LDAP-based Authentication and User Provisioning for SAP HANA – by the SAP HANA Academy
Introduction
SAP HANA 2.0 SPS 03 introduced LDAP-based user provisioning, that is, the capability to automatically create database accounts for LDAP users and map their LDAP roles. This significantly reduces both complexity and cost for maintaining users and authorizations in larger system landscapes.
To explain how you can set this up, we have created a playlist on our SAP HANA Academy YouTube channel with sample code on the associated GitHub repository with links to the documentation.
YouTube Playlist
All the video tutorials on the client-side data encryption topic are bundled in a single playlist on our channel:
What’s New?
In the first video, what’s new on the security topic for SAP HANA 2.0 SPS 03 concerning LDAP is discussed.
Tutorial Video
Create LDAP Provider
To configure a connection to an LDAP server in SAP HANA, you need to create an LDAP provider in the (tenant) database with the CREATE LDAP PROVIDER or ALTER LDAP PROVIDER statements.
Access to the LDAP server takes place using an LDAP server user with permission to perform searches as specified by the user look-up URL. The credential of this user is stored in the secure internal credential store.
Communication between SAP HANA and the LDAP server can be secured using the TLS/SSL protocol or Secure LDAP protocol (LDAPS).
For the code, see
For the documentation, see
Tutorial Video
LDAP Group Authorizations
You can use LDAP group membership to authorize existing SAP HANA database users. To implement LDAP group authorization, you need to
- Map LDAP groups to SAP HANA catalog roles using the CREATE ROLE or ALTER ROLE statements
- Configure SAP HANA users for LDAP group authorization
For the code, see
For the documentation, see
Tutorial Video
LDAP User Authentication – Automatic User Provisioning
LDAP authentication can be implemented for users accessing SAP HANA directly via JDBC/ODBC database clients. Using LDAP user passwords for authentication eliminates the need to manage user passwords and password policies in the SAP HANA database.
For the code, see
For the documentation, see
Tutorial Video
Thank you for watching
The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.
Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.
For the full library, see SAP HANA Academy Library – by the SAP HANA Academy.
For the full list of blogs, see Blog Posts – by the SAP HANA Academy.
- Subscribe to our YouTube channel for updates
- Join us on LinkedIn: linkedin.com/in/saphanaacademy
- Follow us on Twitter: @saphanaacademy
- Facebook: facebook.com/saphanaacademy
After configuring LDAP, I can no longer authenticate with ODBC clients. (Even something as simple as a DSN entry in the ODBC client configuration.) Any tips on what I need to configure from an end-user workstation perspective?
Hi Mike,
LDAP requires the SAP CommonCrypto Library (CCL) and a SAP HANA 2.0 client (Driver 2.3.*).
Steps:
Works?
Thanks for the details. We got it working, however it seems that we can no longer replicate BW reporting authorizations over to HANA users that are authenticated via LDAP, so it turns out we probably will not be able to pursue LDAP after all 🙁
By the way, to debug, you can use the commands:
Trace files are in current directory
Hi,
Already LDAP provider and now when I try to validate using below command , it gives error.
Also imported AD root certificate on Hana DB
I am facing issue with command VALIDATE LDAP PROVIDER
Error: (dberror) [4200]: Validate LDAP provider failed because of internal error: Unable to bind with LDAP provider
Kindly suggest.
Hi Sumit,
For internal errors I suggest to contact SAP support / create a ticket/incident.