Madhan_cog1
Quartz | Level 8

Hi All,

We have installed and configured SAS 9.4 M5 Grid in a Linux environment.

We would like to know how to integrate AD users/groups into Management Console instead of adding the users manually.

We have enabled PAM authentication already.

Kindly suggest.

Thanks,

Madhan M.

13 REPLIES
Madhan_cog1
Quartz | Level 8
Yes Kurt,
Thanks. We did look at this program mentioned in the location specified below. However, we wanted to understand: when new users join or leave the organisation, they should be added/removed accordingly. Does this mean we need to run this code every time (scheduled / ad hoc) in that scenario? Please suggest, or any alternative suggestion.

Thanks,
Madhan M
Kurt_Bremser
Super User

@Madhan_cog1 wrote:
Yes Kurt,
Thanks. We did look at this program mentioned in the location specified below. However, we wanted to understand: when new users join or leave the organisation, they should be added/removed accordingly. Does this mean we need to run this code every time (scheduled / ad hoc) in that scenario? Please suggest, or any alternative suggestion.

Thanks,
Madhan M

Yes. We run this program (a version adapted to our environment) daily from the scheduler, to keep the metadata synchronized with the LDAP userbase.

DanielKaiser
Pyrite | Level 9

Hi @Madhan_cog1,
if a third-party tool is an option for you, have a look at Metacoda (https://www.metacoda.com/en/products/utility-plug-ins/). They offer several tools to observe and manage your metadata. One of its functionalities is to sync your metadata users with the Active Directory. I am pretty sure @MichelleHomes could help you with further information or an evaluation license.
We are absolutely happy with Metacoda. We have about 10 SAS environments with up to 600 AD users, which are synced as often as we want (right now, each night).
Users that have left an AD group (because they left our company or do something else and no longer have the rights to use SAS, since they don't have the AD group anymore) lose their rights automatically, but stay in the metadata, marked as "DELETED".

Kind Regards

Daniel

Madhan_cog1
Quartz | Level 8

Thanks Daniel,

As per our discussion with the client, we understand they are not interested in / looking for any third-party component or solution. We did browse and understood that with Metacoda it is achievable, but they have suggested only using a SAS-based solution.

Thanks,

Madhan M

DanielKaiser
Pyrite | Level 9

Alright, then @AnandVyas and @Kurt_Bremser gave you the right information!

MichelleHomes
Meteorite | Level 14

Thanks @DanielKaiser for sharing your experiences using the Metacoda Identity Sync Plug-in. We're very pleased to hear how helpful it is!!!

 

@Madhan_cog1 - I understand you may not be looking for an integrated third party solution however you may find the additional features beneficial for your environment:

  • tag-DELETE - to avoid AD identities being automatically deleted from SAS metadata if they are deleted from AD. This helps the process to be reversible if an AD admin, or some automated process into AD, made a mistake
  • preview what changes are going to be made before you sync - this enables those sites that want to review the changes to be made in SAS metadata before syncing to ensure their SAS metadata identities are not corrupted from AD changes/mistakes. It also provides admins the confidence to know what will be synced before it happens so they don't need to resort to a backup if things fail. Many Metacoda customers like this feature and use the tool interactively only and others schedule it in batch at night like Daniel described.
  • out of the box audit reporting - after every sync a report detailing all the sync changes with the MDU tables and log is produced
  • the ability to sync with deeply nested AD groups - this enables sites to target one AD group and then travel through all nested groups to sync identities
  • the ability to sync across multiple domains

Feel free to have a look at the documentation on GitHub to understand the architecture and how the standard SAS %MDU macros are used to drive the sync https://metacoda.github.io/idsync-utils/topics/idsp/

 

Furthermore, have a read of Synchronizing SAS Platform Identities blog post to learn more and watch a 10 minute screencast demonstration https://platformadmin.com/blogs/paul/2015/07/synchronizing-sas-platform-identities/

 

You're welcome to try it out in your environment. You can register for a 30 day free evaluation at https://www.metacoda.com/en/evaluation/

 

Kind Regards,

Michelle

//Contact me to learn how Metacoda software can help keep your SAS platform secure - https://www.metacoda.com
srikanths
Calcite | Level 5
How about the authentication and authorization of SMC groups for the first time, and in case of newly created AD groups?
AnandVyas
Ammonite | Level 13

This KB article explains the steps on the import process. It also refers to the same program as mentioned by @Kurt_Bremser 

Madhan_cog1
Quartz | Level 8

Hi All,

Thanks for the response.

We are trying to use importad.sas to integrate the AD users.

What is the variable we need to use for keyidvar, because we do not have employee ID in our system?

Also please suggest on the filters to be used. We are not getting any records for ldapusers.

Thanks,

Madhan M

gwootton
SAS Super FREQ

The other option for keyidvar is distinguished name, from importad.sas:

/****************************************************************************/
/* Choose the value that will be used as the keyid for Person information.  */
/* Choices are the DistinguishedName of the User entry or the employeeid.   */
/* For groups, the DistinguishedName will be used.                          */
/*                                                                          */
/* %let keyidvar=employeeID;                                                */
/* %let keyidvar=distinguishedName;                                         */
/****************************************************************************/
%let keyidvar=employeeID;

The default filters pull users in chunks based on the display name, so I'm not sure the filter is your issue. Do you see any errors in the log related to your LDAP connection?

--
Greg Wootton | Principal Systems Technical Support Engineer
Nigel_Pain
Lapis Lazuli | Level 10

Hi Madhan

 

I have played around with importad.sas but only for the purposes of experimentation in a Lev2 environment. We also don't have Employee ID. samaccountname or distinguishedName are options: samaccountname is the recommended alternative because in some establishments users get put into different OUs. I used distinguishedName because that doesn't happen with us, and our users sometimes get their user IDs changed (different prefixes for different types of user). Even so, distinguishedName can also change if someone has a change of name. It's one (minor) reason why I decided not to take it beyond the experimentation into Lev1.

It's worth reading in detail the KB referenced by @Kurt_Bremser, and the appropriate appendix in the Intelligence Platform Security Administration Guide referred to in that. Also, the comments in importad.sas are very useful too.

Regarding the filters, I think they will depend on your own AD structure. Mine subsetted the LDAP queries by the initial letter of users' DisplayNames to stop each query timing out in AD (might be the default, can't remember), and only returned groups with a specific prefix (related to users' permissions on the SAS server). But if nothing is getting returned it might be that you need to check the values of the ADPerBaseDN and ADGrpBaseDN macro variables initialised at the beginning. These specify where in the LDAP hierarchy searches for people and groups begin.

Hope this helps.
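To make the trade-off between the keyidvar choices in Greg's and Nigel's replies concrete, here is an added Python example (not code from the thread, from SAS, or from importad.sas). It reconciles a previously synced snapshot against a fresh AD extract under each candidate key and reports what would be added, updated and deleted. The reconciliation is a simplified stand-in for the compare step the %MDU macros perform, the user records are constructed, and the attribute names are the AD attributes discussed above.

```python
"""Added example (not from the thread, SAS or importad.sas): how the keyidvar
choice decides whether a directory change is seen as an update or as a
delete plus add. The reconciliation below is a simplified stand-in for the
compare step the %MDU macros perform; the user records are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AdUser:
    """One person entry as importad.sas would extract it from AD."""
    distinguishedName: str
    sAMAccountName: str
    displayName: str
    employeeID: Optional[str] = None   # None: this directory keeps no employee id


def key_of(user: AdUser, keyidvar: str) -> str:
    """The attribute used as keyid. An empty key must be rejected, otherwise
    every user without the attribute would collapse onto one identity."""
    value = getattr(user, keyidvar)
    if not value:
        raise ValueError(f"{keyidvar} is empty for {user.sAMAccountName}")
    return value


def plan_sync(existing: List[AdUser], extract: List[AdUser],
              keyidvar: str) -> Dict[str, List[str]]:
    """Compare the last synced snapshot with a fresh extract, both keyed by
    keyidvar, and return the keys to add, update and delete (the same three
    outcomes the %MDU change tables carry)."""
    before = {key_of(u, keyidvar): u for u in existing}
    after = {key_of(u, keyidvar): u for u in extract}
    return {
        "add": sorted(after.keys() - before.keys()),
        "update": sorted(k for k in before.keys() & after.keys()
                         if before[k] != after[k]),
        "delete": sorted(before.keys() - after.keys()),
    }


def preview_all_keys(existing: List[AdUser], extract: List[AdUser]) -> Dict[str, object]:
    """Run the plan under each candidate key so an admin can see, before
    syncing, which choice preserves identities for the changes in hand."""
    report: Dict[str, object] = {}
    for keyidvar in ("employeeID", "distinguishedName", "sAMAccountName"):
        try:
            report[keyidvar] = plan_sync(existing, extract, keyidvar)
        except ValueError as err:
            report[keyidvar] = f"unusable: {err}"
    return report


# Constructed snapshots: yesterday's synced state and today's AD extract.
YESTERDAY = [
    AdUser("CN=Jane Doe,OU=Staff,DC=example,DC=com", "jdoe", "Jane Doe"),
    AdUser("CN=Bob Ray,OU=Staff,DC=example,DC=com", "c-bray", "Bob Ray"),
]
TODAY = [
    # Jane changed her name: CN (so the DN) and displayName moved, account kept.
    AdUser("CN=Jane Smith,OU=Staff,DC=example,DC=com", "jdoe", "Jane Smith"),
    # Bob's user id got a new prefix (contractor to staff); his DN is unchanged.
    AdUser("CN=Bob Ray,OU=Staff,DC=example,DC=com", "bray", "Bob Ray"),
]

if __name__ == "__main__":
    for keyidvar, outcome in preview_all_keys(YESTERDAY, TODAY).items():
        print(f"{keyidvar:>18}: {outcome}")
```

With distinguishedName as the key, Jane's rename surfaces as a delete plus an add (the metadata identity, and everything granted to it, is lost and recreated), while Bob's user-id change is a plain update; with sAMAccountName the two cases swap; and employeeID is unusable here because the constructed directory, like Madhan's, does not populate it. Running such a preview before the scheduled sync is the cheap way to catch the day a key you relied on turns out not to be stable.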

 

Patrick
Opal | Level 21

@Madhan_cog1 

importad.sas is the template used globally and it's working for many many sites. If you're the one responsible for Install&Config/Post Installation then you're supposed to understand what this code does and to be able to adapt it to your site specific requirements.

Should you not manage to do this then I recommend that you contact your local SAS Office for support.

Discussion stats
  • 13 replies
  • 4343 views
  • 5 likes
  • 9 in conversation