How to Configure Direct LDAP Authentication

Note: Before you use these instructions, make sure that this is an appropriate choice in your environment. See Direct LDAP Authentication.
To make a metadata server on UNIX directly recognize Active Directory accounts, locate the sasv9_usermods.cfg file that is in your equivalent of SAS/Config/Lev1/SASMeta/MetadataServer and add lines such as these:
/* Environment variables that describe your AD server */
-set AD_HOST myhost

/* System options that make AD the primary authentication provider */
-authpd ADIR:company.com  -primpd company.com
You can reference only one Active Directory server. You might choose to use a Windows domain name (for example, ADIR:MyWinDomain instead of ADIR:company.com).
The preceding settings cause these results:
Example: User ID Formats If -authpd ADIR:company.com -primpd company.com

How a User Logs On           Where the Metadata Server Sends the Credentials   How the User ID Must Be Stored in Metadata (1)
user                         To Active Directory                               user@company.com
user@company.com             To Active Directory                               user@company.com
user@unrecognized-qualifier  To Active Directory                               user@unrecognized-qualifier
WinDomain\user               To Active Directory                               WinDomain\user or user@WinDomain
user@saspw                   To its internal provider                          No login for an internal account
user@host                    To its host                                       user

(1) If the ID isn't stored in the correct format, the user can log on but has only the PUBLIC identity. Put the SAS copy of each user's ID in a login in that user's metadata definition. Assign these logins to DefaultAuth.
To make a metadata server on UNIX or Windows directly recognize some other LDAP provider, use lines such as these:
/* Environment variables that describe your LDAP server */
-set LDAP_HOST myhost
-set LDAP_BASE "ou=emp, o=us"

/* System options that make LDAP the primary authentication provider */
-authpd LDAP:company.com -primpd company.com
You can reference only one LDAP server.
The preceding settings cause these results:
Example: User ID Formats If -authpd LDAP:company.com -primpd company.com

How a User Logs On           Where the Metadata Server Sends the Credentials   How the User ID Must Be Stored in Metadata (1)
user                         To LDAP                                           user@company.com
user@company.com             To LDAP                                           user@company.com
user@unrecognized-qualifier  To LDAP                                           user@unrecognized-qualifier@company.com
user@saspw                   To its internal provider                          No login for an internal account
user@host                    To its host                                       user

(1) If the ID isn't stored in the correct format, the user can log on but has only the PUBLIC identity. Put the SAS copy of each user's ID in a login in that user's metadata definition. Assign these logins to DefaultAuth.
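The two tables above (the Active Directory one and the LDAP one) describe a single routing rule that differs only in how an unrecognized qualifier is stored. The following Python model is an added example, not SAS code and not part of this page: given the provider from -authpd and the -primpd domain, route() reports where the metadata server sends the credentials and which stored login user IDs would match, and effective_identity() checks a set of DefaultAuth logins to show which submitted IDs would end up with only the PUBLIC identity. It assumes the qualifier the tables write as "host" is a single fixed string (configurable via host_qualifier), compares stored IDs exactly (the page does not describe case handling), and refuses WinDomain\user input for an LDAP provider because the page describes that form only for Active Directory. The sample logins are constructed.

```python
"""Model of the user-ID routing tables for -authpd <ADIR|LDAP>:<domain> -primpd <domain>.
Added example; not SAS code. Sample data below is constructed."""
from dataclasses import dataclass

INTERNAL_QUALIFIER = "saspw"                      # fixed qualifier of SAS internal accounts
PROVIDER_NAMES = {"ADIR": "Active Directory", "LDAP": "LDAP"}


@dataclass(frozen=True)
class Route:
    destination: str        # where the metadata server sends the credentials
    stored_forms: tuple     # login user IDs in metadata that would match this logon


def route(user_id, provider, primpd, host_qualifier="host"):
    """Apply the routing rules of the tables above.

    host_qualifier is the qualifier the tables show as "host"; treating it as a
    fixed string is an assumption of this model.
    """
    if provider not in PROVIDER_NAMES:
        raise ValueError(f"unsupported -authpd provider {provider!r}")
    external = PROVIDER_NAMES[provider]

    # WinDomain\user is described only for Active Directory.
    if "\\" in user_id:
        if provider != "ADIR":
            raise ValueError("WinDomain\\user is only described for ADIR")
        domain, user = user_id.split("\\", 1)
        return Route(external, (user_id, f"{user}@{domain}"))

    user, sep, qualifier = user_id.partition("@")
    if not sep:                                   # no qualifier: primary provider
        return Route(external, (f"{user}@{primpd}",))
    q = qualifier.lower()
    if q == INTERNAL_QUALIFIER:
        return Route("internal provider", ())     # internal accounts need no login
    if q == host_qualifier.lower():
        return Route("host", (user,))
    if q == primpd.lower():
        return Route(external, (f"{user}@{primpd}",))
    # Unrecognized qualifier: AD keeps the ID as typed, LDAP appends the -primpd domain.
    if provider == "ADIR":
        return Route(external, (user_id,))
    return Route(external, (f"{user_id}@{primpd}",))


def effective_identity(user_id, defaultauth_logins, provider, primpd, **kw):
    """'user' if a DefaultAuth login matches a required stored form, else 'PUBLIC'
    (the user is authenticated but gets only the PUBLIC identity)."""
    r = route(user_id, provider, primpd, **kw)
    if not r.stored_forms:                         # internal account: no login needed
        return "user"
    return "user" if any(f in defaultauth_logins for f in r.stored_forms) else "PUBLIC"


if __name__ == "__main__":
    # Constructed sample: logins an administrator stored in DefaultAuth.
    logins = {"jsmith@company.com", "WINDOM\\tlee", "msmith"}
    for uid in ("jsmith", "WINDOM\\tlee", "tlee", "msmith@host",
                "sasadm@saspw", "jsmith@other.example"):
        r = route(uid, "ADIR", "company.com")
        print(f"{uid:22} -> {r.destination:18} needs {r.stored_forms}: "
              f"{effective_identity(uid, logins, 'ADIR', 'company.com')}")
```

The "tlee" row in the sample output is the pitfall the footnote warns about: the login was stored as WINDOM\tlee, so an unqualified logon (which the server sends to the primary provider and matches against tlee@company.com) succeeds but yields only PUBLIC.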
Reference: Environment Variables
AD_HOST
The host name of the machine where Active Directory is running.
AD_PORT
The port number for Active Directory. The default is 389.
AD_TLSMODE
Enable Secure Sockets Layer (SSL) encrypted communication between the metadata server and the Active Directory server. Set this variable to 1 to activate (for example, -set AD_TLSMODE 1). Without it, the credentials that the metadata server forwards to the directory cross the network unencrypted. (1)
LDAP_HOST
The host name of the machine where LDAP is running.
LDAP_PORT
The port number for LDAP. The default is 389.
LDAP_BASE
The base DN to use. For example: o=People, dc=orion, dc=com.
LDAP_IDATTR
(Optional) An alternative LDAP attribute that the SAS server can use to find your DN. The default is uid.
LDAP_PRIV_DN
The privileged DN that is allowed to search for users. For example, cn=useradmin. (2)
LDAP_PRIV_PW
The password for LDAP_PRIV_DN. You can use the PWENCODE procedure to provide an encoded password. Encoding keeps the password out of the file in plain form but is not a substitute for protecting the file: restrict read access to the configuration file to the account that runs the metadata server. (2)
LDAP_TLSMODE
Enable Secure Sockets Layer (SSL) encrypted communication between the metadata server and the LDAP server. Set this variable to 1 to activate (for example, -set LDAP_TLSMODE 1). (1)
(1) Additional configuration is required. See How to Configure SSL between the Metadata Server and an LDAP Server.
(2) Set this variable only if users connect with a user ID instead of a DN, and the LDAP server does not allow anonymous binds.
Tip
For more information about setting environment variables, see the SAS system option SET= in the documentation for your host.
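Because the settings above are spread across -set environment variables and two system options, it is easy to ship a fragment that is syntactically fine but incomplete or insecure. The following linter is an added example, not SAS code and not part of this page: it parses a sasv9_usermods.cfg fragment (comments, -set NAME VALUE, -authpd, -primpd), then reports what the reference above calls out as required (a host, a base DN for LDAP, a -primpd that names the directory's domain, a privileged DN and password set together) and the setting a security review should insist on, *_TLSMODE 1, without which bind passwords reach the directory in cleartext. The check on the {sasNNN} prefix assumes the password value came from PROC PWENCODE, whose output carries such a prefix. The two configuration samples are constructed; the encoded password in the hardened sample is a placeholder, not real PWENCODE output.

```python
"""Linter for sasv9_usermods.cfg direct-LDAP fragments. Added example; not SAS code."""
import re
import shlex

COMMENT = re.compile(r"/\*.*?\*/", re.S)


def parse_cfg(text):
    """Return (env, authpd, primpd): env maps -set names to values, authpd lists
    every -authpd value in order, primpd is the last -primpd value or None."""
    tokens = shlex.split(COMMENT.sub(" ", text))
    env, authpd, primpd = {}, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok == "-set" and i + 2 < len(tokens):
            env[tokens[i + 1].upper()] = tokens[i + 2]
            i += 3
        elif tok == "-authpd" and i + 1 < len(tokens):
            authpd.append(tokens[i + 1])
            i += 2
        elif tok == "-primpd" and i + 1 < len(tokens):
            primpd = tokens[i + 1]
            i += 2
        else:
            i += 1                      # other options are not modelled here
    return env, authpd, primpd


def lint(text):
    """Return a list of findings; an empty list means nothing to report."""
    env, authpd, primpd = parse_cfg(text)
    findings = []
    providers = [p for p in authpd if p.upper().startswith(("ADIR:", "LDAP:"))]
    if not providers:
        return ["no -authpd ADIR:/LDAP: entry: no directory provider is registered"]
    if len(providers) > 1:
        findings.append("more than one directory provider registered; only one AD or LDAP server can be referenced")
    kind, _, domain = providers[0].partition(":")
    kind = kind.upper()
    prefix = "AD" if kind == "ADIR" else "LDAP"
    if primpd is None or primpd.lower() != domain.lower():
        findings.append(f"-primpd {primpd!r} does not name the {kind} domain {domain!r}; "
                        "unqualified user IDs are not sent to the directory")
    if f"{prefix}_HOST" not in env:
        findings.append(f"{prefix}_HOST is not set")
    if kind == "LDAP" and "LDAP_BASE" not in env:
        findings.append("LDAP_BASE (search base DN) is not set")
    if env.get(f"{prefix}_TLSMODE") != "1":
        findings.append(f"{prefix}_TLSMODE is not 1: credentials are sent to the directory server in cleartext")
    has_dn, has_pw = "LDAP_PRIV_DN" in env, "LDAP_PRIV_PW" in env
    if has_dn != has_pw:
        findings.append("LDAP_PRIV_DN and LDAP_PRIV_PW must be set together")
    # PROC PWENCODE output starts with a {sasNNN} method tag; anything else is plain text.
    if has_pw and not re.match(r"\{sas\d{3}\}", env["LDAP_PRIV_PW"], re.I):
        findings.append("LDAP_PRIV_PW is stored in cleartext; encode it with PROC PWENCODE")
    return findings


# Constructed sample 1: the Active Directory fragment from the page, unchanged.
WEAK_AD_CFG = """
/* Environment variables that describe your AD server */
-set AD_HOST myhost

/* System options that make AD the primary authentication provider */
-authpd ADIR:company.com  -primpd company.com
"""

# Constructed sample 2: an LDAP fragment with TLS and an encoded (placeholder) password.
HARDENED_LDAP_CFG = """
-set LDAP_HOST ldap.company.example
-set LDAP_BASE "ou=emp, o=us"
-set LDAP_TLSMODE 1
-set LDAP_PRIV_DN "cn=useradmin,ou=emp,o=us"
-set LDAP_PRIV_PW {sas002}0123456789ABCDEF0123456789ABCDEF
-authpd LDAP:company.com -primpd company.com
"""

if __name__ == "__main__":
    for name, cfg in (("weak AD", WEAK_AD_CFG), ("hardened LDAP", HARDENED_LDAP_CFG)):
        print(name, "->", lint(cfg) or "no findings")
```

Run it against your own file before restarting the metadata server; the TLS finding is the one to treat as blocking, since the directory bind carries the user's password.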
Reference: SAS System Options
AUTHPD
Use this option to register and name your Active Directory provider or other LDAP provider. See AUTHPROVIDERDOMAIN System Option in SAS System Options: Reference.
PRIMPD
Use this option to designate your Active Directory server or other LDAP provider as the primary authentication provider for the metadata server. The metadata server directly uses its primary provider when the submitted user ID has no qualifier, the -primpd qualifier, or an unrecognized qualifier. Using this option enables users to log on using their usual user IDs (no special qualifier is required at log on time). See PRIMARYPROVIDERDOMAIN= System Option in SAS System Options: Reference.
Here are some additional details:
  • These configuration changes take effect after you restart the metadata server.
  • To optimize credential reuse, don't move inbound logins (logins that provide access to the metadata server) out of the DefaultAuth authentication domain.
  • On UNIX, an alternate location for specifying the environment variables is in the MetadataServer.sh shell script. For example:
    AD_HOST=myhost
    export AD_HOST
  • On z/OS, a TKMVSENV file is used to make a list of pseudo environment variables available. A TKMVSENV PDS is created at installation. To define the environment variables, create a member in the PDS that specifies the necessary variables, and then reference this PDS member in the TKMVSENV DD statement in your started task.
  • After you complete the configuration, verify that access to the workspace server isn't compromised. That server authenticates against its host rather than through the metadata server's primary provider, so users whose accounts exist only in the directory might no longer be able to launch it.
  • If you use external accounts for the SAS Administrator (sasadm) or the SAS Trusted User (sastrust), certain configuration files that include those user IDs must conform to the format requirements in the third column of the preceding example tables.
    Note: Only configuration files that contain the user ID for the purpose of matching an authenticated user ID must conform (for example, the adminUsers.txt and trustedUsers.txt files).