Channel: LDAP/AD Claims Provider For SharePoint

New Post: deployment question

Hi,
we're doing a custom version of LDAPCP. I'm having trouble uninstalling the standard LDAPCP and deploying ours, and I have two questions:
  • The uninstall isn't smooth and we must force the feature and the claimprovider deletion manually. Wonder if you have to unselect the custom provider from the webapps, or even delete it, before retracting LDAPCP
  • After the custom install, LDAPCP says there already exists an ldapcp.config with that id. I'd say our devs didn't implement the config right, but I'm no dev :)
  • I have multiple DLL woes: can't load dll messages often appear when deploying / setting provider, and I saw quite a few ldapcp.dll in \TEMP, which afaik means windows ain't uninstalling them as it should.
Any feedback on these points?

New Post: Query within site collection

I would like the picker to only return users who are in the site collection where the user is performing the search from. Which method do I need to override to filter the results?

New Post: deployment question

Hello,
whenever you uninstall LDAPCP standard or custom, you should always use those cmdlets (documented on homepage):
Disable-SPFeature -identity "LDAPCP"
Uninstall-SPSolution -Identity "LDAPCP.wsp"
Remove-SPSolution -Identity "LDAPCP.wsp"
The reason is because there is a bug in SharePoint, that I also explained in the homepage of the project (in "Developers corner" section)
thanks,
Yvan

New Post: Query within site collection

Hello,
LDAPCP cannot help you for that: when it is called, assuming it is configured for this web app/zone, LDAPCP should always return results if it can.
What you want is to find a way so that SharePoint does NOT call LDAPCP; that's not something you can achieve by overriding any method in LDAPCP.
Thanks,
Yvan

New Post: Query within site collection

What if I override the FillSearch function with the same exact code found in the LDAPCP base class function, but instead of adding every returned user to the searchtree hierarchy, I ignore those that are not in the site collection? Would that not work?

// On purpose, if this property is true, LDAP lookup is completely bypassed
List<PickerEntity> entities = CreatePickerEntityForSpecificClaimTypes(
    input,
    attributes.FindAll(x => !x.CreateAsIdentityClaim),
    false
);

if (results != null && results.Count > 0)
{
    foreach (var result in results)
    {
        // Check if current user exists in site collection. If true, execute:
        matchNode.AddEntity(entity);
    }
}

New Post: Query within site collection

Hmm, yes, I think that scenario will work.
I'm just not sure if FillSearch will be called in every scenario where you want to restrict the permissions returned; maybe you'll have to override FillResolve([...]string[...]) as well.
But in any case, you should not override FillResolve([...]SPClaim[...]).

Quick question for you: would that help if LDAPCP had an overridable method that would always be called after permissions are created, but before they are added to the list (so that you have a chance to remove the ones already created, and add new ones)?

Thanks,
Yvan

New Post: Query within site collection

Absolutely that would help. It would give me the chance to remove the permissions for all the users who are not members of the site collection before displaying them in the list. If I can get the context uri of the site collection inside this overloaded method, then I'll be set.

I agree with you that the FillSearch will not cover every scenario for me, and that I would have to override FillResolve also. I wanted to take it one step at a time, and get it working for FillSearch first before I tackled other methods. I actually tried overriding FillSearch today but I ran into an exception, and did not mess around too much with it. If you provide an overridable method that I can use, then I don't even need to mess around with overriding FillSearch or FillResolve. I'll just remove the permissions that I don't need and then return the updated permission collection back to the base class for display in the list. That would be great!

Thanks.

New Post: Query within site collection

Ok :)
I will implement it, but I don't want to commit on any timeframe when it will be available.
thanks,
Yvan

New Post: Query within site collection

Fantastic! I will be anxiously awaiting :)

Thanks, Yvan.

New Post: Disabling prefix (Role) when searching for AD groups

Hi all,

I'm looking for a solution to prevent the (Role) prefix from appearing when searching for AD groups in people picker.
Currently, when looking for an AD group, I've got the following: "(Role) Project ХХХ-ХХХ".

Unfortunately, in /_admin/Ldapcp/ClaimsTable.aspx I see only the possibility to add a prefix to the returned value, not to remove it.

Any suggestions?

Thanks,
Sergey

New Post: Disabling prefix (Role) when searching for AD groups

Hello,
this will be possible with the next version that will be available soon.
thanks,
Yvan

New Post: Query within site collection

Hello,
for your information, I implemented this in the next version and it should be available soon (let's say within 1 month).
thanks,
Yvan

New Post: Ldap connection error

I try to add a connection to an LDAP Sun v11 with the following values :

LDAP Path : LDAPS://IP_Of_The_LDAP_Server
Username : uid=xxxx,ou=xxx,dc=xxx
Password : xxx

The Secure checkbox is checked.

When I click on the button "Test LDAP Connection", I get this error:
Unable to connect to LDAP for following reason:
Unknown error (0x80005000)
It may be expected if w3wp process of central admin has intentionally no access to LDAP server.

I have activated the LDAPCP log but there is no message ...

Can LDAPCP connect to a Sun LDAP server? Can LDAPCP connect to an LDAPS server?
Thanks a lot for your help.

New Post: Disabling prefix (Role) when searching for AD groups

Hi Yvan,
Thank you for the prompt answer.
I've found this topic - http://ldapcp.codeplex.com/discussions/587739. May I achieve it using the specified technique (create a new entry of type "Query LDAP with specified attribute and create permission with the attribute linked to identity claim")?

Thanks,
Sergey

New Post: Ldap connection error

Yvand,
can you answer me please?
This is a very important point for my project and my customer.

Thank you so much in advance.

Best regards.

Released: LDAPCP v3.10 (Mar 29, 2016)

Changes in version 3.10 (published 29/03/2016)
- Added an overridable method that is called after permissions are created, but before they are sent to SharePoint, so that developers have a chance to remove the ones already created, and add new ones
- New: by default the display name of groups is also queried to create role permissions
- It is not possible to show/hide claim name in display text of permissions
- Various improvements and fixes in claims mapping page

Changes in version 3.9 (published 05/11/2015)
- Fixed NullReferenceException bug that occurred with specific LDAP servers like Tivoli
- LDAPCP can now dynamically append FQDN to LDAP results when it creates permission, using token {fqdn}
- Minor improvements

Changes in version 3.8 (published 09/09/2015)
- An attempt to get LDAP object is now performed even if input was potentially submitted with a keyword that bypasses LDAP lookup
- Fixed a bug where LDAPCP may display permissions in web apps where it is not used

Changes in version 3.7 (published 11/02/2015)
- Implemented SupportsUserKey to support rehydration for provider hosted apps
- Updated logging

Changes in version 3.6 (published 14/01/2015)
- Fixed incorrect test on metadata field while creating item in claims table page
Validated new features added by itsystemsGuy:
- Added in the functionality to search by group attributes (i.e displayName).
- Added in timeout logic so LDAP queries will only run for a certain period of time before failing. The default is 10 seconds for new deployments and can be set in LDAPCP config page.
- Added in logic so that a domain token can be used as a prefix which will then replace {domain} with the relevant domain associated to the search result.

Changes in version 3.4 (published 06/11/2014)
- Improvements in claims table page
- Fixed bug in text description
- Now permission metadata can be set on any SPClaimEntityTypes (not only User)

Changes in version 3.3 (published 12/08/2014)
- Fixed incorrect value of parameter isIdentityClaimType in overridable method FormatPermissionValue
- Fixed permission validation issue when AlwaysResolveUserInput is set to true. Now, if this property is set to true, LDAP lookup is completely bypassed

Changes in version 3.2 (published 18/07/2014)
Added 2 overridable methods to allow customization of value and display text of permissions. This makes some customization a lot easier (see class LDAPCP_CustomResolution in LDAPCP for Developers for more details)

Changes in version 3.1 (published 11/07/2014)
Connection to LDAP servers is now multi-threaded (using Parallel Library only available in .NET 4+)

Changes in version 3.0 (published 08/07/2014)
Rewrote important parts of the code to be smarter, faster and more reliable.
Include various bug fixes
This is also the last version sharing the same code as LDAPCP 2010

Changes in version 2.2 (published 05/06/2014)
Fixed a minor bug that prevented LDAPCP from returning results from central administration in rare scenarios

Changes in version 2.1 (published 05/06/2014)
Updated LDAPCP administration pages to:
- Connect to multiple LDAP / AD
- Set a keyword to resolve an input without LDAP lookup
- Set a prefix to add to a value returned by LDAP
And other minor improvements

Changes in version 2.0 (published 15/05/2014)
Fixed bug with multithreading: results collections used by LDAPCP were shared by every thread. As a result, in very rare cases (issues were reported only with Project when it synchronized permissions between PWA and project sites), and then only sometimes (< 1%), a permission was created with the values of another user.
Full integration of LDAPCP logging with SharePoint logging infrastructure
Improved admin "claims table" page with new options and improved layout

Changes in version 1.11 (published 22/04/2014)
New option to filter exact match only
New option to specify a custom LDAP filter individually for each LDAP attribute
Minor optimizations
Added new options in LDAPCP admin pages
Now by default computer accounts are excluded from results list

Changes in version 1.10 (published 27/03/2014)
Improved logging with a dedicated Area (LDAPCP) and a dedicated event id (1337)
Fixed memory leak issue
Some optimizations to improve performance
Better management of permissions metadata

Changes in version 1.9 (published 12/11/2013)
Minor optimizations in the code
Removed messages related to metadata of permission from ULS logging, which tended to flood the logs
added parameters "context" and "entityTypes" in method SetLDAPConnections to cover new scenarios for developers

Changes in version 1.8.0.0 (published 23/09/2013)
Many changes on the code to improve resilience and better support customizations of developers (especially when connecting to multiple LDAP servers)
added new property "LDAPAttributeToDisplay" to customize display text of each claim type
updated general admin page
added new LDAP attribute "sn" to search users with their last name
improved logging
minor bug fixes

Changes in version 1.7.0.0 (published 13/05/2013)
Added a new administration page to customize claims list
Fixed: minor bug that could occur with attributes set to be resolved as identity claim

Changes in version 1.6.0.0 (published 17/04/2013)
Fixed: bug when creating a SPClaimTypeMapping with a LocalClaimType different than IncomingClaimType

Changes in version 1.5.0.0 (published 28/03/2013)
New: Added ability to connect to LDAP in ServerBind authentication mode
New: Added option to exclude AD distribution lists from LDAP lookup

Changes in version 1.4.0.0 (published 21/03/2013)
Improved: Dramatic performance improvement of LDAP lookup by not using wildcard in front of search terms by default, which allows LDAP to use its indexes to speed up the lookup
New: Added option to choose to add or not a wildcard in front of search terms by default
New: Searches additional attributes to populate metadata of permission created (title, phone and SIP address)

Changes in version 1.3.0.0 (published 19/02/2013)
Fixed: sAMAccountName LDAP attribute is linked to http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname claim type, as it should
Fixed: better use of WIF namespaces in code: use System.Security.Claims as primary namespace for WIF

Changes in version 1.2.0.1 (published 25/01/2013)
Fixed: Removed an unnecessary check in the constructor that prevented LDAPCP from being called in some processes like OWSTimer or PowerShell, and could prevent some operations from being performed.

Changes in version 1.2.0.0 (published 25/01/2013)
New: Added a new option to not resolve disabled users (works for AD only)
Fixed: Incorrect claim type used if incoming and local claim type are different (with New-SPClaimTypeMapping cmdlet)

Changes in version 1.1.0.0 (published 20/01/2013)
- Fixed: error "the user doesn't exist or is not unique" when web application has multiple zones and default zone does not use a TrustedLoginProvider

RTM version for SharePoint 2013 (published 02/12/2012)
It is largely based on LDAPCP 2010 v3.0.0.0, but with improvements and bug fixes:
- Improved: identity claim can now use any LDAP attribute as preferred display value.
- Fixed: Did not search on additional attributes outside of the people picker control.
- Changed: Description text does not display claim provider name anymore for better readability
- Changed 2 claim types:
"http://schemas.xmlsoap.org/claims/Group" becomes "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" because it doesn’t exist anymore in .NET 4.5
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" becomes "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" because SharePoint throws an error message when it is used in a SAML token.

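The version 2.0 entry in the release notes above describes results collections shared by every thread, with the effect that a permission was sometimes created with the values of another user. The following C# program is an added example, not LDAPCP code: both provider classes, the Resolve method and the user names are hypothetical, and Thread.Sleep stands in for the LDAP round trip. It contrasts a results list held in an instance field with one created per call.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical stand-ins for a claims provider; these are not LDAPCP classes.
class SharedResultsProvider
{
    // Defect: one results list per provider instance, reused by every request thread.
    private readonly List<string> results = new List<string>();

    public string Resolve(string user)
    {
        lock (results) { results.Clear(); }
        Thread.Sleep(1);                                   // simulated LDAP round trip
        lock (results) { results.Add("claim-for-" + user); }
        Thread.Sleep(1);                                   // simulated permission creation
        // The locks keep the list itself consistent, but its content still
        // belongs to whichever request cleared or wrote it last.
        lock (results) { return results.Count > 0 ? results[0] : null; }
    }
}

class PerCallResultsProvider
{
    public string Resolve(string user)
    {
        // Fix: the results list is a local variable, visible only to this call.
        var results = new List<string>();
        Thread.Sleep(1);
        results.Add("claim-for-" + user);
        Thread.Sleep(1);
        return results[0];
    }
}

static class Demo
{
    // Runs 200 concurrent lookups (constructed user names) and counts how many
    // callers received a value that was not built from their own input.
    public static int CountMismatches(Func<string, string> resolve)
    {
        int mismatches = 0;
        Parallel.For(0, 200, i =>
        {
            string user = "user" + i;
            if (resolve(user) != "claim-for-" + user)
                Interlocked.Increment(ref mismatches);
        });
        return mismatches;
    }

    static void Main()
    {
        Console.WriteLine("shared field : " + CountMismatches(new SharedResultsProvider().Resolve));
        Console.WriteLine("per-call list: " + CountMismatches(new PerCallResultsProvider().Resolve));
    }
}
```

The first count depends on thread scheduling; the second is always 0 because no state outlives a call.
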
New Post: Ldap connection error

New Post: Disabling prefix (Role) when searching for AD groups

Hello Sergey,
you can do this with the new version I just published.
Once installed, go to central admin > security > LDAPCP claims mapping page > Edit the claim type and uncheck box for column "Show claim name in display text".
Thanks,
Yvan

New Post: Query within site collection

Hello,
for your information, the update is available :)
You want to override FillPermissions in your inherited class to change / remove permissions created by LDAPCP, or add new ones.
Please let me know if you have some feedback or experience any issue.
Thanks,
Yvan