PAM (Pluggable Authentication Modules)

A supporting feature that extends UNIX host authentication to recognize an additional provider such as Active Directory. When a SAS server asks its UNIX host to validate a user's credentials, the host sends the user's ID and password to the configured additional provider for verification. PAM extends the host's authentication process to recognize an additional provider; PAM doesn't modify the metadata server's behavior.

Affects all SAS servers that run on the UNIX host and rely on the host operating system to authenticate users. Typically, the metadata server and the workspace server use host authentication.

Can be used to enable users to use their Windows accounts to authenticate to a metadata server or workspace server that runs on UNIX.

Not an alternative to storing user IDs in the metadata (that requirement applies to all configurations).

This mechanism is useful if both the metadata server and the workspace server are on UNIX and you want users to use Windows accounts to access these servers.

This mechanism can also be useful if one of these servers is on Windows, the other is on UNIX, and you want to avoid credential prompts for the workspace server. However, if you use PAM to resolve a mixed provider situation, users who access the workspace server must have two logins. One login should include the user's ID in its qualified form. The other login should include the same ID in short (unqualified) form. Both logins should be in the DefaultAuth authentication domain. Neither login should include a password. For example, a user's logins might look like this:
DefaultAuth | WIN\joe | (no password)
DefaultAuth | joe | (no password)
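
The two-login rule above can be checked mechanically across many users. The following is an added example, not part of the SAS documentation: it audits a list of login records and reports users who break the rule. The record layout (user, authentication domain, login ID, password flag), the sample data, and the function names are all assumptions made for illustration, not a SAS export format or API.

```python
from collections import defaultdict

# Constructed sample records (hypothetical layout):
# (metadata user, authentication domain, login user ID, password stored?)
SAMPLE_LOGINS = [
    ("Joe", "DefaultAuth", "WIN\\joe", False),
    ("Joe", "DefaultAuth", "joe", False),
    ("Ann", "DefaultAuth", "WIN\\ann", False),   # short form missing
    ("Raj", "DefaultAuth", "WIN\\raj", False),
    ("Raj", "DefaultAuth", "raj", True),         # password stored on a login
    ("Lee", "DefaultAuth", "WIN\\lee", False),
    ("Lee", "OtherAuth", "lee", False),          # short form in the wrong domain
]

def short_form(user_id):
    """Strip a DOMAIN\\ qualifier; an unqualified ID is returned unchanged."""
    return user_id.rsplit("\\", 1)[-1]

def audit_logins(logins, domain="DefaultAuth"):
    """Return {user: [findings]} for users whose logins break the two-login rule."""
    by_user = defaultdict(list)
    for user, auth_domain, user_id, has_password in logins:
        by_user[user].append((auth_domain, user_id, has_password))
    findings = {}
    for user, entries in by_user.items():
        problems = []
        # Only logins in the required authentication domain count toward the rule.
        in_domain = [e for e in entries if e[0] == domain]
        qualified = {uid for _, uid, _ in in_domain if "\\" in uid}
        short = {uid for _, uid, _ in in_domain if "\\" not in uid}
        if not qualified:
            problems.append("no qualified login in " + domain)
        if not short:
            problems.append("no short login in " + domain)
        # The short login must carry the same ID as the qualified one.
        if qualified and short and not ({short_form(q) for q in qualified} & short):
            problems.append("short and qualified IDs differ")
        # Neither login should include a password.
        if any(pw for _, _, pw in in_domain):
            problems.append("password stored on a login")
        if problems:
            findings[user] = problems
    return findings

if __name__ == "__main__":
    for user, problems in audit_logins(SAMPLE_LOGINS).items():
        print(user, "->", "; ".join(problems))
```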