Create "linked to identity claim" entry for different LDAP class about ldapcp HOT 2 CLOSED

Seems more complex than I thought.

My identity claim type is http://...../upn. I have users from several directories, AD and some 3rd party LDAP.

What I want to configure is:

• In AD, my users have "objectclass=user" and their username is stored in attribute "userPrincipalName"
• In LDAP number 1, they have "objectclass=person" and username is stored in attribute "cn"
• In LDAP number 2, they have "objectclass=inetOrgPerson" and username is stored in attribute "userid"

For AD it is working of course. However I don't find how to configure my LDAP directories.
Is it possible to have such configuration in LDAPCP?
(it seems I cannot have more than one claim type http://...../upn defined, so the username has to be stored in attribute "userPrincipalName", no matter the directory)

from ldapcp.

Hi @matthieu-bt

Indeed, by default LDAPCP expects that objectclass of users is "user", but you can change this if you delete and recreate the mapping in LDAPCP page "claims mapping".

But as you noticed, you cannot specify a different objectclass based on the LDAP server it is hitting.

In theory, you could specify a different LDAP filter for each LDAP server if you created a custom version of LDAPCP and override method LDAPCP.GetLDAPFilter().
The method sets the LDAP filter per LDAP server.
The query would work as you wish but it would fail later during the processing of the results, because LDAPCP expects that there is 1 objectclass per object type.
Unfortunately, changing the design to fit your need would be a huge work.

The best solution I can think of is to use an objectclass that would fit all LDAP servers, You can set this objectclass in LDAPCP "claims mapping" page for each claim type that represents a user.
Would that be possible?

from ldapcp.