We recently ran into a situation where a customer, with metadata and compute servers on Linux and mid-tier on windows, was trying to leverage the out-of-the-box Pluggable Authentication Module (PAM) support of SAS 9.1.3. PAM allows SAS customers to keep their user management simple by granting users on a Linux (or UNIX) system access to their enterprise LDAP or Microsoft Active Directory (AD) accounts. This results in potentially huge savings in terms of effort on the part of the SAS Administrator - you don't have to create and manage local accounts for all your potential SAS users, just allow them to log into the compute server with their AD account. Also, unlike the direct connection to LDAP that can also be configured, PAM is a "zero effort" configuration. Well, not quite.

The complication we ran into has to do with how PAM is actually enabled on Linux (and presumably the same would apply on other UNIX flavors). Per the documentation all we needed to do was download the PAM-enabled version of sasauth appropriate to our operating system (http://support.sas.com/kb/21/154.html) and use it to replace the old sasauth in !SASROOT/utilities/bin. We did that - no joy.

While some documentation talks about a file called /etc/pam.conf we found that this file actually doesn't exist in newer systems and has instead been replaced by a directory called /etc/pam.d which in turn contains individual files for each of the systems allowed to leverage the functionality of PAM. In other words, in order for sasauth, the SAS authentication module that can speak to PAM, to be granted the use of PAM, we needed to add a sasauth text file to the /etc/pam.conf directory. The file itself follows a similar format to that of the old pam.conf file, as well as the other files found in the /etc/pam.d directory.

In the end, after getting the correct file and removing some cut-and-paste artifacts we have a system that authenticates users' AD accounts.