Entering content frame

Procedure documentation Preparing and Starting Synchronization Locate the document in its SAP Library structure

Use

After you have define the mapping, you synchronize the data using report RSLDAPSYNC_USER. Before this, you define on the Directory Synchronization of Users screen how objects found in the search will be dealt with.

Note

User administration with the report RSLDAPSYNC_USER and transaction LDAPMAP works like a "remote control" for the Central User Administration (CUA). Therefore, all limitations and prerequisites of the CUA (such as for the BAPI_USER_CHANGE function module) are also valid for the synchronization function.

Procedure

  1. Execute report RSLDAPSYNC_USER with a background job for delta synchronization (for example, using transaction SA38).

    2. Caution

    The users SAP*, DDIC and EARLYWATCH are excluded from the synchronization, and you do not need to exclude them explicitly. On the other hand, other communication users, such as those for RFC connections, are treated like normal users.

  2. Specify the logical LDAP server.
  3. Choose an LDAP Connector. If you do not specify a particular LDAP Connector, the system automatically selects one.
  4. Define how the synchronization report should process the entries of the objects that are found during the search. The search result is made up of three subsets:

Setting in the Objects that exist in both the directory and the database group frame

Comment

Compare Time Stamp

Delta synchronization: Only objects whose time stamp was changed are synchronized. The synchronization is performed in accordance with the synchronization indicators in transaction LDAPMAP.

Ignore Time Stamp

Complete synchronization: All objects are synchronized according to the synchronization indicators in transaction LDAPMAP.

Ignore Objects

Delta synchronization: Objects that already exist are not updated, but, depending on the settings in the other group frames, objects that do not exist may be created.

*The settings are only different in terms of the scope of users to be synchronized.

Setting in the Objects that only exist in the directory group frame

Comment

Create in Database

The directory is the leading system; that is, it exports all entries to the SAP system

Delete from Directory

The SAP system is the leading system; that is, entries that do not exist in the SAP system are to be deleted from the directory

Caution

You must be absolutely certain that the directory entries that are to be deleted are only used for SAP applications and do not contain any external attributes. Otherwise, you may delete entries that other systems are still using.

Ignore Objects

For example, if the users are not used in the SAP system

 

 

Setting in the Objects that only exist in the database group frame

Comment

Create in Directory

The SAP system is the leading system; that is, it exports all entries to the directory.

Delete from Directory

The directory is the leading system; that is, entries that do not exist in the LDAP-compatible directory service are to be deleted from the SAP system.

Caution

We recommend that you only lock the users. This means that the master data is kept, and the actions of the user can be traced later (for example, for review purposes).

Lock in Database

The directory is the leading system; that is, entries that do not exist in the LDAP-compatible directory service are to be locked in the SAP system.

Ignore Objects

For example, if service users exist in the SAP system that are not used in the directory
  1. Save your entries.
  2. Choose Execute.

 

 

 Leaving content frame