Configures or lists an LDAP URL, specifies the access accounts for LDAP user authentication, or verifies an LDAP URL or login-related parameters.
sysadmin ldap [<operation> [,<parameter1>, [,<parameter2>]]]
set_primary_url, '<ldapurl>'
set_access_acct, '<account_distinguished_name>', '<account_password>'
list_urls
list_access_acct
check_url, '<ldapurl>' [,'<tls>'] [,'<dn>', '<pwd>']
check_login, '<login_name>'
set_secondary_url, '<ldapurl>'
set_secondary_access_acct, '<account_distinguished_name>', '<account_password>'
starttls_on_primary, 'true|false'
starttls_on_secondary, 'true|false'
set_timeout, timeout_in_milliseconds
set_retry_limit, retry_number
set_cacert_file, 'full/path/to/CARootCertFile'
refresh_ldapua_module
ldapurl := ldap://host:port/node?attributes?base|one|sub?filter
set_access_acct
Specifies the distinguished name (DN) and password of an LDAP server user account that Replication Server uses to conduct search and administrative functions.
If you do not specify the administrative DN and password, Replication Server uses anonymous binding to the LDAP server when searching for the user account.
list_access_acct
Displays the LDAP server access account DN, which is set with the set_access_acct parameter.
check_url
Verifies an LDAP URL search filter, and verifies whether a connection to the LDAP server can be established.
check_login
Verifies the existence of a user account in the LDAP server, but does not authenticate the user.
set_secondary_url
Specifies the secondary LDAP URL search filter.
A null URL string or a failed connection to the primary LDAP URL causes Replication Server to attempt failover to the secondary LDAP URL, if one is specified. Replication Server does not fail over to the secondary URL for failures returned by LDAP search operations.
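The failover rule above is easy to get wrong in a wrapper or monitoring script: only a null primary URL or a connection-level failure moves the lookup to the secondary URL, while an error returned by the search itself is reported without failover. The following model of that rule is an added illustration and not Replication Server code; the exception classes, make_connector() and the "backup" host name are constructed for this example.

```python
"""Failover rule between the primary and secondary LDAP URLs.

Added illustration of the rule stated above; this is not Replication Server
code. A connector is any callable that takes an LDAP URL and returns a search
result; it raises LdapConnectError when the server cannot be reached and
LdapSearchError when the server answered but rejected the search. Both
exception names and make_connector() are this example's own.
"""
from typing import Callable, Optional, Tuple


class LdapConnectError(Exception):
    """Connection-level failure: unreachable host, refused bind, handshake error."""


class LdapSearchError(Exception):
    """Failure returned by the LDAP search operation itself."""


def lookup_with_failover(primary_url: Optional[str],
                         secondary_url: Optional[str],
                         connector: Callable[[str], dict]) -> Tuple[str, dict]:
    """Return (url_used, search_result).

    A null primary URL or a connection failure on the primary falls over to
    the secondary URL if one is configured.  A failure returned by the search
    operation is raised as-is and never triggers failover.
    """
    if primary_url:
        try:
            return primary_url, connector(primary_url)
        except LdapConnectError:
            if not secondary_url:
                raise          # nothing to fail over to
    if not secondary_url:
        raise LdapConnectError("no usable LDAP URL configured")
    return secondary_url, connector(secondary_url)


def make_connector(down=(), search_fails=()) -> Callable[[str], dict]:
    """Constructed stand-in for real LDAP servers, keyed by URL."""
    def connector(url: str) -> dict:
        if url in down:
            raise LdapConnectError(f"cannot connect to {url}")
        if url in search_fails:
            raise LdapSearchError(f"noSuchObject from {url}")
        return {"dn": "uid=ray,dc=sybase,dc=com", "server": url}
    return connector


# Constructed URLs in the form the reference gives; "backup" is an invented host.
PRIMARY = "ldap://myhost:389/dc=mycompany,dc=com?distinguishedName?sub?uid=*?"
SECONDARY = "ldap://backup:389/dc=mycompany,dc=com?distinguishedName?sub?uid=*?"


def demo() -> dict:
    """Run the three cases and report which URL answered, or that the search error stopped the lookup."""
    results = {}
    results["primary_down"] = lookup_with_failover(PRIMARY, SECONDARY, make_connector(down={PRIMARY}))[0]
    results["no_primary"] = lookup_with_failover(None, SECONDARY, make_connector())[0]
    try:
        lookup_with_failover(PRIMARY, SECONDARY, make_connector(search_fails={PRIMARY}))
        results["search_error"] = "failed over (wrong)"
    except LdapSearchError:
        results["search_error"] = "reported, no failover"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

When checking a failover configuration, the third case is the one worth testing explicitly: a wrong base DN or filter on the primary is answered by the primary server, so it surfaces as a search error and is never masked by the secondary.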
set_secondary_access_acct
Specifies the secondary DN and password of an LDAP server user account that Replication Server uses to conduct search and administrative functions.
If you do not specify a search filter, Replication Server uses anonymous binding to the LDAP server when searching for the user account.
starttls_on_primary
Specifies whether to start or stop the Transport Layer Security (TLS) connection on a primary LDAP server.
starttls_on_secondary
Specifies whether to start or stop the TLS connection on a secondary LDAP server.
set_timeout
Specifies the time, in milliseconds, that Replication Server waits for a response from the LDAP server before rejecting the request. The default value for set_timeout is 10,000 milliseconds (10 seconds). The valid range is 1 to 3,600,000 (one hour).
set_retry_limit
Specifies the maximum number of retry attempts after transient errors. The default value is 3. The valid range for retry_limit is 1 to 60.
set_cacert_file
Configures the full path to the trusted certificate authority (CA) root file used for Secure Sockets Layer (SSL) communication; the file must be in PEM format. For example, the default file location is '$SYBASE/config/trusted.txt'.
See Replication Server Administration Guide: Volume 1 > Manage Replication Server Security > Manage SSL Security > SSL Overview.
refresh_ldapua_module
Reinitializes the entire LDAP user authentication module.
You do not need to restart Replication Server for the reinitialization to take effect. This parameter releases any resources that may be held by the LDAP user authentication module and rereads changes made to files outside of Replication Server, such as a change to the contents of the CA root file.
Configures an LDAP URL search filter in Replication Server using the sublevel criteria:
sysadmin ldap, set_primary_url, 'ldap://myhost:389/dc=mycompany,dc=com?distinguishedName?sub?uid=*?'
Specifies an LDAP server login name and password for authentication:
sysadmin ldap, set_access_acct, 'cn=Manager, dc=mycompany, dc=com', 'password'
sysadmin ldap, check_url, 'ldap://myhost:389'
sysadmin ldap, check_url, 'ldap://myhost:389', 'cn=Manager,dc=mycompany,dc=com', 'password'
sysadmin ldap, check_url, 'ldaps://myhost:636'
sysadmin ldap, check_url, 'ldap://myhost:389', 'tls'
sysadmin ldap, starttls_on_primary, 'true'
sysadmin ldap, set_cacert_file, 'user/sybase/config/trusted.txt'
sysadmin ldap, set_timeout, 3000
sysadmin ldap, set_retry_limit, 6
The LDAP vendor determines the syntax of the search filter. In all cases, the search filter specifies the attribute name that uniquely identifies the user, in the form "<attribute>=wildcard", as in "cn=*".
The first attribute with a wildcard in a compound filter must define the relative distinguished name (RDN); otherwise, authentication fails. For example, if "uid = ray, dc=sybase, dc=com" is the user DN, then its parent DN is "dc=sybase, dc=com" and its relative DN is "uid = ray".
When a search filter is added, Replication Server verifies that it uses valid LDAP URL syntax and refers to an existing node. Because a syntactically valid filter does not guarantee the expected results, choose the search filter carefully and verify it when you configure Replication Server.
Secure the connection to an LDAP server in one of two ways:
Setting the CA root file path with set_cacert_file and using the "ldaps://" scheme in the LDAP URL, or
Enabling TLS with sysadmin ldap starttls_on_primary or starttls_on_secondary on the target LDAP URL. With this method the LDAP URL scheme must be "ldap://" with no "s".
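The three rules above that are easy to violate silently, the ldapurl grammar from the syntax section, the wildcard-attribute/RDN rule for the search filter, and the choice between "ldaps://" plus a CA root file and "ldap://" plus starttls, can be checked before the values are handed to sysadmin ldap. The checker below is an added example and is not Replication Server code; the function names, error messages and the default ports 389/636 (the standard LDAP/LDAPS ports) are this example's own, and a fourth, empty "?" component as in the set_primary_url example is accepted as the extensions field.

```python
"""Checks for the LDAP URL form, the search-filter/RDN rule, and the
SSL-versus-TLS choice described above.

Added example, not Replication Server code. parse_rs_ldap_url() follows the
grammar ldap://host:port/node?attributes?base|one|sub?filter from the
reference. filter_matches_rdn() applies the rule that the first wildcard
attribute of the filter must name the user's relative DN.
check_transport_security() flags mixing "ldaps://" with starttls, or
ldaps without a CA root file. All names and messages are this example's own.
"""
import re
from typing import List, Optional

_SCOPES = ("base", "one", "sub")
_URL_RE = re.compile(
    r"^(?P<scheme>ldaps?)://(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d+))?"
    r"(?:/(?P<node>[^?]*))?(?:\?(?P<query>.*))?$")
# First equality assertion whose value contains a wildcard, e.g. "uid=*" or "cn=ra*".
_WILDCARD_ASSERTION = re.compile(r"\(?\s*([A-Za-z][\w.-]*)\s*=\s*[^()&|!]*\*")


def parse_rs_ldap_url(url: str) -> dict:
    """Split url into its parts; the 'errors' list is empty when the form is valid."""
    out = {"scheme": None, "host": None, "port": None, "node": "",
           "attributes": [], "scope": "base", "filter": "", "errors": []}
    m = _URL_RE.match(url.strip())
    if not m:
        out["errors"].append("not of the form ldap[s]://host[:port][/node][?attributes?scope?filter]")
        return out
    out["scheme"], out["host"], out["node"] = m["scheme"], m["host"], m["node"] or ""
    # Standard default ports when none is given (assumption of this example).
    out["port"] = int(m["port"]) if m["port"] else (636 if m["scheme"] == "ldaps" else 389)
    if not 1 <= out["port"] <= 65535:
        out["errors"].append(f"port {out['port']} out of range")
    if m["query"] is not None:
        fields = m["query"].split("?")          # attributes ? scope ? filter [? extensions]
        out["attributes"] = [a for a in fields[0].split(",") if a]
        if len(fields) > 1 and fields[1]:
            out["scope"] = fields[1].lower()
            if out["scope"] not in _SCOPES:
                out["errors"].append(f"scope must be base, one or sub, got {fields[1]!r}")
        if len(fields) > 2:
            out["filter"] = fields[2]
        if len(fields) > 4:
            out["errors"].append("too many '?'-separated components")
    if out["filter"] and not _WILDCARD_ASSERTION.search(out["filter"]):
        out["errors"].append("search filter has no '<attribute>=<wildcard>' assertion")
    return out


def filter_matches_rdn(search_filter: str, user_dn: str) -> bool:
    """True when the first wildcard attribute in the filter is the user's RDN attribute."""
    m = _WILDCARD_ASSERTION.search(search_filter)
    if not m:
        return False
    rdn_attr = user_dn.split(",", 1)[0].split("=", 1)[0].strip()
    return m.group(1).lower() == rdn_attr.lower()


def check_transport_security(url: str, starttls: bool, cacert_file: Optional[str]) -> List[str]:
    """Report configuration combinations that do not give a protected connection."""
    problems = []
    scheme = parse_rs_ldap_url(url)["scheme"]
    if scheme == "ldaps":
        if starttls:
            problems.append("starttls_on_* must be 'false' with ldaps://; starttls needs a plain ldap:// URL")
        if not cacert_file:
            problems.append("ldaps:// needs set_cacert_file so the server certificate can be verified")
    elif scheme == "ldap" and not starttls:
        problems.append("neither SSL nor TLS: the access-account password crosses the network in clear text")
    return problems


if __name__ == "__main__":
    for u in ("ldap://myhost:389/dc=mycompany,dc=com?distinguishedName?sub?uid=*?",
              "ldap://myhost;389", "ldaps://myhost:636"):
        print(u, "->", parse_rs_ldap_url(u)["errors"] or "ok")
    print(filter_matches_rdn("uid=*", "uid = ray, dc=sybase, dc=com"))
    print(filter_matches_rdn("(&(dc=*)(uid=*))", "uid=ray,dc=sybase,dc=com"))
    print(check_transport_security("ldaps://myhost:636", True, None))
```

Two of the inputs come straight from the examples on this page: the set_primary_url value parses cleanly, and the mistyped 'ldap://myhost;389' is rejected because the host component cannot contain ';'. The compound-filter case shows why the RDN rule matters: "(&(dc=*)(uid=*))" is a valid filter, but its first wildcard attribute is dc, not the uid RDN, so the page says authentication would fail.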