
verify_password_function option [database]


Specifies a function that can be used to implement password rules (for example, passwords must include at least one digit). The function is called on a GRANT CONNECT TO userid IDENTIFIED BY password statement.

Allowed values

String

Default

Empty string (no function is called on a GRANT CONNECT statement)

Scope

DBA authority required.

Remarks

When the verify_password_function option value is set to anything other than an empty string, a GRANT CONNECT TO userid IDENTIFIED BY password statement calls the function specified by the option value. The option value should be of the form owner.function_name to prevent a user from overriding the function. Note that SQL Anywhere passwords are case sensitive.

Once it has been determined that the GRANT CONNECT statement is valid (for example, the user has permission to perform the grant), then the function specified by this option is called to verify the password by the rules it specifies. If the password conforms to the specified rules, the function must return NULL to indicate success, and the grant is performed. Otherwise, an error is indicated by setting an error or returning a non-NULL string. If a non-NULL string is returned, it is included in the error to the user as the reason for failure.

The password verification function takes two parameters: user_name VARCHAR(128) and new_pwd VARCHAR(255). It returns a value of type VARCHAR(255). It is recommended that you execute an ALTER FUNCTION function-name SET HIDDEN statement on the password verification function to ensure that it cannot be stepped through using the debugger. If the verify_password_function option is set, specifying more than one user ID and password with the GRANT CONNECT statement is not allowed.

For more information about password rules, including an example that includes advanced password rules such as disallowing password reuse and implementing password expiration, see Use a password verification function.

Example

The following example creates a function named f_verify_pwd that checks whether the password is the same as a user's user ID. If the password and user ID are the same, then the user must specify a different password.

CREATE FUNCTION DBA.f_verify_pwd( user_name VARCHAR(128),
                               new_pwd VARCHAR(255) )
RETURNS VARCHAR(255)
BEGIN
    -- enforce password rules
    IF new_pwd = user_name THEN
        RETURN( 'password cannot be the same as the user name' );
    END IF;
    -- return success
    RETURN( NULL );
END;
ALTER FUNCTION DBA.f_verify_pwd SET HIDDEN;
GRANT EXECUTE ON DBA.f_verify_pwd TO PUBLIC;
SET OPTION PUBLIC.verify_password_function = 'DBA.f_verify_pwd';
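
The following added example (not part of the original documentation) extends the function above to several rules, including the "at least one digit" rule mentioned in the description, and shows the option being exercised with GRANT CONNECT. The function name f_verify_pwd_rules, the 8-character minimum, the user demo_user and both passwords are assumptions made for illustration.

```sql
-- Added example: f_verify_pwd_rules, the length limit, demo_user and the
-- passwords below are hypothetical values, not taken from the documentation.
CREATE FUNCTION DBA.f_verify_pwd_rules( user_name VARCHAR(128),
                                        new_pwd   VARCHAR(255) )
RETURNS VARCHAR(255)
BEGIN
    -- Rule 1: minimum length (assumed policy value).
    IF LENGTH( new_pwd ) < 8 THEN
        RETURN( 'password must be at least 8 characters long' );
    END IF;
    -- Rule 2: at least one digit anywhere in the password.
    IF new_pwd NOT LIKE '%[0-9]%' THEN
        RETURN( 'password must include at least one digit' );
    END IF;
    -- Rule 3: the user name must not appear inside the password.
    -- LOWER() makes the check independent of the database's case
    -- sensitivity, so JSmith1234 is rejected for user jsmith.
    IF LOCATE( LOWER( new_pwd ), LOWER( user_name ) ) > 0 THEN
        RETURN( 'password cannot contain the user name' );
    END IF;
    -- All rules passed. The returned strings above never echo new_pwd,
    -- because a non-NULL return value is shown to the caller in the error.
    RETURN( NULL );
END;

-- Keep the source of the function elsewhere before hiding it:
-- SET HIDDEN obfuscates the stored definition and cannot be undone.
ALTER FUNCTION DBA.f_verify_pwd_rules SET HIDDEN;
GRANT EXECUTE ON DBA.f_verify_pwd_rules TO PUBLIC;

-- Owner-qualified name, so a user cannot override the function with
-- one of the same name that they own.
SET OPTION PUBLIC.verify_password_function = 'DBA.f_verify_pwd_rules';

-- Rejected: no digit. The grant fails and the returned string is
-- reported as the reason.
GRANT CONNECT TO demo_user IDENTIFIED BY harborlight;

-- Accepted: the function returns NULL and the grant is performed.
GRANT CONNECT TO demo_user IDENTIFIED BY Blue42Harbor;

-- Restore the default (no function is called on GRANT CONNECT).
SET OPTION PUBLIC.verify_password_function = '';
```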