Hi All,
We have installed and configured SAS 9.4 M5 Grid in a Linux Environment.
We would like to know how to integrate AD users/groups into Management console instead of adding the users manually.
We have enabled PAM Authentication already.
Kindly suggest.
Thanks,
Madhan M.
Look at
SASROOT/SASFoundation/9.4/samples/base/importad.sas
SASROOT is where you installed the SAS software.
@Madhan_cog1 wrote:
Yes Kurt, Thanks. We did look at this program mentioned in the below specified location. However wanted to understand when new users are included or move out of the organisation, they should be added/ removed accordingly. Does this mean, we need to run this code every time (scheduled / adhoc) during the above scenario, please suggest or any alternate suggestion. Thanks, Madhan M
Yes. We run this program (a version adapted to our environment) daily from the scheduler, to keep the metadata synchronized with the LDAP userbase.
Hi @Madhan_cog1,
if a third-party tool is an option for you, have a look at Metacoda (https://www.metacoda.com/en/products/utility-plug-ins/). They offer several tools to observe and manage your metadata. One of its functionalities is to sync your metadata Users with the Active Directory. I am pretty sure @MichelleHomes could help you with further information or an evaluation license.
We are absolutely happy with metacoda. We have about 10 SAS-Environments with up to 600 AD-Users, that are synced as often, as we want (right now, each night).
Users that have left an AD-group (cause they left our company or do something else and no longer have the rights to use SAS - since they don't have the AD-Group anymore) lose their rights automatically, but stay in the metadata - marked as "DELETED".
Kind Regards
Daniel
Thanks Daniel,
As per our discussion with client, we understand they are not interested / looking for any third party component or solution. We did browse and understood with metacoda it is achievable, but they have suggested only to use SAS based solution.
Thanks,
Madhan M
Alright, then @AnandVyas and @Kurt_Bremser gave you the right information!
Thanks @DanielKaiser for sharing your experiences using the Metacoda Identity Sync Plug-in. We're very pleased to hear how helpful it is!!!
@Madhan_cog1 - I understand you may not be looking for an integrated third party solution however you may find the additional features beneficial for your environment:
Feel free to have a look at the documentation on GitHub to understand the architecture and how the standard SAS %MDU macros are used to drive the sync https://metacoda.github.io/idsync-utils/topics/idsp/
Furthermore, have a read of Synchronizing SAS Platform Identities blog post to learn more and watch a 10 minute screencast demonstration https://platformadmin.com/blogs/paul/2015/07/synchronizing-sas-platform-identities/
You're welcome to try it out in your environment. You can register for a 30 day free evaluation at https://www.metacoda.com/en/evaluation/
Kind Regards,
Michelle
This KB article explains the steps on the import process. It also refers to the same program as mentioned by @Kurt_Bremser
Hi All,
Thanks for the response.
We are trying to use importad.sas to integrate the AD users.
What is the variable we need to use for keyidvar because we do not have employee id in our system.
Also please suggest on the filters to be used. We are not getting any records for ldapusers.
Thanks,
Madhan M
The other option for keyidvar is distinguished name, from importad.sas:
/****************************************************************************/
/* Choose the value that will be used as the keyid for Person information.  */
/* Choices are the DistinguishedName of the User entry or the employeeid.   */
/* For groups, the DistinguishedName will be used.                          */
/*                                                                          */
/* %let keyidvar=employeeID;                                                */
/* %let keyidvar=distinguishedName;                                         */
/****************************************************************************/
%let keyidvar=employeeID;
The default filters pull users in chunks based on the display name, so I'm not sure the filter is your issue. Do you see any errors in the log related to your LDAP connection?
Hi Madhan
I have played around with importad.sas but only for the purposes of experimentation in a Lev2 environment. We also don't have Employee ID. samaccountname or distinguishedName are options: samaccountname is the recommended alternative because in some establishments users get put into different OUs. I used distinguishedName because that doesn't happen with us, and our users sometimes get their user IDs changed (different prefixes for different types of user). Even so, distinguishedName can also change if someone has a change of name. It's one (minor) reason why I decided not to take it beyond the experimentation into Lev1.
It's worth reading in detail the KB referenced by @Kurt_Bremser, and the appropriate appendix in the Intelligence Platform Security Administration Guide referred to in that. Also, the comments in importad.sas are very useful too.
Regarding the filters, I think they will depend on your own AD structure. Mine subsetted the LDAP queries by the initial letter of users' DisplayNames to stop each query timing out in AD (might be the default, can't remember), and only returned groups with a specific prefix (related to users' permissions on the SAS server). But if nothing is getting returned it might be that you need to check the values of the ADPerBaseDN and ADGrpBaseDN macro variables initialised at the beginning. These specify where in the LDAP hierarchy searches for people and groups begin.
Hope this helps.
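The key-stability trade-off discussed in the posts above, as an added example that is not part of any post and is not code from importad.sas: it models a daily sync as a set comparison between two directory snapshots and shows which identities each candidate key would add, delete or keep. The accounts, the `example.com` base DN and the helpers `entry`, `index_by` and `plan_sync` are constructed for illustration.

```python
# Constructed directory snapshots (not real accounts). employeeID is not
# populated, as in the environment described in the thread.
def entry(cn, ou, sam):
    return {"distinguishedName": f"CN={cn},OU={ou},DC=example,DC=com",
            "sAMAccountName": sam}

YESTERDAY = [entry("Ann Lee", "Finance", "alee"),
             entry("Bob Ray", "IT", "bray"),
             entry("Cy Dunn", "IT", "cdunn")]
TODAY = [entry("Ann Lee", "Risk", "alee"),    # moved to another OU
         entry("Bob Ray", "IT", "x_bray"),    # user ID got a new prefix
         entry("Dee Fox", "IT", "dfox")]      # joiner; Cy Dunn has left


def index_by(entries, key):
    """Map key value -> entry; collect entries that lack the key or collide."""
    indexed, rejected = {}, []
    for e in entries:
        # Normalise case so a re-cased value is not seen as a change.
        value = (e.get(key) or "").strip().lower()
        if not value or value in indexed:
            rejected.append(e)   # cannot be synced reliably on this key
        else:
            indexed[value] = e
    return indexed, rejected


def plan_sync(previous, current, key):
    """Return the adds/deletes/keeps a sync keyed on `key` would perform."""
    prev, _ = index_by(previous, key)
    cur, rejected = index_by(current, key)
    return {"add": sorted(cur.keys() - prev.keys()),
            "delete": sorted(prev.keys() - cur.keys()),
            "keep": sorted(cur.keys() & prev.keys()),
            "unkeyed": len(rejected)}


if __name__ == "__main__":
    for key in ("employeeID", "sAMAccountName", "distinguishedName"):
        print(key, plan_sync(YESTERDAY, TODAY, key))
```

A person who shows up as both a delete and an add under one key (Ann under distinguishedName, Bob under sAMAccountName) is being treated as a leaver plus a new joiner, so review those pairs before letting a scheduled sync apply them.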
importad.sas is the template used globally and it's working for many many sites. If you're the one responsible for Install&Config/Post Installation then you're supposed to understand what this code does and to be able to adapt it to your site specific requirements.
Should you not manage to do this then I recommend that you contact your local SAS Office for support.