Problem Note 51979: Synchronizing identity data in metadata generates the error message "IdentityGroup with this name is being added and deleted"
 |  |  |  |
The %MDUCHGV macro, one of the user import macros for managing identity information in metadata, generates the following error message when the distinguished name (DistinguishedName=value) for an identity group (IdentityGroup) is longer than 128 bytes:
ERROR: Change data contains changes that will violate integrity constraints in the server or cause other errors during this or future synchronizations. See errors-dataset for information regarding problems encountered. ERROR: Validation errors detected by %mduchgv. Load not attempted.
In addition, the errors data set contain this message:
IdentityGroup with this name is being added and deleted. Cannot determine if this is a new IdentityGroup or an old IdentityGroup with a new keyid.
This message means that the match key from the external identity source data (the value of the column KEYID in the Idgrps table) is different from the match key in the metadata (the Identifier attribute value for the group's ExternalIdentity object). Therefore, the program cannot determine whether the group from the external identity source data is a new group that replaces the existing metadata group of the same name or whether the match key has changed.
In synchronization code (for example, importad.sas) that uses the %MDUIMPC macro, the condition can be caused by different lengths between the KEYID value that is extracted from your Lightweight Directory Access Protocol (LDAP) server and the Identifier attribute value of the ExternalIdentity object in metadata.
In this situation:
The 200-byte KEYID value does not compare equally to the 128-byte Identifier value. This discrepancy causes the error described previously.
To circumvent this problem:
- Locate the following block of code that is found in Section 4 (the extraction of group data) of the importAD.sas file:
/* Extract the distinguishedName - Obj-Dist-Name. */ if (attrName = 'distinguishedName') then distinguishedName=value; - Add the additional comment and SUBSTR function that are shown below:
/* Extract the distinguishedName - Obj-Dist-Name. */ /* PER SAS NOTE 51979, LIMIT THE LENGTH FOR */ /* CONSISTENCY WITH EXTERNALIDENTITY FOR GROUPS */ if (attrName = 'distinguishedName') then do; distinguishedName=value; distinguishedName=substr(distinguishedName,1,128); end; - Rerun the synchronization to apply this circumvention.
The Identifier attribute was limited to the 128 bytes when the value was first set. Therefore, there is no additional data that can be saved. The modification to the program truncates the extracted KEYID value from LDAP (or other external source) to 128 bytes making the comparison between the KEYID value and the Identifier value an equal–length comparison.
Operating System and Release Information
| Product Family | Product | System | SAS Release | |
| Reported | Fixed* | |||
| SAS System | SAS Metadata Server | Microsoft Windows 2000 Advanced Server | 9.1 TS1M0 | |
| z/OS | 9.1 TS1M0 | |||
| Microsoft Windows 2000 Datacenter Server | 9.1 TS1M0 | |||
| Microsoft Windows 2000 Server | 9.1 TS1M0 | |||
| Microsoft Windows 2000 Professional | 9.1 TS1M0 | |||
| Microsoft Windows NT Workstation | 9.1 TS1M0 | |||
| Microsoft Windows Server 2003 Datacenter Edition | 9.1 TS1M0 | |||
| Microsoft Windows Server 2003 Enterprise Edition | 9.1 TS1M0 | |||
| Microsoft Windows Server 2003 Standard Edition | 9.1 TS1M0 | |||
| Microsoft Windows XP Professional | 9.1 TS1M0 | |||
| 64-bit Enabled AIX | 9.1 TS1M0 | |||
| 64-bit Enabled Solaris | 9.1 TS1M0 | |||
| HP-UX IPF | 9.1 TS1M0 | |||
| Type: | Problem Note |
| Priority: | medium |
| Date Modified: | 2014-07-07 10:24:55 |
| Date Created: | 2014-01-07 10:43:19 |