Any changes to an LDAP server configuration object are applied on subsequent
connections. Any connection already started when the change is applied does not immediately
reflect the change.
Syntax
ALTER LDAP SERVER <ldapua-server-name>
{ ldapua-server-attribs
| [ WITH ( SUSPEND | ACTIVATE | REFRESH ) ] }
ldapua-server-attribs - (back to Syntax)
SEARCH DN
URL { <‘URL_string’ | NULL> }
| ACCESS ACCOUNT { <‘DN_string’ | NULL> }
| IDENTIFIED BY ( <‘password’ | NULL> }
| IDENTIFIED BY ENCRYPTED { <encrypted-password | NULL> }
| AUTHENTICATION URL { <‘URL_string’ | NULL> }
| CONNECTION TIMEOUT <timeout_value>
| CONNECTION RETRIES <retry_value>
| TLS { ON | OFF }
Parameters
(back to top)
- URL identifies the host (by name or by IP address), port number, and
the search to be performed for the DN lookup for a given user ID. This value
is validated for correct LDAP URL syntax before it is stored in the
ISYSLDAPSERVER system table. The maximum size for
this string is 1024 bytes.
- ACCESS ACCOUNT user created in the LDAP server for
use by SAP IQ, not a user within SAP IQ. The distinguished name (DN) for this user is
used to connect to the LDAP server. This user has permissions within the LDAP server to
search for DNs by user ID in the locations specified by the SEARCH DN URL. The maximum
size for this string is 1024 bytes.
- IDENTIFIED BY provides the password associated with the ACCESS ACCOUNT user. The
password is stored using symmetric encryption on disk. Use the value NULL to clear the
password and set it to none. The maximum size of a clear text password is 255 bytes.
- IDENTIFIED BY ENCRYPTED configures the password associated with the ACCESS ACCOUNT
distinguished name in an encrypted format. The binary value is the encrypted password
and is stored on disk as is. Use the value NULL to clear the password and set it to
none. The maximum size of the binary is 289 bytes.
The encrypted key should be a
valid varbinary value. Do not enclose the encrypted key in quotation marks.
- AUTHENTICATION URL identifies the host (by name or IP
address) and the port number of the LDAP server to use for authentication of the user.
This is the value defined for URL_string and is validated for correct LDAP URL syntax
before it is stored in ISYSLDAPSERVER system table. The
DN of the user obtained from a prior DN search and the user password bind a new
connection to the authentication URL. A successful connection to the LDAP server is
considered proof of the identity of the connecting user. The maximum size for this
string is 1024 bytes.
- CONNECTION TIMEOUT specifies the connection timeout
from SAP IQ to the LDAP server for both DN
searches and authentication. This value is in milliseconds, with a default value of 10
seconds.
- CONNECTION RETRIES specifies the number of retries on
connections from SAP IQ to the LDAP server
for both DN searches and authentication. The valid range of values is 1– 60, with a
default value of 3.
- TLS defines whether the TLS or Secure LDAP protocol is used for
connections to the LDAP server for both DN searches and authentication. When set to ON,
the TLS protocol is used and the URL would being with "ldap://" When set to OFF (or not
specified), Secure LDAP protocol is used and the URL begins with “ldaps://”. When using
the TLS protocol, specify the database security option TRUSTED_CERTIFICATES_FILE with a
file name containing the certificate of the Certificate Authority (CA) that signed the
certificate used by the LDAP server.
- WITH ACTIVATE activates the LDAP server configuration object for immediate use
upon creation. This permits the definition and activation of LDAP User Authentication in
one statement. The LDAP server configuration object state changes to READY when WITH
ACTIVATE is used.
Examples
(back to top)
- Example 1 suspends the LDAP server configuration object named
apps_primary:
ALTER LDAP SERVER apps_primary SUSPEND
- Example 2 changes the LDAP server configuration object named
apps_primary to use a different URL for authentication
on host fairfax, sets the port number to
1066, sets the number of connection retries to
10, and finally activates the LDAP server configuration object:
ALTER LDAP SERVER apps_primary
AUTHENTICATION URL 'ldap://my_LDAPserver:1066/'
CONNECTION RETRIES 10
WITH ACTIVATE
Usage
(back to top)
In
addition to resetting LDAP server configuration object values for attributes, the
ALTER LDAP SERVER statement allows an administrator to make
manual adjustments to a server's state and behavior by putting the LDAP server
configuration object in maintenance mode and returning it to service from maintenance
mode.
Standards
(back to top)
ANSI SQL–Compliance level: Transact-SQL® extension.
Permissions
(back to top)
Requires the MANAGE ANY LDAP SERVER system privilege.