After a user account is added to the LDAP server, Adaptive Server can modify local characteristics of that account. For example, Adaptive Server creates a new row in syslogins for a user account when the LDAP server successfully authenticates the user and the user logs in to Adaptive Server.
Table 10-14 describes changes in syslogins with each login attempt.
A row already exists in syslogins for the user |
LDAP authentication succeeds |
Resulting change in syslogins |
|---|---|---|
no |
yes |
Adds a new row for the user |
no |
no |
No change |
yes |
yes |
Updates an existing row if a new password is used |
yes |
no |
No change |
A System Administrator or a System Security Officer can add a row in syslogins using sp_addlogin to set login-specific values—such as a default database or the granting of roles—even before the user first logs in to Adaptive Server via LDAP. However, for sp_addlogin to succeed, the value of enable ldap user auth must allow LDAP authentication (either 1 or 2) and the user must have an LDAP account.
If LDAP authentication is enabled, you cannot change
the value of the password used to authenticate the user at login
using sp_addlogin. The password for
LDAP authentication is always stored and managed at the LDAP server,
and can be modified with LDAP server tools.
When a user login account is deleted from the LDAP server, the user account remains on Adaptive Server. The System Administrator or System Security Officer can delete the account only after all objects and users for that user account are deleted.
