
SQL Anywhere 10.0.1 » SQL Anywhere Server - Database Administration » Client/Server Communications » Using the TCP/IP protocol


Connecting using an LDAP server


You can specify a central LDAP server to keep track of all database servers in an enterprise if you are operating on a Windows (except Windows CE), Unix, or NetWare platform. When the database server registers itself with an LDAP server, clients can query the LDAP server and find the database server they are looking for, regardless of whether they are on a WAN, LAN, or going through firewalls. Clients do not need to specify an IP address (HOST=). The Server Enumeration utility (dblocate) can also use the LDAP server to find other such servers.

LDAP is only used with TCP/IP, and only on network database servers.

To enable this feature, a file containing information on how to find and connect to the LDAP server must be created on both the database server computer and on each client computer. By default the name of this file is saldap.ini, but it is configurable. If this file doesn't exist, LDAP support is silently disabled.

The file must be located in the same directory as the SQL Anywhere executables (for example, install-dir\win32 on Windows) unless a full path is specified with the LDAP parameter. The file must be in the following format:

[LDAP]
server=computer-running-LDAP-server
port=port-number-of-LDAP-server
basedn=Base-DN
authdn=Authentication-DN
password=password-for-authdn
search_timeout=age-of-timestamps-to-be-ignored
update_timeout=frequency-of-timestamp-updates
read_authdn=read-only-authentication-DN
read_password=password-for-read_authdn

You can add simple encryption to obfuscate the contents of the saldap.ini file using the File Hiding utility (dbfhide). If the name of the file is not saldap.ini, then you must use the LDAP parameter to specify the file name.

See File Hiding utility (dbfhide).

server    The name or IP address of the computer running the LDAP server. This value is required on NetWare and Unix. If this entry is missing on Windows, Windows looks for an LDAP server running on the local domain controller.

port    The port number used by the LDAP server. The default is 389.

basedn    The distinguished name (DN) of the subtree where the SQL Anywhere entries are stored. This defaults to the root of the tree.

authdn    The authentication DN. It must be an existing user object in the LDAP directory that has write access to the basedn. This is required for the database server, and ignored on the client.

password    The password for authdn. This is required for the database server, and ignored on the client.

search_timeout    The age, in seconds, beyond which the client and/or the Server Enumeration utility (dblocate) ignore an entry's timestamp. A value of 0 disables this option so that all entries are assumed to be current. The default is 600 seconds (10 minutes).

update_timeout    The frequency of timestamp updates in the LDAP directory. A value of 0 disables this option so that the database server never updates the timestamp. The default is 120 seconds (2 minutes).

read_authdn    The read-only authentication DN. It must be an existing user object in the LDAP directory that has read access to the basedn. This parameter is only required if the LDAP server requires a non-anonymous bind before searching can be done. For example, this field is normally required if Active Directory is used as the LDAP server. If this parameter is missing, the bind is anonymous.

read_password    The password for read_authdn. This parameter is only required on the client if the read_authdn parameter is specified.

Example

The following is a sample saldap.ini file:

[LDAP]
server=ldapserver
basedn=dc=iAnywhere,dc=com
authdn=cn=SAServer,ou=iAnywhereASA,dc=iAnywhere,dc=com
password=secret

The entries are stored in a subtree of the basedn called iAnywhereASA. This entry must be created before SQL Anywhere can use LDAP. To create the subtree, you can use the LDAPADD utility, supplying the following information:

dn: ou=iAnywhereASA,basedn
objectClass: organizationalUnit
objectClass: top
ou: iAnywhereASA

When the server starts, it checks for an existing entry with the same name in the LDAP directory. If one is found, it is replaced if either the location entries in LDAP match the database server attempting to start, or the timestamp field in the LDAP entry is more than 10 minutes old (the timeout value is configurable).

If neither of these is true, then there is another database server running with the same name as the one attempting to start, and startup fails.

To ensure that entries in LDAP are up-to-date, the database server updates a timestamp field in the LDAP entry every 2 minutes. If an entry's timestamp is older than 10 minutes, clients ignore the LDAP entry. Both of these settings are configurable.
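The startup check and stale-entry filtering described above, together with the saldap.ini parsing and defaults documented earlier on this page, as an added example that is not SQL Anywhere's own code. It assumes the "more than 10 minutes old" threshold is search_timeout and models an entry's location as a host and port; the sample saldap.ini text is constructed from the page's example.

```python
import configparser
from dataclasses import dataclass

# Constructed saldap.ini text modelled on the page's sample (not a deployment file).
SAMPLE_INI = """[LDAP]
server=ldapserver
basedn=dc=iAnywhere,dc=com
authdn=cn=SAServer,ou=iAnywhereASA,dc=iAnywhere,dc=com
password=secret
"""

# Defaults the page documents for the optional entries.
DEFAULTS = {"port": 389, "search_timeout": 600, "update_timeout": 120}

def load_saldap(text):
    """Parse saldap.ini and fill in the documented defaults."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    ldap = cp["LDAP"]
    cfg = {k: ldap.get(k) for k in ldap}
    for key, default in DEFAULTS.items():
        cfg[key] = int(ldap.get(key, default))
    return cfg

def client_copy_warnings(cfg):
    """Clients ignore authdn/password, so a client-side copy carrying them
    needlessly exposes the server's write-capable credentials."""
    return [k for k in ("authdn", "password") if cfg.get(k)]

@dataclass
class Entry:
    name: str
    host: str       # assumed model of the "location entries" in LDAP
    port: int
    timestamp: float  # seconds since epoch of the last update

def startup_decision(existing, me, search_timeout, now):
    """Server start: replace a same-location or stale entry, else fail."""
    if existing is None:
        return "register"
    same_location = (existing.host, existing.port) == (me.host, me.port)
    stale = search_timeout > 0 and now - existing.timestamp > search_timeout
    if same_location or stale:
        return "replace"
    return "fail"  # another server with this name appears to be running

def current_entries(entries, search_timeout, now):
    """Client/dblocate view: drop entries whose timestamp is too old."""
    if search_timeout == 0:
        return list(entries)
    return [e for e in entries if now - e.timestamp <= search_timeout]
```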

On the client, the LDAP directory is searched before doing any broadcasting, so if the database server is found, no broadcasts are sent. The LDAP search is very fast, so if it fails, there is no discernible delay.

The Server Enumeration utility (dblocate) also uses LDAP—all database servers listed in LDAP are added to the list of database servers returned. This allows the Server Enumeration utility (dblocate) to list database servers that wouldn't be returned normally, for example, those which broadcasts wouldn't reach. Entries with timestamps older than 10 minutes are not included.