User attributes not populated when "Prefix to bypass lookup" is configured

Feb 5, 2015 at 7:43 AM
In our SharePoint 2013 environment we have LDAPCP configured to resolve users from LDAP. There is no UPSA in our environment. If we configure the "Prefix to bypass lookup", users seem to be resolved correctly in the People Picker when not using the prefix. But for the resolved users, the user attributes are not populated if the users are not already in the User Information List. If we remove the prefix from the configuration, the attributes are populated correctly. When looking at the code, I get the impression that the code for populating the attributes is never triggered if the prefix is configured. This would be correct in situations where the prefix is actually used, but not when a user is resolved. Is this a bug in the current version?
Coordinator
Feb 5, 2015 at 11:27 AM
Hello, indeed, if the option is checked, lookup on LDAP is bypassed and permission is created directly.
This is why metadata attributes are not populated, which is a side effect of the current design, not a bug.
But the impact should not be so big (except for email invitation), because user properties of newly added users are updated with data from the User Profile service when the quick sync job runs (every 5 min).
cheers,
Yvan
Feb 5, 2015 at 11:44 AM
Hi Yvan,
I do not mean the checkbox "Always resolve user input" on the "Global Configuration" page. That checkbox is not checked. I am talking about the "prefix to bypass lookup" field on the "Claims mapping" page. I would expect LDAP to be bypassed only when I am using the specified prefix in the lookup field. We entered CLAIM: in the prefix field. So I would expect "CLAIM:user@domain.com" to bypass the lookup and create the permission directly. And "user@domain.com" should be resolved against the LDAP, which does happen correctly in the GUI, but in the latter case the attributes are not populated. And as we do not have a User Profile Service in our environment, this poses a problem for us.
Regards,
Wouter Berman
Coordinator
Feb 9, 2015 at 2:19 PM
Hello Wouter,
When you set a prefix, the same logic (bypass LDAP lookup) applies because LDAPCP has a chance to see the prefix only when the permission is created.
After that, LDAPCP may be called by SharePoint to validate the permission, but this time it doesn't know if the permission was originally created with or without the prefix.
So this is why, in this case too, the permission is validated by bypassing LDAP lookup.
Indeed, in your environment, this is not ideal because attribute metadata doesn't get a chance to be populated.
cheers,
Yvan