Skip to Content
Product Information
Author's profile photo Denys van Kempen

LDAP-based Authentication and User Provisioning for SAP HANA – by the SAP HANA Academy

Introduction

SAP HANA 2.0 SPS 03 introduced LDAP-based user provisioning, that is, the capability to automatically create database accounts for LDAP users and map their LDAP roles. This significantly reduces both complexity and cost for maintaining users and authorizations in larger system landscapes.

To explain how you can set this up, we have created a playlist on our SAP HANA Academy YouTube channel with sample code on the associated GitHub repository with links to the documentation.

 

YouTube Playlist

All the video tutorials on the client-side data encryption topic are bundled in a single playlist on our channel:

 

What’s New?

In the first video, what’s new on the security topic for SAP HANA 2.0 SPS 03 concerning LDAP is discussed.

Tutorial Video

Create LDAP Provider

To configure a connection to an LDAP server in SAP HANA, you need to create an LDAP provider in the (tenant) database with the CREATE LDAP PROVIDER or ALTER LDAP PROVIDER statements.

Access to the LDAP server takes place using an LDAP server user with permission to perform searches as specified by the user look-up URL. The credential of this user is stored in the secure internal credential store.

Communication between SAP HANA and the LDAP server can be secured using the TLS/SSL protocol or Secure LDAP protocol (LDAPS).

For the code, see

For the documentation, see

Tutorial Video

LDAP Group Authorizations

You can use LDAP group membership to authorize existing SAP HANA database users. To implement LDAP group authorization, you need to

  • Map LDAP groups to SAP HANA catalog roles using the CREATE ROLE or ALTER ROLE statements
  • Configure SAP HANA users for LDAP group authorization

For the code, see

For the documentation, see

Tutorial Video

LDAP User Authentication – Automatic User Provisioning

LDAP authentication can be implemented for users accessing SAP HANA directly via JDBC/ODBC database clients. Using LDAP user passwords for authentication eliminates the need to manage user passwords and password policies in the SAP HANA database.

For the code, see

For the documentation, see

Tutorial Video

Thank you for watching

The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.

Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.

For the full library, see SAP HANA Academy Library – by the SAP HANA Academy.

For the full list of blogs, see Blog Posts – by the SAP HANA Academy.

Assigned Tags

      12 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Michael Howles
      Michael Howles

      After configuring LDAP, I can no longer authenticate with ODBC clients.  (Even something as simple as a DSN entry in the ODBC client configuration.)  Any tips on what I need to configure from an end-user workstation perspective?

      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      Hi Mike,

      LDAP requires the SAP CommonCrypto Library (CCL) and a SAP HANA 2.0 client (Driver 2.3.*).

      Steps:

      1. Download CCL (+ HANA client)
      2. Set Windows System Properties Environment Variables SECUDIR (path to HANA client) and PATH (add path to HANA client)
      3. Configure Advanced ODBC Connection Properties: Connect using SSL (Encrypt=true)

      Works?

       

      Author's profile photo Michael Howles
      Michael Howles

      Thanks for the details.  We got it working, however it seems that we can no longer replicate BW reporting authorizations over to HANA users that are authenticated via LDAP, so it turns out we probably will not be able to pursue LDAP after all 🙁

      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      By the way, to debug, you can use the commands:

      hdbodbc_cons.exe config trace debug on
      odbcreg -t hdbodbc 

      Trace files are in current directory

      Author's profile photo Sumit Patel
      Sumit Patel

      Hi,

      Already LDAP provider and now when I try to validate using below command , it gives error.

      Also imported AD root certificate on Hana DB

      I am facing issue with command VALIDATE LDAP PROVIDER

      Error: (dberror) [4200]: Validate LDAP provider failed because of internal error: Unable to bind with LDAP provider

      Kindly suggest.

      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      Hi Sumit,

      For internal errors I suggest to contact SAP support / create a ticket/incident.

      Author's profile photo Azharuddin Shaik
      Azharuddin Shaik

      Hi Denys,

      Mapping LDAP groups to SAP HANA catalog roles, we are thinking of using a Nested AD group. Does HANA integration with LDAP support the Nested AD group?

      Kindly suggest.

      Thanks!
      ~Azhar

      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      Hi Azhar,

      I have not tried it out but according to the documentation this is supported (as I parse the text)

      Author's profile photo Azharuddin Shaik
      Azharuddin Shaik

      Hi Denys,

      Thanks for your response!!

      I did the PoC yesterday and I'm getting the below error.

      Could not execute 'VALIDATE LDAP PROVIDER TEST_NESTAD CHECK USER CREATION FOR LDAP USER AS00829' in 297 ms 319 µs .

      SAP DBTech JDBC: [4200]: Validate LDAP provider failed because of internal error: No roles mapped for the LDAP groups user AS00829 is part of

      As per the documentation that SAP Provided, Yes HANA supports Nested AD for user lookup. We are creating a role and alter it to map it to an LDAP group for automatic user creation. The LDAP group which we are using is a Nested Group. Even though user AS00829 is part of that Nested AD group, HANA is not able to find that user.

      ~Azhar

      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      Thanks Azhar,

      I have no access to an LDAP environment 1-2-3, so cannot give you a working code sample.

      Dennis Padia posted a blog on the topic some time ago, which provide some insights in what goes wrong.

      If you have access to SAP Support, probably best to create a request.

      If not, suggest to post this issue as a question (https://answers.sap.com) to loop in the experts from the Community. Tag with SAP HANA, Security, and LDAP. If possible, add print screens and code snippets to make it ease to reproduce.

      Author's profile photo anand muthu
      anand muthu

      Hello,

      Is there a way to link the XSA user from the application to the database user which is authenticated by LDAP ?

      I manage to get the database user validated with LDAP but I guess its not possible. SAML would be the only option ?

      Thanks.

      Anand Muthu

      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      Hi Anand,

      Best to post this question to the forum [answers.sap.com]; it has been a while since I worked on this project ...