Comments (12)
Hello,
Interesting, it seems it tries to get an LDAP property that does not exist, which should not happen since it should verify that it exists first.
- Do you get this with every user?
- Can you share your claims mapping configuration?
- What version of LDAPCP are you using?
from ldapcp.
Hi there,
Yes, it's pretty much all users. Requested info below. I just tried again; all returned results are "i:0#.w" Windows users.
Get-SPTrustedIdentityTokenIssuer (relevant data)
ClaimTypes : {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn, http://schemas.microsoft.com/ws/2008/06/identity/claims/role, http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid}
HasClaimTypeInformation : True
ClaimTypeInformation : {EmailAddress, UPN, Role, SID}
ClaimProviderName : LDAPCP
UseWReplyParameter : False
UseWHomeRealmParameter : False
RegisteredIssuerName :
IdentityClaimTypeInformation : Microsoft.SharePoint.Administration.Claims.SPTrustedClaimTypeInformation
Description : AD Federation Server
Get-SPClaimProvider -Identity LDAPCP
DisplayName : LDAPCP
Description : LDAPCP
IsEnabled : True
IsUsedByDefault : True
IsVisible : True
AssemblyName : ldapcp, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740
TypeName : ldapcp.LDAPCP
ClaimProvider : ldapcp.LDAPCP
ClaimProviderType : ldapcp.LDAPCP
IsValid : True
UpgradedPersistedProperties : {}
The "ldapcp.dll" in "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ldapcp\v4.0_1.0.0.0__80be731bc1a1a740" is version 2017.06
Also, in case it matters, the ADFS relying party claim rules look like this:
I'm actually just thinking, maybe I screwed up the claims mapping on the ADFS side. I just added UPN to the Active Directory mapping and removed pass-through UPN. I used the following mapping commands; maybe I'm specifying the wrong provider.
New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" -IncomingClaimTypeDisplayName "SID" -SameAsIncoming
from ldapcp.
Can you send a screenshot of the LDAPCP claims mapping page in central administration > security?
from ldapcp.
Ah, LDAPCP claims mapping. Sorry. See image below. I removed the erroring ones, did an IIS reset and searched for a user "david". See log below. I tested the query manually (in AD), and it works fine.
08/24/2017 17:25:11.88 w3wp.exe (SHPTSrvr:0x6C8C) 0x286C LDAPCP Core 1337 Medium [LDAPCP] LdapcpConfig PersistedObject changed, refreshing configuration f484129e-7dfd-d04e-d6c0-f7f33246dd86
08/24/2017 17:25:12.80 w3wp.exe (SHPTSrvr:0x6C8C) 0x286C LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Got 17 result(s) in 5ms from "LDAP://MyDomain.local/DC=MyDomain,DC=local" with query "(| (&(objectclass=user)(mail=david*)) (&(objectclass=user)(userPrincipalName=david*)) (&(objectclass=group)(sAMAccountName=david*)) (&(objectclass=user)(displayName=david*)) (&(objectclass=user)(cn=david*)(!(objectClass=computer))) (&(objectclass=user)(sn=david*)) (&(objectclass=group)(displayName=david*)) )" f484129e-7dfd-d04e-d6c0-f7f33246dd86
08/24/2017 17:25:12.86 w3wp.exe (SHPTSrvr:0x6C8C) 0x286C LDAPCP Claims Picking 1337 Unexpected [LDAPCP] Unexpected error in SearchOrValidate: System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: index, Callstack: at System.Collections.ArrayList.get_Item(Int32 index) at System.DirectoryServices.ResultPropertyValueCollection.get_Item(Int32 index) at ldapcp.ConsolidatedResultCollection.Contains(LDAPSearchResultWrapper result, AttributeHelper attribute, Boolean compareWithDomain) at ldapcp.LDAPCP.ProcessLdapResults(RequestInformation requestInfo, List`1& LDAPSearchResultWrappers) at ldapcp.LDAPCP.SearchOrValidateWithLDAP(RequestInformation requestInfo, List`1& permissions) at ldapcp.LDAPCP.SearchOrValidate(RequestInformation requestInfo) f484129e-7dfd-d04e-d6c0-f7f33246dd86
from ldapcp.
I can't see anything wrong in your config.
Interestingly, you get the same System.ArgumentOutOfRangeException in 2 different methods: LDAPCP.CreatePickerEntityHelper and ConsolidatedResultCollection.Contains.
Is it possible for you to capture a dump on the System.ArgumentOutOfRangeException and share it with me?
You can use procdump from sysinternals like this:
procdump.exe -ma PID_OF_w3wp -e 1 -f "System.ArgumentOutOfRangeException" -n 10
To get the PID of the w3wp, you can run this:
%systemroot%\system32\inetsrv\appcmd list wp
from ldapcp.
Hi there,
Attached is the dump result. I've also uploaded the full dump to WeTransfer. I actually have two dumps; one of them I zipped (to shrink the size). Click here to grab the dump files
w3wp.exe_170830_143744_MultipleRules.zip
from ldapcp.
Thanks for your time to collect the dump, here is what happens:
The LDAP search returned 17 results, but one of the users does not have his identity attribute (mail) set, which causes the ArgumentOutOfRangeException. This user was found based on his cn, sn or displayName attribute.
This is a flaw in the LDAPCP logic: this kind of user should be detected and excluded, so that other results can be processed.
I'm writing a fix for this and a new version will be available soon.
In the meantime, if you wish I can send you the identity (e.g. his samaccountname) of this user, just let me know if I can paste it here, or contact me in private otherwise.
from ldapcp.
Thanks for the feedback. My issue is that I have a large number of users w/o the mail attribute. I just removed the mail claims mapping, and it's working fine now.
I see you posted a fix. Perhaps you could let me know when it's available for download.
Thanks!!
from ldapcp.
Yes, I needed some time to make additional tests, but now I'm happy with the result and I just published the update (v2017.09), you can download it directly from http://ldapcp.com/
Now, when this scenario happens, the result is simply ignored and this message is recorded:
LDAPCP LDAP Lookup 1337 Medium [LDAPCP] A user was ignored because it is missing the identity attribute 'mail'
Can you please test the update and confirm if the issue is fully resolved?
from ldapcp.
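To see which accounts trigger the scenario described in the two maintainer comments above (a user matched on cn, sn or displayName that has no value for the identity attribute), an administrator can replay LDAPCP's own search with System.DirectoryServices and apply the same check the v2017.09 fix describes: skip and log the result instead of indexing an empty attribute. This is an added example, not LDAPCP's code; the LDAP path and filter are copied from the log line earlier in this thread, and the parameter names and the assumption that 'mail' is the identity attribute are mine.

```powershell
# Added example (not LDAPCP's code). Replays the people-picker search that LDAPCP
# logged and reports results that lack the configured identity attribute.
# Assumptions: the LDAP path and filter are taken from the log line in this thread,
# 'mail' is the identity attribute, and the caller can read the directory.
param(
    [string]$LdapPath = "LDAP://MyDomain.local/DC=MyDomain,DC=local",
    [string]$SearchTerm = "david",
    [string]$IdentityAttribute = "mail"
)

# Same filter LDAPCP logged, with the search term substituted in.
$filter = "(| (&(objectclass=user)($IdentityAttribute=$SearchTerm*)) " +
          "(&(objectclass=user)(userPrincipalName=$SearchTerm*)) " +
          "(&(objectclass=group)(sAMAccountName=$SearchTerm*)) " +
          "(&(objectclass=user)(displayName=$SearchTerm*)) " +
          "(&(objectclass=user)(cn=$SearchTerm*)(!(objectClass=computer))) " +
          "(&(objectclass=user)(sn=$SearchTerm*)) " +
          "(&(objectclass=group)(displayName=$SearchTerm*)) )"

# ResultPropertyCollection keys are lower-case.
$idAttr = $IdentityAttribute.ToLowerInvariant()

$root     = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = $filter
[void]$searcher.PropertiesToLoad.AddRange([string[]]@($idAttr, "objectclass", "samaccountname", "distinguishedname"))

$results = $searcher.FindAll()
try {
    foreach ($result in $results) {
        $dn      = $result.Properties["distinguishedname"][0]
        $sam     = if ($result.Properties["samaccountname"].Count -gt 0) { $result.Properties["samaccountname"][0] } else { "<none>" }
        $isGroup = $result.Properties["objectclass"] -contains "group"

        # Indexing [0] on an empty ResultPropertyValueCollection is exactly what threw
        # ArgumentOutOfRangeException in the thread, so check Count before indexing.
        if (-not $isGroup -and $result.Properties[$idAttr].Count -eq 0) {
            Write-Warning "A user was ignored because it is missing the identity attribute '$IdentityAttribute': $sam ($dn)"
            continue
        }

        $kind  = if ($isGroup) { "group" } else { "user" }
        $value = if ($isGroup) { $sam } else { $result.Properties[$idAttr][0] }
        Write-Output ("{0,-6} {1,-30} {2}" -f $kind, $value, $dn)
    }
}
finally {
    # SearchResultCollection holds an unmanaged handle; release it.
    $results.Dispose()
}
```

Run it from a machine joined to the domain with the search term that fails in the people picker; every warning line names an account that the pre-fix version would have choked on, which is also the list to review before deciding whether to keep 'mail' as the identity claim or to populate the attribute.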
I'll give it a shot next week. If you can share your contact details with me, I'll PM you the results.
Thank you for a fantastic solution!
from ldapcp.
Hi @Joeostr, did you have time to test the update?
from ldapcp.
Closing issue since @Joeostr is unresponsive
from ldapcp.