Welcome: Guest!

MOSS Forum

 
Home » Forum » MOSS       Ask a questionRSS Feeds

ADAM as Role Provider in MOSS 2k7

  Asked By: Lacy Barker         Date: Jun 29, 2009      Category: MOSS      Views: 470
 

Configuration:
Web App with a Site Collection - default zone (Windows Auth)
Extended Web App to same Site Collection - Extranet zone
Configured web.config on CA & wss virtual directories with memberrship
provider....
Restarted IIS

Peoplepicker works!

Using the Extranet zone URL, I'm able to authenticate with accounts
stored in ADAM.
However, I'm having no luck in configuring ADAM to support groups in
ADAM (either the Readers, Users or Administrators default groups), or
any other groups I create. I have added the ADAM accounts into these
groups one a time, configured the security on the site collection by
putting the ADAM groups into the Visitors group (shows up
adammembership:Users), bounced IIS and try to logon.
I get access denied for the adam user account.

However, if I add in the specific user account to the Visitors group,
I can logon with no issues.

We're looking at having 5,000+ accounts in ADAM for non-AD users to
logon to a Sharepoint Site, and the thought of adding each individual
user into the Visitors group a management nightmare.

All my searching shows using a SQL DB as a store for roles, or writing
our own role provider.

Is there an OoB solution to use ADAM as a role provider?

Am I missing something to the web.config to allow using ADAM groups
instead of individual named accounts?

Tagged:              

 

3 Answers Found

 
Answer #1       Answered By: Bailey Lewis          Answered On: Jun 29, 2009       

To use ADAM as for groups you need to implement a separate RoleProvider that
also points at ADAM. I did this a couple years ago and used AZMAN.msc to manage
the mapping of groups in ADAM for use in SharePoint. I don't have the config
files anymore so I can't post an example, but it wasn't all that difficult. I
used AZMAN to establish the group mappings and saved them as an XML file, then
pointed the rolemanager at the xml file. Take a look at the following article.

msdn.microsoft.com/en-us/library/ms998314.aspx

 
Answer #2       Answered By: Quentin Cummings          Answered On: Jun 29, 2009       

I just spent the last 6 hours trying to make AzMan work, and I'm
still back to where I was.
It's probably something simple or stupid that I'm missing, but I
cannot make MOSS use groups in ADAM or AzMan.
Learned some things, which is always good .

I'm going to step away from this for a day or two to give the brain a
break.

 
Answer #3       Answered By: Bhoomi Chabaria          Answered On: Jun 29, 2009       

Fixed this finally.

Got ADAM groups to work inside of SharePoint
The final web.config components that seemed to work are:
<configuration>
<PeoplePickerWildcards>
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="ADAMRoles" value="*" />
<add key="ADAMMembership" value="*" />
</PeoplePickerWildcards>
</configuration>

<system.web>
<authorization>
<allow users="*" roles="Users" />
</authorization>
<membership defaultProvider="ADAMMembership">
<providers>
<add name="ADAMMembership"
type="Microsoft.Office.Server.Security.LDAPMembershipProvider,
Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral,
PublicKeyToken=71E9BCE111E9429C"
server="<servername>"
port="<port>"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="sAMAccountName"
userContainer="<ldap path in ADAM>"
userObjectClass="user"
userFilter="(|(ObjectCategory=group)(ObjectClass=user))"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager
enabled="true"
cacheRolesInCookie="true"
cookieName=".PeopleDCRole"
defaultProvider="ADAMRoles">
<providers>
<add
server="<server name>"
port="<port number>"
useSSL="false"
groupContainer="<ldap path in ADAM>"
groupNameAttribute="cn"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="(ObjectClass=group)"
scope="Subtree"
name="ADAMRoles"
type="Microsoft.Office.Server.Security.LDAPRoleProvider,
Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral,
PublicKeyToken=71E9BCE111E9429C" />
</providers>
</roleManager>

Put the Membership & RoleProvder in the original web  application that
uses Integrated Auth.
In the extended Web app  that was created for Extranet Zone using FBA,
put everything in the web.config in the appropriate sections.
(Do this for all WFE servers)
Restart IIS
Logon to the original web app, go to Peoples & Groups
Click the Visitors group
Click the people picker icon (address book)
Type in the group name you have in ADAM
It should show up as: ADAMROLES:<group name>
Click OK & OK to save.

Logon to the FBA url with the ADAM account.

 
Didn't find what you were looking for? Find more on ADAM as Role Provider in MOSS 2k7 Or get search suggestion and latest updates.


Your Answer
  • Answer should be atleast 30 Characters.
  • Please put code inside [Code] your code [/Code].

 
Hall of Fame  |  Facebook  |  Twitter  |  LinkedIn  |  Terms of Use  |  Privacy Policy  |  Contact us
RSS Feeds: Articles |  Forum |  New Users |  Activities |  Interview FAQ |  Poll |  Hotlinks


Go4Sharepoint, is a Microsoft Featured Community. Microsoft, Windows, Sharepoint, Sharepoint logo, Windows logo, etc are trademarks of the Microsoft Corporation. All product names, logos, copyrights, and trademarks mentioned are acknowledged as the registered intellectual property of their respective owners. This site is not in any way affiliated with, nor has it been authorized, sponsored, or otherwise approved by, Microsoft Corporation.

Copyright © 2008-2011