Architecting, installing and maintaining your SAS environment

LDAP Open

Frequent Contributor
Posts: 115

Hi,

I am trying to connect from the SAS server to the LDAP server using TCP port 636, the common communications port for SSL, and I am getting the error "ERROR: Unable to contact the LDAP server.".

I am able to connect to the LDAP server on TCP port 389 from the Solaris host where SAS 9.1.3 is installed.

%let ADServer = "xxxxxxxxxx";

%let ADPort = 389;

%let ADPerBaseDN ="ou=users,ou=internal,o=xxxxxx";

%let ADBindUser = "uid=xxxxxx,ou=users,ou=internal,o=xxxxx";

%let ADBindPW = "xxxx";

call ldaps_open( handle, &ADServer, &ADPort, &ADPerBaseDN, &ADBindUser, &ADBindPW, rc, option );

I installed a Verisign certificate at "/etc/certs/ldapCert/cert8.db" on the source system in order to use port 636. Is there any environment variable for passing this certificate path when connecting from SAS to LDAP?

Your help would be much appreciated.

Super User
Posts: 3,114

Re: LDAP Open

Check with your network specialist regarding port 636. It is common practice these days to protect servers with firewalls, and then open ports in the firewalls only as required plus restrict traffic to only specified servers. In my organisation every time we want to add a new server we need to change the firewall rules for our SAS server.

Frequent Contributor
Posts: 115

Re: LDAP Open

But I am able to connect on port 636 by using the path where the Verisign certificate is installed (-Z -P "/etc/certs/ldapCert/cert8.db") in the shell script below:

ldapsearch -h ecd.ldap.se -p 636 -D "uid=EXXXXXX,ou=Users,ou=Internal,o=XXXXXX" -T -w  8HrS7iQ2 -Z -P "/etc/certs/ldapCert/cert8.db" -1 -b "ou=users,ou=internal,o=XXXXXX" "(&(objectclass=ldap)(idmaccess=XXXXXX*))"

I want to use the "/etc/certs/ldapCert/cert8.db" certificate path when running this from SAS code. Is there any way to pass this path through a variable, or is there any alternative?

SAS code:

data useraccess (keep=entryname attrName value filter displayName);

     length entryname $600 attrName $100 value $600 filter $500
            displayName $600 ;

     handle = 0;
     rc     = 0;
     option = "OPT_REFERRALS_ON";

     /* open connection to LDAP server */
     call ldaps_open( handle, &ADServer, &ADPort, &ADPerBaseDN, &ADBindUser, &ADBindPW, rc, option );
   

     timeLimit=0;
     sizeLimit=0;
     base='';  /* use default set at _open time */
     referral = "OPT_REFERRALS_ON";
     restart = ""; /* use default set at _open time */

     call ldaps_setOptions(handle, timeLimit, sizeLimit, base, referral, restart, rc);

        %include groups;

     /* close connection to LDAP server */
     call ldaps_close(handle,rc);
 
run;

Super User
Posts: 3,114

Re: LDAP Open

In that case I suggest you open a track with Tech Support.

Frequent Contributor
Posts: 117

Re: LDAP Open

Hi sunilreddy,

We have had a track open for months on a similar issue.

- A SAS 9.3 (TS1/M1) Metadata Server on Linux x64 is unable to authenticate against an LDAP server through SSL (LDAPS) using a chained Verisign certificate.

It works fine using a self-signed certificate but fails with a chained Verisign one. SAS Tech Support has tried to replicate our issue, but we disagree on the minimal requirements and, unfortunately, this is still unresolved despite upgrading the SAS SSL code up to 9.4.

In our case, the LDAPS certificate should be declared with the SSLCALISTLOC SAS system option. Be aware that SAS expects the SSL certificate to be read as a plain text file (ASCII);

I am not sure it can retrieve the certificate from a *.dlb key store. Since I'm not familiar with SAS 9.1 on Solaris, check the documentation.

I'll be curious to know if you can open the LDAPS call at all. Please keep us informed.

Ronan
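
The last reply says SSLCALISTLOC expects a plain-text (ASCII) certificate, while the original poster's trust material is a cert8.db key database, which is a binary format. The Python sketch below is an added example, not code from the thread or from SAS: it reports whether a candidate CA file is PEM text, a single DER certificate, or some other binary. The function names and sample bytes are constructed for illustration, and only the file's outer format is checked, not certificate validity or the chain.

```python
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_cert_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE, the outer shape of an X.509 cert."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                          # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                          # long form: n length bytes follow
    if not 1 <= n <= 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def classify_trust_file(data: bytes) -> dict:
    """Report whether data is PEM text, one DER certificate, or something else."""
    plain = all(b in (9, 10, 13) or 32 <= b < 127 for b in data)
    good = damaged = 0
    for b64 in PEM_BLOCK.findall(data):
        try:
            der = base64.b64decode(b"".join(b64.split()), validate=True)
        except ValueError:                     # binascii.Error subclasses ValueError
            der = b""
        if der_cert_ok(der):
            good += 1
        else:
            damaged += 1
    if good or damaged:
        kind = "pem"
    elif der_cert_ok(data):
        kind, good = "der", 1
    else:
        kind = "other"
    return {"kind": kind, "certs": good, "damaged": damaged, "plain_text": plain}

# Constructed samples: DER-shaped placeholders, not real certificates.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

def pem_wrap(der: bytes) -> bytes:
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

SAMPLE_PEM_BUNDLE = pem_wrap(SAMPLE_DER) * 2   # two certificates in one text file
SAMPLE_BINARY = bytes(range(256)) * 4          # stands in for a binary key database

if __name__ == "__main__":
    for name, blob in [("bundle.pem", SAMPLE_PEM_BUNDLE), ("cert.der", SAMPLE_DER),
                       ("keystore.db", SAMPLE_BINARY)]:
        print(name, classify_trust_file(blob))
```

To check a real file, pass its bytes, for example `classify_trust_file(open(path, "rb").read())`; a result other than `pem` with `plain_text` true means the file is not the plain-text form described in the reply above.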
