
Comments (12)

Yvand commented on August 10, 2024

Hello,
Interesting, it seems it tries to get an LDAP property that does not exist, which should not happen since it should verify that it exists first.

  • Do you get this with every user?
  • Can you share your claims mapping configuration?
  • What version of LDAPCP are you using?

from ldapcp.

Joeostr commented on August 10, 2024

Hi there,

Yes, it's pretty much all users. Requested info below. I just tried again; all returned results are "i:0#.w" Windows users.

Get-SPTrustedIdentityTokenIssuer (relevant data)
ClaimTypes : {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn, http://schemas.microsoft.com/ws/2008/06/identity/claims/role, http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid}
HasClaimTypeInformation : True
ClaimTypeInformation : {EmailAddress, UPN, Role, SID}
ClaimProviderName : LDAPCP
UseWReplyParameter : False
UseWHomeRealmParameter : False
RegisteredIssuerName :
IdentityClaimTypeInformation : Microsoft.SharePoint.Administration.Claims.SPTrustedClaimTypeInformation
Description : AD Federation Server

Get-SPClaimProvider -Identity LDAPCP
DisplayName : LDAPCP
Description : LDAPCP
IsEnabled : True
IsUsedByDefault : True
IsVisible : True
AssemblyName : ldapcp, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740
TypeName : ldapcp.LDAPCP
ClaimProvider : ldapcp.LDAPCP
ClaimProviderType : ldapcp.LDAPCP
IsValid : True
UpgradedPersistedProperties : {}

The "ldapcp.dll" in "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ldapcp\v4.0_1.0.0.0__80be731bc1a1a740" is version 2017.06

Also, in case it matters, the ADFS relying party claim rules look like this:
[image]

I'm actually just thinking, maybe I screwed up the claims mapping on the ADFS side. I just added UPN to the Active Directory mapping and removed pass-through UPN. I used the following mapping commands; maybe I'm specifying the wrong provider:

New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" -IncomingClaimTypeDisplayName "SID" -SameAsIncoming


Yvand commented on August 10, 2024

Can you send a screenshot of the LDAPCP claims mapping page in central administration > security?


Joeostr commented on August 10, 2024

Ah, LDAPCP claims mapping. Sorry. See image below. I removed the error ones, did an IIS reset and searched for a user "david". See log below. I tested the query manually (in AD), and it works fine.

[image]

08/24/2017 17:25:11.88 w3wp.exe (SHPTSrvr:0x6C8C) 0x286C LDAPCP Core 1337 Medium [LDAPCP] LdapcpConfig PersistedObject changed, refreshing configuration f484129e-7dfd-d04e-d6c0-f7f33246dd86

08/24/2017 17:25:12.80 w3wp.exe (SHPTSrvr:0x6C8C) 0x286C LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Got 17 result(s) in 5ms from "LDAP://MyDomain.local/DC=MyDomain,DC=local" with query "(| (&(objectclass=user)(mail=david*)) (&(objectclass=user)(userPrincipalName=david*)) (&(objectclass=group)(sAMAccountName=david*)) (&(objectclass=user)(displayName=david*)) (&(objectclass=user)(cn=david*)(!(objectClass=computer))) (&(objectclass=user)(sn=david*)) (&(objectclass=group)(displayName=david*)) )" f484129e-7dfd-d04e-d6c0-f7f33246dd86

08/24/2017 17:25:12.86 w3wp.exe (SHPTSrvr:0x6C8C) 0x286C LDAPCP Claims Picking 1337 Unexpected [LDAPCP] Unexpected error in SearchOrValidate: System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: index, Callstack: at System.Collections.ArrayList.get_Item(Int32 index) at System.DirectoryServices.ResultPropertyValueCollection.get_Item(Int32 index) at ldapcp.ConsolidatedResultCollection.Contains(LDAPSearchResultWrapper result, AttributeHelper attribute, Boolean compareWithDomain) at ldapcp.LDAPCP.ProcessLdapResults(RequestInformation requestInfo, List1& LDAPSearchResultWrappers) at ldapcp.LDAPCP.SearchOrValidateWithLDAP(RequestInformation requestInfo, List1& permissions) at ldapcp.LDAPCP.SearchOrValidate(RequestInformation requestInfo) f484129e-7dfd-d04e-d6c0-f7f33246dd86


Yvand commented on August 10, 2024

I can't see anything wrong in your config.
Interestingly, you get the same System.ArgumentOutOfRangeException in 2 different methods: LDAPCP.CreatePickerEntityHelper and ConsolidatedResultCollection.Contains.

Is it possible for you to capture a dump on the System.ArgumentOutOfRangeException and share it with me?
You can use procdump from sysinternals like this:

procdump.exe -ma PID_OF_w3wp -e 1 -f "System.ArgumentOutOfRangeException" -n 10

To get the PID of the w3wp, you can run this:

%systemroot%\system32\inetsrv\appcmd list wp


Joeostr commented on August 10, 2024

Hi there,

Attached is the dump result. I've also uploaded the full dump to WeTransfer. I actually have two dumps, one of them I zipped (to shrink the size). Click here to grab the dump files.

w3wp.exe_170830_143744_MultipleRules.zip


Yvand commented on August 10, 2024

Thanks for taking the time to collect the dump; here is what happens:
The LDAP search returned 17 results, but one of the users does not have his identity attribute (mail) set, which causes the ArgumentOutOfRangeException. This user was found based on his cn, sn or displayName attribute.

This is a flaw in the LDAPCP logic: this kind of user should be detected and excluded, so that other results can be processed.
I'm writing a fix for this and a new version will be available soon.

In the meantime, if you wish I can send you the identity (e.g. his samaccountname) of this user, just let me know if I can paste it here, or contact me in private otherwise.


Joeostr commented on August 10, 2024

Thanks for the feedback. My issue is that I have a large number of users without the mail attribute. I just removed the mail claims mapping, and it's working fine now.

I see you posted a fix. Perhaps you could let me know when it's available for download.

Thanks!!


Yvand commented on August 10, 2024

Yes, I needed some time to make additional tests, but now I'm happy with the result and I just published the update (v2017.09); you can download it directly from http://ldapcp.com/.
Now, when this scenario happens, the result is simply ignored and this message is recorded:

LDAPCP	LDAP Lookup	1337	Medium	[LDAPCP] A user was ignored because it is missing the identity attribute 'mail'

Can you please test the update and confirm if the issue is fully resolved?

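Added example, not LDAPCP's own code (the project is C#; this is a Python model of the same processing loop). It reproduces the failure diagnosed two comments above, an entry found by cn/sn/displayName whose mail value collection is empty, so indexing element 0 throws, and the behaviour the v2017.09 update describes: the entry is skipped, the "user was ignored" message is recorded, and the remaining results still get processed. The sample result set, the function names and the dict-of-lists representation of a search result are my own assumptions; in System.DirectoryServices the equivalent is an empty ResultPropertyValueCollection.

```python
# Added example (not LDAPCP's own code): models the crash discussed in this
# thread and the behaviour of the fix. A search result is a dict mapping an
# LDAP attribute name to its list of values; a missing attribute is an empty
# list, like an empty ResultPropertyValueCollection whose [0] throws
# ArgumentOutOfRangeException in .NET.
from dataclasses import dataclass, field

# Constructed sample: the kind of result set the thread's "david*" query returns.
# The second entry matched on displayName but has no mail value.
SAMPLE_RESULTS = [
    {"sAMAccountName": ["david.a"], "displayName": ["David A"],
     "mail": ["david.a@example.test"]},
    {"sAMAccountName": ["david.b"], "displayName": ["David B"],
     "mail": []},  # identity attribute missing: the entry that aborted the search
    {"sAMAccountName": ["david.c"], "cn": ["david.c"],
     "mail": ["david.c@example.test"]},
]

# Same wording as the message the fixed version logs (quoted in the thread).
IGNORED_MSG = "[LDAPCP] A user was ignored because it is missing the identity attribute '{attr}'"


def identity_value_unguarded(entry, identity_attribute="mail"):
    """The flawed pattern: index the value list without checking it is non-empty."""
    return entry.get(identity_attribute, [])[0]


def unguarded_search_fails(results, identity_attribute="mail"):
    """True when processing the result set raises on an entry with no identity value.

    One bad entry aborts the whole loop, so the good results are lost as well,
    which is why the people picker returned nothing."""
    try:
        for entry in results:
            identity_value_unguarded(entry, identity_attribute)
    except IndexError:
        return True
    return False


@dataclass
class ProcessingOutcome:
    permissions: list = field(default_factory=list)  # identity values accepted
    skipped: list = field(default_factory=list)      # sAMAccountName of ignored entries
    log_lines: list = field(default_factory=list)    # what the guarded version records


def process_results(results, identity_attribute="mail"):
    """Guarded version: skip entries lacking the identity attribute and keep going."""
    outcome = ProcessingOutcome()
    for entry in results:
        values = entry.get(identity_attribute) or []
        if not values:
            account = (entry.get("sAMAccountName") or ["<unknown>"])[0]
            outcome.skipped.append(account)
            outcome.log_lines.append(IGNORED_MSG.format(attr=identity_attribute))
            continue
        outcome.permissions.append(values[0])
    return outcome


if __name__ == "__main__":
    print("unguarded raises:", unguarded_search_fails(SAMPLE_RESULTS))
    out = process_results(SAMPLE_RESULTS)
    print("accepted:", out.permissions)
    print("skipped:", out.skipped)
    for line in out.log_lines:
        print(line)
```

The `skipped` list is the operational part: when the identity claim is mail, an account with no mail value can never be resolved by the picker, so the accounts the guarded loop ignores are the ones to either populate or, as the reporter did, stop relying on mail for.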

Joeostr commented on August 10, 2024

I'll give it a shot next week. If you can share your contact details with me, I'll PM you with the results.

Thank you for a fantastic solution!


Yvand commented on August 10, 2024

Hi @Joeostr, did you have time to test the update?


Yvand commented on August 10, 2024

Closing issue since @Joeostr is unresponsive.

