darwinwalters
Fluorite | Level 6

We're currently trying to set up SAS Studio Basic 3.71 in AWS to authenticate against our Active Directory setup.

 

Looking at the documentation in <SASHome>/SASFoundation/9.4/utilities/bin/sasauth.conf, there are three ways to authenticate a user (BIND, MATCH, or QUERY). We decided to go with the MATCH or QUERY methods for authentication. However, we've run into a few errors with both methods.

 

With MATCH, it seems that the user is found, but SAS runs into an issue with getting the encrypted password.


With BIND, we're getting an operations error. It looks like our DN query failed, but I'm not getting any other information from the debug logs.


I had the following questions:

  1. With MATCH and Active Directory, has anyone had any success with retrieving an encrypted password? I've used the password attribute unicodePwd, which is what our other applications use when authenticating against LDAP.
  2. Is there a way to see the exact DN query that the QUERY method uses to find the user's DN? I'm thinking that this is our best bet with authenticating against LDAP.
  3. Is there an additional setup that we have to do on the SAS EC2 instance to create users? As of now, we only have the sas user which is used to install and run SAS Studio Basic. Does each user in LDAP also need a corresponding Unix system user?
  4. If anyone has successfully set up SAS Studio Basic to authenticate against Active Directory (either using LDAP or a combination of PAM and LDAP), could you please share an overview of your working configuration?

 

I can provide more details and logs, but I think my last post was marked as spam for being too long.

 

Thanks again!

JuanS_OCS
Amethyst | Level 16

Hello @darwinwalters,

 

The solution to this answer is more than 50% non-SAS related.

 

In your case, I would first revert all the changes. Afterwards, I would join that machine to Active Directory (realm or any other method). You will need an AD admin, because it requires the password of the admin.

 

Once it is done, please test whether a user can actually log in to the machine by SSH. At this stage, the host itself will be able to authenticate against Active Directory. So most of your work is done; just one easy bit is left.

 

Only then can you share the created PAM authentication with SAS Foundation (http://support.sas.com/kb/49/432.html) and test in SAS Foundation and SAS Studio Basic whether it can authenticate. It should be possible, since the host itself should be able to authenticate.

 

This should be enough, please let us know if it works for you.


This might help you as well: http://support.sas.com/documentation/installcenter/en/ikfdtnunxcg/66380/PDF/default/config.pdf?local...

 

Kind regards,

Juan

 

darwinwalters
Fluorite | Level 6

Hey @JuanS_OCS,

 

Thanks for the answer!  I just wanted to clarify that our EC2 instance is running Linux.  Rather than joining our instance to Active Directory, we're just trying to bind with a service account.  This account is used to look up users in our domain and authenticate them.

 

If we are just binding using this service account, we shouldn't need an admin account, right?  The service account is also being used for LDAP authentication for other applications running in our AWS account.

 

 

 

JuanS_OCS
Amethyst | Level 16
Hi!

Well, when talking about Active Directory, even if it is a Linux server we are talking about, I can only see advantages in joining the machine to the domain. However, it is not a requirement indeed, just my advice.

Besides, with SAS Studio you do not only want to authenticate; the underlying SAS Foundation system process will need to run in the name of the user.

Let's put it this way: it is a requirement that the local SAS process will run in the name of the user. Meaning, the user has to be able to authenticate at the host level and to create processes.

As long as you create this prerequisite, you will be OK. And my recommendation is to use one of the methods that will create a PAM registry, because it is easy to bring to SAS.

The choice of the particular method is yours.

The aim is still the same: the user should be able to authenticate to the Linux machine as he will authenticate to SAS.

Does it help?
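
The host-level prerequisite discussed in the replies above (the directory user must resolve on the Linux host and be able to start a session there) can be checked before touching SAS. This is an added example, not part of the original thread or SAS's own tooling; it assumes directory users are exposed to the host through NSS, and the function and script names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): host-level pre-checks for a directory user.
# Assumption: directory users reach the host through NSS (for example sssd or a domain join).

# Judge one passwd-format entry: name:pw:uid:gid:gecos:home:shell
# Returns 0 only if the account could own a process and open a login session.
check_passwd_entry() {
    entry=$1
    if [ -z "$entry" ]; then
        echo "FAIL: user does not resolve on this host"
        return 1
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case $uid in
        ''|*[!0-9]*) echo "FAIL: no numeric UID in entry"; return 1 ;;
    esac
    if [ -z "$home" ]; then
        echo "FAIL: no home directory in entry"
        return 1
    fi
    case $shell in
        */nologin|*/false) echo "FAIL: login shell $shell blocks sessions"; return 1 ;;
    esac
    echo "OK: uid=$uid home=$home shell=${shell:-/bin/sh}"
}

# Look the user up the way the host does (local files plus whatever NSS adds).
check_host_user() {
    entry=$(getent passwd "$1" 2>/dev/null) || entry=""
    check_passwd_entry "$entry" || return 1
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    [ -d "$home" ] || echo "WARN: $home does not exist yet"
    return 0
}

# Usage: sh check_user.sh <username>   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    check_host_user "$1"
fi
```

A user that fails here will also fail the SSH login test suggested above, so the problem lies in the host's directory integration rather than in the SAS configuration.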
