SAP Mobile Platform (SMP) ships with several built-in authentication providers that authenticate users. SMP administrators create a security profile and assign authentication providers to it in the Management Cockpit.

In this example I will show how to use LDAP to authenticate users from your mobile application.


When I started, I didn’t find any existing LDAP setup, so I configured one. If you don’t have an existing LDAP server you can follow my blog; it’s quite easy using Apache Directory Studio: Configuring LDAP – A Basic Tutorial

Configuring LDAP security profile

     1. Log in to the SMP Admin Cockpit.

     2. Click the Security tab. Under Security Profiles click the New button. It opens the Edit Security Profile window.

     3. In the Name field enter “LDAP”, then click the Add button.

        It opens the Add Authentication Provider window.

     4. Choose Directory Service (LDAP/AD) as the authentication provider and enter the following values:

Property                          Value
Control Flag                      Optional
Server Type                       sunone5
Provider URL                      ldap://localhost:10389
Security Protocol                 LDAP
Bind DN                           uid=admin,ou=system
Bind Password                     secret
Authentication Search Base        ou=users,ou=system
Skip Role Lookup                  true
Role Member Attributes            uniquemember
User Role Membership Attributes   nsRoleDN
Default Search Base               ou=users,ou=system


     Leave all other fields at their default values.

     After entering the values the screen should look like this:

     [Screenshot: completed Directory Service (LDAP/AD) provider configuration]

     5. Click Save.

Configuring Application

     1. Go to the Applications panel.

     2. Click the New button. It opens the New Application window.

     3. In the ID field enter LDAPAuth and click Save. It opens a new window.

     4. In the Endpoint field enter http://services.odata.org/V2/Northwind/Northwind.svc/

     5. Under SSO Mechanisms, click Add. Then click Save.

     6. Click the Authentication tab. In the Profile Name field choose LDAP.

     7. Click Save.

Authenticate using LDAP

     1. Run the Postman REST client in Chrome and provide the values below. Pass the LDAP credentials to register.

     [Screenshot: Postman registration request]

     2. Click the Send button. It registers the user on the SMP server.

        Success response from the Postman REST client:

     [Screenshot: Postman success response]

In the SMP Admin Cockpit you can find the registered user.

To register a user from a mobile app, no LDAP-specific device code is needed if you are using MAF Logon, the LogonCore class, or the REST API.
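As an added Python example (not code from the blog or from SMP), here is the search-then-bind flow that the profile values above drive and that the LDAP credentials passed at registration go through: the Bind DN and Bind Password are a service account used only to locate the user's entry under the Authentication Search Base, the user's own password is checked by a second bind as the DN that search returned, and roles are read from the Role Member Attribute only when Skip Role Lookup is false. The in-memory FakeDirectory, its entries and the password 123456 are constructed stand-ins for the Apache DS server; the empty-password check in bind() is there because LDAP servers treat a DN with an empty password as an unauthenticated bind that would otherwise look like success.

```python
from dataclasses import dataclass
def norm_dn(dn: str) -> str:
    """Normalise a DN so 'ou=Users, o=x' and 'ou=users,o=x' compare equal."""
    return ",".join(p.strip().lower() for p in dn.split(","))

@dataclass
class FakeDirectory:
    """Constructed in-memory stand-in for the Apache DS server (real servers hash passwords)."""
    entries: dict  # normalised DN -> attribute dict

    def bind(self, dn: str, password: str) -> bool:
        # RFC 4513: a DN with an empty password is an unauthenticated bind that many servers
        # accept as anonymous, so a login module must count it as a failure, not a success.
        if not password:
            return False
        entry = self.entries.get(norm_dn(dn))
        return entry is not None and entry.get("userPassword") == password

    def search_person(self, base: str, uid: str) -> list:
        """Subtree search under base, equivalent to the filter (&(uid=<uid>)(objectclass=person))."""
        return [dn for dn, e in self.entries.items() if dn.endswith("," + norm_dn(base))
                and e.get("uid", "").lower() == uid.lower()
                and "person" in [c.lower() for c in e.get("objectClass", [])]]

    def groups_of(self, base: str, member_dn: str, attr: str) -> list:
        """Entries under base whose role-member attribute (e.g. uniqueMember) lists member_dn."""
        return [dn for dn, e in self.entries.items() if dn.endswith("," + norm_dn(base))
                and norm_dn(member_dn) in [norm_dn(m) for m in e.get(attr, [])]]

PROFILE = {  # the values entered in the blog's security-profile table
    "bind_dn": "uid=admin,ou=system", "bind_password": "secret",
    "auth_search_base": "ou=users,ou=system", "skip_role_lookup": True,
    "role_member_attr": "uniqueMember", "default_search_base": "ou=users,ou=system"}
def ldap_login(d: FakeDirectory, profile: dict, username: str, password: str) -> tuple:
    """Search-then-bind: the Bind DN only locates the user's DN; the password is checked by a 2nd bind."""
    if not d.bind(profile["bind_dn"], profile["bind_password"]):
        return False, None, []                 # the service account itself is wrong
    matches = d.search_person(profile["auth_search_base"], username)
    if len(matches) != 1:                      # unknown or ambiguous uid: reject
        return False, None, []
    if not d.bind(matches[0], password):       # wrong or empty user password
        return False, matches[0], []
    roles = [] if profile["skip_role_lookup"] else \
        d.groups_of(profile["default_search_base"], matches[0], profile["role_member_attr"])
    return True, matches[0], roles
DIRECTORY = FakeDirectory({  # constructed sample entries, not the blog author's data
    "uid=admin,ou=system": {"userPassword": "secret"},
    "uid=midhun,ou=users,ou=system": {"uid": "midhun", "objectClass": ["person"], "userPassword": "123456"},
    "cn=administrators,ou=groups,ou=system": {"uniqueMember": ["uid=Midhun,ou=Users,ou=system"]}})
```

Running the same flow against the real server only needs bind(), search_person() and groups_of() swapped for the equivalent calls of an LDAP client library.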

CC:

SMP Developer Center

Regards, Midhun

SAP Technology RIG


26 Comments


  1. Tauhid Hasan Shaikh

    Dear Midhun,

    This is a very helpful article.

    I want to know how to configure the same things with Windows AD 2008 R2.

    Meaning, what is the server type, bind DN, etc., and whether to restart the SMP services after the configuration.

    I am getting the

    “javax.naming.CommunicationExcept”

    from the server log.

    Regards,

    Tauhid Shaikh
      1. Tauhid Hasan Shaikh

        Dear Midhun,

        I am getting the “2015 04 08 17:57:55#+0400#WARN#com.sybase.security.ldap.LDAPLoginModule##anonymous#http-bio-8080-exec-2###Attempt to set maxActive configuration option of the LDAP connection pool ignored. A maximum of one attempt to set this option with a non-default value is allowed during the lifetime of the pool. |”

        Even though I changed the max active LDAP connections to 0 for indefinite connections, I am still getting the same error.

        Also, I want to know whether role lookup is mandatory for Windows 2008 R2 AD, because I am setting skip role.
  2. Narasimha Rao Yannabathina

    Hi Midhun,

    Thanks for the useful document.

    We have used Windows AD 2008 to configure LDAP on SMP for a native OData application.

    Users for SAP NetWeaver Gateway are maintained in the LDAP server, and when synchronized only user IDs are synced to the Gateway system. These users won’t have passwords maintained in Gateway.

    So when we configure LDAP for authentication in SMP, authentication is successful but the service call fails.

    We have maintained Basic as the SSO mechanism for the backend connection in SMP, and the OData service call has failed; I believe because the login credentials do not match the Gateway credentials, as we don’t have a password for this user in the Gateway system.

    How do we handle this? Can you please suggest.

    Thanks,

    Narasimha
    1. Midhun VP Post author

      Hi Narasimha,

      I didn’t get what you mean by no password for Gateway. Could you please elaborate?

      What are the credentials you are passing to log in?

      Does the user you are using in the app have access to the backend system?

      What is the error you are getting?

      Regards, Midhun

      SAP Technology RIG
      1. Narasimha Rao Yannabathina

        Hi Midhun,

        In our case, the Gateway system is integrated with Active Directory, and when we sync Gateway with AD, only user IDs are updated in the Gateway system. I mean users in Gateway are maintained with a user ID only and their passwords are in deactivated status.

        Yes, these users are maintained in the backend system.

        So, when I try to log in from the device I am getting the “Response code from backend is 401 for request” error when the Endpoint URL of the application is called. However, device registration is completed and updated in SMP.

        I think it is because SMP is passing the LDAP credentials (that I use to log in to the application) to Gateway for the service call, and since we have no password maintained for that user in the Gateway system it throws an unauthorized error.

        So our scenario is: when we use LDAP as the authentication provider, the user logs in from the device using his AD credentials, and if the authentication is successful the service call request has to be forwarded to the Gateway system and the OData service should be executed successfully.

        Is it possible with the LDAP provider configuration on SMP?

        Please let me know if I am not clear with my question.

        Regards,

        Narasimha
        1. Rajesh V

          Hi Narasimha,

          Have you got a solution for the above query? I have a similar situation. Is it mandatory to have the user’s password for the AD/LDAP and NW Gateway server be the same to call the Gateway service successfully?

          Regards
  3. Minh Hoa Le

    Hi Midhun VP, when I register an account using the Postman REST client on Chrome, it requires a username and password. Which username & password are used for this authentication? Thanks!
    1. Midhun VP Post author

      Hi Minh,

      If you have followed my blog, the values will be the credentials of the user in the LDAP repository.

      Regards, Midhun

      SAP Technology RIG
        1. Midhun VP Post author

          Right, in this example I created only one user. Generally the repository will have multiple users, hence these users could log in to the app using the credentials maintained in the LDAP repository.

          Regards, Midhun

          SAP Technology RIG
  4. Minh Hoa Le

    In this case I use username=midhun, password=123456, but still cannot get authorized. Here is some information about my LDAP settings; can you check it for me? Thanks a lot, Midhun VP.
  5. Minh Hoa Le

    Hi Jitendra Kansal and Midhun VP, I configured my system following your guide, but when I register an account in SMP I get an error. Here is the trace log about the error. Can you help me solve it? Thanks so much.

    2015 05 07 09:52:43#+00#ERROR#com.sap.mobile.platform.server.online.filter.application.SMPOnPremiseApplicationSettingsHandler##anonymous#http-bio-8080-exec-1####88e6d181-3e42-470a-84f7-0652c35e5de3#LDAPAuth#null#error#Other#tanhvn#null#8e263464-4c92-4e8c-83da-0397dbd63130#null#1430992363728#null#com.sap.mobile.platform.server.online.filter.application.AbstractSMPApplicationSettingsHandler:doFilter#Internal Server Error#null#672#Registration#1430992363705001#500 |
  6. Ady D

    Hi Midhun VP,

    I am trying to configure LDAP as the authentication provider in SMP 3.0.6.0.

    But I am getting a 401 error when I try to test the connection with the Postman client.

    My LDAP is configured with e-Directory.

    In the LDAP server, I am getting the following log.

    DoBind on connection 0x7cd39500

    Bind name:cn=smpadminuser,ou=Users,ou=e-Directory,ou=Services,o=company, version:3, authentication:simple

    Sending operation result 0:””:”” to connection 0x7cd39500

    DoSearch on connection 0x7cd39500

    Search request:

            base: “ou=users,o=company”

            scope:2  dereference:3  sizelimit:0  timelimit:0  attrsonly:0

            filter: “(&(uid=myusername)(objectclass=person))”

            attribute: “1.1”

    nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2

    Sending search result entry “cn=myusername,ou=Users,o=company” to connection 0x7cd39500

    Sending operation result 0:””:”” to connection 0x7cd39500

    New cleartext connection 0x7cd39180 from smphost:64160, monitor = 0xb9f7a700, index = 2

    DoBind on connection 0x7cd39180

    Bind name:cn=smpadminuser,ou=Users,ou=e-Directory,ou=Services,o=company, version:3, authentication:simple

    Sending operation result 0:””:”” to connection 0x7cd39180

    DoBind on connection 0x7cd39180

    Bind name:cn=myusername,ou=users,o=company, version:3, authentication:simple

    Sending operation result 0:””:”” to connection 0x7cd39180

    DoSearch on connection 0x7cd39500

    Search request:

            base: “cn=myusername,ou=users,o=company”

            scope:0  dereference:3  sizelimit:0  timelimit:0  attrsonly:0

            filter: “(objectClass=*)”

            attribute: “UserAccountControl”

    nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2

    nds_back_search: Search Control OID 1.2.840.113556.1.4.319

    Sending search result entry “cn=myusername,ou=Users,o=company” to connection 0x7cd39500

    Sending operation result 0:””:”” to connection 0x7cd39500

    DoSearch on connection 0x7cd39500

    Search request:

            base: “cn=myusername,ou=users,o=company”

            scope:0  dereference:3  sizelimit:0  timelimit:0  attrsonly:0

            filter: “(objectClass=*)”

            attribute: “passwordExpirationTime”

    nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2

    nds_back_search: Search Control OID 1.2.840.113556.1.4.319

    Sending search result entry “cn=myusername,ou=Users,o=company” to connection 0x7cd39500

    Per my understanding, UserAccountControl and passwordExpirationTime are the two attributes causing the problem.

    Can you please help in resolving this issue?
  7. Kevin Xu

    Dear Midhun, in the “Configuring LDAP security profile” steps, you input the values as below.

    ==============

    Bind DN uid =admin, ou=system

    Bind Password secret

    ===============

    Why do you input the LDAP user midhun and that password here? Is this uid different from the uid in the LDAP server? Could you please provide a more detailed explanation?

    And we input the uid “admin” and password “secret” here; in which step will we use it, and for what purpose?
    1. Aditya Dhulipala

      Hi Kevin,

      The username and password you provide here are for the service user account, which is required to look into the LDAP directory. They are not a normal username and password.

      If you are trying to integrate an enterprise LDAP, you can ask the administrator from your corporate LDAP team to create an account for you.

      Thanks

      Aditya
      1. Kevin Xu

        Hi Aditya,

        Thanks for your reply. I followed this guide, and as a prerequisite I also set up the LDAP server following the link: http://scn/sap.com/docs/DOC-63191

        In this document, I created the midhun user and added it to the administrator group.

        I understand the midhun user will be required to look into the LDAP directory.

        And in fact I also saw that he used the midhun user to test it using Postman.

        That is why I asked the question about the user “admin” configured in the SMP cockpit.

        If the admin user is required to look into the LDAP directory, what is the use of the midhun user? Is there any difference between them?
  8. Rajesh V

    Hi Midhun,

    On using LDAP/AD authentication and the SSO mechanism “BASIC”, do we need to have the same password for the AD user ID and the NetWeaver Gateway user ID to make a successful call of a service from the Gateway server?

    Regards

    Rajesh V
  9. Hirak Bhowmick

    Hello Midhun,

    Thanks for the blog, which is really helpful.

    I have followed the steps mentioned here and was successfully able to register the device. But after that, when I tried to perform a GET operation, I was prompted for NWG credentials.

    Could you please help me with this?
    1. Naresh Chittoor

      Hi Hirak,

      If you choose the option Technical User, then it prompts you to enter the NWG creds (these will be shared / given by your ABAP / Basis team).

      Regards

      Naresh
      1. Hirak Bhowmick

        Hello Naresh,

        Thanks for your reply.

        Please correct my understanding if I am wrong:
        You mentioned Technical User, so do you mean Technical User (Basic)?
        In case I am selecting that, then I need to provide the NWG credentials provided by the ABAP team.

        But in my case, there are a couple of user accounts created in NWG, so it is not possible to hard-code all the credentials. Moreover, do you suggest hard-coding the credentials as a best practice?

        Please help.

        Thanks and Regards,
        Hirak
