2975780 - FAQ SAP HANA LDAP Based Authentication and Authorization

SAP Note 2975780 provides a comprehensive FAQ on LDAP-based authentication and authorization for SAP HANA, detailing its definition, supported releases, and configuration steps. It addresses common queries such as supported LDAP directory servers, encryption methods, troubleshooting tips, and user name restrictions. The document also outlines typical issues encountered in an SAP HANA LDAP environment and includes references to related SAP notes for further assistance.

SAP Note

2975780 - FAQ: SAP HANA LDAP Based Authentication and Authorization


Component: HAN-DB-SEC (SAP HANA > SAP HANA Database > SAP HANA Security & User Management),
Version: 25, Released On: 16.01.2024

Symptom
You are interested in details related to Lightweight Directory Access Protocol (LDAP) based authentication for SAP HANA.
1. What is LDAP?

2. Which SAP HANA releases support LDAP?

3. Where do I find information about LDAP Based Authentication and Authorization for SAP HANA?

4. Which LDAP Directory Servers does SAP HANA support?

5. How can I encrypt the connection between the LDAP directory server and the SAP HANA database?

6. Which user names does SAP HANA allow for LDAP?

7. How does the LDAP logon procedure to the SAP HANA database work?

8. How can I troubleshoot LDAP on SAP HANA side?

9. Which information do I need to provide in an LDAP-related customer incident?

10. Which HANA users can be configured to use LDAP Authentication?

11. Is LDAP in combination with MSCrypto for Client-Side Encryption supported?

12. What are the typical issues in an SAP HANA LDAP environment?

Other Terms
LDAP, LDAPS, HANA

Reason and Prerequisites


You want to use LDAP-based authentication to access a SAP HANA system.

Solution
1. What is LDAP?
The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing directory services. In
combination with the SAP HANA database, you can use two LDAP scenarios:
Single Sign On: LDAP-based user authentication to access the SAP HANA database
Authorization: LDAP groups can be mapped to SAP HANA roles

2. Which SAP HANA releases support LDAP?


LDAP-based authentication and authorization is supported as of SAP HANA 2 only.

3. Where do I find information about LDAP Based Authentication and Authorization for SAP HANA?
Find comprehensive information on
SAP HANA Security Guide for SAP HANA Platform
> LDAP User Authentication
> LDAP Group Authorization
> Communication Configuration Properties for LDAP
SAP HANA Administration Guide for SAP HANA Platform
> Configure an LDAP Server Connection for LDAP User Authentication
> Secure Communication Between SAP HANA and an LDAP Directory Server
See also blog LDAP Based Authentication for SAP HANA 2.0

4. Which LDAP Directory Servers does SAP HANA support?


The following LDAP directory servers are supported:
LDAP in Microsoft Windows Active Directory (WinAD)
OpenLDAP on Linux
Also see SAP Note 2746716 - openLDAP server support for LDAP Authentication or Authorization in SAP HANA

5. How can I encrypt the connection between the LDAP directory server and the SAP HANA database?
Plain LDAP communication between the LDAP directory server and the SAP HANA database is unencrypted and uses port
686. It can be configured as "Start TLS" using SSL/TLS.
LDAPS is the encrypted version of LDAP using port 636.
See SAP HANA Security Guide for SAP HANA Platform > Secure Communication Between SAP HANA and an LDAP
Directory Server and blog: LDAP Based Authentication for SAP HANA 2.0.
Microsoft started introducing LDAPS as the default connection type, for details see 2020 LDAP channel binding and
LDAP signing requirements for Windows

6. Which user names does SAP HANA allow for LDAP?


Not all user names that are permitted in the LDAP directory server are also permitted as user names in SAP HANA.
In WinAD, choose user names that do not include characters that are not supported by SAP HANA; see SAP HANA
Administration with SAP HANA Cockpit > Unpermitted Characters in User Names.

7. How does the LDAP logon procedure to SAP HANA database work?
The client provides the LDAP logon credentials (user name and password) to the SAP HANA database. The SAP HANA
database passes these to the LDAP directory server for authentication.
Note: The LDAP user does not have a password maintained in the SAP HANA database.
For details refer to chapter LDAP Authentication with Automatic User Creation in SAP HANA Security Guide for SAP
HANA Platform > LDAP User Authentication.

8. How can I troubleshoot LDAP on SAP HANA side?


On HANA side, you can activate traces to collect more detailed information about the LDAP connection:
SAP Note 2812540 - How-To: Enable LDAP Tracing for LDAP Group Authentication Errors
SAP Note 2380176 - FAQ: SAP HANA Database Trace

1) Log on to the HANA database and increase the trace level by executing the command:
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('trace', 'ldap') = 'debug' WITH RECONFIGURE;
2) Reproduce the issue and note down the timestamp and the name of the user you used to reproduce the issue.
3) Reset the trace level:
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') UNSET ('trace', 'ldap') WITH RECONFIGURE;
4) Find the trace records in the indexserver trace files for tenant databases and in the nameserver trace file for system
databases.
5) Create a full system info dump of the HANA system DB and each affected tenant DB.
When recording and interpreting traces, please consider:
LDAP trace records on SAP HANA database side always show [OpenLDAP], as HANA internally uses
the OpenLDAP libraries, e.g.:
d LDAP filter.c(00365) : [OpenLDAP]
There is no need to collect SAP HANA Client traces, even if the connection is established using the SAP HANA
Client (JDBC, SQLDBC, etc.)

9. Which information do I need to provide in an LDAP-related customer incident?


You face an LDAP-related issue which appears to be caused by a malfunction in software delivered by SAP. You want to
report it to SAP in a customer incident and want to know which information is required to be included.
When opening such an incident, please always provide:
the type of LDAP directory server you are using (see point 3)
the traces collected by following point 8

10. Which HANA users can be configured to use LDAP Authentication?


All HANA users which can log on by user name and password can be configured for LDAP authentication. Thus, from the
list of the Predefined Database Users, those having "Password Specification" = "Not applicable" cannot be used for LDAP.
11. Is LDAP in combination with MSCrypto for Client-Side Encryption supported?
No, currently LDAP with client-side encryption using the MSCrypto library is not supported. Please refer to Configuring the
Client for Client-Side Encryption and LDAP and use the CommonCryptoLib instead.

12. What are the typical issues in an SAP HANA LDAP environment?

To troubleshoot LDAP issues on HANA side, always collect traces as described in point 9 of this note

Issue: The HANA database (DB) cannot connect to the LDAP directory server (DS)

Details: The HANA DB keeps connecting to the LDAP DS to verify the user's authentication and authorization.
If the connection attempt fails, the following error message is issued in the HANA indexserver trace file:
e LDAP Session.cpp(00398) : LDAP search failed, error code: -1 error string: Can't contact LDAP server

Solution: The LDAP DS is temporarily not reachable from the HANA system due to:
- Wrong configuration of the LDAP DS connection parameters on HANA side
- Network routing or bandwidth issue between the HANA system and the LDAP DS
You can influence the waiting time of the HANA DB for the LDAP DS to reply by a parameter described at Communication
Configuration Properties for LDAP:
global.ini
[ldap]
timeout = <timeout in seconds> (default=0 - which means no timeout)
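The following script is an added example, not part of the SAP note: it filters the LDAP component records out of an indexserver trace (the trace enabled in point 8) and flags the "Can't contact LDAP server" record that point 12 describes. The record layout it parses ("[thread]{conn}[tx/upd] timestamp level component file(line) : message") and the sample lines are assumptions, not taken from the note.

```python
import re
from typing import Dict, List

# Assumed HANA trace record layout (an assumption, not taken from the note):
# "[thread]{conn}[tx/upd] timestamp level component file(line) : message"
TRACE_RE = re.compile(
    r"^\[\d+\]\{-?\d+\}\[-?\d+/-?\d+\]\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<level>[a-z])\s+(?P<component>\S+)\s+(?P<source>\S+\(\d+\))\s*:\s*(?P<msg>.*)$"
)
# Message the note quotes for a directory server that could not be reached.
SEARCH_FAIL_RE = re.compile(
    r"LDAP search failed, error code: (?P<code>-?\d+) error string: (?P<err>.*)"
)

def parse_ldap_trace(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only LDAP-component records; pull out error code and string when present."""
    records = []
    for line in lines:
        m = TRACE_RE.match(line)
        if not m or m["component"] != "LDAP":
            continue
        rec: Dict[str, object] = {
            "ts": m["ts"], "level": m["level"], "source": m["source"],
            "msg": m["msg"], "error_code": None, "error_string": None,
        }
        f = SEARCH_FAIL_RE.search(m["msg"])
        if f:
            rec["error_code"] = int(f["code"])
            rec["error_string"] = f["err"].strip()
        records.append(rec)
    return records

def classify(rec: Dict[str, object]) -> str:
    """Map a record to the symptom described in point 12 of the note."""
    if rec["error_code"] == -1 and "Can't contact LDAP server" in str(rec["error_string"]):
        return "ds_unreachable"  # check [ldap] connection parameters, network path, timeout
    if rec["error_code"] is not None:
        return "search_failed"
    return "info"

# Constructed sample lines (not real trace output), in the assumed layout.
SAMPLE_TRACE = """\
[20451]{-1}[-1/-1] 2024-01-16 10:23:44.100000 d LDAP filter.c(00365) : [OpenLDAP] begin
[20451]{-1}[-1/-1] 2024-01-16 10:23:45.200000 e LDAP Session.cpp(00398) : LDAP search failed, error code: -1 error string: Can't contact LDAP server
[20452]{300012}[55/1] 2024-01-16 10:23:45.300000 i Authentication Auth.cc(01234) : login rejected
""".splitlines()
if __name__ == "__main__":
    for r in parse_ldap_trace(SAMPLE_TRACE):
        print(r["ts"], r["level"], r["source"], "->", classify(r))
```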

Software Components
Software Component From To

HDB 2.00 2.00+

This document refers to


Note/KBA  SAP Component  Title

2812540  HAN-DB-SEC  How-To: Enable LDAP Tracing for LDAP Group Authentication Errors - SAP HANA

2380176  HAN-DB  FAQ: SAP HANA Database Trace

3119384  HAN-DB-SEC  Indexserver Crash at Authentication::LDAP::LDAPSessionPool::returnSession With Exception "terminate was called"

3017378  HAN-DB-SEC  [CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios

2929927  HAN-DB-ENG  When Jobworkers Are Occupied to Make LDAP Connection But Fail, Then Other Operations May Not Function Properly

2645916  HAN-DB-SEC  User cannot connect to SAP HANA 2.0 SPS 03 in SAP HANA studio using LDAP user password

2627046  HAN-DB-SEC  Validating Configuration of an LDAP Provider for LDAP Authentication

2438641  HAN-DB-SEC  TLS Connections to LDAP Server After Upgrade from SAP HANA 2.0 SPS 00 to SAP HANA 2.0 SPS 01

1848999  BC-IAM-SSO-CCL  Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB)

This document is referenced by


Note/KBA  SAP Component  Title

2159014  FAQ: SAP HANA Security

3244349  HAN-DB  XSA can not start up since : Error while resolving username <sid>crypt rc=111: Connection refusedException System error: $msg$, rc=13: Permission denied