In this blog post I would like to tell you how to configure the SAP Cloud Connector for Google's Secure LDAP service (Google Cloud Identity or G Suite). This article explains how you can switch the internal user management of the SAP Cloud Connector to LDAP. You do not need any previous knowledge about LDAP. Everything is explained step by step.
The Wikipedia writes about LDAP:
To simplify it, we simply consider LDAP as a user administration and use LDAP to configure SAP Cloud Connector authentication.
SAP recommends using LDAP for SAP Cloud Connector user management.
Google's Secure LDAP service provides a simple and secure way to connect your internal SAP Cloud Connector user management to Cloud Identity or G Suite. Since the service is operated by Google, you don't have to worry about anything as an SAP administrator. You do not need any know-how how to set up and manage an LDAP server.
We (Otto Group IT) operate all SAP systems in the Google Cloud Platform. Every SAP administrator already has a Google Cloud Identity. This should be used for the administrative access to the SAP Cloud Connector.
To use Secure LDAP you need to enable and configure the app "LDAP" in the Google Cloud Admin Console (https://admin.google.com/). If you can't see the app, you don't have the necessary license (Cloud Identity Premium or G Suite). Your Google sales contact can then help you. There is also a trial versions.
Next, you need to add a new client.
You can also restrict which users can authenticate via Secure LDAP. For example, I've limited it to only one unit. All SAP users are in the organisational unit "ottogroup.com" > "Group IT" > "SAP". This will differ in your setup.
Important: In addition to the certificate and key, you must also generate a username and password.
Save the certificate, key and user username/password. You will need everything later.
In my case I must assign the Cloud Identity Premium license to the user. If you have a license for all users of your company, you don't have to do this.
Please keep in mind that in my setup all users are created in the organisational unit "ottogroup.com" > "Group IT" > "SAP". This will differ in your setup.
Next we need to define the group for the SAP administrators. This group should get admin access to the SAP Cloud Connector.
Now we have all necessary information and can set up the SAP Cloud Connector.
All our SAP Cloud Connectors installations runs on CentOS or Red Hat Enterprise Linux as operating system. We use therefore the standard Google Compute Engine machine images.
To connect the SAP Cloud Connector to Secure LDAP you have to install "stunnel" on the SAP Cloud Coennector server. The stunnel program is an encryption wrapper (proxy) between the SAP Cloud Connector and the Secure LDAP server.
It is necessary because I have not found an easier way to store the certificate and key in the SAP Cloud Connector. Without certificate and key, it is not possible to authenticate to the Google Secure LDAP service.
Install the stunnel package by entering the following command as root...
RedHat/CentOS:
SUSE:
Next, copy the certificate and key to the directory "/etc/stunnel/".
Edit /etc/stunnel/stunnel.conf
Replace <CERT> and <KEY> with your own file names.
To start stunnel, enter the following command as root:
All further settings can be made via the web interface of the SAP Cloud Connector.
The SAP help describes the necessary steps quite well. But it leaves you a bit confused if you have no experience with LDAP.
It is important to know that we do not use the standard role names (sccadmin or admin).
You can use the following template for your Secure LDAP configuration:
Replace "dc=ottogroup,dc=com" with your organization. For example: ottogroup.com becomes "dc=ottogroup,dc=com"
userBase
userSearch
roleBase
roleName
roleSearch
As "Host" you define your local stunnel: 127.0.0.1:1636
"Connection User Name" and "Connection Password" are the user name and password created in the Google Admin Center for the LDAP service (client).
In the section "Custom Roles" enter the group names without @domain. For example: group-name@ottogroup.com becomes "group-name".
Before activating the LDAP authentication, you should really execute an authentication test by choosing the "Test LDAP Configuration" button. (Strongly recommended. Do it!)
In the pop-up dialog, you must specify username (email) and password of your Google Cloud Identity user who is allowed to logon after activating the configuration. The check verifies if authentication would be successful or not.
If something does not work you will get an helpful error message. The error messages helped me to configure everything correctly. The proof of the pudding is in the eating ?
After activation you can log in to the SAP Cloud Connector with your Google login data.
I hope the article helped you. If so, leave me a Like and follow me on Twitter. If you have questions, leave me a comment.
Many thanks also to ffad982802c345bdb6e7377a267f27ce for his blog post. His article "Use LDAP for your SAP Cloud Connector Authentication" helped me.
LDAP
The Wikipedia writes about LDAP:
The Lightweight Directory Access Protocol (LDAP) is an [...] application protocol for accessing and maintaining distributed directory information services over an [...] network. Directory services play an important role in developing [...] applications by allowing the sharing of information about users [...] throughout the network.
To simplify it, we simply consider LDAP as a user administration and use LDAP to configure SAP Cloud Connector authentication.
SAP recommends using LDAP for SAP Cloud Connector user management.
Secure LDAP
Google's Secure LDAP service provides a simple and secure way to connect your internal SAP Cloud Connector user management to Cloud Identity or G Suite. Since the service is operated by Google, you don't have to worry about anything as an SAP administrator. You do not need any know-how how to set up and manage an LDAP server.
