topic LDAP Open in Administration and Deployment

LDAP Open

sunilreddy — Wed, 06 Nov 2013 17:37:59 GMT

Hi,

Trying to connect from SAS server to LDAP server using TCP port 636 is the common communications port for SSL, getting error as "ERROR: Unable to contact the LDAP server.".

I am able to connect LDAP server with TCP port 389 port from Solaris where SAS 9.1.3 has installed.

%let ADServer = "xxxxxxxxxx";

%let ADPort = 389;

%let ADPerBaseDN ="ou=users,ou=internal,o=xxxxxx";

%let ADBindUser = "uid=xxxxxx,ou=users,ou=internal,o=xxxxx";

%let ADBindPW = "xxxx";

call ldaps_open( handle, &ADServer, &ADPort, &ADPerBaseDN, &ADBindUser, &ADBindPW, rc, option );

Installed Verisign certificate in "/etc/certs/ldapCert/cert8.db" path on source system to use 636 port, Any environment variable to pass this certificate path while connecing from sas to ldap.

your help would be much appreciated

Re: LDAP Open

SASKiwi — Wed, 06 Nov 2013 19:06:10 GMT

Check with your network specialist regarding port 636. It is common practice these days to protect servers with firewalls, and then open ports in the firewalls only as required plus restrict traffic to only specified servers. In my organisation everytime we want to add a new server we need to change the firewall rules for our SAS server.

Re: LDAP Open

sunilreddy — Wed, 06 Nov 2013 20:21:34 GMT

But i am able to connect with 636 by using verisign installed path (Z -P "/etc/certs/ldapCert/cert8.db") in below shell script

ldapsearch -h ecd.ldap.se -p 636 -D "uid=EXXXXXX,ou=Users,ou=Internal,o=XXXXXX" -T -w 8HrS7iQ2 -Z -P "/etc/certs/ldapCert/cert8.db" -1 -b "ou=users,ou=internal,o=XXXXXX" "(&(objectclass=ldap)(idmaccess=XXXXXX*))"

I want to use "/etc/certs/ldapCert/cert8.db" certification path to run it from SAS Code. Is there any way to pass this path thru variable or any alternative

sas code:

data useraccess (keep=entryname attrName value filter displayName);

length entryname $600 attrName $100 value $600 filter $500
displayName $600 ;

     handle = 0;
     rc     = 0;
     option = "OPT_REFERRALS_ON";

     /* open connection to LDAP server */
     call ldaps_open( handle, &ADServer, &ADPort, &ADPerBaseDN, &ADBindUser, &ADBindPW, rc, option );

     timeLimit=0;
     sizeLimit=0;
     base=''; /* use default set at _open time */
     referral = "OPT_REFERRALS_ON";
     restart = ""; /* use default set at _open time */

call ldaps_setOptions(handle, timeLimit, sizeLimit, base, referral, restart, rc);

%include groups;

/* close connection to LDAP server */
call ldaps_close(handle,rc);

run;

Re: LDAP Open

SASKiwi — Wed, 06 Nov 2013 20:32:11 GMT

In that case I suggest you open a track with Tech Support.

Re: LDAP Open

ronan — Thu, 07 Nov 2013 12:05:02 GMT

Hi sunilreddy,

We have a track still opened for months on a similar issue.

- a SAS 9.3 (TS1/M1) Metadata Server on Linux x64 is unable to authenticate against an LDAP server through SSL (LDAPS) using a chained Verisign Certificate.

it works fine using a self-signed certificate but fails with a chained Verisign. SAS tech support has tried to replicate our issue but we disagree on the minimal requirements

and, unfortunately, this is still unresolved despite upgrading the ssl SAS code up to 9.4.

In our case, the LDAPS certificate should be declared with SSLCALISTLOC SAS sytem option. Be aware that SAS awaits the SSL certificate to be read as a plain text file (ASCII);

I am note sure it can retrieve the certificate from a *.dlb key store. Since I'm not familiar with SAS 9.1 on Solaris, check the documentation.

I'll be curious to know if you can open the LDAPS call at all. Please, keep us informed.

Ronan