topic Re: LDAP / AD authentication in SAS Viya 3.2 - Full deployment in Administration and Deployment

LDAP / AD authentication in SAS Viya 3.2 - Full deployment

JuanS_OCS — Thu, 30 Nov 2017 12:11:27 GMT

Hello,

I have a couple of questions, regarding authentication with Viya, when you select the full deployment.

The OAuth authentication set up for the visual interfaces, speaking more specifically, I am talking about the Environment Manager, allows you to sync with a CN or an OU, for users and for the groups.
1. If done on the groups, it gets the groups on that OU or CN
2. If done on the users, it gets the direct users on the OU or CN.

But apparently it is not getting the sub trees, hence, if there are Interactive accounts and System accounts (such as 'cas'), on different CNs or OUs (as they generally are/should be) .. is there any way to tell the Environment Manager to do so?

The authentication is happening OK in the Visual Environments (VA and EVM) but not in SAS Studio.
- I can log locally to the server with an AD / LDAP account
- I guess, I need to set up the SAS-internal PAM config files for cas and sasstudio
- How to set up the SAS-internal PAM configuration files?

Any guidance or pin-pointing to the right direction would be welcome! Many thanks in advance,

Kind regards,

Juan

Re: LDAP / AD authentication in SAS Viya 3.2 - Full deployment

alexal — Thu, 30 Nov 2017 16:04:26 GMT

@JuanS_OCS,

I can help with PAM authentication.

How to set up the SAS-internal PAM configuration files?

SAS Viya 3.2 Administration / Authentication: How To Configure PAM

Re: LDAP / AD authentication in SAS Viya 3.2 - Full deployment

JuanS_OCS — Thu, 30 Nov 2017 16:11:02 GMT

Hello @alexal,

many thanks, however, I already have gone through it and that link just states the obvious, I am afraid. I mentioned the 2 PAM files, and the link pin-points to the same 2 PAM files:

./etc/pam.d/cas
/etc/pam.d/sasauth

Both files are quite standard, not really useful as default. What is more important is that it says:

Make any modifications to the file that are necessary for your environment.

Which points to the direction What are the necessary changes and based on what?

Either the documentation is missing something or I am.

I see you have experience, perhaps you can help with additional details?

Re: LDAP / AD authentication in SAS Viya 3.2 - Full deployment

alexal — Thu, 30 Nov 2017 16:11:58 GMT

@JuanS_OCS,

Which points to the direction What are the necessary changes and based on what?

Based on you system settings. What you have in /etc/pam.d/system-auth or /etc/pam.d/system-auth-ac?

Re: LDAP / AD authentication in SAS Viya 3.2 - Full deployment

JuanS_OCS — Fri, 01 Dec 2017 11:08:31 GMT

Hello @alexal,

alright, that makes sense, that based on system config.

Please let me share with you the current contents of that file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

And as follow up: can anyone help me with the question 1? 🙂

Thanks in advance!

Re: LDAP / AD authentication in SAS Viya 3.2 - Full deployment

alexal — Fri, 01 Dec 2017 18:56:20 GMT

@JuanS_OCS,

And as follow up: can anyone help me with the question 1?

This is not my area of support. I suggest you open a track, in order to contact the team which supports it.

Re: LDAP / AD authentication in SAS Viya 3.2 - Full deployment

JuanS_OCS — Wed, 06 Dec 2017 09:31:49 GMT

Many thanks @alexal.

I also shared the contents of the system PAM file. What would it be your recommendation to modify the other files?

I made a couple of tries by myself (also in sas.postgres file, on an attempt to leave SAS out of the equation and test connection to PostgreSQL), but no success.