Creates a new LDAP server configuration object for LDAP user
authentication. Parameters defined during the creation of an LDAP server configuration
object are stored in the ISYSLDAPSERVER (system view
SYSLDAPSERVER) system table.
Syntax
CREATE LDAP SERVER <ldapua-server-name>
[ ldapua-server-attribs ]
[ WITH ACTIVATE ]
ldapua-server-attribs
SEARCH DN
URL { <'URL_string' | NULL> }
| ACCESS ACCOUNT { <'DN_string' | NULL> }
| IDENTIFIED BY { <'password' | NULL> }
| IDENTIFIED BY ENCRYPTED { <encrypted-password | NULL> }
| AUTHENTICATION URL { <'URL_string' | NULL> }
| CONNECTION TIMEOUT <timeout_value>
| CONNECTION RETRIES <retry_value>
| TLS { ON | OFF }
Parameters
- URL identifies the host (by name or by IP address), port number, and
the search to be performed for the DN lookup for a given user ID. This value
is validated for correct LDAP URL syntax before it is stored in the
ISYSLDAPSERVER system table. The maximum size for
this string is 1024 bytes.
- ACCESS ACCOUNT identifies a user created in the LDAP server for
use by SAP IQ, not a user within SAP IQ. The distinguished name (DN) for this user is
used to connect to the LDAP server. This user has permissions within the LDAP server to
search for DNs by user ID in the locations specified by the SEARCH DN URL. The maximum
size for this string is 1024 bytes.
- IDENTIFIED BY provides the password associated with the ACCESS ACCOUNT user. The
password is stored using symmetric encryption on disk. Use the value NULL to clear the
password and set it to none. The maximum size of a clear text password is 255 bytes.
- IDENTIFIED BY ENCRYPTED configures the password associated with the ACCESS ACCOUNT
distinguished name in an encrypted format. The binary value is the encrypted password
and is stored on disk as is. Use the value NULL to clear the password and set it to
none. The maximum size of the binary is 289 bytes. The encrypted key should be a
valid varbinary value. Do not enclose the encrypted key in quotation marks.
- AUTHENTICATION URL identifies the host (by name or IP
address) and the port number of the LDAP server to use for authentication of the user.
This is the value defined for URL_string and is validated for correct LDAP URL syntax
before it is stored in the ISYSLDAPSERVER system table. The
DN of the user obtained from a prior DN search and the user password bind a new
connection to the authentication URL. A successful connection to the LDAP server is
considered proof of the identity of the connecting user. The maximum size for this
string is 1024 bytes.
- CONNECTION TIMEOUT specifies the connection timeout
from SAP IQ to the LDAP server for both DN
searches and authentication. This value is in milliseconds, with a default value of 10
seconds.
- CONNECTION RETRIES specifies the number of retries on
connections from SAP IQ to the LDAP server
for both DN searches and authentication. The valid range of values is 1–60, with a
default value of 3.
- TLS defines whether the TLS or the Secure LDAP protocol is used for
connections to the LDAP server for both DN searches and authentication. When set to ON,
the TLS protocol is used and the URL begins with "ldap://". When set to OFF (or not
specified), the Secure LDAP protocol is used and the URL begins with "ldaps://". When using
the TLS protocol, specify the database security option TRUSTED_CERTIFICATES_FILE with a
file name containing the certificate of the Certificate Authority (CA) that signed the
certificate used by the LDAP server.
- WITH ACTIVATE activates the LDAP server configuration object for immediate use
upon creation. This permits the definition and activation of LDAP User Authentication in
one statement. The LDAP server configuration object state changes to READY when WITH
ACTIVATE is used.
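As an added check that is not part of the SAP IQ documentation or product: a small Python linter that parses the URL and AUTHENTICATION URL values as the parameter descriptions above define them (scheme://host:port/dn?attrs?scope?filter, 1024-byte limit) and flags the TLS/scheme combinations that leave binds in cleartext or the server certificate unverified. Which malformed inputs SAP IQ's own syntax validation rejects is an assumption here; the port defaults (389/636) are the standard LDAP/LDAPS ports.

```python
from urllib.parse import urlsplit

MAX_URL_BYTES = 1024                      # stated limit for URL and AUTHENTICATION URL
SCOPES = ("", "base", "one", "sub")       # scope field of an LDAP URL; empty means default

def parse_ldap_url(url):
    """Split an LDAP URL of the form scheme://host:port/dn?attrs?scope?filter.

    Raises ValueError for input that is not a well-formed LDAP URL (bad scheme,
    missing host, unknown scope, over-long string). Which of these SAP IQ's own
    syntax check rejects is an assumption, not taken from the documentation.
    """
    if len(url.encode("utf-8")) > MAX_URL_BYTES:
        raise ValueError("longer than %d bytes" % MAX_URL_BYTES)
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap or ldaps")
    if not p.hostname:
        raise ValueError("host is required")
    # urlsplit stops the path at the first '?'; rejoin to recover dn?attrs?scope?filter
    rest = p.path.lstrip("/") + ("?" + p.query if p.query else "")
    dn, attrs, scope, filt = (rest.split("?") + [""] * 4)[:4]
    if scope not in SCOPES:
        raise ValueError("scope must be base, one or sub")
    port = p.port or (636 if p.scheme == "ldaps" else 389)   # standard LDAP/LDAPS ports
    return {"scheme": p.scheme, "host": p.hostname, "port": port,
            "dn": dn, "attrs": attrs, "scope": scope, "filter": filt}

def check_ldap_server(search_url, auth_url, tls_on, trusted_certificates_file=None):
    """Return a list of findings for one CREATE LDAP SERVER configuration,
    given the TLS setting and the trusted_certificates_file option in force."""
    findings = []
    needs_ca_file = tls_on                     # TLS ON always needs the CA certificate
    for label, url in (("URL", search_url), ("AUTHENTICATION URL", auth_url)):
        try:
            parts = parse_ldap_url(url)
        except ValueError as err:
            findings.append("%s: invalid LDAP URL (%s)" % (label, err))
            continue
        if parts["scheme"] == "ldaps":
            needs_ca_file = True                # Secure LDAP also verifies the server certificate
        if tls_on and parts["scheme"] != "ldap":
            findings.append("%s: TLS ON expects ldap://, got %s://" % (label, parts["scheme"]))
        if not tls_on and parts["scheme"] == "ldap":
            findings.append("%s: ldap:// with TLS OFF, binds cross the network in cleartext" % label)
    if needs_ca_file and not trusted_certificates_file:
        findings.append("trusted_certificates_file is not set, so the LDAP server's "
                        "certificate cannot be verified")
    return findings
```

Run against the page's three examples, Example 1 yields two cleartext findings while Examples 2 and 3 (with trusted_certificates_file set) yield none.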
Examples
- Example 1
sets the search parameters and the authentication URL, sets a three
second timeout, and activates the server so it can begin authenticating
users. It connects to the LDAP server without the TLS or Secure LDAP
protocols.
SET OPTION PUBLIC.login_mode = 'Standard,LDAPUA'
CREATE LDAP SERVER apps_primary
SEARCH DN
URL 'ldap://my_LDAPserver:389/dc=MyCompany,dc=com??sub?cn=*'
ACCESS ACCOUNT 'cn=aseadmin, cn=Users, dc=mycompany, dc=com'
IDENTIFIED BY 'Secret99Password'
AUTHENTICATION URL 'ldap://my_LDAPserver:389/'
CONNECTION TIMEOUT 3000
WITH ACTIVATE
- Example 2
uses the same search parameters as example 1, but specifies “ldaps” so
that a Secure LDAP connection is established with the LDAP server on
host my_LDAPserver, port 636. Only LDAP clients using the Secure LDAP
protocol may now connect on this port. The database security option
TRUSTED_CERTIFICATES_FILE must be set with a file name containing the
certificate of the certificate authority (CA) that signed the
certificate used by the LDAP server at "ldaps://my_LDAPserver:636".
During the handshake with the LDAP server, the certificate presented by
the LDAP server is checked by the SAP IQ
server (the LDAP client) to ensure that it is signed by one of the
certificates listed in the file. This establishes trust by the client
that the server is who it says it is. The ACCESS ACCOUNT and IDENTIFIED
BY parameters establish trust by the LDAP server that the client is who
it says it is.
Note The TLS parameter must be OFF when Secure LDAP is
used instead of the TLS protocol.
SET OPTION PUBLIC.login_mode = 'Standard,LDAPUA'
SET OPTION PUBLIC.trusted_certificates_file = '/mycompany/shared/trusted.txt'
CREATE LDAP SERVER secure_primary
SEARCH DN
URL 'ldaps://my_LDAPserver:636/dc=MyCompany,dc=com??sub?cn=*'
ACCESS ACCOUNT 'cn=aseadmin, cn=Users, dc=mycompany, dc=com'
IDENTIFIED BY 'Secret99Password'
AUTHENTICATION URL 'ldaps://my_LDAPserver:636/'
CONNECTION TIMEOUT 3000
TLS OFF
WITH ACTIVATE
- Example 3 establishes the TLS protocol on port 389. It also requires
database security option TRUSTED_CERTIFICATES_FILE to be set with a file name
and provides the same type of security as example 2. In this example, the
TLS protocol is ON to facilitate wider support by LDAP server vendors.
Note Check the requirements of all your LDAP servers when deciding how
to configure Secure LDAP or TLS for an SAP IQ
server.
SET OPTION PUBLIC.login_mode = 'Standard,LDAPUA'
SET OPTION PUBLIC.trusted_certificates_file = '/mycompany/shared/trusted.txt'
CREATE LDAP SERVER tls_primary
SEARCH DN
URL 'ldap://my_LDAPserver:389/dc=MyCompany,dc=com??sub?cn=*'
ACCESS ACCOUNT 'cn=aseadmin, cn=Users, dc=mycompany, dc=com'
IDENTIFIED BY 'Secret99Password'
AUTHENTICATION URL 'ldap://my_LDAPserver:389/'
CONNECTION TIMEOUT 3000
TLS ON
WITH ACTIVATE
Permissions
Requires the MANAGE ANY LDAP SERVER system privilege.