02-14-2014 01:08 PM
Have any of you implemented SAS apps to authenticate users in an OpenLDAP server?
I have an LDAP server working and I can see my client server can authenticate users in my OpenLDAP server; this works fine.
When I open my SAS Management Console and attempt to authenticate, it doesn't work and returns this message to me:
LDAP SSL Message ldapsNegotiate() failed -2139099117
Possible cause: Server certificate not found, port not SSL enabled
Unable to contact the LDAP server.
The application could not log on to the server "golf.effectivemkt.com.br:8561". The user ID "sas_etl_bi" or the password is incorrect.
I ruled out password issues because I'm able to authenticate with the user "sas_etl_bi" directly using SSH.
I need some help to understand and clarify the certificates thing... I've been reading the following links, but it's still not clear.
My LDAP Server is: PRISMA
Server where SAS installation is on: GOLF
Initially I thought that the certificate should be copied from my LDAP server to my SAS installation server, but this doesn't seem to be the case.
Please, any guidance here is much appreciated.
/* Configuration to authenticate against the LDAP server / prisma.effectivemkt.com.br: */
-set LDAP_HOST prisma.effectivemkt.com.br
-set LDAP_BASE "dc=netdomain,dc=com"
-set LDAP_PORT 636
-set LDAP_TLSMODE 1
/* System options that make LDAP the primary authentication provider */
-authpd LDAP:prisma.effectivemkt.com.br -primpd prisma.effectivemkt.com.br
Thanks in advance.
02-18-2014 08:08 AM
Additional information for posterity... I still have hope someone will help here!
Running the command at the metadata server (golf) against my LDAP server (prisma), I got apparently good results:
openssl s_client -tls1 -connect prisma.effectivemkt.com.br:636 -showcerts
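The s_client check from the post above, turned into a trust check, as an added example that is not part of the original thread: `openssl s_client` completes the handshake and prints certificates even when the chain fails verification, so the `Verify return code` line is what shows whether the client host trusts the LDAP server's certificate. The function names, the CA file argument and the sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge an `openssl s_client` transcript by its verify code,
# not by the fact that certificates were printed.

# verify_code: read s_client output on stdin, print the last numeric verify code.
# (TLS 1.3 transcripts can repeat the line, so only the final one is used.)
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# chain_trusted: exit 0 only when the transcript reports verify code 0.
# A transcript with no verify line at all is treated as untrusted.
chain_trusted() {
    code=$(verify_code)
    [ -n "$code" ] && [ "$code" -eq 0 ]
}

# check_ldaps HOST PORT CAFILE: live check (needs network, not run here).
# CAFILE is an assumption: a PEM file holding the CA that signed the
# LDAP server's certificate, readable on the client host.
check_ldaps() {
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null |
        chain_trusted
}

# Constructed sample transcripts (not output from the poster's servers).
SAMPLE_UNTRUSTED='CONNECTED(00000003)
depth=0 CN = ldap.example.test
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=ldap.example.test
---
    Verify return code: 18 (self signed certificate)
---'

SAMPLE_TRUSTED='CONNECTED(00000003)
depth=1 CN = Example Test CA
depth=0 CN = ldap.example.test
---
    Verify return code: 0 (ok)
---'

for name in UNTRUSTED TRUSTED; do
    eval "transcript=\$SAMPLE_$name"
    if printf '%s\n' "$transcript" | chain_trusted; then
        echo "$name: chain verified"
    else
        echo "$name: chain NOT verified (code $(printf '%s\n' "$transcript" | verify_code))"
    fi
done
```
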
02-19-2014 02:41 PM
Why not use the LDAP being at the host level (Unix, I assume), then using host authentication?
A lot easier, as your local session started in a person's context (LDAP defined) can be highly secured at the OS level.
You cannot secure the OS with SAS metadata security, but you can secure the OS with sandboxing on group and user accounts in a way the system will be safe even when making a mess in metadata security. Let the users use SSH, SFTP, X-cmd on the system; when you did the security well, they cannot go outside their own sandbox.