VALIDATE LDAP SERVER Statement

Quick Links:

Go to Parameters

Go to Examples

Go to Usage

Go to Standards

Go to Permissions

Syntax

VALIDATE LDAP SERVER [ ldapua-server-name | ldapua-server-attribs  ]
   [ CHECK userid [ user-dn-string ] ]

ldapua-server-attribs 
   SEARCH DN 
            URL { ‘URL_string’ | NULL } 
            | ACCESS ACCOUNT { ‘DN_string’ | NULL } 
            | IDENTIFIED BY ( ‘password’ | NULL } 
            | IDENTIFIED BY ENCRYPTED { encrypted-password | NULL }

   | AUTHENTICATION URL { ‘URL_string’ | NULL } 
   | CONNECTION TIMEOUT timeout_value 
   | CONNECTION RETRIES retry_value 
   | TLS { ON | OFF } 

Parameters

(back to top)

• ldapua-server-name – identifies the LDAP server configuration object.

• URL – identifies the host (by name or by IP address), port number, and the search to be performed for the DN lookup for a given user ID. This value is validated for correct LDAP URL syntax before it is stored in the ISYSLDAPSERVER system table. The maximum size for this string is 1024 bytes.

• ACCESS ACCOUNT – a user created on the LDAP server for use by SAP Sybase IQ, not a user within SAP Sybase IQ. The distinguished name (DN) for this user is used to connect to the LDAP server. This user has permissions within the LDAP server to search for DNs by user ID in the locations specified by the SEARCH DN URL. The maximum size for this string is 1024 bytes.

• IDENTIFIED BY – provides the password associated with the ACCESS ACCOUNT user. The password is stored using symmetric encryption on disk. Use the value NULL to clear the password and set it to none. The maximum size of a clear text password is 255 bytes.

• IDENTIFIED BY ENCRYPTED – configures the password associated with the ACCESS ACCOUNT distinguished name in an encrypted format. The binary value is the encrypted password and is stored on disk as is. Use the value NULL to clear the password and set it to none. The maximum size of the binary is 289 bytes.

• AUTHENTICATION URL – identifies the host (by name or IP address) and the port number of the LDAP server to use for authentication of the user. This is the value defined for <URL_string> and is validated for correct LDAP URL syntax before it is stored in ISYSLDAPSERVER system table. The DN of the user obtained from a prior DN search and the user password bind a new connection to the authentication URL. A successful connection to the LDAP server is considered proof of the identity of the connecting user. The maximum size for this string is 1024 bytes.

• CONNECTION TIMEOUT – specifies the connection timeout from SAP Sybase IQ to the LDAP server for both DN searches and authentication. This value is in milliseconds, with a default value of 10 seconds.

• CONNECTION RETRIES – specifies the number of retries on connections from SAP Sybase IQ to the LDAP server for both DN searches and authentication. The valid range of values is 1 – 60, with a default value of 3.

• TLS – defines whether the TLS or Secure LDAP protocol is used for connections to the LDAP server for both DN searches and authentication. When set to ON, the TLS protocol is used and the URL begins with "ldap://" When set to OFF (or not specified), Secure LDAP protocol is used and the URL begins with “ldaps://”. When using the TLS protocol, specify the database security option TRUSTED_CERTIFICATES_FILE with a file name containing the certificate of the Certificate Authority (CA) that signed the certificate used by the LDAP server.

• CHECK userID – the userID whose existence is validated on the LDAP server.

• user-dn-string – compares a user's DN value with the user ID for verification purposes.

Examples

(back to top)

• Example 1 – assume the apps_primary LDAP server configuration object was created as follows:

  SET OPTION PUBLIC.login_mode = ‘Standard,LDAPUA’ 
  CREATE LDAP SERVER apps_primary 
  SEARCH DN 
  	URL 'ldap://my_LDAPserver:389/dc=MyCompany,dc=com??sub?cn=*' 
  	ACCESS ACCOUNT 'cn=aseadmin, cn=Users, dc=mycompany, dc=com' 
  	IDENTIFIED BY 'Secret99Password' 
  AUTHENTICATION URL 'ldap://my_LDAPserver:389/' 
  CONNECTION TIMEOUT 3000 
  WITH ACTIVATE

  This statement validates the existence of a userID myusername by using the optional CHECK clause to compare the userID to the expected user distinguished name (enclosed in quotation marks) on the apps_primary LDAP server configuration object.

  VALIDATE LDAP SERVER apps_primary
  CHECK myusername ‘cn=myusername,cn=Users,dc=mycompany,dc=com’
   

• Example 2 – the name of the LDAP server configuration object does not have to defined in the VALIDATE LDAP SERVER statement if you include the search attributes:

  VALIDATE LDAP SERVER 
  SEARCH DN 
  	URL  'ldap://my_LDAPserver:389/dc=MyCompany,dc=com??sub?cn=*' 
  	ACCESS ACCOUNT 'cn=aseadmin, cn=Users, dc=mycompany, dc=com'
  	IDENTIFIED BY 'Secret99Password'
  AUTHENTICATION URL 'ldap://my_LDAPserver:389/'
  CONNECTION TIMEOUT 3000
  CHECK myusername ‘cn=myusername,cn=Users,dc=mycompany,dc=com’
   

Usage

(back to top)

This statement is useful for an administrator when setting up a new server to use LDAP user authentication, and for diagnosing problems between the LDAP server configuration object and the external LDAP server. Any connection made by the VALIDATE LDAP SERVER statement is temporary and is closed by the end of the statement.

When validating the LDAP server configuration object by name, definitions from prior CREATE LDAP SERVER and ALTER LDAP SERVER statements are used. Alternately, when ldapua-server-attributes are specified instead of the LDAP server configuration object name, the specified attributes are validated. When ldapua-server-attributes are specified, the URLs are parsed to identify syntax errors, and statement processing stops is a syntax error is detected.

Whether using an LDAP server configuration object name or a successfully parsed set of ldapua-server-attributes, a connection to the external LDAP server is attempted. If the parameter ACCESS ACCOUNT and a password are specified, the values are used to establish the connection to the SEARCH DN URL. This is the SEARCH DN URL, ACCESS ACCOUNT, and ACCESS ACCOUNT password.

When using the optional CHECK clause, the userID is used in the search to validate the existence of the user on the external LDAP server.  When the expected DN value for a given user is known, the value can be specified, and is compared with the result of the search to determine success or failure.

Standards

(back to top)

ANSI SQL–Compliance level: Transact-SQL extension.

Permissions

(back to top)

Requires the MANAGE ANY LDAP SERVER system privilege.