Channel: LDAP/AD Claims Provider For SharePoint

New Post: Ldap connection error

Hello Yvand,
thanks a lot for your answer. I'm going to test your new version as soon as possible and tell you if I have found the solution.
Many thanks.

New Post: Disabling prefix (Role) when searching for AD groups

Hello Yvan,

Many thanks for update.
Just for your information, I was able to do it by removing LDAP class "group" from _admin/Ldapcp/ClaimsTable.aspx on my ShP CA server (as shown on the screenshot below):
Image
However, I think it's a bad way, isn't it?

Thanks,
Sergey

Updated Wiki: Home


This claims provider queries Active Directory and LDAP servers to enhance people picker with a great search experience in trusted authentication (typically ADFS).


Features

  • Works with SharePoint 2013 and SharePoint 2016.
  • Easy to configure with administration pages added in Central administration > Security.
  • Queries multiple servers in parallel (multi-threaded connections).
  • Populates properties (e.g. email, SIP, display name) upon permission creation.
  • Supports rehydration for provider-hosted add-ins.
  • Supports dynamic tokens “{domain}” and “{fqdn}” to add domain information to the permissions it creates.

Customization capabilities

  • Customize list of claim types, and their mapping with LDAP objects.
  • Customize display of permissions.
  • Customize the LDAP filter per claim type, e.g. to only return users that are members of a specific security group.
  • Set a keyword to bypass LDAP lookup. e.g. input "extuser:partner@contoso.com" directly creates permission "partner@contoso.com" on claim type set for this.
  • Set a prefix to add to LDAP results, e.g. add "domain\" to groups returned by LDAP.
  • Hide disabled users and distribution lists.
  • Developers can easily do a lot more by inheriting the base class. See below for more details.

Important - Limitations

Due to limitations of the SharePoint API, do not associate LDAPCP with more than one SPTrustedIdentityTokenIssuer. Developers can bypass this limitation by inheriting LDAPCP to create new claims providers (with different names). Read the “Developers section” below for further information.

You must manually deploy ldapcp.dll on SharePoint servers that do not have SharePoint service "Microsoft SharePoint Foundation Web Application" started. You can use this PowerShell script:

[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall("C:\Data\Dev\ldapcp.dll")

Version 2 is a critical update that ensures thread safety and fully implements SharePoint logging infrastructure (messages are recorded in Area/Product "LDAPCP"). Its logging level can be customized with PowerShell or Central Administration.

How to install LDAPCP

Install and deploy the solution (that will automatically activate the “LDAPCP” farm-scoped feature):

Add-SPSolution -LiteralPath "PATH TO WSP FILE"
Install-SPSolution -Identity "LDAPCP.wsp" -GACDeployment

At this point claim provider is inactive and it must be associated to an SPTrustedIdentityTokenIssuer to work:

$trust = Get-SPTrustedIdentityTokenIssuer "SPTRUST NAME"
$trust.ClaimProviderName = "LDAPCP"
$trust.Update()

How to update LDAPCP

Run the Update-SPSolution cmdlet to start a timer job that will deploy the update. You can monitor the progress in the farm solutions page in Central Administration.

Update-SPSolution -GACDeployment -Identity "LDAPCP.wsp" -LiteralPath "C:\Data\Dev\LDAPCP.wsp"

How to remove LDAPCP

For an unknown reason, SharePoint 2013 sometimes fails to uninstall the solution correctly because it removes the assembly from the GAC before calling the feature receiver. When this happens, the claims provider is not removed, and that causes issues when you re-install it.
To uninstall safely, deactivate the farm feature before retracting the solution:

Disable-SPFeature -identity "LDAPCP"
Uninstall-SPSolution -Identity "LDAPCP.wsp"
Remove-SPSolution -Identity "LDAPCP.wsp"

Validate that the claims provider was removed: "Get-SPClaimProvider | ft DisplayName". If LDAPCP appears, remove it: "Remove-SPClaimProvider LDAPCP".

Claims supported

LDAPCP has a default mapping between claim types and LDAP attributes, but this can be customized in the “Claims table” page available in Central Administration/Security.
The default list is:

Claim type                                                                    LDAP attribute name         LDAP object class
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress            mail                        user
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname    sAMAccountName              user
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn                     userPrincipalName           user
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname               givenName                   user
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality                physicalDeliveryOfficeName  user
http://schemas.microsoft.com/ws/2008/06/identity/claims/role                  sAMAccountName              group
linked to identity claim                                                      displayName                 user
linked to identity claim                                                      cn                          user
linked to identity claim                                                      sn                          user

None of the claim types above is mandatory in the SPTrust, but the identity claim must either be one of them, or added through LDAPCP admin pages.

Note that you should never have two identical claim types in the list, as this would cause issues.

To enhance search experience, LDAPCP also queries user input against common LDAP attributes such as the display name (displayName) and the common name (cn).

Developers corner

Project has evolved a lot since the beginning, and now 99% of all possible customizations can be made with LDAPCP administration pages in standard solution. Possible customizations not covered by standard package that can be achieved with "LDAPCP for Developers.zip" are:

  • Use LDAPCP in multiple trusts (SPTrustedIdentityTokenIssuer objects), so that each trust has a claim provider with a unique name.
  • Customize the display text or the value of permissions created by LDAPCP

"LDAPCP for Developers.zip" contains a Visual Studio project with sample classes that cover various use-case scenarios. Only 1 inherited claim provider is installed at a time, you need to edit the feature event receiver to install the claim provider you want to test.
Common mistakes to avoid:

  • Always deactivate the farm feature before retracting the solution (see "how to remove" above to understand why).
  • When you create your own SharePoint solution, DO NOT forget to include the ldapcp.dll assembly in the wsp package.

If you did any of the mistakes above, you will likely experience issues when you try to redeploy the solution because the feature was already installed. All features in the solution must be uninstalled before it can be redeployed.

In any case, DO NOT directly edit LDAPCP class, it has been designed to be inherited so that you can customize it to fit your needs. If a scenario that you need is not covered, please submit it in the discussions tab.



New Post: Disabling prefix (Role) when searching for AD groups

Hello,
I'm not exactly sure about what you did but I don't think it was a good idea :)
You should revert your change, and after installing the update you'll see a checkbox to show/hide the claim name.
thanks,
Yvan

New Post: Disabling prefix (Role) when searching for AD groups

Sure,
Will try it today and reply back.
Thanks.

Source code checked in, #2430ee0b78afe6a75f3b8d4e836da8ec5742d59c

*Changes in version 3.10 (published 29/03/2016)*
- Added an overridable method that is called after permissions are created, but before they are sent to SharePoint, so that developers have a chance to remove the ones already created and add new ones
- New: by default, display names of groups are also queried to create role permissions
- It is not possible to show/hide the claim name in the display text of permissions
- Various improvements and fixes in the claims mapping page

Updated Wiki: Home


This claims provider queries Active Directory and LDAP servers to enhance people picker with a great search experience in trusted authentication (typically ADFS).


Features

  • Works with SharePoint 2013 and SharePoint 2016.
  • Easy to configure with administration pages added in Central administration > Security.
  • Queries multiple servers in parallel (multi-threaded connections).
  • Populates properties (e.g. email, SIP, display name) upon permission creation.
  • Supports rehydration for provider-hosted add-ins.
  • Supports dynamic tokens "{domain}" and "{fqdn}" to add domain information to the permissions it creates.
  • Implements SharePoint logging infrastructure and logs messages in Area/Product "LDAPCP".
  • Ensures thread safety.

Customization capabilities

  • Customize list of claim types, and their mapping with LDAP objects.
  • Customize display of permissions.
  • Customize the LDAP filter per claim type, e.g. to only return users that are members of a specific security group.
  • Set a keyword to bypass LDAP lookup. e.g. input "extuser:partner@contoso.com" directly creates permission "partner@contoso.com" on claim type set for this.
  • Set a prefix to add to LDAP results, e.g. add "domain\" to groups returned by LDAP.
  • Hide disabled users and distribution lists.
  • Developers can easily do a lot more by inheriting the base class. See below for more details.

Important - Limitations

Due to limitations of the SharePoint API, do not associate LDAPCP with more than one SPTrustedIdentityTokenIssuer. Developers can bypass this limitation by inheriting LDAPCP to create new claims providers (with different names). Read the “Developers section” below for further information.

You must manually deploy ldapcp.dll on SharePoint servers that do not have SharePoint service "Microsoft SharePoint Foundation Web Application" started. You can use this PowerShell script:

[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall("C:\Data\Dev\ldapcp.dll")

How to install LDAPCP

Install and deploy the solution (that will automatically activate the “LDAPCP” farm-scoped feature):

Add-SPSolution -LiteralPath "PATH TO WSP FILE"
Install-SPSolution -Identity "LDAPCP.wsp" -GACDeployment

At this point claim provider is inactive and it must be associated to an SPTrustedIdentityTokenIssuer to work:

$trust = Get-SPTrustedIdentityTokenIssuer "SPTRUST NAME"
$trust.ClaimProviderName = "LDAPCP"
$trust.Update()

How to update LDAPCP

Run the Update-SPSolution cmdlet to start a timer job that will deploy the update. You can monitor the progress in the farm solutions page in Central Administration.

Update-SPSolution -GACDeployment -Identity "LDAPCP.wsp" -LiteralPath "C:\Data\Dev\LDAPCP.wsp"

How to remove LDAPCP

For an unknown reason, SharePoint 2013 sometimes fails to uninstall the solution correctly because it removes the assembly from the GAC before calling the feature receiver. When this happens, the claims provider is not removed, and that causes issues when you re-install it.
To uninstall safely, deactivate the farm feature before retracting the solution:

Disable-SPFeature -identity "LDAPCP"
Uninstall-SPSolution -Identity "LDAPCP.wsp"
Remove-SPSolution -Identity "LDAPCP.wsp"

Validate that the claims provider was removed: "Get-SPClaimProvider | ft DisplayName". If LDAPCP appears, remove it: "Remove-SPClaimProvider LDAPCP".
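The install, update and removal procedures above each depend on the farm being in a known state (solution deployed, feature active, provider registered, at most one trust associated, assembly present on every server). The following read-only check is an added example, not part of the LDAPCP wiki or project; it assumes the default names used on this page ("LDAPCP.wsp", feature "LDAPCP", provider "LDAPCP") and is meant to be run in the SharePoint Management Shell before and after each procedure.

```powershell
# Added example (not LDAPCP code): read-only pre-flight check of the farm state that the
# install / update / remove procedures rely on. Assumes the default names used on this page.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-LdapcpFarmState {
    [CmdletBinding()]
    param(
        [string] $SolutionName = "LDAPCP.wsp",
        [string] $FeatureName  = "LDAPCP",
        [string] $ProviderName = "LDAPCP"
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Solution store: Update-SPSolution only works on a solution that is present and deployed.
    $solution = Get-SPSolution | Where-Object { $_.Name -eq $SolutionName }
    if (-not $solution) {
        $findings.Add("Solution '$SolutionName' is not in the farm solution store.")
    } elseif (-not $solution.Deployed) {
        $findings.Add("Solution '$SolutionName' is in the store but not deployed.")
    }

    # 2. Farm feature: it must be deactivated BEFORE Uninstall-SPSolution, otherwise SharePoint 2013
    #    may drop the assembly from the GAC before the feature receiver runs and leave the
    #    claim provider registered (see 'How to remove LDAPCP').
    $featureActive = [bool](Get-SPFeature -Farm | Where-Object { $_.DisplayName -eq $FeatureName })
    if ($featureActive -and -not $solution) {
        $findings.Add("Farm feature '$FeatureName' is active but its solution is gone; uninstall the feature before redeploying.")
    }

    # 3. Claim provider registration: a stale registration after a failed retraction breaks re-install.
    $providerRegistered = [bool](Get-SPClaimProvider | Where-Object { $_.DisplayName -eq $ProviderName })
    if ($providerRegistered -and -not $featureActive) {
        $findings.Add("Claim provider '$ProviderName' is still registered although the farm feature is inactive (Remove-SPClaimProvider $ProviderName).")
    }

    # 4. Trust association: the wiki's limitation is at most ONE SPTrustedIdentityTokenIssuer
    #    per provider name; zero means the people picker will not use LDAPCP at all.
    $trusts = @(Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.ClaimProviderName -eq $ProviderName })
    if ($trusts.Count -gt 1) {
        $findings.Add("'$ProviderName' is associated with $($trusts.Count) trusts ($($trusts.Name -join ', ')); only one is supported.")
    } elseif ($trusts.Count -eq 0 -and $providerRegistered) {
        $findings.Add("'$ProviderName' is registered but not associated with any SPTrustedIdentityTokenIssuer.")
    }

    # 5. Servers where 'Microsoft SharePoint Foundation Web Application' is not started do not
    #    receive ldapcp.dll from the WSP deployment and need the manual GacInstall step above.
    $manualGacServers = Get-SPServiceInstance |
        Where-Object { $_.TypeName -eq "Microsoft SharePoint Foundation Web Application" -and $_.Status -ne "Online" } |
        ForEach-Object { $_.Server.Address }
    foreach ($server in $manualGacServers) {
        $findings.Add("Server '$server': web application service not started; deploy ldapcp.dll to the GAC manually.")
    }

    [pscustomobject]@{
        SolutionDeployed   = [bool]($solution -and $solution.Deployed)
        FeatureActive      = $featureActive
        ProviderRegistered = $providerRegistered
        AssociatedTrusts   = $trusts.Name
        Healthy            = ($findings.Count -eq 0)
        Findings           = $findings
    }
}

Test-LdapcpFarmState | Format-List
```

A non-empty Findings list after "How to remove LDAPCP" usually means the feature receiver did not run; the Remove-SPClaimProvider step above is then the fix before re-installing.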

Claims supported

LDAPCP has a default mapping between claim types and LDAP attributes, but this can be customized in the “Claims table” page available in Central Administration/Security.
The default list is:

Claim type                                                                    LDAP attribute name         LDAP object class
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress            mail                        user
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname    sAMAccountName              user
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn                     userPrincipalName           user
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname               givenName                   user
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality                physicalDeliveryOfficeName  user
http://schemas.microsoft.com/ws/2008/06/identity/claims/role                  sAMAccountName              group
linked to identity claim                                                      displayName                 user
linked to identity claim                                                      cn                          user
linked to identity claim                                                      sn                          user

None of the claim types above is mandatory in the SPTrust, but the identity claim must either be one of them, or added through LDAPCP admin pages.

Note that you should never have two identical claim types in the list, as this would cause issues.

To enhance search experience, LDAPCP also queries user input against common LDAP attributes such as the display name (displayName) and the common name (cn).

Developers corner

Project has evolved a lot since the beginning, and now 99% of all possible customizations can be made with LDAPCP administration pages in standard solution. Possible customizations not covered by standard package that can be achieved with "LDAPCP for Developers.zip" are:

  • Use LDAPCP in multiple trusts (SPTrustedIdentityTokenIssuer objects), so that each trust has a claim provider with a unique name.
  • Customize the display text or the value of permissions created by LDAPCP

"LDAPCP for Developers.zip" contains a Visual Studio project with sample classes that cover various use-case scenarios. Only 1 inherited claim provider is installed at a time, you need to edit the feature event receiver to install the claim provider you want to test.
Common mistakes to avoid:

  • Always deactivate the farm feature before retracting the solution (see "how to remove" above to understand why).
  • When you create your own SharePoint solution, DO NOT forget to include the ldapcp.dll assembly in the wsp package.

If you did any of the mistakes above, you will likely experience issues when you try to redeploy the solution because the feature was already installed. All features in the solution must be uninstalled before it can be redeployed.

In any case, DO NOT directly edit LDAPCP class, it has been designed to be inherited so that you can customize it to fit your needs. If a scenario that you need is not covered, please submit it in the discussions tab.



New Post: Disabling prefix (Role) when searching for AD groups

Hi Yvan,
All works like a charm.
Great addition to solution!

However, I'd like to ask one more question: currently I'm unable to extract the email address associated with an AD security group (or Exchange distribution list).
In fact, when looking through PowerShell, I see:
Get-ADGroup "Project EPM-RIM" -Properties *
LastKnownParent                       :
mail                                  : ProjectEPM-RIM@XXX.com
mailNickname                          : ProjectEPM-RIM
I see the same when looking for a user:
Get-ADUser "Sergey_Solovyev" -Properties *
GivenName         : Sergey
mail              : Sergey_Solovyev@XXX.com
Name              : Sergey Solovyev
ObjectClass       : user
SamAccountName    : Sergey_Solovyev
Surname           : Solovyev
UserPrincipalName : Sergey_Solovyev@XXX.com
But when checking on the SharePoint server, the email is present for the user, but not for the group:
$spti = Get-SPTrustedIdentityTokenIssuer
$claim9 = New-SPClaimsPrincipal -ClaimValue "Sergey_Solovyev@xxxx.com" -ClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn -TrustedIdentityTokenIssuer $spti
$user9 = $web.EnsureUser($claim9.ToEncodedString())
$user9 | Format-List -Property *
UserLogin                        : i:0e.t|staging adfs|sergey_solovyev@XXX.com
DisplayName                      : Sergey Solovyev
Name                             : Sergey Solovyev
Email                            : Sergey_Solovyev@XXX.com
$spti = Get-SPTrustedIdentityTokenIssuer
$claim10 = New-SPClaimsPrincipal -ClaimValue "Project EPM-GOPS" -ClaimType http://schemas.microsoft.com/ws/2008/06/identity/claims/role -TrustedIdentityTokenIssuer $spti
$user10 = $web.EnsureUser($claim10.ToEncodedString())
$user10 | Format-List -Property *
UserLogin                        : c:0-.t|staging adfs|project epm-gops
DisplayName                      : (Role) Project EPM-GOPS
Name                             : (Role) Project EPM-GOPS
Email                            : 
Any suggestions on what I'm doing wrong?
Is there another way to map the group email?

Thanks,
Sergey

New Post: AD security group\Exchange distribution list email property is missed

Hello Yvan,

Currently I'm unable to extract the email address associated with an AD security group (and Exchange distribution list).
In fact, when looking through PowerShell, I see:
Get-ADGroup "Project EPM-RIM" -Properties *
LastKnownParent                       :
mail                                  : ProjectEPM-RIM@XXX.com
mailNickname                          : ProjectEPM-RIM
I see the same when looking for a user:
Get-ADUser "Sergey_Solovyev" -Properties *
GivenName         : Sergey
mail              : Sergey_Solovyev@XXX.com
Name              : Sergey Solovyev
ObjectClass       : user
SamAccountName    : Sergey_Solovyev
Surname           : Solovyev
UserPrincipalName : Sergey_Solovyev@XXX.com
But when checking on the SharePoint server, the email is present for the user, but not for the group:
$spti = Get-SPTrustedIdentityTokenIssuer
$claim9 = New-SPClaimsPrincipal -ClaimValue "Sergey_Solovyev@xxxx.com" -ClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn -TrustedIdentityTokenIssuer $spti
$user9 = $web.EnsureUser($claim9.ToEncodedString())
$user9 | Format-List -Property *
UserLogin                        : i:0e.t|staging adfs|sergey_solovyev@XXX.com
DisplayName                      : Sergey Solovyev
Name                             : Sergey Solovyev
Email                            : Sergey_Solovyev@XXX.com
$spti = Get-SPTrustedIdentityTokenIssuer
$claim10 = New-SPClaimsPrincipal -ClaimValue "Project EPM-GOPS" -ClaimType http://schemas.microsoft.com/ws/2008/06/identity/claims/role -TrustedIdentityTokenIssuer $spti
$user10 = $web.EnsureUser($claim10.ToEncodedString())
$user10 | Format-List -Property *
UserLogin                        : c:0-.t|staging adfs|project epm-gops
DisplayName                      : (Role) Project EPM-GOPS
Name                             : (Role) Project EPM-GOPS
Email                            : 
Please note that there is no way to create a duplicate claim in the LDAPCP configuration table.

Any suggestions on what I'm doing wrong?
Is there another way to map the group email?

Thanks,
Sergey

New Post: AddWildcardInFrontOfQuery property

Dear Team,

I would like to include a wildcard before and after the input string

This definition is managed by the property AddWildcardInFrontOfQuery and its default value is set to false.

You have stated that starting from the 1.4 version, this option is no longer active by default,
but that it should be possible to set it up by means of the administration page.

I cannot find this option, but after a deeper investigation I noticed that in the page LdapcpSettings.aspx this option has been made unavailable.

At this point I have made this option available again, but when I save the configuration the option is ignored.

Due to that, I tried to activate the property by updating the database on the object Ldapcp.
In this way an input LDAP query is executed, but after the filtering process is applied it cannot display all the results.

Looking at the code of Ldapcp.cs I noticed that in the filtering process the following code is used:

// Runs for each LDAP result: 'a' is the value of the queried attribute, 'input' is the
// text typed in the people picker. The result is kept only if the value equals the input
// (exact search) or starts with it; otherwise it is skipped with 'continue'.
string a = properties[attributeHelper.LDAPAttribute][0].ToString();
if (exactSearch)
{
    if (!string.Equals(a, input, StringComparison.InvariantCultureIgnoreCase))
        continue;
}
else if (!a.StartsWith(input, StringComparison.InvariantCultureIgnoreCase))
    continue;
The code checks that the result starts with the filled-in input, then deletes some results, as below:

- Input string: rossi
- I get two results (Marco Rossi, Rossi Luca)
- 1 permission(s) after filtering
In this case the "Marco Rossi" result is discarded because it does not start with rossi.

My question is: is there a workaround for this issue? And in any case, is there a way to activate the option?

Thank you in advance for your kind answer

Giuseppe

Reviewed: LDAPCP v3.10 (Apr 01, 2016)

Rated 5 Stars (out of 5) - Good solution for all your needs. Very powerful and configurable through CA.

Reviewed: LDAPCP v3.10 (Apr 01, 2016)

Rated 5 Stars (out of 5) - Good solution for all your needs. Very powerful and configurable through CA.

New Post: AD security group\Exchange distribution list email property is missed

Hello,
actually this is possible but there is a bug in the claims mapping page that prevents you from adding the entry needed to handle this.
You can fix it manually by editing ClaimsTable.aspx with notepad (located in 15\TEMPLATE\ADMIN\ldapcp\ClaimsTable.aspx):
edit line 307 to replace this:
$('#rowClaimEntityType').hide('slow')
by this:
$('#rowClaimEntityType').show('slow')

Then refresh the page in the browser and add a new entry to the table with the following options:
  • select "Add a LDAP attribute to use only as a metadata of the new permission."
  • Type of permission metadata: Email
  • LDAP Attribute: mail
  • LDAP Object class: group
  • Claim entity type: FormsRole
Now, when you add a new group it should populate its email property. You can also monitor the ULS logs for the following messages:
04/01/2016 17:15:57.57 w3wp.exe (0x1F64) 0x2AD8 LDAPCP Claims Picking 1337 Verbose [LDAPCP] Added metadata "Email" with value "group1@yvanhost.local" to permission 1f496e9d-2d82-20c6-840b-81ac9483b4f6
04/01/2016 17:15:57.57 w3wp.exe (0x1F64) 0x2AD8 LDAPCP Claims Picking 1337 Verbose [LDAPCP] Created permission: display text: "(Role) YvanHost.local\group1", value: "YvanHost.local\group1", claim type: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", and filled with 2 metadata. 1f496e9d-2d82-20c6-840b-81ac9483b4f6

thanks,
Yvan

New Post: AddWildcardInFrontOfQuery property

Hello Giuseppe,
Your analysis is correct, and I don't see any workaround for this.
To give you some background, this option was hidden because using a wildcard in front of input prevents LDAP from using its indexers, and it has a dramatic impact on performance, so even if it worked, you would probably not want to use it.
Can't you query an additional attribute that starts with the term instead (like the cn, displayName, sn, etc...) ?
thanks,
Yvan
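The exchange above can be reproduced without a directory. The script below is an added example, not LDAPCP code: it applies the same prefix filter as the C# snippet quoted in the question to constructed entries (the names are made up), showing why a leading-wildcard LDAP query still loses "Marco Rossi", and why matching the input against an additional attribute such as sn, as suggested in the reply, returns both people.

```powershell
# Added example (not LDAPCP code): simulates the client-side prefix filter from the thread on
# constructed directory entries. Function and attribute names are assumptions for illustration.

# Constructed entries standing in for what the LDAP server returns for a '*rossi*' query.
$ldapResults = @(
    @{ displayName = "Marco Rossi";  givenName = "Marco"; sn = "Rossi";   cn = "Marco Rossi" },
    @{ displayName = "Rossi Luca";   givenName = "Luca";  sn = "Rossi";   cn = "Rossi Luca" },
    @{ displayName = "Anna Rossini"; givenName = "Anna";  sn = "Rossini"; cn = "Anna Rossini" }
)

function Select-LdapcpMatches {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Entries,
        [Parameter(Mandatory)] [string]      $SearchText,
        [Parameter(Mandatory)] [string[]]    $Attributes,
        [switch] $ExactSearch
    )
    foreach ($entry in $Entries) {
        # Mirrors the quoted C#: an exact search needs equality, otherwise the attribute value
        # must START with the input. An entry is kept as soon as one configured attribute matches.
        foreach ($attr in $Attributes) {
            $value = [string]$entry[$attr]
            if ([string]::IsNullOrEmpty($value)) { continue }
            $matched = if ($ExactSearch) {
                [string]::Equals($value, $SearchText, [StringComparison]::InvariantCultureIgnoreCase)
            } else {
                $value.StartsWith($SearchText, [StringComparison]::InvariantCultureIgnoreCase)
            }
            if ($matched) {
                [pscustomobject]@{ DisplayName = $entry.displayName; MatchedOn = $attr; Value = $value }
                break
            }
        }
    }
}

# Filtering on displayName alone reproduces the thread: the server returned two Rossi entries,
# but only the one whose displayName starts with the input survives the filter.
Select-LdapcpMatches -Entries $ldapResults -SearchText "rossi" -Attributes displayName

# Matching the same input against sn as well keeps both Rossi entries without a leading wildcard
# (Rossini is kept too, because the test is a prefix match, not equality).
Select-LdapcpMatches -Entries $ldapResults -SearchText "rossi" -Attributes displayName, sn
```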

New Post: AD security group\Exchange distribution list email property is missed

Hello Yvan,

Unfortunately this doesn't help.
The only ULS entry I see when adding a group using the People picker is:

04/04/2016 08:18:41.22 w3wp.exe (0x3F18) 0x3904 LDAPCP Claims Picking 1337 Medium [LDAPCP] Added permission created with LDAP lookup: claim value: "Project EPM-ACCL", claim type: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" to the list of results. 241e6f9d-d401-5080-80b3-bc094f3648d5

Here is how group is displayed:
Image

And here is the user:
Image

Also, this is how the group selection is displayed in the People picker (duplicates are due to 2 authentication providers for the web application default zone - AD + Trusted (ADFS)):
Image

Here is claims table - could you please check if something is wrong?
Image

Thanks,
Sergey

New Post: AD security group\Exchange distribution list email property is missed

Hello Sergey,
can you delete and recreate the entry, and choose "SecurityGroup" instead of "FormRole" for the Claim entity type?
thanks,
Yvan

New Post: AD security group\Exchange distribution list email property is missed

Hello Yvan,
Empirically I've found that the SecurityGroup entry works fine.
Image

Here is how group is now displayed:
Image

But I'm still unable to get it from code (either PowerShell or C#): the "Email" property is empty for the group.

Maybe I should deal with additional entries in the claims mapping table?

Thanks,
Sergey

New Post: AD security group\Exchange distribution list email property is missed

I'm not sure I understand what you mean with the code.
Do you have a sample code that works for users and not for groups?

New Post: AD security group\Exchange distribution list email property is missed

Sure,
Please find an example below:
$logonName = "WFA FP&A"
$user = [AMPortal.Data.SPLists.Repositories.Base.WebExtension]::TryEnsureUser($web, $logonName)
Write-Host $user.LoginName $user.Name $user.Email
c:0 + .w|s-1-5-21-1292428093-113007714-1060284298-40795 WFA FP&A WFAFP&A@xxxx.com
$logonName = "WFA FP&A"
$user = [AMPortal.Data.SPLists.Repositories.Base.WebExtension]::TryEnsureUser($web, $logonName)
Write-Host $user.LoginName $user.Name $user.Email
c:0-.t|staging adfs|wfa fp&a (Role) WFA FP&A
PS: TryEnsureUser is our implementation of SPWeb.EnsureUser()

Thanks,
Sergey

New Post: Query within site collection

Great!!! I will go ahead and download the update this evening and test it out.

Thank you once again for implementing this and making it available quicker than I expected. Very thankful for all your efforts on this, Yvan.