Create an LDAP user authentication environment by creating an LDAP server configuration object, creating a login policy that uses the LDAP server, and creating users that authenticate to the LDAP server by using that login policy.
Prérequis
You must have an LDAP server.
You must have the following system privileges:
Task(Optional) To enable TLS encryption for communications with your LDAP server, identify a certificate file for the server to use. The following statement is an example of how to specify the certificate file.
SET OPTION PUBLIC.trusted_certificates_file='c:\\certificates\\trusted.txt'; |
To enable TLS encryption in the steps that follow, the TLS OFF clause should be changed to TLS ON in each of the examples where this clause occurs.
Execute a VALIDATE LDAP SERVER statement to test the connection to an LDAP server.
For example, the following statement verifies the connection attributes of an existing LDAP server. The database server connects to the LDAP server using the supplied credentials.
VALIDATE LDAP SERVER
SEARCH DN
URL 'ldap://iq10web:389/dc=sybase,dc=com?dn?sub?uid=*'
ACCESS ACCOUNT 'cn=Manager,dc=sybase,dc=com'
IDENTIFIED BY 'Not4YourEyes'
AUTHENTICATION URL 'ldap://iq10web:389/'
CONNECTION TIMEOUT 1000
CONNECTION RETRIES 3
TLS OFF; |
This LDAP server uses port 389 for communications. The example does not enable TLS encryption (TLS OFF). Your VALIDATE LDAP SERVER statement must execute without error before continuing with the next step.
Execute a CREATE LDAP SERVER statement to create an LDAP server configuration object.
For example, the following statement defines an LDAP server configuration object that can be used for user authentication.
CREATE LDAP SERVER prim_ldap
SEARCH DN
URL 'ldap://iq10web:389/dc=sybase,dc=com?dn?sub?uid=*'
ACCESS ACCOUNT 'cn=Manager,dc=sybase,dc=com'
IDENTIFIED BY 'Not4YourEyes'
AUTHENTICATION URL 'ldap://iq10web:389/'
CONNECTION TIMEOUT 1000
CONNECTION RETRIES 3
TLS OFF; |
Unlike the VALIDATE LDAP SERVER statement, the CREATE LDAP SERVER statement does not attempt a connection to the LDAP server.
Execute a CREATE LDAP SERVER statement to create a second LDAP server configuration object to be used for failover. This step is optional but is required for the steps that follow.
For example, the following statement defines an LDAP server configuration object that can be used as a failover for user authentication.
CREATE LDAP SERVER sec_ldap
SEARCH DN
URL 'ldap://iq10web:390/dc=sybase,dc=com?dn?sub?uid=*'
ACCESS ACCOUNT 'cn=Manager,dc=sybase,dc=com'
IDENTIFIED BY 'Not4YourEyes'
AUTHENTICATION URL 'ldap://iq10web:390/'
CONNECTION TIMEOUT 1000
CONNECTION RETRIES 3
TLS OFF; |
This LDAP server uses port 390 for communications.
Execute a SET OPTION statement to change the login mode to enable LDAP user authentication.
For example, the following statement enables both standard and LDAP user authentication.
SET OPTION PUBLIC.login_mode='Standard,LDAPUA'; |
The current setting of the login_mode option can be queried as follows:
SELECT connection_property('login_mode'); |
Execute a CREATE LOGIN POLICY statement to create a new login policy.
For example, the following statement creates a new login policy that can be used for authentication of users.
CREATE LOGIN POLICY ldap_policy_both LDAP_PRIMARY_SERVER=prim_ldap LDAP_SECONDARY_SERVER=sec_ldap LDAP_FAILOVER_TO_STD=ON; |
The names of the primary and secondary LDAP servers are specified in this login policy. If authentication for the user associated with this login policy fails, standard authentication is attempted (if permitted by the login mode). The current settings of the login policy can be queried as follows:
SELECT lpo.* FROM sysloginpolicyoption AS lpo, sysloginpolicy AS lp
WHERE lpo.login_policy_id = lp.login_policy_id
AND lp.login_policy_name = 'ldap_policy_both'; |
Execute a CREATE USER statement to create a new user ID with the LDAP login policy defined in a previous step.
For example, the following statement creates a new user ID that authenticates against either the primary or secondary LDAP server.
CREATE USER ldap_user01 LOGIN POLICY ldap_policy_both; |
The IDENTIFIED BY clause is omitted. The IDENTIFIED BY clause is used to specify the password to use for standard authentication. If a password is specified using this clause, it need not be the same as the password authenticated by the LDAP server. Since this password is replaced the first time the user successfully authenticates to the LDAP server, the IDENTIFIED BY clause is omitted here.
Activate the LDAP servers for immediate use. The following statements activate the primary and secondary LDAP servers.
ALTER LDAP SERVER prim_ldap WITH ACTIVATE; ALTER LDAP SERVER sec_ldap WITH ACTIVATE; |
The current state of all LDAP servers can be determined using the following query.
call sa_get_ldapserver_status; |
The ldsrv_state column of the result set indicates that the two LDAP servers are in the READY state.
Execute an Interactive SQL CONNECT statement to connect to the database using LDAP user authentication.
For example, the following statement connects to the sample database using the specified user ID and password.
CONNECT DATABASE demo USER ldap_user01 IDENTIFIED BY 'abcd1234'; |
If the LDAP server fails the user authentication, then standard authentication is attempted. Standard authentication can fail if the standard password does not match the one provided (for example, because it has not been updated during LDAP authentication).
See also |
Discuter à propos de cette page dans DocCommentXchange.
|
Copyright © 2013, SAP AG ou société affiliée SAP - SAP Sybase SQL Anywhere 16.0 |