Prior to SPD Server 5.2, the only alternative to native SPD Server authentication was LDAP (Lightweight Directory Access Protocol). (For more information about alternative authentication methods, such as using SAS Metadata Server to configure back-end authenticators, see Overview of SAS Metadata Server Authentication.) An LDAP server that runs on the SPD Server machine performs LDAP authentication. When you use LDAP authentication, the operating system handles password maintenance. LDAP authentication has the added benefit of operating-system-level security and convenience.
On startup, an LDAP configuration in the server parameter file signals the SPD Server host to use LDAP authentication. SPD Server sends the LDAP server a DN (Distinguished Name) that consists of the user ID. LDAP begins the process of validation and sets access accordingly. LDAP authentication levels can range from anonymous authentication, which gives the least amount of access to information, to administrator authentication, which gives a user complete access. After the LDAP settings are accessed, SPD Server grants user access according to the protocols set in the password database.
When you use an LDAP server to perform SPD Server user authentication, keep the following facts in mind:

- SPD Server users can be authenticated by an LDAP server, or by SPD Server via the psmgr password database, but not by both. The type of authentication to be performed is specified in the server parameter file, which is read when SPD Server is invoked.

- If you are changing from using the LDAP server to using SPD Server via the psmgr password database for authentication, you must remove all LDAP parameters from the SPD Server server parameter file. In order for the changes to the server parameter file to be read, you must restart SPD Server.

- When you configure SPD Server to perform user authentication using the LDAP server, you still need the psmgr utility. When you use the LDAP server, a password database record is required for each SPD Server user. SPD Server uses the psmgr utility's password database to perform user access control tasks and other tasks that are not related to user password authentication.

- Users that connect to an SPD Server must have corresponding logon information on the LDAP server. The LDAP server user ID and the SPD Server user ID formats are the same. The logon password format is the host-operating-system format.

- You must enter an initial password in the psmgr table when you are adding a new user. This password is never used; it simply enables you to add the new user. The user is not required to use the NEWPASSWD= or CHANGEPASS=YES LIBNAME option to use the LDAP password.

- Some LDAP server products might require users to enter host logon information. In these cases, confirm with your LDAP server administrator that the host logon information exists in the LDAP database.

- If you are using LDAP user authentication, and you create a user connection that uses the NEWPASSWORD= LIBNAME option, the user password is not changed. If you want to change a user password, follow the operating system procedures to change a user password, and check with your LDAP server administrator to ensure that the LDAP database records the password change. The same process applies to other non-native authenticators as well.
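As an added example that is not part of the SAS documentation or SPD Server itself, the following Python script checks the two facts above that are easiest to get wrong: LDAP and psmgr authentication are mutually exclusive (every LDAP parameter must be removed, and the server restarted, before psmgr authentication takes effect), and every LDAP-authenticated user still needs a psmgr record for access control. The KEY=VALUE; parameter-file layout, the LDAP* parameter names, and the user lists are assumptions constructed for illustration, not documented SPD Server values.

```python
"""Consistency check for an SPD Server LDAP-vs-psmgr configuration."""
import re

# Constructed sample server parameter file. The KEY=VALUE; layout and the
# LDAPSERVER/LDAPPORT names are assumptions for illustration only.
PARM_FILE = """\
SORTSIZE=128M;
LDAPSERVER=ldap.example.com;
LDAPPORT=389;
"""

# Constructed user lists: users present in the psmgr password database and
# users that exist on the LDAP server.
PSMGR_USERS = {"anna", "bob"}
LDAP_USERS = {"anna", "bob", "carol"}


def parse_parm(text):
    """Return {KEY: value} from KEY=VALUE; lines, skipping blank lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"(\w+)\s*=\s*(.*?);?\s*$", line)
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params


def ldap_params(params):
    """Parameters that switch the server to LDAP authentication (assumed LDAP* prefix)."""
    return {k: v for k, v in params.items() if k.startswith("LDAP")}


def auth_mode(params):
    """Any LDAP parameter in the file selects LDAP; otherwise psmgr is used."""
    return "ldap" if ldap_params(params) else "psmgr"


def users_missing_psmgr_record(ldap_users, psmgr_users):
    """LDAP-authenticated users still need a psmgr record for access control."""
    return sorted(ldap_users - psmgr_users)


def check(parm_text, ldap_users, psmgr_users, intended_mode):
    """Return a list of findings for the intended authentication mode."""
    params = parse_parm(parm_text)
    findings = []
    if intended_mode == "psmgr" and auth_mode(params) == "ldap":
        names = ", ".join(sorted(ldap_params(params)))
        findings.append(f"remove LDAP parameters and restart SPD Server: {names}")
    if auth_mode(params) == "ldap":
        for user in users_missing_psmgr_record(ldap_users, psmgr_users):
            findings.append(f"user {user!r} has no psmgr record")
    return findings
```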