
Directory Service (LDAP/AD) Configuration Properties

Configure the Directory Service (LDAP/AD) provider to authenticate device applications and Management Cockpit administration logins.

Description

Administrators can use Management Cockpit to configure the Directory Service (LDAP/AD) provider. Configuration properties are saved to the <SMP_HOME>\Server\configuration\com.sap.mobile.platform.server.security\CSI directory.

Directory Service (LDAP/AD) provides authentication services, including certificate authentication. The Java LDAP provider includes three modules.

Note To enable LDAP users to log in to Management Cockpit, add the Directory Service (LDAP/AD) authentication provider to the Admin security profile.

Use this table to help you configure properties for one or more of the supported LDAP providers. When configuring providers or general server properties in Management Cockpit, note that properties and values can vary, depending on which provider or server type you configure.

Note The following characters have special meaning when they appear in a name in LDAP: , (comma), = (equals), + (plus), < (less than), > (greater than), # (number or hash sign), ; (semicolon), \ (backslash), / (forward slash), LF (line feed), CR (carriage return), " (double quotation mark), ' (single quotation mark), * (asterisk), ? (question mark), & (ampersand), and a space at the beginning or end of a string. LDAP providers do not handle these special characters in any of the names or DNs, in any of the configuration properties. Additionally, some of the properties, as identified below, cannot use these special characters in common names.
Directory Service (LDAP/AD) Properties
Table 1: Directory Service (LDAP/AD) General Properties
Property Default Value Description

Control Flag

Optional

Indicates how the security provider is used in the login sequence.
  • Optional – the authentication provider is not required to succeed. Whether it succeeds or fails, authentication proceeds down the authentication provider list.
  • Sufficient – the authentication provider is not required to succeed. If it succeeds, control returns immediately to the caller (unless an earlier Required or Requisite provider has already failed); if it fails, authentication proceeds down the list.
  • Required – the authentication provider is required to succeed. Whether it succeeds or fails, authentication proceeds down the list, but the overall login fails if this provider failed.
  • Requisite – the authentication provider is required to succeed. If it succeeds, authentication proceeds down the list; if it fails, control returns immediately to the caller and the overall login fails.
If a security profile contains only Optional or Sufficient providers, at least one of them must succeed for the login to succeed.
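
The following is an added example, not code from SAP Mobile Platform: a small Python simulation of how a JAAS-style login stack evaluates these four flags (the Control Flag property mirrors the JAAS LoginContext rules). The Provider class, the evaluate_stack() function and the two hypothetical providers named ldap-corp and ldap-partner (two LDAP providers of the same type stacked in one profile, each targeting a different repository) are constructed for this illustration.

```python
"""Added example (not SAP code): how a JAAS-style provider stack evaluates the
Control Flag values Optional / Sufficient / Required / Requisite."""
from dataclasses import dataclass
from typing import List, Tuple

OPTIONAL, SUFFICIENT, REQUIRED, REQUISITE = "Optional", "Sufficient", "Required", "Requisite"


@dataclass(frozen=True)
class Provider:
    """One authentication provider in a security profile.

    `succeeds` is the constructed outcome this provider would report if it is
    invoked; a real provider decides that by talking to its repository."""
    name: str
    flag: str
    succeeds: bool


def evaluate_stack(stack: List[Provider]) -> Tuple[bool, List[str]]:
    """Return (overall_login_succeeded, names of providers actually invoked).

    Rules (JAAS LoginContext semantics, which Control Flag mirrors):
      Required   must succeed; evaluation continues whatever the result.
      Requisite  must succeed; on failure evaluation stops at once.
      Sufficient need not succeed; on success evaluation stops at once,
                 unless an earlier Required/Requisite provider already failed.
      Optional   need not succeed; evaluation always continues.
    Overall success: every Required/Requisite provider succeeded, or, if the
    profile has none of those, at least one Sufficient/Optional provider did.
    """
    invoked: List[str] = []
    any_required = False        # profile contains a Required/Requisite provider
    required_failed = False     # one of them failed -> login cannot succeed
    any_success = False         # some Sufficient/Optional provider succeeded
    for p in stack:
        invoked.append(p.name)
        if p.flag in (REQUIRED, REQUISITE):
            any_required = True
            if not p.succeeds:
                required_failed = True
                if p.flag == REQUISITE:
                    break       # Requisite failure aborts the sequence
        elif p.succeeds:
            any_success = True
            if p.flag == SUFFICIENT and not required_failed:
                break           # Sufficient success short-circuits the sequence
    if any_required:
        return (not required_failed), invoked
    return any_success, invoked


if __name__ == "__main__":
    # Two hypothetical LDAP providers stacked in one profile (constructed names).
    corp_ok = Provider("ldap-corp", SUFFICIENT, True)
    partner_ok = Provider("ldap-partner", OPTIONAL, True)
    print(evaluate_stack([corp_ok, partner_ok]))        # (True, ['ldap-corp'])
    corp_down = Provider("ldap-corp", REQUIRED, False)
    partner_suff = Provider("ldap-partner", SUFFICIENT, True)
    # A later Sufficient success does not rescue a failed Required provider.
    print(evaluate_stack([corp_down, partner_suff]))    # (False, ['ldap-corp', 'ldap-partner'])
```

The second scenario is the one worth remembering when stacking repositories: marking the primary directory Required and a fallback Sufficient means an outage of the primary fails every login, whereas Sufficient followed by Sufficient falls through to the second repository.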

Description

None

(Optional) A brief description of the provider that you can use to differentiate between multiple instances of the same provider type; for example, when you have multiple authentication providers of the same type stacked in a security profile, and each targets a different repository.

Server Type

None

(Optional) Type of LDAP server to which you are connecting:

  • sunone5 -- SunOne 5.x OR iPlanet 5.x
  • msad2k -- Microsoft Active Directory, Windows 2000
  • nsds4 -- Netscape Directory Server 4.x
  • openldap -- OpenLDAP Directory Server 2.x
The value you choose establishes default values for these other authentication properties:
  • Role Filter
  • User Role Membership Attributes
  • Role Member Attributes
  • Authentication Filter
  • Digest MD5 Authentication
  • Use User Account Control

Provider URL

ldap://localhost:389

The URL used to connect to the LDAP server. Without this URL configured, SAP Mobile Platform Server cannot contact your server. Use the default value only if the LDAP server is:

  • Located on the same machine as SAP Mobile Platform Server (the product that uses the common security infrastructure).
  • Configured to use the default port (389).

Otherwise, use this syntax for setting the value:

ldap://<hostname>:<port>

Security Protocol

None

The protocol to be used when connecting to the LDAP server. The specified value overrides the environment property java.naming.security.protocol.

To use an encrypted connection, set this property to ssl and keep the Provider URL in the ldap://<hostname>:<port> form with the server's LDAPS port (typically 636), rather than changing the URL scheme to ldaps. The LDAP server's certificate must be trusted by SAP Mobile Platform Server, or the connection fails. Without ssl, bind passwords sent with the simple Authentication Method cross the network in clear text.

Bind DN

None

The user DN to bind against when building the initial LDAP connection.

In many cases, this account needs read permission on all user and group records that the authentication and role searches cover; use a dedicated, read-only service account rather than an administrative one. If you do not set a value, anonymous binding is used. Anonymous binding works on most servers without additional configuration, but Active Directory does not permit anonymous searches by default, so a Bind DN is normally required for AD.

Note When you use this property to authenticate a user in Management Cockpit:
  • The property value may not contain any of the special characters listed above in any of the common names or distinguished names.
  • Do not use Chinese or Japanese characters in the user names or passwords of this property.

Bind Password

None

The password for the Bind DN account. Bind DN and Bind Password open the initial connection through which the provider looks up users and roles; they are not the credentials of the user being authenticated. See the note for Bind DN.

The Authentication Method property determines the bind method used for this initial connection.

Enable LDAP Connection Trace

Disabled

Determines whether LDAP connection tracing is enabled. The output is logged to a file in the temp directory. The location of the file is logged to the server log.

Referral

Ignore

Determines the response when a referral is encountered. Valid values are dictated by LdapContext, for example: follow, ignore, throw.

Authentication Filter

For most LDAP servers: (&(uid={uid})(objectclass=person))

For Active Directory e-mail-style (userPrincipalName) lookups: (&(userPrincipalName={uid})(objectclass=user))

For Active Directory Windows user name lookups: (&(sAMAccountName={uid})(objectclass=user))

The filter to use when looking up the user.

When performing a user name based lookup, this filter is used to determine the LDAP entry that matches the supplied user name.

The string "{uid}" in the filter is replaced with the supplied user name.
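
Added example (Python, not SAP Mobile Platform code) showing why the special characters listed in the note above matter at exactly this point: when "{uid}" is replaced by an unescaped user name, the name can rewrite the filter, while RFC 4515 escaping of filter values and RFC 4514 escaping of DN values (for Bind DN and other distinguished names) neutralizes it. build_auth_filter(), escape_filter_value() and escape_dn_value() are hypothetical helpers written for this page; the page itself states that the SAP provider does not handle these characters, which is why it advises against using them in names.

```python
"""Added example (not SAP code): escaping for the {uid} substitution in the
Authentication Filter (RFC 4515) and for DN values such as Bind DN (RFC 4514)."""

# RFC 4515 section 3: characters that must appear as \XX inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(template: str, uid: str, escape: bool = True) -> str:
    """Substitute the supplied user name for the literal string "{uid}".

    escape=False reproduces naive string replacement so the injection below is
    visible; escape=True is what a safe provider must do before the search.
    """
    value = escape_filter_value(uid) if escape else uid
    return template.replace("{uid}", value)


# RFC 4514 section 2.4: characters that must be escaped in a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:          # leading number sign
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading or trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    template = "(&(uid={uid})(objectclass=person))"   # the page's default filter
    evil = "*)(objectclass=*"                           # constructed user name
    # Naive replacement turns the user lookup into "any person": the injected
    # clause is ORed in by the surrounding parentheses.
    print(build_auth_filter(template, evil, escape=False))
    # Escaped, the same input is just an (unmatchable) literal uid value.
    print(build_auth_filter(template, evil))
    print(escape_dn_value("Smith, John"))   # Smith\, John
```

Note that escaping makes the filter well formed but does not make the name acceptable to the SAP provider, which per the note above does not handle these characters; the practical rule remains to keep them out of common names and DNs used in these properties.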

Authentication Scope

onelevel

Determines whether the search for a user should be limited to the search base or the subtree rooted at the search base. The supported values for this are:

  • onelevel
  • subtree

If you do not specify a value or if you specify an invalid value, the default value is used.

Authentication Search Base

None

The search base used to authenticate users. If this property is not configured, the value for Default Search Base is used.

Role Search Base

None

The search base used to retrieve lists of roles. If this property is not configured, the value for Default Search Base is used.

Setting the Role Search Base to the root of an Active Directory domain (for example "DC=example,DC=com") may result in a PartialResultException (javax.naming.PartialResultException) when validating the configuration or authenticating a user. A search from the domain root returns continuation references (referrals) to the other naming contexts hosted there, and those referral URLs use the domain's DNS name (for example ldap://example.com:389) rather than the host you configured in Provider URL. If users encounter the exception, they should confirm they can reach example.com:389. The DNS lookup may resolve example.com to an IP address, but port 389 may not be open or may not have an Active Directory server listening on it. In this case, add an entry to the hosts file (for example, systemroot\system32\drivers\etc\hosts or /etc/hosts) on the machine where SAP Mobile Platform is installed so that the domain name resolves to a reachable domain controller. Narrowing the Role Search Base to the container that actually holds the groups avoids the referrals altogether.

Note Only manual configuration validation is supported.

Role Scope

onelevel

Determines whether the search for the roles should be limited to the search base or the subtree rooted at the search base. Supported values include:
  • onelevel
  • subtree

If you do not specify a value or if you specify an invalid value, the default value is used.

Role Filter

For SunONE/iPlanet: (&(objectclass=ldapsubentry)(objectclass=nsroledefinition))

For Netscape Directory Server: (|(objectclass=groupofnames)(objectclass=groupofuniquenames))

For Active Directory: (|(objectclass=groupofnames)(objectclass=group))

The role search filter.

This filter should, when combined with the role search base and role scope, return a complete list of roles within the LDAP server. There are several default values, depending on the chosen server type. If the server type is not chosen and this property is not initialized, no roles are available.

Role Member Attributes

For Netscape Directory Server and OpenLDAP Server: member,uniquemember

A comma-separated list of role attributes from which LDAP derives the DNs of users who have this role.

These values are cross-referenced with the DN of the authenticated user to determine the user's role list; a typical use is treating LDAP groups as placeholders for roles. This property has a default value only when the Netscape or OpenLDAP server type is chosen.

User Role Membership Attributes

For iPlanet/SunONE: nsRoleDN

For Active Directory: memberOf

For all others: none

A user attribute that contains the DNs of all of the roles a user is a member of.

These comma-delimited values are cross-referenced with the roles retrieved in the role search base and search filter to generate a list of user's roles.

If Skip Role Search property is set to true, these comma-delimited values are not cross-referenced with the roles retrieved in the role search base and role search filter.

Note If you use nested groups with Active Directory, you must set this property to tokenGroups.
Table 2: Directory Service (LDAP/AD) Advanced Properties
Property Default Value Description

Initial Context Factory

com.sun.jndi.ldap.LdapCtxFactory

Determines the JNDI provider that the LDAP provider uses.

Authentication Method

Simple

The authentication method to use for all authentication requests into LDAP. Legal values are generally the same as those of the java.naming.security.authentication JNDI property. Choose one of:

  • simple – for clear-text password authentication. Because the password crosses the network unprotected, use simple only with Security Protocol set to ssl.
  • DIGEST-MD5 – for challenge-response hashed password authentication. This method requires that the server store passwords in plain text (or another reversible form) and only works with JRE 1.4 or later. DIGEST-MD5 has since been classified as obsolete (RFC 6331); prefer a simple bind over an SSL-protected connection.

Digest MD5 Authentication Format

DN

For OpenLDAP: User name

The DIGEST-MD5 bind authentication identity format.

Default Search Base

None

The LDAP search base that is used if no other search base is specified for authentication, roles, attribution and self registration:

  1. dc=<domainname>,dc=<tld>

    For example, a machine in sap.com domain would have a search base of dc=sap,dc=com.

  2. o=<company name>,c=<country code>

    For example, this might be o=SAP,c=us for a machine within the SAP organization.

Use User Account Control Attribute

For Active Directory: true

Determines whether the User Account Control attribute is used to detect if a user account is disabled, if the account has expired, if the password associated with the account has expired, and so on.

Active Directory uses this attribute to store this information.

Role Name Attribute

cn

The attribute of the role entry used as the role name in SAP Mobile Platform. This is the role name displayed in the role list or granted to the authenticated user.

User Freeform Role Membership Attributes

None

The freeform role membership attribute list.

Users who have attributes in this comma-delimited list are automatically granted the roles whose names equal the attribute values. For example, if the value of this property is department and the user's LDAP record has the values { sales, consulting } for the department attribute, the user is granted the roles sales and consulting. Because every value of a listed attribute becomes a role grant, use only attributes that directory administrators, not the users themselves, can modify.
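
Added example (Python, not SAP code) pulling together the role properties described above (Role Filter, Role Search Base and Role Scope, Role Member Attributes, User Role Membership Attributes with Skip Role Search, Role Name Attribute, and the freeform attributes just described). It runs against a constructed in-memory directory; search() stands in for the LDAP searches the real provider performs, and resolve_roles() is a hypothetical helper written for this page. Nested Active Directory groups (the tokenGroups case) are not modelled, and the role name used when Skip Role Search is enabled is an assumption noted in the code, since the page does not say how it is derived.

```python
"""Added example (not SAP code): resolving a user's roles from LDAP entries the
way the Role Filter, Role Member Attributes, User Role Membership Attributes,
Role Name Attribute and User Freeform Role Membership Attributes properties
describe. Uses a constructed in-memory directory instead of a live server."""
from typing import Callable, Dict, Iterable, List, Set

Entry = Dict[str, List[str]]

# Constructed sample directory: DN -> attributes (multi-valued, as in LDAP).
DIRECTORY: Dict[str, Entry] = {
    "cn=sales,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupofnames"], "cn": ["sales"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupofnames"], "cn": ["admins"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
    },
    # A group outside ou=groups: alice's memberOf names it, but it only becomes
    # a role if the Role Search Base / Role Scope actually cover it.
    "cn=vpn-users,ou=infra,dc=example,dc=com": {
        "objectclass": ["groupofnames"], "cn": ["vpn-users"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "uid": ["alice"],
        "memberOf": ["cn=sales,ou=groups,dc=example,dc=com",
                     "cn=vpn-users,ou=infra,dc=example,dc=com"],
        "department": ["consulting"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "uid": ["bob"],
    },
}


def search(base: str, scope: str, match: Callable[[Entry], bool]) -> Dict[str, Entry]:
    """Stand-in for an LDAP search: onelevel = direct children of base, subtree = all descendants."""
    found: Dict[str, Entry] = {}
    suffix = "," + base.lower()
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(suffix):
            continue
        relative = dn[: -len(suffix)]
        if scope == "onelevel" and "," in relative:
            continue
        if match(attrs):
            found[dn] = attrs
    return found


def group_role_filter(attrs: Entry) -> bool:
    """Stands in for Role Filter (|(objectclass=groupofnames)(objectclass=group))."""
    return any(oc.lower() in ("groupofnames", "group") for oc in attrs.get("objectclass", []))


def resolve_roles(user_dn: str, *, role_search_base: str, role_scope: str = "onelevel",
                  role_name_attribute: str = "cn",
                  role_member_attributes: Iterable[str] = ("member", "uniquemember"),
                  user_role_membership_attributes: Iterable[str] = ("memberOf",),
                  skip_role_search: bool = False,
                  freeform_attributes: Iterable[str] = ()) -> Set[str]:
    user = DIRECTORY[user_dn]
    roles: Set[str] = set()
    memberships = {dn.lower() for a in user_role_membership_attributes for dn in user.get(a, [])}

    if skip_role_search:
        # Assumption (the page does not say): with no cross-reference, the role
        # name is the RDN value of each membership DN, e.g. cn=sales,... -> sales.
        roles.update(dn.split(",", 1)[0].split("=", 1)[1] for dn in memberships)
    else:
        for role_dn, attrs in search(role_search_base, role_scope, group_role_filter).items():
            role_name = attrs[role_name_attribute][0]
            # Role Member Attributes: the role entry lists the user's DN.
            members = {m.lower() for a in role_member_attributes for m in attrs.get(a, [])}
            # User Role Membership Attributes: the user entry lists the role's DN,
            # honoured only if the role search also returned that entry.
            if user_dn.lower() in members or role_dn.lower() in memberships:
                roles.add(role_name)

    # User Freeform Role Membership Attributes: attribute values become role names.
    for a in freeform_attributes:
        roles.update(user.get(a, []))
    return roles


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print(resolve_roles(alice, role_search_base="ou=groups,dc=example,dc=com"))           # {'sales'}
    print(resolve_roles(alice, role_search_base="dc=example,dc=com"))                     # set()
    print(resolve_roles(alice, role_search_base="ou=groups,dc=example,dc=com",
                        skip_role_search=True))                                           # {'sales', 'vpn-users'}
```

Two behaviours worth noticing: with the default onelevel Role Scope, a Role Search Base at the directory root finds no groups at all, so the user ends up with no roles; and enabling Skip Role Search grants a role for every group in memberOf, including ones outside the Role Search Base, so that switch widens what a group membership can confer.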

LDAP Pool Max Active

8

The maximum number of concurrent LDAP connections allowed to the LDAP server.

A non-positive value indicates no limit. If this option is set for multiple LDAP providers, the value set by the first LDAP provider loaded takes precedence over all the others. When LDAP Pool Max Active is reached, any further attempts by the LDAP provider classes to borrow LDAP connections from the pool are blocked indefinitely until a new or idle object becomes available in the pool.

Connection pooling improves the LDAP provider's performance and resource utilization by managing the number of TCP connections established with configured LDAP servers. A separate pool is associated with different SAP Mobile Platform security profiles, ensuring that the LDAP connections in the connection pool for a particular security profile are isolated from any changes occurring outside this security configuration. A separate pool also ties the connection pool life cycle to that of the security profile.

Connect Timeout

0

The timeout, in milliseconds, when connecting to the LDAP server.

The property value sets the JNDI com.sun.jndi.ldap.connect.timeout property when attempting to establish a connection to a configured LDAP server. If the LDAP provider cannot establish a connection within the configured interval, it aborts the connection attempt. An integer less than or equal to zero results in the use of the network protocol's timeout value.

Read Timeout

0

The length of time, in milliseconds, that the client waits for the server to respond to a read attempt after the initial connection to the server has been established.

The property value sets the JNDI com.sun.jndi.ldap.read.timeout property. If the LDAP provider does not receive an LDAP response within the configured interval, it aborts the read attempt. The read timeout applies to LDAP responses received after the initial connection is established. An integer less than or equal to zero means no read timeout, so an unresponsive LDAP server can hold an authentication thread indefinitely; set a positive value in production.

Enable Certificate Authentication

Disabled

Determines whether certificate authentication is enabled when this provider is configured with X.509 User Certificate.

Certificate Authentication Filter

None

The filter to use when authenticating the user with a certificate. The filter determines the LDAP entry that matches the supplied certificate encoded form.

Certificate Attributes

None

Comma-separated list of attributes in the certificate to be used for authenticating the user, instead of the certificate binary.

LDAP Attributes

None

Comma-separated list of attributes that map to the certificate attributes, to be used to select the LDAP entry that matches the values in the certificate.

Unmapped Attribute Prefix

LDAP

Prefix assigned to unmapped LDAP attributes when moving them into the CSI namespace.

A period is added to the prefix, followed by the LDAP attribute name. For example, employeeNumber is converted to LDAP.employeeNumber.

Serialization Key

None

A unique configuration serialization key. Within a CSI configuration file, each LDAP configuration block must have a unique value. By default the value is derived from the Provider URL, which is sufficient for most situations.

However, if multiple LDAP login providers are configured against the same Provider URL, set this property to a distinct value for each of them so that the correct configuration is identified when sessions are serialized.

key:value Pair

None

Attributes identified using an arbitrary name, where the key is the name, and the value is the content. Because SAP Mobile Platform does not make use of user attributes retrieved from LDAP, there is no need to set any custom properties.