BusinessObjects Board

Moving security from LDAP to Windows AD

We are planning on moving BO authentication from our current LDAP system to Windows AD. I couldn't find anything related to this in the Admin guides/KBAs. I want to know the possibilities and we have a few other concerns too.

Issues we are looking at are:

  1. Win AD group creates a new ID which does match with the existing LDAP setup, so do we have to manually alias all of them?
    Ex: Existing LDAP username: SRITAT01
    New Win AD username: sri.tatineni

  2. As it creates a new user, it creates new favorites; how can they be merged with the old one?

  3. What happens if we delete the LDAP user ID? Will their schedules, Favorites and Inboxes

  4. Since we have thousands of users, how can we do this in bulk?

Our Current Environment:

SAP BO: 4.X (We have both 4.1 and 4.2 systems in different landscapes of the company)

Windows 2016 servers

Current security: LDAP

Opting to: Windows AD


srit (BOB member since 2013-07-11)

There is an option in the Windows AD config screen in BO to “Assign each new AD alias to an existing User Account with the same name”. So, if the user name in LDAP is the same as the one in Windows AD, you make sure that this option is turned on and aliases will be created for the users that will match up their LDAP and WinAD user objects. This also means that all of the user assignments to Enterprise user groups will also transfer to the WinAD alias.

However, the same is not true for the User groups. So, you’ll get new user groups.

If you have set up security correctly using Enterprise user groups for security instead of the LDAP groups, all you’ll need to do is assign the WinAD groups to the same Enterprise groups as the corresponding LDAP groups.

Once this is all complete and verified, you can deactivate the LDAP authentication.

-Dell


hilfy :us: (BOB member since 2007-04-16)

The LDAP config has the same option.
It will assign (new) LDAP names "as alias" to existing users.
Was I wrong when I thought this ONLY works if the users "already exist" in your system?

But then, users CAN exist in your system multiple times (having multiple aliases).

We did have (quite some) users who were first "imported" through LDAP, but later got an Enterprise alias assigned to them.
(Be careful: maintenance of those may be hell, and once a user has logged in once using his Enterprise account, he may try to do that again, or "guess" the "123" password that got associated to the EA because admin needed "to test something with a normal user" ...)

As long as your LDAP connection stays up, all users "are there".
If a second (or third) authentication method is added (AD), indeed all "new names which are exactly the same names as those in LDAP" will be mapped.
I have NO idea how the AD connector or BI/CMC would "find out" the mapping of AD name "John.Smith@domain" to the existing LDAP user "JOHSMI" if that is your setup.
Maybe SAP has a "script" that can do that?
But if your AD can present "JOSMI" to BI when John Smith logs in, there'd be no problem.

The LDAP GROUPS and AD GROUPS ... will need manual remapping I guess, or scripted. Or ... third-party tools (scripted).

(On this board "third parties" have been advertised, e.g. in message footers. So they do exist.)


RensH :belgium: (BOB member since 2007-06-18)
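The replies above hinge on one thing: the "assign each new alias to an existing user with the same name" option only helps where the AD name is literally the LDAP name, and everything else needs a manual or scripted alias. As an added example (not code from any poster or from SAP), here is a pre-migration reconciliation script that takes two constructed CSV exports (LDAP uid + mail, AD sAMAccountName + mail) and sorts each AD account into "auto-aliased", "needs manual alias" (matched via mail only), or "will become a brand-new user" (new Favorites/Inbox), plus LDAP users with no AD counterpart. Case-insensitive name matching and the column names are assumptions; check them against your own CMS and directory exports.

```python
import csv
import io

# Constructed sample exports (not from the thread); replace with your own dumps.
LDAP_EXPORT = """uid,mail
SRITAT01,sri.tatineni@example.com
JOHSMI,john.smith@example.com
MARJON,maria.jones@example.com
"""
AD_EXPORT = """sAMAccountName,mail
sri.tatineni,sri.tatineni@example.com
JOHSMI,john.smith@example.com
peter.pan,peter.pan@example.com
"""


def load(text, key):
    """Parse a CSV export into {key_column_value: row}."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(ldap_csv, ad_csv):
    """Classify AD accounts by how the BO 'same name' alias option would treat them.

    auto_alias:   AD name equals an LDAP name (BO aliases it automatically)
    manual_alias: only the mail address matches (alias must be mapped by hand/script)
    new_user:     nothing matches (a new user with empty Favorites/Inbox would be created)
    ldap_only:    LDAP users with no AD account at all (content to reassign before removal)
    Assumption: name comparison is case-insensitive.
    """
    ldap = load(ldap_csv, "uid")
    ad = load(ad_csv, "sAMAccountName")
    ldap_by_name = {uid.lower(): uid for uid in ldap}
    ldap_by_mail = {row["mail"].lower(): uid for uid, row in ldap.items()}
    report = {"auto_alias": [], "manual_alias": [], "new_user": [], "ldap_only": []}
    matched = set()
    for name, row in ad.items():
        if name.lower() in ldap_by_name:
            uid = ldap_by_name[name.lower()]
            report["auto_alias"].append((uid, name))
            matched.add(uid)
        elif row["mail"].lower() in ldap_by_mail:
            uid = ldap_by_mail[row["mail"].lower()]
            report["manual_alias"].append((uid, name))
            matched.add(uid)
        else:
            report["new_user"].append(name)
    report["ldap_only"] = sorted(set(ldap) - matched)
    return report


if __name__ == "__main__":
    for category, entries in reconcile(LDAP_EXPORT, AD_EXPORT).items():
        print(category, entries)
```

Run the "manual_alias" list through your aliasing tool before enabling AD, and resolve "ldap_only" before deactivating LDAP so no schedules or Inboxes are orphaned.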