Configuring an LDAP Authentication Module

Configure an LDAP authentication module for SAP Control Center by editing the security configuration file to point to the correct LDAP server.

  1. Open the <SCC-install-dir>\conf\csi_config.xml file.
  2. Uncomment the LDAP module in the configuration file by removing the surrounding <!-- and --> characters (or, if necessary, add an LDAP module to the file). The sample module below specifies the LDAP server that will provide user authentication.

    The sample module shows the properties used for an OpenDS LDAP server. See the example at the end of this task for values that work for ActiveDirectory. Configuration properties you can use in the LDAP module are described in a subtopic.

    <authenticationProvider controlFlag="sufficient" name="">
        <options name="BindDN" value="cn=Directory Manager"/>
        <options name="BindPassword" value="secret"/>
        <options name="DefaultSearchBase" value="dc=example,dc=com"/>
        <options name="ProviderURL" value="ldap://localhost:10389"/>
        <options name="ServerType" value="openldap"/>
    </authenticationProvider>
    <provider name="" type="attributer"/>
    Note: Change only values shown in bold. If BindPassword is encrypted (which SAP recommends), the line that defines it must include encrypted="true". The line should look similar to this:
    <options name="BindPassword" encrypted="true" value="1snjikfwregfqr43hu5io..."/>
  3. Save the file.
  4. If your LDAP server's SSL certificate is signed by a nonstandard certificate authority (for example, if it is a self-signed certificate), use the keytool utility to configure your JVM or JDK to trust the certificate. Execute a command similar to this:

    Windows:
    keytool -import -keystore %SAP_JRE7%\lib\security\cacerts -file <your cert file and path> -alias ldapcert -storepass changeit

    UNIX:
    keytool -import -keystore $SAP_JRE7/lib/security/cacerts -file <your cert file and path> -alias ldapcert -storepass changeit

LDAP Configuration Values for ActiveDirectory

For an ActiveDirectory server, use these values for configuration properties in your LDAP login module:

ServerType: msad2K
DefaultSearchBase: dc=<domainname>,dc=<tld> or o=<company name>,c=<country code> (for example, dc=sybase,dc=com or o=Sybase,c=us)
ProviderUrl: ldaps://<hostname>:<port> (for example, ldaps://myserver:636)
AuthenticationFilter: (&amp;(userPrincipalName={uid}) (objectclass=user))
BindDN: <User with read capability for all users>
BindPassword: <Password for BindDN user>
RoleFilter: (|(objectclass=groupofnames) (objectclass=group))
controlFlag: sufficient
Map SCC roles to LDAP groups.
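The following check script is an added example, not part of the SAP documentation or the SAP Control Center product. It parses an LDAP module from a csi_config.xml fragment (a constructed sample with hypothetical values is embedded) and reports the settings this task calls out: a BindPassword that lacks encrypted="true", a ProviderURL that is not ldaps://, and any of the required options missing. It also shows that the &amp; in the AuthenticationFilter value is XML escaping and reads back as a plain & once parsed.

```python
import xml.etree.ElementTree as ET

# Constructed sample csi_config.xml fragment (hypothetical values, not a real deployment).
SAMPLE_CSI_CONFIG = """<configuration>
  <authenticationProvider controlFlag="sufficient" name="ldap-module">
    <options name="BindDN" value="cn=Directory Manager"/>
    <options name="BindPassword" value="secret"/>
    <options name="DefaultSearchBase" value="dc=example,dc=com"/>
    <options name="ProviderURL" value="ldap://localhost:10389"/>
    <options name="ServerType" value="msad2K"/>
    <options name="AuthenticationFilter" value="(&amp;(userPrincipalName={uid}) (objectclass=user))"/>
  </authenticationProvider>
</configuration>"""

# Options every LDAP module in this task defines.
REQUIRED_OPTIONS = ("BindDN", "BindPassword", "DefaultSearchBase", "ProviderURL", "ServerType")


def ldap_modules(xml_text):
    """Yield (module_name, {option_name: element}) for each LDAP authenticationProvider."""
    root = ET.fromstring(xml_text)
    for prov in root.iter("authenticationProvider"):
        opts = {o.get("name"): o for o in prov.findall("options")}
        if "ServerType" in opts or "ProviderURL" in opts:  # treat as an LDAP module
            yield prov.get("name", ""), opts


def ldap_module_findings(xml_text):
    """Return a list of (module_name, finding) tuples for the LDAP modules in xml_text."""
    findings = []
    for name, opts in ldap_modules(xml_text):
        for key in REQUIRED_OPTIONS:
            if key not in opts:
                findings.append((name, "missing option " + key))
        pw = opts.get("BindPassword")
        if pw is not None and pw.get("encrypted", "false").lower() != "true":
            findings.append((name, 'BindPassword is clear text; set encrypted="true"'))
        url = opts.get("ProviderURL")
        if url is not None and not url.get("value", "").lower().startswith("ldaps://"):
            findings.append((name, "ProviderURL does not use ldaps://"))
    return findings


def option_value(xml_text, module_name, option_name):
    """Return the parsed (XML-unescaped) value of one option, or None if absent."""
    for name, opts in ldap_modules(xml_text):
        if name == module_name and option_name in opts:
            return opts[option_name].get("value")
    return None


if __name__ == "__main__":
    for module, finding in ldap_module_findings(SAMPLE_CSI_CONFIG):
        print(module + ": " + finding)
```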