Creates or lists an LDAP URL search string, verifies an LDAP URL search string or login, or specifies the access accounts and tunable LDAPUA-related parameters.


sp_ldapadmin command [, option1 [, option2]]

Valid command [, option1 [, option2]] options are:

	'set_primary_url', 'url'
	'set_secondary_url', 'url'
	'set_dn_lookup_url', 'url'
	'set_secondary_dn_lookup_url', 'url'
	'set_access_acct', 'distinguished_name', 'password'
	'set_secondary_access_acct', 'distinguished_name', 'password'
	'set_failback_interval', time_in_minutes
	'suspend', {'primary' | 'secondary'}
	'activate', {'primary' | 'secondary'} 
	'check_url', 'url'’
	'check_login', 'name'
	'set_timeout', timeout_in_milli_seconds
	'set_log_interval', log_interval_in_minutes
	'set_num_retries', num_retries
	'set_max_ldapua_native_threads', max_ldapua_native_threads
	'set_max_ldapua_desc', max_ldapua_desc
	'set_abandon_ldapua_when_full', {true|false}
	'starttls_on_primary', {true|false}
	'starttls_on_secondary', {true|false}




There are additional considerations when using sp_ldapadmin:
  • The LDAP vendor determines the syntax of the search string. In all cases, the search string specifies the attribute name that uniquely identifies the user in the form “attribute=wildcard” as in “cn=*”.

  • The first attribute in a compound filter must define the Relative Distinguished Name (RDN). For example, “...sub?(uid=*)(ou=group)”. Otherwise, the authentication fails.

  • When a search string is added, the SAP ASE server verifies that it uses valid LDAP URL syntax and that it references an existing node. To ensure that the valid string returns expected values, carefully choose and verify the search string when configuring the SAP ASE server.

  • The secondary URL search string enables failover to another LDAP server. The SAP ASE server uses the primary URL search string unless the LDAP Server is not active or the search string is invalid. In this event, the SAP ASE server uses the secondary URL search string for authentication.

  • The login sequence of searched DN algorithm requires the SAP ASE server to bind to the LDAP server using the access account before it can perform searches. The SAP ASE server obtains an LDAP descriptor (handle) as a result of the bind. This descriptor is used for searching the DN of the login on the LDAP server.

  • In order to access the server, users who are being authenticated with the LDAP server should either exist as a valid user in SAP ASE, or have a mapping defined.

See Creating and Managing ASE Logins Using LDAP in the System Administration Guide and sp_maplogin.


The permission checks for sp_ldapadmin differ based on your granular permissions settings.


With granular permissions enabled, you must be a user with manage security configuration privilege.


With granular permissions disabled, you must be a user with sso_role.


Values in event and extrainfo columns from the sysaudits table are:



Audit option


Command or access audited

Execution of a procedure

Information in extrainfo
  • Roles – Current active roles

  • Keywords or options – NULL

  • Previous value – NULL

  • Current value – NULL

  • Other information – All input parameters

  • Proxy information – Original login name, if set proxy in effect

Related reference