This project has moved. For the latest updates, please go here.

Limit LDAP Query to specific OU (multi-tenancy)

Feb 6, 2014 at 4:03 PM
Hi Yvand,

first of all thx for this great project!

We are using ADFS for a hosted multi-tenancy SP2013 with one Relying Party Trust per tenant/site collection. We activated your solution and everthing works as expected. We can pick users (UPN) and roles (AD-Groups). Every tenant has its own Organizational Unit (OU) in AD and normally we would create a custom searchfilter for the peoplepicker to be sure that one tenant can only see its users and groups. But this is ADFS and your Custom Claims Provider bypasses the peoplepickers LDAP query (right?).

Is it possible - in our scenario - to add a dynamic filter for the LDAP query to your solution? Or is there a way to combine your solution with the stsadm peoplepicker-settings (that can scope sitesubscriptionIDs)?

Thx in advance!

Feb 7, 2014 at 12:19 PM
Hello Michael,
thanks a lot for your feedback :)
No, LDAPCP does not rely on stsadm peoplepicker settings.
Theorically, if you are a developer, you could inherit LDAPCP and override method SetLDAPConnections(Uri context, string[] entityTypes) to customize LDAP connection depending on context parameter (that should contain the current site).
But due to an unexpected behavior of SharePoint (let's say like this), wherever the people picker is used, when LDAPCP (or any claims provider) is called through method FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved) (, value of context is always the default zone of the root site collection of the web app.
So because of that, what you are trying to achieve is pretty much impossible.
With that said, I'm waiting for approval to rely on something else than context parameter, I'll update this thread when I have the final reply, and of course update LDAPCP if required.
Apr 16, 2014 at 10:16 AM
I have a similar request.
The Name Resolution works fine.
However, I only want to be able to resolve users that are in a adgroup.
For Example, a Group called Site1_Users.
I do not want to be able to resolve other ad accounts.
Is this possible?
Any Ideas?
Apr 17, 2014 at 1:45 PM
I implemented this feature and it will be available with the next update.
I can't tell when I will publish the update because I still have work to do with other new features, but that shouldn't be long :)
Apr 21, 2014 at 11:19 PM
Hi Yvan,

thanks for your detailed explanation. The last posting of you seems to be a huge step from "what you are trying to achieve is pretty much impossible" to "I implemented this feature and it will be available with the next update" that is why I want to clarify if we all talk about the same thing. If I understood you correctly the LDAPCP is bound to a WebApplication (default zone of the root site collection) and its Relying Party Trust (ADFS), which is the context for the method FillResolve. This context is the reason why all tenants (host-named site collections within the same WebApplication with their own Relying Party Trusts) see each other using the people picker.

A feature for resolving only users that are in a focused AD-group will take effect on the whole context again, right? Result would be that all tenants would see members of the focused AD-group when using people picker. Still I cannot separate tenants within people picker and point to different AD-groups. Correct?

The feature shoots for on-premise installations where you have to filter on one AD-group with all users or groups that are allowed to have access to SharePoint.

Apr 22, 2014 at 12:20 PM
hello Michael,

actually, my previous reply was mostly for Ben regarding the possibility to specify a custom LDAP filter, so that a user can only be found if he is member of a specific security group. The update released today includes this feature.

Regarding your question: yes you are correct. LDAPCP gets the context from SharePoint. Unfortunately, in method FillResolve(SPClaim), context is always the value of the root site of the web application. Due to this behavior, the best thing you can assume to know for sure is the current web application, and this is why I said that what you want to achieve is not possible (until Product Group decides to supply a reliable context, if that ever happens).
With that said, there is one more thing: LDAPCP sets LDAP filters only from its constructor (which is called more or less only once), so currently you cannot set a LDAP filter based on the context. With that said, I could change the design to offer the possiblity to set LDAP filters everytime LDAPCP is called, but considering the SharePoint limitation I mentioned above, is it really worth doing it?

Marked as answer by Flashback333 on 7/18/2014 at 8:46 AM
Jul 15, 2014 at 11:22 PM
Hi again Yvand,

I try to use your solution for a dedicated customer now and tried to focus the peoplepicker to one OU (LDAP-Connection) and further more to show only members of one security group within the OU. The members of the security group are users or/and groups.

The result is that I get the users within that security group (cool!) but not the Groups (sad). On the admin page you mention that you query objects of type "user". Is it possible to query the groups as role Claims, too?

Active Directory Domain
-->Customer-OU (LDAP-Connection)
                   -->Security Group with members (LDAP query MembersOf)
                                                                        --> users (identifier claim is upn or email)
                                                                        --> groups (role claim - token groups - unqualified domain)                                              

Beside this Problem I´m still looking for a solution that could be used in a multi-tenancy environment. Each tenant has his own OU with users and groups. Same Situation here: I want to query LDAP for a tenants security group within his OU. If you have some good ideas about that please feel free to contact me.


Jul 18, 2014 at 12:12 PM
hello Michael,
to query objects that are members of a security group, you can either specify a filter (for user objects) in global admin page, but you can also specify a filter individually for each object in "claims mapping" page, including group objects.
Regarding multi-tenancy, LDAPCP is definitely not designed to support that, but if you are a developer you can download "LDAPCP for Developers" and check if you can somehow get the current tenant in "SetLDAPConnections" method, it may be easy to do.
Marked as answer by Flashback333 on 7/18/2014 at 8:45 AM
Jul 18, 2014 at 4:45 PM
AWESOME! Thanks a lot for the guidance, Yvan. Got it.