DDavis

I have set up a MOSS 2007 site for LDAP authentication and have successfully added individual users to the site; they are able to log in.

I have added the Role Manager in the web.config to access groups, and I am able to select and add group names to the site's users list. When logging in as a user under the "Domain Users" security group or any other group, I am not able to log in.

Any suggestions? Thanks!



Re: SharePoint - General Question and Answers and Discussion Sharepoint 2007 LDAP Authentication for Group - All Domain Users - Forms Based Authentication

david80235

Hello,

Sorry, I don't have an answer for your question, but I have a question about your successes.

I finally got a test MOSS 2007 setup to use LDAP as an alternate authentication (for an extended web app), and when I do a network traffic capture we can see that MOSS does the LDAP query and receives the correct answer (success when using a correct user/password, failure when using a wrong username/password).

However, we can't seem to be able to "add" any LDAP users to any sites. When we try to add a user and MOSS checks names, it does not even seem that MOSS contacts the LDAP server at all.

Where did you configure or tell MOSS how to "search" the LDAP authentication source, and how were you able to successfully give rights to LDAP users on any sites/resources?

Thanks!

David.





Re: SharePoint - General Question and Answers and Discussion Sharepoint 2007 LDAP Authentication for Group - All Domain Users - Forms Based Authentication

DDavis

Here are a couple links that helped me out.

http://blogs.msdn.com/sharepoint/archive/2006/08/16/702010.aspx

http://blogs.msdn.com/harsh/archive/2007/01/10/forms-based-authentication-in-moss.aspx

http://technet2.microsoft.com/Office/en-us/library/04d24638-37bf-4fda-aa47-dfd3dca09beb1033.mspx?mfr=true

Key Items to remember:

  1. The code has to be added to each web.config file used for the application: the main app and the extended app, plus the admin site's config file.
  2. Your LDAP connection info has to be dead-on correct. If it is incorrect, no error message will show up; you just won't be able to see any users when trying to add them with the people picker.
  3. You need to have the RoleManager configured.

Here is the code to be put in the <system.web> section of the application config files; be sure to change the "add name here" items:

<membership defaultProvider="LdapMembership">
  <providers>
    <add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="add name here" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="CN=Users,DC=addname,DC=com" userObjectClass="user" userFilter="(|(ObjectCategory=group)(ObjectClass=user))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

<roleManager defaultProvider="LDAPRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
  <providers>
    <add name="LDAPRoleProvider" type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="add server name here" port="389" useSSL="false" groupContainer="CN=Users,DC=addname,DC=com" groupNameAttribute="sAMAccountName" groupMemberAttribute="uniquemember" userNameAttribute="users" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
  </providers>
</roleManager>

Here is the code for the admin web.config, to be placed in the <system.web> section:

<membership defaultProvider="LdapMembership">
  <providers>
    <add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="add name here" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="CN=Users,DC=add name here,DC=com" userObjectClass="user" userFilter="(|(ObjectCategory=group)(ObjectClass=user))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
  <providers>
    <add name="LDAPRoleProvider" type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="add server name here" port="389" useSSL="false" groupContainer="CN=Users,DC=addname,DC=com" groupNameAttribute="sAMAccountName" groupMemberAttribute="uniquemember" userNameAttribute="users" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
  </providers>
</roleManager>

A few sites have mentioned that they need to add useDNAttribute="false" to the LdapMembership properties to get it working, but this was not the case for me.

Good Luck!
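The settings in the post above are the ones that most often decide whether group logons work against Active Directory, and, as the poster notes, a wrong value fails silently. The following is an added example (not code from the post or from SharePoint): it parses the application web.config fragment exactly as posted, reports the values a reviewer would question (plain LDAP on port 389, `groupMemberAttribute="uniquemember"` where AD uses `member`, a role-provider `userNameAttribute` that differs from the membership provider's, and a userFilter that also matches groups and computer objects), and emits a corrected `<roleManager>` provider. The server and container names are the post's placeholders; the corrected `userFilter` is the standard AD user-only filter, which is an assumption about what the site wants the people picker to return.

```python
"""Lint the LDAP provider settings in a MOSS 2007 web.config fragment.

Added example (not code from the forum posts). It parses the <membership>
and <roleManager> fragments, reports settings that commonly break Active
Directory logons or group resolution, and emits a corrected <roleManager>
provider element. Server and container names are the post's placeholders.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed input: the application web.config fragment from the post,
# wrapped in <system.web> so it parses as a single document.
APP_WEB_CONFIG = """<system.web>
  <membership defaultProvider="LdapMembership">
    <providers>
      <add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="add name here" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="CN=Users,DC=addname,DC=com" userObjectClass="user" userFilter="(|(ObjectCategory=group)(ObjectClass=user))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
  </membership>
  <roleManager defaultProvider="LDAPRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
    <providers>
      <add name="LDAPRoleProvider" type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="add server name here" port="389" useSSL="false" groupContainer="CN=Users,DC=addname,DC=com" groupNameAttribute="sAMAccountName" groupMemberAttribute="uniquemember" userNameAttribute="users" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
    </providers>
  </roleManager>
</system.web>"""

# Standard AD filter for real user accounts: computer objects are also
# objectClass=user, and groups are excluded by objectCategory=person.
USER_ONLY_FILTER = "(&(objectCategory=person)(objectClass=user))"


def parse_providers(xml_text):
    """Return (membership_attrs, role_attrs) for the first <add> in each provider list."""
    root = ET.fromstring(xml_text)
    member = root.find("membership/providers/add")
    role = root.find("roleManager/providers/add")
    if member is None or role is None:
        raise ValueError("fragment lacks a membership or roleManager provider")
    return dict(member.attrib), dict(role.attrib)


def lint(member, role):
    """Return human-readable findings; an empty list means the settings pass."""
    findings = []
    for label, p in (("membership", member), ("roleManager", role)):
        if p.get("useSSL", "false").lower() != "true":
            findings.append(
                f"{label}: useSSL={p.get('useSSL')!r} port={p.get('port')!r}: an LDAP simple "
                'bind carries the password in clear text; use LDAPS (useSSL="true", port="636")')
    gma = role.get("groupMemberAttribute", "")
    if gma.lower() != "member":
        findings.append(
            f"roleManager: groupMemberAttribute={gma!r}: Active Directory groups list members "
            "in 'member' (uniqueMember belongs to groupOfUniqueNames); lookups on this "
            "attribute find nothing")
    if role.get("userNameAttribute") != member.get("userNameAttribute"):
        findings.append(
            f"roleManager: userNameAttribute={role.get('userNameAttribute')!r} differs from the "
            f"membership provider's {member.get('userNameAttribute')!r}; the logon name is "
            "looked up under a different attribute than the one users authenticate with")
    uf = member.get("userFilter", "")
    if "objectcategory=person" not in uf.lower():
        findings.append(
            f"membership: userFilter={uf!r} matches objects other than user accounts "
            f"(groups, or computers, which are objectClass=user too); use {USER_ONLY_FILTER}")
    return findings


def harden(member, role):
    """Return corrected copies of both provider attribute dicts."""
    m, r = copy.copy(member), copy.copy(role)
    for p in (m, r):
        p["useSSL"], p["port"] = "true", "636"
    r["groupMemberAttribute"] = "member"
    r["userNameAttribute"] = m["userNameAttribute"]  # same attribute the user logs on with
    m["userFilter"] = USER_ONLY_FILTER
    return m, r


def render_add(attrs):
    """Serialise an attribute dict back into an <add ... /> element."""
    return ET.tostring(ET.Element("add", attrs), encoding="unicode")


if __name__ == "__main__":
    member, role = parse_providers(APP_WEB_CONFIG)
    for finding in lint(member, role):
        print("FINDING:", finding)
    fixed_member, fixed_role = harden(member, role)
    print(render_add(fixed_role))
```

Run it against the posted fragment and it reports five findings; `harden()` clears all of them, and the rendered `<add ... />` can be pasted back into each of the three web.config files the post lists. The same `lint()` should be run on the admin site's fragment too, since it carries identical values.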





Re: SharePoint - General Question and Answers and Discussion Sharepoint 2007 LDAP Authentication for Group - All Domain Users - Forms Based Authentication

Ludovic Chungue

Assuming the LDAP directory defines a domain and your SharePoint server isn't inside that domain, doesn't SharePoint require you to supply a username/password?

That's what forced me to use the AD provider; but maybe that's simply because I supplied wrong information.





Re: SharePoint - General Question and Answers and Discussion Sharepoint 2007 LDAP Authentication for Group - All Domain Users - Forms Based Authentication

naijacoder

DDavis, before you started, did you have to enable Forms Auth in SharePoint Central Admin?

And after everything was configured, did you get a start-page URL web form to log on?

Have you had any security issues after switching to Forms Auth using Active Directory?

I'm using Windows Auth and users get a pop-up window before they log in, but I am thinking of changing it to Forms Auth using LDAP.

Any ideas?





Re: SharePoint - General Question and Answers and Discussion Sharepoint 2007 LDAP Authentication for Group - All Domain Users - Forms Based Authentication

DDavis

You need to have forms authentication enabled and add the LDAP membership and role providers to the appropriate locations on the extended application's authentication info page.



Re: SharePoint - General Question and Answers and Discussion Sharepoint 2007 LDAP Authentication for Group - All Domain Users - Forms Based Authentication

Danny Lambrechts

I have provided the LdapMembershipProvider and the roleManager in the web.config to be able to authenticate and authorize users on my SharePoint 2007 via LDAP:

------------------------------------------------------

<membership>
  <providers>
    <add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="ldap.uhasselt.be" port="389" useSSL="false" useDNAttribute="false" userDNAttribute="uid" userNameAttribute="uid" userContainer="o=UHASSELT,c=BE" userFilter="(ObjectClass=inetOrgPerson)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

<roleManager>
  <providers>
    <add name="LdapRole" type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="ldap.uhasselt.be" port="389" useSSL="false" groupContainer="o=UHASSELT,c=BE" groupNameAttribute="cn" groupMemberAttribute="member" userNameAttribute="uid" useDNAttribute="false" dnAttribute="distinguishedName" groupFilter="(ObjectClass=*)" scope="Subtree" />
  </providers>
</roleManager>

--------------------------------------------------------

All users have been imported into Shared Services / User Profiles in the administration as "LdapMembership:xxxxxxx". However, no 'users' have been imported as 'LdapRole:yyyyyy'. I would expect my LDAP groups to be imported that way.

I'm able to apply an LDAP group as a member of, for instance, the group READERS in a SharePoint site. It shows up as LdapRole:[groupname]. However, the LDAP users in that group are not authorized to READ that site, so they are authenticated but not allowed to READ, as membership of that group would imply.

I have tried numerous ways to change this but without success. Hope someone can point out what is going on here or what I obviously did wrong.

Thanks.

Best regards,

Danny
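Two of the filter strings in this thread deserve a closer look before a provider is pointed at them: the first post's `userFilter="(|(ObjectCategory=group)(ObjectClass=user))"` is an OR, so a user search returns group objects too, and the last post's `groupFilter="(ObjectClass=*)"` is a presence filter that matches every object under `o=UHASSELT,c=BE`, users included. The block below is an added example, not code from the posts or from SharePoint: a small evaluator for the RFC 4515 filter subset the posts use (equality, presence, `&`, `|`, `!`), run with subtree scope over a constructed directory. The entries are invented, the AD `objectCategory` values are shortened to their plain names, and the user-only and group-only filters it compares against are the conventional ones, not something the posts specify.

```python
"""Evaluate the LDAP filters posted above against a constructed directory.

Added example, not code from the forum posts or from SharePoint. Implements
the RFC 4515 subset the posts use (equality, presence, &, |, !) and shows
what each posted userFilter / groupFilter actually returns. Entries are
invented; AD objectCategory values are simplified to short names.
"""

# Constructed directory: an AD-style tree like the first post's and an
# inetOrgPerson tree like the last post's o=UHASSELT,c=BE.
ALICE = "CN=alice,CN=Users,DC=addname,DC=com"
WEB01 = "CN=WEB01,CN=Computers,DC=addname,DC=com"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=addname,DC=com"
STAFF_OU = "OU=Staff,DC=addname,DC=com"
DANNY = "uid=dlambrechts,o=UHASSELT,c=BE"
READERS = "cn=readers,o=UHASSELT,c=BE"

DIRECTORY = [
    {"dn": ALICE, "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": ["person"], "sAMAccountName": ["alice"]},
    {"dn": WEB01, "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": ["computer"], "sAMAccountName": ["WEB01$"]},
    {"dn": DOMAIN_USERS, "objectClass": ["top", "group"], "objectCategory": ["group"],
     "sAMAccountName": ["Domain Users"], "member": [ALICE]},
    {"dn": STAFF_OU, "objectClass": ["top", "organizationalUnit"], "ou": ["Staff"]},
    {"dn": DANNY, "objectClass": ["top", "person", "inetOrgPerson"], "uid": ["dlambrechts"]},
    {"dn": READERS, "objectClass": ["top", "groupOfNames"], "cn": ["readers"], "member": [DANNY]},
]

# Filter strings copied from the posts.
DDAVIS_USER_FILTER = "(|(ObjectCategory=group)(ObjectClass=user))"
DANNY_GROUP_FILTER = "(ObjectClass=*)"


def parse_filter(text):
    """Parse a filter string into a nested tuple tree; raise ValueError on bad syntax."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data after filter at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):                      # list of sub-filters
        i, children = i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or not children:
            raise ValueError(f"bad '{op}' list at offset {i}")
        return (op, children), i + 1
    if op == "!":                             # negation of one sub-filter
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated '!' at offset {i}")
        return ("!", [child]), i + 1
    end = s.find(")", i)                      # escaped parentheses in values are not handled
    attr, eq, value = s[i:end].partition("=") if end >= 0 else ("", "", "")
    if not attr or not eq:
        raise ValueError(f"expected attr=value at offset {i}")
    return ("=", attr.strip(), value.strip()), end + 1


def matches(node, entry):
    """True if the entry satisfies the filter tree (names and values compare case-insensitively)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = []
    for name, stored in entry.items():
        if name.lower() == attr.lower():
            values += [v.lower() for v in (stored if isinstance(stored, list) else [stored])]
    if value == "*":                          # presence filter: any value at all
        return bool(values)
    return value.lower() in values


def search(filter_text, base):
    """Return DNs under `base` (subtree scope) that match the filter, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in DIRECTORY
            if e["dn"].lower().endswith(base.lower()) and matches(node, e)]


if __name__ == "__main__":
    for label, flt, base in (
        ("posted userFilter", DDAVIS_USER_FILTER, "CN=Users,DC=addname,DC=com"),
        ("objectClass=user alone", "(objectClass=user)", "DC=addname,DC=com"),
        ("users only", "(&(objectCategory=person)(objectClass=user))", "DC=addname,DC=com"),
        ("posted groupFilter", DANNY_GROUP_FILTER, "o=UHASSELT,c=BE"),
        ("groups only", "(objectClass=groupOfNames)", "o=UHASSELT,c=BE"),
    ):
        print(f"{label:24} {flt:48} -> {search(flt, base)}")
```

The run shows the posted userFilter returning "Domain Users" alongside alice, `(objectClass=user)` picking up the computer account once the container is widened beyond CN=Users, and `(ObjectClass=*)` returning the inetOrgPerson entry as a "group". Replacing the latter with `(objectClass=groupOfNames)` (or whatever object class the UHasselt groups actually carry) is the first thing to try when `LdapRole:` entries never appear.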