGMT_LDAP is determined for LDAP connection type.
After this go to SPRO and find ‘Maintain Connectors and Connection Types’
Make the following settings
In sum, we have created a logical group that will unite all our LDAP connectors.
Again go to SPRO and start ‘Maintain Connector Settings’
Determine the role of the connector
Select the entry and click on the subnode of the dialog structure ‘Assign attributes to the connector’
As in Part I, don't use spaces between values. In the example above I used the variables 'User path1' and 'User path', since the length of the value field is limited.
So if you have a very long path for the group/user search you can divide it across these variables. Let's say you have the domain myldaporganization.ruscompany.com and you need to manage users in OU=SPB, OU=USERS and groups in OU=SPB, OU=SHAREDGROUPS for this connector.
Your settings will look like this: USER PATH1 – DC=MYLDAPORGANIZATION,DC=RUSCOMPANY,DC=COM ; USER PATH – OU=USERS,OU=SP
Note that the values are in upper case.
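The base entry in Part I and the USER PATH1 / USER PATH values here follow the same two rules: RDNs are joined with a comma and no space, and the values are upper case. The Python below is an added example, not code from the article or from SAP, that derives both from a DNS domain and an OU chain and checks the length limit before you type the values in. The article does not state the actual field length, so `MAX_FIELD_LEN` is an assumed value; the domain and OU names are the article's, and the same helper serves the group OU chain.

```python
# Added example (not from the original article): derive the base entry and the
# USER PATH1 / USER PATH values from a DNS domain and an OU chain, applying the
# two rules stated in the text: no spaces between RDNs and upper-case values.

MAX_FIELD_LEN = 50  # assumption: the article does not give the real field length


def base_entry(domain: str) -> str:
    """'wdf.sap.com' -> 'DC=WDF,DC=SAP,DC=COM' (the Part I base entry format)."""
    labels = [label for label in domain.strip().split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"DC={label.upper()}" for label in labels)


def relative_path(ous) -> str:
    """OU chain from most specific to least specific: ['USERS', 'SPB'] -> 'OU=USERS,OU=SPB'."""
    ous = [ou.strip() for ou in ous]
    for ou in ous:
        # A comma or '=' inside an OU name would need RFC 4514 escaping, which
        # this example deliberately does not attempt; reject such names instead.
        if not ou or any(c in ou for c in ",=\r\n"):
            raise ValueError(f"invalid OU name: {ou!r}")
    return ",".join(f"OU={ou.upper()}" for ou in ous)


def field_problems(name: str, value: str, max_len: int = MAX_FIELD_LEN) -> list:
    """Return the reasons a value cannot be entered as-is (empty list if it is fine)."""
    problems = []
    if len(value) > max_len:
        problems.append(f"{name} is {len(value)} characters, limit is {max_len}")
    if ", " in value:
        problems.append(f"{name} has a space after a comma")
    if value != value.upper():
        problems.append(f"{name} is not upper case")
    return problems


def connector_paths(domain: str, ous, max_len: int = MAX_FIELD_LEN) -> dict:
    """Split the search base into USER PATH1 (domain part) and USER PATH (OU part).

    GRC joins them as USER PATH + ',' + USER PATH1; each part must fit its field.
    """
    path1 = base_entry(domain)
    path = relative_path(ous)
    problems = field_problems("USER PATH1", path1, max_len) + field_problems("USER PATH", path, max_len)
    if problems:
        raise ValueError("; ".join(problems))
    return {"USER PATH1": path1, "USER PATH": path, "full_dn": f"{path},{path1}"}


if __name__ == "__main__":
    # The article's example: users in OU=USERS under OU=SPB of myldaporganization.ruscompany.com
    users = connector_paths("myldaporganization.ruscompany.com", ["USERS", "SPB"])
    for key, value in users.items():
        print(f"{key}: {value}")
    # The group container from the same example uses the identical helper.
    print("group path:", relative_path(["SHAREDGROUPS", "SPB"]))
```

Run it once with your real domain and OU chain; if `connector_paths` raises, the message tells you which value is too long for the field, so you know before opening SPRO whether the split into two variables is enough.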
‘Maintain Mapping for Actions and Connector Groups’
Here action 3 is provisioning and action 4 is authorizations.
For provisioning we will use these fields.
On the left-hand side there are GRC fields, on the right-hand side AD fields (letters in upper case).
These settings are given in the guide 'AC10_LDAP_Config_Guide'; unfortunately, the guide doesn't say why we use them. On SCN you can find many examples of other parameters, but not their purpose. It is understood that OC should mean Object Class, but it is not clear why GROUPMEMBER is then written without this suffix.
In order to use LDAP as the user data source, make the following setting:
SPRO – 'Maintain Data Sources Configuration'
Don't be confused that the LDAP connector has SU01 in the last column; this was found in an SCN thread while I was searching for a solution for the user data source.
In this example, system PRD420 is used as the CUA central system. So when you search, GRC first goes to LDAP; if the information is not found there, the search is carried out in the CUA central system. The sequence number decides this order, so check it if the wrong system answers first.
Similar settings may be made for the other nodes.
SPRO – ‘Maintain Provisioning Settings’
You can use a global setting or a specific one for the LDAP connector.
SPRO – ‘Maintain Configuration Settings’
For further group management, make the settings in SPRO – 'Maintain Project and Product Release Name'.
Part III will describe how to use what we have customized.