No Results in OOTB People Pickers (SP2016) about ldapcp HOT 15 CLOSED

Can you check the SharePoint logs and filter on Product/Area "LDAPCP"?
It should give you more insight on what's happening.

from ldapcp.

I turned on Verbose logging for LDAPCP and get no results from it in logs.

from ldapcp.

This is a good example. I'm logged in as spadmin, but when I type it in to the people picker there no results. (I do have a couple of users that were previously NTLM and noticed they show up in the people picker, but no ADFS profiles)

from ldapcp.

Can you access LDAPCP administration page in central administration > security and confirm that there is nothing wrong (no error message in red)?
Then, in LDAPCP claims mapping page (same location), is the identity claim type (bold green line) present, with valid LDAP attribute/class?

from ldapcp.

Central Admin > Security

LDAP Claims Mapping Page

NOTE: when i installed this on 2013, I was able to choose the attribute from a drop down list on the User Profile Property, but with 2016 There was nothing populating the drop down so I had to type it in ("mail").

from ldapcp.

NOTE: I'm using this on an extended web application. Where the default is NTLM for search results, and the actual domain is using the extranet zone for ADFS authentication. I'm not sure if this would make a difference so I wanted to throw that out there.

from ldapcp.

It makes no sense that you don't see any LDAPCP activity in the logs, it should log something, especially in verbose.
Can you run that to double check logs:

Merge-SPLogFile -Path "C:\Temp\LDAPCP_logging.log" -Overwrite -Area "LDAPCP" -StartTime (Get-Date).AddDays(-1)

Can you also run this and confirm LDAPCP is displayed:

Get-SPClaimProvider "LDAPCP"

from ldapcp.

Thank you for your responses.
The logs are producing now.
I can see "Add AD Server" > "Connecting to..." and where I'm getting "Get 0 Results"
but no errors.

There are a few entries throughout the logs that are "Monitorable" and say "[LDAPCP] Entry with LDAP class group is defined but it doesn't match any entry with the same LDAP class and a claim type defined. Add an entry with same LDAP object class and a claim type to fix this issue."

from ldapcp.

So LDAPCP is connecting and does LDAP queries, but they return nothing.
Then the question is if LDAP server should actually return results, or if the LDAP query is invalid.
You can replay LDAP queries with PowerShell to investigate this further, you can use the script in http://ldapcp.com/Troubleshoot-LDAPCP.html

from ldapcp.

@jshenderson any update on this?

from ldapcp.

not yet. due to building the farm with the daggum port in the DB connection. I was unable to update the farm. So I am in the process of rebuilding, but I'm about done. I should have an answer very soon. Again, I really appreciate your tool, and your assistance. BTW, you're tool was suggested to me by a MS PFE .

from ldapcp.

Awesome, thanks for your feedback!
Please keep updating this thread with your progress

from ldapcp.

Thank you for your patience. I have rebuild the farm successfully and had good success with ADFS. However, I'm having the same issue with LDAPCP and the people picker having no results returned.

I have replayed the queries I found in the logs and they do bring back results in powershell, but say "Got 0 results..." in the logs.

Do you know what I could be missing?

from ldapcp.

Hi @jshenderson , you should pay attention about the LDAP filter, there must be something wrong with it that explains why LDAP server returns no result.
You can try to replay the LDAP query with PowerShell using the script available in http://ldapcp.com/Troubleshoot-LDAPCP.html
Hopefully you'll find what's wrong.

from ldapcp.

You can make this complete. I have found the issue, and now need to figure out how to fix it.
The LDAP query the server is running is on a subdomain hence the 0 results. But my user profile sync is running on the actual domain and pulling everything correctly. I'm not sure why this happening maybe because the server is in the subdomain?

from ldapcp.