login_mode option

Controls the use of Standard, Integrated, Kerberos, LDAP, and PAM user authentication for the database.

Allowed values

One or more of: Standard, Integrated, Kerberos, LDAPUA, PAMUA, CloudAdmin, Mixed (deprecated)

Default

Standard

Scope

	PUBLIC role	For current user	For other users
Allowed to set permanently?	Yes, with SET ANY SECURITY OPTION	No	No
Allowed to set temporarily?	Yes, with SET ANY SECURITY OPTION	No	No

Remarks

This option specifies whether Standard, Integrated, Kerberos, LDAP, PAM, and CloudAdmin user authentication is permitted. One or more of the following login modes are accepted (the values are case insensitive):

Note Do not set Integrated, Kerberos, LDAPUA, or PAMUA as a permanent login_mode as this setting can allow a user unauthorized access to the database if they obtain a copy of the database.

Standard
Standard user authentication is permitted. This value is the default setting. Connections that use standard user authentication include both a user ID and password, and do not use the Integrated or Kerberos connection parameters.
Integrated
Integrated user authentication is permitted.
Kerberos
Kerberos user authentication is permitted.
LDAPUA
LDAP (Lightweight Directory Access Protocol) user authentication is permitted. Connections that use LDAP user authentication include both a user ID and password, and do not use the Integrated or Kerberos connection parameters.

If a user's hashed password has changed, then it is updated in the SYSUSER table of the database when the user logs in to the database using LDAPUA if the ldap_failover_to_std option is set to ON.

When using LDAPUA, the password control rules of the login policy are ignored.
PAMUA PAM (Pluggable Authentication Modules) user authentication is permitted. If a user's hashed password has changed, then it is updated in the SYSUSER table of the database when the user logs into the database using PAMUA when the pam_failover_to_std option is set to ON.
When using PAMUA, the password control rules of the login policy are ignored.
CloudAdmin
This login mode is for internal use in the cloud.
Mixed (deprecated)
This value is equivalent to specifying Standard,Integrated.

If you specify multiple login modes, then the database server allows all the specified modes.

Caution Setting the login_mode database option to not allow Standard user authentication restricts connections to only those users who have been granted an Integrated, Kerberos, LDAP, or PAM login mapping. Attempting to connect with a standard database user ID and password generates an error. The only exception to this rule are users with MANAGE ANY USER privilege.

Specify multiple values in a comma-separated list. This list cannot contain white space. For example, the following setting allows both Standard and Integrated logins:

SET OPTION PUBLIC.login_mode = 'Standard,Integrated';

Caution If a database file is not secured and can be copied by unauthorized users, then the temporary PUBLIC login_mode option should be used (for Integrated, Kerberos, LDAP, and PAM user authentication). This way, Integrated, Kerberos, LDAPUA, and PAMUA logins are not supported by default if the file is copied.

Example

Enable only Integrated user authentication (Standard, Kerberos, LDAP, and PAM user authentication fail):

SET OPTION PUBLIC.login_mode = 'Integrated';

Enable Standard and Kerberos user authentication (Integrated, LDAP, and PAM user authentication fail):

SET OPTION PUBLIC.login_mode = 'Standard,Kerberos';

Enable Standard, Integrated, Kerberos, LDAP, and PAM user authentication:

SET OPTION PUBLIC.login_mode = 'Standard,Integrated,Kerberos,LDAPUA,PAMUA';