All new databases include the root login policy. You can modify the values for the root login policy options, but you cannot delete the policy.
A user is assigned the root login policy when:
The following table lists the options that are governed by a login policy and includes the default values for the root login policy:
Policy-option-name | Description | Default value | Applies to: |
---|---|---|---|
auto_unlock_time | The time period after which locked accounts are automatically unlocked. | Unlimited | All users except those with the MANAGE ANY USER system privilege |
change_password_dual_control | When the value for this option is ON, setting the password requires two administrators. The setting for the verify_password_function option is ignored if this option is set to ON because the password is configured separately in two parts. No verification is performed. | OFF | All users |
ldap_primary_server | The name of the primary LDAP server. | (none) | All users |
ldap_secondary_server | The name of the secondary LDAP server. | (none) | All users |
ldap_auto_failback_period | The time period in minutes after which automatic failback to primary server is attempted. | 15 minutes | All users |
ldap_failover_to_std | Whether to permit authentication with Standard authentication when authentication with the LDAP server fails due to failure to locate the Distinguished Name (DN) for a user, lack of system resources, network outage, connection timeouts, or similar system failures. This setting does not permit an actual authentication failure returned from an LDAP server to fail over to Standard authentication (as is the case when the user is located but the supplied password does not match). | ON | All users |
ldap_refresh_dn | At the time this policy option is specified by a CREATE LOGIN POLICY or ALTER LOGIN POLICY statement, the current time value is stored with the login policy. This value is the timestamp against which user authentication compares the user_dn_cached_at value found for the user in ISYSUSER. If the value in the policy is newer than the user_dn_cached_at value in ISYSUSER, a search for a user's Distinguished Name (DN) is done to refresh the user_dn value in ISYSUSER. The value NOW is the only valid value to assign to this policy option. All others result in an error. The value is in Coordinated Universal Time (UTC) and is stored as a string in the server default format. | (none) | All users |
locked | If the value for this option is ON, users are not allowed to establish new connections. The reason_locked column of the sa_get_user_status system procedure returns a string generated by the database server that shows why a user is locked. | OFF | All users except those with the MANAGE ANY USER system privilege |
max_connections | The maximum number of concurrent connections allowed for a user. | Unlimited | All users except those with the SERVER OPERATOR or DROP CONNECTION system privilege |
max_failed_login_attempts | The maximum number of failed attempts since the last successful attempt to log in before the user is locked. Users with SYS_AUTH_DBA_ROLE compatibility role are unlocked after one minute has passed since the most recent failed login attempt. | Unlimited | |
max_days_since_login | The maximum number of days that can elapse between two successive logins by the same user. | Unlimited | All users except those with the MANAGE ANY USER system privilege |
max_non_dba_connections | The maximum number of concurrent connections that users can make. This option is only supported in the root login policy. | Unlimited | All users except those with the SERVER OPERATOR or DROP CONNECTION system privilege |
password_life_time | The maximum number of days before a password must be changed. | Unlimited | All users |
password_grace_time | The number of days before the password expires during which login is allowed, but the default post_login procedure issues warnings. | 0 | All users |
password_expiry_on_next_login | If the value for this option is ON, the user's password expires after the next login. | OFF | All users |
root_auto_unlock_time | The time period after which locked accounts are automatically unlocked. This option is only supported in the root login policy. | 1 minute | Users with the MANAGE ANY USER system privilege |
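
Several defaults in the table are Unlimited, which means no lockout after failed logins, no password expiry and no cutoff for dormant accounts. The following is an added example, not part of the original documentation, that sets those options with the CREATE LOGIN POLICY and ALTER LOGIN POLICY statements; the policy name, the user name and every numeric value are constructed, and the unit of auto_unlock_time is assumed to be minutes.

```sql
-- Added example: policy name, user name and all values are constructed.
CREATE LOGIN POLICY app_users_policy
    max_failed_login_attempts = 5     -- default Unlimited: no lockout on bad passwords
    auto_unlock_time          = 30    -- default Unlimited; unit assumed to be minutes
    max_days_since_login      = 90    -- default Unlimited: dormant accounts stay usable
    password_life_time        = 180   -- default Unlimited: passwords never expire
    password_grace_time       = 14    -- default 0: post_login warns during the last 14 days
    max_connections           = 20;   -- default Unlimited

-- Assign the policy to an existing user (hypothetical user name).
ALTER USER app_user LOGIN POLICY app_users_policy;

-- Options the table marks as supported only in the root login policy
-- are changed on the root policy itself.
ALTER LOGIN POLICY root
    root_auto_unlock_time = 5;        -- default 1 minute

-- The reason_locked column shows why the server locked an account.
SELECT * FROM sa_get_user_status();
```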
Copyright © 2013, SAP AG or an SAP affiliate company - SAP Sybase SQL Anywhere 16.0