SAP HANA Cloud Integration is SAP’s strategic connectivity solution. If you are looking for integration support for LDAP-based systems, this blog will definitely appeal to you. As of November 2016, the LDAP adapter is available for SAP HANA Cloud Integration customers. This adapter helps you to achieve integration scenarios that involve LDAP services (for example, MS Active Directory).

You have to use SAP HANA Cloud Connector to connect to LDAP services through the LDAP adapter.

The LDAP adapter supports Insert and Modify operations. Using the Insert operation, you can create new entries in the LDAP service. You can use the Modify operation to edit existing entries in the LDAP service. You can perform these operations on only one record at a time; that is, you can insert or modify only one record in one message processing cycle. If you want to perform operations on multiple entries, you need to use a Splitter step to split the message into individual records and then pass them on to the LDAP adapter.

Remember: The input to the LDAP adapter must not contain data for an operation on more than one record.

Important Note on Establishing Connectivity to LDAP Service

You always connect to the LDAP service through the SAP HANA Cloud Connector (SCC). You can see more information on the SAP HANA Cloud Connector here. You need to install and configure version 2.9 or above of the SCC to use the LDAP adapter for integration to LDAP services.

Supported Input Types for LDAP Adapter

The LDAP adapter allows you to provide input in two formats:

  1. XML
  2. Java (JNDI) Attributes.

The idea behind supporting different input types is to allow you the flexibility of modeling scenarios based on the type of payload or input that you have.

Configuring LDAP Adapter

Here’s an example of the Processing settings for the LDAP adapter.

In the Address field, you provide the Virtual Host that you have configured in the SAP HANA Cloud Connector. For more information see here. The Proxy Type and Authentication fields are automatically filled with On Premise and Simple values respectively. Provide the Credential Name that you used while deploying credentials on the HCI tenant.

In the Operation field, choose either Modify or Insert based on the operation that you want to perform. You can provide input for the operation in the form of XML or Java (JNDI) attributes.

Using Mapping to Process XML Input Messages

If you are passing XML input to the LDAP adapter, you need to consider that the LDAP adapter recognizes messages only in a specific format. In other words, your input should follow the schema that the LDAP adapter can recognize.

You can use a mapping step in this case to transform the input XML message according to the LDAP schema. Here’s what a typical scenario looks like when you are using a mapping step.

In this example scenario, the input message is fetched from a SuccessFactors system. This message is used as the source in the mapping step and the target is the LDAP schema that the LDAP adapter can understand.

Here’s an example of the LDAP schema that you can use as the target in mapping step:

 

<?xml version="1.0" encoding="UTF-8"?>
<schema xmlns="http://www.w3.org/2001/XMLSchema">
    <element name="Schema">
        <complexType>
            <sequence>
                <element name="DistinguishedName" maxOccurs="1" minOccurs="1" type="string"/>
                <element name="ObjectClass" maxOccurs="1" minOccurs="0" type="string"/>
                <element name="Attributes" maxOccurs="1" minOccurs="1">
                    <complexType>
                        <sequence>
                            <element name="cn" type="string" maxOccurs="1" minOccurs="0"></element>
                            <element name="sAMAccountName" type="string" maxOccurs="1" minOccurs="1"></element>
                            <element name="sn" type="string" maxOccurs="1" minOccurs="0"></element>
                            <element name="givenName" type="string" maxOccurs="1" minOccurs="0"></element>
                            <element name="displayName" type="string" maxOccurs="1" minOccurs="0"></element>
                            <element name="name" type="string" maxOccurs="1" minOccurs="0"></element>
                        </sequence>
                    </complexType>
                </element>
            </sequence>
        </complexType>
    </element>
</schema>

The next obvious question that you would have here is how to proceed in case the schema does not contain the fields that you want. The solution is quite straightforward. You just add the required field or fields to the above schema and proceed with the mapping.

It is very important that you add the additional field or fields under the <sequence> element of the <Attributes> element before using the schema in the mapping step.

For example, let us assume that you want to add the field telephoneNumber. As mentioned above, you add the field to the schema under the <sequence> tag of the <Attributes> element. Here’s what the modified schema looks like with the telephoneNumber field added:

<?xml version="1.0" encoding="UTF-8"?>
<schema xmlns="http://www.w3.org/2001/XMLSchema">
    <element name="Schema">
        <complexType>
            <sequence>
                <element name="DistinguishedName" maxOccurs="1" minOccurs="1" type="string"/>
                <element name="ObjectClass" maxOccurs="1" minOccurs="0" type="string"/>
                <element name="Attributes" maxOccurs="1" minOccurs="1">
                    <complexType>
                        <sequence>
                            <element name="sAMAccountName" type="string"></element>
                            <element name="sn" type="string"></element>
                            <element name="givenName" type="string"></element>
                            <element name="displayName" type="string"></element>
                            <element name="name" type="string"></element>
                            <element name="telephoneNumber" type="string"></element>
                            <!-- The above element has been added to the schema.
                                 If you want to add or remove elements, ensure that
                                 you make changes within the sequence tag. -->
                        </sequence>
                    </complexType>
                </element>
            </sequence>
        </complexType>
    </element>
</schema>

Now that you have a schema for mapping, and also know how to modify the schema to suit your requirement, the next step is to add this schema as the target in your mapping step and map the source to your target. Here’s what a typical mapping definition file looks like:

The DistinguishedName or DN should be constructed as shown below using a mapping expression:

Manipulating Fields and Adding Them to the Message after Mapping

Consider a scenario where you would like to add a field to the message after mapping the message to the LDAP schema. For example, you would like to add a password to the message. However, you cannot add it in plain text for security reasons. You would want to encode the password and then add it to the message. A typical integration flow in such a scenario would involve a Script step after the Mapping step. The script would encode the password value before adding it to the message that will be sent to the LDAP adapter. Here’s what the integration flow looks like:

Here’s an example of the script that you can use to encode password:

import com.sap.gateway.ip.core.customdev.util.Message;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;

def Message processData(Message message)
{
    Attributes attributes = new BasicAttributes();
    // Sample password, hard-coded for illustration only.
    // The unicodePwd attribute (Active Directory) expects the value wrapped in double quotes...
    String quotedPassword = '"' + "Initial@1" + '"';
    // ...and encoded as UTF-16LE bytes. This is a format conversion, not encryption.
    byte[] unicodePasswordByteArray = quotedPassword.getBytes("UTF-16LE");
    attributes.put(new BasicAttribute("unicodePwd", unicodePasswordByteArray));
    // Hand the attribute to the LDAP adapter through the SAP_LDAPAttributes header.
    message.setHeader("SAP_LDAPAttributes", attributes);
    return message;
}

 

Using Java (JNDI) Attributes Input

The LDAP adapter allows you to provide input in the form of Java attributes. In these scenarios, you use a Script step where you define a script that reads values for the attributes during runtime. These values are then built into a message that is sent to the LDAP adapter. You can define values for these attributes during runtime before they are passed on to the LDAP service and the operation is performed.

Here’s what an integration flow looks like if you are passing input in the form of Java (JNDI) attributes:

Here’s an example of the script that you can use in the script step.

importClass(com.sap.gateway.ip.core.customdev.util.Message);
importClass(java.util.HashMap);
importClass(javax.naming.directory.Attribute);
importClass(javax.naming.directory.BasicAttribute);
importClass(javax.naming.directory.BasicAttributes);
importClass(javax.naming.directory.Attributes);

function processData(message) {
    // Incoming payload; this sample does not use it and sets fixed values instead.
    var body = message.getBody();
    // Distinguished name of the entry the operation applies to (sample value).
    var dn = "cn=Markus,ou=users,dc=testcompany,dc=com";
    var givenNameAttr = new BasicAttribute("givenName", "Jack");
    var displayNameAttr = new BasicAttribute("displayName", "Reacher");
    var telephoneNumberAttr = new BasicAttribute("telephoneNumber", "100-100-100");
    var attributes = new BasicAttributes();
    attributes.put(givenNameAttr);
    attributes.put(displayNameAttr);
    attributes.put(telephoneNumberAttr);
    var titleAttr = new BasicAttribute("title", "Developer");
    attributes.put(titleAttr);
    // Declared with var so it does not leak into the global scope.
    var snAttr = new BasicAttribute("sn", "Brutus");
    attributes.put(snAttr);
    // The adapter reads the DN and the attributes from a map set as the message body.
    var resultingMap = new HashMap();
    resultingMap.put("dn", dn);
    resultingMap.put("attributes", attributes);
    message.setBody(resultingMap);
    return message;
}
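
The script above uses a fixed DN. When the DN is instead built from message data, as in the mapping case described earlier, a value such as a name can contain characters that are DN syntax (comma, plus sign, backslash) and must be escaped before it is concatenated. The following is an added example, not part of the original post or of SAP's adapter code: plain JavaScript applying RFC 4514 escaping to an RDN value, where `escapeRdnValue`, `buildUserDn` and `splitDn` are hypothetical helper names and the sample name is constructed.

```javascript
// Characters that RFC 4514 allows to be escaped with a single backslash.
const SPECIAL = new Set(['"', '+', ',', ';', '<', '>', '\\', '=']);

function escapeRdnValue(value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError('RDN value must be a non-empty string');
  }
  let out = '';
  for (let i = 0; i < value.length; i++) {
    const ch = value[i], code = value.charCodeAt(i);
    if (SPECIAL.has(ch)) {
      out += '\\' + ch;
    } else if (code < 0x20 || code === 0x7f) {
      out += '\\' + code.toString(16).padStart(2, '0'); // NUL, CR, LF, ...
    } else if (ch === ' ' && (i === 0 || i === value.length - 1)) {
      out += '\\ ';                                     // leading or trailing space
    } else if (ch === '#' && i === 0) {
      out += '\\#';                                     // leading '#'
    } else {
      out += ch;
    }
  }
  return out;
}

// Hypothetical helper: cn comes from message data, baseDn is fixed configuration.
function buildUserDn(commonName, baseDn) {
  return 'cn=' + escapeRdnValue(commonName) + ',' + baseDn;
}

// Split a DN into RDNs on unescaped commas, to check its structure.
function splitDn(dn) {
  const parts = [];
  let current = '';
  for (let i = 0; i < dn.length; i++) {
    if (dn[i] === '\\' && i + 1 < dn.length) {
      current += dn[i] + dn[i + 1]; i++;  // keep the escaped pair together
    } else if (dn[i] === ',') {
      parts.push(current); current = '';
    } else {
      current += dn[i];
    }
  }
  parts.push(current);
  return parts;
}

// Constructed sample: a name containing a comma. Naive concatenation: 5 RDNs; escaped: 4.
const BASE_DN = 'ou=users,dc=testcompany,dc=com';
console.log(splitDn('cn=Reacher, Jack,' + BASE_DN).length,
            splitDn(buildUserDn('Reacher, Jack', BASE_DN)).length);
```
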

LDAP Adapter Error Logging

In case there is any failure in the operation, the message processing log in SAP HANA Cloud Integration will contain the error that the LDAP service has returned. You can refer to this link for detailed information on error codes.


2 Comments


  1. Rajesh pasupula

    Hi,

    Good to know about one more adapter in the HCI.

    But can I know in which use case/circumstance this adapter is more useful (I know that user integration can be done with the LDAP/Active Directory)?

    In terms of the business processes with respect to SuccessFactors/Ariba/HCP, can this be used? If so, it will be great if you can either elaborate or provide a use case.

    Thanks & Regards
    Rajesh
     

    1. Deepak Govardhanrao Deshpande

       

      Hi Rajesh,
      To answer your question “In terms of the business processes with respect to successfactors/Ariba/HCP can this be used ?” => Yes, it can be used.

      New Employee hire in SuccessFactors system and hired employee’s (user) record insertion in LDAP backend can be mentioned as one of the use cases in which HCI LDAP adapter can be used. And a relevant example has been given in the blog which addresses this use case.

      Hope it answers your question.

      Thanks
      Deepak
