darwinwalters
Fluorite | Level 6

We're currently using the following guide to configure LDAP authentication against Active Directory for SAS Studio Basic running on one EC2 instance: http://support.sas.com/documentation/installcenter/en/ikfdtnunxcg/66380/PDF/default/config.pdf

My questions are at the bottom of the post.


Looking at the documentation in <SASHome>/SASFoundation/9.4/utilities/bin/sasauth.conf, there are three ways to authenticate a user (BIND, MATCH, or QUERY). We decided to go with the MATCH or QUERY methods for authentication. However, we've run into a few errors with both methods.

With MATCH, it seems that the user is found, but SAS runs into an issue with getting the encrypted password.

```text
20190111-14:30:01 Authenticating user <USERNAME> via ldap
20190111-14:30:01 LDAP: Authenticating user <USERNAME>
20190111-14:30:01 Build entry DN: User domain ignored (if any).
20190111-14:30:01 Set LDAP to version 3.
20190111-14:30:01 LDAP: Connecting to <LDAP_URL>
20190111-14:30:01 LDAP: Using protocol version 3
20190111-14:30:01 LDAP: binding to '<LDAP_HOST_DN>'
20190111-14:30:01 LDAP: entrydn is '<LDAP_USERBASE> <LDAP_SEARCHBASE>'
20190111-14:30:01 LDAP: filter is '(&(sAMAccountName=<USERNAME>)(&(objectClass=user)))'
20190111-14:30:01 LDAP: UID is XXX
20190111-14:30:01 LDAP: GID is XXX
20190111-14:30:01 Request failed: 'Did not get encrypted password for user.'
```

With BIND, we're getting an operations error.

```text
20190111-15:23:04 Authenticating user <USERNAME> via ldap
20190111-15:23:04 LDAP: Authenticating user <USERNAME>
20190111-15:23:04 LDAP: Search for user in domain <LDAP_DOMAIN>
20190111-15:23:04 Set LDAP to version 3.
20190111-15:23:04 LDAP: Connecting to <LDAP_DOMAIN>
20190111-15:23:04 LDAP: Using protocol version 3
20190111-15:23:04 LDAP: binding to '<LDAP_HOST_DN>,'XX
XX'
20190111-15:23:04 LDAP: Searching for user DN using query '(sAMAccountName=<USERNAME>)'
20190111-15:23:04 DN query failed in domain '<LDAP_DOMAIN>'
20190111-15:23:04 Operations error
```

I had the following questions:

  1. With MATCH and Active Directory, has anyone had any success with retrieving an encrypted password? I've used the password attribute unicodePwd, which is what our other applications use when authenticating against LDAP.
  2. Is there a way to see the exact DN query that the QUERY method uses to find the user's DN? I'm thinking that this is our best bet with authenticating against LDAP.
  3. Is there an additional setup that we have to do on the SAS EC2 instance to create users? As of now, we only have the sas user which is used to install and run SAS Studio Basic. Does each user in LDAP also need a corresponding Unix system user?
  4. If anyone has successfully set up SAS Studio Basic to authenticate against Active Directory (either using LDAP or a combination of PAM and LDAP), could you please share an overview of your working configuration?

Thanks!
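The QUERY-style flow asked about in question 2, as an added example that is not SAS's sasauth code and not from the original post: bind with a service account, look up the user's DN with the same sAMAccountName filter shape seen in the MATCH log, then verify the password by binding as that DN, never reading a password attribute. The FakeDirectory, DNs and passwords are constructed so it runs offline; the RFC 4515 escaping of the username is the one addition beyond what the log shows.

```python
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a typed username cannot add wildcards or close the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_user_filter(username: str) -> str:
    """Equivalent to the filter sasauth logged in the MATCH attempt above."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"

def authenticate(conn, service_dn, service_pw, search_base, username, password):
    """QUERY flow: find the DN with a service bind, then bind as the user.
    Returns the user's DN on success, None on any failure. No password
    attribute is read: AD does not return unicodePwd on a search."""
    if not password:            # empty password = anonymous bind in LDAP, so refuse it
        return None
    if not conn.bind(service_dn, service_pw):
        return None
    hits = conn.search(search_base, build_user_filter(username))
    if len(hits) != 1:          # none or ambiguous: fail closed
        return None
    return hits[0] if conn.bind(hits[0], password) else None

class FakeDirectory:
    """Constructed offline stand-in for AD: DN -> (sAMAccountName, password).
    Like AD, it matches the escaped value exactly and returns nothing for a
    search on a connection that has not bound (AD reports an operations error)."""
    def __init__(self, entries):
        self.entries, self.bound_as = entries, None

    def bind(self, dn, password):
        ok = dn in self.entries and self.entries[dn][1] == password
        self.bound_as = dn if ok else None
        return ok

    def search(self, base, ldap_filter):
        if self.bound_as is None:
            return []
        m = re.fullmatch(r"\(&\(objectClass=user\)\(sAMAccountName=(.*)\)\)", ldap_filter)
        wanted = m.group(1) if m else None
        return [dn for dn, (sam, _) in self.entries.items()
                if dn.endswith(base) and escape_filter_value(sam) == wanted]

# Constructed sample directory; a real deployment reads these from sasauth.conf.
SERVICE_DN = "CN=sasldap,OU=Service,DC=example,DC=com"
DIRECTORY = FakeDirectory({
    SERVICE_DN: ("sasldap", "svc-secret"),
    "CN=Jane Doe,OU=Users,DC=example,DC=com": ("jdoe", "jane-pw"),
})
```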

2 REPLIES
JuanS_OCS
Amethyst | Level 16

Hello @darwinwalters,

this is an interesting question. I would personally lay the AD or LDAP authentication onto the shoulders of the operating system itself, with PAM. But this would be my personal choice.

In this sense, with PAM and SSSD (or realm for Active Directory), you can let the operating system authenticate internally with your Identity Provider, no matter which one. And once you do this, and you test that it works, that you can authenticate to the OS with your AD user, you only need to let SAS use PAM on its terms (see http://support.sas.com/kb/49/432.html).

This would be my choice because then the authentication can be managed by its real experts. Also the authentication is much easier and more secure for you, and, furthermore, Google is full of examples on how to do all of that.

https://www.google.nl/search?q=PAM+SSSD&rlz=1C1GCEU_nlNL823NL827&oq=PAM+SSSD&aqs=chrome..69i57.3591j...

This being said, let me answer your other questions:

1. I would not ever like to retrieve a password, encrypted or not. The more the confidential information is kept at its origin, the better. A secure handshake is better!

2. Yes, there always is, by increasing the level of the logs of the SAS Java process. I cannot recall which one is the right one now, but if you are interested, I am sure SAS Technical Support can give you a hand there.

3. If you use this authentication, yes, you would need corresponding local and AD users. If you use the PAM module, you only need one that is in the AD or LDAP. Of course, extra admin actions would need to be taken then anyway in the SSSD configuration: which users would be part of what local groups, ACLs, roles for each local group, etc. The normal stuff.

4. I think I answered it already at the top.

Does this help? Please let us know.


Kind regards,

Juan

alexal
SAS Employee

@darwinwalters,

```text
Request failed: 'Did not get encrypted password for user.'
```

I would like to know what did you set in these options:

  • LDAP_SCHEMA
  • LDAP_PASSWD_ATTRIBUTE

SASAUTH here tried to retrieve a password from LDAP_PASSWD_ATTRIBUTE and failed because nothing has been returned from an LDAP server.

```text
20190111-15:23:04 LDAP: Searching for user DN using query '(sAMAccountName=<USERNAME>)'
20190111-15:23:04 DN query failed in domain '<LDAP_DOMAIN>'
```

I'm wondering what will be returned from this command:

```shell
ldapsearch -b "" -D "sAMAccountName=<USERNAME>" -h <SERVER_NAME> -W -x
```
