You might encounter the following issues with the Members and Member Of lists on the Users page of SAS Environment Manager:
These issues can occur under the following conditions:
By default, the identities service determines the groups of which a user is a member by using the Member Of list value that is set in the sas.identities.providers.ldap.user configuration instance. The identities service determines the users who are members of a group by using the Members list value that is set in the sas.identities.providers.ldap.group configuration instance.
For group memberships, the identities service maps list values to LDAP attributes as follows:
The identities service does not determine group membership by using two different LDAP attributes, which is why you encounter this problem with the posixGroup. The posixGroup determines group memberships by using both the memberUid LDAP attribute and the gidNumber LDAP attribute.
The posixGroup functions like a UNIX group. The gidNumber LDAP attribute determines primary membership, and the memberUid LDAP attribute determines secondary memberships.
Consider the following scenario for a group and three users in LDAP. Here are the relevant LDAP attributes for the group:
Relevant LDAP Attributes | GroupA |
dn | cn=groupa, ou=groups, dc=example, dc=com |
objectClass | top |
objectClass | posixGroup |
cn | groupa |
gidNumber | 20001 |
memberUid | user2 |
memberUid | user3 |
Here are the relevant LDAP attributes for the users.
Relevant LDAP Attributes | User1 | User2 | User3 |
dn | uid=user1, ou=users, dc=example, dc=com | uid=user2, ou=users, dc=example, dc=com | uid=user3, ou=users, dc=example, dc=com |
objectClass | top | top | top |
objectClass | person | person | person |
objectClass | inetorgperson | inetorgperson | inetorgperson |
objectClass | posixAccount | posixAccount | posixAccount |
cn | user1 | user2 | user3 |
sn | USER1 | USER2 | USER3 |
uid | user1 | user2 | user3 |
uidNumber | 5001 | 5002 | 5003 |
gidNumber | 20001 | 10002 | 10002 |
In this example, User2 and User3 are identified as members of the GroupA group because the memberUid group attribute names the uid of members. User1 is not identified as a member because user1 is not a memberUid value.
Click the Hot Fix tab in this note to access the hot fix for this issue.
The hot fix adds the sas.identities.providers.ldap/primaryGroupMembershipsEnabled configuration property. This property allows the identities service to determine additional memberships based on the primary group memberships (for example, the gidNumber attribute in LDAP).
Make the following changes to the configuration properties:
With these properties set, User1 in the example above is identified as a member of the GroupA group because of the matching gidNumber value. User2 and User3 are still identified as members due to the memberUid attribute value.
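The membership behavior described above, modeled as an added example (this is not SAS code and not the identities service's implementation). The function names and the `primary_enabled` flag are hypothetical stand-ins for the primaryGroupMembershipsEnabled property, and the entries are the sample GroupA and User1 through User3 records from this note.

```python
# Added illustration, not SAS code. Entries mirror the note's sample LDAP data.
GROUPS = {
    "cn=groupa,ou=groups,dc=example,dc=com": {
        "cn": "groupa", "gidNumber": "20001", "memberUid": ["user2", "user3"],
    },
}
USERS = {
    "uid=user1,ou=users,dc=example,dc=com": {"uid": "user1", "gidNumber": "20001"},
    "uid=user2,ou=users,dc=example,dc=com": {"uid": "user2", "gidNumber": "10002"},
    "uid=user3,ou=users,dc=example,dc=com": {"uid": "user3", "gidNumber": "10002"},
}
GROUPA = "cn=groupa,ou=groups,dc=example,dc=com"


def resolve_members(group_dn, groups, users, primary_enabled=False):
    """Return the sorted uids that count as members of a posixGroup."""
    group = groups[group_dn]
    # Secondary memberships: each memberUid value names a user's uid.
    members = set(group.get("memberUid", []))
    if primary_enabled:
        # Primary membership: the user's gidNumber matches the group's gidNumber.
        gid = group.get("gidNumber")
        if gid is not None:
            members |= {u["uid"] for u in users.values() if u.get("gidNumber") == gid}
    return sorted(members)


def member_of(user_dn, groups, users, primary_enabled=False):
    """Return the sorted cn values of the groups that a user belongs to."""
    uid = users[user_dn]["uid"]
    return sorted(
        g["cn"] for dn, g in groups.items()
        if uid in resolve_members(dn, groups, users, primary_enabled)
    )


def primary_only_members(group_dn, groups, users):
    """uids that are missed when only one attribute (memberUid) is evaluated."""
    without = set(resolve_members(group_dn, groups, users, False))
    with_primary = set(resolve_members(group_dn, groups, users, True))
    return sorted(with_primary - without)


if __name__ == "__main__":
    print("memberUid only:   ", resolve_members(GROUPA, GROUPS, USERS))
    print("with gidNumber:   ", resolve_members(GROUPA, GROUPS, USERS, True))
    print("missed by default:", primary_only_members(GROUPA, GROUPS, USERS))
```

When auditing access that is granted through posixGroup entries, comparing the two results shows which users hold a group only through their primary gidNumber and are therefore absent from the Members list until the property is enabled.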
Product Family | Product | System | Product Release | SAS Release | ||
Reported | Fixed* | Reported | Fixed* | |||
SAS System | SAS Viya | Linux for x64 | 3.3 | 3.4 |
An update for this issue is available for SAS Viya 3.3. For instructions on how to access and apply software updates, see the Managing Your Software section of the SAS Viya 3.3 Administration document at
http://documentation.sas.com/?softwareId=administration&softwareVersion=3.3&softwareContextId=softwareUpdates
Type: | Problem Note |
Priority: | medium |
Date Modified: | 2018-07-25 16:41:42 |
Date Created: | 2018-06-13 15:15:00 |