You must have sso_role permissions to modify the authenticate with option for a login.
To configure external authentication mechanisms such as Kerberos, LDAP, or PAM, Sybase recommends that you determine the server-wide authentication setting that matches your company’s security policy. This server-wide setting is appropriate for most client connections. Then, you can set individual logins to another authentication mechanism using the authenticate with option.
You can use authenticate with to specify one of the external authentication mechanisms Kerberos, LDAP, or PAM. You can also issue sp_modifylogin or sp_addlogin with authenticate with set to ASE to use only the Adaptive Server internal authentication mechanism. To allow any authentication mechanism, use authenticate with ANY.
When authentication mechanism ANY is set for a login, the login uses the server-wide configuration settings to control authentication. The default authentication mechanism setting for a login is ANY.
sp_modifylogin also checks for any conflicts with any login mapping specified by a previous sp_maplogin. See “Adding tighter controls on login mapping” for more details.
Example 1: Creating a local account to run a batch application

Consider an environment that uses Kerberos as a centralized user account repository and requires its general population of users to authenticate using Kerberos. Adaptive Server should be configured for Kerberos by setting these parameters:
sp_configure "use security services", 1
go
sp_configure "unified login required", 1
go
These configuration parameters now require all user logins, other than login “sa”, to authenticate using Kerberos to gain access to the Adaptive Server.
Now consider a nightly batch operation run by the Adaptive Server database administrator or operator, which may authenticate locally without requiring the account to exist in the Kerberos repository. This is done by using the authenticate with option of sp_modifylogin or sp_addlogin.
sp_addlogin nightlybatch, localpassword, ...
go
sp_modifylogin nightlybatch, 'authenticate with', 'ASE'
go
Example 2: Migrating users from Adaptive Server authentication to LDAP user authentication

This example gives a phased approach for moving clients from local ASE authentication to LDAP user authentication. The LDAP directory server has been set up but has not yet been populated with all user accounts. A small population of users has agreed to a pilot program to test LDAP external authentication to Adaptive Server.
sp_configure 'enable ldap user auth', 1
go
This setting allows failover to ASE authentication when authentication with the LDAP directory server fails or the LDAP server is unavailable. Users without accounts in LDAP fail over to ASE authentication. The users in the pilot program are added to the LDAP directory server and may begin authenticating through it.
A user can determine which authentication mechanism was used to authenticate the current session with the global variable @@authmech:
select @@authmech
As the pilot program proceeds and LDAP authentication is used, users in the pilot program can be required to only use LDAP authentication:
sp_modifylogin loginame, 'authenticate with', 'ldap'
go
When the pilot program concludes and LDAP user authentication is required for all users, change the configuration parameter to level 2. Any logins set to authenticate with LDAP during the pilot program can be reset to the default value ANY. The logins will still be required to authenticate using LDAP because the configuration parameter is set to 2.
sp_configure 'enable ldap user auth', 2
go
sp_modifylogin loginame, 'authenticate with', 'any'
go
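The phased migration above, gathered into one Transact-SQL script with a check a DBA would want before moving to level 2: each pilot session records what @@authmech reports, so logins still arriving through ASE failover are visible. This is an added example, not from the Sybase manual; the table authmech_audit, the login pilotuser1 and the lowercase 'ldap' comparison value are assumptions.

```sql
-- Added example (not from the Sybase manual). Assumed names: authmech_audit,
-- pilotuser1. The string @@authmech returns is compared case-insensitively
-- below because its exact casing is not stated on this page.
use master
go
create table authmech_audit (
    login_name  varchar(30) not null,
    mech        varchar(30) not null,
    recorded_at datetime    not null
)
go
-- Phase 1 (pilot): enable LDAP with failover to ASE authentication.
sp_configure 'enable ldap user auth', 1
go
-- Phase 2: pin pilot logins to LDAP so a silent failover to ASE is refused.
sp_modifylogin pilotuser1, 'authenticate with', 'ldap'
go
-- Run from each pilot session: record the mechanism that authenticated it.
insert authmech_audit
select suser_name(), @@authmech, getdate()
go
-- Any pilot login still seen with a non-LDAP mechanism is not yet migrated.
select login_name, count(*) as sessions
from authmech_audit
where lower(mech) <> 'ldap'
group by login_name
go
-- Phase 3: once the audit shows only LDAP, require it server-wide and
-- return the per-login setting to the default ANY.
sp_configure 'enable ldap user auth', 2
go
sp_modifylogin pilotuser1, 'authenticate with', 'any'
go
```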
If a login has authenticate with set to a specific authentication mechanism such as LDAP, Kerberos, PAM, or ASE, then that login may only use that mechanism for authentication. The option is best used to set exceptions to the server-wide settings and to force a particular authentication mechanism to be used.