sp_addlogin

Description

Adds a new user account to Adaptive Server; specifies the password expiration interval, the minimum password length, and the maximum number of failed logins allowed for a specified login at creation.

Syntax

sp_addlogin loginame, passwd [, defdb] 
	[, deflanguage] [, fullname] [, passwdexp]
	[, minpwdlen] [, maxfailedlogins] [, auth_mech]

Parameters

loginame

is the user’s login name. Login names must conform to the rules for identifiers.

passwd

is the user’s password. Passwords must be at least 6 characters long. If you specify a shorter password, sp_addlogin returns an error message and exits. Enclose passwords that include characters besides A – Z, a – z, or 0 – 9 in quotation marks. Also enclose passwords that begin with 0-9 in quotation marks.

sp_addlogin invokes the password complexity checks introduced in Adaptive Server 15.0.2.

defdb

is the name of the default database assigned when a user logs into Adaptive Server. If you do not specify defdb, the default, master, is used.

deflanguage

is the official name of the default language assigned when a user logs into Adaptive Server. The Adaptive Server default language, defined by the default language id configuration parameter, is used if you do not specify deflanguage.

fullname

is the full name of the user who owns the login account. This can be used for documentation and identification purposes.

passwdexp

specifies the password expiration interval in days. It can be any value between 0 and 32767, inclusive. The password expires when the number of specified days passes. For example, if you create a new login on August 1, 2007 at 10:30 AM, with a password expiration interval of 30 days, the password expires on August 31, 2007 at 10:30 AM.

minpwdlen

specifies the minimum password length required for that login. The values range between 0 and 30 characters.

maxfailedlogins

is the number of allowable failed login attempts. It can be any whole number between 0 and 32767.

auth_mech

defines the authentication mechanism.

Examples

Example 1

Creates an Adaptive Server login for “albert” with the password “longer1” and the default database corporate:

sp_addlogin albert, longer1, corporate

Example 2

Creates an Adaptive Server login for “claire.” Her password is “bleurouge,” her default database is public_db, and her default language is French:

sp_addlogin claire, bleurouge, public_db, french

Example 3

Creates an Adaptive Server login for “robertw.” His password is “terrible2.” his default database is public_db, and his full name is “Robert Willis.” Do not enclose null in quotes:

sp_addlogin robertw, terrible2, public_db, null, "Robert Willis"

Example 4

Creates a login for “susan” with a password of “wonderful,” a full name of “Susan B. Anthony,” and the server’s default database and language. Do not enclose null in quotes:

sp_addlogin susan, wonderful, null, null, "Susan B. Anthony"

Alternately, you can also use the following:

sp_addlogin susan, wonderful, @fullname="Susan B. Anthony"

Example 5

Configures the login “mylogin” to override global authentication mechanisms:

sp_addlogin mylogin, mypassword, @auth_mech = ASE

Usage


sp_modifylogin and sp_addlogin authenticate with option

The authenticate with option to sp_modifylogin or sp_addlogin requires that the login use only a specified authentication mechanism. The supported authentication mechanisms are:

Using authenticate with with these supported authentication mechanisms allows you to override the server-wide configuration parameters unified login required, enable ldap user auth, and enable pam user auth.

If more than one external authentication mechanism is configured and a login-specific authenticate with option has not been set, the external authentication mechanism is based on the following order:

  1. Kerberos

  2. LDAP

  3. PAM

For example, if both PAM and LDAP are configured, LDAP is chosen for external authentication, not PAM.

At the time of authentication, exactly one external authentication mechanism is attempted. Depending on the value of configuration parameters, you can try the “ASE” authentication mechanism when the external authentication fails.When none of the external authentication mechanisms are configured, Adaptive Server uses ASE authentication.


Using authenticate with to override server-wide authentication options

NoteYou must have sso_role permissions to modify the authenticate with option for a login.

To configure external authentication mechanisms such as Kerberos, LDAP, or PAM, Sybase recommends that you determine the server-wide authentication setting that matches your company’s security policy. This server-wide setting is appropriate for most client connections. Then, you can set individual logins to another authentication mechanism using the authenticate with option.

You can use authenticate with to specify an the external authentication mechanisms Kerberos, LDAP, and PAM. You can also issue sp_modifylogin or sp_addlogin authenticate with to set the authentication mechanism to “ASE” to use only the Adaptive Server internal authentication mechanism. To allow any authentication mechanism, use authenticate with ANY.

NoteWhen authentication mechanism “ANY” (the default) is set for a login, the login uses the server-wide configuration settings to control authentication.

sp_modifylogin also checks for any conflicts with any login mapping specified by a previous sp_maplogin.

Examples

Example 6

Example 1 Creates a local account to run a batch application. Consider an environment that uses Kerberos for a centralized user account repository and requires its general population of users to authenticate using Kerberos, Configure Kerberos by setting these parameters:

sp_configure  "use security services", 1
go

sp_configure "unified login required", 1
go

These configuration parameters now require all user logins, other than “sa,” to authenticate using Kerberos to gain access to the Adaptive Server.

Now consider a nightly batch operation run by the Adaptive Server database administrator or operator, which may authenticate locally without requiring the account to exist in the Kerberos repository. Use authenticate with option to sp_modifylogin or sp_addlogin:

sp_addlogin nightlybatch, localpassword, ... 
go
sp_modifylogin nightlybatch, 'authenticate with', 'ASE'
go

Example 7

Example 2 Migrates users from Adaptive Server authentication to LDAP user authenication, using a phased approach for moving clients from local Adaptive Server authentication to LDAP user authentication.The LDAP directory server has been set up but has not yet been populated with all user accounts. A small population of users has agreed to a pilot program to test out LDAP for external authentication to Adaptive Server. To allow failover to ASE authentication when authentication with the LDAP directory server fails or the LDAP server is unavailable, enter:

sp_configure 'enable ldap user auth', 1
go

Users without LDAP accounts fail over to Adaptive Server authentication. The users in the pilot program are automatically added to the LDAP directory server and may begin authenticating using the LDAP directory server.

A user can use the @@authmech global variable to determine which authentication mechanism was used to authenticate with with:

select @@authmech

You can require users in the pilot program to use only LDAP authentication by entering:

sp_maplogin loginame, 'authenticate with', 'ldap'
go

If you decide to use LDAP user authentication for all users, change the configuration parameter to level 2. Any logins set to authenticate with LDAP during the pilot program can be reset to the default value “ANY”. Because the configuration parameter is set to 2. “ANY” logins are still required to use LDAP:

sp_configure 'enable ldap user auth', 2
go
sp_maplogin loginame, 'authenticate with', 'any'
go

NoteIf a login has authenticate with set to a specific authentication mechanism such as LDAP, Kerberos, PAM, or ASE, that login can use only that mechanism for authentication. Sybase suggests that you use authentication with to set exceptions to the server-wide settings and to force a particular authentication mechanism to be used.

Permissions

Only a System Security Officer can execute sp_addlogin.

Auditing

Values in event and extrainfo columns from the sysaudits table are:

Event

Audit option

Command or access audited

Information in extrainfo

38

exec_procedure

Execution of a procedure

  • Roles – Current active roles

  • Keywords or options – NULL

  • Previous value – NULL

  • Current value – NULL

  • Other information – All input parameters

  • Proxy information – Original login name, if set proxy in effect

See also

System procedures sp_addalias, sp_adduser, sp_droplogin, sp_locklogin, sp_modifylogin, sp_password, sp_role