Problem Note 62467: Valid user credentials are occasionally rejected by SAS® Metadata Server when you use direct LDAP authentication
 |  |  |  |  |
In SAS® 9.4 TS1M3 and earlier, you might experience an issue in which valid user credentials are occasionally rejected by SAS Metadata Server when you use direct LDAP authentication. This SAS Note provides details about the issue for different releases of SAS.
SAS® 9.4 TS1M3 and Earlier
In SAS 9.4 TS1M3 and earlier, SAS Metadata Server might occasionally reject connections from a valid user. When authentication fails, a message like the following appears in the metadata server log:
This issue occurs under the following conditions:
- SAS Metadata Server is configured for direct LDAP authentication.
- The LDAP provider returns multiple distinguished names (DNs) for the user.
This problem occurs because SAS Metadata Server uses the first DN that is returned by LDAP. Because LDAP result-set ordering is not guaranteed (sorting must be supported and enabled on the LDAP server), the first result that is returned could be different each time. The DN that is returned might not authenticate successfully with the user credentials.
SAS® 9.4TS1M4 and Later
SAS 9.4TS1M4 and later releases include a change in behavior so that direct LDAP authentication aligns with pam_ldap. When more than one DN is returned for a user, the connection is rejected. In this scenario, SAS Metadata Server returns messages like the following to the metadata server log:
WARN [00001234] :sas - New client connection (15) rejected from server port 8561 for user sasdemo.
Click the Hot Fix tab in this note to access the hot fix for this issue.
When you install the hot fix, a new feature is introduced that enables you to configure your environment so that the SAS Metadata Server allows more than one DN for a user. This feature enables you to specify the same behavior as in SAS 9.4 TS1M3 and earlier.
Post-Installation Instructions
After you install the hot fix, SAS Metadata Server recognizes the SAS_ALLOW_MULTIPLE_DN_ENTRIES environment variable, which you must configure for your environment. Regardless of the value that you set for this environment variable, SAS Metadata Server allows more than one DN for a user. The first DN in the LDAP result set is used for authentication. This behavior is the same behavior as in SAS 9.4 TS1M3 and earlier.
To create the SAS_ALLOW_MULTIPLE_DN_ENTRIES environment variable under UNIX, locate the level_env_usermods.sh file that is in your equivalent of SAS/Config/Lev1 and add the setting as follows on the line after CONTEXT_USERMODS_OPTIONS=:
export SAS_ALLOW_MULTIPLE_DN_ENTRIES
To create the SAS_ALLOW_MULTIPLE_DN_ENTRIES environment variable under Windows, follow these steps:
- Select Start ► Control Panel and click System. Then, click Advanced system settings on the left.
- In the System Properties dialog box, click the Advanced tab.
- Click Environment Variables.
- In the System variables section, click New.
- In the Variable name field, enter SAS_ALLOW_MULTIPLE_DN_ENTRIES.
- In the Variable value field, enter any_value.
Important Note: The section “How to Configure Direct LDAP Authentication” in SAS® 9.4 Intelligence Platform: Security Administration Guide instructs you to add environment variables that describe your LDAP or Active Directory provider in the sasv9_usermods.cfg file that is in your equivalent of SAS/Config/Lev1/SASMeta/MetadataServer. This location is not correct for setting the SAS_ALLOW_MULTIPLE_DN_ENTRIES environment variable.
Refer to “Configuration Files for Components of SAS Application Servers” in SAS® 9.4 Intelligence Platform: System Administration Guide for more information about setting environment variables.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Metadata Server | Solaris for x64 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 |
| Linux for x64 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| HP-UX IPF | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| 64-bit Enabled Solaris | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| 64-bit Enabled AIX | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Windows 7 Home Premium 32 bit | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Windows 7 Enterprise x64 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Windows 7 Enterprise 32 bit | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows 8.1 Enterprise 32-bit | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Windows 7 Ultimate x64 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Windows 7 Ultimate 32 bit | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Windows 7 Professional x64 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Windows 7 Professional 32 bit | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Windows 7 Home Premium x64 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2012 Std | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2012 R2 Std | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2012 R2 Datacenter | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2012 Datacenter | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2008 for x64 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2008 R2 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2008 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows 10 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows 8.1 Pro x64 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows 8.1 Pro 32-bit | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows 8.1 Enterprise x64 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows 8 Pro x64 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows 8 Pro 32-bit | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows 8 Enterprise x64 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft Windows 8 Enterprise 32-bit | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||
| Microsoft® Windows® for x64 | 9.4_M4 | 9.4_M4 | 9.4 TS1M4 | 9.4 TS1M4 | ||