Notes for SPD Server Administrators

The SPD Server administrator performs the maintenance and configuration functions for SPD Server. The following sections contain guidelines for administrators.

UNIX User IDs

The SPD Server administrator needs a UNIX login ID on the SPD Server machine. Other SPD Server users do not need UNIX login IDs. You can control other users' access to SPD Server data resources without giving them special login accounts by using the SPD Server password facility. Withholding login accounts from these users adds a measure of security and control, and SPD Server users are permitted physical access to the SPD Server machine.
You should add the InstallDir/bin directory to your PATH environment variable by using your shell's login script. If you use ksh, modify the .profile or .kshrc files. If you use csh, modify the .login or .cshrc files, depending on where you currently set the PATH environment variable. This modification makes invoking the various SPD Server utility programs much easier.
Run your SPD Server environment using the same UNIX user ID that was used to install SPD Server on the server machine. The user ID should also be the SPD Server administrator's user ID. The common user ID minimizes potential problems with file ownership and system access permissions on the server machine. You add SPD Server access controls to the resources that were created with SPD Server by using SPD Server user IDs and SPD Server ACLs. The SPD Server user IDs and ACLs provide fine-grained access controls to the SPD Server data resources.
Regardless of how the SPD Server run-time environment is configured, SPD Server processes always run with a UNIX user ID. That UNIX user ID owns all of the files that the SPD Server process creates. The UNIX user ID is governed by UNIX file access permissions. Remember this when you are starting SPD Server processes and running SPD Server administrator utilities. Otherwise, it is possible to create files that have ownership and permissions that deny required access to the SPD Server processes. If you perform all SPD Server installation and administration tasks from the same UNIX user ID, subsequent use of the SPD Server is much easier.
Here are some options for establishing the appropriate UNIX user ID for your SPD Server processes:
  • Establish a dedicated UNIX account for the SPD Server administrator. Always execute the rc.spds script from that account.
  • The rc.spds script that starts the SPD Server processes should use the setuid bit. It does not matter who executes the script; the shell that executes it runs with the user ID of the script's owner. This ensures that SPD Server processes run with the correct UNIX user ID.
  • When you start the system, use the UNIX su command to establish the correct UNIX user ID for the shell that executes the rc.spds script. To start the environment manually, you must enter the password for each UNIX account in your su command, unless you are root when you execute the su command.
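As an added example (not from the SPD Server documentation or product), the following POSIX sh wrapper performs the two checks this section warns about before handing off to rc.spds: that the invoking shell runs as the expected administrator user ID, and that every file under the installation directory is owned by that ID. The installation directory, the administrator account and the location of rc.spds are placeholders.

```shell
#!/bin/sh
# Added example: pre-start checks for an SPD Server installation.
# InstallDir, the admin account and the rc.spds location are assumptions.

# spds_owner_mismatches DIR UID
# Lists every file under DIR that is not owned by numeric user ID UID.
# Returns 0 when all files are owned by UID, 1 otherwise.
spds_owner_mismatches() {
    _dir=$1
    _uid=$2
    # find accepts a numeric user ID for -user
    bad=$(find "$_dir" ! -user "$_uid" -print 2>/dev/null)
    if [ -n "$bad" ]; then
        printf 'WARNING: files not owned by uid %s:\n%s\n' "$_uid" "$bad" >&2
        return 1
    fi
    return 0
}

# spds_check_runas USER
# Returns 0 only if the current shell's user name equals USER.
spds_check_runas() {
    [ "$(id -un)" = "$1" ]
}

# spds_start INSTALLDIR ADMINUSER
# Runs both checks, then executes INSTALLDIR/rc.spds (assumed location).
spds_start() {
    install_dir=$1
    admin=$2
    if ! spds_check_runas "$admin"; then
        printf 'Run rc.spds as %s, not %s\n' "$admin" "$(id -un)" >&2
        return 1
    fi
    admin_uid=$(id -u "$admin")
    spds_owner_mismatches "$install_dir" "$admin_uid" || return 1
    "$install_dir/rc.spds"
}

# Entry point, e.g.: ./spds_start.sh start /opt/spds spdsadm  (placeholder values)
[ "${1-}" = "start" ] && spds_start "$2" "$3"
```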

SPD Server User IDs

The SPD Server administrator needs to be familiar with the psmgr utility in SPD Server.
The SPD Server system uses its own layer of access controls that overlay UNIX access permissions. SPD Server processes run in the context of a UNIX user ID, and that user owns all of the resulting SPD Server file resources that are created.
The SPD Server password file allows better access control to SPD Server's data resources than a native UNIX user ID does. Many sites do not want to give UNIX accounts to SPD Server system users, but still want to retain protection of and ownership of the data resources that were created in the SPD Server environment. In this case, SPD Server user IDs provide an extra layer of access control.
If you do not use SPD Server user IDs, you still need the SPD Server password file. Without the SPD Server password file, the SPD Server host process does not function correctly. To disable the use of SPD Server user IDs at your site, specify the -NOACL option when you start SPD Server.
If you use SPD Server user IDs, add them to the SPD Server password file that was created during installation. The psmgr command reads its commands from stdin, so you can pipe commands to it from another command, script, or input file.

LDAP Password Authentication

LDAP authentication causes SPD Server to authenticate an SPD Server user password using LDAP, rather than using the password in the password database. LDAP authentication allows an SPD Server user to have the same user ID and password as their UNIX logon, as long as the UNIX logon meets the SPD Server character restrictions for user IDs and passwords.
You can select the mode of password authentication with server parameters. You can choose between using psmgr or LDAP. After you select the mode, all authentication is performed using that mode. When you use LDAP authentication, an SPD Server user must still be entered in the SPD Server password database in order to maintain other information that SPD Server requires, such as a user's groups and access levels.
For more information about SPD Server LDAP authentication, see LDAP Authentication Notes.