Using LDAP authentication

When we install BI platform, the LDAP authentication plug-in is installed automatically, but not enabled by default. To use LDAP authentication, you need to first ensure that you have your respective LDAP directory set up.

LDAP security plug-in

The LDAP security plug-in allows us to map user accounts and groups from our LDAP directory server to BI platform; it also enables the system to verify all login requests that specify LDAP authentication. Users are authenticated against the LDAP directory server, and have their membership in a mapped LDAP group verified before the CMS grants them an active BI platform session. User lists and group memberships are dynamically maintained by the system.

Configuring LDAP authentication

To simplify administration, BI platform supports LDAP authentication for user and group accounts. Before users can use their LDAP user name and password to log into the system, we need to map their LDAP account to BI platform. When we map an LDAP account, we can choose to create a new account or link to an existing BI platform account.

Install your LDAP server and have it running before you configure the LDAP host in the CMC.

  1. Go to the Authentication management area of the CMC, and then double-click LDAP.
  2. Enter the name and port number of your LDAP host in the "Add LDAP host (hostname:port)" field (for example, "myserver:123"), click Add, and then click OK.

    Repeat this step to add more than one LDAP host of the same server type if you want to add hosts that can act as failover servers. If you want to remove a host, highlight the host name and click Delete.
  3. Select your server type from the LDAP Server Type list.

    If you are mapping LDAP to AD, select "Microsoft Active Directory Application Server" for your server type.
  4. If you want to view or change any of the LDAP Server Attribute Mappings or the LDAP Default Search Attributes, click Show Attribute Mappings.

    By default, the server attribute mappings and search attributes of each supported server type are already set.
  5. Click Next.
  6. In the "Base LDAP Distinguished Name" field, enter the distinguished name (for example, "o=SomeBase") for your LDAP server, then click Next.
  7. In the "LDAP Server Credentials" area, specify the distinguished name and password for a user account that has read rights to the directory. Administrator credentials are not required.

    If your LDAP Server allows anonymous binding, leave this area blank; BI platform servers and clients will bind to the primary host via anonymous login.
  8. If you have configured referrals on your LDAP host, provide the authentication information in the "LDAP Referral Credentials" area, then enter the number of referral hops in the "Maximum Referral Hops" field.

    The "LDAP Referral Credentials" area must be configured if all of the following apply:

    • The primary host has been configured to refer to another directory server that handles queries for entries under a specified base.
    • The host being referred to has been configured to not allow anonymous binding.
    • A group from the host being referred to will be mapped to BI platform.


    Although groups can be mapped from multiple hosts, only one set of referral credentials can be set. Therefore if you have multiple referral hosts, you must create a user account on each host that uses the same distinguished name and password.

    In addition, if the "Maximum Referral Hops" field is set to zero, no referrals are followed.

  9. Click Next.
  10. Choose the type of Secure Sockets Layer (SSL) authentication to use, then click Next.

    You can select one of the following authentication types:
    • Basic (no SSL)
    • Server Authentication
    • Mutual Authentication

  11. Choose a method of LDAP single sign-on authentication, then click Next.

    You can select one of the following authentication types:
    • Basic (No SSO)
    • SiteMinder

  12. Select how aliases and users are mapped to BI platform accounts.

    1. In the "New Alias Options" area, select an option for mapping new aliases to Enterprise accounts:
      • Assign each added LDAP alias to an account with the same name
        Select this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases are assigned to existing users (automatic alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and LDAP account, are added as new users.
      • Create a new account for every added LDAP alias
        Select this option when you want to create a new account for each user.

    2. In the "Alias Update Options" area, select an option for managing alias updates for the Enterprise accounts:
      • Create new aliases when the Alias Update occurs
        Select this option to automatically create a new alias for every LDAP user mapped to BI platform. New LDAP accounts are added for users without BI platform accounts, or for all users if you selected the Create a new account for every added LDAP alias option.
      • Create new aliases only when the user logs on
        Select this option when the LDAP directory you are mapping contains many users, but only a few of them will use BI platform. The platform does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log into BI platform.
    3. In the "New User Options" area, select an option for creating new users:
      • New users are created as named users
        New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access BI platform based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option.
      • New users are created as concurrent users
        New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BI platform at the same time. This type of licensing is flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access the system, a 100-user concurrent license could support 250, 500, or 700 users.
  13. In the "Attribute Binding Options" area you can specify the attribute binding priority for the LDAP plugin:
    • Click the Import Full Name and Email Address check box.
      The full names and descriptions used in the LDAP accounts are imported and stored with the user objects in BI platform.
    • Specify an option for Set priority of LDAP attribute binding relative to other attributes binding.
      If the option is set to "1", LDAP attributes take priority in scenarios where LDAP and other plugins (Windows AD and SAP) are enabled. If the option is set to "3", attributes from other enabled plugins take priority.

  14. Click Finish.

You have configured LDAP authentication.
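The wizard steps above carry a number of rules that are easy to get wrong on the first pass: the host entry must be hostname:port, an empty credentials area means an anonymous bind, referral credentials are mandatory only when all three step-8 conditions hold, a Maximum Referral Hops of zero disables referrals, "Basic (no SSL)" sends the bind credentials unencrypted, and the attribute binding priority must be 1 or 3. The following is an added example, not code from this wiki page or from SAP, that reviews a planned configuration against those rules before it is typed into the CMC. The LdapPluginConfig class, its field names, and the sample host and DN values are assumptions made here.

```python
"""Pre-flight review of a planned BI platform LDAP plug-in configuration.

Added example; not part of this wiki page or of SAP's own code. Field names,
the LdapPluginConfig class and the sample values are assumptions made here.
"""
from dataclasses import dataclass
from typing import List, Tuple

SSL_MODES = ("Basic (no SSL)", "Server Authentication", "Mutual Authentication")
SSO_MODES = ("Basic (No SSO)", "SiteMinder")
AD_SERVER_TYPE = "Microsoft Active Directory Application Server"


@dataclass
class LdapPluginConfig:
    hosts: List[str]                      # "hostname:port" entries; the first is the primary host
    server_type: str
    base_dn: str                          # Base LDAP Distinguished Name, e.g. "o=SomeBase"
    bind_dn: str = ""                     # empty means anonymous bind to the primary host
    bind_password: str = ""
    user_name_attribute: str = "cn"       # LDAP Server Attribute Mapping: User Name
    default_user_search_attribute: str = "cn"
    referrals_configured: bool = False    # primary host refers queries to another server
    referred_host_allows_anonymous: bool = True
    map_group_from_referred_host: bool = False
    referral_bind_dn: str = ""
    referral_bind_password: str = ""
    max_referral_hops: int = 0
    ssl_mode: str = "Basic (no SSL)"
    sso_mode: str = "Basic (No SSO)"
    attribute_priority: int = 1           # 1 = LDAP attributes win, 3 = other plug-ins win


def parse_host(entry: str) -> Tuple[str, int]:
    """Split a CMC 'hostname:port' entry (DNS names or IPv4; IPv6 literals not handled)."""
    host, sep, port = entry.strip().rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"expected hostname:port, got {entry!r}")
    return host, int(port)


def referral_credentials_required(cfg: LdapPluginConfig) -> bool:
    """Step 8: referral credentials are mandatory only when all three conditions hold."""
    return (cfg.referrals_configured
            and not cfg.referred_host_allows_anonymous
            and cfg.map_group_from_referred_host)


def preflight(cfg: LdapPluginConfig) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing to fix."""
    findings: List[Tuple[str, str]] = []
    for entry in cfg.hosts:
        try:
            parse_host(entry)
        except ValueError as exc:
            findings.append(("ERROR", str(exc)))
    if len(cfg.hosts) < 2:
        findings.append(("INFO", "only one LDAP host: no failover host configured"))
    if "=" not in cfg.base_dn:
        findings.append(("ERROR", f"base DN {cfg.base_dn!r} is not a distinguished name"))
    if cfg.bind_dn and not cfg.bind_password:
        findings.append(("ERROR", "bind DN given without a password"))
    if not cfg.bind_dn:
        findings.append(("INFO", "no bind DN: BI servers and clients will bind anonymously, "
                                 "so the primary host must permit anonymous binding"))
    if referral_credentials_required(cfg) and not (cfg.referral_bind_dn and cfg.referral_bind_password):
        findings.append(("ERROR", "referred host rejects anonymous binds and one of its groups is "
                                  "mapped: LDAP Referral Credentials are mandatory"))
    if cfg.referrals_configured and cfg.max_referral_hops == 0:
        findings.append(("WARN", "Maximum Referral Hops is 0, so no referrals will be followed"))
    if cfg.ssl_mode not in SSL_MODES:
        findings.append(("ERROR", f"unknown SSL authentication type {cfg.ssl_mode!r}"))
    elif cfg.ssl_mode == "Basic (no SSL)" and cfg.bind_dn:
        findings.append(("WARN", "Basic (no SSL): the bind DN and password cross the network unencrypted"))
    if cfg.sso_mode not in SSO_MODES:
        findings.append(("ERROR", f"unknown single sign-on type {cfg.sso_mode!r}"))
    if cfg.attribute_priority not in (1, 3):
        findings.append(("ERROR", "attribute binding priority must be 1 or 3"))
    ad_attrs = (cfg.user_name_attribute.lower(), cfg.default_user_search_attribute.lower())
    if cfg.server_type == AD_SERVER_TYPE and ad_attrs != ("samaccountname", "samaccountname"):
        findings.append(("WARN", "AD: map User Name and Default User Search Attribute to "
                                 "sAMAccountName so users log in by account name rather than CN"))
    return findings


# Constructed sample, the way the values would be typed into the CMC wizard.
EXAMPLE_CONFIG = LdapPluginConfig(
    hosts=["ldap1.example.test:636", "ldap2.example.test:636"],   # second host is the failover
    server_type=AD_SERVER_TYPE,
    base_dn="dc=example,dc=test",
    bind_dn="cn=svc-bi-ldap,ou=service,dc=example,dc=test",
    bind_password="<bind password placeholder>",
    user_name_attribute="sAMAccountName",
    default_user_search_attribute="sAMAccountName",
    ssl_mode="Server Authentication",
    attribute_priority=1,
)

if __name__ == "__main__":
    for severity, message in preflight(EXAMPLE_CONFIG) or [("OK", "no findings")]:
        print(f"{severity}: {message}")
```

Run it as a script to review the constructed sample; swap in your own values to see which of the wizard's rules a planned configuration would trip. Note that the script only checks the rules as this page states them; it does not connect to the directory, so a bind DN that exists but lacks read rights will still pass.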

Mapping LDAP against Windows AD

If you configure LDAP against Windows AD, note the following restrictions:

  • If you configure LDAP against AD, you will be able to map your users but you will not be able to configure AD single sign-on or single sign-on to the database. However, LDAP single sign-on methods like SiteMinder and trusted authentication will still be available.
  • Users who are only members of default groups from AD will not be able to log in successfully. Users must also be a member of another explicitly created group in AD and this group must be mapped. An example of such a group is the "domain users" group.
  • If a mapped domain local group contains a user from a different domain in the forest, the user from a different domain in the forest will not be able to log in successfully.
  • Users from a universal group from a domain different than the DC specified as the LDAP host will not be able to log in successfully.
  • You cannot use the LDAP plug-in to map users and groups from AD forests outside the forest where BI platform is installed.
  • You cannot map in the Domain Users group in AD.
  • You cannot map a machine local group.
  • LDAP Attribute mapping should be configured to allow login via sAMAccountName (instead of CN):
    • User Name: sAMAccountName
    • Default User Search Attribute: sAMAccountName
  • If you are using the Global Catalog Domain Controller, there are additional considerations when mapping LDAP against AD.
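Several of the restrictions above only show up at login time, after the groups have been mapped. The following is an added example, not code from this wiki page or from SAP, that applies those restrictions to a hand-built model of an AD forest so an administrator can predict which mapped groups will not grant access before users report failures. It performs no real directory query; the AdUser and AdGroup classes, the domain names, the group names and the memberships are all constructed for illustration.

```python
"""Predict which users will fail to log in when LDAP is mapped against AD,
using only the restrictions listed on this page. Added example; not SAP's
code and no real AD query: every record below is constructed by hand."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AdUser:
    name: str
    domain: str                      # domain the account lives in


@dataclass
class AdGroup:
    name: str
    domain: str
    forest: str
    scope: str                       # "global", "domain local", "universal" or "machine local"
    is_default: bool = False         # built-in AD group rather than an explicitly created one
    members: List[AdUser] = field(default_factory=list)


def mapping_problem(group: AdGroup, host_domain: str, bi_forest: str) -> Optional[str]:
    """Why the LDAP plug-in cannot usefully map this group, or None if it can."""
    if group.forest != bi_forest:
        return "group lives in an AD forest outside the one where BI platform is installed"
    if group.scope == "machine local":
        return "machine local groups cannot be mapped"
    if group.name.lower() == "domain users":
        return "the Domain Users group cannot be mapped"
    if group.scope == "universal" and group.domain != host_domain:
        return "universal group from a domain other than the LDAP host's DC; members cannot log in"
    return None


def can_log_in(user: AdUser, mapped_groups: List[AdGroup],
               host_domain: str, bi_forest: str) -> Tuple[bool, List[str]]:
    """True if at least one mapped group grants the user access, plus per-group notes."""
    notes: List[str] = []
    granting: List[str] = []
    for group in mapped_groups:
        if user not in group.members:
            continue
        problem = mapping_problem(group, host_domain, bi_forest)
        if problem:
            notes.append(f"{group.name}: {problem}")
        elif group.is_default:
            notes.append(f"{group.name}: membership in a default AD group alone does not allow login")
        elif group.scope == "domain local" and user.domain != group.domain:
            notes.append(f"{group.name}: domain local group; user is from another domain in the forest")
        else:
            granting.append(group.name)
    if not granting:
        notes.append("no mapped, explicitly created group grants this user access")
    return bool(granting), notes


# Constructed sample forest: BI platform is installed in it, and the LDAP host
# is a domain controller of the "emea" child domain.
FOREST = "corp.example.test"
HOST_DOMAIN = "emea.corp.example.test"
ALICE = AdUser("alice", HOST_DOMAIN)
CAROL = AdUser("carol", "amer.corp.example.test")
DAVE = AdUser("dave", "amer.corp.example.test")
ERIN = AdUser("erin", HOST_DOMAIN)
MAPPED_GROUPS = [
    AdGroup("BI-Analysts", HOST_DOMAIN, FOREST, "global", members=[ALICE]),
    AdGroup("BI-Local", HOST_DOMAIN, FOREST, "domain local", members=[CAROL]),
    AdGroup("BI-Universal", "amer.corp.example.test", FOREST, "universal", members=[DAVE]),
    AdGroup("Domain Users", HOST_DOMAIN, FOREST, "global", is_default=True, members=[ERIN]),
]

if __name__ == "__main__":
    for user in (ALICE, CAROL, DAVE, ERIN):
        ok, notes = can_log_in(user, MAPPED_GROUPS, HOST_DOMAIN, FOREST)
        print(f"{user.name}: {'can log in' if ok else 'CANNOT log in'}; " + "; ".join(notes))
```

In the constructed sample only alice logs in: carol is blocked by a cross-domain domain local group, dave by a universal group from a domain other than the LDAP host's, and erin because Domain Users is her only membership. Feeding the model with your own group inventory (scope, domain and forest for each mapped group) gives the same per-user verdict without waiting for a failed login.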

Configuring the Group security

Groups are collections of users who share the same account privileges; therefore, you may create groups that are based on department, role, or location. Groups enable you to change the rights for users in one place (a group) instead of modifying the rights for each user account individually. Also, you can assign object rights to a group or groups and add LDAP groups to the appropriate security group.

2 Comments

  1. I recently followed this for setting up LDAP against Active Directory. One item to note is according to note 1245218 SAP recommends adjusting the "Default User Search Attribute" to sAMAccountName and the "User Name" to sAMAccountName. This gives the end user the ability to login using sAMAccountName instead of CN.


    Title: How to connect the LDAP plugin to Active Directory
    Link: https://launchpad.support.sap.com/#/notes/1245218

    1. This has been updated; thanks Gabe Mensching!