Cannot import users from OpenLDAP in my SSP

  • Question

  • Hi all,

    I am facing a problem importing LDAP users into my SSP.
    I have already configured some WebApplications using forms-based authentication with LDAP Membership. On those applications, users can connect without any problem.
    Now I would like to import users into my SSP, but I can't find the way to configure my connection properly. I have read lots of articles on the internet about configuring an LDAP Connection in the SSP, but I have an error that I cannot find on the web...

    I have added a Membership configuration in my central administration and SSP web.config; this is the same as I use in my WebApplication, and it looks like this:

      <membership defaultProvider="ldapMembers" >
       <providers>
        <add name="ldapMembers" connectionUsername="uid=ldapread,ou=users,o=ldap-services,dc=toto,dc=fr" connectionPassword="secret" server="althes.toto.fr" port="389" useSSL="false" userNameAttribute="uid" userContainer="dc=toto,dc=fr" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="uid,cn" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" />
       </providers>
      </membership>
    

    There is no problem in the central admin, I can find users who come from this membership (to set them up as site collection administrator, for instance).

    To create my Import Connection in the SSP, I use these settings:

    • Type => LDAP Directory
    • Connection name => Althes
    • Directory service server name => althes.toto.fr
    • Port => 389
    • Timeout => 120
    • Provider => ldapMembers
    • Username attribute => uid
    • Search Base => dc=toto,dc=fr
    • User filter => (ObjectClass=person)
    • Scope => subtree
    • Page size => 10
    • Page timeout => 120
    • Account name => uid=ldapread,ou=users,o=ldap-services,dc=toto,dc=fr
    • Password => secret

    When I try to validate, I have an error on the Search Base property which says:
    The specified search base object either does not exist or is stored outside of specified directory service connection.

    And when I try to use the autofill root search base functionality, it does not return any search base... :(

    Of course, I cannot leave the Search base property empty, so I cannot create my connection...

    Has anybody already encountered this kind of problem? Any help would be appreciated :)

    Thanks in advance!


    tom-i the frenchie
    Thursday, March 24, 2011 1:03 PM
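    Added example, not code from the thread: a small Python check of the values quoted in this post, the kind of consistency pass a practitioner runs before blaming the connector. It parses the DNs, confirms the bind account and the provider's userContainer sit under the search base, rejects a host name typed where a DN belongs, and checks that the user filter is a balanced RFC 4515 filter. Function names are mine; the DNs and filter are the ones above.

```python
import re

def parse_dn(dn):
    """Split a DN into normalised (attr, value) RDNs, leaf first, root last."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"not an RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def is_under(dn, base):
    """True when dn equals base or lies beneath it in the directory tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def filter_is_balanced(flt):
    """RFC 4515 filters are fully parenthesised; reject unbalanced ones."""
    depth, ok = 0, flt.startswith("(") and flt.endswith(")")
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        ok = ok and depth >= 0
    return ok and depth == 0

def check_connection(search_base, account, user_container, user_filter):
    """Return a list of findings; an empty list means the values agree."""
    try:
        parse_dn(search_base)
    except ValueError:
        return ["search base is a host name or free text, not a DN"]
    findings = []
    # A short name such as 'ldapread' carries no tree position to compare.
    if "=" in account and not is_under(account, search_base):
        findings.append("bind account DN lies outside the search base")
    if not is_under(user_container, search_base):
        findings.append("provider userContainer is not within the search base")
    if not filter_is_balanced(user_filter):
        findings.append("user filter is not a balanced RFC 4515 filter")
    return findings

if __name__ == "__main__":
    # Values quoted in the post: base, bind DN, provider userContainer, filter.
    print(check_connection("dc=toto,dc=fr",
                           "uid=ldapread,ou=users,o=ldap-services,dc=toto,dc=fr",
                           "dc=toto,dc=fr", "(ObjectClass=person)") or "ok")
```

    The same function run with the later bind DN under dc=nordpasdecalais,dc=fr, or with the host name althes.toto.fr in place of the base, reports the mismatch instead of an empty list.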

Answers

  • I have not had time to take care of that problem during the last months. But this week I finally found the solution.


    I use these settings:

    • Type => LDAP Directory
    • Connection name => Althes
    • Directory service server name => toto.fr
    • Port => 389
    • Timeout => 120
    • Provider => ldapMembers
    • Username attribute => uid
    • Search Base => dc=toto,dc=fr
    • User filter => (&(ObjectCategory=Person)(ObjectClass=User))
    • Scope => subtree
    • Page size => 10
    • Page timeout => 120
    • Account name => ldapread
    • Password => secret

    So instead of specifying a server name, I finally specified a domain name, and since then it works better!!! I really do not think that the label "Directory service server name" is well chosen...

    From that point the autofill search base worked :)

    Then I just had to set the right filter and specify an LDAP account. At first I thought that the account was taken from the provider in the web.config, so I left "Use default account", but the default account means the account you use to set up your connection... So you need to specify a correct LDAP account.

    Then you can register your import connection :)


    tom-i the frenchie
    Tuesday, July 5, 2011 11:54 AM

All replies

  • I created it by specifying the settings and not using autodiscover; it solved lots of my problems. Then I wrote all those settings.

    Among other things: shouldn't the account name be something like domain\user?

    My suggestion is that you should also look at that. At least in my settings it is something like this. Cheers


    For the user filter I have (it autofills itself): (&(ObjectCategory=Person)(ObjectClass=User))
    Thursday, March 24, 2011 1:07 PM
  • Hi Riot7seven,

    Thanks for your answer.

    But I cannot use the autodiscover functionality, it leaves my search base blank...

    About the account, I cannot use a Domain\account as the LDAP is on Unix. That is why I try to use an LDAP account.

    I really think the problem comes from this account, not from the search base or the user filter.

    For information, my client uses OpenLDAP as LDAP Directory.

    Does anyone know if there is any way to create an import connection with this kind of LDAP Directory?

    Thanks in advance :)


    tom-i the frenchie
    Thursday, March 31, 2011 9:00 AM
  • Hi Tom,

    You may check the import by changing the import connection settings to below:


    • Type => LDAP Directory
    • Connection name => Althes
    • Directory service server name => althes.toto.fr
    • Port => 389
    • Timeout => 120
    • Provider => ldapMembers
    • Username attribute => uid
    • Search Base => ou=users,o=ldap-services,dc=toto,dc=fr
    • User filter => (ObjectClass=person)
    • Scope => subtree
    • Page size => 10
    • Page timeout => 120
    • Account name => ldapread
    • Password => secret

    Best Regards, Ashok Yadala
    Thursday, March 31, 2011 2:41 PM
  • Hi Ashok,

    It still does not work, I have an error message about the account which says:
    "The specified account cannot be validated at corresponding domain controller."

    I have the same error if I try specifying the account like this:
    ldapread
    or like this:
    uid=ldapread,ou=users,o=ldap-services,dc=nordpasdecalais,dc=fr

    When I try your search base with the default account, I have an error about the search base:
    "The query is not valid based on the specified search base and search filter. Please validate your input of search base and filter."

    This import makes me crazy!!
    Does anyone know what the aim of specifying a new account is, since I have already specified one in the membership provider in the web.config?



    tom-i the frenchie
    Thursday, March 31, 2011 3:06 PM