sunilreddy
Fluorite | Level 6

Hi,

I am trying to connect from a SAS server to an LDAP server using TCP port 636, the common communications port for SSL, and am getting the error "ERROR: Unable to contact the LDAP server.".

I am able to connect to the LDAP server on TCP port 389 from the Solaris machine where SAS 9.1.3 is installed.

%let ADServer = "xxxxxxxxxx";

%let ADPort = 389;

%let ADPerBaseDN ="ou=users,ou=internal,o=xxxxxx";

%let ADBindUser = "uid=xxxxxx,ou=users,ou=internal,o=xxxxx";

%let ADBindPW = "xxxx";

call ldaps_open( handle, &ADServer, &ADPort, &ADPerBaseDN, &ADBindUser, &ADBindPW, rc, option );

I installed the Verisign certificate in "/etc/certs/ldapCert/cert8.db" on the source system to use port 636. Is there any environment variable to pass this certificate path while connecting from SAS to LDAP?

Your help would be much appreciated.

SASKiwi
PROC Star

Check with your network specialist regarding port 636. It is common practice these days to protect servers with firewalls, and then open ports in the firewalls only as required plus restrict traffic to only specified servers. In my organisation every time we want to add a new server we need to change the firewall rules for our SAS server.

sunilreddy
Fluorite | Level 6

But I am able to connect on 636 by using the path where the Verisign certificate is installed (-Z -P "/etc/certs/ldapCert/cert8.db") in the shell script below:

ldapsearch -h ecd.ldap.se -p 636 -D "uid=EXXXXXX,ou=Users,ou=Internal,o=XXXXXX" -T -w  8HrS7iQ2 -Z -P "/etc/certs/ldapCert/cert8.db" -1 -b "ou=users,ou=internal,o=XXXXXX" "(&(objectclass=ldap)(idmaccess=XXXXXX*))"

I want to use the "/etc/certs/ldapCert/cert8.db" certificate path when running this from SAS code. Is there any way to pass this path through a variable, or any alternative?

SAS code:

data useraccess (keep=entryname attrName value filter displayName);

     length entryname $600 attrName $100 value $600 filter $500
            displayName $600 ;

     handle = 0;
     rc     = 0;
     option = "OPT_REFERRALS_ON";

     /* open connection to LDAP server */
     call ldaps_open( handle, &ADServer, &ADPort, &ADPerBaseDN, &ADBindUser, &ADBindPW, rc, option );
   

     timeLimit=0;
     sizeLimit=0;
     base='';  /* use default set at _open time */
     referral = "OPT_REFERRALS_ON";
     restart = ""; /* use default set at _open time */

     call ldaps_setOptions(handle, timeLimit, sizeLimit, base, referral, restart, rc);

        %include groups;

     /* close connection to LDAP server */
     call ldaps_close(handle,rc);
 
run;

SASKiwi
PROC Star

In that case I suggest you open a track with Tech Support.

ronan
Lapis Lazuli | Level 10

Hi sunilreddy,

We have a track that is still open after months on a similar issue: a SAS 9.3 (TS1/M1) Metadata Server on Linux x64 is unable to authenticate against an LDAP server through SSL (LDAPS) using a chained Verisign certificate.

It works fine using a self-signed certificate but fails with a chained Verisign one. SAS tech support has tried to replicate our issue, but we disagree on the minimal requirements and, unfortunately, this is still unresolved despite upgrading the SAS SSL code up to 9.4.

In our case, the LDAPS certificate should be declared with the SSLCALISTLOC SAS system option. Be aware that SAS expects the SSL certificate to be readable as a plain text (ASCII) file; I am not sure it can retrieve the certificate from a *.dlb key store. Since I'm not familiar with SAS 9.1 on Solaris, check the documentation.

I'll be curious to know if you can open the LDAPS call at all. Please keep us informed.

Ronan
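
The last reply says the CA certificate has to be readable as a plain-text (ASCII) file, while the question points at a binary key database (cert8.db). The following Python check is an added example, not code from any poster or from SAS: it reports whether a candidate file contains PEM certificate blocks, how many, and whether each decodes to a complete DER structure. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_sequence_ok(der: bytes) -> bool:
    """True if der is one DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: next k bytes hold the length
        k = first & 0x7F
        if k == 0 or len(der) < 2 + k:
            return False
        header, length = 2 + k, int.from_bytes(der[2:2 + k], "big")
    return header + length == len(der)

def inspect_ca_file(data: bytes) -> dict:
    """Classify a candidate CA file and count the well-formed PEM certificates."""
    report = {"kind": "pem", "certs": 0, "problems": []}
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        binary = b"\x00" in data or any(b > 0x7E for b in data)
        report["kind"] = "binary" if binary else "text-without-certificates"
        report["problems"].append("no PEM certificate blocks found")
        return report
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            report["problems"].append(f"block {i}: invalid base64")
            continue
        if der_sequence_ok(der):
            report["certs"] += 1
        else:
            report["problems"].append(f"block {i}: truncated or not DER")
    return report

def make_pem(der: bytes) -> bytes:
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

# Constructed samples built with make_pem: placeholder DER, not real certificates.
FAKE_DER = b"\x30\x82\x01\x2c" + bytes(300)   # SEQUENCE header declaring 300 bytes
CHAIN_PEM = make_pem(FAKE_DER) * 2            # text file holding two PEM blocks
TRUNCATED_PEM = make_pem(FAKE_DER[:200])      # block cut short by a bad copy
BINARY_BLOB = b"\x00\x01\x02\xff" * 8         # stands in for a binary key store
```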
