BookmarkSubscribeRSS Feed
mcguffey
Calcite | Level 5

 

I've defined a security group called "SAS VA Users" in Active Directory, whereby we can add users by name or by security group via MS Outlook. Other units can also maintain their groups via Outlook, making our Visual Analytics Security simple to maintain using existing mail distribution groups.

 

In order to sync users to SAS VA, I want to sync all users in the SAS VA Users AD group, including those who are members indirectly through nested groups. Active Directory allows for selection of all members of a selected group, including nested groups using a special filter:

All members of specified group, including
due to group nesting (Note 10)
(memberOf:1.2.840.113556.1.4.1941:=
cn=Test,ou=East,dc=Domain,dc=com)

Note 10:The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting. See https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filter... for samples of various filters.

 

With appropriate values, This memberOf string works fine in an ldapfilter in PowerShell, but i cannot get it to work properly in our AD Sync SAS program in a call to LDAPS_SEARCH.

 

ERROR: Bad LDAP search filter.
FILTER=(&(memberOf:1.2.840.113556.1.4.1941:=CN=SAS VA Users,CN=Users,DC=marshall,DC=edu) (objectclass=person))
NOTE: The data set ADIR.LDAPUSERS has 0 observations and 22 variables.

 

The filter works fine without the ":1.2.840.113556.1.4.1941:" , but doesn't return any users not directly contained in the SAS VA Users group. I've tried a few variations on quotation marks, but nothing seems to work.

 

Does anyone have any thoughts on how to easily filter and return users in a group, including those in nested groups?

 

thank you,

--michael

SAS 9.4

VA 7.4

 

 

3 REPLIES 3
JuanS_OCS
Amethyst | Level 16

Hello @mcguffey, Michael,

 

I am not a ldapsearch tool/query expert, so I won't even attempt to give advise, it will be probably bad and confusing.

 

I can, however, advise you the following:

 

case nobody can help you much with this approach, do not spend too much time, breaking your head against the wall.

 

Instead, just ensure you get the user and group information on any way you fancy. CSV file, if you like. And then put this information in the canonical tables expected by SAS http://documentation.sas.com/?docsetId=bisecag&docsetTarget=p1o31lg0trorn8n1rketxxe1jbr1.htm&docsetV... Then you can run the important script provided by sas to sync the users. As simple as that.

 

You probably have gone through the documentation and have seen already what I have indicated above:

SAS provided basically some example scripts, the important one is the one that uses the macros to sync and control the users.

The one for getting the users from AD or LDAP is not really important, you can create your own, with your own controls. As easy as that. The only thing required by the important script, is that you should have the users and groups data in the expected datamart, the canonical tables. Once you have that, the rest is much easier.

 

Hope it helps

 

Kind regards,

Juan

Jelle_Notilyze
Calcite | Level 5

Hello,

 

I am really sorry for posting in such an old post; I know that is not really a good practice... but I ran into this issue, and I think I can explain why this happens... So I hope other people finding this question, might be helped a little bit by this remark;

 

There seems to be a limit in the lenght that SAS actually forwards to the ldapsearch;

Your filter is being cut off, at about character: 101-ish

 

So what SAS queries to your ldap (or AD) is this:

(&(memberOf:1.2.840.113556.1.4.1941:=CN=SAS VA Users,CN=Users,DC=marshall,DC=edu) (objectclass=perso

instead of:

(&(memberOf:1.2.840.113556.1.4.1941:=CN=SAS VA Users,CN=Users,DC=marshall,DC=edu) (objectclass=person))

 

Basically by making your string shorter, your query get completely send to the ldapsearch... and for that reason actually resulting in output.

 

My logic about the 101 character might be off, as this could also be 255 (more logic number in computer terms) for the complete ldapsearch string... and since the searchfilter is in the end, that is the one actually being cut off.

 

Hope this helps to anyone running into this issue;

 

With kind regards,

Jelle

gwootton
SAS Super FREQ

The importad.sas program sets the length of filter to "$100" so you could modify that line if you need to use a longer filter:

[sas@sgmmstr ~]$ grep filter..100 /sas94/SASHome/SASFoundation/9.4/samples/base/importad.sas
length entryname $200 attrName $100 value $600 filter $100
length entryname $200 attrName $100 value $600 filter $100
[sas@sgmmstr ~]$
--
Greg Wootton | Principal Systems Technical Support Engineer

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 3 replies
  • 2808 views
  • 4 likes
  • 4 in conversation