You must have sso_role permissions to modify the authenticate with option for a login.
To configure external authentication mechanisms such as Kerberos, LDAP, or PAM, Sybase recommends that you determine the server-wide authentication setting that matches your company’s security policy. This server-wide setting is appropriate for most client connections. Then, you can set individual logins to another authentication mechanism using the authenticate with option.
You can use authenticate with to specify one of the external authentication mechanisms Kerberos, LDAP, or PAM. You can also issue sp_modifylogin or sp_addlogin with authenticate with set to “ASE” to use only the Adaptive Server internal authentication mechanism. To allow any authentication mechanism, use authenticate with ANY.
When authentication mechanism “ANY” (the default) is set for a login, the login uses the server-wide configuration settings to control authentication.
sp_modifylogin also checks for any conflicts with any login mapping specified by a previous sp_maplogin. See “Adding tighter controls on login mapping” for more details.
Example 1 This example creates a local account to run a batch application. Consider an environment that uses Kerberos for a centralized user account repository and requires its general population of users to authenticate using Kerberos. Configure Kerberos by setting these parameters:
sp_configure "use security services", 1
go
sp_configure "unified login required", 1
go
These configuration parameters now require all user logins, other than “sa,” to authenticate using Kerberos to gain access to the Adaptive Server.
Now consider a nightly batch operation run by the Adaptive Server database administrator or operator, which may authenticate locally without requiring the account to exist in the Kerberos repository. Use the authenticate with option of sp_modifylogin or sp_addlogin:
sp_addlogin nightlybatch, localpassword, ...
go
sp_modifylogin nightlybatch, 'authenticate with', 'ASE'
go
Example 2: Migrating users from Adaptive Server authentication to LDAP user authentication This example uses a phased approach for moving clients from local Adaptive Server authentication to LDAP user authentication. The LDAP directory server has been set up but has not yet been populated with all user accounts. A small population of users has agreed to a pilot program to test LDAP for external authentication to Adaptive Server. To allow failover to ASE authentication when authentication with the LDAP directory server fails or the LDAP server is unavailable, enter:
sp_configure 'enable ldap user auth', 1
go
Users without LDAP accounts fail over to Adaptive Server authentication. The users in the pilot program are automatically added to the LDAP directory server and may begin authenticating using the LDAP directory server.
A user can use the @@authmech global variable to determine which authentication mechanism was used to authenticate the current session:
select @@authmech
You can require users in the pilot program to use only LDAP authentication by entering:
sp_modifylogin loginame, 'authenticate with', 'ldap'
go
If you decide to use LDAP user authentication for all users, change the configuration parameter to level 2. Any logins set to authenticate with LDAP during the pilot program can be reset to the default value “ANY”. Because the configuration parameter is set to 2, “ANY” logins are still required to use LDAP:
sp_configure 'enable ldap user auth', 2
go
sp_modifylogin loginame, 'authenticate with', 'any'
go
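The following script is an added illustration, not taken from the Sybase manual: it runs the phases of Example 1 and Example 2 end to end and adds a check after each phase, so that a pilot login which silently fell over to ASE authentication at level 1 is noticed rather than assumed to be using LDAP. The login names nightlybatch, pilot_user1 and pilot_user2 and the password are placeholders.

```sql
-- Added example (not from the Sybase manual). Placeholders: nightlybatch,
-- pilot_user1, pilot_user2, localpassword_placeholder.

-- Phase 0 (Example 1): a local batch account that must never depend on the
-- directory, pinned to internal ASE authentication.
sp_addlogin nightlybatch, 'localpassword_placeholder'
go
sp_modifylogin nightlybatch, 'authenticate with', 'ASE'
go

-- Phase 1 (Example 2): enable LDAP with failover to ASE (level 1).
sp_configure 'enable ldap user auth', 1
go
-- Pin the pilot logins to LDAP so that failover cannot mask a broken
-- directory account for them.
sp_modifylogin pilot_user1, 'authenticate with', 'ldap'
go
sp_modifylogin pilot_user2, 'authenticate with', 'ldap'
go
-- Confirm the per-login setting; sp_displaylogin reports "Authenticate with".
sp_displaylogin pilot_user1
go

-- Run by a pilot user after connecting: fail loudly if this session did not
-- come in through LDAP, i.e. it fell over to ASE authentication.
if @@authmech != 'ldap'
begin
    raiserror 20001 'Session was not authenticated by LDAP; check the directory account before continuing the pilot'
end
else
    print 'Session authenticated by LDAP'
go

-- Phase 2 (Example 2): directory fully populated. Require LDAP server-wide
-- (level 2) and return the pilot logins to the default so the server-wide
-- setting governs them; "any" still means LDAP at level 2.
sp_configure 'enable ldap user auth', 2
go
sp_modifylogin pilot_user1, 'authenticate with', 'any'
go
sp_modifylogin pilot_user2, 'authenticate with', 'any'
go
-- nightlybatch keeps 'ASE' and is unaffected by the server-wide LDAP setting.
sp_displaylogin nightlybatch
go
```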
If a login has authenticate with set to a specific authentication mechanism such as LDAP, Kerberos, PAM, or ASE, that login can use only that mechanism for authentication. Sybase suggests that you use authenticate with to set exceptions to the server-wide settings and to force a particular authentication mechanism to be used.