In SPD Server 4.5, clients can be authenticated either by psmgr or by an LDAP server that is reachable from the SPD Server host. LDAP authentication integrates with the SPD Server password facility and offers a centralized approach to user ID and password management. SPD Server clients that use LDAP authentication should have user accounts in the domain in which the LDAP and SPD servers are running, and their user ID and password information must be stored on an LDAP server that the SPD Server can access. The LDAP server verifies only the password: the user ID must still be entered into the SPD Server's password database, through psmgr or the SAS Management Console utility, to record all other SPD Server user information (such as group membership and privileges).
When a client uses LDAP authentication to connect to an SPD Server, the LDAP server that is configured in the SPD Server's parameter file performs the authentication. After the client is verified, SPD Server uses the client's password database record for all other SPD Server operations.
To set up LDAP authentication, the following parameters must be added to the SPD Server's spdsserv.parm file:
Parameters for the spdsserv.parm File

    Parameter     Description
    LDAP          directs user authentication to the LDAP server
    LDAPSERVER    IP address or host name of the LDAP server
    LDAPPORT      TCP/IP port used to communicate with the LDAP server
    LDAPBINDDN    LDAP bind distinguished name
The LDAP parameter turns on LDAP authentication. If the LDAP parameter is found during start-up, the SPD Server creates a context for LDAP authentication.
The LDAPSERVER parameter specifies the IP address or host name of the machine that runs the LDAP server. This is usually the same as the IP address of the SPD Server host, which is also the default value for LDAPSERVER.
The LDAPPORT parameter specifies the TCP/IP port that is used to communicate with the LDAP server. The default is port 389, the standard LDAP port. Traffic on port 389 is not encrypted unless the LDAP server and client negotiate TLS, so a bind to a remote LDAP server over this port exposes the client's password on the network; keeping the LDAP server on the SPD Server host, as the default assumes, keeps that bind off the wire.
The LDAPBINDDN parameter is the "Distinguished Name" (DN), that is, the location in the LDAP server's database where the client's information is stored. The form of this string is

"ID= , rdn1=RDN1, rdn2=RDN2, ...".

ID is the identifier for the relative distinguished name of a user ID that exists in the LDAP server database. The default value of the DN is the following:

"uid= , dc=DOM1, dc=DOM2, dc=DOM3".
If no distinguished name is specified in the spdsserv.parm file, SPD Server uses the LDAP server host's domain name to generate values for DOM1, DOM2, and DOM3. The SPD Server user ID becomes the value for uid. The resulting value becomes the default user location for LDAP database members.
For example, suppose the LDAP host machine is sunhost.unx.sun.com and the user ID is sunjws. The resulting default distinguished name would be

"uid=sunjws, dc=unx, dc=sun, dc=com".

SPD Server binds to the LDAP server with this distinguished name and the password the client supplied, and the LDAP server accepts the bind only if that password matches the one stored for the sunjws entry. If SPD Server users are stored at a specific location in your LDAP database (for example, under their own organizational unit), be sure to specify that location with LDAPBINDDN; otherwise the bind targets the generated default location and fails for users stored elsewhere.
For more information about LDAP parameters for your spdsserv.parm file, see the LDAP server administrator at your site. To use the default value for any LDAP parameter, omit it from the spdsserv.parm file. Undeclared parameters automatically assume default values.
Note: Entering the value LDAP_HOST for LDAPSERVER causes SPD Server to fail during start-up.
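The following script is an added example, not part of SPD Server or of the original page. It reproduces the parameter defaulting, the default-DN derivation and the LDAP_HOST check described above, so that a parm file can be sanity-checked before the server is restarted. Assumptions not taken from the page: parm statements are written as NAME=VALUE or a bare NAME, each terminated by a semicolon; when LDAPSERVER is an IP literal the dc= labels are taken from the SPD Server host's own name (the page does not say where they come from in that case); user IDs containing DN metacharacters are rejected rather than escaped. Nothing here contacts an LDAP server.

```python
"""Resolve the LDAP parameters of an spdsserv.parm fragment and derive bind DNs.

Added example, not SPD Server code. Assumptions: statements are NAME=VALUE or a
bare NAME, each terminated by ';' (the real parm syntax may differ); nothing
here contacts an LDAP server. It applies the defaulting rules and the
default-DN construction the text describes and rejects the LDAP_HOST value
that the note says breaks start-up.
"""
import ipaddress
import re

DEFAULT_LDAP_PORT = 389  # standard LDAP port; the LDAPPORT default named in the text

# DN metacharacters (RFC 4514). A user ID containing one is rejected rather than
# escaped, because the text gives no escaping rule for the uid= value.
_DN_SPECIAL = re.compile(r'[,=+"\\<>;#]')
# "ID= , rdn1=RDN1, ..." template with an empty ID slot, as the text describes it.
_EMPTY_ID_TEMPLATE = re.compile(r'^\s*([A-Za-z][\w-]*)=\s*,\s*(\S.*)$')


def parse_parm(text):
    """Return {NAME: value or None} for each ';'-terminated statement (assumed syntax)."""
    params = {}
    for stmt in text.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        name, sep, value = stmt.partition("=")
        value = value.strip().strip('"') if sep else None
        params[name.strip().upper()] = value
    return params


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def default_bind_dn(host_name):
    """Turn the host's domain name into the "uid= , dc=..., dc=..." template.

    Text's example: sunhost.unx.sun.com -> "uid= , dc=unx, dc=sun, dc=com".
    The host label is dropped and every remaining label becomes a dc= RDN,
    however many labels the name has.
    """
    labels = [l for l in host_name.strip(".").split(".")[1:] if l]
    if not labels:
        raise ValueError("cannot derive dc= components from %r" % host_name)
    return "uid= , " + ", ".join("dc=" + l for l in labels)


def bind_dn_for_user(template, user_id):
    """Fill the empty ID slot of an "ID= , rdn1=RDN1, ..." template with the user ID."""
    if not user_id or _DN_SPECIAL.search(user_id):
        raise ValueError("user ID %r is not a safe RDN value" % user_id)
    m = _EMPTY_ID_TEMPLATE.match(template)
    if not m:
        raise ValueError("LDAPBINDDN %r is not of the form 'ID= , rdn=RDN, ...'" % template)
    return "%s=%s, %s" % (m.group(1), user_id, m.group(2))


def resolve_ldap_settings(params, spd_host_name):
    """Apply the defaults from the text; return None when LDAP is not turned on.

    spd_host_name is the SPD Server host's fully qualified name. It stands in
    for the 'SPD Server host' default of LDAPSERVER and supplies the dc= labels
    when LDAPSERVER is an IP literal (an assumption; the text does not say how
    the domain name is obtained in that case).
    """
    if "LDAP" not in params:
        return None
    server = params.get("LDAPSERVER") or spd_host_name
    if server.upper() == "LDAP_HOST":
        raise ValueError("LDAPSERVER=LDAP_HOST makes SPD Server fail at start-up; "
                         "use an IP address or host name")
    port = int(params.get("LDAPPORT") or DEFAULT_LDAP_PORT)
    if not 1 <= port <= 65535:
        raise ValueError("LDAPPORT %d is not a valid TCP port" % port)
    template = params.get("LDAPBINDDN") or default_bind_dn(
        spd_host_name if _is_ip(server) else server)
    return {"server": server, "port": port, "binddn": template}


# Constructed sample parm fragment (not from the page).
SAMPLE_PARM = """
SORTSIZE=128M;
LDAP;
LDAPSERVER=sunhost.unx.sun.com;
"""

if __name__ == "__main__":
    settings = resolve_ldap_settings(parse_parm(SAMPLE_PARM), "sunhost.unx.sun.com")
    print(settings)
    print(bind_dn_for_user(settings["binddn"], "sunjws"))
```

Running the script with the constructed fragment reproduces the page's example: the LDAP flag is present, LDAPPORT and LDAPBINDDN fall back to their defaults, and the user sunjws resolves to "uid=sunjws, dc=unx, dc=sun, dc=com". Setting LDAPBINDDN to a container such as "uid= , ou=spdusers, dc=unx, dc=sun, dc=com" changes where the bind is directed, and a fragment containing LDAPSERVER=LDAP_HOST is rejected at resolution time rather than at server start-up.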