Channel: LDAP/AD Claims Provider For SharePoint

Commented Unassigned: Cannot assign permission to a group that has the same name in 2 domain forests [2532]

Hello

Given that for the role claim I have added "Prefix to add to value returned": "fqdn\", I can search and find groups in both domains; they get listed and I can choose from:
* domain1.local\Duplicate Group
* domain2.local\Duplicate Group

However when choosing a group and trying to create permission, LDAPCP doesn't handle it well. From ULS:

```
06.02.2016 13:38:49.44 w3wp.exe (0x7F4C) 0x2F10 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Connect to AD this server is member of, with application pool credentials e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.44 w3wp.exe (0x7F4C) 0x2F10 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Connect as domain2.local\SPProfileSync to LDAP://domain2.local:636/DC=domain2,DC=local. e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.45 w3wp.exe (0x7F4C) 0x2F10 LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://domain1.local/DC=domain1,DC=local e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x48B4 LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://domain2.local:636/DC=domain2,DC=local b52d829d-3a4b-a00b-c963-d4789374d0bf
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x2F10 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Querying of LDAP servers finished in 79ms (current timeout is 0ms) e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x2F10 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Got 2 result(s) from all LDAP server(s) with query "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(| (&(objectclass=group)(sAMAccountName=duplicate group)) ))" e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x2F10 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] 2 permission(s) to create after filtering e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x2F10 LDAPCP Claims Picking 1337 Verbose [LDAPCP] Created permission: display text: "(Role) domain1.local\Duplicate Group", value: "domain1.local\Duplicate Group", claim type: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", and filled with 0 metadata. e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x2F10 LDAPCP Claims Picking 1337 Verbose [LDAPCP] Created permission: display text: "(Role) domain2.local\Duplicate Group", value: "domain2.local\Duplicate Group", claim type: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", and filled with 0 metadata. e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x2F10 LDAPCP Claims Picking 1337 Unexpected [LDAPCP] Validation with LDAP lookup created 2 permissions instead of 1 expected. Aborting operation e82d829d-4ac4-a00b-c963-d16364812a77
```
The result is that the group is not added to permissions.
If I choose a group name that doesn't exist in another domain, everything is OK.



Comments: Probably fails in FillResolve. Basically strips the fqdn part here:

```csharp
// When working with domain tokens remove the domain part of the input so it can be found in AD
if (attribute.PrefixToAddToValueReturnedProp != null &&
    (attribute.PrefixToAddToValueReturnedProp.Contains(Constants.LDAPCPCONFIG_TOKENDOMAINNAME) ||
     attribute.PrefixToAddToValueReturnedProp.Contains(Constants.LDAPCPCONFIG_TOKENDOMAINFQDN)))
{
    input = System.Text.RegularExpressions.Regex.Replace(input, ".*\\\\(.*)", "$1", System.Text.RegularExpressions.RegexOptions.None);
}
```

And BuildFilterAndProcessResults of course then returns 2 records, one from each domain. Should probably have some kind of logic that further filters records to match only those with _attribute.PrefixToAddToValueReturnedProp_
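The failure described in the report and the fix proposed in the comment, as an added stand-alone simulation (not LDAPCP's code): the domain token is stripped from the picked value, both forests return a group with that sAMAccountName, and validation aborts because two permissions were built instead of one. The `filter_by_domain` branch is the hypothetical post-filter the comment suggests; it assumes the configured prefix is the forest FQDN, and the two directories are constructed sample data.

```python
import re

# Constructed sample data: two forests that each contain a group named "Duplicate Group".
FORESTS = {
    "domain1.local": [{"sAMAccountName": "Duplicate Group", "objectClass": "group"}],
    "domain2.local": [{"sAMAccountName": "Duplicate Group", "objectClass": "group"},
                      {"sAMAccountName": "Other Group", "objectClass": "group"}],
}


def split_domain_token(value):
    """Mimic the provider's Regex.Replace(input, '.*\\\\(.*)', '$1'): everything after
    the last backslash becomes the search term. Also return the stripped domain part,
    which the original code throws away (None when no backslash is present)."""
    m = re.match(r"^(.*)\\([^\\]*)$", value)
    if not m:
        return None, value
    return m.group(1), m.group(2)


def lookup_all_forests(name):
    """Query every connected forest for a group with that sAMAccountName, case-insensitively,
    like the '(&(objectclass=group)(sAMAccountName=...))' filter seen in the ULS log.
    Each hit is turned back into a claim value with the '{fqdn}\\' prefix re-added."""
    hits = []
    for fqdn, entries in FORESTS.items():
        for entry in entries:
            if entry["objectClass"] == "group" and entry["sAMAccountName"].lower() == name.lower():
                hits.append(f"{fqdn}\\{entry['sAMAccountName']}")
    return hits


def validate_claim(value, filter_by_domain):
    """Return the single resolved claim value, or None when validation aborts
    (the log's 'created 2 permissions instead of 1 expected' case)."""
    domain, name = split_domain_token(value)
    candidates = lookup_all_forests(name)
    if filter_by_domain and domain is not None:
        # Hypothetical fix from the comment: keep only results whose domain part
        # matches the prefix the user actually picked, so same-named groups in
        # another forest no longer collide.
        candidates = [c for c in candidates if c.split("\\", 1)[0].lower() == domain.lower()]
    return candidates[0] if len(candidates) == 1 else None
```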
