
Question re MultipleLDAP custom feature

Sep 19, 2013 at 8:24 AM
Edited Sep 19, 2013 at 8:25 AM
Hi again,
I'm having some good success with connecting to 2 LDAP sources (both AD domains - one for staff and one for student in our organisation). When resolving names in the people picker, the first LDAP source specified resolves well giving both displayName and Upn (sAMAccountName). The second source will only give the Upn.

It's all working very well except for the second LDAP source ... any ideas?

Thanks again for this great work!

I've added the List<AttributeHelper> PopulateAttributesDefinition() to the MultipleLDAP feature and the mappings as listed below:
    return new List<AttributeHelper> {
        new AttributeHelper{LDAPAttributeName="sAMAccountName", LDAPObjectClass="user", claimType=nsmsclaims.ClaimTypes.Upn, claimEntityType = SPClaimEntityTypes.User},
        new AttributeHelper{LDAPAttributeName="displayName", LDAPObjectClass="user", ResolveAsIdentityClaim=true, peopleEditorEntityDataKey=PeopleEditorEntityDataKeys.DisplayName},
        new AttributeHelper{LDAPAttributeName="cn", LDAPObjectClass="user", ResolveAsIdentityClaim=true},
        new AttributeHelper{LDAPAttributeName="cn", LDAPObjectClass="group", claimType=nsmsclaims.ClaimTypes.Role, claimEntityType = SPClaimEntityTypes.FormsRole},
    };
Sep 19, 2013 at 10:02 AM
Apologies Yvand ... I feel embarrassed as with the second LDAP connection, I was not pointing it to the correct base DN .. doh!

All is working perfectly now ... thank you again for a top solution. This saved me a lot of time!
Dean.
Coordinator
Sep 20, 2013 at 1:30 PM
hello Dean,
no worries :)
For your information, next week I will release an update that will (among other things) dramatically improve the way multiple LDAP connections are handled, and make it a lot easier for developers to set the connections.
It will also handle errors per LDAP connection, so that if 1 server fails, results of other servers can still be displayed.
So stay tuned !
Cheers,
Yvan
Sep 23, 2013 at 9:14 PM
Hello Yvand,
Can you please let me know if I can use the multiple LDAP feature through the direct solution?

If it is only through the code, can you please let me know how to make that change so that it supports multiple LDAP.
Sep 24, 2013 at 1:40 AM
Hi Yvand,

I used to be able to specify LDAPUseServerBind = true; in the SetCustomSettings() for LDAP connections ... has this changed?

cheers,
Dean.
Coordinator
Sep 24, 2013 at 7:53 AM
hello Dean,
yes this has changed, now you need to override SetLDAPConnections() method to specify all the LDAP connections. I just updated the package to add a LDAP connection that enables ServerBind authentication mode (LDAPCP_Custom class).
Sorry I did not advertise it, but this new method gives developers a lot more control since they create the connection exactly as they want, and it's a lot easier to specify multiple LDAP connections.
Please let me know if it works.
cheers,
Yvan
Sep 26, 2013 at 12:00 PM
Hi Yvand,

I think i'm understanding on how to add the multiple ldap connections but is the ServerBind authentication mode implied by default? I've tried a couple of ways to override the method to include the serverbind but am failing dismally (my lack of coding ability!) ... Thanking you
protected override DirectoryEntry[] SetLDAPConnections()
{
    return new DirectoryEntry[] {
        //Domain.GetComputerDomain().GetDirectoryEntry(),     // Same AD as SharePoint server - not sure if i need this as i'm specifying connections directly below?
        new DirectoryEntry ("LDAP://myldap.server1/OU=staff,DC=Staff,DC=some,DC=other,DC=setting", @"MyDomain1\useracct", "password"),   // Staff AD
        new DirectoryEntry ("LDAP://myldap.server2/OU=students,DC=Student,DC=some,DC=other,DC=setting", @"MyDomain2\useracct", "password"),   // Student AD
    };
}
Coordinator
Sep 26, 2013 at 4:19 PM
Edited Sep 26, 2013 at 4:20 PM
hello,
no worries, that's very simple:
you just set the connections you want in SetLDAPConnections method. If you don't want to connect to same AD as SharePoint servers, just don't include it.
If you want ServerBind, you just add it in the DirectoryEntry constructor (I do it below for each LDAP connection):

If you want to connect to 1 LDAP server, you do this:
protected override DirectoryEntry[] SetLDAPConnections()
{
    return new DirectoryEntry[] { 
        new DirectoryEntry ("LDAP://dc.domain.com/dc=DOMAIN,dc=COM", @"YOURDOMAIN\username", "password", AuthenticationTypes.ServerBind), 
    };
}
If you want to connect to 2 LDAP servers, you do this:
protected override DirectoryEntry[] SetLDAPConnections()
{
    return new DirectoryEntry[] { 
        new DirectoryEntry ("LDAP://dc.domain.com/dc=DOMAIN,dc=COM", @"YOURDOMAIN\username", "password", AuthenticationTypes.ServerBind),
        new DirectoryEntry ("LDAP://10.10.0.1/DC=CONTOSO,DC=COM", @"CONTOSO\username", "password", AuthenticationTypes.ServerBind),
    };
}
I hope this helps.
cheers,
Yvan
Sep 27, 2013 at 3:08 AM
Love your work Yvan ... the new solution is working really well now thank you! I'm not well versed in the development side of things (I probably know enough to be dangerous).

Just one last quick question though ... and this is probably more of a SharePoint thing. When updating the solution as I've done many times testing different combinations of mapped attributes etc, the people picker seems to cache any old entries that may have been added in the past. Searching the web seems to offer suggestions around the userlist for a site but I've removed any trace of an added user and it still seems to display older matches of attributes in the people picker. This is probably out of scope but was just wondering if in your trials you have come across this behavior?

Thanks again !
Dean.
Coordinator
Sep 27, 2013 at 1:34 PM
hello Dean,
many thanks for your great feedback :)
Actually yes I see this behavior quite frequently, but since I'm working on test environments, I find it easier to just delete the site collection and recreate it... Of course this is not something you can do in production so I don't have easy solutions...
cheers,
Yvan
Jun 17, 2014 at 8:38 PM
protected override DirectoryEntry[] SetLDAPConnections()
{
    return new DirectoryEntry[] {
        new DirectoryEntry ("LDAP://dc.domain.com/dc=DOMAIN,dc=COM", @"YOURDOMAIN\username", "password", AuthenticationTypes.ServerBind),
        new DirectoryEntry ("LDAP://10.10.0.1/DC=CONTOSO,DC=COM", @"CONTOSO\username", "password", AuthenticationTypes.ServerBind),
    };
}

Hi Yvand,

I hope you are doing good.

For the above method:
I do not want to hard-code connection, username and password values as they may be different for different environments. What would be the best way to code them so they are read according to the environment?

Such as for my DEV, QA and UAT (test domains): I want to read from my TestAD1 and TestAD2 servers.
For my PRD: I want to read from AD1 and AD2 servers.
(And usernames and passwords are different for both environments.)

I tried using Application Config but that does not seem to be working fine. If you have any suggestions let me know.

Regards,

Ali
Coordinator
Jun 18, 2014 at 12:36 PM
Edited Jun 18, 2014 at 12:37 PM
hello Ali,

well the best method I can think of is using a persisted object (SPPersistedObject): it's an XML object stored in the SharePoint configuration database and is available in all SharePoint components.
You just need to be careful with your implementation, but you will find a lot of articles on the web.

Side note: With version v2.2 and above, you can create multiple LDAP connections directly from LDAPCP administration page, it doesn't require to make any custom code anymore.

cheers,
Yvan
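The following is an added example, not code from the thread or from the LDAPCP project, that combines Yvan's SetLDAPConnections override with ServerBind (from his Sep 26 reply) and his SPPersistedObject suggestion for Ali's per-environment question. The settings class, its GUID, the object name, the namespace and the LDAPCP base constructor signature are assumptions made for this example; SetLDAPConnections, LDAPCP_Custom and AuthenticationTypes.ServerBind are the names used in the thread. The same assembly is deployed everywhere: the only per-environment step is calling Save() once in DEV/QA/UAT with the TestAD1/TestAD2 values and once in PRD with the AD1/AD2 values. The persisted fields are stored as plain XML in the configuration database, so the bind password is readable by anyone who can read that database; a dedicated read-only bind account is the appropriate credential to store there.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Runtime.InteropServices;
using Microsoft.SharePoint.Administration;

namespace ldapcp.Custom   // hypothetical namespace for this example
{
    // Hypothetical settings object (not part of LDAPCP). [Persisted] fields are
    // serialized as XML into the SharePoint configuration database, so every server
    // in the farm reads the same values and nothing is hard-coded in the provider.
    // The XML is not encrypted: BindPasswords is visible to anyone who can read the
    // config database, so store only a dedicated, read-only LDAP bind account here.
    [Guid("9f1c2a7e-4b3d-4e6f-8a90-123456789abc")]   // constructed GUID; SharePoint requires one on SPPersistedObject subclasses
    public class LdapCpConnectionSettings : SPPersistedObject
    {
        public const string ObjectName = "LdapCpConnectionSettings";   // assumed name under the farm object

        // Index i of each list describes one LDAP connection
        [Persisted] public List<string> LdapPaths = new List<string>();
        [Persisted] public List<string> BindUserNames = new List<string>();
        [Persisted] public List<string> BindPasswords = new List<string>();

        public LdapCpConnectionSettings() { }   // parameterless ctor required by the persistence layer

        public LdapCpConnectionSettings(string name, SPPersistedObject parent)
            : base(name, parent) { }

        // Returns the object saved in this farm, or null if it was never saved
        public static LdapCpConnectionSettings Load()
        {
            return SPFarm.Local.GetChild<LdapCpConnectionSettings>(ObjectName);
        }

        // Creates or replaces the settings. Run once per environment from an account with
        // farm admin rights (e.g. a small console app on a farm server); the claim provider
        // itself only ever reads. TestAD1/TestAD2 values in DEV/QA/UAT, AD1/AD2 values in PRD.
        public static void Save(IList<string> paths, IList<string> users, IList<string> passwords)
        {
            if (paths.Count != users.Count || paths.Count != passwords.Count)
                throw new System.ArgumentException("paths, users and passwords must have the same length");

            LdapCpConnectionSettings settings = Load()
                ?? new LdapCpConnectionSettings(ObjectName, SPFarm.Local);
            settings.LdapPaths = new List<string>(paths);
            settings.BindUserNames = new List<string>(users);
            settings.BindPasswords = new List<string>(passwords);
            settings.Update();   // writes the XML to the configuration database
        }
    }

    // Same override as in the thread, but the connections come from the persisted
    // object instead of string literals. Base class name is from the thread; the
    // base constructor signature is assumed.
    public class LDAPCP_Custom : LDAPCP
    {
        public LDAPCP_Custom(string displayName) : base(displayName) { }

        protected override DirectoryEntry[] SetLDAPConnections()
        {
            LdapCpConnectionSettings settings = LdapCpConnectionSettings.Load();
            if (settings == null || settings.LdapPaths.Count == 0)
            {
                // Nothing saved in this farm yet: fall back to the AD the SharePoint
                // servers are joined to, as Yvan's original sample did.
                return new DirectoryEntry[] { Domain.GetComputerDomain().GetDirectoryEntry() };
            }

            var entries = new DirectoryEntry[settings.LdapPaths.Count];
            for (int i = 0; i < entries.Length; i++)
            {
                // ServerBind exactly as in the thread; the credentials come from the
                // configuration database rather than from source code
                entries[i] = new DirectoryEntry(
                    settings.LdapPaths[i],
                    settings.BindUserNames[i],
                    settings.BindPasswords[i],
                    AuthenticationTypes.ServerBind);
            }
            return entries;
        }
    }
}
```

Save() has to run under an account that can write to the configuration database (a farm administrator), which is why it is kept separate from the provider code that SharePoint calls at people-picker time. If two environments later need different attribute mappings as well, the same object can carry those, but as Yvan notes below, LDAPCP v2.2 and above lets you define the connections from the administration page without any of this code.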
Jan 11, 2015 at 12:53 AM
Hi Yvand,

Recently, I have deployed the latest V3.4 LDAPCP solution in our environment. Due to project and environment structure, we have 2 Trusted Identity Security Issuers.
So, we downloaded the developer version to inherit from LDAPCP due to the limitation of the LDAPCP solution. Both solutions (V3.4 & Developer version) were deployed in our environment and assigned to the 2 Trusted Identity Security Issuers successfully.

We are facing an issue in the people picker: two LDAPs (AD & TAM) are connected with LDAPCP and the SharePoint default domain is connected with LDAPCP_Custom. We have assigned LDAP AD to LDAPCP and LDAP TAM to LDAPCP_Custom.

The Claim Table mapping screen is available for the 1st Trusted Identity Token Issuer, but we are unable to view & update the claim mapping for the second Trusted Identity Token Issuer.

Last but not least: getting zero results in the people search from the TAM LDAP server, with the query as below. The LDAPCP connection to the server is successful.

[LDAPCP] Connect as uid=spadminbind,ou=people,ou=marsh,o=mmc.com to LDAP://****..mc.com.

[LDAPCP] This LDAP query did not return any result: "(| (&(objectclass=user)(sAMAccountName=mohamed.farook)(!(objectClass=computer))) (&(objectclass=user)(mail=mohamed.farook)) (&(objectclass=user)(displayName=mohamed.farook)) (&(objectclass=user)(cn=mohamed.farook)(!(objectClass=computer))) (&(objectclass=user)(sn=mohamed.farook)) (&(objectclass=inetOrgPerson)(uid=mohamed.farook)) )"

The UID LDAP attribute with Object Class = inetOrgPerson/top/person is accepted by the LDAPCP solution in the people picker query.

Could you please assist us in resolving the issue? Thanks in advance.
Coordinator
Jan 12, 2015 at 1:07 PM
Hello,
You cannot use the admin pages when you use the custom LDAPCP, every customization (LDAP server to connect, and claims mapping) must be done programmatically (in SetCustomSettings method).
cheers,
Yvan