Gautham Krishna

LDAP Adapter in SAP HANA Cloud Integration (SAP HCI)

SAP HANA Cloud Integration is SAP’s strategic connectivity solution. If you are looking for integration support for LDAP-based systems, this blog will definitely appeal to you. As of November 2016, the LDAP adapter is available for SAP HANA Cloud Integration customers. This adapter helps you to achieve integration scenarios that involve LDAP services (for example, MS Active Directory).

You have to use SAP HANA Cloud Connector to connect to LDAP services through the LDAP adapter.

The LDAP adapter supports Insert and Modify operations. Using the Insert operation, you can create new entries in the LDAP service. You can use the Modify operation to edit existing entries in the LDAP service. You can perform these operations on only one record at a time; i.e. you can update or modify only one record in one message processing cycle. If you want to perform operations on multiple entries, you need to use a Splitter step to split the message into individual records and then pass them on to the LDAP adapter.

Remember: The input to the LDAP adapter should not contain input for performing an operation on more than one record.

Important Note on Establishing Connectivity to LDAP Service

You always connect to the LDAP service through the SAP HANA Cloud Connector (SCC). You can see more information on the SAP HANA Cloud Connector here. You need to install and configure version 2.9 or above of the SCC to use the LDAP adapter for integration to LDAP services.

Supported Input Types for LDAP Adapter

The LDAP adapter allows you to provide input in two formats:

  1. XML
  2. Java (JNDI) Attributes.

The idea behind supporting different input types is to allow you the flexibility of modeling scenarios based on the type of payload or input that you have.

Configuring LDAP Adapter

Here’s an example of the Processing settings for the LDAP adapter.

In the Address field, you provide the Virtual Host that you have configured in the SAP HANA Cloud Connector. For more information see here. The Proxy Type and Authentication fields are automatically filled with On Premise and Simple values respectively. Provide the Credential Name that you used while deploying credentials on the HCI tenant.

In the Operation field, choose either Modify or Insert based on the operation that you want to perform. You can provide input for the operation in the form of XML or Java (JNDI) attributes.

Using Mapping to Process XML Input Messages

If you are passing XML input to the LDAP adapter, keep in mind that the LDAP adapter recognizes messages only in a specific format. In other words, your input should follow the schema that the LDAP adapter can recognize.

You can use a mapping step in this case to transform the input XML message according to the LDAP schema. Here’s what a typical scenario looks like when you are using a mapping step.

In this example scenario, the input message is fetched from a SuccessFactors system. This message is used as the source in the mapping step and the target is the LDAP schema that the LDAP adapter can understand.

Here’s an example of the LDAP schema that you can use as the target in mapping step:

                      

The next obvious question that you would have here is how to proceed in case the schema does not contain the fields that you want. The solution is quite straightforward. You just add the required field or fields to the above schema and proceed with the mapping.

It is very important that you add the additional field or fields under the element of element before using the schema in the mapping step.

For example, let us assume that you want to add the field telephoneNumber. As mentioned above, you add the field to the schema under tag of the element. Here’s how the modified schema will look with the telephoneNumber field added:

                       

Now that we have a schema for mapping, and also know how to modify the schema to suit your requirement, the next step is to add this schema as the target in your mapping step and map the source to your target. Here’s what a typical mapping definition file looks like:

The DistinguishedName or DN should be constructed as shown below using a mapping expression:

Manipulating Fields and Adding Them to the Message after Mapping

Consider a scenario where you want to add a field to the message after mapping the message to the LDAP schema. For example, you would like to add a password to the message. However, you cannot add it in plain text for security reasons. You would want to encode the password and then add it to the message. A typical integration flow in such a scenario would involve a Script step after the Mapping step. The script would encode the password value before adding it to the message that will be sent to the LDAP adapter. Here’s what the integration flow looks like:

Here’s an example of the script that you can use to encode password:

import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.HashMap;
import javax.xml.bind.DatatypeConverter;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;

def Message processData(Message message) {
    Attributes attributes = new BasicAttributes();
    // The password value is wrapped in double quotes ...
    String quotedPassword = '"' + "Password" + '"';
    // ... and converted to UTF-16LE bytes
    byte[] unicodePasswordByteArray = quotedPassword.getBytes("UTF-16LE");
    attributes.put(new BasicAttribute("unicodePwd", unicodePasswordByteArray));
    // Pass the attributes to the LDAP adapter in the SAP_LDAPAttributes header
    message.setHeader("SAP_LDAPAttributes", attributes);
    return message;
}
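
The encoding in the script above is the format Active Directory requires for unicodePwd (the password in double quotes, as UTF-16LE bytes); it is reversible without a key, so the value still needs an encrypted connection such as LDAPS on its way to the directory. The following stand-alone Node.js code is an added example, not part of the original post or SAP's code; the function names and the sample password are constructed for illustration.

```javascript
'use strict';
// Added illustration (Node.js), not SAP code. Function names are hypothetical.

// Build the unicodePwd value: the password wrapped in double quotes,
// encoded as UTF-16LE bytes. The password is a parameter, not a literal.
function encodeUnicodePwd(password) {
  if (typeof password !== 'string' || password.length === 0) {
    throw new TypeError('password must be a non-empty string');
  }
  return Buffer.from('"' + password + '"', 'utf16le');
}

// Reverse the encoding. No key is involved, which is why the encoded
// bytes must be treated like the clear-text password in logs and on the wire.
function decodeUnicodePwd(bytes) {
  if (bytes.length % 2 !== 0) {
    throw new RangeError('not UTF-16LE: odd byte count');
  }
  const text = bytes.toString('utf16le');
  if (text.length < 3 || text[0] !== '"' || text[text.length - 1] !== '"') {
    throw new RangeError('value is not a quoted unicodePwd string');
  }
  return text.slice(1, -1);
}

// Constructed sample value, for demonstration only.
const samplePassword = 'Example-Pw1';
const encoded = encodeUnicodePwd(samplePassword);
console.log('bytes (hex):', encoded.toString('hex'));
console.log('decoded    :', decodeUnicodePwd(encoded));
```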

Using Java (JNDI) Attributes Input

The LDAP adapter allows you to provide input in the form of Java attributes. In these scenarios, you use a Script step where you define a script that will read values for the attributes during runtime. These values are then built into a message that is then sent to the LDAP adapter. You can define values for these attributes during runtime before they are passed on to the LDAP service and the operation is performed.

Here’s what an integration flow looks like if you are passing input in the form of Java (JNDI) attributes:

Here’s an example of the script that you can use in the script step.

importClass(com.sap.gateway.ip.core.customdev.util.Message);
importClass(java.util.HashMap);
importClass(javax.naming.directory.Attribute);
importClass(javax.naming.directory.BasicAttribute);
importClass(javax.naming.directory.BasicAttributes);
importClass(javax.naming.directory.Attributes);

function processData(message) {
    var body = message.getBody();
    // DN of the entry on which the operation is performed
    var dn = "cn=Markus,ou=users,dc=testcompany,dc=com";

    // Attributes of the entry
    var givenNameAttr = new BasicAttribute("givenName", "Jack");
    var displayNameAttr = new BasicAttribute("displayName", "Reacher");
    var telephoneNumberAttr = new BasicAttribute("telephoneNumber", "100-100-100");
    var attributes = new BasicAttributes();
    attributes.put(givenNameAttr);
    attributes.put(displayNameAttr);
    attributes.put(telephoneNumberAttr);
    var titleAttr = new BasicAttribute("title", "Developer");
    attributes.put(titleAttr);
    var snAttr = new BasicAttribute("sn", "Brutus");
    attributes.put(snAttr);

    // The adapter reads the DN and the attributes from a map in the message body
    var resultingMap = new HashMap();
    resultingMap.put("dn", dn);
    resultingMap.put("attributes", attributes);
    message.setBody(resultingMap);
    return message;
}
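
The script above hard-codes the DN. When the DN is instead assembled from incoming data, such as a name from the source system, the value has to be escaped as described in RFC 4514 so that a comma or plus sign in the name cannot change the structure of the DN. The following stand-alone JavaScript is an added example, not part of the original post or SAP's code; the function names and sample names are hypothetical, and the base DN is the one used in the script above.

```javascript
'use strict';
// Added illustration (plain JavaScript), not SAP code. Function names are hypothetical.

// Escape one attribute value for use inside a DN (RFC 4514, section 2.4).
function escapeDnValue(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const edgeSpace = ch === ' ' && (i === 0 || i === s.length - 1);
    if (ch === '\u0000') {
      out += '\\00';                 // NUL is written as a hex pair
    } else if ('\\",+;<>'.includes(ch) || edgeSpace || (ch === '#' && i === 0)) {
      out += '\\' + ch;              // backslash-escape special characters
    } else {
      out += ch;
    }
  }
  return out;
}

// Build the entry DN from a cn value and a fixed, trusted base DN.
function buildUserDn(cn, baseDn) {
  if (String(cn).trim() === '') throw new Error('cn must not be empty');
  return 'cn=' + escapeDnValue(cn) + ',' + baseDn;
}

// True when the DN's first RDN is exactly cn=<escaped cn attribute value>.
// The value comparison is exact (case-sensitive) to keep the check strict.
function dnMatchesCn(dn, cn) {
  const escaped = escapeDnValue(cn) + ',';
  return dn.slice(0, 3).toLowerCase() === 'cn=' && dn.slice(3).startsWith(escaped);
}

// Constructed sample input: names are invented for the demonstration.
const BASE_DN = 'ou=users,dc=testcompany,dc=com';
for (const cn of ['Markus', 'Reacher, Jack', 'R+D #1 ']) {
  const dn = buildUserDn(cn, BASE_DN);
  console.log(dn, '| consistent with cn:', dnMatchesCn(dn, cn));
}
```

Running `dnMatchesCn` on the DN and the cn attribute before the message reaches the adapter catches a DN and cn that have drifted apart.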

LDAP Adapter Error Logging

In case there is any failure in the operation, the message processing log in SAP HANA Cloud Integration will contain the error that the LDAP service has returned. You can refer to this link for detailed information on error codes.


      15 Comments
      Former Member

      Hi ,

      Good to know about an adapter for HCI.

      But can I know in which use case/circumstance this adapter is more useful (I know that user integration can be done with the LDAP/Active Directory)?

      In terms of the business processes with respect to SuccessFactors/Ariba/HCP, can this be used? If so, it will be great if you can either elaborate or provide a use case.

      Thanks & Regards
      Rajesh

      Deepak G Deshpande

      Hi Rajesh,
      To answer your question “In terms of the business processes with respect to successfactors/Ariba/HCP can this be used ?” => Yes, it can be used.

      New Employee hire in SuccessFactors system and hired employee’s (user) record insertion in LDAP backend can be mentioned as one of the use cases in which HCI LDAP adapter can be used. And a relevant example has been given in the blog which addresses this use case.

      Hope it answers your question.

      Thanks
      Deepak

      Gunnlaugur Th Einarsson

      Hi, Deepak.

      We have been trying this scenario Successfactors <-> AD via LDAP adapter in SCC.

      Our problem is that it seems that the LDAP adapter mapping in SCC isn't handled correctly. Our LDAP server is using port 636 but in the logs, it always states the port 389.

      And in the SCC logs, it is trying to connect to the internal LDAP using ip 0.0.0.6.

      Any help is appreciated

      Regards, Gunnlaugur

      Sana Faraz

      Hi Gunnlaugur,

      Please make sure the mappings in SCC are maintained correctly; one virtual host is mapped to one internal host only. Make sure you use this virtual host in your integration flow.

      Also, since you are trying to connect to the secure port, 636, make sure to add the necessary public certificates on the SCC being used and it should be using LDAPS protocol instead of LDAP.

      Regards,

      Sana

      Raj Kumar

      Hi All,

      I am trying to insert a single record in ldap directory using below schema:

      <DistinguishedName>.</DistinguishedName>

      ...

      ...

      ...

      ...

      ...

      Below is the exception I am getting :

      java.lang.IllegalStateException: LDAP适配器失败s due to: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: Error while attempting to resolve reference [Root exception is javax.naming.NamingException: Exception occurred while trying to resolve object using ObjectFactory search [Root exception is com.sap.core.connectivity.api.DestinationException: Internal problem, Reference from type "com.sap.core.connectivity.api.http.HttpDestination" or "com.sap.core.connectivity.api.DestinationFactory" expected, but the object is: javax.naming.directory.DirContext. Please edit your web.xml or ejb-jar.xml or the type in your annotation.]], cause: com.sap.core.connectivity.api.DestinationException: Internal problem, Reference from type "com.sap.core.connectivity.api.http.HttpDestination" or "com.sap.core.connectivity.api.DestinationFactory" expected, but the object is: javax.naming.directory.DirContext. Please edit your web.xml or ejb-jar.xml or the type in your annotation.

      Please help if anyone has idea regarding this.

      Thanks,

      RajKumar

      Sana Faraz

      Hi Rajkumar,

      This issue might be because of the discrepancy in your payload data. It usually happens when either your DN value is incorrect or the absolute DN and the CN are inconsistent.

      Hope this resolves your issue.

      Regards,

      Sana

      Massimo Nanni

      Hi, we need to load data from the LDAP server.

      We saw that in the adapter there is no query method, this is a huge problem for us, do you plan to add this feature?

      We are even trying to call the server from a Groovy script, too bad that we can't figure how to reach the exposed back-end system through Cloud Connector because we can't get the address of the host, can you help us?

      Scott Jahnke

      Hello Massimo Nanni

      Were you able to create a Groovy script to accomplish this task?

      Cheers, Scott

      Massimo Nanni

      No, we tried every single example on blog posts with no success.
      So we installed a Java server on premise that we call via HTTP.
      We wasted an incredible amount of time on this, setting up the server was so fast and we can code much better on a real server than the SCPI interface.

      Sethuraman Tamilarasan

      Hi,

      Even I have the same scenario where I need to update the data from Active Directory back to EC. Is there any possibility on how to do this?

      Gautham Krishna
      Blog Post Author

      Dear Massimo & Sethuraman,

      This feature is a part of the roadmap. We will keep you posted once this feature is available. Thank you for your patience.

      Best Regards, Gautham

      Emre Ozkan

      Hi Gautham Krishna,

      Can you please advise the release of the LDAP User Query operation in LDAP connector?

      Kind Regards

      Emre

      Gautham Krishna
      Blog Post Author

      Hi Emre,

      Thanks for your question. As mentioned earlier, we have it as a part of the roadmap. I can point you to the official roadmap document. Unfortunately, I cannot provide you an exact date on the feature's availability.

      Thanks & Best Regards, Gautham

      Scott Jahnke

      Hello Gautham Krishna

      I reviewed the SAP Cloud Platform and SAP Cloud Platform Integration roadmap and I do not see this item listed on there. Can you provide the exact document this is listed in and on what page?

      Thanks,

      Scott
