
LDAP integration for user authentication

Former Member
0 Kudos

Dear community,

Apologies if this is the wrong forum -

We are in the midst of an SAP rollout. Our current user population lives in LDAP servers.

Our objective is to use LDAP for user authentication so that we do not have to create/manage separate user IDs and passwords inside SAP.

During the RFP process, the SAP sales guy said, "No problem, SAP will authenticate users against your LDAP directories." Now that we are in the early implementation phase, our SAP consultant is not so sure.

Is anybody out there authenticating SAP users against LDAP directories, without using single sign-on, which I have heard can be done using Windows Active Directory?

Thanks,

Accepted Solutions (0)

Answers (1)

tim_alsop
Active Contributor
0 Kudos

Asad,

Yes, authentication using Active Directory is possible, and very common. You will find a very large number of threads in SDN where other people have asked the same question.

It is common to refer to Active Directory as an LDAP server, and it is one. However, for authentication it is better and more secure to use Active Directory Kerberos support, since this is the protocol used by Windows when a user logs onto a Windows workstation, and is more suited to SSO requirements.

You said you didn't want to use SSO, so can I assume that you have some concerns about SSO and just want to use Active Directory as a "common" method of authenticating users when they log on to SAP?

Can you also confirm if you are wanting to log on to SAP via SAP GUI and also Web browser, or just SAP GUI, or just Web browser?

Can you also confirm the operating system you are running the SAP application server on?

If you can provide more details based on my information given above I can give you a more detailed explanation on what is possible, and how.

Thanks,

Tim

Former Member
0 Kudos

Tim,

Thanks. Yes, we want to avoid SSO and just use LDAP (Sun Java Directory 6.2, formerly Sun iPlanet) for authentication.

We want to log on to SAP using SAP GUI. Our OS is Red Hat AS 4, running on Dell HW.

I have been told that using the LDAP connector, we can fetch all users from LDAP into SAP, but passwords will not sync, potentially leaving users with two passwords, one for their normal LDAP applications and one for SAP - we want to avoid another independent password.

Appreciate your help in this matter.

tim_alsop
Active Contributor
0 Kudos

Asad,

Firstly, I need to explain that SAP GUI can either use the normal SAP authentication which you are familiar with, where the userid and password is stored in the SAP user store, or it can use SNC-based authentication. The use of SNC also has security advantages because the session can be encrypted and data integrity can be used if required.

For SNC-based authentication, you need a GSS-API v2 compliant cryptographic library to give strong authentication, but this does not necessarily mean SSO. For example, if you use the right product you can log on to a Windows workstation, start SAP GUI, and then be prompted for an Active Directory user account and password each time you log on to a SAP system - this would mean you are not using the SAP password anymore, only the Active Directory password, and the AD password and user are the exact same as used when the user logged onto the workstation. This is possible since the Kerberos protocol is used to authenticate the user when a user logs onto a workstation, and can also be used if you use the right SNC library.

Since LDAP is not a cryptographic authentication method, but a protocol used to access a directory, and the directory can be used to store passwords, you cannot use LDAP with SAP GUI via SNC.

As you said - if you want to try and sync passwords using the SAP LDAP connector, you will find that the password is unusable since it is stored in LDAP and hashed using a different method to what SAP uses. Also, you need to consider the security issues - if it is possible for you to write code to read passwords from an LDAP directory, then an attacker could do the same and obtain somebody else's password.

My word of advice is to consider not using LDAP passwords, but use Active Directory instead. I am sure your users are logging onto Windows domain accounts and using Active Directory, so why not use the same secure method of authentication instead of trying to find a way to use a less secure method (e.g. LDAP passwords)?

Thanks,

Tim

Former Member
0 Kudos

Tim,

Very helpful - just few more questions.

Does SAP provide "GSS-API v2 compliant cryptographic library"? Will it be a separate install on Windows user workstations provided by SAP? Or is it a third party SAP integration software?

As far as the motivation to use LDAP - we have other applications (such as PeopleSoft). They have the ability to establish an SSL-based LDAP bind with the LDAP servers and pass the user password, as typed by the user. The LDAP directory then computes the hash, using the same algorithm (e.g. SHA-1) that the user password field in the directory defines. If the new hash matches the one already stored, the application is sent a successful match and the user is granted access.

I was hoping the same model works for SAP - provides adequate security.

Nevertheless, the solution you propose sounds good and I will investigate it further.

Thanks,
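The directory-side compare step of the bind model described in this post, as an added example that is not code from the thread, from Sun Directory Server or from PeopleSoft. It assumes the RFC 2307 `userPassword` convention (`{SHA}`/`{SSHA}` prefix plus base64 of digest and optional salt); the sample stored values are constructed here. It also shows why reading such a value back gives another system nothing usable: only the typed cleartext, sent over the TLS-protected bind, can be re-hashed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: an RFC 2307 style userPassword as a Sun/iPlanet directory
# might store it. Not taken from any real directory.
STORED_SHA = "{SHA}" + base64.b64encode(hashlib.sha1(b"correct horse").digest()).decode("ascii")

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt).
    This is what the directory does when a password is *set*, with the cleartext in hand."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_userpassword(stored: str, typed: str) -> bool:
    """The compare the directory performs on a simple bind: rehash the typed
    password with the scheme (and salt) taken from the stored value and compare
    in constant time. The stored digest is never decrypted; it cannot be."""
    if not stored.startswith("{") or "}" not in stored:
        return False  # cleartext or malformed values are out of scope here
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in ("SHA", "SSHA"):
        return False  # unknown scheme: refuse rather than guess
    raw = base64.b64decode(b64)
    if scheme == "SHA":
        candidate = hashlib.sha1(typed.encode("utf-8")).digest()
        return hmac.compare_digest(candidate, raw)
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(typed.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def rehash_for_other_system(stored: str) -> Optional[str]:
    """Simulates a 'password sync' that only has the LDAP value. There is no
    cleartext to feed into a different scheme, so the honest answer is None:
    a consumer such as SAP could not be given a usable hash of its own."""
    return None
```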

tim_alsop
Active Contributor
0 Kudos

Asad,

No, SAP do not provide such an SNC library unless you are running SAP on Windows Servers. If you are using SAP on UNIX or Linux then you need to buy a product from an SAP certified partner. The products which relate to our discussion can be found by visiting http://www.sap.com/sspcatalog and searching for "Active Directory".

I can understand how you have configured PeopleSoft to use the LDAP password - the SAP GUI software cannot do the same because of the way it works. If there was an authentication security exit implemented in SAP then it would be possible to write some code to do the same and check passwords using an LDAP bind to the directory, but this is not available. Instead the options I mentioned before are available for use, so I strongly suggest you look at the SNC option - this is also more secure, and security is a good thing.

Thanks,

Tim