LDAP User Authentication Configuration

The LDAP user authentication allows you to use LDAP enterprise-wide passwords instead of Replication Server passwords.

Replication Server uses the OpenLDAP API for the LDAP user authentication and this API supports LDAPv3.

When connecting to an LDAP server as a client, Replication Server supports any LDAP server, which conforms with a standard LDAP protocol, including Microsoft Windows Active Directory and OpenLDAP directory servers.

The primary data structure used with the LDAP protocol is the LDAP URL, which specifies a set of objects or values on an LDAP server. Replication Server uses LDAP URLs to specify an LDAP server, and search criteria to authenticate user login requests.

The LDAP URL uses this syntax:

ldapurl:=ldap://host:port/node?attribute?[base | one | sub]?filter

where:

host – is the host name of the LDAP server.
port – is the port number of the LDAP server.
node – specifies the node in the object hierarchy at which to start the search.
attributes – is a list of attributes to return in the result set. Each LDAP server may support a different list of attributes.
base | one | sub – qualifies the search criteria.
- base – specifies a search criteria for the base node.
- one – specifies a search criteria for the base node and a sublevel under the base node.
- sub – specifies a search of the base node and all node sublevels.
filter – specifies the attribute or attributes to be authenticated. The filter can be simple, for example, "uid=*" or compound, for example, "&(uid=*)(ou=group)".
The wildcard replacement fails if the first attribute in a wildcard search filter is not mapped to the login name attribute.

For example, if the search filter is "&(uid=*)(ou=group)" and the login name is "mylogin", during authentication, Replication Server uses "mylogin" to generate an output filter "&(uid=mylogin)(ou=group)". If the search filter is specified as "&(ou=*)(uid=*)", the login name is "ou=mylogin", which is incorrect. The wildcard replacement for the user authentication fails.

An example of the LDAP URL:

ldap://john.doe.com:8888/dc=doe,dc=com??SUB?(cn=*)

Upgrading Replication Server to Use LDAP User Authentication
Use sysadmin ldap and configure replication server to configure the LDAP user authentication.
Migrating Existing Replication Server to LDAP User Authentication
Migrate the existing Sybase Replication Server to LDAP authentication using sysadmin ldap and configure replication server commands.
Configuring Primary LDAP Server to Use SSL/TLS
Configure the primary LDAP server URL to use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for user authentication.
Disabling LDAP User Authentication
Disable the LDAP user authentication in an existing Sybase replication system.

Parent topic: LDAP User Authentication