LDAP User Synchronization : Password

Former Member
0 Kudos

Hi All,

I have a question about LDAP User Synchronization to SU01 in ABAP. Does it create an initial password for the users being synced, or does it store the LDAP password in the SU01 password field?

I have doubts about the second, as LDAP will never return the password in plain text, and password hashing schemes can be different between LDAP and ABAP.

If it doesn't store the password at all in SU01 for synced users, then how does the user log in to SAP GUI?

Please let me know.

Thanks in Advance,

Sanjeev

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

Sanjeev,

If your LDAP server is Active Directory, then you cannot get the password via LDAP, not even as a hashed password. This is because Active Directory is also a Kerberos Authentication Server (e.g. a KDC), which means the password for a user is used to generate encryption keys, which are used to issue Kerberos tickets.

Most people use LDAP sync with ABAP to sync user information, and then use SNC to authenticate from SAP GUI. This means that the SAP stored password is not needed, and instead the user is authenticating using cryptography, e.g. using Kerberos tickets issued by Active Directory when they log on to their workstation.

Thanks,

Tim

7 REPLIES

Former Member
0 Kudos

Hi Tim,

Thanks for the reply, but I was asking more in generic terms. Like what if the LDAP is Sun Directory Server or, let's say, OpenLDAP?

In that case how would a user log in to SAP GUI?

Thanks again,

Sanjeev

tim_alsop
Active Contributor
0 Kudos

Sanjeev,

I think you will find that the answer is similar. Let's suppose you were able to get the hashed password out of the LDAP directory - you would then have to write some code to unhash this password and hash it again using the SAP hash algorithm. I think you will find it almost impossible to write such code, and even if it is possible, it would be extremely difficult, and not secure. Such a solution is certainly not available at the moment, since neither SAP nor any other vendor encourages this kind of LDAP sync.

Thanks,

Tim

Former Member
0 Kudos

MS AD offers a "password hook" which captures the AD password in cleartext and sends it to SAP via the IdM system.

SAP supports this due to popular demand but does not seriously encourage it as a secure procedure (the warnings are in the installation guides).

A Google search through site:sap.com for "password hook" will find the docs in the IdM area and some discussions here.

A real SSO is a better way to go...

Cheers,

Julius

mvoros
Active Contributor
0 Kudos

Hi Tim,

it's not possible to unhash a cryptographic hash function. One of the main properties of each cryptographic hash function is preimage resistance, which means that for a given hash h it's not feasible to find a message m such that hash(m) = h. Even in the case that it is possible to find such a message, you can't be sure that it was the original message, because as we know a hash function maps messages of arbitrary length to a fixed-size string. Obviously, there are more messages of variable length than messages of one fixed size, so there has to be at least one hash where there are two messages m1 and m2 with hash(m1) = hash(m2) (pigeonhole principle). So it could happen that the user chose password m1 but your unhashing algorithm would get m2. Obviously, it's highly improbable that the second hash function hashes m1 and m2 into the same hash. Therefore such a solution will never be available, and the only solution is to get the password in clear text and distribute it to each system in clear text form. As Julius mentioned, this is supported but it has some disadvantages.

Cheers
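The two points made by Julius and mvoros above, as an added illustration that is not part of the thread: a "sync" that copies the directory's hash into the target system is unusable because the target verifies with a different scheme and has no cleartext to re-hash, whereas a password hook works only because it sees the cleartext at change time. The {SSHA} routine mimics a common LDAP storage format; the PBKDF2 target scheme is a hypothetical stand-in, not SAP's real password algorithm; the sample entry is constructed.

```python
import base64
import hashlib
import hmac
import os

# LDAP-style {SSHA} storage: SHA-1(password + salt), base64(digest + salt).
def ssha_hash(password, salt=None):
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Hypothetical target-side scheme (stand-in for the SAP hash, NOT the real one):
# different algorithm, salt length and encoding, so the two hashes are unrelated.
def target_hash(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)
    return "{PBKDF2-SHA256}" + base64.b64encode(salt + dk).decode("ascii")

def target_verify(password, stored):
    if not stored.startswith("{PBKDF2-SHA256}"):
        return False
    raw = base64.b64decode(stored[len("{PBKDF2-SHA256}"):])
    salt, dk = raw[:16], raw[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)
    return hmac.compare_digest(candidate, dk)

def sync_by_copying_hash(ldap_entry):
    """Naive sync: copy whatever the directory stores into the target's
    password field. The target cannot verify an {SSHA} value, and without
    the cleartext there is no way to re-hash it into its own scheme."""
    return ldap_entry["userPassword"]

def sync_by_password_hook(cleartext):
    """Password-hook style sync: the cleartext captured at password-change
    time is hashed with the target's own scheme. Works, at the cost of the
    cleartext leaving the directory, which is the trade-off the thread notes."""
    return target_hash(cleartext)

# Constructed sample directory entry with a fixed salt for reproducibility.
SAMPLE_ENTRY = {"uid": "sanjeev", "userPassword": ssha_hash("Winter2024!", b"salt1234")}
```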

tim_alsop
Active Contributor
0 Kudos

> MS AD offers a "password hook" which captures the AD password in cleartext and sends it to SAP via the IdM system.

Sanjeev said he was looking for a solution which was for any LDAP server, not for MS AD.

> SAP supports this due to popular demand but does not seriously encourage it as a secure procedure (the warnings are in the installation guides).

I think you mean "not a secure procedure" instead of "a secure procedure" ?

> A Google search through site:sap.com for "password hook" will find the docs in the IdM area and some discussions here.
>
> A real SSO is a better way to go...

Yes, SNC to authenticate to SAP ABAP via SAP GUI is the way to go.

> Cheers,
>
> Julius

tim_alsop
Active Contributor
0 Kudos

> Hi Tim,
>
> it's not possible to unhash a cryptographic hash function.

Yes, I know - this is why I said it was impossible to do what was being requested.

> Cheers