Architecting, installing and maintaining your SAS environment

LDAP / AD authentication in SAS Viya 3.2 - Full deployment

Trusted Advisor
Posts: 1,414


Hello,

 

I have a couple of questions, regarding authentication with Viya, when you select the full deployment.

 

  • The OAuth authentication set up for the visual interfaces, speaking more specifically, I am talking about the Environment Manager, allows you to sync with a CN or an OU, for users and for the groups.
    1. If done on the groups, it gets the groups on that OU or CN
    2. If done on the users, it gets the direct users on the OU or CN.

    But apparently it is not getting the subtrees. Hence, if there are Interactive accounts and System accounts (such as 'cas') in different CNs or OUs (as they generally are/should be), is there any way to tell the Environment Manager to do so?

 

  • The authentication is happening OK in the Visual Environments (VA and EVM) but not in SAS Studio.
    • I can log in locally to the server with an AD / LDAP account
    • I guess, I need to set up the SAS-internal PAM config files for cas and sasstudio
    • How to set up the SAS-internal PAM configuration files?

Any guidance or pin-pointing to the right direction would be welcome! Many thanks in advance,

 

Kind regards,

Juan

 

 

SAS Employee
Posts: 316

Re: LDAP / AD authentication in SAS Viya 3.2 - Full deployment

Posted in reply to JuanS_OCS

@JuanS_OCS,

 

I can help with PAM authentication.

"How to set up the SAS-internal PAM configuration files?"

 

SAS Viya 3.2 Administration / Authentication: How To Configure PAM

Trusted Advisor
Posts: 1,414

Re: LDAP / AD authentication in SAS Viya 3.2 - Full deployment

[ Edited ]

Hello @alexal,

 

Many thanks. However, I have already gone through it, and that link just states the obvious, I am afraid. I mentioned the 2 PAM files, and the link pinpoints the same 2 PAM files:

  • /etc/pam.d/cas
  • /etc/pam.d/sasauth

 

Both files are quite standard, not really useful as default. What is more important is that it says:

  1. Make any modifications to the file that are necessary for your environment.

 

Which points to the direction: what are the necessary changes, and based on what?

Either the documentation is missing something or I am.

 

I see you have experience, perhaps you can help with additional details?

SAS Employee
Posts: 316

Re: LDAP / AD authentication in SAS Viya 3.2 - Full deployment

Posted in reply to JuanS_OCS

@JuanS_OCS,

"Which points to the direction: what are the necessary changes, and based on what?"

Based on your system settings. What do you have in /etc/pam.d/system-auth or /etc/pam.d/system-auth-ac?

Trusted Advisor
Posts: 1,414

Re: LDAP / AD authentication in SAS Viya 3.2 - Full deployment

[ Edited ]

Hello @alexal,

 

Alright, that makes sense, that it is based on the system config.

 

Please let me share with you the current contents of that file:

 

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

 

And as a follow-up: can anyone help me with question 1? :)

 

Thanks in advance! 
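
An added example, not part of the thread and not SAS or forum-member code: a small tracer for the `auth` rules of the system-auth file posted above, showing which modules are consulted for a local account, a directory (SSSD) account, and a directory account with a uid below 1000. The `perm_denied` and `auth_err` outcomes fed in are assumed module results, and `include`/`substack` controls are not handled.

```python
import re
# Constructed input: the auth rules of the system-auth file posted above.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
"""
# Keyword controls written in their bracket form (see pam.conf(5)).
KEYWORDS = {"required":   {"success": "ok",   "default": "bad"},
            "requisite":  {"success": "ok",   "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"},
            "optional":   {"success": "ok",   "default": "ignore"}}
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text, group="auth"):
    """Return [(control_map, module)] for one management group, in file order."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m and m.group(1) == group:
            ctl = m.group(2)
            cmap = (dict(kv.split("=") for kv in ctl[1:-1].split())
                    if ctl.startswith("[") else KEYWORDS[ctl])
            rules.append((cmap, m.group(3)))
    return rules

def trace(rules, results):
    """Walk the stack; `results` maps module -> PAM return name (default 'success')."""
    results = {"pam_deny.so": "auth_err", **results}   # pam_deny.so always fails
    consulted, failed, granted, i = [], False, False, 0
    while i < len(rules):
        cmap, module = rules[i]
        consulted.append(module)
        action = cmap.get(results.get(module, "success"), cmap.get("default", "bad"))
        i += 1
        if action.isdigit():
            i += int(action)              # jump over the next N rules
        elif action == "die":
            return False, consulted       # fail at once, skip the rest
        elif action == "bad":
            failed = True
        elif action in ("ok", "done") and not failed:
            granted = True
            if action == "done":
                return True, consulted    # succeed at once, skip the rest
    return granted and not failed, consulted
```

Calling `trace(parse(SYSTEM_AUTH), {"pam_localuser.so": "perm_denied", "pam_succeed_if.so": "auth_err"})` models a directory account with a uid below 1000: the stack stops at `pam_succeed_if.so` and `pam_sss.so` is never asked.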

SAS Employee
Posts: 316

Re: LDAP / AD authentication in SAS Viya 3.2 - Full deployment

Posted in reply to JuanS_OCS

@JuanS_OCS,

"And as a follow-up: can anyone help me with question 1?"

 

This is not my area of support. I suggest you open a track, in order to contact the team which supports it.

Trusted Advisor
Posts: 1,414

Re: LDAP / AD authentication in SAS Viya 3.2 - Full deployment

Many thanks @alexal.

 

I also shared the contents of the system PAM file. What would be your recommendation for modifying the other files?

 

I made a couple of tries by myself (also in the sas.postgres file, in an attempt to leave SAS out of the equation and test the connection to PostgreSQL), but no success.
