How to use LDAP Authentication with SMP 3
SAP Mobile Platform supports multiple built-in authentication providers that authenticate users. SMP administrators create a security profile and assign authentication providers to it using the Management Cockpit.
In this example I am going to show you how to use LDAP to authenticate users from your mobile application.
When I started, I didn't find any existing LDAP setup, so I configured one. If you don't have an existing LDAP server you can follow my blog; it's quite easy using Apache Directory Studio: Configuring LDAP – A Basic Tutorial
Configuring LDAP security profile
1. Login to SMP Admin Cockpit.
2. Click on the Security tab. Under Security Profiles click on the New button. It will open the Edit Security Profile window.
3. In the Name field enter "LDAP", then click on the Add button.
It will open Add Authentication Provider window.
4. Choose Authentication Provider as Directory Service (LDAP/AD) and provide the details below:
| Property | Value |
|---|---|
| Control Flag | Optional |
| Server Type | sunone5 |
| Provider URL | ldap://localhost:10389 |
| Security Protocol | LDAP |
| Bind DN | uid=admin,ou=system |
| Bind Password | secret |
| Authentication Search Base | ou=users,ou=system |
| Skip Role Lookup | true |
| Role Member Attributes | uniquemember |
| User Role Membership Attributes | nsRoleDN |
| Default Search Base | ou=users,ou=system |
Leave all other fields with default values.
After entering the values the screen should look like below:
5. Click on Save.
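Before wiring these values into the security profile it is worth checking them outside SMP, because a wrong Bind DN, a wrong Authentication Search Base and a wrong user password all surface on the client as the same 401. The script below is an added example, not code from the blog or from SMP: it replays the three steps a Directory Service login performs (service-account bind, search for the user below the search base, bind as the located DN) and reports the first step that fails. The filter it sends has the same uid/objectclass shape as the e-Directory trace quoted in the comments; the value is escaped per RFC 4515 so an unusual username cannot change the filter's structure. The names `LdapProfile`, `check_ldap_auth`, `build_user_filter` and `escape_filter_value` are mine, the defaults are the table's values, `uid=midhun` is the single user the linked LDAP tutorial creates, and the third-party `ldap3` package is assumed to be installed (it is imported lazily so the filter helpers work without it). Note that `ldap://` with Security Protocol LDAP carries both bind passwords without TLS; that is the blog's lab setting, not a production one.

```python
"""Pre-flight check for the 'Directory Service (LDAP/AD)' profile values.

Added example (not from the blog or from SMP). It replays, outside SMP, the
three steps a Directory Service login performs: bind with the service account
(Bind DN / Bind Password), search the Authentication Search Base for the user,
then bind as the located DN with the password the app supplied. A failing
step is reported by name, which SMP's generic 401 does not tell the client.
Assumption: the third-party `ldap3` package is installed; it is imported
lazily so the filter helpers below work without it.
"""
import getpass
from dataclasses import dataclass
from typing import Dict

# Characters that must be escaped inside an LDAP filter value (RFC 4515), so a
# username such as 'x)(uid=*' cannot rewrite the filter that is sent.
_FILTER_ESCAPES: Dict[str, str] = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, uid_attr: str = "uid") -> str:
    """Same filter shape as the e-Directory trace quoted in the comments."""
    return f"(&({uid_attr}={escape_filter_value(username)})(objectclass=person))"


@dataclass
class LdapProfile:
    """The profile fields from the table above; defaults are the blog's values."""
    provider_url: str = "ldap://localhost:10389"   # Security Protocol LDAP: no TLS
    bind_dn: str = "uid=admin,ou=system"
    bind_password: str = "secret"
    auth_search_base: str = "ou=users,ou=system"


def check_ldap_auth(profile: LdapProfile, username: str, password: str) -> str:
    """Return the user's DN when all three steps succeed; raise otherwise.

    ldap3 raises LDAPBindError for a rejected bind, so the traceback names the
    failing step (service bind vs. user bind); a search miss raises LookupError.
    """
    from ldap3 import Connection, Server  # assumption: pip install ldap3

    server = Server(profile.provider_url)
    # Step 1: service-account bind with the profile's Bind DN / Bind Password.
    svc = Connection(server, user=profile.bind_dn,
                     password=profile.bind_password, auto_bind=True)
    try:
        # Step 2: locate exactly one entry below the Authentication Search Base.
        svc.search(profile.auth_search_base, build_user_filter(username))
        if len(svc.entries) != 1:
            raise LookupError(
                f"{len(svc.entries)} entries match {username!r} "
                f"under {profile.auth_search_base}")
        user_dn = svc.entries[0].entry_dn
    finally:
        svc.unbind()
    # Step 3: bind as the located DN with the app-supplied password.
    user = Connection(server, user=user_dn, password=password, auto_bind=True)
    user.unbind()
    return user_dn


if __name__ == "__main__":
    # uid=midhun is the single user the blog's LDAP tutorial creates.
    print(check_ldap_auth(LdapProfile(), "midhun", getpass.getpass("LDAP password: ")))
```

Run it once with the service account only (a wrong Bind Password fails at step 1, a wrong search base at step 2) and once with an application user's credentials (step 3); if all three pass here and SMP still answers 401, the problem is in the profile or application assignment, not in the directory.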
Configuring Application
1. Go to Applications panel.
2. Click on New button. It will open New Application window.
3. On ID field enter LDAPAuth and click on Save. It will open a new window.
4. On field Endpoint enter http://services.odata.org/V2/Northwind/Northwind.svc/
5. Under SSO Mechanisms, click on Add. Then click on Save.
6. Click on Authentication Tab. For field Profile Name choose LDAP.
7. Click on Save.
Authenticate using LDAP
1. Run the Postman REST client in Chrome and provide the values shown below. Pass the LDAP credentials to register.
2. Click on the Send button. It will register the user on the SMP server.
Success response from the Postman REST client:
In the SMP Admin cockpit you can find the registered user.
To register a user from a mobile app, no LDAP-specific device code is needed if you are using MAF Logon, the LogonCore class, or the REST API.
Regards, Midhun
SAP Technology RIG
Dear Mithun,
This is a very helpful article.
I want to know how to configure the same things with Windows AD 2008 R2.
I mean, what is the server type and bind DN etc.,
and whether to restart the SMP services after the configuration.
I am getting the
"javax.naming.CommunicationExcept"
from the server log
Regards
Tauhid Shaikh
Hi Tauhid,
You should look at the explanation of the fields you have to enter while configuring LDAP: Directory Service (LDAP/AD) Configuration Properties - Administrator - SAP Library
There is no need to restart the server unless you are configuring LDAP to log in to the SMP Admin management cockpit (you need to edit the server config file in this case, which needs a server restart).
Regards, Midhun
SAP Technology RIG
Dear Mithun,
I am getting the "2015 04 08 17:57:55#+0400#WARN#com.sybase.security.ldap.LDAPLoginModule##anonymous#http-bio-8080-exec-2###Attempt to set maxActive configuration option of the LDAP connection pool ignored. A maximum of one attempt to set this option with a non-default value is allowed during the lifetime of the pool. |"
even though I changed the max Active LDAP connection to 0 for an indefinite connection, I am still getting the same error.
And also, I want to know, for Windows 2008 R2 AD, is role lookup mandatory or not,
because I am setting skip role.
Hi Midhun,
Thanks for the useful document.
We have used Windows AD 2008 to configure LDAP on SMP for a Native Odata application.
Users for SAP NetWeaver Gateway are maintained in LDAP server and when synchronized only User IDs will be synced to Gateway system. These users won't have passwords maintained in Gateway.
So when we configure LDAP for authentication in SMP, authentication is successful but the service call fails.
We have maintained Basic as the SSO mechanism for the backend connection in SMP, and the OData service call has failed, I believe because the login credentials do not match the Gateway credentials, as we don't have a password for this user in the Gateway system.
How do we handle this? Can you please suggest.
Thanks,
Narasimha
Hi Narasimha,
I didn't get what you mean by no password for gateway. Could you please elaborate?
What are the credentials you are passing to login?
Does the user you are using in the app have access to the backend system?
What is the error you are getting?
Regards, Midhun
SAP Technology RIG
Hi Midhun,
In our case, Gateway system is integrated with Active Directory and when we sync Gateway with AD, only user ids will be updated to Gateway system. I mean users in Gateway are maintained with userID only and their passwords will be in deactivated status.
Yes, these users are maintained in backend system.
So, when I try to log in from the device I am getting the "Response code from backend is 401 for request" error when the Endpoint URL of the application is called. However, device registration is completed and updated in SMP.
I think it is because SMP is passing the LDAP credentials (that I use to log in to the application) to Gateway for the service call, and since we have no password maintained for that user in the Gateway system it throws an unauthorized error.
So our scenario is: when we use LDAP as the authentication provider, the user logs in from the device using his AD credentials and, if authentication is successful, the service call request has to be forwarded to the gateway system and the OData service should be executed successfully.
Is it possible with LDAP provider configuration on SMP?
Please let me know if I am not clear with my question.
Regards,
Narasimha
Hi Narasimha,
Have you got a solution for the above query? I have a similar situation. Is it mandatory to have the user's password for the AD/LDAP and NW Gateway server be the same to call the Gateway service successfully?
Regards
Hi Rajesh & Narasimha,
Did you get a solution for the above query? I am facing a similar situation here.
Thanks
Krishna
Hi Midhun VP, when I register an account using the Postman REST client on Chrome, it requires a username and password. Which username & password for this authentication? Thanks!
Hi Minh,
If you have followed my blog the values will be the credentials of the user in LDAP repository.
Regards, Midhun
SAP Technology RIG
Thanks Midhun VP, you mean midhun and the password from when I set up the LDAP server?
Right, in this example I created only one user. Generally the repository will have multiple users, so these users can log in to the app using the credentials maintained in the LDAP repository.
Regards, Midhun
SAP Technology RIG
In this case I use username=midhun, password=123456, but still cannot get authorized. Here is some information about my LDAP settings, can you check for me? Thanks a lot Midhun VP.
Minh Hoa Le
Were you able to test the LDAP connection for uid=midhun as mentioned in the last paragraph? Configuring LDAP - A Basic Tutorial
No, Jitendra Kansal, because I use Linux and the LDAP admin tool doesn't support Linux, so I can't test the connection yet. What is the benefit of this step? Thanks a lot.
Hi Jitendra Kansal, I just tested; the test was successful.
Hi Jitendra Kansal and Midhun VP, I configured my system following your guide but when I register an account in SMP, I get an error. Here is the trace log about the error. Can you help me solve it, thanks so much.
2015 05 07 09:52:43#+00#ERROR#com.sap.mobile.platform.server.online.filter.application.SMPOnPremiseApplicationSettingsHandler##anonymous#http-bio-8080-exec-1####88e6d181-3e42-470a-84f7-0652c35e5de3#LDAPAuth#null#error#Other#tanhvn#null#8e263464-4c92-4e8c-83da-0397dbd63130#null#1430992363728#null#com.sap.mobile.platform.server.online.filter.application.AbstractSMPApplicationSettingsHandler:doFilter#Internal Server Error#null#672#Registration#1430992363705001#500 |
Minh Hoa Le
Can you raise a new discussion for your issue?
Meanwhile, I suggest you debug your authentication using the CSI tool as mentioned here.
Regards,
JK
Hi Midhun VP,
I am trying to configure LDAP as the authentication provider in SMP 3.0.6.0.
But I am getting a 401 error when I try to test the connection with the Postman client.
My LDAP is configured with e-Directory.
In the LDAP server, I am getting the following log.
DoBind on connection 0x7cd39500
Bind name:cn=smpadminuser,ou=Users,ou=e-Directory,ou=Services,o=company, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x7cd39500
DoSearch on connection 0x7cd39500
Search request:
base: "ou=users,o=company"
scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(uid=myusername)(objectclass=person))"
attribute: "1.1"
nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
Sending search result entry "cn=myusername,ou=Users,o=company" to connection 0x7cd39500
Sending operation result 0:"":"" to connection 0x7cd39500
New cleartext connection 0x7cd39180 from smphost:64160, monitor = 0xb9f7a700, index = 2
DoBind on connection 0x7cd39180
Bind name:cn=smpadminuser,ou=Users,ou=e-Directory,ou=Services,o=company, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x7cd39180
DoBind on connection 0x7cd39180
Bind name:cn=myusername,ou=users,o=company, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x7cd39180
DoSearch on connection 0x7cd39500
Search request:
base: "cn=myusername,ou=users,o=company"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
attribute: "UserAccountControl"
nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
nds_back_search: Search Control OID 1.2.840.113556.1.4.319
Sending search result entry "cn=myusername,ou=Users,o=company" to connection 0x7cd39500
Sending operation result 0:"":"" to connection 0x7cd39500
DoSearch on connection 0x7cd39500
Search request:
base: "cn=myusername,ou=users,o=company"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
attribute: "passwordExpirationTime"
nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
nds_back_search: Search Control OID 1.2.840.113556.1.4.319
Sending search result entry "cn=myusername,ou=Users,o=company" to connection 0x7cd39500
Per my understanding, UserAccountControl and passwordExpirationTime are the two attributes causing the problem.
Can you please help in resolving this issue.
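The trace above is easier to read once each DoBind/DoSearch is paired with the "Sending operation result" line for the same connection id. The parser below is an added example, not part of the comment or of SMP or e-Directory; the embedded sample is the trace quoted above, used here as constructed input with the "Search request:" headers and the nds_back_search control lines left out. The names `Op`, `parse_trace`, `user_bind_result`, `searched_attributes` and `cleartext_connections` are mine. Run over this sample it shows the service-account bind, the user search, the user's own bind (resultCode 0, so the directory accepted the password) and the two follow-up attribute reads, the last of which has no result line in the excerpt; it also lists the connection the server itself labelled "cleartext", which is the one the user's password was bound over.

```python
"""Pair each DoBind/DoSearch in an e-Directory trace with its result line.

Added example, not part of the post or of SMP/e-Directory. Matching by
connection id makes the per-step LDAP resultCode (0 = success) explicit.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: the trace quoted in the comment above, with the
# 'Search request:' headers and nds_back_search control lines left out.
SAMPLE_TRACE = '''\
DoBind on connection 0x7cd39500
Bind name:cn=smpadminuser,ou=Users,ou=e-Directory,ou=Services,o=company, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x7cd39500
DoSearch on connection 0x7cd39500
base: "ou=users,o=company"
filter: "(&(uid=myusername)(objectclass=person))"
attribute: "1.1"
Sending search result entry "cn=myusername,ou=Users,o=company" to connection 0x7cd39500
Sending operation result 0:"":"" to connection 0x7cd39500
New cleartext connection 0x7cd39180 from smphost:64160, monitor = 0xb9f7a700, index = 2
DoBind on connection 0x7cd39180
Bind name:cn=smpadminuser,ou=Users,ou=e-Directory,ou=Services,o=company, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x7cd39180
DoBind on connection 0x7cd39180
Bind name:cn=myusername,ou=users,o=company, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x7cd39180
DoSearch on connection 0x7cd39500
base: "cn=myusername,ou=users,o=company"
filter: "(objectClass=*)"
attribute: "UserAccountControl"
Sending search result entry "cn=myusername,ou=Users,o=company" to connection 0x7cd39500
Sending operation result 0:"":"" to connection 0x7cd39500
DoSearch on connection 0x7cd39500
base: "cn=myusername,ou=users,o=company"
filter: "(objectClass=*)"
attribute: "passwordExpirationTime"
Sending search result entry "cn=myusername,ou=Users,o=company" to connection 0x7cd39500
'''


@dataclass
class Op:
    conn: str                      # connection id the operation ran on
    kind: str                      # "bind" or "search"
    dn: str = ""                   # bind DN, or search base
    filter: str = ""               # search filter (search only)
    attrs: List[str] = field(default_factory=list)
    entries: List[str] = field(default_factory=list)
    result: Optional[int] = None   # LDAP resultCode; None if no result line seen


_OP = re.compile(r"^Do(Bind|Search) on connection (0x[0-9a-f]+)")
_BIND_DN = re.compile(r"^Bind name:(.*?), version:")
_QUOTED = re.compile(r'^(base|filter|attribute): "(.*)"')
_ENTRY = re.compile(r'^Sending search result entry "(.*)" to connection (0x[0-9a-f]+)')
_RESULT = re.compile(r"^Sending operation result (\d+):.* to connection (0x[0-9a-f]+)")
_CLEARTEXT = re.compile(r"^New cleartext connection (0x[0-9a-f]+)", re.M)


def parse_trace(text: str) -> List[Op]:
    """Turn trace lines into Op records, pairing result lines by connection id."""
    ops: List[Op] = []
    pending: Dict[str, Op] = {}  # connection id -> Op still waiting for its result
    for line in text.splitlines():
        if m := _OP.match(line):
            op = Op(conn=m.group(2), kind=m.group(1).lower())
            ops.append(op)
            pending[op.conn] = op
        elif (m := _BIND_DN.match(line)) and ops:
            ops[-1].dn = m.group(1)          # detail lines follow their DoX line
        elif (m := _QUOTED.match(line)) and ops:
            key, value = m.groups()
            if key == "base":
                ops[-1].dn = value
            elif key == "filter":
                ops[-1].filter = value
            else:
                ops[-1].attrs.append(value)
        elif (m := _ENTRY.match(line)) and m.group(2) in pending:
            pending[m.group(2)].entries.append(m.group(1))
        elif (m := _RESULT.match(line)) and m.group(2) in pending:
            pending.pop(m.group(2)).result = int(m.group(1))
    return ops


def user_bind_result(ops: List[Op], service_dn: str) -> Optional[int]:
    """resultCode of the first bind that is not the service account (None if absent)."""
    for op in ops:
        if op.kind == "bind" and op.dn.lower() != service_dn.lower():
            return op.result
    return None


def searched_attributes(ops: List[Op]) -> List[str]:
    """Every attribute the client asked for, in search order."""
    return [a for op in ops if op.kind == "search" for a in op.attrs]


def cleartext_connections(text: str) -> List[str]:
    """Connections the server labelled cleartext: binds on them carry passwords unencrypted."""
    return _CLEARTEXT.findall(text)
```

Because the directory returned resultCode 0 for the user's own bind, the parser separates "password rejected" from "something after the bind failed", which is the distinction a 401 from SMP does not make on its own.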
Dear Midhun, in the "Configuring LDAP security profile" steps, you input the values as below.
==============
Bind DN uid =admin, ou=system
Bind Password secret
===============
Why do you input the LDAP user midhun and that password here? Is this uid different from the uid in the LDAP server? Could you please provide a more detailed explanation?
And we input the uid "admin" and password "secret" here; in which step will we use it, and for what purpose?
Hi Kevin,
The username and password you provide here are the service user account which is required to look into the LDAP directory. They are not a normal username and password.
If you are trying to integrate an enterprise LDAP, you can ask the administrator from your corporate LDAP team to create an account for you.
Thanks
Aditya
Hi Aditya,
Thanks for your reply. I followed this guide and as the prerequisite I also set up the LDAP server following the link: http://scn/sap.com/docs/DOC-63191
In this document, I created the midhun user and added it to the administrator group.
I understand the midhun user will be required to look into the LDAP directory.
And in fact I also saw that he uses the midhun user to test it using Postman.
That is why I asked the question about the user "admin" configured in the SMP cockpit.
If the admin user is required to look into the LDAP directory, what is the use of the midhun user? Is there any difference between them?
Hi Midhun
On using LDAP/AD authentication and SSO mechanism "BASIC", do we need to have the same password for the AD User ID and the NetWeaver Gateway User ID to make a successful call of a service from the Gateway Server?
Regards
Rajesh V
Hello Midhun,
Thanks for the blog which is really helpful.
I have followed the steps mentioned here and was successfully able to register the device. But after that, when I tried to perform a GET operation, I am being prompted for NWG credentials.
Could you please help me on this.
Hi Hirak,
If you choose option as Technical user, then it prompts to enter NWG creds (This will be shared / given by your ABAP / Basis team).
Regards
Naresh
Hello Naresh,
Thanks for your reply.
Please correct my understanding if I am wrong:-
You mentioned a Technical user, so do you mean Technical User (Basic)?
In case I am selecting that, then I need to provide the NWG credentials provided by the ABAP team.
But in my case, there are a couple of user accounts created in NWG. So, it is not possible to hard-code all the credentials. Moreover, do you suggest hard-coding the credentials as a best practice?
Please help.
Thanks and Regards.
Hirak
Hello Midhun,
Need help on how to use OAuth Login (via Introspection Endpoint) authentication with SMP 3.0.16.
Any blog, so that I can refer to it?
Regards
Sumit Lal
Hi Sumit,
SMP 3 is under maintenance now. The recommended approach to build mobile apps is using SAP Cloud Platform Mobile Service.
Regards,
Midhun VP
Hi Midhun,
Thanks for response.
As this is a legacy app configured in SMP 3 years back, the client is not willing to migrate from SMP to SCP Mobile Service.
Is there any blog, so that I can refer to it?
It would be helpful for me.
Regards
Sumit Lal
Hi Sumit,
Unfortunately, I don't have details about it. I worked on SMP around 4 years ago, so I can't remember details about OAuth.
Regards,
Midhun VP