If users can already authenticate at the host level, the following list of steps is generally all that is needed to configure PAM authentication for SAS to authenticate against Active Directory or LDAP:
- Ensure that the SASFoundation/9.x/utilities/bin/sasauth.conf file has been edited to set methods=pam.
- As the root user, complete the following steps:
  - Create the file /etc/pam.d/sasauth by copying the /etc/pam.d/system-auth file (Red Hat) or the /etc/pam.d/common-auth file (SuSE). On SuSE Linux systems, also copy the contents of /etc/pam.d/common-account to the newly created /etc/pam.d/sasauth file.
    - root# cd /etc/pam.d
    - root# cp system-auth sasauth (RHEL) or root# cp common-auth sasauth (SuSE)
    - (SuSE only) root# cat common-account >> sasauth
  - Edit the /etc/pam.d/sasauth file to retain only those lines beginning with "auth" or "account", and remove any lines with pam_fprintd.so if fingerprint authentication is not being used.
A similar approach can be used in other UNIX environments by copying lines in the /etc/pam.conf file for the "login" service to define the "sasauth" service.
This approach configures SAS to make the same PAM calls as are used to authenticate a user logging in directly to the system. Therefore, if the user can log in directly, the user should also be able to authenticate through a SAS client application.
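The root steps above (copy, append on SuSE, then filter) can be done in one pass, shown here as an added example that is not SAS-supplied code. The function names `filter_sasauth` and `build_sasauth` and the `rhel`/`suse` argument are assumptions made for illustration; the script refuses to write a sasauth file that would contain no "auth" entries.

```shell
#!/bin/sh
# Added example (not SAS-supplied). Function names and the rhel/suse
# argument are assumptions made for illustration.

# filter_sasauth KEEP_FPRINTD FILE...
# Print only entries whose type field is exactly "auth" or "account"
# (the page's rule, so comments and "-auth" style entries are dropped),
# minus pam_fprintd.so lines unless KEEP_FPRINTD is "yes".
filter_sasauth() {
    keep_fp=$1; shift
    awk -v keep="$keep_fp" '
        $1 != "auth" && $1 != "account"    { next }
        keep != "yes" && /pam_fprintd\.so/ { next }
        { print }
    ' "$@"
}

# build_sasauth PAM_DIR DEST rhel|suse [yes|no]
# Builds DEST from system-auth (rhel) or common-auth + common-account (suse).
build_sasauth() {
    pam_dir=$1; dest=$2; distro=$3; keep_fp=${4:-no}
    case $distro in
        rhel) set -- "$pam_dir/system-auth" ;;
        suse) set -- "$pam_dir/common-auth" "$pam_dir/common-account" ;;
        *)    echo "unknown distro: $distro" >&2; return 2 ;;
    esac
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # Write to a temporary file first so a failed run never leaves a
    # partial or empty PAM service file in place.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if filter_sasauth "$keep_fp" "$@" > "$tmp" &&
       grep -Eq '^[[:space:]]*auth[[:space:]]' "$tmp"; then
        chmod 644 "$tmp" && mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "no auth entries found; $dest not written" >&2
        return 1
    fi
}

# Usage as root on RHEL:  build_sasauth /etc/pam.d /etc/pam.d/sasauth rhel
```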