
LDAP Server

Follow this procedure to set up LDAP Server as a target system.

Restriction:

This system is available for standalone tenants running on SAP Cloud Identity infrastructure and SAP BTP, Neo environment. Bundle tenants running on SAP Cloud Identity Services infrastructure and Neo environment can use it only through SAP Identity Access Governance bundle option.

Note:

If you have purchased the Identity Provisioning service between September 1, 2020 and October 20, 2020, and you want to make a connection to this on-premise system, follow the procedure in: Connect to On-Premise Systems in SAP Cloud Identity Infrastructure.

  • You have installed the Cloud Connector in your corporate environment and have done the initial configuration. For more information, see: Cloud Connector (Neo) or Cloud Connector (Cloud Foundry).
  • For tenants running on the infrastructure of SAP Cloud Identity Services: You have a multi-environment subaccount in the Cloud Foundry region that maps the region of your Identity Authentication tenant and it is subscribed to the Cloud Identity Services application. For more information, see Connect to On-Premise Systems in SAP Cloud Identity Infrastructure.
  • You have the credentials of a technical user in the LDAP Server, which is used to call the LDAP Server API to write users and their attributes.

You can use LDAP Server to write entities retrieved from a source system. This scenario supports writing users and group assignments.

There are two versions of the LDAP Server connector. Both consume the LDAP Server API to read and write users and groups. The versions are handled by the ldap.api.version property as follows:

  • When the value is set to 1, or the property is not defined (typical for systems created before versioning was introduced on May 25, 2023), LDAP Server API version 1 is used. This is the default value of ldap.api.version.

    When using this version of the connector, the entities (users and groups) are read with all attributes.

  • When the value is set to 2, LDAP Server API version 2 is used.

    This version of the connector comes with improved performance of the read operation for user and group attributes. You can now define which user and group attributes are read, by adding values to the properties ldap.user.attributes or ldap.group.attributes.

    These properties also let you add user and group operational attributes (attributes that the directory maintains for internal use). For more information, refer to the official LDAP server documentation. After the additional property values are set, the default read or proxy read transformations should also be adjusted accordingly.

    For more information on how to update to LDAP Server connector version 2, see Update Connector Version.

  1. Add an access control system mapping for the LDAP Server in the Cloud Connector. This is needed to allow the Identity Provisioning service to access the LDAP server as a back-end system on the intranet. For more information, see Configure Access Control (LDAP).

  2. Access the Identity Provisioning UI.

  3. Sign in to the administration console of SAP Cloud Identity Services and navigate to Identity Provisioning > Target Systems.

  4. Add LDAP Server as a target system. For more information, see Add New Systems.

  5. Choose the Properties tab to configure the connection settings for your system.

    Note:

    If your tenant is running on SAP BTP, Neo environment, you can create a connectivity destination in your subaccount in the SAP BTP cockpit, and then select it from the Destination Name combo box in your Identity Provisioning User Interface.

    If one and the same property exists both in the cockpit and in the Properties tab, the value set in the Properties tab is considered with higher priority.

    We recommend that you use the Properties tab. Use a connectivity destination only if you need to reuse one and the same configuration for multiple provisioning systems.

    Mandatory Properties

    | Property Name | Description & Value |
    | --- | --- |
    | Type | Enter: LDAP |
    | ldap.url | Specify the destination URL. It must be in the following format: `ldap://<external_host>:<external_port>` |
    | ldap.proxyType | Enter: OnPremise |
    | ldap.authentication | Enter: BasicAuthentication |
    | ldap.user | Enter the distinguishedName of the technical LDAP user. This is the user you need to establish the connection and to perform all queries. |
    | ldap.password | (Credential) Enter the password for the LDAP technical user. |
    | ldap.group.path | Enter the complete path to the node containing the groups in the LDAP tree. |
    | ldap.user.path | Enter the complete path to the users in the LDAP tree. |
    | (Optional) ldap.api.version | Defines the version of the LDAP Server API. Possible values: 1 (LDAP Server API version 1 is used) or 2 (LDAP Server API version 2 is used). If the property is not defined, LDAP Server API version 1 is used. |
    | CloudConnectorLocationId | Relevant when the proxy type is OnPremise. Use it only if your SAP Business Technology Platform account uses more than one Cloud Connector. |
    | (Optional) ips.delete.threshold.groups | Use this property to define a threshold that limits the number of groups deleted in a target system. This prevents you from accidentally deleting a huge number of groups, for example as a result of adding a filter or condition. For more information, see: List of Properties |
    | (Optional) ips.delete.threshold.users | Use this property to define a threshold that limits the number of users deleted in a target system. This prevents you from accidentally deleting a huge number of users, for example as a result of adding a filter or condition. For more information, see: List of Properties |

    Remember:

    We strongly recommend that you enter different paths for LDAP users and groups. That is, the value of ldap.user.path should be different from the value of ldap.group.path.

    To learn what additional properties are relevant to this system, see List of Properties. You can use the main search, or filter properties by the Name or System Type columns.

    The LDAP Server target system is created by default with the properties listed below:

    Default LDAP Properties

    
    ldap.user.attributes=
    ldap.user.object.class=inetOrgPerson
    ldap.group.object.class=groupOfNames
    ldap.group.uniquename.attribute=cn
    ldap.attribute.group.id=cn
    ldap.attribute.group.member=member
    ldap.attribute.group.object.class.required=cn
    ldap.attribute.user.object.class.required=cn
    ldap.attribute.user.id=uid
    ldap.attribute.dn=distinguishedName
    ldap.page.size=100
    ldap.attribute.user.mail=mail
    ldap.attribute.user.mobile=mobile
    ldap.attribute.user.givenName=givenName
    ldap.attribute.user.surname=sn
    ldap.attribute.user.groups=memberOf
    ldap.attribute.user.telephoneNumber=telephoneNumber
    

    Note:

    The ldap.attribute.* properties are used as parameterized properties in the default transformation. That is, if a property referenced in the transformation has no value, the provisioning job fails at runtime, when the transformation is loaded and the property value is substituted.

    You can also replace a property with a new one (with a new name). In that case, you must replace the old property with the new one at all corresponding places in the transformation.

    Note:

    The ldap.attribute.dn property is automatically assigned and cannot be configured. It is used in the target system configuration for conflict resolution during user or group provisioning by the service.

  6. (Optional) Configure the transformations.

    Transformations are used to map the user attributes from the data model of the source system to the data model of the target system, and the other way around. Identity Provisioning offers a default transformation for the LDAP Server target system, whose settings are displayed under the Transformations tab after you save its initial configuration.

    You can change the default transformation mapping rules to reflect your current setup of entities in your LDAP server. For more information, see Manage Transformations.

    Currently, the default write transformations of the two connector versions have no differences, so there is no need to update them.

    Before the write transformation (in the intermediate JSON data), the entity attributes are in SCIM format. After the transformation, the attributes in the LDAP Server are represented as arrays (single-element arrays, or multi-value arrays whose elements are separated by a comma (,)). For more information, see the official documentation for LDAP Server schema attributes in the Related Information section.

    Default transformation:

    Code Syntax:

    
    {
      "user": {
        "mappings": [
          {
            "sourcePath": "$.userName",
            "targetPath": "$.%ldap.attribute.user.id%[0]",
            "targetVariable": "entityIdTargetSystem",
            "scope": "createEntity"
          },
          {
            "sourcePath": "$.userName",
            "targetPath": "$.%ldap.attribute.user.object.class.required%[0]"
          },
          {
            "sourcePath": "$.emails[*].value",
            "optional": true,
            "targetPath": "$.%ldap.attribute.user.mail%"
          },
          {
            "sourcePath": "$.name.givenName",
            "optional": true,
            "targetPath": "$.%ldap.attribute.user.givenName%[0]"
          },
          {
            "sourcePath": "$.name.familyName",
            "optional": true,
            "targetPath": "$.%ldap.attribute.user.surname%[0]"
          },
          {
            "sourcePath": "$.phoneNumbers[*].value",
            "optional": true,
            "targetPath": "$.%ldap.attribute.user.mobile%"
          }
        ]
      },
      "group": {
        "ignore": true,
        "mappings": [
          {
            "sourcePath": "$.displayName",
            "targetPath": "$.%ldap.attribute.group.id%[0]",
            "targetVariable": "entityIdTargetSystem",
            "scope": "createEntity"
          },
          {
            "sourcePath": "$.displayName",
            "targetPath": "$.%ldap.attribute.group.object.class.required%[0]"
          },
          {
            "constant": [],
            "targetPath": "$.member"
          },
          {
            "sourcePath": "$.members[*]",
            "preserveArrayWithSingleElement": true,
            "optional": true,
            "targetVariable": "membersVariable",
            "functions": [
              {
                "condition": "@.type != 'Group'",
                "entityType": "user",
                "type": "resolveEntityIds"
              },
              {
                "condition": "@.type == 'Group'",
                "entityType": "group",
                "type": "resolveEntityIds"
              },
              {
                "condition": "@.type != 'Group'",
                "function": "concatString",
                "applyOnElements": true,
                "applyOnAttribute": "value",
                "prefix": "%ldap.attribute.user.id%=",
                "suffix": ",%ldap.user.path%"
              },
              {
                "condition": "@.type == 'Group'",
                "function": "concatString",
                "applyOnElements": true,
                "applyOnAttribute": "value",
                "prefix": "%ldap.attribute.group.id%=",
                "suffix": ",%ldap.group.path%"
              }
            ]
          },
          {
            "sourceVariable": "membersVariable",
            "preserveArrayWithSingleElement": true,
            "optional": true,
            "targetPath": "$.member",
            "variablePath": "$[*].value"
          }
        ]
      }
    }
    

    The following example illustrates how the data looks before and after one mapping from the write transformation (the group members mapping) is executed:

    Transformation Snippet (from the group mapping)

    Sample Code:

    
    "group": {
      ...
      {
        "sourcePath": "$.members[*]",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetVariable": "membersVariable",
        "functions": [
          {
            "condition": "@.type != 'Group'",
            "entityType": "user",
            "type": "resolveEntityIds"
          },
          {
            "condition": "@.type == 'Group'",
            "entityType": "group",
            "type": "resolveEntityIds"
          },
          {
            "condition": "@.type != 'Group'",
            "function": "concatString",
            "applyOnElements": true,
            "applyOnAttribute": "value",
            "prefix": "%ldap.attribute.user.id%=",
            "suffix": ",%ldap.user.path%"
          },
          {
            "condition": "@.type == 'Group'",
            "function": "concatString",
            "applyOnElements": true,
            "applyOnAttribute": "value",
            "prefix": "%ldap.attribute.group.id%=",
            "suffix": ",%ldap.group.path%"
          }
        ]
      },
      {
        "sourceVariable": "membersVariable",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.member",
        "variablePath": "$[*].value"
      }
      ]
    }
    }
    

    Intermediate JSON Data (before the transformation)

    Sample Code:

    
    ...
    "members": [
      {
        "value": "SALES_US"
      },
      {
        "value": "SALES_EU"
      },
      {
        "value": "SALES_JA"
      }
    ]
    ...
    

    Target JSON Data (written in the LDAP Server)

    Sample Code:

    
    ...
    "member": [
      "SALES_US",
      "SALES_EU",
      "SALES_JA"
    ]
    ...
    

    Note:

    By default, the cn attribute is used for writing the groups. An administrator can change this behavior by setting the following properties:

    • ldap.group.uniquename.attribute – the value can be either the CN or the whole DN (distinguishedName) of the group.
    • ldap.attribute.group.id – the value can be CN or another attribute to be used as a group ID instead (for example, displayName or description).

    For more information about these properties, see: List of Properties

  7. Now, add a source system to read users and groups from it. Choose from: Source Systems
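As an added worked example (not part of the SAP documentation or of the Identity Provisioning service itself), the following Python simulates the two steps of the group members mapping shown in step 6: substitution of the %property% placeholders from the target system properties, and the concatString step that builds one member DN per entry using ldap.attribute.user.id / ldap.user.path or ldap.attribute.group.id / ldap.group.path depending on the member type. It also checks a transformation for placeholders with no configured value, the condition under which the note in step 5 says the provisioning job fails. The property values and the intermediate JSON are constructed for this example, and resolveEntityIds is assumed to map each ID to itself.

```python
import re

# Constructed target-system properties, modelled on the defaults listed
# in step 5; the path values are assumptions for this example only.
PROPS = {
    "ldap.user.path": "ou=users,dc=example,dc=com",
    "ldap.group.path": "ou=groups,dc=example,dc=com",
    "ldap.attribute.user.id": "uid",
    "ldap.attribute.group.id": "cn",
}

# Constructed intermediate JSON for one group (SCIM format, before the
# write transformation); a member without a type matches "@.type != 'Group'".
GROUP_JSON = {
    "displayName": "SALES",
    "members": [
        {"value": "jdoe", "type": "User"},
        {"value": "SALES_US", "type": "Group"},
        {"value": "asmith"},
    ],
}

PLACEHOLDER = re.compile(r"%([A-Za-z0-9_.]+)%")

def undefined_properties(transformation_text, props):
    """Return every %property% placeholder in the transformation text that
    has no value; a non-empty result means the job would fail at load time."""
    names = set(PLACEHOLDER.findall(transformation_text))
    return sorted(n for n in names if not props.get(n))

def substitute(template, props):
    """Replace %property% placeholders with their configured values,
    refusing to continue when any referenced property is undefined."""
    missing = undefined_properties(template, props)
    if missing:
        raise KeyError("undefined properties: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: props[m.group(1)], template)

def member_dns(group, props):
    """concatString step of the members mapping: pick the user or group
    prefix/suffix by the member's type and build one DN per member."""
    dns = []
    for member in group.get("members", []):
        if member.get("type") == "Group":
            prefix, suffix = "%ldap.attribute.group.id%=", ",%ldap.group.path%"
        else:
            prefix, suffix = "%ldap.attribute.user.id%=", ",%ldap.user.path%"
        dns.append(substitute(prefix, props) + member["value"] + substitute(suffix, props))
    return dns
```

Running undefined_properties over the whole default transformation text against your configured properties before a job starts reproduces the load-time check described in the note on parameterized properties.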

Related Information

Technical Documents

Setting Timeout for Ldap Operations

Connection Pooling Configuration