BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
doq
Fluorite | Level 6 doq
Fluorite | Level 6

Hi, I am implementing SAS Forecast Server on a Google Cloud Platform (GCP) Compute Instance/VM.  I am having problem configuring sasauth.conf to connect back to our on-prem LDAP server for password authentication.  One item of note is that the ldap server IP is actually the load balancer for our ldap servers.  Not sure if this is significant for my situation or not.

 

I am able to perform an ldapsearch from the command line with an embedded fetch of the target DN as follows:

 

ldapsearch -x -LLL \
  -H ldaps://<ldaphost.domain.com>:636 \
  -D "$(ldapsearch -x -LLL \
    -H ldaps://<ldaphost.domain.com>:636 \
    -b 'o=,c=us' \
    -s sub 'uid=<tgt_uid>' dn | grep dn | \
    cut -d' ' -f2-)
" \
  -s sub "uid=<tgt_uid>" \
  -b "o=,c=us" \
  -w <user_psw>

 

Please note also that I have been unable to get an ldapsearch command to work using the form '-h <ldaphost.domain.com> -p 636' for the ldap host reference.

 

The above ldapsearch command fetches the DN first (and strips off the chars 'dn: '), and then uses it in the outer query with the associated password to confirm the password.

 

This is how I am interpreting the doc for LDAP_AUTH_METHOD=QUERY in sasauth.conf to work...

 

   # QUERY = Search for the user's name in a specified attribute to determine
    # the user's DN, then BIND using that DN and the user's credentials.
    # (Useful for large enterprises with multiple AD domains.)

 

However, I have been unable to figure out how to set up sasauth.conf to connect using simple authentication (-x) and ldapuri (-H ldaps://....) and am hoping that this is my problem.  Can someone provide guidance on how to configure sasauth.conf to create its query using the form '-x -H ldaps://...:nnn' (or where it is discussed in the manuals) and where I can find the logging for this activity so that I can debug it?  I have been unable to find the logs for this anywhere.

 

Thanks in advance, Dennis

1 ACCEPTED SOLUTION

Accepted Solutions
doq
Fluorite | Level 6 doq
Fluorite | Level 6

I was able to accomplish what I needed to do via the PAM_EXEC module and the expose_authtok parameter.  This gave me the info I needed to perform my LDAP search directly without the overhead of SSSD.

View solution in original post

2 REPLIES 2
alexal
SAS Employee

@doq ,

 

The easiest way to configure LDAP authentication in sasauth.conf is to use BIND in LDAP_AUTH_METHOD. In that case, you are binding as the user and you do not need to have service account to search your users. As I said before, you need to make sure that your LDAP schema is UNIX enabled, meaning that your schema contains UID/GID for each user. sasauth-debug along with PROC PERMTEST can be used for debugging purposes, please see more details in a SAS note listed below:

 

http://support.sas.com/kb/39/891.html

 

Also, I want to say, the easiest way to configure LDAP authentication is to do that on a system level. For example through SSSD and then use PAM authentication in SAS.

doq
Fluorite | Level 6 doq
Fluorite | Level 6

I was able to accomplish what I needed to do via the PAM_EXEC module and the expose_authtok parameter.  This gave me the info I needed to perform my LDAP search directly without the overhead of SSSD.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 2 replies
  • 1294 views
  • 1 like
  • 2 in conversation