Problem Note 62464: The Member Of list on the Users page of SAS® Environment Manager does not show all group members under certain conditions
 |  |  |  |  |
You might encounter the following issues with the Members and Member Of lists on the Users page of SAS Environment Manager:
- When you select a group and expand the Members list, you might not see all the members.
- When you select a user and expand the Member Of list, you might not see all groups that the user belongs to.
These issues can occur under the following conditions:
- The LDAP environment uses the posixGroup schema.
- The members of a group are determined by the memberUid and gidNumber LDAP attributes.
Background Information and Cause
By default, the identities service determines the groups to which a user is a member by using the Member Of list value that is set in the sas.identities.providers.ldap.user configuration instance. The identities service determines the users who are members of a group by using the Members list value that is set in the sas.identities.providers.ldap.group configuration instance.
For group memberships, the identities service maps list values to LDAP attributes as follows:
- sas.identities.providers.ldap.group/member: memberUid
- sas.identities.providers.ldap.user/memberOf: gidNumber
The identities service does not determine group membership by using two different LDAP attributes, which is why you encounter this problem with the posixGroup. The posixGroup determines group memberships by using both the memberUid LDAP attribute and the gidNumber LDAP attribute.
The posixGroup functions like a UNIX group. The gidNumber LDAP attribute determines primary membership, and the memberUid LDAP attribute determines secondary memberships.
Example
Consider the following scenario for a group and three users in LDAP. Here are the relevant LDAP attributes for the group:
| Relevant LDAP Attributes | GroupA |
| dn | cn=groupa, ou=groups, dc=example, dc=com |
| objectClass | top |
| objectClass | posixGroup |
| cn | groupa |
| gidNumber | 20001 |
| memberUid | user2 |
| memberUid | user3 |
Here are the relevant LDAP attributes for the users.
| Relevant LDAP Attributes | User1 | User2 | User3 |
| dn | uid=user1, ou=users, dc=example, dc=com | uid=user2, ou=users, dc=example, dc=com | uid=user3, ou=users, dc=example, dc=com |
| objectClass | top | top | top |
| objectClass | person | person | person |
| objectClass | inetorgperson | inetorgperson | inetorgperson |
| objectClass | posixAccount | posixAccount | posixAccount |
| cn | user1 | user2 | user3 |
| sn | USER1 | USER2 | USER3 |
| uid | user1 | user2 | user3 |
| uidNumber | 5001 | 5002 | 5003 |
| gidNumber | 20001 | 10002 | 10002 |
In this example, User2 and User3 are identified as members of the GroupA group because the memberUid group attribute names the uid of members. User1 is not identified as a member because user1 is not a memberUid value.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Post-Installation Instructions
The hot fix adds the sas.identities.providers.ldap/primaryGroupMembershipsEnabled configuration property. This property allows the identities service to determine additional memberships based on the primary group memberships (for example, the gidNumber attribute in LDAP).
Make the following changes to the configuration properties:
- sas.identities.providers.ldap/primaryGroupMembershipsEnabled: true
- sas.identities.providers.ldap.group/objectClass: posixGroup
- sas.identities.providers.ldap.group/memberOf: none
- sas.identities.providers.ldap.user/memberOf: none
With these properties set, User1 in the example above is identified as a member of the GroupA group because of the matching gidNumber value. User2 and User3 are still identified as members due to the memberUid attribute value.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Viya | Linux for x64 | 3.3 | 3.4 | ||