SAS VIYA 3.5 I don't see user under groups

mctrit8 · Posted 05-28-2020 12:14 PM

Hi,

I have installesd SAS VIYA 3.5 on Linux, now, after I configured sas.identities.providers.ldap.group, I don't see in SAS the user under the groups.

For example I have in LDAP:

but on SAS I don't see the member:

My SAS configuration:

In general: wich objectClass I have to use for users and for groups? Which field for this objextClasses I have to use in SAS configuration? Thanks a lot in advance!

alexal · Posted 05-28-2020 12:59 PM

@mctrit8 ,

Please check the most recent log file in /opt/sas/viya/config/var/log/identities/default directory. Do you see any errors there?

mctrit8 · Posted 05-28-2020 03:42 PM

I verified, no errors in it.

gwootton · Posted 05-28-2020 01:59 PM

Hi @mctrit8,

Are you able to see the member users when examining the user list?

--
Greg Wootton | Principal Systems Technical Support Engineer

mctrit8 · Posted 05-29-2020 03:20 AM

Hi,

I can see the users whne I select Users on SAS but when I select Groups on SAS I see the groups but I don't see the member of the groups.

gwootton · Posted 05-29-2020 01:42 PM

You may wish to engage SAS Technical Support if you haven't already so they can take a look at your settings and LDAP contents.

From your screen shot it looks like linuxgroup is an OU rather than a group DN, which I haven't seen before. (It's distinguished name is OU=... instead of CN=...) but has attributes associated with a group (objecttype of groupofnames, members, and a CN) Which LDAP server are you using?

--
Greg Wootton | Principal Systems Technical Support Engineer

mctrit8 · Posted 06-01-2020 03:22 AM

Hi,

sorry, I'm new in LDAP and I don't know what is the right object type for groups, I see there are Objectclass= Organizationalunit but this hasn't the member attribute and the Objectclass=groupOfNames that has the member attribute; exctly what is the Object class you say?

I'm using OpenLDAP for server.

Can you give me an example of a simple group in LDAP? Thank you very much.

gwootton · Posted 06-01-2020 09:48 AM

Thanks @mctrit8 ,

Often a OU is created named something like "Groups" that contains the various groups. So you'd have an organizational unit. This is from OpenLDAP's documentation:

Note you have two OUs, Group and People, and one user within the "People" OU (dn: uid=test1,ou=People,dc=example,dc=com), and one group within the "Group" OU (dn: cn=testgroup,ou=Group,dc=example,dc=com) with a "member" defined as the user:

        cat memberof.ldif
        dn: dc=example,dc=com
        objectclass: domain
        dc: example

        dn: ou=Group,dc=example,dc=com
        objectclass: organizationalUnit
        ou: Group

        dn: ou=People,dc=example,dc=com
        objectclass: organizationalUnit
        ou: People

        dn: uid=test1,ou=People,dc=example,dc=com
        objectclass: account
        uid: test1

        dn: cn=testgroup,ou=Group,dc=example,dc=com
        objectclass: groupOfNames
        cn: testgroup
        member: uid=test1,ou=People,dc=example,dc=com

--
Greg Wootton | Principal Systems Technical Support Engineer