
SQL Anywhere 17 » SQL Anywhere Server - SQL Reference » SQL statements » Alphabetical list of SQL statements

CREATE LDAP SERVER statement

Creates an LDAP server configuration object.

Syntax
CREATE LDAP SERVER ldapua-server-name
[ ldapua-server-attribs ... ]
[ WITH ACTIVATE ]
ldapua-server-attribs :
SEARCH DN search-dn-attributes ...
| AUTHENTICATION URL { 'url-string' | NULL }
| CONNECTION TIMEOUT timeout-value
| CONNECTION RETRIES retry-value
| TLS { ON | OFF }
search-dn-attributes :
URL { 'url-string' | NULL }
| ACCESS ACCOUNT { 'dn-string' | NULL }
| IDENTIFIED BY { 'password' | NULL }
| IDENTIFIED BY ENCRYPTED { encrypted-password | NULL }
Parameters
  • SEARCH DN clause

    There is no default value for any parameter in the SEARCH DN clause.

    • URL

      Use this clause to identify the host (by name or by IP address), the port number, and the search to be performed to look up the LDAP Distinguished Name (DN) for a given user ID. url-string is validated for correct LDAP URL syntax before it is stored in ISYSLDAPSERVER. The maximum size for this string is 1024 bytes.

      The format of url-string must comply with the LDAP URL standard (RFC 4516, published outside SAP).

    • ACCESS ACCOUNT

      Use this clause to specify the DN used by the database server to connect to the LDAP server. This is not a SQL Anywhere user, but a user created in the LDAP server specifically for logging in to the LDAP server. This user must have permissions within the LDAP server to search for DNs by user ID in the locations specified in the SEARCH DN URL clause. Give it no more than that: read and search access to the subtrees named in the URL is sufficient, and its password is held by the database server. The maximum size for this string is 1024 bytes.

    • IDENTIFIED BY

      Use this clause to specify the password associated with the user identified by ACCESS ACCOUNT. The maximum size is 255 bytes and cannot be set to NULL.

    • IDENTIFIED BY ENCRYPTED

      Use this clause to specify the password associated with the user identified by ACCESS ACCOUNT, provided in encrypted form as a binary value rather than as plaintext. The maximum size of the binary is 289 bytes, and it cannot be set to NULL. IDENTIFIED BY ENCRYPTED allows a password to be supplied and used without its plaintext being known to the person running the statement.

  • AUTHENTICATION URL clause

    Use this clause to specify the url-string that identifies the host, by name or IP address, and the port number of the LDAP server to use to authenticate a user. The DN of the user obtained from the prior DN search and the user's password are used to bind a new connection to the authentication URL. A successful bind to the LDAP server is considered proof of the identity of the connecting user. There is no default value for this parameter. For size limits to this string, see the SYSLDAPSERVER system view.

  • CONNECTION TIMEOUT clause

    Use this clause to specify the connection timeout, in milliseconds, to the LDAP server, both for searches for the DN and for authentication. The default value is 10 seconds (10000 milliseconds).

  • CONNECTION RETRIES clause

    Use this clause to specify the number of retries for connections to the LDAP server, both for searches for the DN and for authentication. The valid range of values is 1-60. The default is 3.

  • TLS clause

    Use this clause to specify the use of the TLS protocol on connections to the LDAP server, both for the DN searches and for authentication. The valid values are ON or OFF. The default is OFF. TLS ON secures a connection that was opened with an ldap:// URL. To use the Secure LDAP protocol instead, begin the URL with ldaps:// rather than ldap://; such a connection is encrypted from the start, and the TLS option must then be set to OFF. With ldap:// and TLS OFF, the ACCESS ACCOUNT password and every user password that the database server forwards to the LDAP server travel in the clear, so that combination is only appropriate where the network path to the LDAP server is trusted.

  • WITH ACTIVATE clause

    Use this clause to activate the LDAP server for immediate use. This clause permits the definition and activation of LDAP User Authentication in one statement, changing the state of the new LDAP server to READY.
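
The following is an added example, not part of the SQL Anywhere documentation or product: a pre-flight check that parses the LDAP URLs the SEARCH DN URL and AUTHENTICATION URL clauses accept and applies the limits stated above (1024-byte URLs and ACCESS ACCOUNT, 255-byte password, retries 1-60, TLS ON only with ldap://). The field layout scheme://host:port/dn?attributes?scope?filter?extensions is the LDAP URL format of RFC 4516; the check function itself, and the warning that the search filter should contain a '*' placeholder for the user ID, are assumptions made for this example.

```python
"""Added example (not from the SQL Anywhere documentation): parse an LDAP URL of the
form the SEARCH DN URL and AUTHENTICATION URL clauses accept, and check the limits the
page states before running CREATE LDAP SERVER. The field layout follows RFC 4516;
check_ldap_server_config and the '*' placeholder warning are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import unquote

MAX_URL_BYTES = 1024        # SEARCH DN URL, AUTHENTICATION URL
MAX_ACCOUNT_BYTES = 1024    # ACCESS ACCOUNT
MAX_PASSWORD_BYTES = 255    # IDENTIFIED BY


@dataclass
class LdapUrl:
    scheme: str              # "ldap" or "ldaps"
    host: str
    port: int                # defaults: 389 for ldap://, 636 for ldaps://
    base_dn: str             # search base; "" for a bare AUTHENTICATION URL
    scope: str               # "base" (default), "one" or "sub"
    filter: str              # "(objectClass=*)" when omitted
    attributes: list = field(default_factory=list)


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an LDAP URL into its RFC 4516 fields; raise ValueError on malformed input."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("URL must start with ldap:// or ldaps://")
    hostport, _, tail = rest.partition("/")
    if hostport.startswith("["):                       # IPv6 literal, e.g. [::1]:389
        host, _, port = hostport[1:].partition("]")
        port = port.lstrip(":")
    else:
        host, _, port = hostport.partition(":")
    if not host:
        raise ValueError("host name or IP address is required")
    port_num = int(port) if port else (636 if scheme == "ldaps" else 389)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port {port_num} out of range")
    fields = tail.split("?")                           # dn ? attributes ? scope ? filter ? extensions
    if len(fields) > 5:
        raise ValueError("too many '?' separated fields")
    fields += [""] * (5 - len(fields))
    base_dn, attrs, scope, filt, _extensions = (unquote(f) for f in fields)
    scope = scope.lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    return LdapUrl(scheme, host, port_num, base_dn, scope, filt or "(objectClass=*)",
                   [a for a in attrs.split(",") if a])


def check_ldap_server_config(search_url, access_account, password, auth_url,
                             timeout_ms=10000, retries=3, tls=False):
    """Apply the page's attribute rules. Returns (search, auth, warnings) with both URLs
    parsed; raises ValueError for input the statement rejects or a TLS/ldaps conflict."""
    search, auth = parse_ldap_url(search_url), parse_ldap_url(auth_url)
    for clause, value, limit in (("SEARCH DN URL", search_url, MAX_URL_BYTES),
                                 ("AUTHENTICATION URL", auth_url, MAX_URL_BYTES),
                                 ("ACCESS ACCOUNT", access_account, MAX_ACCOUNT_BYTES),
                                 ("IDENTIFIED BY", password, MAX_PASSWORD_BYTES)):
        if not value or len(value.encode("utf-8")) > limit:
            raise ValueError(f"{clause} must be 1 to {limit} bytes")
    if timeout_ms <= 0:
        raise ValueError("CONNECTION TIMEOUT is in milliseconds and must be positive")
    if not 1 <= retries <= 60:
        raise ValueError("CONNECTION RETRIES must be in the range 1-60")
    schemes = {search.scheme, auth.scheme}
    if tls and "ldaps" in schemes:
        raise ValueError("TLS ON applies to ldap:// connections; use TLS OFF with ldaps://")
    warnings = []
    if not tls and "ldap" in schemes:
        warnings.append("ldap:// with TLS OFF sends the ACCESS ACCOUNT password and every "
                        "user's password in the clear")
    if "*" not in search.filter:   # assumed: '*' is where the user ID is substituted
        warnings.append("search filter has no '*' placeholder for the user ID")
    return search, auth, warnings
```

Run against the two examples at the end of this page, the first configuration (ldap://, TLS left at its default of OFF) produces the plaintext warning and the second (both URLs ldaps://, TLS OFF) produces none; the same search URL with ldaps:// and tls=True is rejected, as the TLS clause requires.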

Remarks

If you use this statement in a procedure, do not specify the password (IDENTIFIED BY clause) as a string literal because the definition of the procedure is visible in the SYSPROCEDURE system view. For security purposes, specify the password using a variable that is declared outside of the procedure definition.

Privileges

You must have the MANAGE ANY LDAP SERVER system privilege.

Side effects

Automatic commit.

Standards
  • ANSI/ISO SQL Standard

    Not in the standard.

Example

This example sets the search parameters and the authentication URL, uses a 3 second (3000 millisecond) timeout, and activates the LDAP server so it can begin authenticating users. The connection to the LDAP server uses neither TLS nor the Secure LDAP protocol, so the ACCESS ACCOUNT password and user passwords are sent in the clear; use this form only where the network path to the LDAP server is trusted. In addition to the privileges required to execute the CREATE LDAP SERVER statement, you must also have the SET ANY SECURITY OPTION system privilege to set the login_mode option in the following example.

SET OPTION PUBLIC.login_mode = 'Standard,LDAPUA';
CREATE LDAP SERVER apps_primary 
    SEARCH DN 
        URL  'ldap://voyager:389/dc=MyCompany,dc=com??sub?cn=*' 
        ACCESS ACCOUNT 'cn=aseadmin, cn=Users, dc=mycompany, dc=com'
        IDENTIFIED BY 'Secret99Password'
    AUTHENTICATION URL 'ldap://voyager:389/'
    CONNECTION TIMEOUT 3000
    WITH ACTIVATE;

This example uses the same search parameters, but specifies ldaps:// so that a Secure LDAP connection is established with the LDAP server on host voyager, port 636. Only LDAP clients using the Secure LDAP protocol may connect on this port. The database security option trusted_certificates_file must be set to the name of a file containing the certificate of the Certificate Authority (CA) that signed the certificate used by the LDAP server at 'ldaps://voyager:636'. During the handshake with the LDAP server, the certificate presented by the LDAP server is verified by the database server to ensure that it is signed by one of the certificates listed in the file; without that file the identity of the LDAP server cannot be checked. The ACCESS ACCOUNT and IDENTIFIED BY values are then verified by the LDAP server as well.

SET OPTION PUBLIC.login_mode = 'Standard,LDAPUA';
SET OPTION PUBLIC.trusted_certificates_file = '/opt/sap/shared/trusted.txt';
CREATE LDAP SERVER secure_primary 
    SEARCH DN 
        URL  'ldaps://voyager:636/dc=MyCompany,dc=com??sub?cn=*' 
        ACCESS ACCOUNT 'cn=aseadmin, cn=Users, dc=mycompany, dc=com'
        IDENTIFIED BY 'Secret99Password'
    AUTHENTICATION URL 'ldaps://voyager:636/'
    CONNECTION TIMEOUT 3000
    WITH ACTIVATE;
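
The following is an added example, not part of the SQL Anywhere documentation or product. It runs the sequence described under the SEARCH DN and AUTHENTICATION URL clauses (bind as the ACCESS ACCOUNT, search the base DN for the user's DN, then bind as that DN with the user's password) against a constructed in-memory directory so that it executes offline. The fake server, its sample entries, and the rule that the '*' in the page's cn=* filter is replaced by the user ID are assumptions made for illustration; the filter escaping follows RFC 4515 and the empty-password check addresses the unauthenticated simple bind of RFC 4513 section 5.1.2, neither of which the page discusses.

```python
"""Added example (not from the SQL Anywhere documentation): the lookup-then-bind sequence
the page describes, against a constructed in-memory directory. The fake server, the sample
entries and the '*' substitution rule are assumptions made for illustration."""
import re

# Constructed sample directory (DN -> attributes). Only the fake bind() reads userPassword.
DIRECTORY = {
    "cn=aseadmin,cn=Users,dc=mycompany,dc=com": {"cn": "aseadmin", "userPassword": "Secret99Password"},
    "cn=alice,ou=Eng,dc=mycompany,dc=com":      {"cn": "alice", "userPassword": "alice-pw"},
    "cn=bob,ou=Eng,dc=mycompany,dc=com":        {"cn": "bob", "userPassword": "bob-pw"},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user ID cannot change the meaning of the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def build_filter(template: str, user_id: str, escape: bool = True) -> str:
    """Replace the '*' placeholder (assumed SQL Anywhere behaviour) with the user ID."""
    return template.replace("*", escape_filter_value(user_id) if escape else user_id)


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


class FakeLdapServer:
    """Just enough of an LDAP server for the sequence: simple bind and a one-attribute search."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated* bind, which
        # many directories accept. Emulated here so the client-side check below matters.
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["userPassword"] == password

    def search(self, base_dn: str, scope: str, filt: str) -> list:
        attr, _, pattern = filt.strip("()").partition("=")
        # unescaped '*' is a wildcard; \XX sequences are literal characters
        regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
        base, hits = base_dn.lower(), []
        for dn, entry in self.entries.items():
            if base and dn.lower() != base and not dn.lower().endswith("," + base):
                continue
            below = dn[:-len(base)] if base else dn + ","   # RDNs under the base, comma terminated
            depth = below.count(",")
            if (scope == "base" and depth) or (scope == "one" and depth != 1):
                continue
            if re.fullmatch(regex, entry.get(attr, ""), re.IGNORECASE):
                hits.append(dn)
        return hits


def ldapua_authenticate(server, access_dn, access_pw, base_dn, scope, filter_template,
                        user_id, user_pw):
    """Mirror the page's sequence: bind as ACCESS ACCOUNT, look up the user's DN, then bind
    as that DN with the user's password. Returns (ok, detail)."""
    if not user_pw:   # refuse before contacting the server; see FakeLdapServer.bind
        return False, "empty password refused (would be an unauthenticated bind)"
    if not server.bind(access_dn, access_pw):
        return False, "ACCESS ACCOUNT bind failed"
    dns = server.search(base_dn, scope, build_filter(filter_template, user_id))
    if len(dns) != 1:   # no match and an ambiguous match must both fail
        return False, f"expected one DN for {user_id!r}, found {len(dns)}"
    if not server.bind(dns[0], user_pw):
        return False, "user bind failed"
    return True, dns[0]


if __name__ == "__main__":
    srv = FakeLdapServer(DIRECTORY)
    for uid, pw in (("alice", "alice-pw"), ("alice", "nope"), ("alice", ""), ("carol", "x")):
        print(uid, ldapua_authenticate(srv, "cn=aseadmin,cn=Users,dc=mycompany,dc=com",
                                       "Secret99Password", "dc=mycompany,dc=com", "sub", "cn=*",
                                       uid, pw))
```

Two details are worth comparing with a real deployment: build_filter with escape=False shows why the user ID must be escaped (a user ID of '*' would match every entry under the base DN and the lookup fails only because it is ambiguous), and the empty-password refusal is a client-side guard for directories that treat DN plus empty password as an anonymous bind, which the "successful bind is proof of identity" rule would otherwise accept.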