LDAP Authentication

Overview of LDAP Authentication

SPD Server can authenticate user passwords either against an LDAP server or with the psmgr utility's password database. With LDAP authentication, the LDAP server (by default one running on the SPD Server host; see LDAPSERVER below) checks the password, so password maintenance is handled by the operating system and directory rather than in the psmgr database. This gives you operating-system-level password policy and a single place to maintain credentials.
When you use an LDAP server to perform SPD Server user authentication, keep the following facts in mind:
  • SPD Server users are authenticated either by an LDAP server or by the psmgr utility, never by both. The authentication method is specified in the spdsserv.parm file, which is read only when SPD Server starts.
  • If you switch from LDAP authentication back to the psmgr utility, remove all LDAP parameters from the spdsserv.parm file, then restart SPD Server so that the changed file is read.
  • Even when SPD Server authenticates users with the LDAP server, you still need the psmgr utility. A psmgr password database record is required for each SPD Server user, because SPD Server uses that database for access control and other tasks that are not related to password authentication.
  • Every user who connects to SPD Server must have a corresponding account on the LDAP server. The LDAP server user ID and the SPD Server user ID use the same format, and the password uses the host operating system's password format. A user ID must be at least 8 characters in length.
  • When you add a new user with psmgr you must still supply an initial password. Under LDAP authentication this password is never used; it exists only so the record can be created. The user does not need the NEWPASSWD= or CHANGEPASS=YES LIBNAME option in order to authenticate with the LDAP password.
  • Some LDAP server products require that users also have host logon information. In that case, confirm with your LDAP server administrator that this information exists in the LDAP database for each SPD Server user.
  • Under LDAP authentication, a connection that specifies the NEWPASSWORD= LIBNAME option does not change the user's password. To change a password, follow the operating system's procedure, and check with your LDAP server administrator that the LDAP database records the change.

Configuring LDAP Authentication

To set up LDAP authentication, add the following parameters to the SPD Server's spdsserv.parm file:
(NO)LDAP
turns on LDAP authentication. If the LDAP parameter is found during start-up, SPD Server creates a context for LDAP authentication. The default setting is NOLDAP.
LDAPSERVER
specifies the IP address or host name of the LDAP server. This is usually the same host that runs SPD Server. The default value is the IP address of the SPD Server host.
LDAPPORT
specifies the TCP port used to communicate with the LDAP server. The default is the LDAP_PORT value, port 389, the standard port for LDAP without transport encryption. Valid values are in the range 0–65535. Because each user's password is sent to the LDAP server in the bind, confirm with your LDAP server administrator how the link between the SPD Server host and the LDAP server is protected when the two are not on the same machine.
LDAPBINDMETH
controls how SPD Server clients are authenticated by the LDAP server. If this parameter is found in the SPD Server parameter file, LDAPBINDMETH is a character string whose value must be LDAP_AUTH_SASL. The default setting is null.
LDAPBINDDN
the distinguished name (DN), which is the location in the LDAP server database where the user entries are stored. A DN is a comma-separated list of relative distinguished names (RDNs), and for LDAPBINDDN it combines the user ID with the network domain in which the user operates. The string has the form ID= , rdn1=RDN1, rdn2=RDN2, ..., where ID is the attribute name for the user-ID RDN and its value is left empty so that SPD Server can supply the connecting user's ID. The default form of the DN is uid= , dc=DOM1, dc=DOM2, dc=DOM3. The default value of the LDAPBINDDN parameter itself is null.
If no distinguished name is specified in the spdsserv.parm file, SPD Server derives DOM1, DOM2, and DOM3 from the LDAP server host's domain name and uses the SPD Server user ID as the uid value. The resulting DN is the default location at which SPD Server looks up users in the LDAP database.
For example, suppose the LDAP host machine is sunhost.unx.sun.com and the user ID is sunjws. The resulting default DN is uid=sunjws, dc=unx, dc=sun, dc=com. SPD Server uses this DN to locate the entry for sunjws and then checks the supplied password against the password stored in the LDAP database. If your SPD Server users are stored elsewhere in the directory, specify that location with LDAPBINDDN.
See the LDAP Server administrator for your site if you need more information about LDAP parameters for your spdsserv.parm file. To use the default value for any LDAP parameter, omit the parameter specification from the spdsserv.parm file. Undeclared parameters automatically assume default values.
Note: Entering the literal value LDAP_HOST for LDAPSERVER can cause SPD Server to fail during start-up. Use a host name or IP address instead.
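The following is an added example, not SAS code: it shows the default DN derivation described above (host labels after the first become dc= components, the SPD Server user ID becomes the uid= value), fills a user ID into an LDAPBINDDN template, and checks the LDAP* entries of an spdsserv.parm fragment for the problems this section warns about. Two things are assumptions: that spdsserv.parm entries have the form NAME=value; or NAME;, and that SPD Server supplies the user ID into the empty first RDN of an LDAPBINDDN template. The RDN escaping follows RFC 4514 and is the check a practitioner would want, because an unescaped user ID such as `x,dc=evil` would otherwise rewrite the DN.

```python
"""Default bind-DN derivation and LDAP parameter checks for spdsserv.parm.

Added example; not part of SAS SPD Server. Parm-file syntax (NAME=value; / NAME;)
and the empty-first-RDN template convention for LDAPBINDDN are assumptions.
"""

LDAP_PORT = 389  # LDAP_PORT default: plain LDAP without transport encryption

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514).
_RDN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN so it cannot add or alter RDNs."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _RDN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def default_bind_dn(ldap_host: str, user_id: str) -> str:
    """DN SPD Server derives when LDAPBINDDN is omitted.

    sunhost.unx.sun.com + sunjws -> uid=sunjws, dc=unx, dc=sun, dc=com
    """
    labels = [lab for lab in ldap_host.strip().rstrip(".").split(".") if lab]
    if len(labels) < 2:
        raise ValueError(f"{ldap_host!r} has no domain part to derive dc= components from")
    rdns = [f"uid={escape_rdn_value(user_id)}"]
    rdns += [f"dc={escape_rdn_value(label)}" for label in labels[1:]]
    return ", ".join(rdns)


def fill_bind_dn(template: str, user_id: str) -> str:
    """Insert the user ID into an LDAPBINDDN template 'ID= , rdn1=RDN1, ...' (assumed convention)."""
    first, sep, rest = template.partition(",")
    attr, eq, val = first.partition("=")
    if not eq or not attr.strip() or val.strip():
        raise ValueError("LDAPBINDDN must start with an empty '<ID>=' RDN")
    return f"{attr.strip()}={escape_rdn_value(user_id)}" + (sep + rest if sep else "")


def parse_parm(text: str) -> dict:
    """Parse 'NAME=value;' and bare 'NAME;' entries into a dict (switches map to None)."""
    params = {}
    for entry in text.split(";"):
        entry = entry.strip()
        if entry:
            name, eq, value = entry.partition("=")
            params[name.strip().upper()] = value.strip() if eq else None
    return params


def check_ldap_params(params: dict) -> list:
    """Return the problems this section warns about, as a list of strings."""
    problems = []
    ldap_keys = [k for k in params if k.startswith("LDAP") and k != "LDAP"]
    if "LDAP" in params and "NOLDAP" in params:
        problems.append("LDAP and NOLDAP both present; only one may appear")
    if "LDAP" not in params and ldap_keys:
        problems.append("LDAP parameters present without LDAP; remove them for psmgr authentication")
    server = params.get("LDAPSERVER")
    if server is not None and server.upper() == "LDAP_HOST":
        problems.append("LDAPSERVER=LDAP_HOST can make SPD Server fail at start-up; use a host name or IP")
    port = params.get("LDAPPORT")
    if port is not None and not (port.isdigit() and 0 <= int(port) <= 65535):
        problems.append(f"LDAPPORT={port!r} is not a valid TCP port (0-65535)")
    meth = params.get("LDAPBINDMETH")
    if meth is not None and meth != "LDAP_AUTH_SASL":
        problems.append("LDAPBINDMETH must be LDAP_AUTH_SASL when present")
    dn = params.get("LDAPBINDDN")
    if dn is not None:
        try:
            fill_bind_dn(dn, "probe")
        except ValueError as exc:
            problems.append(f"LDAPBINDDN: {exc}")
    return problems


# Constructed sample fragments (not from a real installation).
GOOD_PARM = """\
LDAP;
LDAPSERVER=sunhost.unx.sun.com;
LDAPPORT=389;
LDAPBINDMETH=LDAP_AUTH_SASL;
LDAPBINDDN=uid= , ou=spds, dc=unx, dc=sun, dc=com;
"""
BAD_PARM = """\
LDAP;
LDAPSERVER=LDAP_HOST;
LDAPPORT=65536;
LDAPBINDMETH=simple;
"""

if __name__ == "__main__":
    print(default_bind_dn("sunhost.unx.sun.com", "sunjws"))
    print(fill_bind_dn(parse_parm(GOOD_PARM)["LDAPBINDDN"], "sunjws"))
    for problem in check_ldap_params(parse_parm(BAD_PARM)):
        print("problem:", problem)
```

Run it once against your own spdsserv.parm before restarting SPD Server; the checks cover only what this section states (the LDAP_HOST start-up failure, the port range, the required LDAPBINDMETH value, and leftover LDAP parameters when psmgr authentication is intended), so a clean result does not prove the LDAP server itself is reachable.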