topic Re: How to implement both AD and LDAP for user authentication? in Administration and Deployment

How to implement both AD and LDAP for user authentication?

Saikrishna979 — Thu, 18 Aug 2016 09:50:14 GMT

Our SAS VA located on UNIX Environment. currently we are using AD for authenticate a group of people(Eg: UK users). Another group(Eg: US users) of users need authenticate and access the SAS applications, But they are not present in current AD that we are using and present in a LDAP server. So, is this possible to implement both the authentication processes in sasv9_usermods.cfg (both AD and LDAP)?

As like.

/*-----------------Active Directory Authentication---------------------- */
/* Environment variables that describe your Active Directory server  */
-set AD_HOST myhost
/* Define authentication provider  */
-authpd ADIR:mycomapny.com
-primpd mycompany.com
 
/*------------------------LDAP Authentication--------------------------- */
/* Environment variables that describe your LDAP server */
-set LDAP_HOST myhost
-set LDAP_BASE "ou=emp, o=us"
/* Define authentication provider */
-authpd LDAP:mycompany.com
-primpd aus.mycompany.com

or is there any other way to achieve this? please suggest.

Thanks in advance

Re: How to implement both AD and LDAP for user authentication?

PaulHomes — Thu, 18 Aug 2016 10:47:25 GMT

See the How to Configure Direct LDAP Authentication, Multiple LDAP Servers section in the SAS 9.4 Intelligence Platform: Security Administration Guide.

You could also talk to your sysadmin about the possibility of configuring your UNIX platform for authentication against multiple providers and just leave SAS to do host authentication.

Re: How to implement both AD and LDAP for user authentication?

Saikrishna979 — Thu, 18 Aug 2016 12:11:35 GMT

Dear @PaulHomes,

thanks for your reply.

"You could also talk to your sysadmin about the possibility of configuring your UNIX platform for authentication against multiple providers and just leave SAS to do host authentication". could you please elaborate this point in more detail?

Re: How to implement both AD and LDAP for user authentication?

PaulHomes — Fri, 19 Aug 2016 03:43:12 GMT

I mean that you could consider shifting the burden of authenticating users across multiple providers from the SAS platform layer to the operating system platform layer. If you can configure the UNIX server, where your metadata server runs, to authenticate against multiple providers (and it is appropriately aligned with your IT security policies) then SAS can be configured for simple host authentication. An example could be using SSSD with multiple domains.

Another possibility with VA is to shift the authentication to the mid-tier, where there are many authentication configuration options, then use (Trusted) Web Authentication possibly in combination with SAS Token Authenticaiton. Have a read through the Authentication Mechanisms section of the SAS 9.4 Intelligence Platform: Security Administration Guide for more background. You may also find the following papers and resources provide you with more ideas:

SAS Global Forum 2014 Paper: Advanced Security Configuration Options for SAS® 9.4 Web Applications and Mobile Devices by Heesun Park (SAS Institute)
SAS Global Forum 2014 Paper: An Advanced Fallback Authentication Framework for SAS® 9.4 and SAS® Visual Analytics by Zhiyong Li &Mike Roda (SAS Institute)
The SAS Web Server Authentication and Web Authentication sections in the SAS 9.4 Intelligence Platform: Middle-Tier Administration Guide
As an example of the flexibility that mid-tier authentication can provide SAS Visual Analytics Guest Access with IWA Fallback

Since there are lots of options around authentication, without an understanding of your environment, SAS product mix, and business requirements it is hard to give specific advice. I would suggest contacting SAS Professional Services or a SAS Partner in your local region if you need more in-depth assistance.

Re: How to implement both AD and LDAP for user authentication?

Saikrishna979 — Fri, 19 Aug 2016 09:43:30 GMT

Dear @PaulHomes,

We are currently using direct active directory authentication model. So my only question now is, is it possible to authenticate sas with both Active Directory and IBM Directory server at the same time. I have read http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#n0w8oa3erw568vn192xwf0872npk.htm
which mentions that multiple LDAP servers can be configured. I would like to know if we can configure in such a way that the AD and IBM LDAP server both can be used as authentication providers in the same sas machine.

I have also raised a ticket with technical support regarding this. I would like to understand this topic before sas support contact me. Hence the repeated questions.

Thank you

Re: How to implement both AD and LDAP for user authentication?

PaulHomes — Fri, 19 Aug 2016 21:17:28 GMT

Have you tried this?

-authpd (ADIR:mydomain LDAP:mycompany.com)

For more info see the documentation for the AUTHPROVIDERDOMAIN System Option.

Re: How to implement both AD and LDAP for user authentication?

Saikrishna979 — Thu, 22 Sep 2016 05:52:17 GMT

@PaulHomes Thanks a lot for your kind support, we are proccedding for test with -authpd (ADIR:mydomain LDAP:mycompany.com).