10-15-2013 01:48 PM
Hello, I am wondering how to best set up authentication via Lightweight Directory Access Protocol (LDAP) for users from many different organizations outside my own who need to access individualized SAS 9.3 BI dashboards that my organization is creating. Tech support has been helpful so far, but, as someone with little configuration/deployment/administration experience who has nonetheless been asked to take care of this, I'm afraid I need more basic help.
Here are the steps I've taken so far:
1) Added the Active Directory Lightweight Directory Services (AD LDS) role on our Windows 2008 R2 Enterprise Server.
2) Added 2 lines to sasv9_usermods.cfg (SAS(R) 9.3 Intelligence Platform: Security Administration Guide). I did not add the 3rd line (/* System options that make LDAP the primary authentication provider */ -authpd LDAP:company.com -primpd company.com) yet because I don't fully understand the implications of making the change. If I make LDAP the primary authentication provider, will that create problems for all the SAS users within our organization who connect to SAS servers through Integrated Windows authentication (IWA)? In other words, do I have to choose either IWA or LDAP?
I restarted the Metadata server after updating the sasv9_usermods.cfg file.
3) I created a new authentication domain in Management Console, created a user, and set the user's authentication domain to the new one just created. However, nothing seems to have actually happened. For example, I cannot log in to SAS BI Dashboard with the login information I entered, either in AD LDS or Management Console.
4) Following tech support's advice, have run this code (40147 - Test connection to LDAP or Active Directory server from within SAS® 9) for a single user account I set up in AD LDS. I modified the code with one small edit (30425 - "ERROR: Invalid handle specified" occurs when running the sample program IMPORTAD.SAS) after encountering an "Invalid handle specified" error. The code executes with 1 warning and the following messages in the log:
"LDAPS_OPEN call successful.
WARNING: No results found.
LDAPS_FREE call successful.
LDAPS_CLOSE call successful."
So, I clearly still have some issues to address, but it appears that some sort of connection is being made to AD LDS.
Sorry in advance for my rookie mistakes. Any help to keep moving forward would be greatly appreciated!
12-02-2013 11:36 AM
In case anyone is trying to do something similar, I thought I would provide an update to this post to say that we ended up creating local Windows users ( Create a user account - Microsoft Windows Help) and then running a generic bulk load macro (SAS(R) 9.3 Intelligence Platform: Security Administration Guide) to create new SAS accounts based on the local Windows accounts. Following this approach, the SAS accounts need to have the prefix "WIN\" for the local domain and the SAS user would log in with the password set in the local Windows account. We had issues with metadata that may have prevented us from taking the AD LDS / LDAP approach.
12-03-2013 02:32 PM
12-05-2013 09:00 AM
Thank you for these resources, Michelle!