Security
Specifying Default Host Domains When Starting Servers That Only Use Host Authentication
When you start a server, or a spawner that starts a server, you can use the AUTHPROVIDERDOMAIN startup option to associate a domain with the host authentication provider. (To understand the different types of domains used in the host environment, Open Metadata Architecture, and SAS Integration Technologies security, refer to Overview of Domains.) When a user connects to the server without a domain, the server can use the domain association to determine a domain.
On all hosts, when you associate a domain with the host authentication provider, if a user does not specify a domain in their credentials, the associated domain is used. For example, you might specify a default security domain APEX for the UNIX operating system; when a user connects without a domain, the domain APEX is used to locate the correct fully qualified user ID (in a login definition) on the SAS Metadata Server.
On hosts other than Windows, when you associate a domain with the host authentication provider, if a user specifies that domain with their credentials, the domain is removed from the credentials and the credentials are authenticated using the host authentication provider.
If the user specifies a domain that is not the associated domain, the host authentication provider will not be able to authenticate the user.
When you specify a domain for hosts other than Windows, you allow multiple hosts to have their login definitions appear as identical.
For example, when starting the servers xyz.iyi.abc.com and xyz2.iyi.abc.com, you can use the AUTHPROVIDERDOMAIN option to assign the domain name "abcunix". When users log on to either server, the domain will be returned and their user ID will look identical because both servers use the same domain name (for example, "abcunix\abcmktg").
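The behaviour described above for hosts other than Windows, modelled in Python as an added example (it is not SAS code and not part of the original documentation). The function names `resolve` and `qualified_ids`, the exact-match comparison of domain names, and the `domain\user` form as the only accepted ID format are assumptions made for the illustration.

```python
# Added illustration: a model of the behaviour this page describes for
# hosts other than Windows. It is not SAS code.
from typing import Dict, Optional, Tuple

# Constructed sample: the two servers from the page's example, both started
# with the option value HOSTUSER:abcunix.
SERVERS: Dict[str, str] = {
    "xyz.iyi.abc.com": "abcunix",
    "xyz2.iyi.abc.com": "abcunix",
}


def resolve(typed_id: str, associated_domain: str) -> Optional[Tuple[str, str]]:
    """Return (host_user, qualified_id), or None if authentication cannot succeed.

    host_user    -- the ID handed to the host authentication provider
    qualified_id -- the domain\\user form matched against login definitions
    Assumptions: IDs use the domain\\user form shown on the page, and domain
    names are compared exactly (the page does not state case rules).
    """
    domain, sep, user = typed_id.rpartition("\\")
    if not user:
        return None  # empty user name
    if sep and domain != associated_domain:
        # A domain other than the associated one cannot be authenticated.
        return None
    # No domain given: the associated domain is used.
    # Associated domain given: it is removed before host authentication.
    # Both cases produce the same pair.
    return user, f"{associated_domain}\\{user}"


def qualified_ids(typed_id: str, servers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Qualified ID each server would report for the same typed credentials."""
    out: Dict[str, Optional[str]] = {}
    for host, domain in servers.items():
        resolved = resolve(typed_id, domain)
        out[host] = resolved[1] if resolved else None
    return out


if __name__ == "__main__":
    for typed in ("abcmktg", "abcunix\\abcmktg", "other\\abcmktg"):
        print(typed, "->", qualified_ids(typed, SERVERS))
```

Running the same check against the domains actually configured on each server shows which servers share a login definition and which typed IDs would be rejected because of a mismatched domain.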
To associate a domain with the host authentication provider, on the SAS server or spawner startup command, specify the AUTHPROVIDERDOMAIN system option and associate a domain suffix with the host (HOSTUSER) authentication provider.
If you are only using host authentication to authenticate users that access the server, the AUTHPROVIDERDOMAIN option has the following syntax:
authproviderdomain HOSTUSER:domain
- HOSTUSER
- specifies that user IDs and passwords are authenticated by using the authentication processing that is provided by the host operating system.
- domain
- specifies a site-specific domain name. Quotation marks are required if the domain value contains blanks.
Note: The maximum length for the AUTHPROVIDERDOMAIN option value is 1,024 characters.
Note: In Windows operating environments, you can specify an authentication provider domain using either the AUTHPROVIDERDOMAIN system option or the AUTHSERVER system option. If both AUTHPROVIDERDOMAIN and AUTHSERVER are specified, the option that was specified first takes precedence.