
Document for Active Directory integration setup

Former Member
0 Kudos

Hi

Is there any document available on how AD integration should be done with the SAP Provisioning framework in IDM 7.2?

I need to create provisioning, locking user, de-provisioning, group assignment and password change from IDM to AD, and reconciliation of AD created/changed users towards IDM.

BR

Veli-Matti

Accepted Solutions (1)

Former Member
0 Kudos

Here is a document - http://scn.sap.com/docs/DOC-4370

Active Directory is set up similarly to all the other systems you provision to. Usually there are only 2 sections you have to configure for setting up provisioning.

1.  Point your event tasks at the main CORE provisioning tasks.

2.  Point your hook tasks at your Plugin CONNECTOR tasks.  If you have to modify the plugin, copy it into a custom provisioning folder and point at your new task.

Former Member
0 Kudos

The tutorial document is REALLY old.

One reason I began to ask this was that I couldn't find any advice on the initial load as in ABAP. It has been a while since I last used a SAP IDM product, and I am catching up on things and looking with new eyes.

In the ABAP initial load jobs there is automatic creation of the privileges PRIV:SYSTEM:repository / PRIV:repository:ONLY and the ACCOUNTrepository attribute. I couldn't find any documentation which says these should be created manually. So I have created them for the AD repository (DEV_GLOBAL_AD).

Repository config seems to be OK - tasks in the Provisioning framework start when a new privilege is added to a user... I am currently running into an error when adding the PRIV:DEV_GLOBAL_AD:ONLY privilege to a user:

AssignUserToADSGroup gives the error: privilege has no ACCOUNTDEV_GLOBAL_AD attribute (No account attribute value found - skipping entry). The attribute is added to the schema and assigned to the entry types MX_PERSON, MX_GROUP, MX_PRIVILEGE.

BR

Vellu

former_member2987
Active Contributor
0 Kudos

As I recall the tutorial is more about basic sync via DSE or bulk loads in IDM/MIC.

As Chris has mentioned, AD is treated as any other external system.

When I connect AD I do the following:

  • Create the new repository in IDM and make sure all parameters are correct (I usually double-check them with an LDAP browser like Apache Directory Studio or Softerra; I will also use the tool to directly copy/paste server names, starting points and other relevant directory objects).
  • Set up the initial load and let that run through.  This will create the proper IDM objects.

Couple of things to think about as well:

  • Make sure that the account that IDM is using to access AD has sufficient rights to create, update, view and remove entries. This gets trickier in later versions of AD, such as AD 2K8.
  • If you are doing password changes, you'll need to make sure that the dispatcher is running as an administrator level account.  Preferably this should run off of a separate dispatcher on a domain controller.

Hope this helps somewhat!

Matt

Answers (1)

Former Member
0 Kudos

Hi Veli,

I also want the document to integrate AD 2008 with my standalone SAP, which is already implemented. If you have it, please help me out with the same.

Our requirement is also the same as yours.

Thanks & Regards

Mitt Gori

former_member2987
Active Contributor
0 Kudos

Have you checked the landscape documents?

Matt

Former Member
0 Kudos

Hi Matt,

No, I haven't; I will look into it. If possible, can you share the link?

Thanks & Regards

Mitt Gori

former_member2987
Active Contributor
0 Kudos

Mitt,

All kinds of good stuff here!

Matt