In SAML authentication mode, SharePoint does not try to resolve user input in the people picker: anything users type is accepted as a valid claim without any check. This claims provider fills that gap by resolving and validating people picker input against LDAP / AD. It is entirely customizable through administration pages added in Central Administration > Security:
- Connect to multiple LDAP / AD directories in parallel (multi-threaded requests).
- Customize the list of claim types used and their mapping to LDAP attributes.
- Set a custom LDAP filter for each claim type, for example to only return users that are members of a specific security group.
- Set a keyword to bypass the LDAP lookup (the permission is then created without being validated against the directory). For example, input "extuser:email@example.com" directly creates permission "firstname.lastname@example.org" on the configured claim type.
- Set a prefix to add to LDAP results, for example add "domain\" to groups returned by LDAP.
Important - Limitations
Due to limitations of the SharePoint API, do not associate LDAPCP with more than 1 SPTrustedIdentityTokenIssuer. Developers can work around this limitation by inheriting LDAPCP to create new claims providers (with different names). Read the “Developers section” below for further information.
If a SharePoint server does not have the SharePoint service “Microsoft SharePoint Foundation Web Application” started, the ldapcp.dll assembly will not be deployed in its GAC. In that case, you must add it manually or some features may not work. In SharePoint 2013 (.NET 4.5), the GAC is located in C:\Windows\Microsoft.NET\assembly.
Version 2 is a critical update that ensures thread safety and fully implements the SharePoint logging infrastructure (messages are recorded in Area/Product "LDAPCP"). Its logging level can be customized with PowerShell or Central Administration.
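The following is an added example (not a script from the LDAPCP project) showing how an administrator would raise the trace level of the "LDAPCP" area while troubleshooting, collect its ULS entries, and restore the default afterwards. It assumes only the Area name "LDAPCP" stated above; the 15-minute window is an arbitrary choice.

```powershell
# Added example (not part of the LDAPCP project): troubleshoot LDAPCP through ULS logging.
# Assumes the Area name "LDAPCP" stated above. Run in the SharePoint Management Shell
# as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Current level for every category registered under the LDAPCP area.
Get-SPLogLevel -Identity "LDAPCP:*" | Format-Table Area, Name, TraceSeverity, EventSeverity

# Log everything (Verbose) from that area only; other areas keep their defaults.
Set-SPLogLevel -Identity "LDAPCP:*" -TraceSeverity Verbose
New-SPLogFile   # start a fresh ULS file so the capture is easy to locate

# ... reproduce the people picker search or the sign-in that misbehaves here ...

# Pull the LDAPCP entries written since the capture started (arbitrary 15-minute window).
$since = (Get-Date).AddMinutes(-15)
Get-SPLogEvent -StartTime $since |
    Where-Object { $_.Area -eq "LDAPCP" } |
    Select-Object Timestamp, Level, Category, Message |
    Format-Table -AutoSize

# Verbose tracing is costly and writes query details into the logs: reset it when done.
Clear-SPLogLevel -Identity "LDAPCP:*"
```

Keep the Verbose level only for the duration of the capture; the default level is what the farm should run with.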
How to install LDAPCP
Install and deploy the solution (this automatically activates the “LDAPCP” farm-scoped feature):
Add-SPSolution -LiteralPath "PATH TO WSP FILE"
Install-SPSolution -Identity "LDAPCP.wsp" -GACDeployment
At this point the claim provider is inactive; it must be associated with an SPTrustedIdentityTokenIssuer to work (the Update() call persists the change to the configuration database):
$trust = Get-SPTrustedIdentityTokenIssuer "SPTRUST NAME"
$trust.ClaimProviderName = "LDAPCP"
$trust.Update()
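The installation steps above, carried through as one script with the checks an administrator would want: wait for the deployment timer job, confirm the farm feature is active, confirm ldapcp.dll reached the GAC of the local server (the limitation noted earlier), then persist the trust association and verify the result. This is an added example, not a script from the LDAPCP project; the WSP path and the trust name are placeholders.

```powershell
# Added example (not part of the LDAPCP project): install LDAPCP end to end and verify
# each step. Run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WspPath   = "C:\Deploy\LDAPCP.wsp"   # placeholder: path to the downloaded WSP
$TrustName = "SPTRUST NAME"           # placeholder: name of the SPTrustedIdentityTokenIssuer

# 1. Add and deploy the farm solution (GAC deployment is required for ldapcp.dll).
if (-not (Get-SPSolution | Where-Object { $_.Name -eq "LDAPCP.wsp" })) {
    Add-SPSolution -LiteralPath $WspPath | Out-Null
}
Install-SPSolution -Identity "LDAPCP.wsp" -GACDeployment

# 2. Wait for the deployment timer job instead of assuming it has finished.
$solution = Get-SPSolution -Identity "LDAPCP.wsp"
while ($solution.JobExists) {
    Start-Sleep -Seconds 5
    $solution = Get-SPSolution -Identity "LDAPCP.wsp"
}
if (-not $solution.Deployed) { throw "LDAPCP.wsp did not deploy; check the farm solutions page." }

# 3. Deployment activates the farm-scoped feature; confirm it is active.
if (-not (Get-SPFeature -Farm | Where-Object { $_.DisplayName -eq "LDAPCP" })) {
    throw "Farm feature 'LDAPCP' is not active."
}

# 4. Confirm the assembly reached the GAC of this server. It is missing on servers where the
#    'Microsoft SharePoint Foundation Web Application' service is not started.
$gac = Get-ChildItem -Path "C:\Windows\Microsoft.NET\assembly" -Recurse -Filter "ldapcp.dll" -ErrorAction SilentlyContinue
if (-not $gac) { Write-Warning "ldapcp.dll not found in the GAC on $env:COMPUTERNAME; add it manually." }

# 5. Associate the claim provider with the trust and persist the change.
$trust = Get-SPTrustedIdentityTokenIssuer $TrustName
$trust.ClaimProviderName = "LDAPCP"
$trust.Update()

# 6. Verify: the provider is registered and the trust points at it.
Get-SPClaimProvider | Where-Object { $_.DisplayName -eq "LDAPCP" } | Format-Table DisplayName, IsEnabled
(Get-SPTrustedIdentityTokenIssuer $TrustName).ClaimProviderName
```

Step 4 only checks the server the script runs on; repeat it on every server in the farm, since the GAC is per server.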
How to update LDAPCP
Simply run the Update-SPSolution cmdlet and wait for the timer job to deploy the update (you can monitor the progress in the farm solutions page). Note that it will recycle the Central Administration site.
Update-SPSolution -GACDeployment -Identity "LDAPCP.wsp" -LiteralPath "C:\Dev\LDAPCP.wsp"
How to remove LDAPCP
For an unknown reason, SharePoint 2013 sometimes does not uninstall the solution correctly: it tries to call the feature receiver (which removes the claim provider) after it has already removed the assembly from the GAC. When this happens, the claim provider is not removed from the farm, which creates problems when you try to re-install it.
To avoid any issue, deactivate the farm feature before retracting the solution:
Disable-SPFeature -identity "LDAPCP"
Uninstall-SPSolution -Identity "LDAPCP.wsp"
Remove-SPSolution -Identity "LDAPCP.wsp"
Validate that the claims provider was removed: "Get-SPClaimProvider | ft DisplayName". If LDAPCP still appears, remove it: "Remove-SPClaimProvider LDAPCP"
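The removal sequence above as one script, added here as an example (not a script from the LDAPCP project). It deactivates the feature while the assembly is still in the GAC, waits for the retraction timer job before removing the solution, and then checks for the orphaned claim provider described above and cleans it up. The helper function name Wait-SPSolutionJob is this example's own.

```powershell
# Added example (not part of the LDAPCP project): remove LDAPCP in the order that avoids
# an orphaned claim provider, and verify the result. Run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Wait-SPSolutionJob {
    # Example helper: block until no deployment/retraction timer job is pending for the solution.
    param([string]$Name)
    while ((Get-SPSolution -Identity $Name).JobExists) { Start-Sleep -Seconds 5 }
}

# 1. Deactivate the farm feature while ldapcp.dll is still in the GAC, so the feature
#    receiver that unregisters the claim provider can actually run.
if (Get-SPFeature -Farm | Where-Object { $_.DisplayName -eq "LDAPCP" }) {
    Disable-SPFeature -Identity "LDAPCP" -Confirm:$false
}

# 2. Retract the solution and wait for the timer job before removing it.
Uninstall-SPSolution -Identity "LDAPCP.wsp" -Confirm:$false
Wait-SPSolutionJob -Name "LDAPCP.wsp"
Remove-SPSolution -Identity "LDAPCP.wsp" -Confirm:$false

# 3. Check whether the claim provider survived (the failure mode described above) and clean it up.
$leftover = Get-SPClaimProvider | Where-Object { $_.DisplayName -eq "LDAPCP" }
if ($leftover) {
    Write-Warning "Claim provider 'LDAPCP' was still registered; removing it."
    Remove-SPClaimProvider -Identity "LDAPCP" -Confirm:$false
}

# 4. Final state: the solution and the provider must both be gone (both commands should print nothing for LDAPCP).
Get-SPSolution | Where-Object { $_.Name -eq "LDAPCP.wsp" }
Get-SPClaimProvider | Where-Object { $_.DisplayName -eq "LDAPCP" } | Format-Table DisplayName
```

Running step 3 before the solution is retracted would remove the provider on purpose only to have the feature receiver fail later; keeping the order shown is what avoids the re-install problem.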
LDAPCP has a default mapping between claim types and LDAP attributes, but you can easily change it from the “Claims table” page available in Central Administration > Security.
Default list (columns): claim type | LDAP attribute name | LDAP object class | linked to identity claim (three of the default entries carry this flag)
None of the claim types above is mandatory in the SPTrust, but the identity claim must either be one of them or be added through the LDAPCP admin pages.
To enhance search experience, LDAPCP also queries user input against common LDAP attributes such as the display name (displayName) and the common name (cn).
The project has evolved a lot since the beginning, and now 99% of all possible customizations can be made with the LDAPCP administration pages in the standard solution. Customizations not covered by the standard package that can be achieved with "LDAPCP for Developers.zip" are:
- Use LDAPCP in multiple trusts (SPTrustedIdentityTokenIssuer objects), so that each trust has a claim provider with a unique name.
- Customize the display text or the value of permissions created by LDAPCP.
"LDAPCP for Developers.zip" contains a Visual Studio project with sample classes that cover various use-case scenarios. Only 1 inherited claim provider is installed at a time; you need to edit the feature event receiver to install the claim provider you want to test.
Common mistakes to avoid:
- Always deactivate the farm feature before retracting the solution (see "how to remove" above to understand why).
- When you create your own SharePoint solution, DO NOT forget to include the ldapcp.dll assembly in the wsp package.
If you made any of the mistakes above, you will likely experience issues when you try to redeploy the solution, because the feature is already installed. All features in the solution must be uninstalled before it can be redeployed.
In any case, DO NOT directly edit the LDAPCP class: it has been designed to be inherited so that you can customize it to fit your needs. If a scenario that you need is not covered, please submit it in the discussions.