LDAP user authentication

Lightweight Directory Access Protocol (LDAP) is an industry standard for accessing directory services. LDAP user authentication allows client applications to send user ID and password information to the database server for authentication by an LDAP server instead of using the catalog. Authentication using an LDAP server allows organization-wide password management.

LDAP user authentication is ideal for organizations with an existing computing environment who want to simplify and centralize user administration, or for users in a new computing environment who want to avoid unnecessary complexities for administering users in disparate applications and databases.

The login_mode database option includes an LDAPUA mode, which extends the possible authentication mechanisms to include LDAP user authentication. The SQL Anywhere LDAP user authentication support allows SQL Anywhere to be integrated into existing enterprise-wide directory access frameworks based on LDAP.

How LDAP user authentication works

Each user is associated with a login policy. The login policy can optionally reference a primary LDAP server object, a secondary LDAP server object, or both for user authentication. You can define multiple login policies with different options to specify multiple domains.

To authenticate a user whose login policy specifies an LDAP server object, the Distinguished Name (DN) for that user and the password associated with the DN are used to connect to a trusted LDAP directory server.

The client application typically does not know or send its LDAP DN to the database server; instead, it knows and sends its database user ID and password. The association of the database user ID with its DN is then done by searching for the DN of a given user ID on the LDAP server using a predefined search string. The DN returned to the database server from a search on the LDAP server is then stored in the ISYSUSER system table (user_dn column) along with the current UTC time (user_dn_cached_at column). The stored DN value continues to be used until the associated login policy is updated using an ALTER LOGIN POLICY...LDAP_REFRESH_DN=NOW statement.

LDAP server configuration objects

The configuration information for connecting to an LDAP server is stored in an LDAP server configuration object. Each row in the ISYSLDAPSERVER system table reflects the settings for an LDAP server configuration object. Each configuration object contains a set of attributes for connecting, including the LDAP search string used to obtain the DN for a given user ID. These attributes and the state of an LDAP server can be examined by querying the SYSLDAPSERVER view.

High availability and LDAP user authentication

High availability for an LDAP server is provided by designating it as either a primary or secondary server for a given user via the user's login policy. In the event that a primary LDAP server is unreachable for any reason (for example, LDAP server maintenance, a network failure, or an LDAP server crash), the secondary LDAP server is used for user authentication. The ability to fail over from a primary to a secondary and then fail back from a secondary to a primary can be managed manually using SQL statements or can be performed automatically by the database server when it detects that a change is appropriate.

Inheritance on LDAP login policy options

Inheritance from the default root login policy occurs for LDAP policy options as a group. For example, if the root login policy defines a primary LDAP server and a login policy, policy_X, is defined that does not specify LDAP policy options, then users associated with policy_X inherit the primary LDAP server and LDAP policy options from the root policy.

If another login policy, policy_Y, defines only a secondary LDAP server, then users associated with policy_Y only use the secondary LDAP server and related settings from that policy; none of the LDAPUA policy options from the root policy are inherited.