The Identities service in SAS Viya 3.5 introduced a change to the way group members are fetched from LDAP. This change increases performance by explicitly using the LDAP attributes that are set in the sas.identities.providers.ldap.group/memberOf and sas.identities.providers.ldap.group/memberOf configuration properties. The Identities service also reduces the number of requests to LDAP by generating filters to fetch more than one set of objects at a time, rather than making separate requests for each.

In some cases, this filtering approach can cause a failure to return group memberships. A user might see an error message similar to the following in the browser:

The Identities service log might contain an error similar to the following:

An LDAP error code 32 is not always unusual or unexpected, and it is not new with this filtering method. The error means that the entry targeted by the search base distinguished name (DN) does not exist. However, when one part of the SAS Viya 3.5 optimized filter encounters an issue, the entire fetch fails in addition to the Identities service returning the error. This scenario occurs most often when the search base contains more than one domain. For example, sas.identities.providers.ldap.user/baseDN is set to dc=example,dc=com, and user entries are in two domains, such as dc=domain1,dc=example,dc=com and dc=domain2,dc=example,dc=com.

Click the Hot Fix tab in this note for a link to instructions about accessing and applying the software update.

Post-Installation Instructions

A new property was added to the Identities service that allows you override the SAS Viya 3.5 optimized filtering, reverting to the simpler but larger number of requests that was used in SAS^® Viya^® 3.4 and earlier.

To set this property, first confirm that you are at Identities service version 2.40.20 or later by using one of the methods shown here:

• Run the following rpm command from the SAS Viya microservices host machine:
     rpm -q sas-identities​
  
  The version number is shown after the service name. Here is an example: sas-identities-2.40.20-20210225.1614278438161.x86_64
   
• Connect to the identities/apiMeta endpoint. The XML output shows the version in this way:
     "buildVersion":"2.40.20"

Next, use one of the options below to set the group.memberQuery.override property to true.

Option 1

Set a general Java Virtual Machine (JVM) option. You can do this in SAS^® Environment Manager by editing the JVM configuration instance for the Identities service.

1. Open the Configuration page in SAS Environment Manager.
2. Select View: All services and select Identities service from the listing.
3. Open the JVM configuration instance for editing.
4. Select + Add property.
5. Enter the following into the specified fields:
   Name: java_option_group_memberQuery_override  
   Value: -Dsas.identities.providers.ldap.groupMemberQueryOverride=true
6. Save the changes.
7. Restart the Identities service to implement the new configuration setting.

Option 2

Set a key and value in the SAS^® Configuration Server (Consul) in the identities configuration instance.
 
Here are the commands to use sas-bootstrap-config command-line interface (CLI). These three commands should be run as the sas user (or as a user with sudo privileges) and be run on the machine that is running the SAS Configuration Server.

Restart the Identities service to implement the new configuration setting.

Operating System and Release Information

Viya on Linux: An update for this issue is available for SAS Viya 3.5. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.5 for Linux Deployment Guide at