This project has moved. For the latest updates, please go here.

Configure LDAP/AD to work only with same of Web Applications

Jun 10, 2015 at 10:34 AM
How to configure LDAP/AD to see only in this web application wchich I choose ? I want to see a LDAP acounts only in Two Web Applications, not in all the server.. How could I configure this ?
Jun 11, 2015 at 4:31 AM
Edited Jun 12, 2015 at 4:26 AM
We find that the LDAP/AD users are presented automatically in when browsing a site that is configured with a Trusted Identity Provider (e.g. auth via ADFS). I havn't seen any configuration options via admin page to manually control which web apps.
Jun 17, 2015 at 9:41 AM
LDAPCP should return results only in web apps on which its SPTrust is set.
Assuming you confirm this, what is the scenario in which LDAPCP shouldn't return results?
Jun 18, 2015 at 8:46 AM
Edited Jun 18, 2015 at 8:47 AM
Thanks Yvand,
We have configured a new web application using an ADFS SPTrustedIdentityTokenIssuer and installed LDAPCP.
I am now finding that one of the existing web applications (configured with Windows Authentication - Kerberos only) is presenting users from the LDAPCP, i.e. the people picker control is returning results such as '(Given Name) Ricky'.

This issue, has been intermittant, i.e. it resolved itself a day after it was first observed, but it has now returned again.

How do we confirm which web apps have the LDAPCP's SPTrust set?
The ldapcp/claimstable.aspx presents This text at the top:
This table is used by LDAPCP to link claim types with LDAP objects. Claim types should match those set in SPTrustedIdentityTokenIssuer "adfs saml provider".
The (Kerberos) web application where the issue is occuring does not have the "adfs saml provder" check box selected in the Authentication Providers page.

kind regards,
Jul 17, 2015 at 10:39 AM
Hello Ricky,
For a given web app, if the LDAPCP-s SPTrust is set in any zone, then LDAPCP will return results.
You can check this in central administration > manage web applications > authentication providers.
Sep 5, 2015 at 12:41 PM
Hi Yvand,

We are also facing the same mentioned by Ricky.

We installed LDAPCP in the SharePoint Farm. The people picker in the web application configured to use PingFederate is working fine. But another existing webapplication that uses NTLM authentication resolves both AD and PingFederate users.

We created a new web application using NTLM to check this issue, the people picker in the new web app using NTLM resolves only AD users.

Is there a way to check if LDAPCP's SPTrust has been set for the existing NTLM web application?

Please provide some pointers as how to resolve the issue in the existing web application using NTLM to resolve only AD users and not PingFederate users.

Sep 8, 2015 at 5:05 PM
Hello Harish,
To be sure I understood, can you confirm that LDAPCP returns results in a web app where its associated trust was not added in any zone?
Again, it is expected that LDAPCP returns result in a web app, if its trust is set in another zone of this web app.
Sep 9, 2015 at 12:57 AM
Edited Sep 9, 2015 at 2:14 AM
We were able to consistently reproduce our issue (where the applications without an associated trust were displaying results froom LDAPCP) by following these steps:

(crete a test site, with a list with a title field and a person field)

1) After an IISRESET the Kerberos-only web apps (i.e. no zones with an associated trust) would display people from Active Directory only.
2) browse to the list created above and use the 'Quick Edit' view (i.e. edit in datasheet)
3) Hover over the person field, and click on the 'people search' control.
4) Perform a search here and users are returned from the LDAPCP node.
5) after this, all future people searches (via people picker) in the Kerberos-only web app will return users from the LDAPCP custom provider (until the next iisreset)

A call was raise with MS Support to investigate and the resolution was to remove LDAPCP using the following commands:
$provider = Get-SPTrustedIdentityTokenIssuer "ADFS SAML Provider"
$provider.GetType().GetField("m_ClaimProviderName","NonPublic,Instance").SetValue($provider, $null)
Sep 9, 2015 at 2:42 PM
I just published v3.8 that fixes a potential issue where LDAPCP displays permissions despite it is not used in the web app.
The scenario is when 2 (or more) web applications use the same process, and 1 of them uses LDAPCP. In this case the one that does not use LDAPCP will also see LDAPCP results.
If possible please update your version and let me know if it resolved the issue.