About the Sample Code for Active Directory

Note: This code is in SAS-installation-directory\SASFoundation\9.3\core\sample\importad.sas (Windows) or SAS-installation-directory/SASFoundation/9.3/samples/base/importad.sas (UNIX). This topic highlights key points about the code.
Here are some tips for using the program:
  • The code uses the SAS interface to LDAP (the LDAP CALL Routine interface) to extract information from Active Directory.
  • The code references standard Active Directory schemas to identify user and group attributes. If your site has extended the standard schema, you might need to make changes in section 3 to reference additional or alternate attributes.
  • The code uses filters to segment retrieval. It might be necessary to alter the filters in sections 3 (user extraction) and 4 (group extraction) to better fit the contents of your Active Directory server. If the number of records in a request exceeds Active Directory's maximum query limit, only a subset of the requested records is returned. The Microsoft utility program LDIFDE can be useful in defining appropriate filters.
  • If either or both of the data sets that are extracted from Active Directory are empty, execution of the code is canceled and an error message is provided. This reduces the likelihood of inadvertent deletion of metadata identities due to a problem with the Active Directory extraction during the synchronization process.
    Note: Execution is canceled if no users are extracted, and execution is canceled if no groups are extracted. If you use the 9.3 version of the Active Directory sample code, and you want to extract only users from Active Directory, you must modify the sample code. Either disable the error check or remove the entire section of the code that extracts groups.
  • The code does not import membership information for a group that has more than 1500 members. (This limitation is version-specific. Check the documentation for your Active Directory server for details.) To incorporate an oversize group, use an approach like this:
    1. Rewrite the section 4 filters to exclude large groups.
    2. Create an additional extraction that uses LDAP range retrieval specifiers to extract the large group membership information in segments. See the LDAPS_SEARCH CALL routine in the SAS Integration Technologies: Directory Services Reference.
    3. Add that membership information to the main extracted grpmems table.
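The range-retrieval loop from step 2, sketched in Python as an added example (not part of the SAS sample code). The search callable and the in-memory directory are hypothetical stand-ins for the LDAP search, and the group and user names are constructed. The loop fails closed, in the same spirit as the empty-data-set check described above.

```python
import re

# AD names each returned segment "member;range=<low>-<high>"; the last
# segment has "*" as <high>.
RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)

def fetch_all_members(search, group_dn, step=1500):
    """Return every member of group_dn by walking range segments.

    search(group_dn, attr) is a hypothetical stand-in for one base-scope
    LDAP search; it returns {returned_attribute_name: [values]}.
    """
    members, low = [], 0
    while True:
        result = search(group_dn, f"member;range={low}-{low + step - 1}")
        hits = [(RANGE_RE.match(n), v) for n, v in result.items()]
        hits = [(m, v) for m, v in hits if m]
        # Fail closed: a partial member list fed into synchronization would
        # look like members having been removed from the group.
        if not hits or int(hits[0][0].group(1)) != low:
            raise RuntimeError(f"incomplete range retrieval for {group_dn}")
        match, values = hits[0]
        members.extend(values)
        if match.group(2) == "*":      # final segment reached
            return members
        low = int(match.group(2)) + 1  # continue after what was returned

def make_fake_directory(groups, server_max=1500):
    """Constructed in-memory stand-in for the server (not a real LDAP API)."""
    def search(group_dn, attr):
        low, high = RANGE_RE.match(attr).groups()
        low, everyone = int(low), groups.get(group_dn, [])
        if low >= len(everyone):
            return {}
        want = len(everyone) if high == "*" else int(high) + 1
        end = min(want, low + server_max, len(everyone))
        upper = "*" if end == len(everyone) else str(end - 1)
        return {f"member;range={low}-{upper}": everyone[low:end]}
    return search

if __name__ == "__main__":
    # Constructed sample data: one group with 3200 members.
    dn = "CN=AllStaff,OU=Groups,DC=example,DC=com"
    staff = [f"CN=user{i},OU=People,DC=example,DC=com" for i in range(3200)]
    print(len(fetch_all_members(make_fake_directory({dn: staff}), dn)))
```

The next segment starts from the upper bound that the server actually returned, not from the bound that was requested, so the loop still collects every member when the server returns fewer values than were asked for.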
The following table highlights selected macro variables:
Selected Macro Variables in an Active Directory Import

| Variable Name | Purpose | Notes |
|---|---|---|
| keyidvar | Provides an external identity value for each metadata user that this program creates. | Specify an LDAP attribute that contains a unique and unchanging value for each user. The sample code uses the employeeID attribute. [1] |
| MetadataAuthDomain | Enables all metadata logins that this program creates to be associated with an authentication domain. | Specify a SAS authentication domain name. This value isn't related to a Windows domain name. In the standard configuration, the correct value is DefaultAuth (or, if you have configured Web authentication and are extracting information for users who use only Web clients, web). |
| WindowsDomain | Enables construction of a qualified user ID in each login that this program creates. | Provide the Windows domain name for the extracted identities. The supplied value is prepended to each extracted user ID to yield qualified IDs in the form supplied-value\userID. |
| ADExtIDTag | Provides a label for all metadata items that this program creates. The label indicates which objects were created by this program. | Specify a descriptive label that will be applied to all imported objects to indicate where they came from. The default value is Active Directory Import. Do not quote this value. If you select the External Identities button on an imported identity's General tab (in SAS Management Console), you will see this label in the Context column of the External Identities dialog box. |

[1] If this attribute is empty, consider using sAMAccountName or distinguished name.