05-10-2017 04:06 PM
We use our company ID to log in to SAS 9.2; the user ID format is UserName.us.company.com.
We now have an ID in the format of UserName.company.com, without the us.
How do I add multiple ID formats to the sasv9_usermods.cfg file for LDAP authentication?
Would I add -primpd company.com after -authpd LDAP:us.company.com?
/*--------------------Original LDAP Authentication Code----------------------*/
* This config file extends options set in sasv9.cfg. Place your site-specific
* options in this file. Any options included in this file are common across
* all server components in this application server.
* Do NOT modify the sasv9.cfg file.
-set LDAP_PORT 389
-set LDAP_HOST bluepages.company.com
-set LDAP_BASE "c=us,ou=bluepages,o=company.com"
-set LDAP_IDATTR "primaryuserid"
05-11-2017 09:06 AM
If I am not mistaken, you could add it as:
-authpd (ADIR:us.company.com, ADIR:company.com)
-authproviderdomain (HOSTUSER:'....', ADIR:'us.company.com')
-authproviderdomain (HOSTUSER:'....', ADIR:'company.com')
Have you tried it that way?
I do not want to put Paul on the spot :-) but .. he is THE LDAP king super expert, he might have
a better / different suggestion (there is no one I trust more than Paul when it comes to security matters!)
05-12-2017 02:08 AM - edited 05-12-2017 02:19 AM
Thanks for the nice words, Anja.
@EPV3 - can you clarify what your authentication environment looks like now? Is it a single LDAP server or two LDAP servers? If a single server, are you trying to support both user id formats or just the new format? You mentioned the old user id format is UserName.us.company.com. Are you talking about the format you have in SAS metadata? Is it not UserName@us.company.com? When your users log in, do they provide the long form user id UserName.us.company.com (or UserName@us.company.com) or the short form of just UserName?
The best place to look for more info on this in the SAS 9.2 documentation is the How to Configure Direct LDAP Authentication section in the SAS 9.2 Intelligence Platform: Security Administration Guide (though there is a bit more detail in the SAS 9.4 equivalent page).
The AUTHPROVIDERDOMAIN (AUTHPD) system option provides one or more authentication providers that can be used. If you need to use two LDAP servers then you can add extra domains in this option.
The PRIMARYPROVIDERDOMAIN (PRIMPD) system option is used to specify the primary domain that should be used for unqualified user ids (or PRIMPD qualified or an unknown qualifier). For example, if your user specifies an unqualified bob as the user id and the primpd is example.com then email@example.com will be used as the qualified userid. Have a look at the SAS documentation for more examples of how and when PRIMPD is used.