
Comments (21)

desmondkung commented on August 10, 2024

Sent you 3 problem step recorder files for the following scenarios. All of them have an identical error.

  1. With default LDAP
  2. With no LDAP
  3. With default LDAP and random LDAP

from ldapcp.

Yvand commented on August 10, 2024

@desmondkung the error happens because there is no group claim type set in the trust in your environment.
I opened PR #207 to handle this correctly.

In the meantime, you can fix the issue in the current version by removing the group claim type from the LDAPCPSE configuration, using the script below:

Add-Type -AssemblyName "Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740"
$config = [Yvand.LdapClaimsProvider.LDAPCPSE]::GetConfiguration()
$settings = $config.Settings
$settings.ClaimTypes.Remove($settings.ClaimTypes.GroupIdentifierConfig)
$config.ApplySettings($settings, $true)

from ldapcp.
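
The workaround from the comment above, written as a guarded function (an added example, not part of the original comment or of the LDAPCP project). It removes the group claim type only when the trust maps no claim type other than the identity claim, which is a conservative reading of "no group claim type set in the trust". The function name, the `-Apply` switch and the null check on `GetConfiguration()` are assumptions of this example.

```powershell
# Added example. Run in the SharePoint Management Shell on a farm server.
# "YOUR_SPTRUST_NAME" is a placeholder for the name of your trust.
function Remove-LdapcpGroupClaimTypeIfUnmapped {
    param(
        [Parameter(Mandatory = $true)][string]$TrustName,
        [switch]$Apply   # without -Apply the function only reports what it would do
    )

    $trust = Get-SPTrustedIdentityTokenIssuer $TrustName -ErrorAction Stop

    # Claim types mapped in the trust, excluding the identity claim.
    $nonIdentity = @($trust.ClaimTypeInformation | Where-Object { -not $_.IsIdentityClaim })
    if ($nonIdentity.Count -gt 0) {
        # One of these may be the group claim type, so do not touch the configuration.
        Write-Output "Trust maps non-identity claim types; configuration left unchanged:"
        $nonIdentity | ForEach-Object { Write-Output "  $($_.MappedClaimType)" }
        return
    }

    Add-Type -AssemblyName "Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740"
    $config = [Yvand.LdapClaimsProvider.LDAPCPSE]::GetConfiguration()
    # Assumption: a missing configuration is returned as $null.
    if ($null -eq $config) { throw "No LDAPCPSE configuration found." }
    $settings = $config.Settings

    $groupConfig = $settings.ClaimTypes.GroupIdentifierConfig
    if ($null -eq $groupConfig) {
        Write-Output "No group claim type in the LDAPCPSE configuration; nothing to do."
        return
    }
    if (-not $Apply) {
        Write-Output "Would remove the group claim type from LDAPCPSE. Re-run with -Apply."
        return
    }

    # Same two calls as the original workaround.
    [void]$settings.ClaimTypes.Remove($groupConfig)
    $config.ApplySettings($settings, $true)
    Write-Output "Group claim type removed from the LDAPCPSE configuration."
}

# Dry run first; add -Apply to persist the change.
Remove-LdapcpGroupClaimTypeIfUnmapped -TrustName "YOUR_SPTRUST_NAME"
```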

desmondkung commented on August 10, 2024

Alright! I'll test this out tomorrow morning =)

Yvand commented on August 10, 2024

I just published a nightly build which contains this fix.

desmondkung commented on August 10, 2024

Just tested. No more error messages =) Will the release build be created soon? Else, I might just use this nightly first.
Thank you so much!

Yvand commented on August 10, 2024

@desmondkung this is clearly unexpected. You can add an LDAPS entry using this PowerShell script:

Add-Type -AssemblyName "Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740"
$config = [Yvand.LdapClaimsProvider.LDAPCPSE]::GetConfiguration()
$settings = $config.Settings

# Add a new LDAP connection (LDAPS on port 636)
$ldapConnection = New-Object "Yvand.LdapClaimsProvider.Configuration.LdapConnection"
$ldapConnection.LdapPath = "LDAP://contoso.local:636/DC=contoso,DC=local"
$ldapConnection.Username = "<account>"
$ldapConnection.Password = "<password>"
$ldapConnection.EnableAugmentation = $true
$settings.LdapConnections.Add($ldapConnection)
$config.ApplySettings($settings, $true)

To understand your scenario, can you send the output of this:

$trust = Get-SPTrustedIdentityTokenIssuer "YOUR_SPTRUST_NAME"
$trust.ClaimTypeInformation | fl MappedClaimType, IsIdentityClaim

desmondkung commented on August 10, 2024

Hi @Yvand,

MappedClaimType: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
IsIdentityClaim: True

desmondkung commented on August 10, 2024

Is there a way to reset all LDAPCPSE settings back to default via PowerShell so that I can try again? Including the removal of the recently added LDAPS connection.

desmondkung commented on August 10, 2024

Current LDAP settings:

Identifier                           : fe5fe0de-8c6a-48f6-8fff-d28e704771b6
LdapPath                             : Connect to SharePoint domain
Username                             : 
Password                             : 
AdditionalMetadata                   : 
AuthenticationType                   : Secure, Signing, Sealing
UseDefaultADConnection               : True
EnableAugmentation                   : False
GetGroupMembershipUsingDotNetHelpers : False
GroupMembershipLdapAttributes        : {memberOf, uniquememberof}
LdapEntry                            : System.DirectoryServices.DirectoryEntry
LdapEntryServerAndPort               : LDAP://<removed>
InitializationSuccessful             : False
DomainName                           : 
DomainFQDN                           : 
DomaindistinguishedName              : 
UpgradedPersistedProperties          : {}

Identifier                           : 9b9ec788-ad57-44e8-841d-5dabc8107cac
LdapPath                             : LDAP://<removed>
Username                             : <domain\username removed>
Password                             : <removed>
AdditionalMetadata                   : 
AuthenticationType                   : Secure, Signing, Sealing
UseDefaultADConnection               : False
EnableAugmentation                   : False
GetGroupMembershipUsingDotNetHelpers : False
GroupMembershipLdapAttributes        : {memberOf, uniquememberof}
LdapEntry                            : System.DirectoryServices.DirectoryEntry
LdapEntryServerAndPort               : LDAP://<removed>
InitializationSuccessful             : False
DomainName                           : 
DomainFQDN                           : 
DomaindistinguishedName              : 
UpgradedPersistedProperties          : {}

Yvand commented on August 10, 2024

> Is there a way to reset all LDAPCPSE settings back to default via PowerShell so that I can try again? Including the removal of the recently added LDAPS connection.

You can run those commands to delete and recreate the configuration:

[Yvand.LdapClaimsProvider.LDAPCPSE]::DeleteConfiguration()
[Yvand.LdapClaimsProvider.LDAPCPSE]::CreateConfiguration()

desmondkung commented on August 10, 2024

  1. I've deleted and re-created the configuration via PowerShell by running those two commands.
  2. In central admin, I deleted the default LDAP connection to SharePoint domain and added only the LDAP server I want to connect to.
  3. Clicked on the "Test LDAP Connection" and it passed.
  4. Clicked on "Add LDAP Connection", then click on "OK" at the top.
  5. Back at the Security page, click on "Global configuration" and error appears.

desmondkung commented on August 10, 2024

Another way to reproduce.

  1. Delete and re-create the configuration via PowerShell.
  2. In central admin, go to security, click on global configuration.
  3. Click on "OK" button at the top.
  4. Back at the Security page, click on "Global configuration" and error appears.

Yvand commented on August 10, 2024

Can you check the SharePoint log on the server running CA, filter on Product/Area LDAPCP, and verify if errors/messages are recorded?

desmondkung commented on August 10, 2024

There's only 1 line if I filter ULS logs via Product.

"Successfully updated configuration 'LDAPCPSEConfig' with Id <guid>"

Yvand commented on August 10, 2024

@desmondkung the log is not giving more information. I would really like to understand the root cause: Are you able to repro the issue, whatever you type in the new LDAP connection? Can you repro if you remove the default LDAP connection?

desmondkung commented on August 10, 2024

> @desmondkung the log is not giving more information. I would really like to understand the root cause: Are you able to repro the issue, whatever you type in the new LDAP connection? Can you repro if you remove the default LDAP connection?

I can try tomorrow morning.
To make sure I understand correctly, are you asking if I remove the default LDAP connection, leaving it with no LDAP connection, will the issue occur?

BTW, the log you are referring to, does it include the ULS log I sent to your mail?

Yvand commented on August 10, 2024

Yes, basically I'm curious if you can reproduce the issue even with typing dummy data, e.g. LDAP://whatever.
Or, if it requires a specific test.
And also, if it depends on whether the default connection is present or not.
I'm sure it is a bug, but right now I cannot repro it. I hope I will be able to repro with your help.

Yes, I reviewed the log you sent, and it contains nothing helpful.

desmondkung commented on August 10, 2024

Error: Value cannot be null. Parameter name: type.

Yvand commented on August 10, 2024

Weird that I did not repro it, but it should be fixed in b4c5d97.

desmondkung commented on August 10, 2024

I think the only way left to tell would be to deploy the new release once your pull request is done.

Yvand commented on August 10, 2024

Thanks for confirming!
