SPD Server Lightweight Directory Access Protocol (LDAP) Authentication

In SPD Server for Solaris, AIX, HP-UX, and HP Integrity Itanium, clients can be authenticated by psmgr or by an LDAP server such as Microsoft Active Directory, Sun Java System Directory Server, or OpenLDAP (for more information, go to www.openldap.org). LDAP authentication integrates with the SPD Server password facility and provides a centralized approach to user ID and password management. SPD Server clients that use LDAP authentication should have user accounts that are managed by the authenticating LDAP server, and the user ID and password information must be stored on an LDAP server that the SPD Server can reach. The user ID must still be entered into the SPD Server password database, through psmgr or the SAS Management Console utility, so that all other SPD Server user information is recorded.
When a client uses LDAP authentication to connect to an SPD Server, the LDAP server that is configured in the SPD Server's parameter file does the authentication. After the client is verified, SPD Server uses the client's password database record for all other SPD Server operations.
To set up LDAP authentication, add the following parameters to the SPD Server's spdsserv.parm file:
(NO)LDAP
turns on LDAP authentication. If the LDAP parameter is found during start-up, the SPD Server creates a context for LDAP authentication. The default setting is NOLDAP.
LDAPSERVER
specifies the IP address or host name of the machine that runs the LDAP server. This address is usually the same as the IP address of the SPD Server host. The default value is the IP address of the SPD Server host.
Note: If you use the LDAP_HOST value for LDAPSERVER, SPD Server might fail during start-up.
LDAPPORT
specifies the TCP/IP port that is used to communicate with the LDAP server. This value is usually the default LOCAL_HOST value, or port 389. Valid values are in the range 0-65536. The default setting is the LDAP_PORT value.
LDAPBINDMETH
controls the way SPD Server clients are authenticated by the LDAP server. If this parameter is found in the SPD Server parameter file, LDAPBINDMETH is a character string whose value must be LDAP_AUTH_SASL. The default setting is null.
The value LDAP_AUTH_SASL forces secure authentication and is the default authentication method. LDAPBINDMETH="LDAP_AUTH_SASL" tells the LDAP server to authenticate SPD Server clients with the Simple Authentication and Security Layer (SASL) method. SASL is the preferred authentication method for secure environments. When the SPD Server authenticates with SASL, it specifies that the DIGEST-MD5 mechanism is used. DIGEST-MD5 is the most common LDAP authentication mechanism and is a requirement for all Version 3 LDAP server products.
LDAPBINDDN
specifies the distinguished name (DN), that is, the location in the LDAP server's database where the client's information is stored. LDAPBINDDN is a Lightweight Directory Access Protocol term: the DN combines the user name with the network domain in which the user operates. The form of this string is ID= , rdn1=RDN1, rdn2=RDN2, ... , where ID is the identifier for the relative distinguished name (RDN) of a user ID that exists in the LDAP server database. The default form of the DN is uid= , dc=DOM1, dc=DOM2, dc=DOM3. The default value of the LDAPBINDDN parameter is null.
If no distinguished name is specified in the spdsserv.parm file, SPD Server uses the LDAP Server host's domain name to generate values for DOM1, DOM2, and DOM3. The SPD Server user ID becomes the value for uid. The resulting value becomes the default user location for LDAP database members.
For example, suppose the LDAP host machine is sunhost.unx.sun.com and the user ID is sunjws. The resulting default DN is "uid=sunjws, dc=unx, dc=sun, dc=com". The distinguished name is used to locate the user sunjws; the sunjws user password is then compared to the password that is stored in the LDAP database. If SPD Server users are stored in a specific location in your LDAP database, be sure to specify that location with LDAPBINDDN.
See the LDAP Server administrator for your site if you need more information about LDAP parameters for your spdsserv.parm file. To use the default value for any LDAP parameter, omit the parameter specification from the spdsserv.parm file. Undeclared parameters automatically assume default values.
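The following is an added example, not code from SAS or the SPD Server product: it reads the LDAP parameters from a constructed spdsserv.parm fragment and derives the bind DN that the LDAPSERVER and LDAPBINDDN rules above produce for a client, including the default DN built from the host's domain name. It assumes that parameter statements take the form NAME=VALUE; or NAME; (LDAP; / NOLDAP;) and that SPD Server fills the empty leading RDN of LDAPBINDDN with the client's user ID.

```python
# Added example (not SAS code): derive the bind DN SPD Server would use for a client,
# following the LDAPSERVER / LDAPBINDDN rules above. Assumed: spdsserv.parm statements
# are NAME=VALUE; or NAME; (LDAP; / NOLDAP;), and SPD Server fills the empty leading
# RDN of LDAPBINDDN with the client's user ID.

def parse_parm(text: str) -> dict:
    """Semicolon-terminated statements -> dict; bare flags map to True."""
    params = {}
    for stmt in text.replace("\n", " ").split(";"):
        name, sep, value = stmt.strip().partition("=")
        if name:
            params[name.strip().upper()] = value.strip().strip('"') if sep else True
    return params

def default_bind_dn(ldap_host: str, user_id: str) -> str:
    """uid=<user>, dc=DOM1, dc=DOM2, ... taken from the LDAP host's domain name."""
    labels = ldap_host.strip().rstrip(".").split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        # An IP address (the LDAPSERVER default) or a bare host name has no domain
        # labels to turn into dc= RDNs: set LDAPBINDDN explicitly in that case.
        raise ValueError(f"cannot derive a default DN from {ldap_host!r}")
    return ", ".join([f"uid={user_id}"] + [f"dc={d}" for d in labels[1:]])

def fill_bind_dn(template: str, user_id: str) -> str:
    """Put the user ID into the empty leading RDN of 'uid= , dc=..., dc=...'."""
    rdns = [r.strip() for r in template.split(",")]
    attr, sep, value = rdns[0].partition("=")
    if not sep:
        raise ValueError(f"first RDN {rdns[0]!r} is not attr=value")
    if value.strip():          # template already names a user; leave it untouched
        return ", ".join(rdns)
    return ", ".join([f"{attr.strip()}={user_id}"] + rdns[1:])

def resolve_bind_dn(parm_text: str, spd_host: str, user_id: str):
    """DN used to locate user_id, or None when LDAP authentication is off."""
    params = parse_parm(parm_text)
    if "LDAP" not in params or "NOLDAP" in params:
        return None        # NOLDAP is the default: psmgr authenticates instead
    ldap_host = params.get("LDAPSERVER", spd_host)   # default: the SPD Server host
    template = params.get("LDAPBINDDN")
    return fill_bind_dn(template, user_id) if template else default_bind_dn(ldap_host, user_id)

# Constructed sample spdsserv.parm fragment (not from a real installation).
SAMPLE_PARM = """
LDAP;
LDAPSERVER=ldap.unx.sun.com;
LDAPBINDMETH="LDAP_AUTH_SASL";
LDAPBINDDN=uid= , ou=spdusers, dc=unx, dc=sun, dc=com;
"""
```

With SAMPLE_PARM the DN becomes "uid=sunjws, ou=spdusers, dc=unx, dc=sun, dc=com"; with only LDAP; set, the default "uid=sunjws, dc=unx, dc=sun, dc=com" from the page's example is produced instead.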