ALTER LDAP SERVER Statement

Any changes to an LDAP server configuration object are applied on subsequent connections. Any connection already started when the change is applied does not immediately reflect the change.

In addition to resetting LDAP server configuration object values for attributes, the ALTER LDAP SERVER statement allows an administrator to make manual adjustments to a server's state and behavior by putting the LDAP server configuration object in maintenance mode and returning it to service from maintenance mode.

Syntax

ALTER LDAP SERVER <ldapua-server-name>
{ <ldapua-server-attribs>
| [ WITH ( SUSPEND | ACTIVATE | REFRESH ) ] }

ldapua-server-attribs:
SEARCH DN
    URL { 'URL_string' | NULL }
    | ACCESS ACCOUNT { 'DN_string' | NULL }
    | IDENTIFIED BY { 'password' | NULL }
    | IDENTIFIED BY ENCRYPTED { encrypted-password | NULL }
| AUTHENTICATION URL { 'URL_string' | NULL }
| CONNECTION TIMEOUT timeout_value
| CONNECTION RETRIES retry_value
| TLS { ON | OFF }

Parameters

  • URL – identifies the host (by name or by IP address), port number, and the search to be performed for the DN lookup for a given user ID. This value is validated for correct LDAP URL syntax before it is stored in the ISYSLDAPSERVER system table. The maximum size for this string is 1024 bytes.
  • ACCESS ACCOUNT – a user created on the LDAP server for use by SAP Sybase IQ, not a user within SAP Sybase IQ. The distinguished name (DN) for this user is used to connect to the LDAP server. This user has permissions within the LDAP server to search for DNs by user ID in the locations specified by the SEARCH DN URL. The maximum size for this string is 1024 bytes.
  • IDENTIFIED BY – provides the password associated with the ACCESS ACCOUNT user. The password is stored using symmetric encryption on disk. Use the value NULL to clear the password and set it to none. The maximum size of a clear text password is 255 bytes.
  • IDENTIFIED BY ENCRYPTED – configures the password associated with the ACCESS ACCOUNT distinguished name in an encrypted format. The binary value is the encrypted password and is stored on disk as is. Use the value NULL to clear the password and set it to none. The maximum size of the binary is 289 bytes. The encrypted key should be a valid varbinary value. Do not enclose the encrypted key in quotation marks.
  • AUTHENTICATION URL – identifies the host (by name or IP address) and the port number of the LDAP server to use for authentication of the user. This is the value defined for <URL_string> and is validated for correct LDAP URL syntax before it is stored in the ISYSLDAPSERVER system table. The DN of the user obtained from a prior DN search and the user password bind a new connection to the authentication URL. A successful connection to the LDAP server is considered proof of the identity of the connecting user. The maximum size for this string is 1024 bytes.
  • CONNECTION TIMEOUT – specifies the connection timeout from SAP Sybase IQ to the LDAP server for both DN searches and authentication. This value is in milliseconds, with a default value of 10 seconds.
  • CONNECTION RETRIES – specifies the number of retries on connections from SAP Sybase IQ to the LDAP server for both DN searches and authentication. The valid range of values is 1 – 60, with a default value of 3.
  • TLS – defines whether the TLS or Secure LDAP protocol is used for connections to the LDAP server for both DN searches and authentication. When set to ON, the TLS protocol is used and the URL begins with "ldap://". When set to OFF (or not specified), Secure LDAP protocol is used and the URL begins with "ldaps://". When using the TLS protocol, specify the database security option TRUSTED_CERTIFICATES_FILE with a file name containing the certificate of the Certificate Authority (CA) that signed the certificate used by the LDAP server.
  • WITH ACTIVATE – sets the state of the LDAP server configuration object to READY and allows authentication with the LDAP server. Server option values are read from the ISYSLDAPSERVER system table and applied to new connections to the LDAP server and incoming authentication requests to the SAP Sybase IQ server. Upon successful authentication of a user, the state changes to ACTIVE.
  • WITH SUSPEND – sets the state of the LDAP server configuration object to SUSPENDED, which puts the LDAP server configuration object in maintenance mode. Connections to the LDAP server are closed and authentication with the LDAP server becomes unavailable.
  • WITH REFRESH – reinitializes LDAP user authentication. This command does not change the state of the LDAP server configuration object, nor does it change any existing connections from a client to the SAP Sybase IQ server. This parameter is typically used with an LDAP server that is in an ACTIVE or READY state to release any resources that may be held or to reread changes made to files outside of the server, such as a change to the contents of the file specified by database option TRUSTED_CERTIFICATES_FILE.
    Note: When the LDAP server is in any state other than ACTIVE or READY, REFRESH has no effect.

Examples
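
The statements below are an added example, not taken from the SAP documentation: a maintenance sequence that suspends a configuration object, repoints it at a new LDAP host with TLS enabled, and returns it to service. The object name apps_primary, the host ldap.example.com, the DNs, the password placeholder and the certificate path are assumptions; the SET OPTION statement is standard SAP Sybase IQ syntax for the TRUSTED_CERTIFICATES_FILE option named above, not something this page shows.

```sql
-- Added example. All names, hosts, DNs and paths are placeholders.

-- 1. TLS ON needs the CA certificate that signed the LDAP server's certificate.
SET OPTION PUBLIC.TRUSTED_CERTIFICATES_FILE = '/opt/iq/certs/ldap_ca.pem';

-- 2. Enter maintenance mode: state becomes SUSPENDED, connections to the
--    LDAP server are closed and LDAP authentication is unavailable.
ALTER LDAP SERVER apps_primary WITH SUSPEND;

-- 3. DN lookup settings, one attribute per statement to match the grammar above.
--    With TLS ON the URL scheme is ldap://, per the TLS parameter description.
ALTER LDAP SERVER apps_primary
    SEARCH DN URL 'ldap://ldap.example.com:389/dc=example,dc=com??sub?cn=*';

--    The ACCESS ACCOUNT is a user on the LDAP server, not an IQ user. Give it
--    search rights only on the subtree named in the SEARCH DN URL.
ALTER LDAP SERVER apps_primary
    SEARCH DN ACCESS ACCOUNT 'cn=iq_lookup,ou=service,dc=example,dc=com';

--    Clear-text form (max 255 bytes); stored encrypted on disk.
--    IDENTIFIED BY ENCRYPTED takes an unquoted varbinary value instead.
ALTER LDAP SERVER apps_primary
    SEARCH DN IDENTIFIED BY '<access-account-password>';

-- 4. Host and port used for the user's bind once the DN is known.
ALTER LDAP SERVER apps_primary
    AUTHENTICATION URL 'ldap://ldap.example.com:389/';

-- 5. Timeout is in milliseconds; retries must be in the range 1 to 60.
ALTER LDAP SERVER apps_primary CONNECTION TIMEOUT 5000;
ALTER LDAP SERVER apps_primary CONNECTION RETRIES 3;

-- 6. Require TLS for both DN searches and authentication.
ALTER LDAP SERVER apps_primary TLS ON;

-- 7. Return to service: state becomes READY, then ACTIVE after the first
--    successful user authentication.
ALTER LDAP SERVER apps_primary WITH ACTIVATE;

-- 8. Later, after the contents of the CA file change on disk, reread it
--    without changing state. Has no effect unless the state is ACTIVE or READY.
ALTER LDAP SERVER apps_primary WITH REFRESH;
```

Connections that were already open when a change was applied keep the old settings, so verify the new configuration with a fresh login rather than an existing session.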

Standards

ANSI SQL – Compliance level: Transact-SQL extension.

Permissions

Requires the MANAGE ANY LDAP SERVER system privilege.