Windows SharePoint Services >
SharePoint Products and Technologies Forums
>
SharePoint - Setup, Upgrade, Administration and Operation
>
Does MOSS roleManager work with Sun Java dynamic groups?
Does MOSS roleManager work with Sun Java dynamic groups?
- We are trying to interface to an LDAP server that seems to be a combo of Open LDAP and Sun Java System directory server (formerly SunOne and/or iPlanet) to do LDAP authentication for forms based authentication (FBA). We got the SharePoint membership provider to work, and we got the role provider to validate group names. However, we cannot get any combination of Web.config entries to handle group membership. The directory we are hitting uses both static (groupMemberAttribute=uniqueMember) and dynamic (groupMemberAttribute=memberURL) groups, but we only need the dynamic groups. Is the SharePoint LDAP role manager even capable of handling LDAP dynamic groups? The only example I've seen anywhere refers only to static groups:
http://msdn.microsoft.com/en-us/library/bb977430.aspx#MOSSFBAPart3_UsingLDAPProvider
This is our environment:LDAP schema snippet and sample entries o=zzz ou=yyy ou=xxx ou=People cn=user.name uid user.name xxxaccounttype AA cn user.name sn name givenName user objectClass top objectClass person objectClass organizationalPerson objectClass inetOrgPerson objectClass xxxperson ou=Groups cn=Full memberURL ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=AA)) memberURL ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=AR)) memberURL ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=RE)) memberURL ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=DA)) memberURL ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=DR)) memberURL ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=NG)) memberURL ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=EA)) cn Full objectClass top objectClass groupofuniquenames objectClass groupofurls cn=AA Group cn AA Group objectClass top objectClass groupofuniquenames objectClass groupofurls memberURL ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=AA)) cn=RO Group uniqueMember cn=user1.name,ou=People,ou=xxx,ou=yyy,o=zzz,c=US uniqueMember cn=user2.name,ou=People,ou=xxx,ou=yyy,o=zzz,c=US uniqueMember cn=user3.name,ou=People,ou=xxx,ou=yyy,o=zzz,c=US cn RO Group objectClass top objectClass groupOfUniqueNames Extended Web app Web.config snippet <membership defaultProvider="LDAP"> <providers> <add name="LDAP" type="Microsoft.Office.Server.Security.LDAPMembershipProvider,Microsoft.Office.Server,Version=12.0.0.0,Culture=neutral,PublicKeyToken=71E9BCE111E9429C" server="directory.xxx" port="636" useSSL="true" useDNAttribute="false" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="ou=people,ou=xxx,ou=yyy,o=zzz,c=us" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" connectionUsername="cn=xxx.moss,ou=xxx administrators,ou=xxx,ou=yyy,o=zzz,c=us" connectionPassword="qqqqqq" logTrace="false" /> </providers> </membership> <roleManager defaultProvider="LDAPGroups" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole"> <providers> <add name="LDAPGroups" type="Microsoft.Office.Server.Security.LDAPRoleProvider,Microsoft.Office.Server, Version=12.0.0.0,Culture=neutral,PublicKeyToken=71E9BCE111E9429C" server="directory.xxx" port="636" useSSL="true" groupContainer="ou=groups,ou=xxx,ou=yyy,o=zzz,c=us" userNameAttribute="cn" useUserDNAttribute="false" userFilter="(objectClass=person)" groupNameAttribute="cn" dnAttribute="" scope="Subtree" connectionUsername="cn=xxx.moss,ou=xxx administrators,ou=xxx,ou=yyy,o=zzz,c=us" connectionPassword="qqqqqq" /> </providers> </roleManager>
All Replies
I have a similar issue described here:
LDAP - Role manager problem
Did you solve your problem?
/k3larra- k3lara,
I've had a case open with Premier Support now for several months. So far, they have looked and escalated. You look like you are trying to leverage static groups, which has a better chance of working. At least some of the examples on Technet bear a resemblance to your scenario.
Try this: http://msdn.microsoft.com/en-us/library/bb977430.aspx#MOSSFBAPart3_UsingLDAPProvider
Regards,
ET- Unproposed As Answer byMike Walsh MVPMVP, ModeratorWednesday, February 18, 2009 4:39 AM
- Proposed As Answer byTimCE Wednesday, January 07, 2009 1:57 AM
- Have you extended the schema on your ldap? We had the same problem and pinpointed that it was caused by a incorrect extension of the schema.
Please try the configuration I just posted.
http://social.msdn.microsoft.com/Forums/en-US/sharepointdevelopment/thread/0e877951-0b11-4e12-8c65-1d3fe4aec64f/
I also added community content to the article posted above.I waited 3 weeks with MS support trying to get an answer. I finally spent some time and figured it out on my own.
RobertRFreeman- ETweedy
Have you found a solution on how to get SharePoint to work with Dynamic groups? - After many months (no exaggeration, about 7 months), the Indians on the Microsoft phone line turned things over to someone who had the chutzpah to call the development activity in Redmond and ask the simple question, "Is this supposed to work?" Answer came back in a couple of hours, "No." Got it.
- mwhite01 and ETweedy,
Please note that I successfully configured the LdapRoleProvider using nested groups (not dynamic)
You would need to use the debugging tools I identified in the community content section to see why your configuration (using dynamic groups) is not working.
Also, did you get an answer from MS as to why it wouldn't work? AFAIK, the dynamic parsing is done on the LDAP end, so the role provider wouldn't even need to be aware of it.
I am always skeptical when MS support pulls out the WAD excuse. Generally, this is either due to lack of knowledge or wanting to close an open case.
RobertRFreeman
