In SPD Server for Solaris, AIX, HP-UX, and HP Integrity Itanium, clients can be authenticated by psmgr, or by an LDAP Server such as Microsoft Active Directory, Sun Java System Directory Server, or OpenLDAP (for more information, go to www.openldap.org). LDAP authentication integrates with the SPD Server password facility and provides a centralized approach to user ID and password management. SPD Server clients that use LDAP authentication should have user accounts that are managed by the authenticating LDAP server. The user ID and password information must be stored on an LDAP server that the SPD Server can access. The user ID must be entered into the SPD Server password database through psmgr or the SAS Management Console utility so that all other SPD Server user information is recorded.

When a client uses LDAP authentication to connect to an SPD Server, the LDAP server that is configured in the SPD Server's parameter file does the authentication. After the client is verified, SPD Server uses the client's password database record for all other SPD Server operations.
To set up LDAP authentication, add the following parameters to the SPD Server's spdsserv.parm file:

LDAP
    turns on LDAP authentication. If the LDAP parameter is found during start-up, the SPD Server creates a context for LDAP authentication. The default setting is NOLDAP.

LDAPSERVER=
    specifies a valid IP address, or the host machine for the LDAP server. This address is usually the same as the IP address of the SPD Server host. The default value is the IP address of the SPD Server host.
    Note: If you use the LDAP_HOST value for LDAPSERVER, SPD Server might fail during start-up.

LDAP port parameter
    specifies the TCP/IP port that is used to communicate with the LDAP server. This value is usually the default LOCAL_HOST value or port 389. Valid values are in the range 0-65536. The default setting is the LDAP_PORT value.

LDAPBINDMETH=
    controls the way SPD Server clients are authenticated by the LDAP server. If this parameter is found in the SPD Server parameter file, LDAPBINDMETH is a character string whose value must be LDAP_AUTH_SASL. The default setting is null.
    The value LDAP_AUTH_SASL forces secure authentication and is the default authentication method. LDAPBINDMETH="LDAP_AUTH_SASL" tells the LDAP server to authenticate SPD Server clients with the Simple Authentication and Security Layer (SASL) method. SASL is the preferred authentication method for secure environments. When the SPD Server authenticates with SASL, the SPD Server specifies that the DIGEST-MD5 mechanism is used. DIGEST-MD5 is the most common LDAP authentication and is a requirement for all Version 3 LDAP server products.

LDAPBINDDN=
    specifies the distinguished name (DN), or the location in the LDAP Server's database where the client's information is stored. LDAPBINDDN is a Lightweight Directory Access Protocol term. LDAPBINDDN is the combination of the user name and the network domain in which they operate. The form of this string is ID=<user ID>, rdn1=RDN1, rdn2=RDN2, ..., where ID is the identifier for the relative distinguished name (RDN) of a user ID that exists in the LDAP server database. The default value of the DN is uid=<user ID>, dc=DOM1, dc=DOM2, dc=DOM3. The default value of the LDAPBINDDN parameter is null.
    If no distinguished name is specified in the spdsserv.parm file, SPD Server uses the LDAP Server host's domain name to generate values for DOM1, DOM2, and DOM3. The SPD Server user ID becomes the value for uid. The resulting value becomes the default user location for LDAP database members.
For example, suppose the LDAP host machine is sunhost.unx.sun.com and the user ID is sunjws. The resulting default DN is "uid=sunjws, dc=unx, dc=sun, dc=com". The distinguished name is used to locate the user sunjws. Then the sunjws user password is compared to the password that is stored in the LDAP database. If SPD Server users are located in a specific location in your LDAP database, be sure to specify that location using LDAPBINDDN.
See the LDAP Server administrator for your site if you need more information about LDAP parameters for your spdsserv.parm file. To use the default value for any LDAP parameter, omit the parameter specification from the spdsserv.parm file. Undeclared parameters automatically assume default values.

Note: Entering the LDAP_HOST value for LDAPSERVER can cause SPD Server to fail during start-up.
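The parameter rules above, as an added example (my code, not SAS's): it parses a constructed spdsserv.parm fragment, applies the documented defaults, rejects the LDAP_HOST value and a non-SASL bind method, and derives the default LDAPBINDDN from the LDAP host's domain name the way the sunhost.unx.sun.com example shows. It assumes entries are NAME=value pairs ended by semicolons and that the port parameter is named LDAPPORT; the DN builder generalises the text's three-component DN to any number of domain labels.

```python
import re

# Constructed spdsserv.parm fragment; LDAPBINDDN is omitted on purpose so the
# default DN must be derived from the LDAP host's domain name.
SAMPLE_PARM = """
LDAP;
LDAPSERVER=sunhost.unx.sun.com;
LDAPBINDMETH="LDAP_AUTH_SASL";
"""


def default_bind_dn(ldap_host, user_id):
    """uid=<user ID> followed by one dc= per domain label of the LDAP host.

    Generalises the text's three-component case to any number of labels."""
    host = ldap_host.strip().lower()
    if re.fullmatch(r"[\d.]+", host) or "." not in host:
        raise ValueError("no domain name to derive dc= from; set LDAPBINDDN")
    labels = host.split(".")[1:]                    # drop the host label
    return ", ".join(["uid=%s" % user_id] + ["dc=%s" % lab for lab in labels])


def parse_parm(text):
    """Return {NAME: value} for each 'NAME=value;' or bare 'NAME;' entry."""
    settings = {}
    for entry in re.split(r";\s*", text):
        entry = entry.strip()
        if entry:
            name, _, value = entry.partition("=")
            settings[name.strip().upper()] = value.strip().strip('"')
    return settings


def resolve_ldap(parm, user_id, spd_host_ip):
    """Apply the documented defaults and checks to the parsed settings."""
    if "LDAP" not in parm or "NOLDAP" in parm:
        return {"ldap": False}                      # default is NOLDAP
    server = parm.get("LDAPSERVER", spd_host_ip)    # default: SPD Server host
    if server.upper() == "LDAP_HOST":
        raise ValueError("LDAPSERVER=LDAP_HOST can fail at start-up")
    port = int(parm.get("LDAPPORT", "389"))         # LDAPPORT name is assumed
    if not 0 <= port <= 65535:
        raise ValueError("port %d outside the TCP port range" % port)
    meth = parm.get("LDAPBINDMETH")                 # default: null
    if meth is not None and meth != "LDAP_AUTH_SASL":
        raise ValueError("LDAPBINDMETH must be LDAP_AUTH_SASL, got %r" % meth)
    bind_dn = parm.get("LDAPBINDDN") or default_bind_dn(server, user_id)
    return {"ldap": True, "server": server, "port": port,
            "bindmeth": meth, "binddn": bind_dn}
```

If LDAPSERVER is given as an IP address, no domain name exists to derive dc= values from, so the builder refuses and LDAPBINDDN has to be set explicitly.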