New Post: Query within site collection

Hello

I am interested in this feature too; I don't find it in the latest version. How do I use it?

thx

New Post: Query within site collection

Hello, it's already available and you can implement this as described in my post above from Mar 29, 2016 (I just marked it as the answer).

New Post: Unexpected error during augmentation

In the ULS logs, filtered on product ldapcp, this error is followed by "[LDAPCP] No group found for user <user.domain.com> during augmentation process". The people picker displays LDS users and groups.

[LDAPCP] Unexpected error while getting group membership of user user@domain.com in LDAP://<fqdn>/cn=<cn>: System.Runtime.InteropServices.COMException: Unknown error (0x80005000), Callstack:
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
at ldapcp.LDAPCP.<>c__DisplayClass47_0.<AugmentWithGroups>b__0(DirectoryEntry directory)

New Post: How To Grant Permission to all users or NT AUTHORITY\Authenticated Users with our Tool

I want to grant permission to NT AUTHORITY\Authenticated Users, or to all users that are in AD. What configuration do we need to do with our tool?

Can you please help?

Best
Sunit Patil

New Post: How To Grant Permission to all users or NT AUTHORITY\Authenticated Users with our Tool

You can search for "All users" and it will return entries that correspond to the "authenticated users" permission.

New Post: Unexpected error during augmentation

The bind failed for some reason; it could be a permission issue or something else, we can't say with just this.
Does the search in the people picker work?
Do you see more information in the application event viewer?
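An added diagnostic for the bind failure discussed in this thread (it is not part of LDAPCP and not from the thread's participants): it performs, outside SharePoint, the two binds the stack trace shows failing, a raw DirectoryEntry bind and then PrincipalContext + UserPrincipal.FindByIdentity, and decodes the HRESULT that .NET reports only as "Unknown error". 0x80005000 is the ADSI code E_ADS_BAD_PATHNAME, and because the post mentions LDS users the script also tries ContextType.ApplicationDirectory, which is the context type System.DirectoryServices.AccountManagement uses for AD LDS instances. Run it as the identity of the web application pool, since a bind without explicit credentials uses the process identity. The LDAP path, server, container and user name below are assumptions for the example.

```powershell
# Added diagnostic (not part of LDAPCP): reproduces the DirectoryEntry and PrincipalContext binds
# from the stack trace and decodes the HRESULT. All values in param() are assumptions.
param(
    [string]$LdapPath  = "LDAP://ldap.domain.com/CN=Users,DC=domain,DC=com",
    [string]$Server    = "ldap.domain.com",    # for AD LDS: "host:port"
    [string]$Container = "CN=Users,DC=domain,DC=com",
    [string]$Identity  = "user@domain.com"
)
Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# HRESULTs that have no system message text, so .NET reports them as "Unknown error (0x...)"
$KnownBindErrors = @{
    "80005000" = "E_ADS_BAD_PATHNAME: the ADsPath is malformed (provider prefix, server part or DN syntax)"
    "8007052E" = "ERROR_LOGON_FAILURE: the bind credentials were rejected"
    "80072030" = "ERROR_DS_NO_SUCH_OBJECT: the container DN does not exist on this server"
    "8007203A" = "ERROR_DS_SERVER_DOWN: the LDAP server did not answer"
}

function Get-RootException([Exception]$e) {
    # PowerShell wraps .NET exceptions (MethodInvocationException, GetValueInvocationException);
    # the COMException thrown by the ADSI bind is the innermost one
    while ($e.InnerException) { $e = $e.InnerException }
    return $e
}

function Format-BindFailure($ErrorRecord) {
    $root = Get-RootException $ErrorRecord.Exception
    $hex  = '{0:X8}' -f $root.HResult
    $hint = if ($KnownBindErrors.ContainsKey($hex)) { $KnownBindErrors[$hex] } else { 'not in the table above' }
    return "FAILED [$($root.GetType().Name) 0x$hex] $($root.Message) -> $hint"
}

function Test-DirectoryBind([string]$Path) {
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($Path)
        # Reading NativeObject forces the ADSI bind that DirectoryEntry.Bind() otherwise performs lazily
        $null = $entry.NativeObject
        return "OK: bound to $($entry.Path) as $($entry.Properties['distinguishedName'].Value)"
    } catch { return Format-BindFailure $_ }
}

function Test-PrincipalLookup {
    param(
        [System.DirectoryServices.AccountManagement.ContextType]$Type,
        [string]$Server, [string]$Container, [string]$Identity
    )
    try {
        # Same call chain as the stack trace: PrincipalContext -> DoDomainInit -> DirectoryEntry.Bind
        $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($Type, $Server, $Container)
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $Identity)
        if ($null -eq $user) { return "OK ($Type): bind succeeded, but '$Identity' was not found under $Container" }
        $groups = ($user.GetGroups() | ForEach-Object { $_.SamAccountName }) -join ', '
        return "OK ($Type): $($user.DistinguishedName); groups: $groups"
    } catch { return Format-BindFailure $_ }
}

Test-DirectoryBind -Path $LdapPath
# ContextType.Domain addresses an AD DS domain; an AD LDS instance is opened with
# ContextType.ApplicationDirectory and a "host:port" server name.
Test-PrincipalLookup -Type Domain               -Server $Server -Container $Container -Identity $Identity
Test-PrincipalLookup -Type ApplicationDirectory -Server $Server -Container $Container -Identity $Identity
```

If the raw DirectoryEntry bind succeeds but the Domain context fails and the ApplicationDirectory context succeeds, the LDAP connection is pointing at an AD LDS instance and the augmentation path needs a connection that is addressed accordingly; if both fail with a logon or server-down code, the problem is the identity or the network rather than the path.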

Updated Wiki: Home


This claims provider queries Active Directory and LDAP servers to give the people picker a proper search experience when SharePoint uses trusted authentication (typically ADFS).

Features

  • Works with SharePoint 2013 and SharePoint 2016.
  • Easy to configure with administration pages added in Central Administration > Security.
  • Queries multiple servers in parallel (multi-threaded connections).
  • Populates properties (e.g. email, SIP, display name) when a permission is created.
  • Supports rehydration for provider-hosted add-ins.
  • Supports the dynamic tokens "{domain}" and "{fqdn}" to add domain information to the permissions it creates.
  • Uses the SharePoint logging infrastructure and logs messages in Area/Product "LDAPCP".
  • Ensures thread safety.
  • Version 5 introduces the most requested feature: augmentation, which populates the user's SAML token with group membership upon authentication.

Customization capabilities

  • Customize the list of claim types and their mapping with LDAP objects.
  • Enable/disable augmentation globally or per LDAP connection.
  • Customize the display of permissions.
  • Customize the LDAP filter per claim type, e.g. to only return users that are members of a specific security group.
  • Set a keyword to bypass the LDAP lookup, e.g. the input "extuser:partner@contoso.com" directly creates the permission "partner@contoso.com" on the claim type configured for it. Because the lookup is skipped, the value is not validated against the directory: whatever follows the keyword becomes the permission exactly as typed.
  • Set a prefix to add to LDAP results, e.g. add "domain\" to the groups returned by LDAP.
  • Hide disabled users and distribution lists.
  • Developers can do a lot more by inheriting the base class. See below for details.

Important - Limitations

Due to a limitation of the SharePoint API, do not associate LDAPCP with more than one SPTrustedIdentityTokenIssuer. Developers can work around this by inheriting LDAPCP to create new claims providers with different names. Read the "Developers corner" below for further information.

Solution deployment only installs ldapcp.dll on servers where the SharePoint service "Microsoft SharePoint Foundation Web Application" is started. On the other SharePoint servers you must install it in the GAC manually, for example with this PowerShell script (run elevated, and adjust the path to the assembly):

# Publish.GacInstall installs an assembly in the GAC without gacutil.exe
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall("C:\Data\Dev\ldapcp.dll")

How to install LDAPCP

Install and deploy the solution (this automatically activates the "LDAPCP" farm-scoped feature):

Add-SPSolution -LiteralPath "PATH TO WSP FILE"
Install-SPSolution -Identity "LDAPCP.wsp" -GACDeployment

At this point the claims provider is inactive; it must be associated with an SPTrustedIdentityTokenIssuer to work:

$trust = Get-SPTrustedIdentityTokenIssuer "SPTRUST NAME"
$trust.ClaimProviderName = "LDAPCP"
$trust.Update()

How to update LDAPCP

Run the Update-SPSolution cmdlet to start a timer job that deploys the update. You can monitor its progress on the farm solutions page in Central Administration.

Update-SPSolution -GACDeployment -Identity "LDAPCP.wsp" -LiteralPath "C:\Data\Dev\LDAPCP.wsp"

How to remove LDAPCP

Sometimes SharePoint 2013 does not uninstall the solution correctly: it removes the assembly from the GAC before calling the feature receiver, so the feature receiver cannot run, the claims provider is not removed, and the next installation runs into trouble.
To uninstall safely, deactivate the farm feature before retracting the solution:

Disable-SPFeature -identity "LDAPCP"
Uninstall-SPSolution -Identity "LDAPCP.wsp"
Remove-SPSolution -Identity "LDAPCP.wsp"

Validate that the claims provider was removed: Get-SPClaimProvider | ft DisplayName. If LDAPCP still appears, remove it: Remove-SPClaimProvider LDAPCP
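The install, association, update and removal procedures above, as one script that verifies each step instead of assuming the timer job has already run. This is an added example, not the project's own script: it assumes the SharePoint Management Shell on a farm server, and the function names (Wait-SPSolutionJob, Install-Ldapcp, Update-Ldapcp, Remove-LdapcpSafely) and the $WspPath / $TrustName parameters are this example's own.

```powershell
# Added example, not LDAPCP's own script. Run from the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Wait-SPSolutionJob {
    # Install/Uninstall/Update-SPSolution only schedule a timer job; poll until it has completed.
    param([string]$Name = 'LDAPCP.wsp', [int]$TimeoutSec = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 5
        $sol = Get-SPSolution -Identity $Name -ErrorAction SilentlyContinue
        if ($null -eq $sol -or -not $sol.JobExists) { return $sol }
    } while ((Get-Date) -lt $deadline)
    throw "Timer job for $Name still pending after $TimeoutSec s; see Central Administration > Solution Management"
}

function Install-Ldapcp {
    param([Parameter(Mandatory)][string]$WspPath, [Parameter(Mandatory)][string]$TrustName)
    $sol = Get-SPSolution -Identity 'LDAPCP.wsp' -ErrorAction SilentlyContinue
    if ($null -eq $sol) { $sol = Add-SPSolution -LiteralPath $WspPath }
    if (-not $sol.Deployed) {
        Install-SPSolution -Identity 'LDAPCP.wsp' -GACDeployment
        $sol = Wait-SPSolutionJob
        if (-not $sol.Deployed) { throw "LDAPCP.wsp did not deploy: $($sol.LastOperationDetails)" }
    }
    # Deployment activates the farm feature, which registers the claim provider; it still has to be
    # bound to its single SPTrustedIdentityTokenIssuer before the people picker uses it.
    if ($null -eq (Get-SPClaimProvider | Where-Object { $_.DisplayName -eq 'LDAPCP' })) {
        throw 'LDAPCP.wsp is deployed but no claim provider named LDAPCP is registered; check the farm feature'
    }
    $trust = Get-SPTrustedIdentityTokenIssuer -Identity $TrustName
    $trust.ClaimProviderName = 'LDAPCP'
    $trust.Update()
    # Return the value as stored, so the caller can confirm the association took effect
    return (Get-SPTrustedIdentityTokenIssuer -Identity $TrustName).ClaimProviderName
}

function Update-Ldapcp {
    param([Parameter(Mandatory)][string]$WspPath)
    Update-SPSolution -Identity 'LDAPCP.wsp' -LiteralPath $WspPath -GACDeployment
    $sol = Wait-SPSolutionJob
    if (-not $sol.Deployed) { throw "Update of LDAPCP.wsp failed: $($sol.LastOperationDetails)" }
    return $sol.Deployed
}

function Remove-LdapcpSafely {
    # Order matters: deactivate the farm feature while ldapcp.dll is still in the GAC so the feature
    # receiver can unregister the claim provider; only then retract and delete the solution.
    if (Get-SPFeature -Farm | Where-Object { $_.DisplayName -eq 'LDAPCP' }) {
        Disable-SPFeature -Identity 'LDAPCP' -Confirm:$false
    }
    $sol = Get-SPSolution -Identity 'LDAPCP.wsp' -ErrorAction SilentlyContinue
    if ($sol -and $sol.Deployed) {
        Uninstall-SPSolution -Identity 'LDAPCP.wsp' -Confirm:$false
        $sol = Wait-SPSolutionJob
    }
    if ($sol) { Remove-SPSolution -Identity 'LDAPCP.wsp' -Confirm:$false }
    # A claim provider left behind is what breaks the next install; remove it explicitly if present
    if (Get-SPClaimProvider | Where-Object { $_.DisplayName -eq 'LDAPCP' }) {
        Remove-SPClaimProvider -Identity 'LDAPCP' -Confirm:$false
    }
    # True only when nothing named LDAPCP remains registered
    return ($null -eq (Get-SPClaimProvider | Where-Object { $_.DisplayName -eq 'LDAPCP' }))
}
```

Install-Ldapcp returns the trust's ClaimProviderName so the caller can check that it reads LDAPCP, and Remove-LdapcpSafely returns $true only when no claim provider named LDAPCP is left, which is the condition the validation line above asks you to check by hand.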

Claims supported

LDAPCP has a default mapping between claim types and LDAP attributes, which can be customized in the "Claims table" page available in Central Administration > Security.
The default list is the following:

Claim type | LDAP attribute name | LDAP object class
---------- | ------------------- | -----------------
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | mail | user
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname | sAMAccountName | user
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn | userPrincipalName | user
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | givenName | user
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality | physicalDeliveryOfficeName | user
http://schemas.microsoft.com/ws/2008/06/identity/claims/role | sAMAccountName | group
(linked to identity claim) | displayName | user
(linked to identity claim) | cn | user
(linked to identity claim) | sn | user

None of the claim types above is mandatory in the SPTrust, but the identity claim must either be one of them or be added through the LDAPCP admin pages.

Never have two identical claim types in the list; this causes issues.

To enhance the search experience, LDAPCP also matches the user input against common LDAP attributes such as the display name (displayName) and the common name (cn).
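As an added example (not LDAPCP's own code, whose filter construction this page does not show), the following turns a claim-type-to-attribute mapping like the default table above into one LDAP search filter for a people picker input, and shows the RFC 4515 escaping any such builder needs so that the typed text stays a literal value rather than becoming filter syntax. The mapping list copies the default table; the ExtraFilter on the upn row (a memberOf restriction, illustrating the "customize LDAP filter per claim type" capability), the two Hide switches and the LDAP path used by Search-PeoplePicker are assumptions.

```powershell
# Added example, not LDAPCP's own code. Mapping rows copied from the default claims table above;
# ClaimType = $null marks the "linked to identity claim" rows that only widen the search.
$DefaultMappings = @(
    @{ ClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';        Attribute = 'mail';                       ObjectClass = 'user';  ExtraFilter = '' }
    @{ ClaimType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'; Attribute = 'sAMAccountName';             ObjectClass = 'user';  ExtraFilter = '' }
    # assumed per-claim-type filter: only users that are members of one security group
    @{ ClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn';                 Attribute = 'userPrincipalName';          ObjectClass = 'user';  ExtraFilter = '(memberOf=CN=SharePoint Users,OU=Groups,DC=contoso,DC=com)' }
    @{ ClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname';           Attribute = 'givenName';                  ObjectClass = 'user';  ExtraFilter = '' }
    @{ ClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality';            Attribute = 'physicalDeliveryOfficeName'; ObjectClass = 'user';  ExtraFilter = '' }
    @{ ClaimType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role';              Attribute = 'sAMAccountName';             ObjectClass = 'group'; ExtraFilter = '' }
    @{ ClaimType = $null; Attribute = 'displayName'; ObjectClass = 'user'; ExtraFilter = '' }
    @{ ClaimType = $null; Attribute = 'cn';          ObjectClass = 'user'; ExtraFilter = '' }
    @{ ClaimType = $null; Attribute = 'sn';          ObjectClass = 'user'; ExtraFilter = '' }
)

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515: * ( ) \ and NUL inside an assertion value become a backslash plus two hex digits.
    # Without this, an input such as "*)(objectClass=*" would rewrite the filter structure.
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ($c -eq '*' -or $c -eq '(' -or $c -eq ')' -or $c -eq '\' -or [int]$c -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$c)
        } else {
            [void]$sb.Append($c)
        }
    }
    return $sb.ToString()
}

function New-PeoplePickerLdapFilter {
    param(
        [Parameter(Mandatory)][string]$SearchText,
        [hashtable[]]$Mappings = $DefaultMappings,
        [switch]$HideDisabledUsers,
        [switch]$HideDistributionLists
    )
    # Escape first, then append the prefix-match wildcard the people picker relies on
    $value   = (ConvertTo-LdapFilterValue $SearchText) + '*'
    $byClass = @{ user = @(); group = @() }
    foreach ($m in $Mappings) {
        $clause = "($($m.Attribute)=$value)"
        if ($m.ExtraFilter) { $clause = "(&$clause$($m.ExtraFilter))" }
        $byClass[$m.ObjectClass] += $clause
    }
    $userFilter = '(objectClass=user)'
    if ($HideDisabledUsers)     { $userFilter  += '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' }  # ACCOUNTDISABLE bit
    $groupFilter = '(objectClass=group)'
    if ($HideDistributionLists) { $groupFilter += '(groupType:1.2.840.113556.1.4.803:=2147483648)' }     # SECURITY_ENABLED bit
    return "(|(&$userFilter(|$($byClass.user -join '')))(&$groupFilter(|$($byClass.group -join ''))))"
}

function Search-PeoplePicker([string]$LdapPath, [string]$SearchText) {
    # Runs the filter against a directory with the process identity; $LdapPath is an assumption
    $root     = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = New-PeoplePickerLdapFilter -SearchText $SearchText -HideDisabledUsers -HideDistributionLists
    $searcher.SearchScope = 'Subtree'
    $searcher.SizeLimit   = 30     # bound the result set, as a people picker would
    foreach ($a in 'objectClass', 'sAMAccountName', 'userPrincipalName', 'mail', 'displayName') {
        [void]$searcher.PropertiesToLoad.Add($a)
    }
    return $searcher.FindAll() | ForEach-Object { $_.Path }
}

New-PeoplePickerLdapFilter -SearchText 'yvand' -HideDisabledUsers -HideDistributionLists
# The injection-shaped input stays a literal: every * ( ) in it is hex-escaped inside the filter
New-PeoplePickerLdapFilter -SearchText '*)(objectClass=*'
# Search-PeoplePicker -LdapPath 'LDAP://dc.contoso.com/DC=contoso,DC=com' -SearchText 'yvand'
```

The two top-level calls print the generated filters so the escaping can be inspected without a directory; Search-PeoplePicker is left commented because it needs a reachable LDAP server. The userAccountControl and groupType clauses use the LDAP_MATCHING_RULE_BIT_AND rule, which is how "hide disabled users" and "hide distribution lists" are expressed in a filter against Active Directory.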

Developers corner

The project has evolved a lot since the beginning, and nearly all customizations can now be made through the LDAPCP administration pages of the standard solution. Customizations not covered by the standard package, which can be achieved with "LDAPCP for Developers.zip", are:

  • Use LDAPCP in multiple trusts (SPTrustedIdentityTokenIssuer objects), so that each trust has a claims provider with a unique name.
  • Customize the display text or the value of the permissions created by LDAPCP.

"LDAPCP for Developers.zip" contains a Visual Studio project with sample classes that cover various use cases. Only one inherited claims provider is installed at a time; edit the feature event receiver to install the one you want to test.
Common mistakes to avoid:

  • Always deactivate the farm feature before retracting the solution (see "How to remove LDAPCP" above to understand why).
  • When you create your own SharePoint solution, DO NOT forget to include the ldapcp.dll assembly in the wsp package.

If you made either of these mistakes, you will likely experience issues when you try to redeploy the solution, because the feature is still installed. All features in the solution must be uninstalled before it can be redeployed.

In any case, DO NOT edit the LDAPCP class directly: it is designed to be inherited so that you can customize it to fit your needs. If a scenario you need is not covered, please submit it in the Discussions tab.


Updated Wiki: Home


LDAPCP is no longer updated on Codeplex and has moved to GitHub.com/Yvand/LDAPCP.
Please visit ldapcp.com to download the latest version.

Updated Wiki: Home


LDAPCP is no longer updated on Codeplex and has moved to GitHub.com/Yvand/LDAPCP.

Please visit ldapcp.com to find documentation and download the latest version.
