LLiu


Hi, dear MOSS community,

We are trying to implement user authentication against Active Directory via LDAP. We have successfully configured the LDAPMembershipProvider WITHOUT SSL for the authentication. But if we try to do the authentication via LDAPS by changing the attribute "useSSL" from false to true, and the port from the standard "389" to "636", users cannot log in with their credentials anymore. Are there any steps that we are missing in the configuration? By the way, we have already installed the certificates of the Active Directory on the local machine.

Here is the configuration for the LDAPMembershipProvider:

<add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="kim-v-sts" port="636" useSSL="true" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="CN=Users,DC=kim,DC=net" userObjectClass="person" userFilter="(|(ObjectCategory=group)(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn,employeeID" />

Any help will be greatly appreciated!


Best Regards,

KIM




Re: SharePoint - Setup, Upgrade, Administration and Operation LDAP Membership Provider with SSL

LLiu

Does nobody have any experience with SSL-enabled LDAP authentication in MOSS 2007?

Cheers...

KIM






Re: SharePoint - Setup, Upgrade, Administration and Operation LDAP Membership Provider with SSL

Curt Jackson

I am working on the same issue, however I am using ADAM to authenticate against. Are you able to run ldp to connect and bind via 636 to your LDAP environment? If not, I would verify connectivity and whether the certificates are being recognized by the ID you're using for the SPS web application account.

I hope this helps!

Curt

jti@nni.com





Re: SharePoint - Setup, Upgrade, Administration and Operation LDAP Membership Provider with SSL

Gouranga1

So did anyone ever figure this out? I am in the same boat with LDAP via SSL. I have a couple of different LDAP browsers installed to make sure I can actually hit it from this machine.

Initially I got invalid certificate errors until I hit the server through IE and installed the certificates on my box. Then all the LDAP browsers started playing nice. However, I added the LDAP provider to the web config on the SSP admin and Central Admin sites to see if I could get it to hook in and allow me to import profiles before adding it to my MOSS Web app web config.

As of right now all I get is: "The specified directory service server is not available. Please confirm that you entered the correct server name and port setting. If you are using SSL, please ensure that the specified directory service server has the correct certificates installed" under the Directory Service server name field.

Just to make sure, what is the best way to verify that the cert I have matches what the LDAP server has?





Re: SharePoint - Setup, Upgrade, Administration and Operation LDAP Membership Provider with SSL

ETweedy

According to the Microsoft information on their site, and also from my Premier Support rep, MOSS 2007 will not support SSL for the LDAP membership provider until Service Pack 1 is released later this year.



Re: SharePoint - Setup, Upgrade, Administration and Operation LDAP Membership Provider with SSL

Gouranga1

Yeah, unfortunately I got the same answer, so I had to roll my own membership and role provider, which is pretty easy once you know how to do it. Makes me wonder, though: if it was that easy for me, it should have been easier for MS to roll that capability into their own provider. That little caveat would have actually LOST them some SharePoint contracts had it been known up front.








Re: SharePoint - Setup, Upgrade, Administration and Operation LDAP Membership Provider with SSL

A_455

Hi there,

I have been trying to work out this same problem, for a SharePoint site (MOSS 2007, WSS 3.0). Could you please supply the links you mentioned on the MS site about this?

Also, Gouranga1: could you please give more information as to how you implemented your own provider to get around this?

Does this mean it is quite straightforward to get the LdapMembership provider to work with SSL despite these problems?

I find that there seem to be so many (undocumented) issues like this that have to be worked around with MOSS 2007 at the moment: it is so frustrating!





Re: SharePoint - Setup, Upgrade, Administration and Operation LDAP Membership Provider with SSL

Gouranga1

I feel your pain on that!! This was one of about a hundred retarded little items that just about put me on the window ledge. What you need to do is write your own provider. You then set your MOSS site up for forms auth; instead of hitting SQL or some other provider, you set it to hit the custom LDAP provider you created.

This means you have to write a class that inherits from the MembershipProvider class in the System.Web.Security namespace and implement the proper functions. You will need one membership provider for authentication and fun *** like that, and possibly another (a role provider) for helping you out with your LDAP group membership. In addition you may need to write a custom profile importer to pull your profiles out of LDAP and into MOSS.

Personally, IMO, this is a totally unacceptable flaw in MOSS. MOSS is geared to be an enterprise product. Most companies I deal with have their enterprise LDAP locked down and would not even consider leaving it unsecured and unencrypted like MS requires.





Re: SharePoint - Setup, Upgrade, Administration and Operation LDAP Membership Provider with SSL

Martin Winzig

Hi, we already have an LDAP membership security provider which can be used.

1) You can configure the account which is used to connect to LDAP (the OOTB provider uses the application pool account), so you can use a non-Microsoft LDAP server.

2) We are able to handle the basic SSL scenario (our connector can't use a client certificate to authenticate against the LDAP server).





Re: SharePoint - Setup, Upgrade, Administration and Operation LDAP Membership Provider with SSL

A_455

Thanks for the response.

Speaking as someone new to this, I am guessing that this approach of creating a custom provider is relatively simple? When you speak of implementing the proper functions, is this a large/complex development task? Can you (or anyone else!) suggest some resources that would be worth looking at to understand how to go about this?

Many thanks again.





Re: SharePoint - Setup, Upgrade, Administration and Operation LDAP Membership Provider with SSL

Gouranga1

It is one of those things that is hard as hell to start out on, and once you've got it, simple as anything.

To give you some guidance, you HAVE to override the following:

public override void Initialize(string name, NameValueCollection config)

public override bool ChangePassword(string name, string oldPwd, string newPwd)

public override bool ChangePasswordQuestionAndAnswer(string name, string password, string newPwdQuestion, string newPwdAnswer)

public override int GetNumberOfUsersOnline()

public override string GetPassword(string name, string answer)

public override string ResetPassword(string name, string answer)

public override bool UnlockUser(string userName)

public override void UpdateUser(MembershipUser user)

public override bool DeleteUser(string username, bool deleteAllRelatedData)

public override MembershipUser CreateUser(string username, string password, string email, string

* public override MembershipUserCollection GetAllUsers(int pageIndex, int pageSize, out int totalRecords)

* public override MembershipUser GetUser(object providerUserKey, bool userIsOnline)

* public override bool ValidateUser(string name, string password)

* public override MembershipUserCollection FindUsersByEmail(string emailToMatch, int pageIndex, int pageSize, out int totalRecords)

* public override MembershipUserCollection FindUsersByName(string usernameToMatch, int pageIndex, int pageSize, out int totalRecords)

* public override MembershipUser GetUser(string username, bool userIsOnline)

* public override string GetUserNameByEmail(string email)

That being said, the last section (the ones starting with a *) are the only ones that I actually put any code into. They are what MOSS will use for your membership provider. MembershipUser objects are from the System.Web.Security namespace. ValidateUser is called for authentication; the others are for actually searching for and retrieving users. The cool part of this was putting some logging in there and seeing at what points MOSS called the various functions.
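Gouranga1's ValidateUser above is where the LDAPS bind has to happen, and it is also where the earlier question about checking that the server's certificate matches the one you installed gets answered. The C# below is an added example, not Gouranga1's provider or Microsoft's LDAPMembershipProvider; it assumes the thread's host kim-v-sts, port 636 and container CN=Users,DC=kim,DC=net, a hypothetical LdapsAuthenticator class that a custom provider's ValidateUser would delegate to, a lookup service account, and a placeholder thumbprint for the AD certificate.

```csharp
using System;
using System.Net;
using System.DirectoryServices.Protocols;
using System.Security.Cryptography.X509Certificates;
// Hypothetical helper (added example, not the OOTB provider) that a custom
// MembershipProvider.ValidateUser can delegate to; host, container and thumbprint are assumed.
public sealed class LdapsAuthenticator
{
    private const string Host = "kim-v-sts", UserContainer = "CN=Users,DC=kim,DC=net";
    private readonly NetworkCredential _lookupAccount;   // service account used for the DN search
    private readonly string _expectedThumbprint;         // thumbprint of the AD cert you installed
    public LdapsAuthenticator(NetworkCredential lookupAccount, string expectedThumbprint)
    { _lookupAccount = lookupAccount; _expectedThumbprint = expectedThumbprint; }

    // LDAPS is SSL on connect to 636 (not StartTLS on 389). The callback pins the server
    // certificate, so a wrong or untrusted cert fails here, before any credential is sent.
    private LdapConnection Connect(NetworkCredential cred, AuthType auth)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, 636, false, false), cred, auth);
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true;
        conn.SessionOptions.VerifyServerCertificate = (c, cert) => { var x = new X509Certificate2(cert);
            return x.Verify() && string.Equals(x.Thumbprint, _expectedThumbprint, StringComparison.OrdinalIgnoreCase); };
        conn.Bind();   // throws LdapException (result code 49) on bad credentials
        return conn;
    }

    // Escapes RFC 4515 filter metacharacters so the username cannot rewrite the query.
    private static string EscapeFilter(string s)
    {
        return s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }

    // Find the DN by sAMAccountName with the lookup account, then bind as that DN with the
    // supplied password; only a successful second bind counts as a valid login.
    public bool ValidateUser(string userName, string password)
    {
        // AD treats an empty password as an anonymous bind, which would "succeed".
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return false;
        string dn;
        using (var lookup = Connect(_lookupAccount, AuthType.Negotiate))
        {
            var req = new SearchRequest(UserContainer,
                "(&(objectClass=person)(sAMAccountName=" + EscapeFilter(userName) + "))",
                SearchScope.Subtree, "distinguishedName");
            var res = (SearchResponse)lookup.SendRequest(req);
            if (res.Entries.Count != 1) return false;
            dn = res.Entries[0].DistinguishedName;
        }
        try { using (Connect(new NetworkCredential(dn, password), AuthType.Basic)) return true; }
        catch (LdapException) { return false; }
    }
}
```

If the certificate check fails you get an LdapException on the first Bind before the lookup runs, which is the same symptom as a wrong server name or port, so log the exception's ErrorCode and ServerErrorMessage to tell the two apart.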




Re: SharePoint - Setup, Upgrade, Administration and Operation LDAP Membership Provider with SSL

A_455

Hi,

I will look into this and let you know how I get on.

Thank you all for your suggestions.





Re: SharePoint - Setup, Upgrade, Administration and Operation LDAP Membership Provider with SSL

Poorvesh

Were you able to solve this issue?

What was the solution?

I am not able to get it to work without SSL either.

I keep getting "file not found error."






Re: SharePoint - Setup, Upgrade, Administration and Operation LDAP Membership Provider with SSL

leodegan

Success!

After a few hours of packet sniffing and messing with the settings and almost giving up, I was finally able to get this to work. The secret was to set port="636", but leave useSSL="false". Even though in theory it should be connecting to port 636 as if it were non-secure, it seems to figure things out on its own and use ldaps (I'm not sure if this behavior should be considered smart or retarded). Anyway, hope this works for the rest of you. I have WSS SP1 and MOSS SP1 installed also, not sure if that makes a difference or not.