SAS 9.1.3 Integration Technologies » Server Administrator's Guide


Implementing Alternative Authentication Providers

For SAS Metadata Servers or SAS OLAP Servers, you can implement one or both of the following alternative authentication providers: LDAP Directory Server authentication and Microsoft Active Directory authentication.


LDAP Directory Server Authentication

Overview of LDAP Directory Server Authentication

When starting a server, you can enable LDAP users who specify a particular authentication provider domain to authenticate against an LDAP server instead of against the host.

When a user logs in to a SAS client, authentication is performed in one of the following ways:

  • If the user specified a distinguished name (DN), then the client uses that DN and the user's password to authenticate the user on the LDAP server.

  • If the user specified a user ID and if a DN and password are specified in the LDAP_PRIV_DN and LDAP_PRIV_PW environment variables, then the client:

    1. uses the values of LDAP_PRIV_DN and LDAP_PRIV_PW to connect to the LDAP server.

    2. searches for a DN where the value for uid matches the user ID. If the LDAP_IDATTR environment variable specifies an alternative attribute, then the client searches for that attribute instead of uid.

    3. authenticates the user by reconnecting to the LDAP server with the DN result from the previous step and the password that the user specified.

  • If the user specified a user ID and if a DN and password are not specified in the LDAP_PRIV_DN and LDAP_PRIV_PW environment variables, then the client:

    1. connects to the LDAP server anonymously.

    2. searches for a DN where the value for uid matches the user ID. If the LDAP_IDATTR environment variable specifies an alternative attribute, then the client searches for that attribute instead of uid.

    3. authenticates the user by reconnecting to the LDAP server with the DN result from the previous step and the password that the user specified.
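The three branches above as an added toy model with a constructed in-memory directory; this is illustration code, not SAS code. The ToyLdap class, treating a login that contains "=" as a DN, and refusing a DN bind with an empty password are this example's own assumptions.

```python
from typing import Dict, Optional

def _norm(dn: str) -> str:
    # Tolerate the "ou=People, dc=orion, dc=com" spacing used on the page.
    return ",".join(part.strip() for part in dn.split(","))

# Constructed sample directory (DN -> attributes); userPassword is kept in
# clear only so the toy bind() can check it, which a real server never does.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=useradmin,dc=orion,dc=com": {"userPassword": "adm-secret"},
    "uid=tom,ou=People,dc=orion,dc=com": {"uid": "tom", "mail": "tom@orion.com", "userPassword": "tom-pass"},
    "uid=ann,ou=People,dc=orion,dc=com": {"uid": "ann", "mail": "ann@orion.com", "userPassword": "ann-pass"},
}

class ToyLdap:
    def __init__(self, directory: Dict[str, Dict[str, str]], allow_anonymous_search: bool):
        self.dir, self.anon_ok = directory, allow_anonymous_search

    def bind(self, dn: Optional[str], password: Optional[str]) -> bool:
        """Simple bind; dn=None is an anonymous bind. A DN with an empty
        password is refused here because a real server may answer that with
        success as an *unauthenticated* bind (RFC 4513, section 5.1.2)."""
        if dn is None:
            return True
        entry = self.dir.get(_norm(dn))
        return bool(password) and entry is not None and entry.get("userPassword") == password

    def search(self, bound_dn: Optional[str], base: str, attr: str, value: str) -> Optional[str]:
        if bound_dn is None and not self.anon_ok:
            raise PermissionError("anonymous search refused")
        hits = [dn for dn, e in self.dir.items() if dn.endswith(_norm(base)) and e.get(attr) == value]
        return hits[0] if len(hits) == 1 else None  # no match or ambiguous: fail closed

def authenticate(server: ToyLdap, login: str, password: str, env: Dict[str, str]) -> Optional[str]:
    """Return the DN that authenticated, or None. `env` holds the page's LDAP_*
    variables; a login containing '=' is treated as a DN (assumption)."""
    if "=" in login:                                   # branch 1: the user gave a DN
        return _norm(login) if server.bind(login, password) else None
    priv_dn, priv_pw = env.get("LDAP_PRIV_DN"), env.get("LDAP_PRIV_PW")
    if priv_dn and priv_pw:                            # branch 2: privileged search identity
        if not server.bind(priv_dn, priv_pw):
            return None
        searcher: Optional[str] = priv_dn
    else:                                              # branch 3: anonymous connection
        searcher = None
    try:
        dn = server.search(searcher, env["LDAP_BASE"], env.get("LDAP_IDATTR", "uid"), login)
    except PermissionError:
        return None
    return dn if dn is not None and server.bind(dn, password) else None  # rebind as the found DN proves the password
```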

Implementing LDAP Directory Server Authentication

To implement authentication for LDAP, you must perform the following tasks:

  1. Ensure that LDAP users are defined. Ensure that the appropriate user credentials are set up on an LDAP directory server.

  2. Start the server with the appropriate options for alternative authentication. When starting the server, specify the following:
    • On the server start command or in the service configuration (if you run on Windows as a service), specify the AUTHPROVIDERDOMAIN option with the authentication provider domain to use for LDAP authentication. For example,
      -authproviderdomain LDAP:orion.com
      

      where orion.com is the domain that will be specified when the user wishes to authenticate against LDAP.

      For details, see Specifying Authentication Provider and Default Domains When Starting Servers.

    • Set the following environment variables (using the appropriate procedure for your operating system):
      LDAP_PORT=   <port number for LDAP. If LDAP_PORT is not specified,
                   then the default value is 389.>
      
      LDAP_BASE=   <base DN to use. For example:
                   ou=People, dc=orion, dc=com>
      
      LDAP_HOST=   <the host name of the machine where LDAP is running>
      
      LDAP_IDATTR= <(optional) an alternative attribute to identify
                   person entries. The default value is uid.>
      

      Note: For information about setting the environment variables, see Setting Environment Variables for the Server.

    • If your users connect with a user ID instead of a DN, and the LDAP server does not allow anonymous connections, set the following environment variables:
      LDAP_PRIV_DN=  <privileged DN that is allowed to search
                     for users. For example, cn=useradmin>
      
      LDAP_PRIV_PW=  <password for LDAP_PRIV_DN>
      

      For the LDAP_PRIV_PW variable, you can provide a password that is encoded by using the PWENCODE procedure. For more information, see The PWENCODE Procedure in Base SAS Procedures Guide.

  3. Define login credentials on the SAS Metadata Server. After authentication, the SAS Metadata Server searches for the user ID and associated user definition (identity) in the SAS Metadata Repository. Therefore, you must have a user and login definition (that contains the LDAP authentication credentials) in the appropriate SAS Metadata Repository. (For details, see Defining Users, Groups, and Logins on the SAS Metadata Server). For user IDs that authenticate against the LDAP server, create a login definition with a user ID that has the following format:

    userid@AUTHPROVIDERDOMAIN
    
  4. Ensure that users connect with the appropriate credentials for alternative authentication. When an LDAP user connects to the server, specify the authentication provider domain in the LDAP user connection request (in order to associate the authentication provider domain with the LDAP authentication provider). To authenticate against LDAP, the LDAP user must log on with the following format:

    userid@AUTHPROVIDERDOMAIN
    

    For example:

    Tom@orion.com
    

    where orion.com is the authentication provider domain that you specified for the LDAP server in the AUTHPROVIDERDOMAIN option.

    If you have used the AUTHPROVIDERDOMAIN option to configure the LDAP server as an alternative authentication provider (for example, LDAP: <AUTHPROVIDERDOMAIN>), all logins of the form userID@<authproviderdomain> will be sent to the LDAP server (as opposed to the host authentication provider) for authentication.

Example

The following is an example of a Windows metadata server start command that specifies an alternative LDAP authentication provider:

"where_your_sas_is_installed\sas.exe"
-log "C:\sasoma\logs\sasoma.log" -logparm "write=immediate"
-linesize max -pagesize max -nosplash -noterminal
-memsize 0 -authproviderdomain LDAP:orion.com
-objectserver -objectserverparms "protocol=bridge port=XXXX
  classfactory=2887E7D7-4780-11D4-879F-00C04F38F0DB"

To be authenticated by this provider, a user would specify a user ID in the form:

userid@orion.com

Microsoft Active Directory Authentication

Overview of Microsoft Active Directory Authentication

When starting a server, you can enable Microsoft Active Directory users who specify a particular authentication provider domain to authenticate against a Microsoft Active Directory server instead of against the host.

When a user logs in to a SAS client, the client authenticates the user by using the login credentials to connect to the Active Directory server.

Implementing Microsoft Active Directory Authentication

To implement authentication for Microsoft Active Directory, you must perform the following tasks:

  1. Ensure that Microsoft Active Directory users are defined. Ensure that the appropriate user credentials are set up on a Microsoft Active Directory server. For details, see the Microsoft Active Directory home page on the Microsoft Web site.

  2. Start the server with the appropriate options for alternative authentication. When starting the server, specify the following:
    • On the server start command or in the service configuration (if you run on Windows as a service), specify the AUTHPROVIDERDOMAIN option with the authentication provider domain to use for Microsoft Active Directory authentication. For example,
      -authproviderdomain ADIR:orion.com
      

      where orion.com is the domain that will be specified when the user wishes to authenticate against Microsoft Active Directory.

      Note: With Microsoft Active Directory alternative authentication, you can use your Windows network domain as the authentication provider domain. For example, if your users log in as europe\<user>, you could specify the following:

      -authproviderdomain ADIR:europe
      
      where europe is the Windows network domain. In this configuration, your users will log in using the format <user>@europe.

      Note: For details, see Specifying Authentication Provider and Default Domains When Starting Servers.

    • Set the following environment variables:
      AD_PORT=  <Active Directory port number>
                If AD_PORT is not specified, the
                default is 389.
      
      AD_HOST=  <Active Directory host name>
      

      Note: For information about setting the environment variables, see Setting Environment Variables for the Server.

  3. Define login credentials on the SAS Metadata Server. After authentication, the SAS Metadata Server searches for the user ID and associated user definition (identity) in the SAS Metadata Repository. Therefore, you must have a user and login definition (that contains the Microsoft Active Directory user name) in the appropriate SAS Metadata Repository. (For details, see Defining Users, Groups, and Logins on the SAS Metadata Server). For user IDs that authenticate against Microsoft Active Directory, create a login definition with a user ID that has one of the following formats:

    domain\userid
    userid@domain
    
  4. Ensure that users connect with the appropriate credentials for alternative authentication. When a Microsoft Active Directory user connects to the server, specify the authentication provider domain in the user ID (in order to associate the authentication provider domain with the Microsoft Active Directory authentication provider). To authenticate against Microsoft Active Directory, the Microsoft Active Directory user must log on with one of the following formats:

    userid@AUTHPROVIDERDOMAIN
    domain\userid@AUTHPROVIDERDOMAIN
    userid@domain@AUTHPROVIDERDOMAIN
    

    For example:

    ABC\Tom@orion.com
    

    where orion.com is the authentication provider domain that you specified for the Microsoft Active Directory server in the AUTHPROVIDERDOMAIN option.

    Note: If you have used the AUTHPROVIDERDOMAIN option to configure the Microsoft Active Directory alternative authentication provider (for example, ADIR: <AUTHPROVIDERDOMAIN>), all logins of the form userID@<authproviderdomain> will be sent to the Active Directory server (as opposed to the host authentication provider) for authentication.

Example

The following is an example of a Windows metadata server start command that specifies an alternative Microsoft Active Directory authentication provider:

"where_your_sas_is_installed\sas.exe"
-log "/sasoma/logs/sasoma.log" -logparm "write=immediate"
-linesize max -pagesize max -noterminal -memsize 0
-authproviderdomain ADIR:orion.com -objectserver
-objectserverparms "protocol=bridge port=XXXX
  classfactory=2887E7D7-4780-11D4-879F-00C04F38F0DB"

To be authenticated by this provider, a user would specify a user ID in the form:

domain\userid@orion.com
userid@domain@orion.com
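How a server could route the login forms shown here and under step 4 of the LDAP section by their trailing authentication provider domain, and which user ID the metadata login definition in step 3 then needs. This is an added example, not SAS code; accepting several AUTHPROVIDERDOMAIN values at once, the fall-back to host authentication for an unconfigured domain, and the login ID rules for the host provider are its assumptions.

```python
from typing import Dict, Tuple

def parse_authproviderdomain(*options: str) -> Dict[str, str]:
    """Turn AUTHPROVIDERDOMAIN values such as "LDAP:orion.com" or
    "ADIR:europe" into {domain: provider}. Accepting several values at
    once is an assumption of this example; domains compare case-insensitively."""
    table: Dict[str, str] = {}
    for opt in options:
        provider, sep, domain = opt.partition(":")
        if not sep or not provider.strip() or not domain.strip():
            raise ValueError(f"malformed AUTHPROVIDERDOMAIN value: {opt!r}")
        table[domain.strip().lower()] = provider.strip().upper()
    return table

def route_login(login: str, table: Dict[str, str]) -> Tuple[str, str]:
    """Return (provider, credential handed to that provider). The
    authentication provider domain is the text after the LAST '@', so
    userid@domain@orion.com keeps userid@domain for Active Directory.
    A login without a configured domain goes to host authentication (assumption)."""
    credential, sep, apd = login.rpartition("@")
    if sep and apd.lower() in table:
        return table[apd.lower()], credential
    return "HOST", login

def metadata_login_id(provider: str, credential: str, apd: str) -> str:
    """The user ID to put in the SAS Metadata Server login definition:
    userid@AUTHPROVIDERDOMAIN for LDAP; domain\\userid or userid@domain for
    Active Directory, where a bare userid gets the userid@domain form used
    in the page's ADIR:europe note (assumption). Host logins are unchanged."""
    if provider == "LDAP":
        return f"{credential}@{apd}"
    if provider == "ADIR":
        return credential if ("\\" in credential or "@" in credential) else f"{credential}@{apd}"
    return credential
```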

Setting Environment Variables for the Server

Windows

For Windows, add the environment variables to the configuration file that is used to start the OLAP or metadata server.

The default configuration file for the metadata server is sasv9_MetadataServer.cfg in the \Lev1\SASMain\MetadataServer subdirectory of your SAS configuration directory.

The default configuration file for the OLAP server is sasv9_OLAPServer.cfg in the \Lev1\SASMain\OLAPServer subdirectory of your SAS configuration directory.

Use the syntax -set variable-name value. For example:

-set LDAP_PORT 389

UNIX

For UNIX, add the environment variables to the shell script that starts the OLAP or metadata server.

The default script for the metadata server is MetadataServer.sh in the /Lev1/SASMain/MetadataServer subdirectory of your SAS configuration directory.

The default script for the OLAP server is OLAPServer.sh in the /Lev1/SASMain/OLAPServer subdirectory of your SAS configuration directory.

The syntax for setting an environment variable is dependent on the UNIX shell that you are using. For example:

## C Shell ##
setenv LDAP_PORT 389

## Bourne Shell / Korn Shell ##
LDAP_PORT=389
export LDAP_PORT

z/OS

A TKMVSENV file is used to make a list of pseudo environment variables available. A TKMVSENV PDS is created at installation. To define the environment variables for the SAS Metadata Server or SAS OLAP Server, create a member in the PDS that specifies the necessary variables, then reference this PDS member in the TKMVSENV DD statement in your started task.

By default, the TKMVSENV file is located in <SASROOT>.<XX>.SRVENV(TKMVSENV), where <SASROOT> is the path where SAS is installed and <XX> represents your 2-byte character encoding name. For example, SVS02.V913.W0.SRVENV(TKMVSENV).

In the TKMVSENV file, use the syntax set variable-name=value. For example:

set LDAP_PORT=389