03-08-2018 02:48 AM
We have created users using LDAP and are able to log in to Environment Manager. While logging in to SAS Studio, only a few of them are able to log in. A few of them are not able to log in to SAS Studio: it says Access Denied, and for a few others it says password expired. Is there anything going wrong while logging in? We had set the same password for all the users. I don't see any limitations on the validity of passwords, though.
Can anyone help with this? Many thanks!!
03-08-2018 03:00 AM - edited 03-08-2018 03:01 AM
Are you talking about SAS Studio on Viya or on 9.4?
For Viya, the tip is that the authentication works in a slightly different way: the users will authenticate against the web (and web to LDAP, as your selected option), but they have to double-authenticate as well against the host servers where CAS is running. Meaning: either you have your users registered in the host itself, maintaining the same passwords, or you have your Linux server joined to the LDAP realm, so that the users can log in, with the LDAP credentials, to the CAS servers, and the home folders should be automatically generated (you can have a look at the PAM options).
For 9.4, I think we would need to know additional details: the specific errors in SAS metadata, SAS Studio logs and SAS Logon are a good starting point.
03-08-2018 03:05 AM
03-08-2018 03:16 AM
The web applications (Environment Manager, VA, etc.) all work with the authentication set as web authentication: LDAP, SAML, etc. In your case, it is connected to LDAP/AD.
However, CAS sessions connect through the web (SAS Studio), but they also start a process (the actual CAS one) on the host itself. That is why you need host authentication as well. And the users and passwords should match.
PAM is your friend here, and you can delegate authentication to it. So you can create users locally, and maintain the users and passwords, or you just join the machine(s) to the LDAP realm to allow users to log in locally to the server (through SAS Studio), and the server should create the Linux home folder for the user as well.
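A host-side check for the point made in the replies above, that each web/LDAP user must also be a usable account on the host where CAS runs. This is an added example, not part of the thread and not SAS tooling; it assumes a Linux host with `getent`, and the function names `account_state` and `check_user` are hypothetical.

```shell
#!/bin/sh
# Added example: classify what the CAS host itself knows about one account.
# Inputs are one passwd(5) line and one shadow(5) line for the user.

# account_state PASSWD_LINE SHADOW_LINE TODAY
#   TODAY is the number of days since 1970-01-01.
#   Prints one of: missing | no-home | expired | ok
account_state() (
  passwd_line=$1 shadow_line=$2 today=$3
  # No passwd entry: the host (local files or LDAP via NSS) does not know the user.
  [ -n "$passwd_line" ] || { echo missing; exit 0; }
  # passwd(5) field 6 is the home directory the session will start in.
  home=$(printf '%s\n' "$passwd_line" | cut -d: -f6)
  [ -d "$home" ] || { echo no-home; exit 0; }
  # shadow(5): field 3 = last password change, field 5 = maximum age,
  # field 8 = account expiry date (all counted in days).
  last=$(printf '%s\n' "$shadow_line" | cut -d: -f3)
  max=$(printf '%s\n' "$shadow_line" | cut -d: -f5)
  acct=$(printf '%s\n' "$shadow_line" | cut -d: -f8)
  if [ -n "$acct" ] && [ "$today" -ge "$acct" ]; then echo expired; exit 0; fi
  # A last-change value of 0 means the password must be changed at next login.
  if [ "$last" = 0 ]; then echo expired; exit 0; fi
  if [ -n "$last" ] && [ -n "$max" ] && [ "$today" -gt $(( $last + $max )) ]; then
    echo expired; exit 0
  fi
  echo ok
)

# check_user USER: look the account up through NSS, so LDAP/SSSD users are
# included when the host is joined to the directory.
check_user() {
  today=$(( $(date +%s) / 86400 ))
  p=$(getent passwd "$1" || true)
  s=$(getent shadow "$1" 2>/dev/null || true)   # needs root; empty otherwise
  printf '%s: %s\n' "$1" "$(account_state "$p" "$s" "$today")"
}
```

Run `check_user <name>` as root on the CAS host for one user who can log in and one who cannot, and compare the results.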