ADAM as Role Provider in MOSS 2k7

  Asked By: Lacy    Date: Jun 29    Category: MOSS    Views: 1094

Configuration:
Web App with a Site Collection - default zone (Windows Auth)
Extended Web App to same Site Collection - Extranet zone
Configured web.config on CA & WSS virtual directories with the membership
provider.
Restarted IIS

Peoplepicker works!

Using the Extranet zone URL, I'm able to authenticate with accounts
stored in ADAM.
However, I'm having no luck in configuring ADAM to support groups in
ADAM (either the Readers, Users or Administrators default groups), or
any other groups I create. I have added the ADAM accounts into these
groups one at a time, configured the security on the site collection by
putting the ADAM groups into the Visitors group (shows up as
adammembership:Users), bounced IIS and tried to log on.
I get access denied for the ADAM user account.

However, if I add in the specific user account to the Visitors group,
I can logon with no issues.

We're looking at having 5,000+ accounts in ADAM for non-AD users to
log on to a SharePoint site, and the thought of adding each individual
user into the Visitors group is a management nightmare.

All my searching shows using a SQL DB as a store for roles, or writing
our own role provider.

Is there an OoB solution to use ADAM as a role provider?

Am I missing something to the web.config to allow using ADAM groups
instead of individual named accounts?

3 Answers Found

 
Answer #1    Answered By: Bailey Lewis     Answered On: Jun 29

To use ADAM for groups you need to implement a separate RoleProvider that
also points at ADAM. I did this a couple of years ago and used AZMAN.msc to manage
the mapping of groups in ADAM for use in SharePoint. I don't have the config
files anymore so I can't post an example, but it wasn't all that difficult. I
used AZMAN to establish the group mappings and saved them as an XML file, then
pointed the rolemanager at the xml file. Take a look at the following article.

msdn.microsoft.com/en-us/library/ms998314.aspx

 
Answer #2    Answered By: Quentin Cummings     Answered On: Jun 29

I just spent the last 6 hours trying to make AzMan work, and I'm
still back to where I was.
It's probably something simple or stupid that I'm missing, but I
cannot make MOSS use groups in ADAM or AzMan.
Learned some things, which is always good.

I'm going to step away from this for a day or two to give the brain a
break.

 
Answer #3    Answered By: Bhoomi Chabaria     Answered On: Jun 29

Fixed this finally.

Got ADAM groups to work inside of SharePoint.
The final web.config components that seemed to work are:

<configuration>
  <!-- PeoplePickerWildcards lives under the <SharePoint> section of the MOSS web.config;
       the membership and role providers live under <system.web>. -->
  <SharePoint>
    <PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembershipProvider" value="%" />
      <add key="ADAMRoles" value="*" />
      <add key="ADAMMembership" value="*" />
    </PeoplePickerWildcards>
  </SharePoint>

  <system.web>
    <authorization>
      <allow users="*" roles="Users" />
    </authorization>
    <membership defaultProvider="ADAMMembership">
      <providers>
        <add name="ADAMMembership"
             type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
             server="<servername>"
             port="<port>"
             useSSL="false"
             userDNAttribute="distinguishedName"
             userNameAttribute="sAMAccountName"
             userContainer="<ldap path in ADAM>"
             userObjectClass="user"
             userFilter="(|(ObjectCategory=group)(ObjectClass=user))"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
    <roleManager enabled="true"
                 cacheRolesInCookie="true"
                 cookieName=".PeopleDCRole"
                 defaultProvider="ADAMRoles">
      <providers>
        <add name="ADAMRoles"
             type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
             server="<server name>"
             port="<port number>"
             useSSL="false"
             groupContainer="<ldap path in ADAM>"
             groupNameAttribute="cn"
             groupMemberAttribute="member"
             userNameAttribute="sAMAccountName"
             dnAttribute="distinguishedName"
             groupFilter="(ObjectClass=group)"
             scope="Subtree" />
      </providers>
    </roleManager>
  </system.web>
</configuration>

Put the Membership & RoleProvider in the original web application that
uses Integrated Auth.
In the extended web app that was created for the Extranet zone using FBA,
put everything in the web.config in the appropriate sections.
(Do this for all WFE servers.)
Restart IIS.
Log on to the original web app, go to People & Groups.
Click the Visitors group.
Click the people picker icon (address book).
Type in the group name you have in ADAM.
It should show up as: ADAMROLES:<group name>
Click OK & OK to save.

Log on to the FBA URL with the ADAM account.
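
As an added example (not from the thread), the Python below models the two lookups the LDAPRoleProvider configured above chains together, login name to user DN and then DN to group membership, run against a small constructed in-memory directory instead of a real ADAM instance; the container DNs, user and group names are placeholders, and the config excerpt keeps only the attributes the lookups use. It also flags the useSSL="false" setting, since with it the provider binds and searches in clear text.

```python
import xml.etree.ElementTree as ET
# Constructed excerpt modelled on the posted web.config; containers are placeholders and
# only the attributes the lookups below use are kept.
WEB_CONFIG = """<system.web>
  <membership defaultProvider="ADAMMembership">
    <providers>
      <add name="ADAMMembership" userContainer="OU=Users,O=Extranet"
           userNameAttribute="sAMAccountName" userDNAttribute="distinguishedName" useSSL="false" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="ADAMRoles">
    <providers>
      <add name="ADAMRoles" groupContainer="OU=Groups,O=Extranet" groupNameAttribute="cn"
           groupMemberAttribute="member" groupFilter="(ObjectClass=group)" useSSL="false" />
    </providers>
  </roleManager>
</system.web>"""

# Constructed stand-in for the ADAM directory: DN -> attributes.
U1, U2 = "CN=jdoe,OU=Users,O=Extranet", "CN=asmith,OU=Users,O=Extranet"
DIRECTORY = {
    U1: {"objectClass": "user", "sAMAccountName": "jdoe"},
    U2: {"objectClass": "user", "sAMAccountName": "asmith"},
    "CN=Users,OU=Groups,O=Extranet": {"objectClass": "group", "cn": "Users", "member": [U1]},
    "CN=Readers,OU=Groups,O=Extranet": {"objectClass": "group", "cn": "Readers", "member": [U1, U2]},
}

def provider_settings(section):
    """Return (defaultProvider name, attributes of its <add> entry) for a config section."""
    mgr = ET.fromstring(WEB_CONFIG).find(section)
    name = mgr.get("defaultProvider")
    return name, mgr.find(f"providers/add[@name='{name}']").attrib

def roles_for_user(username):
    """Login name -> user DN inside userContainer, then groups under groupContainer whose
    groupMemberAttribute holds that DN. Returned as <provider>:<group>, as the picker shows."""
    _, m = provider_settings("membership")
    role_provider, r = provider_settings("roleManager")
    user_dns = [dn for dn, a in DIRECTORY.items()
                if dn.endswith(m["userContainer"]) and a.get(m["userNameAttribute"]) == username]
    if not user_dns:  # unknown login: nothing to match against 'member', so no roles
        return []
    return sorted(f"{role_provider}:{a[r['groupNameAttribute']]}" for dn, a in DIRECTORY.items()
                  if dn.endswith(r["groupContainer"]) and a.get("objectClass") == "group"
                  and user_dns[0] in a.get(r["groupMemberAttribute"], []))

def uses_cleartext_ldap(section):
    """True when the provider binds without SSL, i.e. credentials and lookups go in clear."""
    return provider_settings(section)[1].get("useSSL", "false").lower() == "false"
```

A user who is not in any group under groupContainer gets an empty role list, which is exactly the access-denied case from the question when no role provider is configured.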

 