Alters an existing login policy.
```sql
ALTER LOGIN POLICY policy-name policy-options

policy-options : policy-option [ policy-option ... ]

policy-option : policy-option-name = policy-option-value

policy-option-value : { UNLIMITED | DEFAULT | legal-option-value }
```
- **policy-name** The name of the login policy. Specify root to modify the root login policy.
- **policy-option-name** The name of the policy option.
- **policy-option-value** The value assigned to the login policy option. If you specify UNLIMITED, no limits are used. If you specify DEFAULT, the default limits are used.
| Policy option name | Description | Default value | Applies to |
|---|---|---|---|
| auto_unlock_time | The time period after which locked accounts are automatically unlocked. | Unlimited | All users except those with the MANAGE ANY USER system privilege |
| change_password_dual_control | When the value for this option is ON, setting the password requires two administrators. The setting for the verify_password_function option is ignored if this option is set to ON because the password is configured separately in two parts. No verification is performed. | OFF | All users |
| ldap_primary_server | The name of the primary LDAP server. | (none) | All users |
| ldap_secondary_server | The name of the secondary LDAP server. | (none) | All users |
| ldap_auto_failback_period | The time period in minutes after which automatic failback to the primary server is attempted. | 15 minutes | All users |
| ldap_failover_to_std | Whether to permit authentication with Standard authentication when authentication with the LDAP server fails due to failure to locate the Distinguished Name (DN) for a user, lack of system resources, network outage, connection timeouts, or similar system failures. This setting does not permit an actual authentication failure returned from an LDAP server to fail over to Standard authentication (as is the case when the user is located but the supplied password does not match). | ON | All users |
| ldap_refresh_dn | At the time this policy option is specified by a CREATE LOGIN POLICY or ALTER LOGIN POLICY statement, the current time value is stored with the login policy. This value is the timestamp against which user authentication compares the user_dn_cached_at value found for the user in ISYSUSER. If the value in the policy is newer than the user_dn_cached_at value in ISYSUSER, a search for the user's Distinguished Name (DN) is done to refresh the user_dn value in ISYSUSER. The value NOW is the only valid value to assign to this policy option; all others result in an error. The value is in Coordinated Universal Time (UTC) and is stored as a string in the server default format. | (none) | All users |
| locked | If the value for this option is ON, users are not allowed to establish new connections. The reason_locked column of the sa_get_user_status system procedure returns a string generated by the database server that shows why a user is locked. | OFF | All users except those with the MANAGE ANY USER system privilege |
| max_connections | The maximum number of concurrent connections allowed for a user. | Unlimited | All users except those with the SERVER OPERATOR or DROP CONNECTION system privilege |
| max_failed_login_attempts | The maximum number of failed attempts since the last successful attempt to log in before the user is locked. Users with the SYS_AUTH_DBA_ROLE compatibility role are unlocked after one minute has passed since the most recent failed login attempt. | Unlimited | |
| max_days_since_login | The maximum number of days that can elapse between two successive logins by the same user. | Unlimited | All users except those with the MANAGE ANY USER system privilege |
| max_non_dba_connections | The maximum number of concurrent connections that users can make. This option is only supported in the root login policy. | Unlimited | All users except those with the SERVER OPERATOR or DROP CONNECTION system privilege |
| password_life_time | The maximum number of days before a password must be changed. | Unlimited | All users |
| password_grace_time | The number of days before the password expires during which login is allowed, but the default post_login procedure issues warnings. | 0 | All users |
| password_expiry_on_next_login | If the value for this option is ON, the user's password expires after the next login. | OFF | All users |
| root_auto_unlock_time | The time period after which locked accounts are automatically unlocked. This option is only supported in the root login policy. | 1 minute | Users with the MANAGE ANY USER system privilege |
When a login policy is altered, changes are immediately applied to all users.
If you do not specify a policy option, values for this login policy are taken from the root login policy. New policies do not inherit the MAX_NON_DBA_CONNECTIONS and ROOT_AUTO_UNLOCK_TIME policy options.
All new databases include a root login policy. You can modify the root login policy values, but you cannot delete the policy. An overview of the default values for the root login policy is provided in the table above.
Privileges: You must have the MANAGE ANY LOGIN POLICY system privilege.
Side effects: None.
Standards: SQL/2008 Vendor extension.
The following example alters the fictitious Test1 login policy by changing the LOCKED and MAX_CONNECTIONS policy options. The LOCKED value indicates that users with the policy cannot establish new connections and the MAX_CONNECTIONS value limits the number of concurrent connections that are allowed.
```sql
ALTER LOGIN POLICY Test1 LOCKED=ON MAX_CONNECTIONS=5;
```
This example overrides the root login policy LOCKED and MAX_CONNECTIONS policy options.
```sql
ALTER LOGIN POLICY root LOCKED=ON MAX_CONNECTIONS=5;
```
The following example sets a primary and a secondary LDAP server for a fictitious ldap_user_policy login policy, and turns off the ability to fail over to Standard authentication, even when the database option login_mode includes 'Standard'. This provides strict control over users of this login policy so that only LDAP user authentication may be used. If a high volume of login connections occurs such that the LDAP server is unable to respond and authenticate quickly, users whose retries and timeouts are exhausted see connection failures from the database server rather than failing over to Standard authentication.
```sql
ALTER LOGIN POLICY ldap_user_policy LDAP_PRIMARY_SERVER=ldapsrv1 LDAP_SECONDARY_SERVER=ldapsrv2 LDAP_FAILOVER_TO_STD=OFF;
```
The following example resets the timestamp value for a fictitious application_user_policy login policy to the current time. Any user that is assigned this policy has their Distinguished Name (DN) searched on the next login attempt, rather than using the value cached in ISYSUSER. This strategy purges old DN values held in ISYSUSER for users associated with this policy at the time of their next authentication.
```sql
ALTER LOGIN POLICY application_user_policy LDAP_REFRESH_DN=NOW;
```
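As an added example that is not part of the original documentation, the following statements combine several of the options in the table above to give the fictitious application_user_policy a failed-login lockout, password aging and a connection cap, and then use sa_get_user_status to review which accounts are locked. The option values are illustrative; the unit of auto_unlock_time is not stated on this page and is assumed here to be minutes, and the user_name and locked column names of sa_get_user_status are assumed (only reason_locked is named on this page).

```sql
-- Added example (not from the original page).
-- Lock an account after 5 consecutive failed logins and unlock it
-- automatically after 30 minutes (assumption: auto_unlock_time is in
-- minutes). Users holding MANAGE ANY USER are not subject to
-- auto_unlock_time; root_auto_unlock_time in the root policy governs
-- them instead.
ALTER LOGIN POLICY application_user_policy
    MAX_FAILED_LOGIN_ATTEMPTS = 5
    AUTO_UNLOCK_TIME = 30;

-- Require a new password every 90 days (password_life_time, in days),
-- warn through the default post_login procedure during the last 7 days
-- (password_grace_time), and stop accounts that have been idle for
-- more than 180 days from logging in (max_days_since_login).
ALTER LOGIN POLICY application_user_policy
    PASSWORD_LIFE_TIME = 90
    PASSWORD_GRACE_TIME = 7
    MAX_DAYS_SINCE_LOGIN = 180;

-- Cap concurrent connections per user of this policy. The server-wide
-- MAX_NON_DBA_CONNECTIONS limit lives only in the root policy and is
-- not inherited, so it is not set here.
ALTER LOGIN POLICY application_user_policy
    MAX_CONNECTIONS = 10;

-- Review the current lock state of all users. reason_locked is a
-- server-generated string, so it distinguishes a failed-login lockout
-- from an explicit LOCKED=ON policy.
SELECT user_name, locked, reason_locked
FROM sa_get_user_status();

-- Return an option to the value inherited from the root policy
-- (DEFAULT) instead of hard-coding it in this policy.
ALTER LOGIN POLICY application_user_policy
    LOCKED = DEFAULT;
```

Because policy changes apply immediately to every user assigned the policy, run the sa_get_user_status query again after the change to confirm that no administrative account was unintentionally locked out.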
Copyright © 2013, SAP AG or an SAP affiliate company - SAP Sybase SQL Anywhere 16.0