Skip to Content
Product Information

LDAP-based Authentication and User Provisioning for SAP HANA – by the SAP HANA Academy

Introduction

SAP HANA 2.0 SPS 03 introduced LDAP-based user provisioning, that is, the capability to automatically create database accounts for LDAP users and map their LDAP roles. This significantly reduces both complexity and cost for maintaining users and authorizations in larger system landscapes.

To explain how you can set this up, we have created a playlist on our SAP HANA Academy YouTube channel with sample code on the associated GitHub repository with links to the documentation.

 

YouTube Playlist

All the video tutorials on the client-side data encryption topic are bundled in a single playlist on our channel:

 

What’s New?

In the first video, what’s new on the security topic for SAP HANA 2.0 SPS 03 concerning LDAP is discussed.

Tutorial Video

Create LDAP Provider

To configure a connection to an LDAP server in SAP HANA, you need to create an LDAP provider in the (tenant) database with the CREATE LDAP PROVIDER or ALTER LDAP PROVIDER statements.

Access to the LDAP server takes place using an LDAP server user with permission to perform searches as specified by the user look-up URL. The credential of this user is stored in the secure internal credential store.

Communication between SAP HANA and the LDAP server can be secured using the TLS/SSL protocol or Secure LDAP protocol (LDAPS).

For the code, see

For the documentation, see

Tutorial Video

LDAP Group Authorizations

You can use LDAP group membership to authorize existing SAP HANA database users. To implement LDAP group authorization, you need to

  • Map LDAP groups to SAP HANA catalog roles using the CREATE ROLE or ALTER ROLE statements
  • Configure SAP HANA users for LDAP group authorization

For the code, see

For the documentation, see

Tutorial Video

LDAP User Authentication – Automatic User Provisioning

LDAP authentication can be implemented for users accessing SAP HANA directly via JDBC/ODBC database clients. Using LDAP user passwords for authentication eliminates the need to manage user passwords and password policies in the SAP HANA database.

For the code, see

For the documentation, see

Tutorial Video

Thank you for watching

The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.

Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.

For the full library, see SAP HANA Academy Library – by the SAP HANA Academy.

For the full list of blogs, see Blog Posts – by the SAP HANA Academy.

10 Comments
You must be Logged on to comment or reply to a post.
  • After configuring LDAP, I can no longer authenticate with ODBC clients.  (Even something as simple as a DSN entry in the ODBC client configuration.)  Any tips on what I need to configure from an end-user workstation perspective?

  • Hi,

    Already LDAP provider and now when I try to validate using below command , it gives error.

    Also imported AD root certificate on Hana DB

    I am facing issue with command VALIDATE LDAP PROVIDER

    Error: (dberror) [4200]: Validate LDAP provider failed because of internal error: Unable to bind with LDAP provider

    Kindly suggest.

  • Hi Denys,

    Mapping LDAP groups to SAP HANA catalog roles, we are thinking of using a Nested AD group. Does HANA integration with LDAP support the Nested AD group?

    Kindly suggest.

    Thanks!
    ~Azhar

    • Hi Denys,

      Thanks for your response!!

      I did the PoC yesterday and I'm getting the below error.

      Could not execute 'VALIDATE LDAP PROVIDER TEST_NESTAD CHECK USER CREATION FOR LDAP USER AS00829' in 297 ms 319 µs .

      SAP DBTech JDBC: [4200]: Validate LDAP provider failed because of internal error: No roles mapped for the LDAP groups user AS00829 is part of

      As per the documentation that SAP Provided, Yes HANA supports Nested AD for user lookup. We are creating a role and alter it to map it to an LDAP group for automatic user creation. The LDAP group which we are using is a Nested Group. Even though user AS00829 is part of that Nested AD group, HANA is not able to find that user.

      ~Azhar

      • Thanks Azhar,

        I have no access to an LDAP environment 1-2-3, so cannot give you a working code sample.

        Dennis Padia posted a blog on the topic some time ago, which provide some insights in what goes wrong.

        If you have access to SAP Support, probably best to create a request.

        If not, suggest to post this issue as a question (https://answers.sap.com) to loop in the experts from the Community. Tag with SAP HANA, Security, and LDAP. If possible, add print screens and code snippets to make it ease to reproduce.