In SPD Server 4.5, clients
can be authenticated by psmgr or by an LDAP server that is running
on the SPD Server host. LDAP authentication integrates with the SPD
Server password facility and offers a centralized approach to user
ID and password management. SPD Server clients that use LDAP authentication
should have user accounts in the domain in which the LDAP and SPD
servers are running. The user ID and password information must be
stored on an LDAP server that the SPD Server can access. The user
ID must be entered into the SPD Server's password database through
psmgr or the SAS Management Console utility so that all other SPD
Server user information is recorded.
When a client uses LDAP
authentication to connect to an SPD Server, the LDAP server that is
configured in the SPD Server's parameter file does the authentication.
After the client is verified, SPD Server uses the client's password
database record for all other SPD Server operations.
To set up LDAP authentication,
add the following parameters to the SPD Server's spdsserv.parm file:
turns on LDAP authentication.
If the LDAP parameter is found during start-up, the SPD Server creates
a context for LDAP authentication. The default setting is NOLDAP.
specifies a valid IP
address, or the host machine for the LDAP server. This address is
usually the same as the IP address of the SPD Server host. The default
value is the IP address of the SPD Server host.
Note: If you use the LDAP_HOST
value for LDAPSERVER, SPD Server might fail during start-up.
specifies the TCP/IP
port that is used to communicate with the LDAP server. This value
is usually the default LOCAL_HOST value or port 389. Valid values
are in the range 0-65536. The default setting is the LDAP_PORT value.
the distinguished name
(DN), or the location in the LDAP Server’s database where the
client’s information is stored. LDAPBINDDN is a Lightweight
Directory Access Protocol term. LDAPBINDDN is the combination of the
user name and the network domain in which they operate. The form of
this string is "ID= , rdn1=RDN1, rdn2=RDN2, ...", where ID is the identifier
of the relative distinguished name (RDN) of a user ID that exists
in the LDAP server database. The default value of the DN is "uid= , dc=DOM1, dc=DOM2, dc=DOM3", and the default
value of the LDAPBINDDN parameter is null.
If no distinguished
name is specified in the spdsserv.parm file, SPD Server uses the LDAP
server host's domain name to generate values for
DOM1,
DOM2, and
DOM3. The SPD Server user ID becomes the value for
uid. The resulting value becomes the default user location for LDAP
database members.
For example, suppose
the LDAP host machine is sunhost.unx.sun.com and the user ID is sunjws.
The resulting default distinguished name is
"uid=sunjws,
dc=unx, dc=sun, dc=com"., The distinguished name is used
to locate the user sunjws. Then the sunjws user password is compared
to the password that is stored in the LDAP database. If SPD Server
users are located in a specific location in your LDAP database, be
sure to specify it using LDAPBINDDN.
See the LDAP server
administrator at your site if you need more information about LDAP
parameters for your spdsserv.parm file. To use the default value for
any LDAP parameter, omit the parameter specification from the spdsserv.parm
file. Undeclared parameters automatically assume default values.