SAS Metadata Server Authentication

Overview of SAS Metadata Server Authentication

To use nonnative authentication, you should configure authentication through the SAS Metadata Server. SAS Metadata Server uses the authentication provider specified in its configuration to perform the authentication. In this case, SPD Server passes the authentication request to the back-end authenticator via the SAS Metadata Server.
The SAS Metadata Server parameter options configure SPD Server to use the SAS Metadata Server to perform user authentication. SPD Server passes the user ID and password to the SAS Metadata Server for validation. After SAS Metadata Server validates the user account, SPD Server then accesses its internal password database file to determine other attributes belonging to the user, such as group and permissions information. For more information about the SAS Metadata Server parameter options, see SPD Server Parameter File Configurations for SAS Metadata Server Authentication.
When using SAS Metadata Server to perform user authentication, an entry is still required for each user in the SPD Server password database. The SPD Server password database is managed by the psmgr utility. Each user entry in the database provides non-authentication information, such as SPD Server group memberships, user performance levels, ACL privileges, and so on.
The benefits of using SAS Metadata Server include the ability to use longer passwords than are supported by native SPD Server authentication or by SPD Server authentication performed via LDAP. SPD Server has a native password length limit of 8 characters. However, the password length limit when using a non-native authenticator via SAS Metadata Server is defined by the back-end authenticator. This often provides access to longer and more secure passwords. SAS Metadata Server also provides better support for using LDAP as a back-end authentication provider.

LDAP through SAS Metadata Server

If you want to use LDAP as the default authenticator for SAS Metadata Server, SPD Server can use this configuration by sending user IDs through SAS Metadata Server to LDAP for validation. In this scenario, the SPD Server user IDs must exist in LDAP, and the METAAUTHENTIC option must be specified in the SPD Server server parameter file. You can also specify values for the METASERVER=, METAPORT=, and METADOMAIN= server parameter options as needed. For more information about configuring SAS Metadata Server authentication options in SPD Server, see SPD Server Parameter File Configurations for SAS Metadata Server Authentication.
The SPD Server host passes the user ID to SAS Metadata Server for authentication. SAS Metadata Server routes the authentication requests to LDAP, which performs the authentication and passes the results via SAS Metadata Server back to the SPD Server host.
Both LDAP and the SPD Server psmgr password database require user IDs and passwords to operate. Some administrative planning is required: user IDs for LDAP and the SPD Server psmgr accounts must be exact matches. However, the passwords for the LDAP and psmgr user IDs do not have to match. Only the LDAP password is used to perform authentication. The psmgr password is not part of authentication transactions. The psmgr password is used only when SPD Server administrators add a new user to the psmgr password database.
For example, in the following LIBNAME statement, the password ripsnert9 for the user coretest must exist in the authentication provider configured in SAS Metadata Server, but need not also exist in the SPD Server password database accessed via psmgr.
LIBNAME region_data sasspds "spds_domain" 
  host="s658d01.unx.sas.com" 
  service="14567" 
  user="coretest"
  password="ripsnert9";

Configuring SPD Server for SAS Metadata Server Authentication

An SPD Server host can use only one configured authenticator. For example, an SPD Server host cannot use both native SPD Server authentication and either legacy LDAP authentication or SAS Metadata Server authentication.
If either legacy LDAP or SAS Metadata Server authentication is configured, native authentication is disabled.
If both legacy LDAP and SAS Metadata Server are configured, only LDAP is used.
However, if SAS Metadata Server authentication is used, SAS Metadata Server can use multiple authenticators based on its configuration.
One feature of these non-native authenticators is their support for large password lengths. These lengths are defined by each authenticator, but usually support a maximum length of 64 characters.

SPD Server Parameter File Options for Configuring SAS Metadata Server Authentications

SPD Server 5.2 features several new options for performing user authentication through the SAS Metadata Server. Although most server parameters can be changed and refreshed while the SPD Server host is running, the collection of server parameter options that begin with LDAP* and META* should not be changed while the host is running. Changing LDAP* and META* property settings without first shutting down the server can cause unpredictable results. To modify LDAP* and META* options in the SPD Server server parameter file, you must first shut down the server, make your parameter file configuration changes, and then restart the SPD Server host. The following options can be specified only in the SPD Server server parameter file.

[NO]METAAUTHENTIC

Specifies whether SPD Server should use the SAS Metadata Server to perform user authentication. The back-end authentication provider is whatever the SAS Metadata Server was configured with. NOMETAAUTHENTIC is the default setting.
Syntax
METAAUTHENTIC;
Description
When in the default setting of NOMETAAUTHENTIC, an internal account (native to SPD Server) is used for authentication. When METAAUTHENTIC is specified, SAS Metadata Server performs user authentication via the authentication provider that is specified in the SPD Server server parameter file.
Note: If you specify any META* option in your SPD Server server parameter file, then SPD Server assumes an authentication setting of METAAUTHENTIC.

METASERVER=

Specifies the name of the host that the SAS Metadata Server is running on.
Syntax
METASERVER=SAS-Metadata-Server-hostname
Description
Provides the name of the host that the SAS Metadata Server resides on. If SAS Metadata Server authentication is configured but METASERVER= is not specified, then SPD Server assigns a default value of METASERVER=localhost.

METAPORT=

Specifies the port number of the SAS Metadata Server.
Syntax
METAPORT=SAS-Metadata-Server-port-number
Description
Identifies the port number of the SAS Metadata Server. If SAS Metadata Server authentication is configured but no METAPORT= value is specified, then SPD Server assigns a default value of METAPORT=8561.

METADOMAIN=

Specifies the domain where the back-end authenticator resides.
Syntax
METADOMAIN=domain-name
Description
The domain name, if needed, for the back-end authenticator used by the SAS Metadata Server. No domain is used if this option is not specified.

Examples of SPD Server Authentication Options

The simplest way to use SAS Metadata Server authentication is to add METAAUTHENTIC to the server parameter file. The value for METASERVER= defaults to localhost and the value for METAPORT= defaults to 8561. localhost selects the host that SPD Server runs on.
The following examples configure SPD Server to use SAS Metadata Server for authentication:
Example using default values for METASERVER= and METAPORT=
METAAUTHENTIC;
Example using option values for METASERVER= and METAPORT=
METASERVER=lax94d01;
METAPORT=8561;
Either of these options implies METAAUTHENTIC to SPD Server.
Note: The METADOMAIN= option is required only by some authentication providers when configured with SAS Metadata Server.
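The authenticator precedence rules above (native is disabled by LDAP* or META*, LDAP wins when both are set, any META* option implies METAAUTHENTIC) and the METASERVER=/METAPORT= defaults are easy to get wrong when reviewing a parameter file by eye. The following added example, which is not SAS code and not part of this documentation, resolves the effective authenticator from a parameter file; it assumes ';'-terminated options as in the examples on this page and that every legacy LDAP option name begins with LDAP.

```python
"""Resolve the effective SPD Server authenticator from a server parameter file.

Added example, not SAS code. Rules taken from this page: any META* option
implies METAAUTHENTIC; legacy LDAP or Metadata Server auth disables native
auth; with both configured only LDAP is used; METASERVER= defaults to
localhost and METAPORT= to 8561. Assumed: ';'-terminated options (as in the
page's examples) and that every legacy LDAP option name starts with LDAP.
"""

# Constructed sample mirroring the page's second example
SAMPLE_PARM = """
METASERVER=lax94d01;
METAPORT=8561;
"""


def parse_parm_file(text):
    """Return {OPTION: value or None}; one option per ';'-terminated statement."""
    opts = {}
    for stmt in text.split(";"):
        stmt = stmt.strip()
        if stmt:
            key, _, value = stmt.partition("=")
            opts[key.strip().upper()] = value.strip() or None
    return opts


def effective_auth(opts):
    """Apply the precedence rules and fill in META* defaults."""
    meta_keys = {k for k in opts if k.startswith("META")}  # any of these implies METAAUTHENTIC
    ldap_keys = {k for k in opts if k.startswith("LDAP")}  # legacy LDAP options (assumed prefix)
    result = {"mode": "native", "metaserver": None, "metaport": None,
              "metadomain": None, "warnings": []}
    if "NOMETAAUTHENTIC" in opts and meta_keys:
        result["warnings"].append("NOMETAAUTHENTIC is set, but other META* options imply METAAUTHENTIC")
    if ldap_keys and meta_keys:
        result["mode"] = "ldap"
        result["warnings"].append("both LDAP* and META* are configured: only LDAP is used")
    elif ldap_keys:
        result["mode"] = "ldap"
    elif meta_keys:
        result["mode"] = "metadata"
        result["metaserver"] = opts.get("METASERVER") or "localhost"
        port = opts.get("METAPORT") or "8561"
        if not port.isdigit():
            raise ValueError(f"METAPORT must be numeric, got {port!r}")
        result["metaport"] = int(port)
        result["metadomain"] = opts.get("METADOMAIN")
    return result
```

Running `effective_auth(parse_parm_file(SAMPLE_PARM))` reports mode `metadata` with the explicit host and port; a file containing only `METAAUTHENTIC;` resolves to localhost and 8561.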