Note: This code is in SAS-installation-directory\SASFoundation\9.3\core\sample\importad.sas (Windows) or SAS-installation-directory/SASFoundation/9.3/samples/base/importad.sas (UNIX). This topic highlights key points about the code.

Here are some tips for using the program:

- The code uses the SAS interface to LDAP (the LDAP CALL Routine interface) to extract information from Active Directory.
- The code references standard Active Directory schemas to identify user and group attributes. If your site has extended the standard schema, you might need to make changes in section 3 to reference additional or alternate attributes.
- The code uses filters to segment retrieval. It might be necessary to alter the filters in sections 3 (user extraction) and 4 (group extraction) to better fit the contents of your Active Directory server. If the number of records in a request exceeds Active Directory's maximum query limit, only a subset of the requested records is returned. The Microsoft utility program LDIFDE can be useful in defining appropriate filters.
- If either or both of the data sets that are extracted from Active Directory are empty, execution of the code is canceled and an error message is provided. This reduces the likelihood of inadvertent deletion of metadata identities due to a problem with the Active Directory extraction during the synchronization process.

  Note: Execution is canceled if no users are extracted, and execution is canceled if no groups are extracted. If you use the 9.3 version of the Active Directory sample code, and you want to extract only users from Active Directory, you must modify the sample code. Either disable the error check or remove the entire section of the code that extracts groups.
- The code won't import membership information for a group that has more than 1500 members. (This limitation is version-specific. Check the documentation for your Active Directory server for details.) To incorporate an oversize group, use an approach like this:
  - Rewrite the section 4 filters to exclude large groups.
  - Create an additional extraction that uses LDAP range retrieval specifiers to extract the large group membership information in segments. See the LDAPS_SEARCH CALL routine in the SAS Integration Technologies: Directory Services Reference.
  - Add that membership information to the main extracted grpmems table.
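
The range-retrieval loop from the second step above, as an added example that is not part of the SAS sample code. It is written in Python rather than SAS so that the segment logic can run against a simulated directory; `fetch_all_members`, `make_fake_directory`, the `search` callback and the example.com DNs are constructed for illustration.

```python
import re

# Attribute name with a range option, e.g. "member;range=0-1499" or "member;range=3000-*"
RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)

def fetch_all_members(search, group_dn, step=1500):
    """Collect a group's full member list in segments.

    search(group_dn, attr) is a hypothetical callback that performs one LDAP
    search and returns {returned attribute name: [values]}.
    """
    members, low = [], 0
    while True:
        returned = search(group_dn, f"member;range={low}-{low + step - 1}")
        segment = None
        for name, values in returned.items():
            m = RANGE_RE.match(name)
            if m and int(m.group(1)) == low:
                segment = (m.group(2), values)
        if segment is None:
            # Fail rather than return a partial list that would then be
            # merged into grpmems as if it were complete.
            raise RuntimeError(f"no segment returned starting at {low}")
        high, values = segment
        members.extend(values)
        if high == "*":          # server marks the final segment with "*"
            return members
        low = int(high) + 1      # trust the server's range, it may be shorter

def make_fake_directory(total, max_val_range=1500):
    """Constructed stand-in for a server holding `total` members (assumption)."""
    dns = [f"CN=user{i:04d},OU=People,DC=example,DC=com" for i in range(total)]
    def search(group_dn, attr):
        m = RANGE_RE.match(attr)
        low = int(m.group(1))
        high = min(int(m.group(2)), low + max_val_range - 1)
        label = "*" if high >= total - 1 else str(high)
        return {f"member;range={low}-{label}": dns[low:high + 1]}
    return search

if __name__ == "__main__":
    search = make_fake_directory(3200)
    group = "CN=BigGroup,OU=Groups,DC=example,DC=com"
    print(len(fetch_all_members(search, group)))
```

The loop advances from the range the server actually returned, so it still completes when the server's per-request value limit is lower than the requested step.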

The following table highlights selected macro variables:

Selected Macro Variables in an Active Directory Import

| | Provides an external identity value for each metadata user that this program creates. | Specify an LDAP attribute that contains a unique and unchanging value for each user. The sample code uses the employeeID attribute.¹ |
| | Enables all metadata logins that this program creates to be associated with an authentication domain. | Specify a SAS authentication domain name. This value isn't related to a Windows domain name. In the standard configuration, the correct value is DefaultAuth (or, if you have configured Web authentication and are extracting information for users who use only Web clients, web). |
| | Enables construction of a qualified user ID in each login that this program creates. | Provide the Windows domain name for the extracted identities. The supplied value is prepended to each extracted user ID to yield qualified IDs in the form supplied-value\userID. |
| | Provides a label for all metadata items that this program creates. The label indicates which objects were created by this program. | Specify a descriptive label that will be applied to all imported objects to indicate where they came from. The default value is Active Directory Import. Do not quote this value. If you select the External Identities button on an imported identity's General tab (in SAS Management Console), you will see this label in the Context column of the External Identities dialog box. |

¹ If this attribute is empty, consider using sAMAccountName or distinguished name.