LdapRoleProvider GetRolesForUser bug? [Answered]

  • Tuesday, January 13, 2009 20:14 RobertRFreeman
    I have configured the standard LDAPRoleProvider to access a Sun Java SunOne LDAP according to the following document:
    http://msdn.microsoft.com/en-us/library/bb977430.aspx#MOSSFBAPart3_UsingLDAPProvider

    I am able to log in via the membership provider and select roles from the role provider. The problem is that it does not recognize which users are in the LDAP groups. I coded a user control to output the role provider's GetUsersInRole, IsUserInRole, and GetRolesForUser methods. GetUsersInRole works successfully (listing the test users), but the latter two methods return false and 0 results respectively. Has anyone successfully used the LdapRoleProvider?

    Any help would be greatly appreciated.

    Thank you,
    Robert Freeman

Answers

  • Wednesday, February 18, 2009 2:29 RobertRFreeman [Answered]
    I found a solution to this issue and posted it in the community content on the source article above.
    I will post it here as well:

    Using LDAPRoleProvider with Sun Java Directory Server

    When configuring the LDAPRoleProvider for Sun Java Directory Server, the userContainer attribute is also required if the uniqueMember attribute contains the full DN.

    This would be the correct config section (same as in the article above, with the userContainer added):

    <roleManager defaultProvider="myorgGroup" enabled="true" cacheRolesInCookie="false" cookieName=".PeopleDCRole" >
      <providers>
        <add
          name="myorgGroup"
          type="Microsoft.Office.Server.Security.LDAPRoleProvider,
                Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral,
                PublicKeyToken=71E9BCE111E9429C"
          server="SunDirectoryServer.myorg.net"
          port="389"
          useSSL="false"
          groupContainer="ou=groups,o=myorg,c=us"
          groupNameAttribute="cn"
          groupMemberAttribute="uniqueMember"
          userContainer="ou=people,o=myorg,c=us"
          userNameAttribute="uid"
          dnAttribute="entryDN"
          groupFilter="(ObjectClass=groupofuniquenames)"
          scope="Subtree"
        />
      </providers>
    </roleManager>


    Debugging LDAP Configuration
    When debugging your LDAP configuration section, here are 2 must-have (free) tools:
    1. Softerra LDAP Browser (http://www.softerra.com/download.htm)
      1. Lets you easily browse the LDAP structure and test filter and baseDN settings.
    2. Microsoft Network Monitor (http://www.microsoft.com/downloads/details.aspx?FamilyID=f4db40af-1e08-4a21-a26b-ec2f4dc4190d&DisplayLang=en)
      1. Used to monitor the LDAP calls to and from SharePoint.
      2. Configure the monitor on your SharePoint server as follows (swap in your LDAP server's IP for LdapServerIP).
      3. Don't forget to apply each filter before clicking Run.

    Capture Filter:
    // Show only LDAP frames to or from the LDAP server
    // (parenthesised: "and" binds tighter than "or", so without the parentheses
    // the port test would not apply to both directions)
    (TCP.Port == 389 or UDP.Port == 389)
    and
    (IPV4.DestinationAddress == LdapServerIP
    or
    IPV4.SourceAddress == LdapServerIP)


    Display Filter:
    //LDAP
    LDAP

    • Marked as answer by RobertRFreeman, Wednesday, February 18, 2009 2:29

All Replies

  • Wednesday, February 18, 2009 2:40 RobertRFreeman

    Here are some details on the issue:

    The group LDAP query filter without the userContainer would look like this:
    (uid=sharepttest)

    With the userContainer the correct filter is:
    (&(ObjectClass=groupofuniquenames)(uniqueMember=uid=sharepttest,ou=people,o=myorg,c=us))


    Note that the prior filter has 2 issues:
    1. It does not mention the uniqueMember attribute.
    2. It does not include the fully qualified DN.

    Hope this helps someone else. :)

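The two filters compared in the reply above, worked through as an added example (this is not code from the thread, nor the SharePoint LDAPRoleProvider's own implementation). The script builds the lookup filters from the attribute values in the posted roleManager config, escapes the login name per RFC 4515 so that a username typed into the forms-auth login page cannot inject extra filter terms, and resolves GetUsersInRole, GetRolesForUser and IsUserInRole against a small in-memory directory. The ProviderConfig dataclass, the DIRECTORY entries, the search() and parse_filter() helpers and the test users "sharepttest" and "alice" are assumptions constructed for this example; the container DNs, attribute names and groupFilter string are taken from the config above.

```python
# Added example: builds and evaluates the LDAPRoleProvider's membership filters.
# ProviderConfig mirrors the posted roleManager attributes; DIRECTORY and
# search() are constructed stand-ins for the Sun directory, not provider code.
import re
from dataclasses import dataclass

# RFC 4515: escape so a login name cannot inject extra filter terms.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514: escape the characters that would start a new RDN or attribute."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)

@dataclass(frozen=True)
class ProviderConfig:
    groupContainer: str = "ou=groups,o=myorg,c=us"
    groupNameAttribute: str = "cn"
    groupMemberAttribute: str = "uniqueMember"
    userContainer: str = ""            # empty reproduces the failing config
    userNameAttribute: str = "uid"
    groupFilter: str = "(ObjectClass=groupofuniquenames)"

def user_dn(cfg: ProviderConfig, username: str) -> str:
    return f"{cfg.userNameAttribute}={escape_dn_value(username)},{cfg.userContainer}"

def roles_for_user_filter(cfg: ProviderConfig, username: str) -> str:
    """Filter searched under groupContainer to answer GetRolesForUser(username)."""
    if not cfg.userContainer:
        # No container means no DN to match uniqueMember against; all that is
        # left is a bare name lookup, which no groupOfUniqueNames entry satisfies.
        return f"({cfg.userNameAttribute}={escape_filter_value(username)})"
    member = escape_filter_value(user_dn(cfg, username))
    return f"(&{cfg.groupFilter}({cfg.groupMemberAttribute}={member}))"

def users_in_role_filter(cfg: ProviderConfig, role: str) -> str:
    # GetUsersInRole only needs the group entry, so it works without a user DN.
    return f"(&{cfg.groupFilter}({cfg.groupNameAttribute}={escape_filter_value(role)}))"

# Constructed directory. Attribute names are stored lower-cased; names and DNs
# are case-insensitive in LDAP, so every comparison below ignores case.
PEOPLE, GROUPS = "ou=people,o=myorg,c=us", "ou=groups,o=myorg,c=us"
DIRECTORY = [
    {"dn": f"uid=sharepttest,{PEOPLE}", "objectclass": ["inetOrgPerson"], "uid": ["sharepttest"]},
    {"dn": f"uid=alice,{PEOPLE}", "objectclass": ["inetOrgPerson"], "uid": ["alice"]},
    {"dn": f"cn=Editors,{GROUPS}", "objectclass": ["groupOfUniqueNames"], "cn": ["Editors"],
     "uniquemember": [f"uid=sharepttest,{PEOPLE}", f"uid=alice,{PEOPLE}"]},
    {"dn": f"cn=Admins,{GROUPS}", "objectclass": ["groupOfUniqueNames"], "cn": ["Admins"],
     "uniquemember": [f"uid=alice,{PEOPLE}"]},
]

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(f: str, pos: int = 0):
    """Minimal RFC 4515 parser ('&' conjunctions and equality items); returns (node, end)."""
    if f[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    if f[pos + 1] == "&":
        items, pos = [], pos + 2
        while f[pos] != ")":
            node, pos = parse_filter(f, pos)
            items.append(node)
        return ("and", items), pos + 1
    end = f.index(")", pos)                     # an escaped ')' never appears raw
    attr, value = f[pos + 1:end].split("=", 1)
    return ("eq", attr.lower(), _unescape(value).lower()), end + 1

def _matches(node, entry) -> bool:
    if node[0] == "and":
        return all(_matches(n, entry) for n in node[1])
    _, attr, value = node
    return any(v.lower() == value for v in entry.get(attr, []))

def search(base: str, filt: str):
    """Subtree search below base; rejects anything left over after one filter item."""
    node, end = parse_filter(filt)
    if end != len(filt):
        raise ValueError("malformed filter")
    base = base.lower()
    return [e for e in DIRECTORY
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base)) and _matches(node, e)]

def get_roles_for_user(cfg: ProviderConfig, username: str):
    hits = search(cfg.groupContainer, roles_for_user_filter(cfg, username))
    return sorted(e[cfg.groupNameAttribute.lower()][0] for e in hits)

def is_user_in_role(cfg: ProviderConfig, username: str, role: str) -> bool:
    return role in get_roles_for_user(cfg, username)

def get_users_in_role(cfg: ProviderConfig, role: str):
    users = []
    for g in search(cfg.groupContainer, users_in_role_filter(cfg, role)):
        for dn in g.get(cfg.groupMemberAttribute.lower(), []):
            users.append(dn.split(",", 1)[0].split("=", 1)[1])   # RDN value, e.g. "alice"
    return sorted(users)

if __name__ == "__main__":
    print(get_roles_for_user(ProviderConfig(userContainer=PEOPLE), "sharepttest"))
```

Running it with the default (empty) userContainer reproduces the symptom from the question: GetUsersInRole still lists the members, because it only has to read uniqueMember off the group entry, while GetRolesForUser sends the bare `(uid=sharepttest)` filter under ou=groups and gets nothing back, so IsUserInRole is false. With userContainer set, the filter becomes the `(&(ObjectClass=groupofuniquenames)(uniqueMember=uid=sharepttest,ou=people,o=myorg,c=us))` form shown in the reply and the roles resolve. The escaping step matters because the username reaches the filter straight from the login form; a name such as `x)(cn=*` is rendered as `\29\28cn=\2a` and matches nothing instead of rewriting the query. One further caveat when copying the posted config: `useSSL="false"` on port 389 means the provider's bind credentials and every query cross the network in the clear, which is exactly why the Network Monitor trace is readable; for anything beyond a lab, use LDAPS (`useSSL="true"`, typically port 636).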