Problem Note 61467: SAS® Identities service returns the "...Unprocessed Continuation Reference..." message
 |  |  |  |
The SAS Environment Manager - Users listings might return one or more of the following messages (Load Users, Load Groups, or Members):
An error occurred loading the list of users.
exception:
org.springframework.ldap.PartialResultException
Caused by: javax.naming.PartialResultException: Unprocessed Continuation
Reference(s); remaining name 'DC=EXAMPLE,DC=COMPANY,DC=COM'
Load Groups
An error occurred loading the list of groups.
org.springframework.ldap.PartialResultException
Caused by: javax.naming.PartialResultException: Unprocessed Continuation
Reference(s); remaining name 'DC=EXAMPLE,DC=COMPANY,DC=COM'
Members
An error occurred loading the members list.
exception:
org.springframework.ldap.PartialResultException
Caused by: javax.naming.PartialResultException: Unprocessed Continuation
Reference(s); remaining name 'DC=EXAMPLE,DC=COMPANY,DC=COM'
Messages containing the same verbiage will be written to the SAS Identities service log. Identities service logs are located in the /opt/sas/viya/config/var/log/identities/default/ directory.
The message indicates that the Identities service encountered an LDAP referral when searching the LDAP provider for identities that meet the search criterion. The search criterion is defined in the configuration properties of the Identities service.
Prior to version 2.16.7, the Identities service did not support following referrals and therefore presents the error.
Here are some possible circumventions that you can use by making changes to the configuration properties for the SAS Identities service:
- Specify a different baseDN value when you configure sas.identities.providers.ldap.user and/or sas.identities.providers.ldap.group so that no referrals are encountered. For example, if the current configuration for the user baseDN is DC=EXAMPLE,DC=COMPANY,DC=COM, you might change it to OU=USERS,DC=EXAMPLE,DC=COMPANY,DC=COM. This approach can be valid if there are no referrals in the OU=USERS organizational unit, and all entries for users that you want to load are within that OU structure.
- Specify the Active Directory Global Catalog by changing the LDAP port to the Global Catalog port when you configure sas.identities.providers.ldap.connection. For example, if the current configuration for the LDAP connection port is 389, you can change it to 3268. The Global Catalog can be valid because it stores a replica of a subset of attributes for objects across all domains in the forest. No referrals are needed. The default port for the Active Directory Global Catalog is 3268. For LDAP over SSL (LDAPS), the default Global Catalog port is 3269.
Beginning with Identities service version 2.16.7 in SAS Viya 3.4, a new configuration property allows the Identities service to follow referrals. In addition to the above two circumventions, you can:
- Set the followReferrals property to ON when you configure sas.identities.provider.ldap.
To determine the version of a service, use one of the methods shown here:
- On Linux, run the following rpm command from the SAS Viya microservices host machine:
rpm -q sas-identities
The version number is shown after the service name. Here is an example: sas-identities-2.16.7-20190315.1552683186584.x86_64
- On Linux or Windows, connect to the identities/apiMeta endpoint. The XML output shows the version like this:
"buildVersion":"2.16.7"
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Viya | Linux for x64 | 3.2 | 3.4 | Viya | |
| Type: | Problem Note |
| Priority: | medium |
| Date Modified: | 2017-12-13 14:05:56 |
| Date Created: | 2017-11-28 09:48:55 |