We (Otto Group IT) operate all SAP systems in the Google Cloud Platform. Every SAP administrator already has a Google Cloud Identity. This should be used for the administrative access to the SAP Cloud Connector.
To use Secure LDAP you need to enable and configure the app "LDAP" in the Google Cloud Admin Console (https://admin.google.com/). If you can't see the app, you don't have the necessary license (Cloud Identity Premium or G Suite). Your Google sales contact can then help you. There is also a trial versions.
Next, you need to add a new client.
You can also restrict which users can authenticate via Secure LDAP. For example, I've limited it to only one unit. All SAP users are in the organisational unit "ottogroup.com" > "Group IT" > "SAP". This will differ in your setup.
Important: In addition to the certificate and key, you must also generate a username and password.
Save the certificate, key and user username/password. You will need everything later.
In my case I must assign the Cloud Identity Premium license to the user. If you have a license for all users of your company, you don't have to do this.
Please keep in mind that in my setup all users are created in the organisational unit "ottogroup.com" > "Group IT" > "SAP". This will differ in your setup.
Next we need to define the group for the SAP administrators. This group should get admin access to the SAP Cloud Connector.
Now we have all necessary information and can set up the SAP Cloud Connector.
SAP Cloud Connector
All our SAP Cloud Connectors installations runs on CentOS or Red Hat Enterprise Linux as operating system. We use therefore the standard Google Compute Engine machine images.
To connect the SAP Cloud Connector to Secure LDAP you have to install "stunnel" on the SAP Cloud Coennector server. The stunnel program is an encryption wrapper (proxy) between the SAP Cloud Connector and the Secure LDAP server.
It is necessary because I have not found an easier way to store the certificate and key in the SAP Cloud Connector. Without certificate and key, it is not possible to authenticate to the Google Secure LDAP service.
Install the stunnel package by entering the following command as root...
RedHat/CentOS:
yum install stunnelSUSE:
zypper install stunnel Next, copy the certificate and key to the directory "/etc/stunnel/".
Edit /etc/stunnel/stunnel.conf
[ldap]
client = yes
accept = 127.0.0.1:1636
connect = ldap.google.com:636
cert = /etc/stunnel/<CERT>.crt
key = /etc/stunnel/<KEY>.keyReplace <CERT> and <KEY> with your own file names.
To start stunnel, enter the following command as root:
service stunnel startAuthentication
All further settings can be made via the web interface of the SAP Cloud Connector.
The SAP help describes the necessary steps quite well. But it leaves you a bit confused if you have no experience with LDAP.
It is important to know that we do not use the standard role names (sccadmin or admin).
You can use the following template for your Secure LDAP configuration:
userBase="ou=SAP,ou=Group IT,ou=Users,dc=ottogroup,dc=com"
userSearch="(mail={0})"
roleBase="ou=Groups,dc=ottogroup,dc=com"
roleName="cn"
roleSearch="(member={0})"Replace "dc=ottogroup,dc=com" with your organization. For example: ottogroup.com becomes "dc=ottogroup,dc=com"
userBase
- The entry that is the base of the subtree containing users.
- All users are always in the "ou=Users".
- In addition, I specify that only users are considered as part of the group "Group IT" > "SAP" ("ou=SAP,ou=Group IT"). Your configuration will of course differ!
userSearch
- Pattern specifying the LDAP search filter to use after substitution of the username.
- I want the email to be the username. Therefore mail in userSearch="(mail={0})".
roleBase
- The base entry for the role search. If not specified, the search base is the top-level directory context.
- All groups are always in the "ou=Groups".
roleName
- The attribute in a role entry containing the name of that role.
- Always "cn".
roleSearch
- The LDAP search filter for selecting role entries.
- Always "(member={0})".
As "Host" you define your local stunnel: 127.0.0.1:1636
"Connection User Name" and "Connection Password" are the user name and password created in the Google Admin Center for the LDAP service (client).
In the section "Custom Roles" enter the group names without @domain. For example: group-name@ottogroup.com becomes "group-name".
Before activating the LDAP authentication, you should really execute an authentication test by choosing the "Test LDAP Configuration" button. (Strongly recommended. Do it!)
In the pop-up dialog, you must specify username (email) and password of your Google Cloud Identity user who is allowed to logon after activating the configuration. The check verifies if authentication would be successful or not.
If something does not work you will get an helpful error message. The error messages helped me to configure everything correctly. The proof of the pudding is in the eating ?
Done ?
After activation you can log in to the SAP Cloud Connector with your Google login data.
I hope the article helped you. If so, leave me a Like and follow me on Twitter. If you have questions, leave me a comment.
Many thanks also to ffad982802c345bdb6e7377a267f27ce for his blog post. His article "Use LDAP for your SAP Cloud Connector Authentication" helped me.
- SAP Managed Tags:
1 Comment
