Security
Specifying Authentication Provider and Default Domains When Starting Servers
When you start a SAS Metadata Server or SAS OLAP server, you can use the AUTHPROVIDERDOMAIN startup option to associate domains with the host, LDAP, or Microsoft Active Directory authentication provider. When a user connects to the server, the server can use the domain associations to determine the appropriate authentication provider or associate a default domain with the host. You can use the AUTHPROVIDERDOMAIN option to do the following:
- associate specific domains with the LDAP or Microsoft Active Directory authentication provider.
  When a user logs on using a particular domain, the user is authenticated by the authentication provider specified for that domain. If the domain is not associated with an authentication provider, host authentication is used as the default authentication provider.
  To associate a domain with an authentication provider, on the SAS startup command, specify the AUTHPROVIDERDOMAIN system option and associate a domain suffix with the host (HOSTUSER), LDAP (LDAP), or Microsoft Active Directory (ADIR) authentication provider. This association allows the SAS server to choose the authentication provider by the domain name presented.
  Note: To allow multiple security domains to authenticate to the same alternative authentication provider (LDAP or Microsoft Active Directory), you can associate a pseudo-domain name as the authentication provider domain name for that authentication provider. For example, the security domains RANDD and MKTG might both use the authentication provider domain of LDAP.
- associate a domain with the host authentication provider.
  - On all hosts, when you associate a domain with the host authentication provider, if a user does not specify a domain in their credentials, the associated domain is used.
  - On hosts other than Windows, when you associate a domain with the host authentication provider, if a user specifies that domain with their credentials, the domain is removed from the credentials and the credentials are authenticated using the host authentication provider.
  If the user specifies a domain that is not the associated domain, the host authentication provider will not be able to authenticate the user.
  To associate a domain with the host authentication provider, on the SAS server startup command, specify the AUTHPROVIDERDOMAIN system option and associate a domain suffix with the host (HOSTUSER) authentication provider.
When using an alternative authentication provider, the AUTHPROVIDERDOMAIN option has the following syntax:
authproviderdomain provider:domain | (provider-1:domain-1<, . . .provider-n:domain-n>)
- provider
  specifies the authentication provider associated with a domain. Valid values for provider are as follows:
  - ADIR
    specifies that the authentication provider is a Microsoft Active Directory server that accepts a bind containing a user ID and password for authentication.
  - HOSTUSER
    specifies that user IDs and passwords are authenticated by using the authentication processing that is provided by the host operating system.
    Operating Environment Information: In Windows operating environments, assigning the authentication provider using the HOSTUSER domain is the same as assigning the authentication provider using the AUTHSERVER system option. You may want to use the AUTHPROVIDERDOMAIN system option when you specify multiple authentication providers.
  - LDAP
    specifies that the authentication provider uses an LDAP server by specifying either
    - the bind distinguished name (BINDDN) and a password for authentication
    - the default "uid" and enabling LDAP to search for the bind distinguished name (BINDDN) by setting the LDAP_PRIV_DN and LDAP_PRIV_PW environment variables.
- domain
  specifies a site-specific domain name. The domain name is a name supplied by the administrator to indicate which authentication provider should be used to authenticate a user. Quotation marks are required if the domain value contains blanks.
The following examples show how to specify domain:
Note: If you specify multiple domains, you must enclose the list of domains in parentheses.
Note: The maximum length for the AUTHPROVIDERDOMAIN option value is 1,024
characters.
Operating Environment Information: In UNIX operating environments, you must insert an escape character before each parenthesis. For example, -authproviderdomain \(HOSTUSER:MyHostDomain, ADIR:MyDomain\)
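An added example, not part of the SAS documentation: a small Python lint that parses an AUTHPROVIDERDOMAIN value using the rules on this page (valid providers, parentheses for multiple domains, quotation marks for blanks, the 1,024-character limit) and reports which logon domains would end up on host authentication. The function names, the exact-match domain comparison, the duplicate-domain check, and the acceptance of either quote character are assumptions of this example.

```python
import re

VALID_PROVIDERS = {"ADIR", "HOSTUSER", "LDAP"}  # provider values listed on the page
MAX_LEN = 1024                                  # maximum option value length per the page
# provider:domain, where the domain is quoted (blanks allowed) or contains no blanks.
# Assumption: either quote character is accepted.
PAIR = re.compile(r'\s*([A-Za-z]+):(?:(["\'])(.+?)\2|([^\s,()"\']+))\s*(,|$)')

def parse_authproviderdomain(value):
    """Return {domain: provider} for an option value as the server receives it
    (shell escapes already removed), or raise ValueError."""
    if len(value) > MAX_LEN:
        raise ValueError("value is longer than 1,024 characters")
    text = value.strip()
    in_parens = text.startswith("(") and text.endswith(")")
    if in_parens:
        text = text[1:-1]
    mapping, pos, sep = {}, 0, ","
    while pos < len(text):
        m = PAIR.match(text, pos)
        if not m:
            raise ValueError(f"bad provider:domain pair at offset {pos} (unquoted blank?)")
        provider = m.group(1).upper()  # assumption: provider names are case-insensitive
        domain = m.group(3) or m.group(4)
        if provider not in VALID_PROVIDERS:
            raise ValueError(f"unknown provider {provider!r}")
        if domain in mapping:  # lint choice of this example, not a documented rule
            raise ValueError(f"domain {domain!r} is listed twice")
        mapping[domain] = provider
        pos, sep = m.end(), m.group(5)
    if sep == ",":
        raise ValueError("empty value or trailing comma")
    if len(mapping) > 1 and not in_parens:
        raise ValueError("multiple domains must be enclosed in parentheses")
    return mapping

def provider_for(mapping, domain=None):
    """Provider used for a logon domain; None means the user gave no domain.
    Assumption: domain names are compared exactly."""
    # Per the page, a domain with no association falls back to host authentication.
    return "HOSTUSER" if domain is None else mapping.get(domain, "HOSTUSER")

def host_fallbacks(mapping, expected_domains):
    """Domains from expected_domains that would be authenticated by the host provider."""
    return [d for d in expected_domains if provider_for(mapping, d) == "HOSTUSER"]

if __name__ == "__main__":
    m = parse_authproviderdomain("(HOSTUSER:MyHostDomain, ADIR:MyDomain)")
    print(m, host_fallbacks(m, ["MyDomain", "MyLdapDomain"]))  # constructed domain names
```

Running the lint against the startup command before a server restart catches a mistyped domain that would otherwise be authenticated by the host instead of LDAP or Active Directory.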