Use sp_maplogin to map external client names to local Adaptive Server logins. It is used to map users that are authenticated with LDAP or PAM to the local Adaptive Server login.
To map a user authenticated with Kerberos, use sybmapname instead of sp_maplogin. See instructions and examples in “Using sybmapname to handle user principal names”.
Only users with sso_role can create or modify login mappings using sp_maplogin.
In Adaptive Server version 12.5.4, controls have been added to sp_maplogin to avoid conflicts between an authentication mechanism setting for a login and a mapping that uses the login. Potential mapping conflicts are detected by the stored procedures sp_maplogin, sp_modifylogin, or sp_addlogin.
The tighter controls no longer permit a map:
From one Adaptive Server login name to another login name
From an external name that already exists as a local login
To a nonexistent login name
Additionally, when the authentication mechanism is specified with a mapping, the mechanism is checked with the authentication mechanism set in the target login.
If a target login’s authentication mechanism restricts the login to use a particular authentication mechanism, then the mechanism specified with the mapping must match either that specified for the login or match ANY authentication mechanism.
When sp_maplogin detects that a conflict exists, sp_maplogin fails and reports an error to identify the conflict.
Similarly, sp_modifylogin and sp_addlogin check for an existing mapping that may conflict with the authenticate with option for the user login. When sp_modifylogin or sp_addlogin detect a conflict, then an error is reported to identify any conflicts with a login mapping.
Example 1: Mapping an LDAP user to Adaptive Server “sa” login A company has adopted LDAP as their repository for all user
accounts and has a security policy that requires LDAP authentication
of all users including database administrators, "adminA" and "adminB", who
may manage hundreds of Adaptive Servers. Auditing is enabled and
login events are recorded in the audit trail.
To map these administrator accounts to “sa”, enter:
sp_maplogin LDAP, 'adminA', 'sa' go sp_maplogin LDAP, 'adminB', 'sa' go
Use enable ldap user auth to require all users to authenticate using LDAP authentication:
sp_configure 'enable ldap user auth', 2 go
When 'adminA' authenticates
during login to Adaptive Server, the distinguished name associated
with 'adminA' rather than
only “sa” is recorded in the login audit event.
This allows each individual performing an action to be identified
in the audit trail.
Because 'adminA' and 'adminB' password
is set in the LDAP server, there is no need to maintain the “sa” password
on all Adaptive Servers being managed.
This example also allows different external identities and passwords to be used for authentication, while their actions within Adaptive Server still require the special privileges associated with “sa” account.
Example 2: Using both PAM and LDAP to map users to application logins A company has adopted both PAM and LDAP authentication but for different purposes. The company security policy defines LDAP as the authentication mechanism for general user accounts, and PAM for special users such as a middle-tier application. A middle-tier application may establish a pool of connections to Adaptive Server to handle requests on behalf of users of the middle-tier application.
Configure Adaptive Server for both LDAP and PAM user authentication:
sp_configure 'enable ldap user auth', 2 go sp_configure 'enable pam user auth', 2 go
Establish an Adaptive Server login appX locally
with permissions that are appropriate for the middle-tier application:
sp_addlogin 'appX', password go sp_modifylogin appX, 'authenticate with', PAM go
Instead of hard-coding a simple password in appX and
maintaining the password consistently in several different Adaptive
Servers, a custom PAM module is developed to authenticate the application
in a centralized repository using additional facts to verify the
middle tier application.
Client application login appY requires
LDAP authentication of the user with its LDAP identity and password.
Use sp_maplogin to map all LDAP authenticated
users to login appY.
sp_addlogin 'appY', password go sp_maplogin LDAP, NULL, 'appY' go
Users of appY are
authenticated with their company identity and password, then mapped
to a local Adaptive Server login appY to
execute database actions. Authentication has occurred with the identity
of the LDAP user, which is recorded in the audit trail, and executes
with permissions appropriate to the application login appY.
