topic Re: Need to upgrade current LDAP to secure LDAP in Administration and Deployment

Need to upgrade current LDAP to secure LDAP

nambhanushali — Thu, 09 Aug 2018 12:18:26 GMT

Hi Team,

I am new to SAS admin.How do I upgrade current LDAP to more secure LDAP authentication?

What is the process?Any documents to refer?

Also what kind of certificates will be needed to install it for authentication ? and where can I find those certificates?

There are 2 servers which SAS needs to access to connect to 3rd party software (Labware LIMS) to extract/fetch the data in reports.

Thank You

Regards,

Namrata

Re: Need to upgrade current LDAP to secure LDAP

alexal — Thu, 09 Aug 2018 12:35:59 GMT

@nambhanushali,

SAS has multiple ways to configure the authentication. Please clarify, are you talking about direct LDAP authentication method on the metadata server, LDAP authentication in sasauth.conf or LDAP authentication within PAM?

Re: Need to upgrade current LDAP to secure LDAP

JuanS_OCS — Thu, 09 Aug 2018 12:36:26 GMT

Hello @nambhanushali,

what is the SAS version of your servers? The certificates must be always imported in the SASPrivateJavaRuntimeEnvironment certificate store.

Please read the following links, it should give you much more than enough information.

https://communities.sas.com/t5/Administration-and-Deployment/How-to-implement-both-AD-and-LDAP-for-user-authentication/td-p/292396

http://support.sas.com/kb/48/142.html

https://www.sas.com/content/dam/SAS/fr_fr/doc/support-clients/articles/us2016_q3_implementation-d-une-authentification-ldap-dans-sas.pdf

The last line about the Labware LIMS servers.... what is the relevance of it for the question?

Re: Need to upgrade current LDAP to secure LDAP

nambhanushali — Mon, 20 Aug 2018 12:47:57 GMT

HI I still did not get the solution as in from where to start?

I got access to SAS Management Console & server access, but I dont know how do I check current LDAP config.

Like below ???

Direct LDAP authentication method on the metadata server,
LDAP authentication in sasauth.conf or
LDAP authentication within PAM (Pluggable authentication modules?

Re: Need to upgrade current LDAP to secure LDAP

alexal — Mon, 20 Aug 2018 13:06:40 GMT

@nambhanushali,

I would like to see an output from the commands shown below:

grep methods /<SASHome>/SASFoundation/9.4/utilities/bin/sasauth.conf
grep AD_HOST /<SASConfig>/Lev<X>/SASMeta/MetadataServer/sasv9_usermods.cfg

Re: Need to upgrade current LDAP to secure LDAP

nambhanushali — Tue, 21 Aug 2018 06:26:28 GMT

Output of sasauth.conf attached & Output of sasv9_usermods.cfg below in mentioned path

SASConfig>/Lev<X>/SASMeta/MetadataServer/sasv9_usermods.cfg

/*
* sasv9_usermods.cfg
*
* This config file extends options set in sasv9.cfg. Place your site-specific
* options in this file. Any options included in this file are common across
* all server components in this application server.
*
* Do NOT modify the sasv9.cfg file.
*
*/
-secpackagelist "Kerberos"

Re: Need to upgrade current LDAP to secure LDAP

alexal — Tue, 21 Aug 2018 11:04:34 GMT

@nambhanushali,

You are using host-based authentication. I do not see any references to PAM or LDAP in your configuration files.

Re: Need to upgrade current LDAP to secure LDAP

nambhanushali — Tue, 21 Aug 2018 11:17:52 GMT

ok so whats next now? how do I implement new secured LDAP?

Any docs to refer for host based authentication?

Re: Need to upgrade current LDAP to secure LDAP

nambhanushali — Tue, 21 Aug 2018 11:29:05 GMT

So now we need to upgrade from host based to LDAPS . What all configuration changes needed to move the SAS environments to support LDAP Secure (LDAPS)?

Re: Need to upgrade current LDAP to secure LDAP

alexal — Tue, 21 Aug 2018 11:29:03 GMT

@nambhanushali,

SAS supports the following methods for integration with LDAP:

host use of LDAP
The SAS server’s host uses an LDAP provider as a back-end authentication provider. From the perspective of the SAS server, this is host authentication. For example:
Active Directory is the standard back-end authentication provider on Windows.
Some UNIX hosts recognize LDAP accounts (or can be configured to do so). See Pluggable Authentication Modules (PAM).
sasauth use of LDAP (UNIX only)
This method provides a direct connection from sasauth (the UNIX host authentication module) to an LDAP database for authentication. This method provides an authenticated UNIX host identity for each user. For configuration instructions, see Configuration Guide for SAS Foundation for UNIX Environments at http://support.sas.com/documentation/installcenter.
metadata server use of LDAP
The metadata server validates some users against an LDAP provider such as Active Directory. This method enables the metadata server to recognize accounts that are not known to its host. It does not provide SAS with an authenticated UNIX host identity for each user. See Direct LDAP Authentication.
LDAP integration support is for authentication purposes only, not for authorization.

Re: Need to upgrade current LDAP to secure LDAP

nambhanushali — Wed, 29 Aug 2018 12:31:45 GMT

HI All,

I need to know how do we set newly created authentication as default auth in SAS Management Console (SMC) which will be applicable to new & existing users also.

Currently under SMC-->User manager->(right click)properties-->Accounts-->new

By default auth showing for new & existing user is "defaultauth". How do we change this default setting for new & existing users?

Is there any way to get it done once for all or do I need to go into individual user & select newly created auth.

I went through into the below link

http://support.sas.com/documentation/cdl/en/mcsecug/69854/HTML/default/viewer.htm#p1q3sdzivhqesin1ol4pb2xz7cjv.htm

But how to set default auth is not mentioned.

Regards,

Namrata