Authentication Tasks
Note: This is not a universally necessary task. Before you use these instructions, make sure that this is an appropriate choice in your environment. See Direct LDAP Authentication.
To make a metadata server on UNIX directly recognize Active Directory accounts, locate the sasv9_usermods.cfg file that is in your equivalent of SAS/Config/Lev1/SASMeta/MetadataServer and add lines such as these:
```
/* Environment variables that describe your AD server */
-set AD_HOST myhost
/* System options that make AD the primary authentication provider */
-authpd ADIR:company.com
-primpd company.com
```
You can reference only one Active Directory server. You might choose to use a Windows domain name (for example, ADIR:MyWinDomain instead of ADIR:company.com).
The preceding settings cause these results:
| How a User Logs On | Where the Metadata Server Sends the Credentials | How the User ID Must Be Stored in SAS Management Console¹ |
|---|---|---|
| user-ID or user-ID@company.com | To Active Directory | user-ID@company.com |
| WinDomain\user-ID | To Active Directory | WinDomain\user-ID or user-ID@WinDomain |
| user-ID@saspw | To its internal provider | No login for an internal account |
| user-ID@host | To its host | user-ID |
| user-ID@anything-else | To its host | user-ID@anything-else |

¹ If the ID isn't stored in the correct format, the user can log on but has only the PUBLIC identity. Put the SAS copy of each user's ID in a login on that user's Accounts tab. Assign each login to DefaultAuth.
Or, to make a metadata server on UNIX or Windows directly recognize some other LDAP provider, use lines such as these:
```
/* Environment variables that describe your LDAP server */
-set LDAP_HOST myhost
-set LDAP_BASE "ou=emp, o=us"
/* System options that make LDAP the primary authentication provider */
-authpd LDAP:company.com
-primpd company.com
```
You can reference only one LDAP server.
The preceding settings cause these results:
| How a User Logs On | Where the Metadata Server Sends the Credentials | How the User ID Must Be Stored in SAS Management Console¹ |
|---|---|---|
| user-ID or user-ID@company.com | To LDAP | user-ID@company.com² |
| user-ID@saspw | To its internal provider | No login for an internal account |
| user-ID@host | To its host | user-ID |
| user-ID@anything-else | To its host | user-ID@anything-else |

¹ If the ID isn't stored in the correct format, the user can log on but has only the PUBLIC identity. Put the SAS copy of each user's ID in a login on that user's Accounts tab. Assign each login to DefaultAuth.

² When you use the LDAP version of -authpd, you must append the @primpd-value suffix in the SAS copy of each user ID that is authenticated by your LDAP provider.
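The two tables above describe one routing rule applied to the suffix of the submitted user ID. The following added example (not SAS code and not part of this documentation) models that rule for both the AD and the LDAP configuration, and shows why a login stored in the wrong format leaves the user with only the PUBLIC identity; `Config`, `route` and `resolve_identity` are names invented for the example, and suffix comparison is assumed to be exact.

```python
from dataclasses import dataclass

PUBLIC = "PUBLIC"  # identity a user gets when no login matches the required format


@dataclass
class Config:
    provider: str  # "ADIR" or "LDAP", the prefix given to -authpd
    primpd: str    # the -primpd value, for example "company.com"


def route(user_id, cfg):
    """Return (destination, set of acceptable stored IDs) for a submitted ID.

    Suffix comparison is exact (an assumption of this example).
    """
    if cfg.provider == "ADIR" and "\\" in user_id:
        # WinDomain\user-ID form: the stored login may use either spelling
        domain, name = user_id.split("\\", 1)
        return "Active Directory", {user_id, f"{name}@{domain}"}
    name, sep, suffix = user_id.partition("@")
    if not sep or suffix == cfg.primpd:
        # no suffix or the @primpd suffix: the primary provider handles it,
        # and the SAS copy of the ID must carry the @primpd suffix
        dest = "Active Directory" if cfg.provider == "ADIR" else "LDAP"
        return dest, {f"{name}@{cfg.primpd}"}
    if suffix == "saspw":
        return "internal provider", set()  # internal accounts have no login
    if suffix == "host":
        return "host", {name}  # stored without the @host suffix
    return "host", {user_id}  # any other suffix is stored as typed


def resolve_identity(user_id, cfg, logins):
    """Map a submitted ID to the identity its DefaultAuth login grants.

    `logins` is {stored user ID: identity name}. Returns None for internal
    accounts (they are not resolved through logins) and PUBLIC when no stored
    login matches one of the required formats.
    """
    dest, required = route(user_id, cfg)
    if dest == "internal provider":
        return None
    for stored, identity in logins.items():
        if stored in required:
            return identity
    return PUBLIC
```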
To make the changes take effect, restart the metadata server. After you complete the configuration, verify that access to the workspace server isn't compromised. If access fails, see Mixed Providers.
| Environment Variable | Description |
|---|---|
| AD_HOST | The host name of the machine where Active Directory is running. |
| AD_PORT | The port number for Active Directory. The default is 389. |
| LDAP_HOST | The host name of the machine where LDAP is running. |
| LDAP_PORT | The port number for LDAP. The default is 389. |
| LDAP_BASE | The base DN to use. For example: o=People, dc=orion, dc=com. |
| LDAP_IDATTR | (Optional) An alternative LDAP attribute that the SAS server can use to find your DN. The default is uid. |
| LDAP_PRIV_DN* | The privileged DN that is allowed to search for users. For example, cn=useradmin. |
| LDAP_PRIV_PW* | The password for LDAP_PRIV_DN. You can use the PWENCODE procedure to provide an encoded password. |

\* Set this variable only if users connect with a user ID instead of a DN, and the LDAP server does not allow anonymous binds.

| System Option | Description |
|---|---|
| AUTHPD | Use this option to register and name your Active Directory provider or other LDAP provider. For complete syntax, see the AUTHPROVIDERDOMAIN SAS system option. |
| PRIMPD | Use this option to designate your Active Directory server or other LDAP provider as the primary authentication provider for the metadata server. The metadata server directly uses its primary provider when the submitted user ID has an @your-primpd suffix or no @ suffix at all. Using this option enables users to log on using their usual user IDs (no special suffix is required at log on time). For complete syntax, see the PRIMARYPROVIDERDOMAIN SAS system option. |
Here are some additional details:
On UNIX, an alternate location for specifying the environment variables is in the MetadataServer.sh shell script. For example:
```
AD_HOST=myhost
export AD_HOST
```
On z/OS, a TKMVSENV file is used to make a list of pseudo environment variables available. A TKMVSENV PDS is created at installation. To define the environment variables, create a member in the PDS that specifies the necessary variables, and then reference this PDS member in the TKMVSENV DD statement in your started task.
Don't move inbound logins (logins that provide access to the metadata server) out of the DefaultAuth authentication domain. Doing so can interfere with credential reuse. See Credential Management.
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.