Spotlight: LDAP Support in SAP HANA Cloud
As of the QRC 01/2021 release of SAP HANA Cloud, SAP HANA database, you can leverage LDAP authentication and authorization for your SAP HANA database users.
When and why would I use this feature?
As you may already know, the Lightweight Directory Access Protocol (LDAP) is an open standard protocol that facilitates authorization between client applications and the data resources they connect to (for example, an SAP HANA Cloud database).
Integrate LDAP authentication and authorization when you want to strengthen and simplify user administration, especially in a large-scale SAP HANA system.
How do I enable the LDAP feature?
There is nothing to enable for this feature. You just need to be running QRC 01/2021 of SAP HANA Cloud, SAP HANA database, and have an LDAP-compliant directory server that manages users and their access to network resources.
If both of these conditions are true, then you can begin implementing LDAP user authentication to access the SAP HANA database and LDAP group membership to authorize your SAP HANA database users.
Visit the following three topics to do this:
- LDAP User Authentication
- LDAP Group Authorization
- Secure Communication Between SAP HANA and an LDAP Directory Server
What SQL and catalog objects support this feature?
The LDAP ADMIN privilege (granted with the GRANT statement) allows you to create LDAP providers and administer their settings using the { CREATE | ALTER | VALIDATE } LDAP PROVIDER statements.
Other SQL statements you might expect to use to configure users for LDAP authentication include:
- SET PSE statement – Sets the purpose of a Personal Security Environment (PSE) to LDAP.
- CREATE USER / ALTER USER – Sets the LDAP group authorization for a user.
- CREATE ROLE / ALTER ROLE – Maps a local role to the Distinguished Name (DN) of one or more LDAP groups.
After you’ve configured LDAP, you can peruse the LDAP-related configuration information by querying these system views:
- LDAP_PROVIDERS System View
- LDAP_PROVIDER_URLS System View
- LDAP_USERS System View
- ROLE_LDAP_GROUPS System View
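The statements and views listed above, put together in one sequence as an added example (not taken from the original post). The provider, PSE, user and role names, the host name and every DN are placeholders, and the bind password is elided; check the exact clause options against the SQL reference for your release.

```sql
-- 1. Let a dedicated administrator manage LDAP providers (least privilege:
--    do not hand this to general-purpose accounts).
GRANT LDAP ADMIN TO ldap_admin_user;          -- placeholder user name

-- 2. Trust store for the TLS connection to the directory server.
--    The directory server's CA certificate must be added to this PSE
--    before the provider can connect with SSL ON (not shown here).
CREATE PSE ldap_pse;                          -- placeholder PSE name
SET PSE ldap_pse PURPOSE LDAP;

-- 3. Register the directory server. The bind account should be a
--    read-only service account in the directory.
CREATE LDAP PROVIDER corp_ldap                -- placeholder provider name
  CREDENTIAL TYPE 'PASSWORD'
    USING 'user=cn=hana_bind,ou=Service,dc=example,dc=com;password=<bind-password>'
  USER LOOKUP URL
    'ldaps://ldap.example.com:636/ou=Users,dc=example,dc=com??sub?(&(objectClass=user)(sAMAccountName=*))'
  ATTRIBUTE DN 'distinguishedName'
  ATTRIBUTE MEMBER_OF 'memberOf'
  SSL ON                                      -- never send bind credentials in clear text
  DEFAULT ON
  ENABLE PROVIDER;

-- 4. Check that the provider definition works before relying on it.
VALIDATE LDAP PROVIDER corp_ldap;

-- 5. Map a local role to an LDAP group DN, then grant privileges to the
--    role as usual. Membership in the group now decides who gets the role.
CREATE ROLE sales_reader
  LDAP GROUP 'cn=HANA_Sales_Readers,ou=Groups,dc=example,dc=com';

-- 6. Switch an existing user to LDAP group authorization.
ALTER USER jdoe AUTHORIZATION LDAP;           -- placeholder user name

-- 7. Review the resulting configuration in the system views.
SELECT * FROM LDAP_PROVIDERS;
SELECT * FROM LDAP_PROVIDER_URLS;
SELECT * FROM LDAP_USERS;
SELECT * FROM ROLE_LDAP_GROUPS;
```

Reviewing ROLE_LDAP_GROUPS periodically is a simple way to spot a local role that has been mapped to a broader directory group than intended.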
What other types of learning are available for this feature?
- Blog: LDAP-based Authentication and User Provisioning for SAP HANA – by the SAP HANA Academy
- Video: Create an LDAP Provider
- Video: LDAP Group Authorizations
- Video: LDAP User Authentication Automatic User Provisioning
~ Happy simplified user administration!
Hello Laura
Is this configuration only available using a public LDAP server, or is a configuration using SAP Cloud Connector also possible to integrate with an on-prem LDAP?
In such a scenario, how does the LDAP URL have to be set in the CREATE/ALTER LDAP PROVIDER statement? I don't see any details on how to specify that the URL has to point to the SAP Cloud Connector.
Thanks
Diego
Hi Diego, those are great question(s), and unfortunately I am not positive of the answer to the scenario question. I suggest you also post it here, Ask a Question, since this is an area that is monitored by folks who can reply (and more rapidly), and provide syntax guidance if required.
Hi Diego,
currently an LDAP server must be directly reachable from HANA. An integration via SAP Cloud Connector is not possible at this time.
Best wishes,
Martin.