on 08-27-2018 6:26 PM
Looking at:
Replication Server Administration Guide Volume 1 -> Manage Replication Server Security -> Manage Replication Server System Security -> Maintenance User Security
it says:
Set hide_maintuser_pwd on to:
So if I set hide_maintuser_pwd to "on" and then set maintuser_pwd_expiration to some value, will maint users passwords be automatically regenerated after the expiration time and then automatically updated in the repserver *and* in the corresponding ASE servers for those maint users?
The key part of this question is whether or not the ASE server maint users get their passwords automatically updated.
Thanks in advance
Ben
Yes. The initial password for the maintenance user will be altered with a new generated string with fixed length ’30’ both in RSSD ‘rs_maintusers’ table and user databases.
The password is then altered periodically when the ‘maintuser_pwd_expiration’ duration expires if the configuration has been set to a non-zero value.
If there are multiple user databases on the same data server which shares one maintenance user login, the password of the login will be altered for each of the user database and its corresponding entry in RSSD.
Limitation
Hide maintenance user password feature is not supported if:
- The database is non-ASE or Replication Server system database(RSSD).
- ASE version is lower than 15.0.3.
- The ASE server is authenticating the maintenance user login with method other than ‘ASE’ (eg. Kerberos or LDAP).
- Maintenance user of the user database shares the same data server login with RSSD maintenance user or primary user.
- Multiple user databases share the same data server login while they are controlled by more than one Replication Server.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks this is a very useful answer.
For me, the following item is a problem:
This is because, in order to minimize repserver crashing problems, we spread out replication for different databases (on the same ASE server) to different repservers. So we have multiple repservers all sharing the same maint user login to an ASE server.
But thanks for the info. I'm marking your answer as "Accepted".
Ben
One more related question:
So if I were to use hide_maintuser_pwd and maintuser_pwd_expiration the passwords for the maint user would periodically change in the repserver and the ASE server.
But what happens with I need to rs_init a new connection to an ASE server. I need to know the maint user password to do that, right? But it's been changed to a random value.
Do I have to reset the maint user password to a known value before running rs_init?
Re: Yes, I have to reset the maint user password to a known value before running rs_init.
So the procedure to do this would be (which would be the default procedure to change maint user passwords if "hide_maintuser_pwd" is off):
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Yes, that would seem to be the case if you use the same maint_user for multiple databases.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
83 | |
10 | |
10 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.