platformadmin.com – Page 31 – Paul Homes blogging on SAS® platform administration topics

Resources for Solaris and Active Directory Integration

A while back I worked with a client to implement Active Directory (AD) integration for a number of Solaris containers that made up their SAS platform. The main benefit of this was to allow all of the SAS users to use their Windows (Active Directory) credentials, the same ones they use to log into their workstation in the morning, to get access to the SAS servers on the Solaris platform. This removed any requirement to manage local user accounts, across multiple Solaris containers, as they could all be managed in Active Directory by the people who usually manage accounts. It was not a trivial exercise – it required communication with several different groups, some changes to the AD server, population of UNIX attributes for users and groups in AD and configuration of the Solaris containers, however it was well worth the effort and I would definitely recommend it.

These were the main technical resources I found useful with implementation and troubleshooting:

The starting point was the Sun document Using Kerberos to Authenticate a Solaris™ 10 OS LDAP Client With Microsoft Active Directory at http://www.sun.com/bigadmin/features/articles/kerberos_s10.pdf.
Scott Lowe’s blog, particularly the Solaris 10-AD Integration, Version 3 post at http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/, provided additional information. That article, the other articles it links to, and the comments on those articles all proved useful, either in their own right or as sources for additional keywords/phrases for Google searches.

I hope you find them useful too.

Installing VirtualBox Guest Additions in Ubuntu

What, you might be wondering, is a post about VirtualBox and Ubuntu doing on a blog that is primarily about SAS® platform administration and metadata?

The answer to that question is that VirtualBox and Ubuntu are both platforms where I run SAS for the purposes of development, testing and exploration/learning. So, whilst not specifically related to SAS platform administration itself, these topics are related to the administration of a platform that underpins a SAS installation I use, plus this blog is a place for me to put things so I don’t forget them later. I guess it’s also possible these posts might be of use to a small niche out there that might be trying to install SAS on Ubuntu in a VirtualBox environment for non-production purposes?

I’m a big fan of VirtualBox for desktop virtualization on Linux hosts and my primary desktop/notebook operating system has been Ubuntu for a few years. Whilst I have been a VMware Workstation user for many years, I find that VirtualBox works better for me on Linux desktop hosts at the moment. VMware is definitely my virtualization application of choice on Windows and Mac OS X desktops, but when it comes to running VMware Workstation on Linux I found there were just enough annoyances (you could use the term paper cut too) when using VMware on a Linux desktop that I was prompted to look elsewhere. VirtualBox ticked most of the boxes for me.

So, down the the subject of the post, I needed to install the VirtualBox Guest Additions in a brand new Ubuntu 10.04 Server guest installation and these were the steps I needed to take.

The installation of the guest additions requires a compilation/build environment which was not present on a fresh Ubuntu server installation.

sudo apt-get install build-essential linux-headers-`uname -r`

With the build tools now available I could load the Guest Additions software CD via the VirtualBox menu items Devices > Install Guest Additions…, mount the CD and then run the installer for 64-bit Linux platforms:

sudo mount /dev/sr0 /mnt/cdrom cd /mnt/cdrom sudo ./VBoxLinuxAdditions-amd64.run

Sudo with no password prompt

DISCLAIMER: This is definitely not recommended for any type of real environment that you rely on to be secure, but sometimes when you are setting up demo/sandpit/throwaway environments you want to be able to execute commands on Linux as root using sudo without getting prompted for your password. You could just work in a root shell all the time, but perhaps you still want to use sudo so you can use your normal account mostly and save yourself from potential accidents by only using sudo when you have to.

So, disclaimer out of the way, here’s how you can set yourself up as a no-password-sudoer (assuming you start out with sudo/root access to begin with):

Add your userid to an appropriate admin group:
sudo gpasswd -a youruserid youradmingroup

Edit the sudoers file:
sudo visudo

… to add an entry to allow your admin group to execute any command via sudo with no password requirement:
%youradmingroup ALL=NOPASSWD: ALL

BTW – visudo on Ubuntu defaults to the nano editor. If you prefer vi/vim you can switch default editor with:

sudo update-alternatives --config editor

.. and select the /usr/bin/vim.basic entry.

There’s more info about sudo on Ubuntu in the community documentation: RootSudo, Sudoers and RootSudoTimeout.

