saldap.ini file configuration

To connect using an LDAP server, a file containing information on how to find and connect to the LDAP server must be created on the database server computer and on each client computer. By default the name of this file is saldap.ini, but you can rename it. If you rename the saldap.ini file, then you must use the LDAP protocol option to specify the file name. If this file doesn't exist, LDAP support is disabled.

You can add simple encryption to obfuscate the contents of the saldap.ini file using the File Hiding utility (dbfhide). See File Hiding utility (dbfhide).

The file must be located in the same directory as the SQL Anywhere executables (for example, %SQLANY12%\bin32 on Windows) unless a full path is specified with the LDAP protocol option. The file's contents must be in the following format:

[LDAP]
server=computer-running-LDAP-server
port=port-number-of-LDAP-server
basedn=Base-DN
authdn=Authentication-DN
password=password-for-authdn
search_timeout=age-of-timestamps-to-be-ignored
update_timeout=frequency-of-timestamp-updates
read_authdn=read-only-authentication-domain-name
read_password=password-for-authdn

server The name or IP address of the computer running the LDAP server. This value is required on Unix. If this entry is missing on Windows, then Windows looks for an LDAP server running on the local domain controller.
port The port number used by the LDAP server. The default is 389.
basedn The domain name of the subtree where the SQL Anywhere entries are stored. This value defaults to the root of the tree.
authdn The authentication domain name. The domain name must be an existing user object in the LDAP directory that has write access to the basedn. This parameter is required for the database server and it is ignored on the client.
password The password for authdn. This parameter is required for the database server and it is ignored on the client.
search_timeout The age at which timestamps are ignored by the client and/or the Server Enumeration utility (dblocate). A value of 0 disables this option so that all entries are assumed to be current. The default is 600 seconds (10 minutes).
update_timeout The frequency of timestamp updates in the LDAP directory. A value of 0 disables this option so that the database server never updates the timestamp. The default is 120 seconds (2 minutes).
read_authdn The read-only authentication domain name. The domain name must be an existing user object in the LDAP directory that has read access to the basedn. This parameter is only required if the LDAP server requires a non-anonymous binding before searching can be done. For example, this field is normally required if Active Directory is used as the LDAP server. If this parameter is missing, the bind is anonymous.
read_password The password for authdn. This parameter is only required on the client if the read_authdn parameter is specified.

How the connection is made

When the database server starts, it checks for an existing entry with the same name in LDAP. If a matching entry is found, it is replaced if either the location entries in LDAP match the database server attempting to start, or the timestamp field in the LDAP entry is greater than the time specified by the search_timeout parameter.

If there is another database server running with the same name as the one attempting to start, then the database fails to start.

To ensure that the entries in LDAP are up-to-date, the database server updates a timestamp field in the LDAP entry every 2 minutes. If an entry's timestamp is older than 10 minutes, clients ignore the LDAP entry. Both of these settings are configurable.

On the client, the LDAP directory is searched before the client does any UDP broadcasting, so if the database server is found, no UDP broadcasts are sent. The LDAP search is very fast, so if it fails, there is no discernible delay.

LDAP server and the Server Enumeration utility (dblocate)

Example

The following is a sample saldap.ini file:

[LDAP]
server=ldapserver
basedn=dc=iAnywhere,dc=com
authdn=cn=SAServer,ou=iAnywhereASA,dc=iAnywhere,dc=com
password=secret

The entries are stored in a subtree of the basedn called iAnywhereASA. This entry must be created before SQL Anywhere can use LDAP. To create the subtree, you can use the LDAPADD utility, supplying the following information:

dn: ou=iAnywhereASA,basedn
objectClass: organizationalUnit
objectClass: top
ou: iAnywhereASA

Discuss this page in DocCommentXchange.

saldap.ini file configuration

How the connection is made

LDAP server and the Server Enumeration utility (dblocate)

See also

Example