SAP BI 4.2 – Setting up LDAP Connector In 10 Easy Steps
Document Purpose:
This document details how to set up the Lightweight Directory Access Protocol (LDAP) authentication connector against an LDAP directory (Windows Active Directory on Windows Server 2008 / 2012) for your SAP BI 4.2 Platform server.
Links and References:
Softerra LDAP Administrator (free tool to confirm X.500 / LDAP communication)
https://www.ldapadministrator.com
Microsoft On-Line Documents:
SAP BI 4.2 SP7 Platform Documents:
https://help.sap.com/viewer/product/SAP_BUSINESSOBJECTS_BUSINESS_INTELLIGENCE_PLATFORM/4.2.7/en-US
Prerequisites
- Create a Windows AD service account that will be used to query Active Directory with LDAP queries.
- Confirm that your Active Directory answers standard (X.500-style) LDAP queries so that SAP BI can integrate with it.
- Download and install the Softerra LDAP Browser.
- Connect to the Windows domain, search for all available servers, and select a host.
- After selecting the host, select the Base DN for the domain.
- Select the Base DN for the host associated with the domain, using SSL if it is supported.
- Enter the Windows NT service account and its password in LDAP format (the account's distinguished name).
- The screenshot above shows a working LDAP connection to the Windows AD domain.
Background Information
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.
What is LDAP in Active Directory?
Active Directory is a database based system that provides authentication, directory, policy, and other services in a Windows environment. LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP.
What is an Active Directory?
Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management.
Difference between AD vs LDAP
Short answer: AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.
Configuring LDAP Authentication:
When you install the BI platform, the LDAP authentication plug-in is installed automatically but is not enabled by default. Before you can use LDAP authentication, make sure that your LDAP directory is set up and reachable.
To simplify administration, the BI platform supports LDAP authentication for user and group accounts. Before users can log into the system with their LDAP user name and password, their LDAP accounts must be mapped to the BI platform. When you map an LDAP account, you can choose either to create a new BI platform account or to link the LDAP account to an existing one.
Install your LDAP server and have it running before you configure the LDAP host in the CMC.
STEP 1: Go to the Authentication management area of the CMC, and then double-click LDAP.
Login into CMC Administration and Start LDAP Configuration Wizard
STEP 2: Add LDAP Host(s) name and Port
Enter the name and port number of your LDAP host in the “Add LDAP host (hostname:port)” field (for example, “myserver:123”), click Add, and then click OK.
Repeat this step to add more than one LDAP host of the same server type if you want additional hosts that can act as failover servers. To remove a host, highlight the host name and click Delete. Click Next.
STEP 3: Select your server type from the LDAP Server Type list.
If you are mapping LDAP to AD, select “Microsoft Active Directory Application Server” for your server type.
STEP3a: Update Attribute Mapping (Default Settings)
If you want to view or change any of the LDAP Server Attribute Mappings or the LDAP Default Search Attributes, click Show Attribute Mappings.
STEP 3b: Custom Attribute Mapping (Custom Settings)
If you want to retain the AD logon name as the BI platform user name, change the LDAP Server Attribute Mappings.
Custom Attribute Mapping
By default, the server attribute mappings and search attributes of each supported server type are already set.
Click Next.
STEP 4: Enter Base LDAP Distinguished Name
In the “Base LDAP Distinguished Name” field, enter the distinguished name (for example, “o=SomeBase”) for your LDAP server, then click Next.
STEP 5: LDAP Distinguished Name
In the “LDAP Server Credentials” area, specify the distinguished name and password of a user account that has read rights to the directory. Administrator credentials are not required. This is where you enter the AD service account that will be used to search the directory; create a dedicated NT service account for this purpose and enter its credentials here.
If your LDAP Server allows anonymous binding, leave this area blank; BI platform servers and clients will bind to the primary host via anonymous login.
If you have configured referrals on your LDAP host, provide the authentication information in the “LDAP Referral Credentials” area, then enter the number of referral hops in the “Maximum Referral Hops” field.
The “LDAP Referral Credentials” area must be configured if all of the following apply:
- The primary host has been configured to refer to another directory server that handles queries for entries under a specified base.
- The host being referred to has been configured to not allow anonymous binding.
- A group from the host being referred to will be mapped to BI platform.
Although groups can be mapped from multiple hosts, only one set of referral credentials can be set. Therefore if you have multiple referral hosts, you must create a user account on each host that uses the same distinguished name and password.
In addition, if the “Maximum Referral Hops” field is set to zero, no referrals are followed.
Click Next.
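The prerequisite check and the Step 5 credential test can be scripted instead of done in the Softerra browser. The following PowerShell is an added example, not code from the article or from SAP: it binds over LDAPS with the service account DN and runs a read-only search under the Base DN. The host name, port, DNs, group name and account name are placeholders for your own environment.

```powershell
# Added example (not from the original article): confirm, before running the CMC wizard,
# that the AD service account can bind over LDAPS and read under the Base DN.
# Every host name, DN and group name below is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdapHost = 'dc01.example.local'                    # value for "Add LDAP host (hostname:port)" (Step 2)
$LdapPort = 636                                      # 636 = LDAP over SSL, matches "Server Authentication" (Step 6)
$BaseDn   = 'DC=example,DC=local'                    # value for "Base LDAP Distinguished Name" (Step 4)
$BindDn   = 'CN=svc-bi-ldap,OU=Service Accounts,DC=example,DC=local'   # read-only service account (Step 5)
$BindPass = Read-Host -Prompt 'Service account password' -AsSecureString

$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapHost, $LdapPort)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.SecureSocketLayer = $true   # keep the default certificate validation; do not add a
                                                 # VerifyServerCertificate callback that always returns $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind with a DN, as the CMC does
$conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $BindPass)

try {
    $conn.Bind()
    Write-Host "Bind OK as $BindDn on ${LdapHost}:$LdapPort (LDAPS)"

    # Read test: subtree search under the Base DN for one AD group you intend to map in Step 10.
    $filter  = '(&(objectClass=group)(cn=BI-Report-Viewers))'   # placeholder group name
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, $filter,
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        @('distinguishedName', 'member'))
    $response = $conn.SendRequest($request)

    if ($response.Entries.Count -eq 0) {
        Write-Warning "Bind succeeded but no group matched under $BaseDn; check the Base DN and the account's read rights"
    } else {
        $entry   = $response.Entries[0]
        $members = $entry.Attributes['member']
        $count   = if ($members) { $members.Count } else { 0 }
        Write-Host "Found $($entry.DistinguishedName) with $count member(s)"
    }
}
catch [System.DirectoryServices.Protocols.LdapException] {
    # Typical codes: 49 = invalidCredentials (wrong DN or password), 81 = server down (port closed or TLS handshake failed)
    Write-Error "LDAP error $($_.Exception.ErrorCode): $($_.Exception.Message)"
}
catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    # Raised for search failures such as noSuchObject when the Base DN is wrong
    Write-Error "Search failed: $($_.Exception.Response.ResultCode) $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

If the bind succeeds on port 389 but fails on 636, the wizard's “Server Authentication” option in Step 6 will fail the same way, so fix the domain controller's certificate trust before continuing.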
STEP 6: Type of SSL Authentication
Choose the type of Secure Sockets Layer (SSL) authentication to use, then click Next.
You can select one of the following authentication types:
- Basic (no SSL)
- Server Authentication
- Mutual Authentication
STEP 7: Authentication Type
Choose a method of LDAP single sign-on authentication, then click Next.
You can select one of the following authentication types:
- Basic (No SSO)
- SiteMinder
STEP 8: LDAP Users Created by SAP BI Platform
Select how aliases and users are mapped to BI platform accounts.
- In the “New Alias Options” area, select an option for mapping new aliases to Enterprise accounts:
  - Assign each added LDAP alias to an account with the same name: select this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases are assigned to existing users (automatic alias creation is turned on). Users who do not have an existing Enterprise account, or whose Enterprise and LDAP account names differ, are added as new users.
  - Create a new account for every added LDAP alias: select this option when you want to create a new account for each user.
- In the “Alias Update Options” area, select an option for managing alias updates for the Enterprise accounts:
  - Create new aliases when the Alias Update occurs: select this option to automatically create a new alias for every LDAP user mapped to the BI platform. New LDAP accounts are added for users without BI platform accounts, or for all users if you selected the “Create a new account for every added LDAP alias” option.
  - Create new aliases only when the user logs on: select this option when the LDAP directory you are mapping contains many users, but only a few of them will use the BI platform. The platform does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log into the BI platform.
- In the “New User Options” area, select an option for creating new users:
  - New users are created as named users: new user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the BI platform based on their user name and password. This gives named users access to the system regardless of how many other people are connected. You must have a named user license available for each user account created with this option.
  - New users are created as concurrent users: new user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to the BI platform at the same time. This type of licensing is flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access the system, a 100-user concurrent license could support 250, 500, or 700 users.
STEP 9: LDAP Alias Options
In the “Attribute Binding Options” area you can specify the attribute binding priority for the LDAP plugin:
Click the Import Full Name and Email Address check box.
The full names and descriptions used in the LDAP accounts are imported and stored with the user objects in BI platform.
Specify an option for Set priority of LDAP attribute binding relative to other attributes binding.
If the option is set to “1”, LDAP attributes take priority in scenarios where LDAP and other plugins (Windows AD and SAP) are enabled. If the option is set to “3”, attributes from other enabled plugins take priority.
Click Update.
You have configured LDAP authentication.
STEP 10: Configuring the Group security
Groups are collections of users who share the same account privileges; therefore, you may create groups that are based on department, role, or location. Groups enable you to change the rights for users in one place (a group) instead of modifying the rights for each user account individually. Also, you can assign object rights to a group or groups and add LDAP groups to the appropriate security group.
SAP best practice is to have your SAP BI 4.2 Enterprise groups already created and to apply security / access rights against those Enterprise groups. Once the LDAP groups have been mapped to your BI 4.2 platform, add them to the Enterprise groups and continue to manage security there. This way, if you ever lose sync with the LDAP server, your security policies are not lost.
APPENDIX: Configuring LDAP against Windows AD Restrictions:
- If you configure LDAP against AD, you will be able to map your users but you will not be able to configure AD single sign-on or single sign-on to the database. However, LDAP single sign-on methods like SiteMinder and trusted authentication will still be available.
- Users who are only members of default groups from AD will not be able to log in successfully. Users must also be a member of another explicitly created group in AD and, in addition, this group must be mapped. An example of such a default group is the “Domain Users” group.
- If a mapped domain local group contains a user from a different domain in the forest, the user from a different domain in the forest will not be able to log in successfully.
- Users from a universal group from a domain different than the DC specified as the LDAP host will not be able to log in successfully.
- You cannot use the LDAP plug-in to map users and groups from AD forests outside the forest where the BI platform is installed.
- You cannot map in the Domain Users group in AD.
- You cannot map a machine local group.
- If you are using the Global Catalog Domain Controller, there are additional considerations when mapping LDAP against AD.
Thanks Ajay,
Super useful with lots of details.
GL
Nice explanation but missing the extra steps for Server and Mutual Authentication.
These would be rather helpful to add
Looking for UNIX environment steps