That’s it… sometimes handy but also dangerous … don’t say I didn’t warn you ;)

Found some SAS Enterprise Guide Custom Task development resources

I just saw an interesting SAS Discussion Forum thread relating to the development of custom tasks for SAS Enterprise Guide 4.2 & 4.3. Chris@SAS posted a reply containing a number of links to resources. Looks like a very useful list so I’m filing it away in case I have a need to do any custom task work at a later date.

I saw there is also a SAS support site page on Creating Custom Add-In Tasks for SAS Enterprise Guide with examples, templates and documentation at http://support.sas.com/documentation/onlinedoc/guide/customtasks/

Self-Service Account/Login Management with the SAS Personal Login Manager

Recently I was talking to someone about how users can manage their own logins in metadata using the SAS Personal Login Manager client application. I wanted to show them what it looks like but, to my surprise, I couldn’t find any screenshots of it on the SAS support site, and I didn’t have an installation to hand.

If you are not familiar with it, the SAS Personal Login Manager provides a self-service facility for SAS platform users to manage any of their own accounts/logins (user id and password) stored in metadata. It is available for both SAS 9.1.3 and SAS 9.2. It’s particularly useful when users need to update any of their own passwords that have to be stored in metadata. Of course, as platform administrators we strive to limit the number of passwords stored in metadata, but sometimes it can’t be avoided and so, in those instances, we also need a way to allow users to manage them for themselves.

In most cases we can take advantage of cached credentials, SAS token authentication, and Integrated Windows Authentication (IWA) to help us provide transparent authentication for our users with no requirement for passwords to be stored in metadata. Unfortunately in some cases we need to have passwords in metadata though: providing transparent access to an Oracle database is one example. Of course, as soon as we have passwords stored in metadata they have to be maintained, and security policies often require those passwords to be changed on a regular basis.

As a platform administrator we can see the presence of saved credentials (except the password) for an individual by using the SAS Management Console User Manager Plug-in to review the user’s Accounts tab (in SAS 9.2) or Logins tab (in SAS 9.1.3). Here is a screenshot showing a demo user with his inbound (identifying) login and a few outbound logins used to provide access to other servers.

So for those passwords that have to be stored in metadata for individual users (as opposed to shared logins for groups), how do we go about allowing the users to update them when they need to be changed?

As administrators it is possible, but not recommended, for us to update the password on behalf of the user, but that would mean they would have to 1) tell us their password and 2) it would become a burden for us very quickly.
Alternatively we could allow users to manage their own logins by providing them with access to SAS Management Console. There are some downsides to this too. From a security perspective you might not want those users to have access to the SAS Management Console at all. With SAS 9.1.3 we rarely gave others access to SAS Management Console, but with the addition of roles and capabilities in SAS 9.2 we can now do so and limit their access (visibility) to the other plug-ins to make it more palatable. However, even with access to the SAS Management Console they will need to be able to navigate to the User Manager plug-in, find their own identity, bring up its properties dialog and find the appropriate tab. This sounds like a recipe for lots of support calls.
If your users have SAS Enterprise Guide available to them, it can also be used use to manage their accounts/logins stored in metadata.
If your users don’t or shouldn’t have access to SAS Management Console or SAS Enterprise Guide then this is where the SAS Personal Login Manager shines. It does one thing and one thing only – it lets people manage their own logins using a very simple interface. You might think of it as providing a user with direct access to the contents of their own Accounts tab (or Logins tab for SAS 9.1.3) from SAS Management Console.

Here is a screenshot of the initial view of the SAS Personal Login Manager application immediately after the demo user Nate has logged in. He sees all of his own accounts/logins and can add, remove and edit any of them. That’s it. Nice and simple.

The following is a screenshot of him changing the password for his Oracle login.

Whilst this application can be used for managing an individual users own accounts/logins it can’t be used for managing shared accounts/logins for groups. Those shared logins have to be managed from the SAS Management Console and so if you want to delegate the management of those accounts/logins to group administrators then they will need to have access to the SAS Management Console. In SAS 9.2 you can however limit access to the rest of SAS Management Console via roles and capabilities.

The SAS Personal Login Manager is a desktop application and so requires the client software to be installed on, or be accessible from, the individuals workstation. You might use something like Citrix, VMware ACE or automated software deployment to help manage this. I don’t know of any web based apps from SAS Institute that allow users to manage their own logins, but if you do then please let me know.