Does MOSS roleManager work with Sun Java dynamic groups?

Thu, 02 Oct 2008 16:18:16 Z

We are trying to interface to an LDAP server that seems to be a combo of Open LDAP and Sun Java System directory server (formerly SunOne and/or iPlanet) to do LDAP authentication for forms based authentication (FBA). We got the SharePoint membership provider to work, and we got the role provider to validate group names. However, we cannot get any combination of Web.config entries to handle group membership. The directory we are hitting uses both static (groupMemberAttribute=uniqueMember) and dynamic (groupMemberAttribute=memberURL) groups, but we only need the dynamic groups. Is the SharePoint LDAP role manager even capable of handling LDAP dynamic groups? The only example I've seen anywhere refers only to static groups:

http://msdn.microsoft.com/en-us/library/bb977430.aspx#MOSSFBAPart3_UsingLDAPProvider

This is our environment:

LDAP schema snippet and sample entries  

o=zzz 

  ou=yyy 

    ou=xxx 

      ou=People 

    cn=user.name  

      uid           user.name  

      xxxaccounttype    AA  

      cn            user.name  

      sn            name  

      givenName     user  

      objectClass       top  

      objectClass       person  

      objectClass       organizationalPerson  

      objectClass       inetOrgPerson  

      objectClass       xxxperson  

      ou=Groups 

    cn=Full 

      memberURL     ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=AA))  

      memberURL     ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=AR))  

      memberURL     ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=RE))  

      memberURL     ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=DA))  

      memberURL     ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=DR))  

      memberURL     ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=NG))  

      memberURL     ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=EA))  

      cn            Full  

      objectClass       top  

      objectClass       groupofuniquenames  

      objectClass       groupofurls  

    cn=AA Group  

      cn            AA Group  

      objectClass       top  

      objectClass       groupofuniquenames  

      objectClass       groupofurls  

      memberURL     ldap:///ou=People,ou=xxx,ou=yyy,o=zzz,c=US??sub?(&(objectclass=xxxPerson)(xxxaccounttype=AA))  

    cn=RO Group  

      uniqueMember      cn=user1.name,ou=People,ou=xxx,ou=yyy,o=zzz,c=US 

      uniqueMember      cn=user2.name,ou=People,ou=xxx,ou=yyy,o=zzz,c=US 

      uniqueMember      cn=user3.name,ou=People,ou=xxx,ou=yyy,o=zzz,c=US 

      cn            RO Group  

      objectClass       top  

      objectClass       groupOfUniqueNames  

Extended Web app Web.config snippet  

    <membership defaultProvider="LDAP">  

      <providers> 

        <add name="LDAP"   

type="Microsoft.Office.Server.Security.LDAPMembershipProvider,Microsoft.Office.Server,Version=12.0.0.0,Culture=neutral,PublicKeyToken=71E9BCE111E9429C"   

server="directory.xxx" port="636" useSSL="true" useDNAttribute="false" userDNAttribute="distinguishedName" userNameAttribute="cn"   

userContainer="ou=people,ou=xxx,ou=yyy,o=zzz,c=us" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree"   

otherRequiredUserAttributes="sn,givenname,cn" connectionUsername="cn=xxx.moss,ou=xxx administrators,ou=xxx,ou=yyy,o=zzz,c=us" connectionPassword="qqqqqq"   

logTrace="false" /> 

      </providers> 

    </membership> 

    <roleManager defaultProvider="LDAPGroups" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">  

      <providers> 

        <add name="LDAPGroups" type="Microsoft.Office.Server.Security.LDAPRoleProvider,Microsoft.Office.Server,   

Version=12.0.0.0,Culture=neutral,PublicKeyToken=71E9BCE111E9429C" server="directory.xxx" port="636" useSSL="true" groupContainer="ou=groups,ou=xxx,ou=yyy,o=zzz,c=us"   

userNameAttribute="cn" useUserDNAttribute="false" userFilter="(objectClass=person)" groupNameAttribute="cn" dnAttribute="" scope="Subtree"   

connectionUsername="cn=xxx.moss,ou=xxx administrators,ou=xxx,ou=yyy,o=zzz,c=us" connectionPassword="qqqqqq" /> 

      </providers> 

    </roleManager>

Does MOSS roleManager work with Sun Java dynamic groups?

Sun, 23 Nov 2008 10:20:48 Z

I have a similar issue described here:
LDAP - Role manager problem
Did you solve your problem?
/k3larra

Does MOSS roleManager work with Sun Java dynamic groups?

Tue, 30 Dec 2008 14:18:41 Z

k3lara,

I've had a case open with Premier Support now for several months. So far, they have looked and escalated. You look like you are trying to leverage static groups, which has a better chance of working. At least some of the examples on Technet bear a resemblance to your scenario.

Try this: http://msdn.microsoft.com/en-us/library/bb977430.aspx#MOSSFBAPart3_UsingLDAPProvider

Regards,

ET

Does MOSS roleManager work with Sun Java dynamic groups?

Wed, 07 Jan 2009 01:59:02 Z

Have you extended the schema on your ldap? We had the same problem and pinpointed that it was caused by a incorrect extension of the schema.

Does MOSS roleManager work with Sun Java dynamic groups?

Wed, 18 Feb 2009 02:46:58 Z

Please try the configuration I just posted.
http://social.msdn.microsoft.com/Forums/en-US/sharepointdevelopment/thread/0e877951-0b11-4e12-8c65-1d3fe4aec64f/

I also added community content to the article posted above.

I waited 3 weeks with MS support trying to get an answer. I finally spent some time and figured it out on my own.

RobertRFreeman

Does MOSS roleManager work with Sun Java dynamic groups?

Fri, 08 May 2009 11:33:12 Z

ETweedy

Have you found a solution on how to get SharePoint to work with Dynamic groups?

Does MOSS roleManager work with Sun Java dynamic groups?

Mon, 17 Aug 2009 16:05:15 Z

After many months (no exaggeration, about 7 months), the Indians on the Microsoft phone line turned things over to someone who had the chutzpah to call the development activity in Redmond and ask the simple question, "Is this supposed to work?" Answer came back in a couple of hours, "No." Got it.

Does MOSS roleManager work with Sun Java dynamic groups?

Mon, 17 Aug 2009 19:13:16 Z

mwhite01 and ETweedy,

Please note that I successfully configured the LdapRoleProvider using nested groups (not dynamic)
You would need to use the debugging tools I identified in the community content section to see why your configuration (using dynamic groups) is not working.

Also, did you get an answer from MS as to why it wouldn't work? AFAIK, the dynamic parsing is done on the LDAP end, so the role provider wouldn't even need to be aware of it.
I am always skeptical when MS support pulls out the WAD excuse. Generally, this is either due to lack of knowledge or wanting to close an open case.

RobertRFreeman