I've defined a security group called "SAS VA Users" in Active Directory, whereby we can add users by name or by security group via MS Outlook. Other units can also maintain their groups via Outlook, making our Visual Analytics security simple to maintain using existing mail distribution groups. In order to sync users to SAS VA, I want to sync all users in the SAS VA Users AD group, including those who are members indirectly through nested groups.

Active Directory allows for selection of all members of a selected group, including nested groups, using a special filter:

All members of specified group, including due to group nesting (Note 10)
(memberOf:1.2.840.113556.1.4.1941:= cn=Test,ou=East,dc=Domain,dc=com)

Note 10: The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting.

See https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx for samples of various filters.

With appropriate values, this memberOf string works fine in an ldapfilter in PowerShell, but I cannot get it to work properly in our AD Sync SAS program in a call to LDAPS_SEARCH.

ERROR: Bad LDAP search filter. FILTER=(&(memberOf:1.2.840.113556.1.4.1941:=CN=SAS VA Users,CN=Users,DC=marshall,DC=edu) (objectclass=person))
NOTE: The data set ADIR.LDAPUSERS has 0 observations and 22 variables.

The filter works fine without the ":1.2.840.113556.1.4.1941:", but doesn't return any users not directly contained in the SAS VA Users group. I've tried a few variations on quotation marks, but nothing seems to work.

Does anyone have any thoughts on how to easily filter and return users in a group, including those in nested groups?

Thank you,
--michael
SAS 9.4 VA 7.4
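As an added example (not code from the post above, and not the SAS LDAPS_SEARCH call), the Python below builds the nested-membership filter with RFC 4515 escaping of the group DN, and reproduces over a constructed in-memory directory the transitive memberOf walk that the 1.2.840.113556.1.4.1941 rule performs on the server, including what happens when groups nest in a cycle. The entries (Alice, Bob, Carol, Finance, Analysts) are constructed sample data, not real directory content.

```python
# Constructed sample directory (not real data): DN -> attributes.
GROUP_DN = "CN=SAS VA Users,CN=Users,DC=marshall,DC=edu"
FINANCE = "CN=Finance,CN=Users,DC=marshall,DC=edu"
ANALYSTS = "CN=Analysts,CN=Users,DC=marshall,DC=edu"
DIRECTORY = {
    "CN=Alice,CN=Users,DC=marshall,DC=edu":
        {"objectClass": ["person"], "memberOf": [GROUP_DN]},   # direct member
    "CN=Bob,CN=Users,DC=marshall,DC=edu":
        {"objectClass": ["person"], "memberOf": [FINANCE]},    # Bob -> Finance -> Analysts -> SAS VA Users
    "CN=Carol,CN=Users,DC=marshall,DC=edu":
        {"objectClass": ["person"], "memberOf": []},           # not a member at all
    FINANCE:  {"objectClass": ["group"], "memberOf": [ANALYSTS]},
    ANALYSTS: {"objectClass": ["group"], "memberOf": [GROUP_DN, FINANCE]},  # Finance <-> Analysts cycle
    GROUP_DN: {"objectClass": ["group"], "memberOf": []},
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of an assertion value, so a DN containing
    parentheses or '*' cannot break the filter or inject extra clauses."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def nested_member_filter(group_dn: str) -> str:
    """Build the LDAP_MATCHING_RULE_IN_CHAIN filter for persons in group_dn.
    No whitespace is emitted between the two AND-ed clauses; the RFC 4515
    grammar has none there."""
    return ("(&(memberOf:1.2.840.113556.1.4.1941:=" + ldap_escape(group_dn)
            + ")(objectClass=person))")

def in_chain(directory: dict, dn: str, target: str) -> bool:
    """What the server does for rule 1.2.840.113556.1.4.1941: walk memberOf
    transitively from dn and report whether target is reached. The visited
    set stops the walk on circular group nesting."""
    stack = list(directory.get(dn, {}).get("memberOf", []))
    seen = set()
    while stack:
        parent = stack.pop()
        if parent == target:
            return True
        if parent in seen:
            continue
        seen.add(parent)
        stack.extend(directory.get(parent, {}).get("memberOf", []))
    return False

def nested_members(directory: dict, group_dn: str) -> list:
    """Persons that are members of group_dn directly or through nesting."""
    return sorted(dn for dn, attrs in directory.items()
                  if "person" in attrs.get("objectClass", [])
                  and in_chain(directory, dn, group_dn))
```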