In this blog I will explain how we can use LDAP (Lightweight Directory Access Protocol) to manage Cloud Connector users and authentication.
After installation, the Cloud Connector uses file-based user management by default.
With file-based user management we can log in with the Administrator user.
Alternatively, the Cloud Connector also supports LDAP-based user management.
With LDAP-based user management, users are authenticated against your company's LDAP directory service. We can verify this on the screen below, where the user store shows LDAP.
Advantage of using LDAP-based user management:
LDAP-based user management can authenticate users and grant them access based on the roles they are assigned (LDAP groups). These roles can be used to differentiate between users who are only allowed to view the configuration and those who are responsible for the administration functions.
Below are the steps to activate LDAP for user administration in SAP Cloud Connector:
First we need to contact our LDAP team to get the following details:
- LDAP server name and port: the default port is 389, but for a secure connection port 636 is used. Make sure the ports are open from the Cloud Connector server to the LDAP server.
- Root and intermediate certificates of the LDAP server: these need to be imported on the Cloud Connector side.
- SCC service account details that can log in to (bind to) the LDAP server.
- LDAP group sccadmin for SAP Cloud Connector: a role is a group in LDAP terms. The Cloud Connector provides the following roles: sccadmin, sccsupport, sccmonitoring and sccdisplay.
Once we have the above details we can proceed with the following steps:
Step 1: Log in to SAP Cloud Connector with the Administrator user and navigate to Configuration. Under the User Interface tab select the Switch to LDAP button as shown in the screenshot below:
Step 2: Provide the LDAP server's host and port (port 389 is used by default) in the <Host> field. To use the secure protocol variant LDAPS based on TLS, select Secure and use port 636.
Step 3: Provide a service user and its password in the Connection Username and Connection Password fields.
Step 4: In the Search Rules configuration, the most important point is to use the correct syntax and attribute names for your LDAP setup. Below is the example I used in my scenario.
- roleBase: the branch in which the groups (roles) have been created; we get this from the LDAP team.
- userBase: the branch in which the users are located; we get this from the LDAP team.
- userRoleName="memberOf": the attribute that carries a user's group memberships; the correct attribute name comes from the LDAP team.
- userSearch="(sAMAccountName={0})": the filter used to look up the user, where {0} is replaced with the login name; the correct attribute comes from the LDAP team. sAMAccountName is the attribute commonly used with Active Directory, so the corresponding Search Rules configuration is userSearch="(sAMAccountName={0})". If the uid attribute is used in your LDAP, userSearch="(uid={0})" can be used instead.
- roleSubtree="true": group nodes on the LDAP server may be located under several branches inside the "base" branch. In this case, add the boolean attribute roleSubtree="true".
- userSubtree="true": user nodes on the LDAP server may be located under several branches inside the "base" branch. In this case, add the boolean attribute userSubtree="true".
Step 5: Below are the available roles that can be assigned to users as required:
- sccadmin: this role has full administrative rights in the Cloud Connector.
- sccdisplay: this role enables the display of all data in the Cloud Connector.
- sccsupport: this role is used to display data and for support activities (e.g., activating traces).
- sccmonitoring: this role is required to access the monitoring APIs of the Cloud Connector.
Below is the example for setting up a custom role (sccadmin) in the Cloud Connector:
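To make the Step 4 search rules and the Step 5 roles concrete, here is an added Python example (not code from this blog or from SAP) that resolves a login name to Cloud Connector roles the way the rules describe: the login is escaped and substituted for {0} in userSearch, the user entry must sit below userBase (honouring userSubtree), and only the memberOf groups below roleBase that name a known role are kept. The base DNs and the in-memory directory are constructed sample data.

```python
import re

# Search rules as configured in Step 4; base DNs are constructed example values
SEARCH_RULES = {
    "userBase": "ou=users,dc=example,dc=com",
    "roleBase": "ou=groups,dc=example,dc=com",
    "userRoleName": "memberOf",
    "userSearch": "(sAMAccountName={0})",
    "userSubtree": True,
    "roleSubtree": True,
}
SCC_ROLES = {"sccadmin", "sccdisplay", "sccsupport", "sccmonitoring"}  # roles from Step 5

# Constructed in-memory stand-in for the directory: DN -> attributes
DIRECTORY = {
    "cn=alice,ou=admins,ou=users,dc=example,dc=com": {   # nested one level below userBase
        "sAMAccountName": "alice",
        "memberOf": ["cn=sccadmin,ou=groups,dc=example,dc=com",
                     "cn=staff,ou=groups,dc=example,dc=com"],
    },
    "cn=bob,ou=users,dc=example,dc=com": {               # directly below userBase
        "sAMAccountName": "bob",
        "memberOf": ["cn=sccdisplay,ou=groups,dc=example,dc=com"],
    },
}

def ldap_escape(value):
    """RFC 4515 escaping of the login name before it replaces {0} in userSearch."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def under_base(dn, base, subtree):
    """True if dn lies under base; with subtree=False only direct children count."""
    if not dn.lower().endswith("," + base.lower()):
        return False
    return subtree or "," not in dn[:-len(base) - 1]

def resolve_roles(login, rules=SEARCH_RULES, directory=DIRECTORY):
    """Look the user up with userSearch below userBase, then keep the groups from
    userRoleName that lie below roleBase and are Cloud Connector roles."""
    filt = rules["userSearch"].format(ldap_escape(login))
    attr, expected = re.fullmatch(r"\((\w+)=(.*)\)", filt).groups()
    for dn, attrs in directory.items():
        if attrs.get(attr) != expected or not under_base(
                dn, rules["userBase"], rules["userSubtree"]):
            continue
        groups = attrs.get(rules["userRoleName"], [])
        names = {g.split(",")[0].split("=", 1)[1] for g in groups
                 if under_base(g, rules["roleBase"], rules["roleSubtree"])}
        return names & SCC_ROLES
    return set()
```

With userSubtree left at its default, a user nested below userBase (alice above) resolves to no role at all, which is the symptom to look for when the test in Step 7 succeeds but a user cannot log in.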
Step 6: Set up the LDAP Trust Store. When configuring LDAP for users, the LDAP Trust Store is set up by adding certificates to the Allowlist and choosing a Trust Option.
There are three trust options:
- Trust all: all certificates are trusted. This is the least secure option; it ignores the trusted certificates, in the allowlist or otherwise, and simply trusts every certificate.
- Use LDAP trust store only: only the certificates listed in the allowlist are trusted.
- Use JDK and LDAP trust store: the certificates in the allowlist and those of the JDK are trusted.
An LDAP connection over TLS fails with TLS errors if the LDAP server uses a certificate that is not signed by a CA the Cloud Connector trusts. We can use the keytool utility to import the certificates we received from the LDAP team. Usually the trust store is the cacerts file inside the Java directory (jre/lib/security/cacerts).
Below is the command for importing the certificate (Windows path separators restored):
"C:\SAP\sapjvm-8.1.107\sapjvm_8\jre\bin\keytool.exe" -import -trustcacerts -file "D:\Cert_Chain\certificate.cer" -alias certificate -keystore "C:\SAP\sapjvm-8.1.107\sapjvm_8\jre\lib\security\cacerts" -storepass changeit
changeit is the default password of the JDK cacerts store. Run the command once per certificate in the chain (root and intermediate), each with its own alias.
Step 7: Once all the above steps are completed, save the configuration as a draft and test it using the button below:
Step 8: Once the Test LDAP Configuration check succeeds, activate the configuration. This will restart the Cloud Connector.
Step 9: After the restart of the Cloud Connector, we can log in to the Cloud Connector with a user from the company's LDAP directory service.
Note:
In case of any issue with Test LDAP Configuration, check with the LDAP team for the correct syntax and attribute names for userBase and roleBase. You can also install ldp on the Cloud Connector server to check connectivity and binding with the service user and to find the correct attributes.