The authentication mechanism is defined when you log in. The configuration parameters enable pam user auth and enable ldap user auth enable PAM and LDAP authentication, respectively. You can also force a login to use a specific authentication process by using the new options to sp_modifylogin and sp_addlogin.
sp_modifylogin has a new option, authenticate with, which has the following values:
ASE – use Adaptive Server internal authentication using syslogins passwords.
LDAP – use external authentication with an LDAP Server.
PAM – use external authentication with PAM.
ANY – by default, users are authenticated using this authentication method. A user with ANY authentication means that Adaptive Server checks if there is any external authentication mechanism defined, and if there is, it is used. Otherwise, it uses ASE authentication.
Adaptive Server checks for external authentication mechanisms in the following order:
LDAP.
PAM.
If neither PAM nor LDAP is enabled, ASE authentication through syslogins is used.
The first of these mechanisms that is enabled is the one used, and no other is tried. For this reason, if both LDAP and PAM are enabled, PAM is never tried for a user with ANY authentication.
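The selection order described above, modeled as an added Python example (not Sybase code and not part of the original page): it reports which mechanism each login ends up using and flags cases such as PAM being shadowed by LDAP. The function names and sample logins are constructed, and because this page does not say what happens when a login is forced to a mechanism that is not enabled, the code only flags that case.

```python
# Added illustration: models the selection rules described above.
# effective_mechanism(), audit() and the sample logins are constructed names.

EXTERNAL_ORDER = ("LDAP", "PAM")  # order in which ANY checks external mechanisms


def effective_mechanism(authenticate_with, enabled):
    """Return (mechanism, note) for one login.

    authenticate_with: 'ASE', 'LDAP', 'PAM' or 'ANY' (the per-login setting)
    enabled: set of external mechanisms enabled server-wide, e.g. {'LDAP'}
    """
    setting = authenticate_with.upper()
    if setting == "ASE":
        return "ASE", "forced to syslogins passwords"
    if setting in EXTERNAL_ORDER:
        if setting in enabled:
            return setting, "forced"
        # Assumption: the page does not describe this case, so only flag it.
        return setting, "forced, but mechanism not enabled"
    if setting != "ANY":
        raise ValueError(f"unknown authenticate with value: {authenticate_with!r}")
    for mech in EXTERNAL_ORDER:
        if mech in enabled:
            skipped = [m for m in EXTERNAL_ORDER if m in enabled and m != mech]
            note = f"{', '.join(skipped)} never tried" if skipped else "first enabled"
            return mech, note
    return "ASE", "no external mechanism enabled"


def audit(logins, enabled):
    """Map each login name to its (effective mechanism, note) pair."""
    return {name: effective_mechanism(setting, enabled)
            for name, setting in logins.items()}


# Constructed sample: per-login "Authenticate with" settings.
SAMPLE_LOGINS = {"nightlyjob": "ASE", "report_user": "ANY", "app_user": "PAM"}

if __name__ == "__main__":
    for enabled in ({"LDAP", "PAM"}, {"PAM"}, set()):
        print("enabled:", sorted(enabled) or "none")
        for name, (mech, note) in audit(SAMPLE_LOGINS, enabled).items():
            print(f"  {name:<11} -> {mech:<4} ({note})")
```
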
Only a System Security Officer with sso_role can set authenticate with for a login.
For example:
sp_modifylogin "nightlyjob", "authenticate with", "ASE"
sp_displaylogin "nightlyjob"
displays something that looks similar to:
Suid: 1234
Loginname: nightlyjob
Fullname: Batch Login
Default Database: master
[...]
Date of Last Password Change: Oct 2 2003 7:38 PM
Password expiration interval: 0
Password expired: N
Minimum password length: 6
Maximum failed logins: 0
Current failed login attempts:
Authenticate with: ASE
sp_addlogin accepts a new parameter, @auth_mech, which defines the authentication mechanism.
The syntax is:
sp_addlogin login, passwd [, defdb] [, deflanguage] [, fullname] [, passwdexp] [, minpwdlen] [, maxfailedlogins] [, auth_mech]
auth_mech can take the same values as the sp_modifylogin "authenticate with" option.
Individual users can be configured to override global authentication mechanisms, as in the following example:
sp_addlogin mylogin, mypassword, @auth_mech = ASE
sp_displaylogin now includes output showing the specified authentication mechanism, if any. For example:
1> sp_displaylogin mylogin
2> go
now displays something similar to the following:
Suid: 1234
Loginname: mylogin
Fullname: My Full Name
Default Database: master
Default Language:
Auto Login Script:
Configured Authorization:
Locked: NO
Date of Last Password Change: Oct 2 2003 7:38PM
Password expiration interval: 0
Password expired: N
Minimum password length: 6
Maximum failed logins: 0
Current failed login attempts:
Authenticate with: ASE
Copyright © 2004. Sybase Inc. All rights reserved.