Configuring Nonnative Authentication in SPD Server

Overview

To use a nonnative authentication provider, you include options that identify the nonnative provider in the spdsserv.parm parameter file. Only one authenticator should be configured in the spdsserv.parm parameter file. For example, include options that configure either direct authentication through LDAP or options that configure authentication through SAS Metadata Server. SAS Metadata Server provides a choice of external authenticators, including LDAP. Do not include options that configure both. Doing so can cause undesirable results.
Most server parameters can be changed and refreshed while the SPD Server host is running. However, the server parameter options that begin with LDAP* and META* should not be changed while SPD Server is running.
CAUTION:
Changing LDAP* and META* property settings without first shutting down SPD Server can cause unpredictable results.
To modify LDAP* and META* options in the spdsserv.parm parameter file, you must first shut down SPD Server, make your parameter file configuration changes, and then restart SPD Server.

Direct LDAP Configuration Options

To configure direct LDAP authentication for SPD Server:
  • Register users in the SPD Server password database with the psmgr utility.
  • Make sure that the SPD Server user IDs match the users' LDAP user IDs. The passwords are not required to match; the LDAP password is the one that is used.
  • Include LDAP parameter options in the spdsserv.parm parameter file.
The LDAP parameter options for the spdsserv.parm parameter file are as follows:
LDAP
Turns on LDAP authentication. If the LDAP parameter is found during start-up, SPD Server creates a context for LDAP authentication. The default setting is NOLDAP.
LDAPSERVER=
Specify a valid IP address of the host machine for the LDAP server. This address is usually the same as the IP address of the SPD Server host. The default value is the IP address of the SPD Server host.
LDAPPORT=
Specify the TCP/IP port that is used to communicate with the LDAP server. This value is usually the default LOCAL_HOST value, or port 389. Valid values are in the range 0–65,536. The default setting is the LDAP_PORT value.
LDAPBINDMETH=
Controls how SPD Server clients are authenticated by the LDAP server. If this parameter is found in the SPD Server parameter file, LDAPBINDMETH= is a character string whose value must be LDAP_AUTH_SASL. The default setting is null.
LDAPBINDDN=
Specify the distinguished name (DN) of the LDAP database entry, that is, the location in the LDAP Server database where the client information is stored. The bind DN is an LDAP term for the combination of the user ID and the network domain in which the user operates. The form of this string is ID= , rdn1=RDN1, rdn2=RDN2, .., where ID is the identifier for the relative distinguished name (RDN) of a user ID that exists in the LDAP server database. The default form of the DN is uid= , dc=DOM1, dc=DOM2, dc=DOM3. The default value of the LDAPBINDDN parameter is null.
If no distinguished name is specified in the SPD Server parameter file, SPD Server uses the LDAP Server host's domain name to generate values for DOM1, DOM2, and DOM3, and the SPD Server user ID becomes the value for the user ID. The resulting string is the default location of users in the LDAP database.
For example, suppose the LDAP host machine is sunhost.unx.sun.com, and the user ID is sunjws. The resulting default DN is uid=sunjws, dc=unx, dc=sun, dc=com. The distinguished name is used to locate the user sunjws. Then the sunjws user password is compared to the password that is stored in the LDAP database. If SPD Server users are located in a specific location in your LDAP database, be sure to specify that location using LDAPBINDDN.
See the LDAP Server administrator for your site if you need more information about LDAP parameters for your server parameter file. To use the default value for any LDAP parameter, omit the parameter specification from the server parameter file. Undeclared parameters automatically assume default values.
Note: Entering the LDAP_HOST value for LDAPSERVER can cause SPD Server to fail during start-up.
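The rules in this section (one provider only, the LDAPPORT range, the LDAPBINDMETH value, the LDAP_HOST note, and the default DN derived from the LDAP host name) as a small checker. This is an added example, not SAS code; it assumes spdsserv.parm statements are written as NAME, NONAME or NAME=value and terminated by a semicolon or newline, and it applies the default-DN rule to any number of domain labels, not just the three shown above.

```python
import ipaddress
import re

LDAP_OPTIONS = {"LDAP", "LDAPSERVER", "LDAPPORT", "LDAPBINDMETH", "LDAPBINDDN"}
META_OPTIONS = {"METAAUTHENTIC", "METASERVER", "METAPORT", "METADOMAIN"}
STMT_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s*(?:=\s*(.*))?$")
# Constructed sample fragment; statement syntax is an assumption, not taken from SAS docs.
SAMPLE_PARM = "LDAP; LDAPSERVER=10.0.0.25; LDAPPORT=389; LDAPBINDMETH=LDAP_AUTH_SASL;"

def parse_parm(text):
    """Map option name -> value: NAME -> True, NONAME -> False, NAME=value -> str."""
    opts = {}
    for stmt in re.split(r"[;\n]", text):
        stmt = stmt.strip()
        if not stmt:
            continue
        m = STMT_RE.match(stmt)
        if not m:
            raise ValueError("unparseable statement: %r" % stmt)
        name, value = m.group(1).upper(), m.group(2)
        if value is not None:
            opts[name] = value.strip().strip('"')
        elif name.startswith("NO") and name[2:] in LDAP_OPTIONS | META_OPTIONS:
            opts[name[2:]] = False
        else:
            opts[name] = True
    return opts

def default_bind_dn(ldap_host, user_id):
    """uid=<user> plus one dc= per domain label of the LDAP host (drops the host label)."""
    return ", ".join(["uid=" + user_id] + ["dc=" + d for d in ldap_host.split(".")[1:]])

def check_parm(opts):
    """Return the problems found by the rules in this section (empty list if none)."""
    problems = []
    ldap = {k for k in LDAP_OPTIONS if opts.get(k) not in (None, False)}
    meta = {k for k in META_OPTIONS if opts.get(k) not in (None, False)}
    if ldap and meta:
        problems.append("both LDAP* and META* options configured: pick one provider")
    port = opts.get("LDAPPORT")
    if port is not None and not (isinstance(port, str) and port.isdigit() and int(port) <= 65536):
        problems.append("LDAPPORT=%s is outside 0-65536" % port)
    meth = opts.get("LDAPBINDMETH")
    if meth is not None and meth != "LDAP_AUTH_SASL":
        problems.append("LDAPBINDMETH must be LDAP_AUTH_SASL, got %r" % meth)
    try:  # LDAPSERVER must be an IP address; a name such as LDAP_HOST breaks start-up
        ipaddress.ip_address(opts.get("LDAPSERVER", "0.0.0.0"))
    except ValueError:
        problems.append("LDAPSERVER must be an IP address (LDAP_HOST breaks start-up)")
    return problems
```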

SAS Metadata Server Authentication Options

Specify one or more of the following options in the spdsserv.parm parameter file to configure SAS Metadata Server authentication:
METAAUTHENTIC
Specifies that SPD Server should use the SAS Metadata Server to perform user authentication. The back-end authentication provider is whichever provider SAS Metadata Server has been configured to use. NOMETAAUTHENTIC is the default setting.
Note: You can specify METAAUTHENTIC or any of the other META* options. When any other META* option is specified, METAAUTHENTIC is assumed.
METASERVER=
Specify the name of the host that the SAS Metadata Server is running on. If SAS Metadata Server authentication is configured but METASERVER= is not specified, then SPD Server assigns a default value of METASERVER=localhost.
METAPORT=
Specify the port number of the SAS Metadata Server. If SAS Metadata Server authentication is configured but no METAPORT= value is specified, then SPD Server assigns a default value of METAPORT=8561.
METADOMAIN=
Specify the metadata authentication domain where the back-end authenticator resides. If no domain is specified, none is configured. Consult the SAS Metadata Server administrator for the name of the appropriate metadata authentication domain.

Configuring LDAP Authentication through SAS Metadata Server

If you want to use LDAP as the default authenticator for SAS Metadata Server, SPD Server can send user IDs through SAS Metadata Server to LDAP for validation. In this scenario, the SPD Server user IDs must exist in LDAP, and the METAAUTHENTIC option must be specified in the spdsserv.parm parameter file. (You can also specify values for the METASERVER=, METAPORT=, and METADOMAIN= server parameter options as needed.)
The SPD Server host passes the SPD Server user ID to SAS Metadata Server for authentication. SAS Metadata Server routes the authentication requests to LDAP. LDAP then performs the authentication and passes the results via SAS Metadata Server back to the SPD Server host.
Both LDAP and the password database require user IDs and passwords to operate. Some administrative planning is required: User IDs for LDAP and the password database accounts must be exact matches. However, the passwords for the LDAP and password database user IDs do not have to match. Only the LDAP password is used to perform authentication. The password database is not part of authentication transactions. The password database password is used only when SPD Server administrators add a new user to the password database.
For example, in the following LIBNAME statement, the password ripsnert9 for the user coretest must exist in the authentication provider configured in SAS Metadata Server, but not in the SPD Server password database.
libname region_data sasspds "spds_domain"
  host="s658d01.unx.sas.com"
  service="14567"
  user="coretest"
  password="ripsnert9";
Last updated: February 3, 2017