PAM-enabled SAS Authentication - a caveat


We recently ran into a situation where a customer, with metadata and compute servers on Linux and the mid-tier on Windows, was trying to leverage the out-of-the-box Pluggable Authentication Module (PAM) support of SAS 9.1.3. PAM allows SAS customers to keep their user management simple by letting users log in to a Linux (or UNIX) system with their enterprise LDAP or Microsoft Active Directory (AD) accounts. This results in potentially huge savings in effort for the SAS Administrator: you don't have to create and manage local accounts for all your potential SAS users, you just allow them to log into the compute server with their AD account. Also, unlike the direct connection to LDAP that can also be configured, PAM is a "zero effort" configuration. Well, not quite.

The complication we ran into has to do with how PAM is actually enabled on Linux (and presumably the same would apply on other UNIX flavors). Per the documentation, all we needed to do was download the PAM-enabled version of sasauth appropriate to our operating system (http://support.sas.com/kb/21/154.html) and use it to replace the old sasauth in !SASROOT/utilities/bin. We did that - no joy.

While some documentation talks about a file called /etc/pam.conf, we found that this file doesn't exist on newer systems. It has been replaced by a directory called /etc/pam.d, which contains an individual file for each service allowed to use PAM. In other words, for sasauth, the SAS authentication module that can speak to PAM, to be granted the use of PAM, we needed to add a sasauth text file to the /etc/pam.d directory. The file follows a format similar to that of the old pam.conf file and of the other files found in the /etc/pam.d directory.

In the end, after getting the correct file and removing some cut-and-paste artifacts, we have a system that authenticates users' AD accounts.
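A check for the kind of cut-and-paste artifacts mentioned above, as an added example that is not part of the original post or of SAS documentation: a small linter for a PAM service file such as /etc/pam.d/sasauth. The function name, the sample lines and the use of pam_unix.so are constructed for illustration and are not the configuration SAS prescribes.

```python
import re

PAM_TYPES = {"auth", "account", "password", "session"}
# Fields: type, control (keyword or [value=action ...]), module path, arguments.
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def lint_pam_service(text):
    """Return (line_number, problem) pairs; line 0 means a file-level problem."""
    problems, has_auth = [], False
    for n, raw in enumerate(text.split("\n"), start=1):
        if "\r" in raw:
            problems.append((n, "carriage return (Windows line ending)"))
        odd = sorted({c for c in raw if ord(c) > 126 or (ord(c) < 32 and c not in "\t\r")})
        if odd:
            codes = ", ".join(f"U+{ord(c):04X}" for c in odd)
            problems.append((n, "non-ASCII or control character: " + codes))
        line = raw.replace("\r", "").strip()
        if not line or line.startswith(("#", "@include")):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((n, "expected: type control module-path [arguments]"))
        elif m.group(1).lstrip("-") not in PAM_TYPES:
            problems.append((n, f"unknown type {m.group(1)!r}"))
        elif m.group(1).lstrip("-") == "auth":
            has_auth = True
    if not has_auth:
        problems.append((0, "no 'auth' line found"))
    return problems

# Constructed sample of a file pasted from a Windows editor or a web page.
SAMPLE = (
    "# sasauth service file (constructed sample)\n"
    "auth\u00a0required pam_unix.so\r\n"        # non-breaking space, CRLF
    "auth required \u201cpam_unix.so\u201d\n"    # smart quotes
    "account required pam_unix.so\n"
    "auht required pam_unix.so\n"                # misspelled type
    "auth required\n"                            # module path missing
)

if __name__ == "__main__":
    for number, problem in lint_pam_service(SAMPLE):
        print(f"line {number}: {problem}")
```

To check a real file, read it with `open(path, newline="")` so that Python does not translate carriage returns away before the linter sees them.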


About Author

Angela Hall

Senior Technical Architect

Angela offers tips on using the SAS Business Intelligence solutions. She manages a team of SAS Fraud Framework implementers within the SAS Solutions On-Demand organization. Angela also has co-written two books, 'Building BI using SAS, Content Development Examples' & 'The 50 Keys to Learning SAS Stored Processes'.

4 Comments

  1. Hello Angela, GM! How are you doing today?
    For Linux we have done this procedure, but still not working.
    According to the procedure, we just need to edit the SASFoundation/9.x/utilities/bin/sasauth.conf file in order to set METHODS=PAM and edit the /etc/pam.d/sasauth file to retain only those lines beginning with "auth", right?
    Could you please help us with that?
    I appreciate your help and time.

  2. Fred Janssen on

    Thanks Angela! We are considering utilizing PAM for our EBI system to authenticate against LDAP. Do you remember from the project that you worked on here if user accounts also had to be created on the Linux hosts?
