
Authentication Mechanisms

Direct LDAP Authentication

Direct Use of LDAP Authentication
Summary: The metadata server validates some users against an LDAP provider such as Active Directory.

Scope:
  • Primarily used for connections to the metadata server.
  • Can also be used for direct connections from a data provider to the OLAP server.

Benefits: Enables users to use their Windows accounts to authenticate to a metadata server that runs on UNIX.

Limits:
  • Not an alternative to storing user IDs in the metadata (that requirement applies to all configurations).
  • Not supported for workspace servers or stored process servers.
  • If you are using external accounts for sasadm and sastrust, requires manual updates to those user IDs in configuration files.
  • Can involve appending a special suffix to user IDs that are stored in the metadata.

Use: Optional
1 Direct LDAP enables the metadata server to recognize accounts that aren't known to its host; direct LDAP doesn't modify the host's behavior.

The following figure contrasts back-end use and direct use.

[Figure: Two Ways to Use an LDAP Authentication Provider]

Many hosts use an LDAP provider as a back-end authentication mechanism. From the perspective of the SAS server, this is host authentication, so no direct LDAP configuration is needed. For example:

See How to Configure Direct LDAP Authentication.
