Architecting, installing and maintaining your SAS environment

Sync uner from LDAP to MC - works but fails to add to a group

Accepted Solution Solved
Reply
Contributor
Posts: 23
Accepted Solution

Sync uner from LDAP to MC - works but fails to add to a group

I'm trying to sync users from LDAP into Management console on SAS 9.4 linux.  I've used the macros that comes as standard and have got the new users synching into management console.  The problem is that I don't have a group associated against them.

 

From what I can see i from the notes on the cononical tables (http://support.sas.com/documentation/cdl/en/bisecag/69827/PDF/default/bisecag.pdf - p.232) the table grpmems needs to be populated with a grpkey (the group I want them assigned to in MC) and the memkeyid (the unique user id from the person table).

 

So I have the info extracted for a new user and when trying to load them I get this error in the log

 

 

ERROR: The method is not directed at a repository.  (The Reposid parameter is blank.)

ERROR: Errors returned from Proc Metadata prevented objects from being Loaded. Table: work.mduimplb_failedobjs identifies 2 such
objects. Consult the SAS Log for the specific Metadata Server errors returned.

LDAP2SAS.png

 

The output work.mduimpl_failedobs is above.  Is there a key field on here that is missing that is causing that?

 

 

 

 

 


Accepted Solutions
Solution
‎03-29-2017 04:23 PM
PROC Star
Posts: 392

Re: Sync uner from LDAP to MC - works but fails to add to a group

In developing our Metacoda Identity Sync plug-in, I have seen that error message many times Smiley Happy  In my case it has usually been caused by missing metadata object ids in the generated proc metadata XML. When debugging I often find it useful to capture the generated XML to see what proc metadata is trying to do (which can be used to work backwards to find the problem). If you look at the SAS MDUCHGLB macro you can set the _mduchglb_outrequest_ and _mduchglb_outresponse_ macro variables to a directory path where it will write XML files (which are otherwise temporary and deleted).

 

Looking at the screenshot you posted, I am wondering if perhaps you have the wrong value in the memkeyid column. This column should contain the unique keyid value for the group member (being a user or group) and not the member name. It looks like your memkeyid is the same as the memname. Is this the same value as the keyid for the member or is the key id different?  In case it is useful I wrote a blog post about key-id's which includes a screenshot of the SAS Management Console User Manager dialog that can be used to view/edit them for existing sync'ed users: Identity Sync: Finding Your Keys

 

 

View solution in original post


All Replies
SAS Super FREQ
Posts: 291

Re: Sync uner from LDAP to MC - works but fails to add to a group

Hi,

 

what is the entire error message?

 

As far as I know (please someone correct me if I am wrong), there is no way to add new users to old groups.

You would have to re-sync.

 

Sending the entire error message would help.

Thanks

Anja

Contributor
Posts: 23

Re: Sync uner from LDAP to MC - works but fails to add to a group

That is the full error.  Yes it doesnt mean much to me either.

 

Are you sure that you can't automatically add a new user to an existing group?  As I siad I can get the new users to be visible in meta-data but they are not added into a group.

 

What about this paper http://support.sas.com/resources/papers/proceedings12/377-2012.pdf

 

 

SAS Super FREQ
Posts: 291

Re: Sync uner from LDAP to MC - works but fails to add to a group

Hi,

 

first of all, my apologies for providing a wrong info. Thats what's happening if one is too quick with answering :-)

You can certainly import groups / empty groups.

 

Did you specify the repository information? (regarding the error "... blank")

Are you running this through EGuide, batch or any other client?

 

If you are running through EG, you usually would not have to specify the connection options, as the

EG profile includes all info needed.

 

If you are running this any other way, please verify that you are using the following properties in the program:

 

options metaserver=metahostname.xxxxx.com 

          metaport=8561               

          metauser="sasadm@saspw"       *or any other unrestricted user ID

          metapass="encrypted password"   

          metaprotocol=bridge       

          metarepository=Foundation

 

Am looking forward to hearing back from you with your findings/info.

 

Thanks

Anja

Solution
‎03-29-2017 04:23 PM
PROC Star
Posts: 392

Re: Sync uner from LDAP to MC - works but fails to add to a group

In developing our Metacoda Identity Sync plug-in, I have seen that error message many times Smiley Happy  In my case it has usually been caused by missing metadata object ids in the generated proc metadata XML. When debugging I often find it useful to capture the generated XML to see what proc metadata is trying to do (which can be used to work backwards to find the problem). If you look at the SAS MDUCHGLB macro you can set the _mduchglb_outrequest_ and _mduchglb_outresponse_ macro variables to a directory path where it will write XML files (which are otherwise temporary and deleted).

 

Looking at the screenshot you posted, I am wondering if perhaps you have the wrong value in the memkeyid column. This column should contain the unique keyid value for the group member (being a user or group) and not the member name. It looks like your memkeyid is the same as the memname. Is this the same value as the keyid for the member or is the key id different?  In case it is useful I wrote a blog post about key-id's which includes a screenshot of the SAS Management Console User Manager dialog that can be used to view/edit them for existing sync'ed users: Identity Sync: Finding Your Keys

 

 

Contributor
Posts: 23

Re: Sync uner from LDAP to MC - works but fails to add to a group

Thanks for the info this helped me to home in the areas to check.  In the end I used the default set of macros to identify users in ldap that are not in SAS yet.  I was then able to load these users in.  I then used some of the code in these macros to identify any users that were not in a group and add them to a specific group.  The end result is a web page in an organisation that users can sign into and get a base level of privelages in order to access a numer of visual analytics dashboards.  This removes a lot of overhead of faffy admin jobs registering news users. 

Super Contributor
Posts: 321

Re: Sync uner from LDAP to MC - works but fails to add to a group

You actually save me hours/days trying to figure out how to do update of a user's group assignments!

 

After pointing out the XML files to a specific path I saw that the Ids were blank as I only populated the keyids and not the objids of my _add and _delete tables.

PROC Star
Posts: 392

Re: Sync uner from LDAP to MC - works but fails to add to a group

Great to hear it helped. Being able to see the generated XML has helped me many times in the past too.

☑ This topic is solved.

Need further help from the community? Please ask a new question.

Discussion stats
  • 7 replies
  • 363 views
  • 7 likes
  • 4 in conversation