04-30-2018 11:41 AM
I tried to configure two LDAP servers with different hosts using the documentation http://documentation.sas.com/?docsetId=bisecag&docsetTarget=n0w8oa3erw568vn192xwf0872npk.htm&docsetV...
My configuration is like this:
-authproviderdomain (LDAP:Name1, LDAP:Name2)
-primpd Name1
-set LDAP_PRIV_DN_Name2 "..."
-set LDAP_PRIV_PW_Name2 "..."
-set LDAP_BASE_Name2 "..."
-set LDAP_HOST_Name2 "..."
-set LDAP_PORT "636"
-set LDAP_TLSMODE "1"
-set LDAP_PRIV_DN_Name1 "..."
-set LDAP_PRIV_PW_Name1 "..."
-set LDAP_BASE_Name1 "..."
-set LDAP_HOST_Name1 "..."
-set LDAP_IDATTR_Name1 "racfid"
But it didn't work. I got the ERROR message:
2018-04-30T17:31:47,872 ERROR  :sasadm - Unable to authenticate due to missing environment variable: LDAP_HOST.
05-01-2018 09:02 AM
The SAS metadata server can only connect to one LDAP server. You'd need to provide a single LDAP endpoint that can provide a view of more than one directory tree. This is possible in the Microsoft AD space by joining domains under a single forest and querying the global catalogue. A Google search shows there are some software solutions that can provide a virtual directory backed by more than one LDAP tree; this is a potential solution.
05-03-2018 11:20 PM
I suppose you might want to think about the higher intent here and try to provide some more details.
What is the problem you are attempting to solve? Try to provide some context.
e.g. The company I work for just acquired a new company. Users are now split across two Active Directory domains which are not in the same forest. The SAS team need to update our existing configuration to allow users from both Active Directory domains to be authenticated and use SAS using their existing domain accounts. How might we configure the SAS Metadata Server to authenticate users from two different Active Directory domains?
If it's something like two distinct Active Directory setups then I'd not use the LDAP bits inside SAS but rather configure sasauth to use PAM then simply just have my Linux/UNIX system administrators ensure the krb5 configuration on that system is able to talk to both KDCs for those two realms and SAS will seamlessly authenticate both annie@REALMA.COMPANY and bob@REALMB.COMPANY if the krb5 configuration is correct.
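A sketch of the two-realm krb5 configuration the last reply describes, added here as an example and not taken from the thread or from SAS documentation. The realm names come from the reply; the KDC host names and DNS domains are placeholders to be replaced with the real domain controllers.

```ini
# /etc/krb5.conf on the SAS metadata server host (constructed example)
[libdefaults]
    # Unqualified user names are resolved against this realm only
    default_realm = REALMA.COMPANY
    # Static KDC entries below are used instead of DNS SRV discovery
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Do not trust reverse DNS when canonicalizing host names
    rdns = false

[realms]
    REALMA.COMPANY = {
        # Placeholder host names: substitute the realm A domain controllers
        kdc = dc1.realma.company
        kdc = dc2.realma.company
    }
    REALMB.COMPANY = {
        # Placeholder host names: substitute the realm B domain controllers
        kdc = dc1.realmb.company
        kdc = dc2.realmb.company
    }

[domain_realm]
    # Map each DNS domain (assumed names) to its Kerberos realm
    .realma.company = REALMA.COMPANY
    realma.company = REALMA.COMPANY
    .realmb.company = REALMB.COMPANY
    realmb.company = REALMB.COMPANY
```

Running kinit for one principal in each realm (for example annie@REALMA.COMPANY and bob@REALMB.COMPANY) from the SAS host confirms that both KDCs are reachable before PAM is involved. Because bare user names map to default_realm, users in the second realm have to log in with the fully qualified principal.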