
Manage LDAP User Authentication with SAP Sybase IQ

WITH DROP ALL REFERENCES Example:

This example drops the LDAP server configuration object named ldapserver1 regardless of its current state and removes any references to ldapserver1 in all login policies:

DROP LDAP SERVER ldapserver1 WITH DROP ALL REFERENCES WITH SUSPEND

This DROP LDAP SERVER command fails if the LDAP server configuration object named ldapserver1 is referenced in any login policy, because the WITH DROP ALL REFERENCES clause is not included:

DROP LDAP SERVER ldapserver1 WITH SUSPEND
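The sequence below is an added example, not taken from the SAP manual, that shows the reference check behind the two statements above end to end: it creates ldapserver1, references it from a login policy, attempts the plain DROP (which fails), lists the policies that a forced DROP would touch, and then drops the object WITH DROP ALL REFERENCES. The policy name ldap_users, the host ldap.example.com, the bind account and DNs, the CONNECTION TIMEOUT/RETRIES values and the login policy option LDAP_PRIMARY_SERVER are assumptions (the option name comes from the product's login policy option list, which this page only refers to); the catalog views SYSLOGINPOLICY, SYSLOGINPOLICYOPTION and SYSLDAPSERVER, and the column names used on them, are likewise assumed to be the public views over the ISYS* tables.

```sql
-- Added example: not from the SAP manual. Names, host, timeouts, option
-- names other than those on the page and catalog columns are assumptions.

-- 1. Create the configuration object. WITH SUSPEND keeps it out of service
--    until an administrator activates it, so a half-configured object
--    never answers a login.
CREATE LDAP SERVER ldapserver1
    SEARCH DN
        URL 'ldaps://ldap.example.com:636/dc=example,dc=com?distinguishedName?sub?(&(objectClass=user)(sAMAccountName=*))'
        ACCESS ACCOUNT 'cn=iq_bind,ou=service,dc=example,dc=com'
        IDENTIFIED BY 'replace-with-bind-password'   -- placeholder, not a real secret
    AUTHENTICATION URL 'ldaps://ldap.example.com:636'
    CONNECTION TIMEOUT 10000     -- assumed unit: milliseconds
    CONNECTION RETRIES 3
    TLS OFF                      -- OFF because ldaps:// already supplies TLS
WITH SUSPEND;

-- 2. Reference the object from a login policy
--    (assumed option name LDAP_PRIMARY_SERVER).
CREATE LOGIN POLICY ldap_users
    LDAP_PRIMARY_SERVER = ldapserver1;

-- 3. Plain drop: fails, because ldap_users still references ldapserver1.
DROP LDAP SERVER ldapserver1 WITH SUSPEND;

-- 4. Before forcing the drop, list every policy that would lose its LDAP
--    server, so the forced drop does not silently strip LDAP from a policy
--    you did not expect (assumed catalog views and columns).
SELECT p.login_policy_name, o.login_option_name, o.login_option_value
  FROM SYSLOGINPOLICY p
  JOIN SYSLOGINPOLICYOPTION o ON o.login_policy_id = p.login_policy_id
 WHERE LOWER(o.login_option_name) IN ('ldap_primary_server', 'ldap_secondary_server')
   AND LOWER(o.login_option_value) = 'ldapserver1';

-- 5. Forced drop: removes the object and every policy reference in one
--    statement. WITH SUSPEND makes it valid whatever state the object is in.
DROP LDAP SERVER ldapserver1 WITH DROP ALL REFERENCES WITH SUSPEND;

-- 6. Confirm nothing is left behind (assumed view and column name).
SELECT * FROM SYSLDAPSERVER WHERE ldsrv_name = 'ldapserver1';
```

Step 4 is the check worth keeping: a policy whose only LDAP server has been removed falls back to whatever its other options allow, so knowing which policies are affected before the forced drop avoids leaving users on an unintended authentication path.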

See also

• DROP LDAP SERVER Statement on page 257
• LDAP Server Configuration Object States on page 175

LDAP Server Configuration Object States

List of possible states of an LDAP server configuration object.

The state of an LDAP server configuration object is maintained persistently on writable databases in the ISYSLDAPSERVER system table, to give administrators visibility into LDAP user authentication. If the database is restarted, the state at the time of shutdown is retained. This permits maintenance on an LDAP server configuration object to remain in force throughout restarts. With read-only databases, state changes are not stored persistently: they occur only in memory and are lost when the database is shut down. The connection state is set at start-up using the value from the read-only database, and transient state changes may occur in memory to provide LDAP user authentication.

The possible states of an LDAP server configuration object include:

RESET – one or more attributes on the LDAP server configuration object have been entered or modified since the last activation.

READY – the LDAP server configuration object is ready to accept connections.

ACTIVE – the LDAP server configuration object has performed at least one successful LDAP user authentication.

FAILED – there is a problem connecting to the LDAP server configuration object.

SUSPENDED – the LDAP server configuration object is in maintenance mode, and is

Enabling Secure LDAP

Secure LDAP uses TLS server certificate authentication to protect against spoofing: the certificate gives the client connection to the LDAP server proof that the server is who it claims to be, so credentials are not sent to an impostor.

Enabling Secure LDAP on an LDAP server configuration object can take one of two forms:

• ldaps:// – on the LDAP server configuration object, use ldaps:// when defining the SEARCH DN URL or AUTHENTICATION URL attributes and set the TLS attribute to OFF.

• TLS parameter – on the LDAP server configuration object, use ldap:// when defining the SEARCH DN URL attribute and set the TLS attribute to ON.

Note: Current versions of Active Directory (AD), Tivoli, SunONE Oracle DS, and OpenLDAP support both options. Older versions may only support one option. For compatibility with all versions, both options are supported by SAP Sybase IQ.

Syntax and Parameters for the LDAP Server Configuration Object URL

The URL identifies the host (by name or by IP address), port number, and search to be performed when executing a secure distinguished name (DN) lookup to the LDAP server. While the syntax of the URL can take one of two forms depending on how the secure connection to the LDAP server is to be made, the underlying parameters of the URL are the same for each form.

ldaps:// – on the LDAP server configuration object, use ldaps:// when defining the SEARCH DN URL or AUTHENTICATION URL attributes and set the TLS attribute to OFF.

ldapurl::=ldaps://host:[port]/[node]?[attributes]?[base | one | sub]?[filter]

TLS parameter – on the LDAP server configuration object, use ldap:// when defining the SEARCH DN URL attribute and set the TLS attribute to ON.

ldapurl::=ldap://host:[port]/[node]?[attributes]?[base | one | sub]?[filter]

Parameter – Description

host – The host name of the LDAP server.

port – The port number of the LDAP server.

attributes – A list of attributes returned in the result set. Each LDAP server may support a different attribute based on the schemas used by the LDAP server. However, for each LDAP server, only the first attribute is used, and it should return the distinguished name (DN) of the user.

base | one | sub – Qualifies the search criteria:
  base – Specifies a search of the base node.
  one – Specifies a search of the node and one sublevel.
  sub – Specifies a search of the node and all sublevels.

filter – Specifies the attribute or attributes used to search for a database user's distinguished name (DN). The filter can be simple, such as "uid=*", or compound, such as "(uid=*)(ou=group)". The attributes in the filter are dependent on the LDAP server schema. LDAP user authentication replaces each wildcard character (*) with the database user ID when searching for a DN.

The URL is initially defined as one of the server attributes when creating an LDAP server configuration object and can be changed at any time. There are no default values for these parameters. Creating or modifying the LDAP server configuration object requires the MANAGE ANY LDAP SERVER system privilege.
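The statements below are an added example, not taken from the SAP manual, that put the Enabling Secure LDAP section and the URL grammar above side by side: a weak configuration (ldap:// with TLS OFF) next to the two secure forms, each with a complete URL that exercises node, attributes, scope and filter, followed by an in-place repair of the weak object and a validation. Host names, DNs, object names and the bind account are assumptions; ALTER LDAP SERVER ... WITH ACTIVATE and VALIDATE LDAP SERVER ... CHECK USER are taken from the product's statement reference rather than this page, and giving AUTHENTICATION URL the same ldap:// host in the TLS ON form is an assumption, since the page lists only SEARCH DN URL for that form.

```sql
-- Added example, not from the SAP manual. Hosts, DNs, object names, the
-- bind account and the ALTER/VALIDATE statements are assumptions (see lead-in).

-- WEAK: ldap:// on 389 with TLS OFF. The search account's bind password and
-- every user's password cross the network in the clear, and nothing proves
-- that the responding host is the real directory.
CREATE LDAP SERVER ldap_cleartext
    SEARCH DN
        URL 'ldap://ldap.example.com:389/ou=people,dc=example,dc=com?entryDN?sub?(uid=*)'
        ACCESS ACCOUNT 'cn=iq_bind,ou=service,dc=example,dc=com'
        IDENTIFIED BY 'replace-with-bind-password'   -- placeholder
    AUTHENTICATION URL 'ldap://ldap.example.com:389'
    TLS OFF
WITH SUSPEND;

-- FORM 1: ldaps:// (TLS from the first byte, conventionally port 636) with
-- the TLS attribute OFF, because the scheme already supplies TLS.
-- URL parts:   host:port / node ? attributes ? scope ? filter
--   node        ou=people,dc=example,dc=com   search base
--   attributes  entryDN                       first (only) attribute must yield the user's DN
--   scope       sub                           node and all sublevels
--   filter      (uid=*)                       * is replaced by the database user ID
CREATE LDAP SERVER ldap_ldaps
    SEARCH DN
        URL 'ldaps://ldap.example.com:636/ou=people,dc=example,dc=com?entryDN?sub?(uid=*)'
        ACCESS ACCOUNT 'cn=iq_bind,ou=service,dc=example,dc=com'
        IDENTIFIED BY 'replace-with-bind-password'   -- placeholder
    AUTHENTICATION URL 'ldaps://ldap.example.com:636'
    TLS OFF
WITH SUSPEND;

-- FORM 2: ldap:// with TLS ON (the connection is upgraded to TLS before any
-- bind). Same URL parameters; only scheme, port and the TLS attribute differ.
-- The filter uses standard RFC 4515 syntax to restrict the match to one
-- object class before the wildcard is substituted.
CREATE LDAP SERVER ldap_starttls
    SEARCH DN
        URL 'ldap://ldap.example.com:389/ou=people,dc=example,dc=com?entryDN?sub?(&(objectClass=inetOrgPerson)(uid=*))'
        ACCESS ACCOUNT 'cn=iq_bind,ou=service,dc=example,dc=com'
        IDENTIFIED BY 'replace-with-bind-password'   -- placeholder
    AUTHENTICATION URL 'ldap://ldap.example.com:389'   -- assumed: same host as SEARCH DN URL
    TLS ON
WITH SUSPEND;

-- Repair the weak object in place (switch both URLs to ldaps://), then
-- activate it. Assumed statement form: ALTER LDAP SERVER ... WITH ACTIVATE.
ALTER LDAP SERVER ldap_cleartext
    SEARCH DN URL 'ldaps://ldap.example.com:636/ou=people,dc=example,dc=com?entryDN?sub?(uid=*)'
    AUTHENTICATION URL 'ldaps://ldap.example.com:636'
WITH ACTIVATE;

-- Exercise the DN lookup and a real bind before any login policy points at
-- the object. Assumed statement form: VALIDATE LDAP SERVER ... CHECK USER.
VALIDATE LDAP SERVER ldap_ldaps
    CHECK USER 'jdoe' USER PASSWORD 'replace-with-test-password';
```

The check that matters is the pairing of scheme and TLS attribute: ldaps:// with TLS ON, or ldap:// with TLS OFF, are the combinations to reject when reviewing an object, the first because it double-negotiates and the second because it is cleartext.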


LDAP User Authentication Login Policy Options

There are several login policy options that are specific to LDAP user authentication. You must define these options in any login policy (including root) that is assigned to a user who authenticates through LDAP.

You can define the options that are specific to LDAP server database objects when initially creating a login policy, or you can add them to existing policies, including the root login policy. The MANAGE ANY LOGIN POLICY system privilege is required to set these login policy options.

Modifying the Root Login Policy

You can modify the option values for the root login policy, but you cannot drop the policy.

Prerequisites

Task

Each new database is created with a default login policy, called the root policy. When you create a user account without specifying a login policy, the user becomes part of the root login policy.

To modify the options of the root login policy, execute:

ALTER LOGIN POLICY ROOT {login_policy_options}

See also

• LDAP User Authentication Login Policy Options on page 177
• ALTER LOGIN POLICY Statement on page 233

Modifying an Existing Login Policy

Use Interactive SQL to change the options for an existing login policy.

Prerequisites

Requires the MANAGE ANY LOGIN POLICY system privilege.

Task

To alter the options of an existing login policy, execute:

ALTER LOGIN POLICY policy-name {login_policy_options}

Example:

This statement alters the LOCKED and MAX_CONNECTIONS options on the Test1 login policy:

ALTER LOGIN POLICY Test1 locked=on max_connections=5

See also

• LDAP User Authentication Login Policy Options on page 177
• ALTER LOGIN POLICY Statement on page 233

Creating a New Login Policy

Any options that are not explicitly set when creating a login policy inherit their values from the root login policy.

Prerequisites

Requires the MANAGE ANY LOGIN POLICY system privilege.

Task

Login policy names must be unique. An error message appears if the login policy name already exists.

CREATE LOGIN POLICY policy_name {login_policy_options}

Example:

This statement creates the Test1 login policy with the PASSWORD_LIFE_TIME option set to 60 days:

CREATE LOGIN POLICY Test1 password_life_time=60

See also

• LDAP User Authentication Login Policy Options on page 177
• CREATE LOGIN POLICY Statement on page 248

Assigning a Login Policy to an Existing User

Use Interactive SQL to assign a login policy to an existing user.

Prerequisites

Requires the MANAGE ANY LOGIN POLICY system privilege.

Task

1. To change the login policy assigned to a user, execute:

ALTER USER userID LOGIN POLICY policy_name

2. Have the user log out and back in to apply the new login policy.
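The statements below are an added example, not taken from the SAP manual, that run the four login policy tasks above end to end for one LDAP-authenticated user: create a policy that carries both LDAP and password options, tighten the root policy that it inherits from, alter the new policy after creation, assign it to an existing user, and verify the assignment. The policy name finance_ldap, the user jdoe, the LDAP server configuration object ldapserver1, the options LDAP_PRIMARY_SERVER, LDAP_FAILOVER_TO_STD and MAX_FAILED_LOGIN_ATTEMPTS, and the PUBLIC.login_mode database option are assumptions taken from the product's option lists rather than this page; the catalog views SYSUSER and SYSLOGINPOLICY and their columns are likewise assumed.

```sql
-- Added example, not from the SAP manual; option names other than those on
-- the page, the object/user names and the catalog views are assumptions.

-- 0. Permit LDAP user authentication alongside standard logins
--    (assumed: login_mode values from the product documentation).
SET OPTION PUBLIC.login_mode = 'Standard,LDAPUA';

-- 1. Create the policy. Options not set here inherit from ROOT.
--    LDAP_FAILOVER_TO_STD = OFF: if the directory is unreachable the login is
--    refused instead of falling back to a database password, so a directory
--    outage cannot be used to sidestep the directory's own controls.
CREATE LOGIN POLICY finance_ldap
    LDAP_PRIMARY_SERVER = ldapserver1
    LDAP_FAILOVER_TO_STD = OFF
    max_connections = 5
    password_life_time = 60
    max_failed_login_attempts = 5;

-- 2. Tighten ROOT: every policy that does not override these inherits them,
--    and ROOT cannot be dropped, only altered.
ALTER LOGIN POLICY ROOT
    max_failed_login_attempts = 10
    password_life_time = 90;

-- 3. Alter the policy after creation: LOCKED = ON refuses new logins for
--    every user assigned to it, which is the switch to flip during a
--    maintenance window on the directory.
ALTER LOGIN POLICY finance_ldap locked = on;
ALTER LOGIN POLICY finance_ldap locked = off;

-- 4. Assign the policy to an existing user. The new policy applies only to
--    the user's next login, so existing sessions keep the old one until they
--    reconnect.
ALTER USER jdoe LOGIN POLICY finance_ldap;

-- 5. Verify which policy the user now carries (assumed views and columns).
SELECT u.user_name, p.login_policy_name
  FROM SYSUSER u
  JOIN SYSLOGINPOLICY p ON p.login_policy_id = u.login_policy_id
 WHERE u.user_name = 'jdoe';
```

Step 4 is why the page says to have the user log out and back in: the assignment is recorded immediately, but the options of the policy are read when a connection is established, not applied to connections that already exist.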

See also

• ALTER USER Statement on page 242