topic LDAP Authentication in Linux environment (for SAS Forecast Server) in Administration and Deployment

LDAP Authentication in Linux environment (for SAS Forecast Server)

doq — Tue, 30 Jul 2019 14:43:33 GMT

Hi, I am implementing SAS Forecast Server on a Google Cloud Platform (GCP) Compute Instance/VM. I am having problem configuring sasauth.conf to connect back to our on-prem LDAP server for password authentication. One item of note is that the ldap server IP is actually the load balancer for our ldap servers. Not sure if this is significant for my situation or not.

I am able to perform an ldapsearch from the command line with an embedded fetch of the target DN as follows:

ldapsearch -x -LLL \
  -H ldaps://<ldaphost.domain.com>:636 \
  -D "$(ldapsearch -x -LLL \
    -H ldaps://<ldaphost.domain.com>:636 \
    -b 'o=,c=us' \
    -s sub 'uid=<tgt_uid>' dn | grep dn | \
    cut -d' ' -f2-)" \
  -s sub "uid=<tgt_uid>" \
  -b "o=,c=us" \
  -w <user_psw>

Please note also that I have been unable to get an ldapsearch command to work using the form '-h <ldaphost.domain.com> -p 636' for the ldap host reference.

The above ldapsearch command fetches the DN first (and strips off the chars 'dn: '), and then uses it in the outer query with the associated password to confirm the password.

This is how I am interpreting the doc for LDAP_AUTH_METHOD=QUERY in sasauth.conf to work...

# QUERY = Search for the user's name in a specified attribute to determine
# the user's DN, then BIND using that DN and the user's credentials.
# (Useful for large enterprises with multiple AD domains.)

However, I have been unable to figure out how to set up sasauth.conf to connect using simple authentication (-x) and ldapuri (-H ldaps://....) and am hoping that this is my problem. Can someone provide guidance on how to configure sasauth.conf to create its query using the form '-x -H ldaps://...:nnn' (or where it is discussed in the manuals) and where I can find the logging for this activity so that I can debug it? I have been unable to find the logs for this anywhere.

Thanks in advance, Dennis

Re: LDAP Authentication in Linux environment (for SAS Forecast Server)

alexal — Tue, 30 Jul 2019 15:49:27 GMT

@doq ,

The easiest way to configure LDAP authentication in sasauth.conf is to use BIND in LDAP_AUTH_METHOD. In that case, you are binding as the user and you do not need to have service account to search your users. As I said before, you need to make sure that your LDAP schema is UNIX enabled, meaning that your schema contains UID/GID for each user. sasauth-debug along with PROC PERMTEST can be used for debugging purposes, please see more details in a SAS note listed below:

http://support.sas.com/kb/39/891.html

Also, I want to say, the easiest way to configure LDAP authentication is to do that on a system level. For example through SSSD and then use PAM authentication in SAS.

Re: LDAP Authentication in Linux environment (for SAS Forecast Server)

doq — Mon, 05 Aug 2019 11:41:51 GMT

I was able to accomplish what I needed to do via the PAM_EXEC module and the expose_authtok parameter. This gave me the info I needed to perform my LDAP search directly without the overhead of SSSD.