LdapRoleProvider GetRolesForUser bug?

Tue, 13 Jan 2009 20:14:45 Z

I have configured the standard LDAPRoleProvider to access a Sun Java SunOne LDAP according to the following document:
( http://msdn.microsoft.com/en-us/library/bb977430.aspx#MOSSFBAPart3_UsingLDAPProvider )

I am able to login via the membership provider and select roles from the role provider. The problem is that it does not recognize which users are in the LDAP groups. I coded a usercontrol to output the role provider's GetUsersInRole, IsUserInRole, and GetRolesForUser methods. The GetUsersInRole works successfully (listing the test users), but the latter methods return false and 0 results respectively. Has anyone successfully used the LdapRoleProvider?

Any help would be greatly appreciated.

Thank you,
Robert Freeman

RobertRFreeman

LdapRoleProvider GetRolesForUser bug?

Wed, 18 Feb 2009 02:29:06 Z

I found a solution to this issue and posted it in the community content on the source article above.
I will post it here as well:

Using LDAPRoleProvider with Sun Java Directory Server

When configuring Sun Java Directory Server LDAPRoleProvider, the userContainer is also required if the uniqueMember attribute contains the full DN.

This would be the correct config section (Same as above with the userContainer):

<roleManager defaultProvider="myorgGroup" enabled="true" cacheRolesInCookie="false" cookieName=".PeopleDCRole" >
<providers>
<add
name="myorgGroup"
type="Microsoft.Office.Server.Security.LDAPRoleProvider,
Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral,
PublicKeyToken=71E9BCE111E9429C"
server="SunDirectoryServer.myorg.net"
port="389"
useSSL="false"
groupContainer="ou=groups,o=myorg,c=us"
groupNameAttribute="cn"
groupMemberAttribute="uniqueMember"
userContainer="ou=people,o=myorg,c=us"
userNameAttribute="uid"
dnAttribute="entryDN"
groupFilter="(ObjectClass=groupofuniquenames)"
scope="Subtree"
/>
</providers>
</roleManager>

Debugging Ldap Configuration

When debugging your ldap configuration section, here are 2 must-have (free) tools:

Softerra Ldap Browser (http://www.softerra.com/download.htm)

Will allow you to easily browse the LDAP structure and test filter and baseDN settings

Microsoft Network Monitor (http://www.microsoft.com/downloads/details.aspx?FamilyID=f4db40af-1e08-4a21-a26b-ec2f4dc4190d&DisplayLang=en)

Used to monitor the ldap calls to and from sharePoint.
Configure the monitor on your SharePoint server as follows (Swap out LdapServerIP)
Don't forget to apply each filter before clicking run

Capture Filter:
// Show only LDAP frames
TCP.Port == 389 or UDP.Port == 389
and
IPV4.DestinationAddress == LdapServerIP
or
IPV4.SourceAddress == LdapServerIP
and
TCP.Port == 389 or UDP.Port == 389

Display Filter:
//LDAP
LDAP

RobertRFreeman

LdapRoleProvider GetRolesForUser bug?

Wed, 18 Feb 2009 02:40:07 Z

Here are some details on the issue:

The group LDAP query filter without the userContainer would look like this:
(uid=sharepttest)

With the userContainer the correct filter is:
(&(ObjectClass=groupofuniquenames)(uniqueMember=uid=sharepttest,ou=people,o=myorg,c=us))

Note that the prior filter has 2 issues.

It does not mention the uniqueMember attribute.
It does not include the fully qualified DN

Hope this helps someone else. :)

RobertRFreeman