User Import Macros
Note: This code is in SAS-installation-directory\SASFoundation\9.2\core\sample\importad.sas (Windows) or SAS-installation-directory/SASFoundation/9.2/samples/base/importad.sas (UNIX). This topic highlights key points about the code.
Here are some tips for using the program:
- The code uses the SAS interface to LDAP (the LDAP CALL Routine interface) to extract information from Active Directory.
- The code references standard Active Directory schemas to identify user and group attributes. If your site has extended the standard schema, you might need to make changes in section 3 to reference additional or alternate attributes.
- The code uses filters to segment retrieval. It might be necessary to alter the filters in sections 3 (user extraction) and 4 (group extraction) to better fit the contents of your Active Directory server. If the number of records in a request exceeds Active Directory's maximum query limit, only a subset of the requested records is returned. The Microsoft utility program LDIFDE can be useful in defining appropriate filters.
- The code won't import membership information for a group that has more than 1500 members. (This limitation is version-specific. Check the documentation for your Active Directory server for details.) To incorporate an oversize group, use an approach like this:
  1. Rewrite the section 4 filters to exclude large groups.
  2. Create an additional extraction that uses LDAP range retrieval specifiers to extract the large group membership information in segments. See the LDAPS_SEARCH CALL routine in the SAS Integration Technologies: Directory Services Reference.
  3. Add that membership information to the main extracted grpmems table.
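
The segment-by-segment retrieval in the steps above, sketched as an added Python example (it is not part of importad.sas or the SAS documentation). The `search` callable and the fake server are constructed stand-ins for a real LDAP search, and the 1500-value cap mirrors the limit mentioned above.

```python
import re

# Attribute name a server returns for a ranged request, for example
# "member;range=0-1499" (more values remain) or "member;range=3000-*" (last segment).
RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)


def fetch_all_members(search, group_dn):
    """Collect every member DN of group_dn, one range segment at a time.

    search(group_dn, attr) is a hypothetical callable standing in for a real
    LDAP search; it returns {returned_attribute_name: [values]}.
    """
    members, start = [], 0
    while True:
        entry = search(group_dn, f"member;range={start}-*")
        segments = [(RANGE_RE.match(name), values) for name, values in entry.items()]
        segments = [(m, values) for m, values in segments if m]
        if not segments:
            return members  # empty group: no ranged attribute came back
        match, values = segments[0]
        if int(match.group(1)) != start:
            raise ValueError(f"expected segment starting at {start}, got {match.group(0)}")
        members.extend(values)
        if match.group(2) == "*":
            return members  # server marked this as the final segment
        start = int(match.group(2)) + 1  # next request begins after the last index


def make_fake_search(all_members, max_values=1500):
    """Constructed stand-in for a server that caps values per response."""
    def search(group_dn, attr):
        start = int(RANGE_RE.match(attr).group(1))
        chunk = all_members[start:start + max_values]
        if not chunk:
            return {}
        is_last = start + max_values >= len(all_members)
        upper = "*" if is_last else start + len(chunk) - 1
        # The simulated response also carries a bare, empty "member"
        # attribute, which the client must ignore.
        return {"member": [], f"member;range={start}-{upper}": chunk}
    return search


if __name__ == "__main__":
    dns = [f"CN=user{i},OU=Staff,DC=example,DC=com" for i in range(3200)]  # constructed
    found = fetch_all_members(make_fake_search(dns), "CN=BigGroup,DC=example,DC=com")
    print(len(found), "members retrieved")
```

The client never assumes the segment size: it reads the upper bound from the returned attribute name, so the same loop works if the server's limit differs from 1500.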
The following table highlights selected macro variables:
Variable Name | Purpose | Notes |
---|---|---|
keyidvar | Provides an external identity value for each metadata user that this program creates. | Specify an LDAP attribute that contains a unique and unchanging value for each user. The sample code uses the employeeID attribute (see note 1). |
MetadataAuthDomain | Enables all metadata logins that this program creates to be associated with an authentication domain. | Specify a SAS authentication domain name. This value isn't related to a Windows domain name. In the standard configuration, the correct value is DefaultAuth (or, if you have configured Web authentication and are extracting information for users who use only Web clients, web). |
WindowsDomain | Enables construction of a qualified user ID in each login that this program creates. | Provide the Windows domain name for the extracted identities. The supplied value is prepended to each extracted user ID to yield qualified IDs in the form supplied-value\userID. |
ADExtIDTag | Provides a label for all metadata items that this program creates. The label indicates which objects were created by this program. | Specify a descriptive label that will be applied to all imported objects to indicate where they came from. The default value is Active Directory Import. Do not quote this value. If you select the External Identities button on an imported identity's General tab (in SAS Management Console), you will see this label in the Context column of the External Identities dialog box. |

Note 1: If this attribute is empty, consider using sAMAccountName or distinguished name.

Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.