Thursday, March 26, 2009

LDAP Authentication – More Tips

After posting about why LDAP authentication for intranets are a bad idea, I received some more emails with some tips I thought I would share.

Although most people commented that they would try to take the approach of synchronizing their e-Directory identity store to a slave Active Directory, a few were in the unfortunate position of having to implement LDAP anyway.

So if you fall into that camp, here are a few more approaches that might help you. As always your mileage might vary:

Wen He posted some great advice on modifying the People Picker for LDAP Membership providers. This is a pretty common problem – even if the profiles are importing successfully, the people picker may not show them. So here’s the quick code to do this:

you will need to add a key specifying the LDAP Membership “LDAPMember” to the <PeoplePickerWildcards> section into the web.config for the web application and Central Admin as shown:

<PeoplePickerWildcards>

<clear />

<add key="AspNetSqlMembershipProvider" value="%" />

<add key="LDAPMember" value="*" />

</PeoplePickerWildcards>

The line with the key="LDAPMember" and the value value="*" that explicitly specify a wildcard enables PeoplePicker to be able to search for People and Groups by enumerating users from LDAP directory. You know that if you don’t add this line, the PeoplePicker will look only for an exact match on the user ID.

Wen He goes on to describe user and group filtering against LDAP in SharePoint. It’s a great post, highly descriptive and comprehensive.

I also received an email from Krzysztof Wolski – after setting up LDAP and trying to log in he was having problems with “Unknown Error” (one of my all-time favourite exception messages ever!):

We have to use LDAP authentication because this
is an official requirement of our client.
I've solved the problem with "Unknown error" - I've changed the default user
for Application pool and set the identity information in web.config for 81
web application to :
<identity impersonate="true" userName="WIN2003\#USER#" password="#PASS#" />
We've used the same user for Application pool and impersonation.

Krzysztof also mentions one other potential gotcha that occurs if your e-Directory store is set to not allow anonymous authentication. He solved it this way:

We've successfully installed Sharepoint with LDAP Authentication.
One more thing we've added to the LdapMembershipProvider in web.config:
    <membership>
      <providers>
        <add server="#IP#" port="389" useSSL="false" useDNAttribute="false"
userDNAttribute="cn" userNameAttribute="cn"
                userContainer="o=MyCompany" userObjectClass="user"
userFilter="(&amp;(ObjectClass=inetOrgPerson))" scope="Subtree"
                otherRequiredUserAttributes="sn,givenName,cn"
name="LdapMembership"
type="Microsoft.Office.Server.Security.LDAPMembershipProvider,
Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral,
PublicKeyToken=71E9BCE111E9429C"
                connectionUsername="#USERNAME#"
                connectionPassword="#PASSWORD#" />
      </providers>
    </membership>
eDirectory configuration in our case was configured to not allow anonymous
access.

Thanks Krzysztof for the great tips!

I hope this information helps those of you doing LDAP integration – but even more I hope you don’t have to do this in the first place :)

No comments:

Post a comment

Note: only a member of this blog may post a comment.