In SPD
Server for Solaris, AIX, HP-UX, and HP Integrity Itanium, clients
can be authenticated by psmgr, or by an LDAP Server such as Microsoft
Active Directory, Sun Java System Directory Server, or OpenLDAP from
www.openldap.org. LDAP authentication integrates with the SPD Server
password facility and offers a centralized approach to user ID and
password management. SPD Server clients that use LDAP authentication
should have user accounts managed by the authenticating LDAP server.
In addition, the user ID and password information must be stored on
an LDAP server that the SPD Server can access. The user ID must still be
entered into the SPD Server password database through psmgr or the
SAS Management Console Utility, because that record holds all other SPD Server user
information.
When a
client uses LDAP authentication to connect to an SPD Server, the LDAP
server that is configured in the SPD Server's parameter file does
the authentication. After the client is verified, SPD Server uses
the client's password database record for all other SPD Server operations.
To set
up LDAP authentication, the following parameters must be added to
the SPD Server's spdsserv.parm file:
Parameters for spdsserv.parm

    LDAP          directs user authentication
    LDAPSERVER    LDAP server host or IP address
    LDAPPORT      TCP/IP port used for the LDAP server
    LDAPBINDMETH  LDAP bind (authentication) method
    LDAPBINDDN    LDAP bind distinguished name
The LDAP
parameter turns on LDAP authentication. If the LDAP parameter is found
during start-up, the SPD Server creates a context for LDAP authentication.
The LDAPSERVER
parameter specifies a valid IP address, or the host machine for the
LDAP server. This is usually the same address as the IP address of
the SPD Server host. The default value for LDAPSERVER is the IP address
of the SPD Server host.
The LDAPPORT
parameter specifies the TCP/IP port that is used to communicate with
the LDAP server. This is usually the default LOCAL_HOST or port 389.
The LDAPBINDMETH
parameter controls the way SPD Server clients are authenticated by
the LDAP server. If it is found in the SPD Server parameter file,
LDAPBINDMETH is a character string whose value is either LDAP_AUTH_SIMPLE
or LDAP_AUTH_SASL.
The default
authentication method, LDAP_AUTH_SIMPLE, sends the SPD Server client's
user name and password to the LDAP server in clear text. LDAP_AUTH_SIMPLE
should not be used in a secure environment.
When LDAPBINDMETH="LDAP_AUTH_SASL",
the LDAP server authenticates SPD Server clients with the Simple Authentication
and Security Layer (SASL) method. SASL is the preferred authentication
method for secure environments. When authenticating with SASL, the
SPD Server specifies that the DIGEST-MD5 mechanism is used.
DIGEST-MD5
is the most common LDAP authentication mechanism and is required of all
Version 3 LDAP server products.
The LDAPBINDDN
parameter is the distinguished name (DN), or the location in the LDAP
Server's database where the client's information is stored. The form
of this string is the following:
"ID= , rdn1=RDN1, rdn2=RDN2, ...".
ID is the
identifier for the relative distinguished name (RDN) of a user ID
that exists in the LDAP server database. The default value of the
DN is the following:
"uid= , dc=DOM1, dc=DOM2, dc=DOM3".
If no
distinguished name is specified in the spdsserv.parm file, SPD Server
uses the LDAP Server host's domain name to generate values for
DOM1, DOM2, and DOM3. The SPD Server user ID becomes the value for
uid. The resulting value becomes the default user location
for LDAP database members.
For example,
suppose the LDAP host machine is sunhost.unx.sun.com and the user
ID is sunjws. The resulting default distinguished name is the following:
"uid=sunjws, dc=unx, dc=sun, dc=com".
The distinguished
name is used to locate the user sunjws. Then the sunjws user password
is compared to the password that is stored in the LDAP database. If
there is a specific location for SPD Server users in your LDAP database,
be sure to specify it using LDAPBINDDN.
See the
LDAP Server administrator for your site if you need more information
about LDAP parameters for your spdsserv.parm file. To use the default
value for any LDAP parameter, omit the parameter specification from
the spdsserv.parm file. Undeclared parameters automatically assume
default values.
Note: Entering the
LDAP_HOST value for LDAPSERVER can cause SPD Server to fail during
start-up.
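The following is an added example, not SAS or SPD Server code, that applies the rules above to a spdsserv.parm fragment: it fills in the documented defaults (port 389, LDAP_AUTH_SIMPLE, the generated "uid=..., dc=..." bind DN) and reports the settings a reviewer would want to catch before enabling LDAP authentication. It assumes parameters appear one per line as NAME=value, optionally quoted and optionally ended with ";"; the sample fragment is constructed.

```python
import re

# Defaults the page documents for undeclared parameters.
DEFAULTS = {"LDAPPORT": "389", "LDAPBINDMETH": "LDAP_AUTH_SIMPLE"}
VALID_BIND = {"LDAP_AUTH_SIMPLE", "LDAP_AUTH_SASL"}
# Assumed line syntax: NAME, or NAME=value, value optionally quoted, optional ';'.
_LINE = re.compile(r'^\s*([A-Za-z_]+)(?:\s*=\s*"?([^";]*?)"?)?\s*;?\s*$')


def parse_parm(text):
    """Return {NAME: value} for the recognised lines (names upper-cased)."""
    params = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            params[m.group(1).upper()] = (m.group(2) or "").strip()
    return params


def default_bind_dn(ldap_host, user_id):
    """Generate the default DN: user ID becomes uid, the host's domain
    labels (everything after the host name) become the dc= components."""
    labels = ldap_host.split(".")[1:]
    return ", ".join([f"uid={user_id}"] + [f"dc={lab}" for lab in labels])


def effective_settings(params, spd_host, user_id):
    """Merge declared LDAP* parameters over the documented defaults."""
    cfg = dict(DEFAULTS)
    cfg["LDAPSERVER"] = spd_host  # default: the SPD Server host itself
    cfg.update({k: v for k, v in params.items() if k.startswith("LDAP")})
    cfg.setdefault("LDAPBINDDN", default_bind_dn(cfg["LDAPSERVER"], user_id))
    return cfg


def review(cfg):
    """Findings about the effective settings, in the page's own terms."""
    findings = []
    if "LDAP" not in cfg:
        findings.append("LDAP parameter absent: LDAP authentication is not enabled")
    meth = cfg["LDAPBINDMETH"]
    if meth == "LDAP_AUTH_SIMPLE":
        findings.append("LDAP_AUTH_SIMPLE sends credentials in clear text; use LDAP_AUTH_SASL")
    elif meth not in VALID_BIND:
        findings.append(f"unknown LDAPBINDMETH {meth!r}")
    if cfg["LDAPSERVER"].upper() == "LDAP_HOST":
        findings.append("LDAPSERVER=LDAP_HOST can make SPD Server fail at start-up")
    return findings


# Constructed fragment: LDAPBINDMETH and LDAPBINDDN are left undeclared.
SAMPLE_PARM = 'LDAP=YES;\nLDAPSERVER="sunhost.unx.sun.com";\nLDAPPORT=389;\n'
```

Running `review(effective_settings(parse_parm(SAMPLE_PARM), "sunhost.unx.sun.com", "sunjws"))` reports the clear-text bind method, and the generated DN is the page's "uid=sunjws, dc=unx, dc=sun, dc=com".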