
LDAPCP not resolving claims through Site Permissions

Jan 8, 2014 at 7:23 AM
Edited Jan 8, 2014 at 7:24 AM
Warm Greetings!

Environment - SP Farm consisting of 3 WFEs and 1 APP.

I am facing an issue while granting permissions to a user. On typing a user name, the results would only list the Active Directory entity and not even a single entry corresponding to any of the claims mapped with LDAPCP.

One important thing to note here is that if I enter the entire string (for example - i:0ǵ.t|<token_name>|<username> ), I do get the desired entry and am able to add the user with appropriate permissions. Would you be able to explain this behavior and suggest a resolution for it? We have started encountering this issue only after deploying LDAPCP and associating it with the installed token issuer.

On another note, while adding users through User Policy at the web application level, I do not face the above issue and it works as expected.

I would very much appreciate if there is a solution for this problem. Thanks in advance.

Best Regards,
Harsh Bhatia
Jan 9, 2014 at 7:19 AM
Guys,

Any suggestions?
Coordinator
Jan 9, 2014 at 12:16 PM
hello,

what claim types did you declare in the SharePoint trust? It looks like none of the claim types match one used by default in LDAPCP (which you can see in the homepage, in the claim type mapping table).
You can list the claim types declared in the trust with those cmds:
(Get-SPTrustedIdentityTokenIssuer).ClaimTypeInformation
(Get-SPTrustedIdentityTokenIssuer).IdentityClaimTypeInformation

cheers,
Yvan
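The check Yvan describes, written out as an added PowerShell example (this is not code from the thread or from the LDAPCP project): it runs the two cmdlets above against every trusted identity token issuer and flags each trust claim type that has no counterpart in LDAPCP's claim type mapping table. The claim types in $ldapcpMappedClaimTypes are placeholders; copy the real ones from the mapping table on the LDAPCP homepage before running it.

```powershell
# Added example, not part of the original thread.
# Run in the SharePoint Management Shell (or any PowerShell with the snap-in).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: these are the claim types shown in LDAPCP's mapping table.
# Replace the placeholders with what your LDAPCP homepage actually lists.
$ldapcpMappedClaimTypes = @(
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",  # placeholder
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"         # placeholder
)

# Returns one record per claim type declared in each trust, with a flag that
# says whether LDAPCP has a mapping for it. Unmapped types are the ones the
# people picker will never resolve through LDAPCP.
function Get-TrustClaimMappingReport {
    param([string[]] $MappedClaimTypes = $ldapcpMappedClaimTypes)

    foreach ($trust in Get-SPTrustedIdentityTokenIssuer) {
        $identityClaim = $trust.IdentityClaimTypeInformation.MappedClaimType

        foreach ($cti in $trust.ClaimTypeInformation) {
            [pscustomobject]@{
                Trust           = $trust.Name
                DisplayName     = $cti.DisplayName
                InputClaimType  = $cti.InputClaimType
                MappedClaimType = $cti.MappedClaimType
                IsIdentityClaim = ($cti.MappedClaimType -eq $identityClaim)
                MappedInLDAPCP  = ($MappedClaimTypes -contains $cti.MappedClaimType)
            }
        }
    }
}

$report = Get-TrustClaimMappingReport
$report | Format-Table -AutoSize

# The identity claim is the one that matters most: if it is not mapped, typing a
# user name in Site Permissions cannot produce an LDAPCP entry at all.
$report | Where-Object { $_.IsIdentityClaim -and -not $_.MappedInLDAPCP } |
    ForEach-Object { Write-Warning "Identity claim '$($_.MappedClaimType)' of trust '$($_.Trust)' is not mapped in LDAPCP" }
```

The comparison is done on MappedClaimType because that is the claim type SharePoint uses once the token has been processed, and therefore the one a claims provider must recognise; InputClaimType is only what the token issuer emits.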
Jan 10, 2014 at 6:58 AM
Hey,

The issue is resolved now. We had to change the LDAP query to point to a specific AD and modify some of the default claim mappings.

I would like to know if one can modify the LDAPCP claim mapping using PowerShell.
Regards,
Harsh
Coordinator
Jan 10, 2014 at 11:10 AM
hello,
No, this is currently not possible through PowerShell; maybe in a later version.
cheers,
Yvan
Jan 10, 2014 at 12:27 PM
Hi,

I found a solution for it. You can read the SPPersistedObject from PowerShell and edit its AttributesList property. It has worked for me on a DEV VM.

Hoping this approach doesn't break anything.
Regards,
Harsh
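The approach Harsh describes, as an added PowerShell example (not code from the thread or from the LDAPCP project), with the safeguard a practitioner would want before touching a persisted object directly: export the current AttributesList to a file first, then change a single mapping and call Update(). Everything about how the object is located is an assumption, not something the thread confirms: the persisted object is assumed to be a child of the farm named "LDAPCPConfig", of a type "ldapcp.LDAPCPConfig" in an assembly "ldapcp", and each AttributesList item is assumed to expose ClaimType and LDAPAttribute properties. Verify those names against your own installation before running it.

```powershell
# Added example, not part of the original thread.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Assumptions (placeholders, confirm against your LDAPCP build) ---
$ldapcpAssembly   = "ldapcp"               # assumption: GAC assembly name
$ldapcpConfigType = "ldapcp.LDAPCPConfig"  # assumption: persisted object type
$ldapcpConfigName = "LDAPCPConfig"         # assumption: persisted object name
$backupPath       = "C:\temp\LDAPCP-AttributesList-$(Get-Date -Format yyyyMMdd-HHmmss).xml"

# Locate the LDAPCP SPPersistedObject as a child of the local farm.
function Get-LdapcpConfig {
    $assembly = [System.Reflection.Assembly]::LoadWithPartialName($ldapcpAssembly)
    if (-not $assembly) { throw "Assembly '$ldapcpAssembly' not found in the GAC" }
    $type = $assembly.GetType($ldapcpConfigType)
    if (-not $type) { throw "Type '$ldapcpConfigType' not found in '$ldapcpAssembly'" }

    $farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
    $config = $farm.GetObject($ldapcpConfigName, $farm.Id, $type)
    if (-not $config) { throw "Persisted object '$ldapcpConfigName' not found" }
    return $config
}

# Change the LDAP attribute behind one claim type. Backs up first, because a
# direct edit bypasses whatever validation LDAPCP's own UI performs, and a
# broken mapping stops users from being resolved farm-wide.
function Set-LdapcpClaimMapping {
    param(
        [Parameter(Mandatory)] [string] $ClaimType,
        [Parameter(Mandatory)] [string] $LdapAttribute
    )

    $config = Get-LdapcpConfig

    # Backup: re-importable with Import-Clixml if the change has to be reverted by hand.
    $config.AttributesList | Export-Clixml -Path $backupPath
    Write-Host "AttributesList backed up to $backupPath"

    # Assumption: items expose ClaimType and LDAPAttribute.
    $entry = $config.AttributesList | Where-Object { $_.ClaimType -eq $ClaimType }
    if (-not $entry) { throw "No mapping found for claim type '$ClaimType'" }

    Write-Host "Before: $($entry.ClaimType) -> $($entry.LDAPAttribute)"
    $entry.LDAPAttribute = $LdapAttribute
    $config.Update()   # persists the change to the configuration database
    Write-Host "After:  $($entry.ClaimType) -> $($entry.LDAPAttribute)"
}

# Usage (claim type and attribute are placeholders):
Set-LdapcpClaimMapping `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -LdapAttribute "mail"
```

Run it once on a development farm, as in the thread, and check the people picker afterwards; Update() writes to the configuration database immediately, so there is no separate "apply" step, and the exported XML is the only undo.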