Managing user accounts locally

After a user account is added to the LDAP server, Adaptive Server can modify local characteristics of that account. For example, Adaptive Server creates a new row in syslogins for a user account when the LDAP server successfully authenticates the user and the user logs in to Adaptive Server.

Table 10-14 describes changes in syslogins with each login attempt.

Table 10-14: Changes in syslogins

| A row already exists in syslogins for the user | LDAP authentication succeeds | Resulting change in syslogins |
|---|---|---|
| no | yes | Adds a new row for the user |
| no | no | No change |
| yes | yes | Updates an existing row if a new password is used |
| yes | no | No change |

A System Administrator or a System Security Officer can add a row in syslogins using sp_addlogin to set login-specific values—such as a default database or the granting of roles—even before the user first logs in to Adaptive Server via LDAP. However, for sp_addlogin to succeed, the value of enable ldap user auth must allow LDAP authentication (either 1 or 2) and the user must have an LDAP account.

Note: If LDAP authentication is enabled, you cannot change the value of the password used to authenticate the user at login using sp_addlogin. The password for LDAP authentication is always stored and managed at the LDAP server, and can be modified with LDAP server tools.

When a user login account is deleted from the LDAP server, the user account remains on Adaptive Server. The System Administrator or System Security Officer can delete the account only after all objects and users for that user account are deleted.
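The following added example (not Sybase code) models the rules of Table 10-14 and then audits for logins that remain locally after their LDAP account is deleted. The function names, the dictionary model of syslogins, and the `local_only` exemption list are assumptions made for illustration; all data is constructed.

```python
def apply_login_attempt(syslogins, ldap, user, password):
    """Apply one login attempt to a local model of syslogins per Table 10-14.

    syslogins: dict login -> credential last seen locally (a model, not ASE's schema)
    ldap:      dict login -> credential currently held by the LDAP server
    Returns the resulting change: "row added", "row updated" or "no change".
    """
    authenticated = user in ldap and ldap[user] == password
    if not authenticated:
        # Failed LDAP authentication never touches syslogins,
        # whether or not a row already exists.
        return "no change"
    if user not in syslogins:
        syslogins[user] = password
        return "row added"
    if syslogins[user] != password:
        # Existing row, successful authentication with a new password.
        syslogins[user] = password
        return "row updated"
    return "no change"


def orphaned_logins(syslogins, ldap, local_only=("sa",)):
    """Return logins still present locally that have no LDAP account.

    local_only lists accounts that are expected to exist without an LDAP
    entry (hypothetical exemption list; adjust to the site's policy).
    """
    return sorted(u for u in syslogins if u not in ldap and u not in local_only)


if __name__ == "__main__":
    # Constructed sample data.
    ldap = {"alice": "pw1", "bob": "pw2"}
    syslogins = {"sa": "local"}

    print(apply_login_attempt(syslogins, ldap, "alice", "pw1"))  # first LDAP login
    print(apply_login_attempt(syslogins, ldap, "carol", "x"))    # no LDAP account
    ldap["alice"] = "pw9"                                        # changed at the LDAP server
    print(apply_login_attempt(syslogins, ldap, "alice", "pw9"))

    del ldap["alice"]                                            # deleted from LDAP only
    print("orphaned:", orphaned_logins(syslogins, ldap))
```

In practice the local names would come from a query against master..syslogins and the directory names from an LDAP export, so that logins left behind can be reviewed and cleaned up.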