Duplicate identities configurations can appear in SAS® Environment Manager following a restart when you use the sitedefault.yml file


In SAS Environment Manager, under Configuration > Identities Service, multiple definitions for the service might occur. If you open and save one of the configurations, the duplicates are removed. However, these duplicates might return the next time that you restart the identities service.

These duplicate configurations can prevent users from being able to authenticate successfully or prevent users and groups from being correctly populated in SAS Environment Manager.

This issue can occur when, in a multi-tenant environment, you perform the following steps:

  1. Update the playbook's sitedefault.yml file to include the LDAP configuration for a tenant.
  2. Use the site.yml playbook to update the environment instead of using the update-only.yml playbook.

As a result of these steps, the following occurs: 

Workaround

To circumvent this issue, complete the following steps:

Note: Be sure to have a good backup of your environment and playbook before completing these recovery steps.

  1. Check both the tenant and provider configurations to locate all duplicates.
  2. Remove the duplicate configurations in SAS Environment Manager by editing one of the duplicates and saving it.
  3. In the sas_viya_playbook/roles/consul/files/sitedefault.yml file, remove any references to the tenant LDAP configuration.
  4. Replace the sitedefault.yml file that is deployed in /opt/sas/viya/config/etc/consul.d/default/sitedefault.yml on all consul server hosts with your edited file from step three.
  5. Use sas-bootstrap-config to remove the key-value pairs from consul by running the following commands as the "sas" user. Make sure to replace the tenant_id placeholder with the tenant ID that is appropriate for your environment:
    1. Initialize the environment using the following command:
      . /opt/sas/viya/config/consul.conf
      export CONSUL_HTTP_TOKEN=$(cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token)
    2. Use the kv read command to identify the keys:
      /opt/sas/viya/home/bin/sas-bootstrap-config kv read --recurse configurationservice/sitedefaults/config/application/tenants/tenant_id/
    3. Use the kv delete command to remove the keys that you want to remove. You can remove multiple keys by using the --recurse option. (Note: The following examples are separate commands, which are separated by blank lines.)
      /opt/sas/viya/home/bin/sas-bootstrap-config kv delete --recurse configurationservice/sitedefaults/config/application/tenants/tenant_id/sas.identities.providers.ldap.connection/

      /opt/sas/viya/home/bin/sas-bootstrap-config kv delete --recurse configurationservice/sitedefaults/config/application/tenants/tenant_id/sas.identities.providers.ldap.group/

      /opt/sas/viya/home/bin/sas-bootstrap-config kv delete --recurse configurationservice/sitedefaults/config/application/tenants/tenant_id/sas.identities.providers.ldap.user/
    4. Use the kv read command again to confirm that the keys are removed:
      /opt/sas/viya/home/bin/sas-bootstrap-config kv read --recurse configurationservice/sitedefaults/config/application/tenants/tenant_id/
  6. Restart the environment and confirm duplicate configurations are no longer being created.
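
Step 5 as a single script, added here as an example and not SAS-supplied code: it refuses an empty or unreplaced tenant_id before any recursive delete and fails if LDAP keys remain after the deletes. SBC and DRY_RUN are hypothetical override variables introduced for this example, and the final check assumes that kv read prints key names in its output.

```shell
#!/bin/sh
# Added example: scripted form of step 5 with guard rails. SBC and DRY_RUN are
# hypothetical override variables introduced here, not SAS options.
SBC="${SBC:-/opt/sas/viya/home/bin/sas-bootstrap-config}"
KV_ROOT="configurationservice/sitedefaults/config/application/tenants"

# Step 5.1: load Consul settings and the client token (run as the "sas" user).
init_consul_env() {
    . /opt/sas/viya/config/consul.conf
    CONSUL_HTTP_TOKEN=$(cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token)
    export CONSUL_HTTP_TOKEN
}

# Print the tenant's key prefix; refuse values that would make a recursive
# delete target the wrong subtree (empty, unreplaced placeholder, "/" or "..").
tenant_prefix() {
    case "$1" in
        ''|tenant_id|*/*|*..*|*[[:space:]]*)
            echo "invalid tenant ID: '$1'" >&2; return 1 ;;
    esac
    printf '%s/%s/\n' "$KV_ROOT" "$1"
}

# Steps 5.2-5.4: show the keys, delete the three LDAP subtrees, then re-read
# and fail if any sas.identities.providers.ldap.* key is still present.
purge_tenant_ldap() {
    prefix=$(tenant_prefix "$1") || return 1
    "$SBC" kv read --recurse "$prefix"
    for section in connection group user; do
        key="${prefix}sas.identities.providers.ldap.${section}/"
        if [ -n "${DRY_RUN:-}" ]; then
            echo "would run: $SBC kv delete --recurse $key"
        else
            "$SBC" kv delete --recurse "$key" || return 1
        fi
    done
    [ -n "${DRY_RUN:-}" ] && return 0
    if "$SBC" kv read --recurse "$prefix" | grep -F 'sas.identities.providers.ldap.'; then
        echo "LDAP keys still present under $prefix" >&2
        return 2
    fi
}

# Usage: script.sh <tenant ID>   (set DRY_RUN=1 to print the deletes only)
if [ "$#" -gt 0 ]; then
    init_consul_env && purge_tenant_ldap "$1"
fi
```

Run it with DRY_RUN=1 first to review the exact keys that would be deleted, and keep step 6 (restart and confirm) as a manual check.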