Issue adding OpenLDAP as a claims provider trust in ADFS 4.0

  • Question

  • I am trying to take advantage of the new feature in ADFS 4.0 to add a non-AD claims provider trust. I followed along with the article: https://technet.microsoft.com/en-us/itpro/powershell/windows/adfs/add-adfslocalclaimsprovidertrust. When I run the PowerShell command Add-AdfsLocalClaimsProviderTrust with the proper parameters, I get the following error:

    Add-AdfsLocalClaimsProviderTrust : The specified directory service attribute or value does not exist.
    At C:\Shared\adfsldap.ps1:27 char:1
    + Add-AdfsLocalClaimsProviderTrust -Name "OpenLDAP" `
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidData: (:) [Add-AdfsLocalClaimsProviderTrust], COMException
        + FullyQualifiedErrorId : The specified directory service attribute or value does not exist.
    ,Microsoft.IdentityServer.Management.Commands.AddLocalClaimsProviderTrustCommand


    My environment is 2 servers: Server 1 is my Windows 2016 machine, and Server 2 hosts the OpenLDAP backend.

    I have confirmed Server 1 can successfully connect to and browse the OpenLDAP backend by running both jExplorer and an LDAP C# app using the same connection string and credentials on Server 1.

    My code:

    # Bind account for the OpenLDAP server (PSCredential); the posted script referenced an undefined $DirctoryCred
    $DirectoryCred = Get-Credential

    # LDAPS connection to the OpenLDAP backend using a simple (Basic) bind
    $directory = New-AdfsLdapServerConnection -HostName "my.host.name" -Port 636 -SslMode Ssl -AuthenticationMethod Basic -Credential $DirectoryCred

    # Register OpenLDAP as a local claims provider trust.
    # -UserContainer is the DN of the container holding the user objects (the posted value is cut short).
    # Every line except the last needs a trailing backtick, which was missing after -Type LDAP.
    Add-AdfsLocalClaimsProviderTrust -Name "OpenLDAP" `
    -Identifier "urn:openldap" `
    -LdapServerConnection $directory `
    -UserContainer "dc=mycontainerforusers," `
    -UserObjectClass inetOrgPerson `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute uid `
    -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -Type LDAP `
    -Enabled $true

    Using Wireshark, I captured the network traffic to see what was being sent. I noticed a difference between the successful connections from the test and the unsuccessful connection from ADFS. In the successful connections it is passing along the base dc that is in the connection string. For ADFS, I thought this would be defined as the same thing for -UserContainer, so that is where I put it. See screenshots below:

    Am I defining the base dc in the wrong place? Any help is greatly appreciated. Also, I am not completely sure what the error is referring to.

    Thursday, June 8, 2017 1:55 PM

Answers

  • All the research and struggle just to determine that the account running the PowerShell console didn't have the right permissions to execute the script.

    The account I was using was a local admin, not a domain admin, thus the resulting error.

    NOTE: Ensure you are running the console as a domain admin to execute the script.

    It would be nice if the error actually stated that, rather than sending me down the rabbit hole after some non-existent issue.


    • Marked as answer by BGullo Monday, October 9, 2017 3:38 PM
    • Edited by BGullo Monday, October 9, 2017 7:50 PM
    Monday, October 9, 2017 3:38 PM

All replies

  • Looking at the error message, it appears that you are trying to use the uid attribute and it is failing to query it:

    The specified directory service attribute or value does not exist.

    Did you check if your query for this attribute was successful? Does OpenLDAP have this attribute present?

    Thursday, July 13, 2017 7:54 AM
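As an added example (not code from the thread or from Microsoft), a pre-flight script that checks the two things this thread turned on before the cmdlets above are run: that the console really runs as a domain admin (the accepted answer), and that the anchor attribute can be queried under the user container over LDAPS with the same bind account ADFS will use (the reply's question). The host name, port, container DN and test uid are placeholders to adjust.

```powershell
# Added pre-flight check, not from the original thread. Host, port, DN and
# test uid are placeholders; replace them with the values from your script.
param(
    [string]$LdapHost      = 'my.host.name',
    [int]$LdapPort         = 636,
    [string]$UserContainer = 'dc=example,dc=com',   # placeholder base DN
    [string]$AnchorAttr    = 'uid',
    [string]$TestUid       = 'jdoe'                 # a uid known to exist
)

# 1. Accepted answer: the console must run as a domain admin, not a local admin.
#    Run from an elevated console; UAC strips admin groups from a filtered token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$domainAdmins = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid,
    $identity.User.AccountDomainSid)   # <domain SID>-512; a local account never matches
if (-not $principal.IsInRole($domainAdmins)) {
    throw "$($identity.Name) is not a Domain Admin; re-open the console as one first."
}
"OK: running as $($identity.Name) (Domain Admin)"

# 2. Reply's question: can the anchor attribute be queried under the container
#    through the same LDAPS endpoint and bind account the claims provider uses?
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -Message 'OpenLDAP bind account (simple bind over LDAPS)'
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapHost, $LdapPort)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true   # port 636, matches -SslMode Ssl
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $cred.GetNetworkCredential()
$conn.Bind()                                     # throws if the bind is rejected

$filter = "(&(objectClass=inetOrgPerson)($AnchorAttr=$TestUid))"
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $UserContainer, $filter,
    [System.DirectoryServices.Protocols.SearchScope]::Subtree, $AnchorAttr)
$resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
if ($resp.Entries.Count -ne 1) {
    throw "Expected one inetOrgPerson with $AnchorAttr=$TestUid under '$UserContainer', got $($resp.Entries.Count); check the container DN and attribute name."
}
$entry = $resp.Entries[0]
"OK: $($entry.DistinguishedName) has $AnchorAttr=$($entry.Attributes[$AnchorAttr][0])"
$conn.Dispose()
```

If both checks pass, the New-AdfsLdapServerConnection and Add-AdfsLocalClaimsProviderTrust calls from the question can be run from the same console with the same values.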