IDM 8.0: list of possible user attributes for ldap connector

Steffi_Warnecke
Active Contributor

Hello everyone! Long time no see. 😉

I need a list of all the user attributes the IDM LDAP connector knows.
I've found it can't "see" (meaning "read") every attribute that's present in our AD (even with the correct permissions), so there seems to be a limitation of sorts. Since we are trying to find out which attributes are usable via the connector, I'm looking for a complete list.

We're on IDM 8.0, SP 7.

For IDM 7.2 there was a technical reference in the SAP Help that listed the attributes for some of the connectors (I remember at least ABAP & AD).

Now with 8.0 I was looking for the same thing for the AD connector, but all I could find was

  • the AD attribute mapping in the "SAP Identity Management Configuration Guide", which lists AD attributes and their IDM counterparts.
  • the list of default attributes in the identity store in the "Identity Store Schema"
  • and of course the "SAP IDM Connector Overview" from 2017, which is just that: an overview with not a lot of details (more like "none").

Maybe I'm just too blind to find it in the SAP documentation or maybe it really isn't there. Has any of you fellow IDM admins something like this available or knows where I can find the info?

Regards,

Steffi.

alexanderbrietz
Active Contributor

Hi Steffi,

unfortunately I cannot provide decent documentation either.

But I would try to find a workaround for your problem like this:

  1. Use a FromLDAP-Pass with almost no restrictions for the filter and read all attributes with it that come from the LDAP object (presumably users).
  2. Use an LDAP tool to find a filter that reads one or more of your missing attributes, then use this filter in another LDAP pass to see whether it produces results.

Maybe my thoughts can help you to get around the problem. But it would also be nice and handy to have decent documentation for the standard connectors!

Regards,

Alex

P.S.: Additionally, I would try to raise this as an OSS issue.

Steffi_Warnecke
Active Contributor

Thanks for the input, Alex!

For a "FromLDAP" pass you need to add the attributes in the destination tab. At least I know of no way to just say: "Give me everything!". 😕 And the "Use template" button is useless for me, always saying it can't connect to the LDAP server to get the attributes.

BUT... you just gave me an idea what I could check with your second tip!
I'm using a list of attributes that my AD jobs should read in, and just noticed that the attribute I'm missing is... you can guess it... missing in the list! I'll try adding it and see what that does. Maybe I played myself here. 😄

Regards,

Steffi.

alexanderbrietz
Active Contributor

Hi Steffi,

sorry, you are right... for the FromLDAP-Pass you would need the attribute name...

I just remembered I had a similar problem and solved it like that. But I guess I used an LDAP tool with a generic filter to get me all attributes. Maybe it does the trick for you, keep my fingers crossed.

Regards,

Alex

Steffi_Warnecke
Active Contributor

Found it! I can't believe that I trolled myself like that and didn't realize it yesterday, when I was playing around with the LDAP URL. *facepalm*

Thank you so, so much for the nudge in the right direction, Alex! Your tips didn't help directly, but reminded me of something and that was it!

Like I wrote in the other comment, in my LDAP URL I use a list of attributes (for performance reasons & in a nice repository type constant) and this attribute just wasn't in the list. Just a simple, small thing, but it haunted me for months now! MONTHS! GRR!

Sometimes the best thing to do is explain a problem to somebody else and you get new ideas just by explaining. 😄 Should have come to the IDM community last year, when I encountered it the first time. Would have saved me so much time.

The list of AD attributes of the connector is therefore not really relevant or needed anymore, because now I think that pretty much every AD attribute can be read and written. Checking in AD or via an LDAP tool should help.

So the question is answered for me. 🙂

Regards,

Steffi.
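The cause Steffi found is a general LDAP one, not an IDM quirk: an RFC 4516 LDAP URL carries an explicit attribute list after the base DN, and the server returns only those attributes, so anything left out of that list never arrives, whatever the connector or the AD ACLs would allow. The script below is an added example, not code from this thread or from SAP IDM. It parses such a URL, reports which of a set of needed attributes the URL does not request, and rebuilds the URL with the missing ones appended. The host name, base DN and attribute names in `SAMPLE_URL` are constructed for illustration.

```python
"""Check which attributes an RFC 4516 LDAP URL actually asks the server for.

Added example, not from the forum thread or from SAP IDM. It lets you catch
an attribute that is simply missing from the URL's attribute list before
blaming the connector or directory permissions.
"""
from urllib.parse import quote, unquote, urlsplit

# Constructed sample in the style of a FromLDAP pass URL. Host, base DN and
# the attribute list are assumptions made for this example.
SAMPLE_URL = (
    "ldap://dc01.example.corp:389/OU=Users,DC=example,DC=corp"
    "?sAMAccountName,mail,displayName,memberOf?sub?(objectClass=user)"
)

VALID_SCOPES = {"", "base", "one", "sub"}


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL into its RFC 4516 parts.

    Layout: scheme://[host[:port]][/dn[?attrs[?scope[?filter[?extensions]]]]]
    urlsplit puts the DN in .path and everything after the first '?' in
    .query, so the remaining parts are separated by splitting .query on '?'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))          # pad to attrs, scope, filter, ext
    attrs_raw, scope, filt, ext = (unquote(f) for f in fields[:4])
    if scope not in VALID_SCOPES:
        raise ValueError(f"unknown scope {scope!r} in {url!r}")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname or "",
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        # An empty list means "all user attributes" (RFC 4516 section 2).
        "attributes": [a.strip() for a in attrs_raw.split(",") if a.strip()],
        "scope": scope or "base",
        "filter": filt or "(objectClass=*)",
        "extensions": [e for e in ext.split(",") if e],
    }


def requested(url_attrs: list, name: str) -> bool:
    """True if a search using this attribute list returns attribute `name`.

    An empty list or '*' selects all user attributes. LDAP attribute names are
    case-insensitive, so the comparison ignores case.
    """
    if not url_attrs or "*" in url_attrs:
        return True
    return name.lower() in {a.lower() for a in url_attrs}


def missing_attributes(url: str, needed: list) -> list:
    """Attributes from `needed` that the URL does not ask the server for."""
    attrs = parse_ldap_url(url)["attributes"]
    return [n for n in needed if not requested(attrs, n)]


def with_attributes(url: str, extra: list) -> str:
    """Rebuild the URL with `extra` appended to its attribute list (the fix
    from the thread: add the attribute to the list instead of widening it)."""
    info = parse_ldap_url(url)
    attrs = list(info["attributes"])
    for a in extra:
        if not requested(attrs, a):
            attrs.append(a)
    return (
        f"{info['scheme']}://{info['host']}:{info['port']}/"
        f"{quote(info['base_dn'], safe=',=')}?{','.join(attrs)}"
        f"?{info['scope']}?{quote(info['filter'], safe='()=*&|!')}"
    )


if __name__ == "__main__":
    needed = ["mail", "employeeID", "userAccountControl"]
    print("missing from URL:", missing_attributes(SAMPLE_URL, needed))
    print("fixed URL:", with_attributes(SAMPLE_URL, needed))
```

Two practical notes. Leaving the attribute list empty makes the server return every user attribute, which is convenient for the discovery step Alex described, but for a production pass the explicit list is the better default: it is faster and it keeps the connector from pulling attributes it has no business reading. And if an attribute is in the list yet still comes back empty, the URL is no longer the suspect; compare the result with an LDAP tool bound as the same service account, since that isolates a permission problem on the directory side.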