SAS 9.1.3 Integration Technologies » Server Administrator's Guide



Specifying Authentication Provider and Default Domains When Starting Servers

When you start a SAS Metadata Server or SAS OLAP server, you can use the AUTHPROVIDERDOMAIN startup option to associate domains with the host, LDAP, or Microsoft Active Directory authentication provider. When a user connects to the server, the server can use the domain associations to determine the appropriate authentication provider or associate a default domain with the host. You can use the AUTHPROVIDERDOMAIN option to do the following:

  • associate specific domains with the LDAP or Microsoft Active Directory authentication provider. When a user logs on using a particular domain, the user is authenticated by the authentication provider specified for that domain. If the domain is not associated with an authentication provider, host authentication is used as the default authentication provider.

    To associate a domain with an authentication provider, on the SAS startup command, specify the AUTHPROVIDERDOMAIN system option and associate a domain suffix with the host (HOSTUSER), LDAP (LDAP), or Microsoft Active Directory (ADIR) authentication provider. This association allows the SAS server to choose the authentication provider by the domain name presented.

    Note: To allow multiple security domains to authenticate to the same alternative authentication provider (LDAP or Microsoft Active Directory) you can associate a pseudo-domain name as the authentication provider domain name for that authentication provider. For example, the security domains RANDD and MKTG might both use the authentication provider domain of LDAP.

  • associate a domain with the host authentication provider.
    • On all hosts, when you associate a domain with the host authentication provider, if a user does not specify a domain in their credentials, the associated domain is used.
    • On hosts other than Windows, when you associate a domain with the host authentication provider, if a user specifies that domain with their credentials, the domain is removed from the credentials and the credentials are authenticated using the host authentication provider. If the user specifies a domain that is not the associated domain, the host authentication provider will not be able to authenticate the user.

      To associate a domain with the host authentication provider, on the SAS server startup command, specify the AUTHPROVIDERDOMAIN system option and associate a domain suffix with the host (HOSTUSER) authentication provider.

When using an alternative authentication provider, the AUTHPROVIDERDOMAIN option has the following syntax:

    authproviderdomain provider:domain | (provider-1:domain-1<, . . .provider-n:domain-n>)

provider
    specifies the authentication provider associated with a domain. Valid values for provider are as follows:

    ADIR
        specifies that the authentication provider is a Microsoft Active Directory server that accepts a bind containing a user ID and password for authentication.

    HOSTUSER
        specifies that user IDs and passwords are authenticated by using the authentication processing that is provided by the host operating system.

        Operating Environment Information: In Windows operating environments, assigning the authentication provider using the HOSTUSER domain is the same as assigning the authentication provider using the AUTHSERVER system option. You may want to use the AUTHPROVIDERDOMAIN system option when you specify multiple authentication providers.

    LDAP
        specifies that the authentication provider uses an LDAP server by specifying either
          • the bind distinguished name (BINDDN) and a password for authentication
          • the default "uid" and enabling LDAP to search for the bind distinguished name (BINDDN) by setting the LDAP_PRIV_DN and LDAP_PRIV_PW environment variables.

domain
    specifies a site-specific domain name. The domain name is a name supplied by the administrator to indicate which authentication provider should be used to authenticate a user. Quotation marks are required if the domain value contains blanks.

The following examples show how to specify domain:

Note: If you specify multiple domains, you must enclose the list of domains in parentheses.

Note: The maximum length for the AUTHPROVIDERDOMAIN option value is 1,024 characters.

Operating Environment Information: In UNIX operating environments, you must insert an escape character before each parenthesis. For example, -authproviderdomain \(HOSTUSER:MyHostDomain, ADIR:MyDomain\)
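
The syntax and resolution rules described above, modeled as an added Python example (it is not SAS code and not part of the original guide). The function names and the `windows` flag are hypothetical, and lower-casing domains for comparison is an assumption.

```python
import re

PROVIDERS = {"ADIR", "HOSTUSER", "LDAP"}  # valid provider values listed on this page
MAX_LEN = 1024                            # documented maximum option-value length

def parse_authproviderdomain(value):
    """Parse 'provider:domain' or '(p1:d1, p2:d2)' into {domain: provider}."""
    if len(value) > MAX_LEN:
        raise ValueError("option value exceeds 1,024 characters")
    value = value.strip()
    grouped = value.startswith("(") and value.endswith(")")
    body = value[1:-1] if grouped else value
    # Split on commas, but not on commas inside a quoted domain.
    pairs = [p.strip() for p in re.findall(r'(?:"[^"]*"|[^,])+', body) if p.strip()]
    if not pairs:
        raise ValueError("no provider:domain pair given")
    if len(pairs) > 1 and not grouped:
        raise ValueError("multiple domains must be enclosed in parentheses")
    mapping = {}
    for pair in pairs:
        provider, sep, domain = pair.partition(":")
        provider, domain = provider.strip().upper(), domain.strip()
        if not sep or provider not in PROVIDERS or not domain:
            raise ValueError(f"bad provider:domain pair: {pair!r}")
        if len(domain) >= 2 and domain[0] == domain[-1] == '"':
            domain = domain[1:-1]
        elif " " in domain:
            raise ValueError(f"domain with blanks must be quoted: {pair!r}")
        mapping[domain.lower()] = provider  # assumption: case-insensitive domains
    return mapping

def resolve(mapping, domain=None, windows=False):
    """Return (provider, domain handed to that provider) for one logon."""
    host_default = next((d for d, p in mapping.items() if p == "HOSTUSER"), None)
    if domain is None:
        return ("HOSTUSER", host_default)  # default host domain is applied
    provider = mapping.get(domain.lower(), "HOSTUSER")  # unlisted domain: host
    if provider == "HOSTUSER" and not windows and domain.lower() == host_default:
        return ("HOSTUSER", None)  # non-Windows: associated domain is stripped
    # An unlisted domain reaches the host provider unchanged; on non-Windows
    # hosts that logon fails because it is not the associated domain.
    return (provider, domain)

if __name__ == "__main__":
    m = parse_authproviderdomain("(HOSTUSER:MyHostDomain, ADIR:MyDomain)")
    for d in (None, "MyDomain", "MyHostDomain", "Other"):
        print(d, "->", resolve(m, d))
```

Running a planned option value through a check like this before a server restart shows which logons would silently fall back to host authentication.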