jaisuryan

Recently I have been working on IDM 7.2 - AD integration, so I thought I would share some information on uLDAPGetEntry() that might help someone who is doing AD integration.

As we know, the AD connector is not as smart as the SAP connectors. IDM will set the status to "Failed" if it tries to create a user or assign access when the user or assignment already exists in AD. So I was implementing a solution where IDM checks whether the user already exists in AD: if so, it does nothing (the status will be set to 'OK'); if not, it creates the user.

I was using uLDAPGetEntry() to check whether the user exists. Contrary to the help documentation, uLDAPGetEntry did not return "NULL" when the user was not found. It returned an error, as below:

ERROR - {err_category=ERROR, err_where=uLDAPGetEntry(ldaps://1xxxx:636/cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au?CN?BASE?(objectclass=person)), err_exception=javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:'OU=Users,OU=X ,DC=XDev,DC=com,DC=au']; remaining name ''}

Hence my script kept failing, as I was checking for a NULL value. SAP needs to update the code for the uLDAPGetEntry() user function or update the help documentation. I do not have authorization to raise an incident with SAP, so I am posting here. Hope someone from SAP takes note of this.

Also, I was using the LDAP URL,

ldap://1xxxx:636/cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au?CN?BASE?(objectclass=person)

and I kept getting the error below.

javax.naming.ServiceUnavailableException: XXX:636; socket closed..

After some Googling, I figured out that I should use the LDAPS URL, as below,

ldaps://1xxxx:636/cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au?CN?BASE?(objectclass=person)

It would be nice if SAP added a note about using an LDAPS URL rather than an LDAP URL to establish a secure connection when using uLDAPGetEntry.

Hope it helps someone.

Regards,

Jai
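The two problems described in the post, handled in one place, as an added example that is not the author's script or SAP's code: it validates the URL scheme against the port before connecting, and it treats only LDAP error code 32 as "user does not exist", so a connection failure never leads to a create. It assumes the calling script has captured the uLDAPGetEntry result or the error text as a string; the function names and the dc.example.test host are made up for illustration.

```javascript
// Added example; helper names are hypothetical and not part of the SAP IDM API.
// URL layout taken from the post: scheme://host:port/dn?attrs?scope?filter
function parseLdapUrl(url) {
  var m = /^(ldaps?):\/\/([^\/:?]+)(?::(\d+))?\/([^?]*)(?:\?([^?]*))?(?:\?([^?]*))?(?:\?(.*))?$/i.exec(url);
  if (!m) return null;
  var scheme = m[1].toLowerCase();
  return {
    scheme: scheme, host: m[2],
    port: m[3] ? parseInt(m[3], 10) : (scheme === 'ldaps' ? 636 : 389),
    dn: m[4], attrs: m[5] || '', scope: m[6] || '', filter: m[7] || ''
  };
}

// Catch the mismatch from the post before connecting: ldap:// aimed at port 636.
function checkLdapUrl(url) {
  var u = parseLdapUrl(url);
  if (!u) return 'INVALID';
  if (u.scheme === 'ldap' && u.port === 636) return 'PLAIN_LDAP_ON_TLS_PORT';
  return u.scheme === 'ldap' ? 'PLAIN_LDAP' : 'OK';
}

// Classify what the lookup produced. Assumption: the caller captured either
// the entry value, NULL/empty, or the error text as a string.
function classifyLookup(outcome) {
  if (outcome === null || outcome === undefined || outcome === '') return 'NOT_FOUND';
  var text = String(outcome);
  // LDAP result code 32 (noSuchObject) is the only error that means "absent".
  if (/NameNotFoundException|LDAP: error code 32\b/.test(text)) return 'NOT_FOUND';
  // Anything else (socket closed, bind failure) says nothing about existence.
  if (/javax\.naming\.\w*Exception|err_category=ERROR/.test(text)) return 'ERROR';
  return 'EXISTS';
}

// Policy assumed here: only ldaps:// is accepted, and only a definite
// "not found" leads to a create.
function decideAction(url, outcome) {
  var urlState = checkLdapUrl(url);
  if (urlState !== 'OK') return 'FIX_URL:' + urlState;
  var state = classifyLookup(outcome);
  if (state === 'NOT_FOUND') return 'CREATE';
  return state === 'EXISTS' ? 'SKIP' : 'RETRY';
}

// Constructed samples modelled on the messages quoted in the post.
var SAMPLE_PATH = 'cn=TEST_JAI1,OU=Users,DC=example,DC=test?CN?BASE?(objectclass=person)';
var SAMPLE_LDAPS_URL = 'ldaps://dc.example.test:636/' + SAMPLE_PATH;
var SAMPLE_LDAP_URL = 'ldap://dc.example.test:636/' + SAMPLE_PATH;
var SAMPLE_NOT_FOUND = 'javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: problem 2001 (NO_OBJECT)]';
var SAMPLE_UNAVAILABLE = 'javax.naming.ServiceUnavailableException: dc.example.test:636; socket closed';
```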
