LDAPCP not permissioning groups (issue on ldapcp, closed, 19 comments)

yvand commented on August 10, 2024

LDAPCP not permissioning groups

from ldapcp.

Comments (19)

Yvand commented on August 10, 2024

By default LDAPCP creates group claims with the FQDN of groups as value, e.g. contoso.local\groupName.
You need to ensure that the STS uses the same format for the group. Otherwise, you can change the format of the groups in the LDAPCP Claims mapping page.

mpatrick210 commented on August 10, 2024

We added the FQDN piece back to the claims mapping; however, we still see no permissions based on the groups that we pull in. Again, it pulls in the groups; we just don't get permissions assigned based on the groups...

mpatrick210 commented on August 10, 2024

Here is the error I get when trying to enable augmentation:

Unexpected [LDAPCP] Unexpected error while getting group membership of user in LDAP://CONNECTION: System.DirectoryServices.DirectoryServicesCOMException: The user name or password is incorrect. , Callstack: at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.PropertyValueCollection.PopulateList() at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) at System.DirectoryServices.PropertyCollection.get_Item(String propertyName) at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer() at System.DirectoryServices.A... a8de6e9e-8734-9052-8aed-6de740ef04a3
06/07/2018 14:34:50.69* w3wp.exe (USFED164131:0x1740) 0x1778 LDAPCP Augmentation 1337 Unexpected ...ccountManagement.PrincipalContext.DoDomainInit() at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx() at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate) at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue) at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue) at ldapcp.LDAPCP.<>c__DisplayClass47_0.b__0(DirectoryEntry directory) a8de6e9e-8734-9052-8aed-6de740ef04a3

The LDAP connection tests out and works for user accounts, but I'm not sure what "user name/password" it is looking for to find group memberships...

Yvand commented on August 10, 2024

In this case, it uses the account running the process, so in this case the farm account, since the w3wp of the STS runs with the farm account.
To use the credentials that you set in the LDAP connection, you need to uncheck "This is an Active Directory server, use UserPrincipal.GetAuthorizationGroups".
Can you try this?
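
The two points made so far, the group claim value format (FQDN\groupName by default) and which account performs the bind during augmentation, as an added example that is not LDAPCP's own code. `LdapConnectionSettings`, `GroupAugmentationExample` and every field name are assumptions of this example; the stack trace in the thread shows `PrincipalContext` being initialised through `DoDomainInit`, i.e. without explicit credentials, so the bind ran as the STS worker process account instead of the account configured on the connection. The example shows the same two lookups with the connection credentials passed explicitly, and renders each group in the `contoso.local\groupName` format so that what the STS issues can be compared against it.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Text;

// Hypothetical stand-in for one LDAP connection registered in LDAPCP's Augmentation settings.
public sealed class LdapConnectionSettings
{
    public string Path;                     // e.g. "LDAP://dc01.contoso.local/DC=contoso,DC=local" (assumed value)
    public string DomainFqdn;               // e.g. "contoso.local"; prefix of the group claim value
    public string Username;                 // credentials entered on the LDAP connection
    public string Password;
    public bool UseGetAuthorizationGroups;  // the "This is an Active Directory server..." checkbox
    public bool PrefixGroupsWithFqdn = true; // LDAPCP default: value is FQDN\groupName
}

public static class GroupAugmentationExample
{
    // Group claim values for one user, in the format the SharePoint permission entries must use.
    public static IList<string> GetGroupClaimValues(LdapConnectionSettings conn, string identityValue)
    {
        IEnumerable<string> names = conn.UseGetAuthorizationGroups
            ? GroupsViaPrincipalContext(conn, identityValue)
            : GroupsViaDirectorySearcher(conn, identityValue);
        var values = new List<string>();
        foreach (string name in names)
            values.Add(conn.PrefixGroupsWithFqdn ? conn.DomainFqdn + "\\" + name : name);
        return values;
    }

    // Active Directory path. A PrincipalContext built without credentials binds as the process
    // identity (the farm account in the STS w3wp); passing the connection's username/password
    // makes the bind use that account instead. GetAuthorizationGroups expands nested membership.
    static IEnumerable<string> GroupsViaPrincipalContext(LdapConnectionSettings conn, string identityValue)
    {
        var names = new List<string>();
        using (var ctx = new PrincipalContext(ContextType.Domain, conn.DomainFqdn, null, conn.Username, conn.Password))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, identityValue))
        {
            if (user == null) return names;
            using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
            {
                foreach (Principal group in groups)
                {
                    if (group.SamAccountName != null) names.Add(group.SamAccountName);
                    group.Dispose();
                }
            }
        }
        return names;
    }

    // Generic LDAP path: bind with the connection credentials and read memberOf of the entry
    // whose identity attribute (here 'mail', as in the thread's logs) matches. Direct membership only.
    static IEnumerable<string> GroupsViaDirectorySearcher(LdapConnectionSettings conn, string identityValue)
    {
        var names = new List<string>();
        string filter = "(&(objectClass=user)(mail=" + EscapeLdapFilterValue(identityValue) + "))";
        using (var root = new DirectoryEntry(conn.Path, conn.Username, conn.Password, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root, filter, new[] { "memberOf" }))
        {
            SearchResult result = searcher.FindOne();
            if (result == null) return names;
            foreach (object dn in result.Properties["memberOf"])
                names.Add(FirstRdnValue((string)dn));
        }
        return names;
    }

    // RFC 4515 escaping so the identity value cannot change the structure of the filter.
    public static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // "CN=SP-Readers,OU=Groups,DC=contoso,DC=local" -> "SP-Readers".
    // Stops at the first unescaped comma; a comma inside the CN is escaped as "\," in a DN.
    public static string FirstRdnValue(string distinguishedName)
    {
        int start = distinguishedName.IndexOf('=') + 1;
        var sb = new StringBuilder();
        for (int i = start; i < distinguishedName.Length; i++)
        {
            char c = distinguishedName[i];
            if (c == '\\' && i + 1 < distinguishedName.Length) { sb.Append(distinguishedName[++i]); continue; }
            if (c == ',') break;
            sb.Append(c);
        }
        return sb.ToString();
    }
}
```

Whatever the lookup path, SharePoint only matches a permission entry to a token claim when type and value agree, so a permission granted to `contoso.local\SP-Readers` does nothing for a token that carries `CONTOSO\SP-Readers` or a bare `SP-Readers`; ADFS can issue groups unqualified, qualified by the NetBIOS name, or qualified by the DNS domain name, and only the last matches LDAPCP's default. The explicit-credential bind also means the configured account needs only read access to the directory, which is the least privilege this lookup requires.
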

mpatrick210 commented on August 10, 2024

I'm not sure I follow where to make the change. I do not see any place in the LDAPCP Configuration where I check/uncheck "This is an Active Directory Server". Also, I am not sure I follow using "UserPrincipal.GetAuthorizationGroups"....

Can you give a little more detail on how to do what you are asking?

Yvand commented on August 10, 2024

In Central administration > Security > LDAPCP global settings: there is a section "Augmentation" that lists the LDAP/AD servers that are registered. This is where you can update the settings.

But this is a workaround; you shouldn't have to set this, and LDAPCP should use the credentials you set in your scenario. This is a bug and I will fix it in the next version.

mpatrick210 commented on August 10, 2024

This is the setting I had set up when I received the errors in the log I attached before. When I remove that altogether, I don't really get any activity against groups.

[screenshot attached]

Yvand commented on August 10, 2024

What is the LDAPCP version you are using?

mpatrick210 commented on August 10, 2024

LDAPCP v5.1

Yvand commented on August 10, 2024

This version doesn't have the setting. You can update to the current one, or wait for the new version (probably next week) that will fix the bug.

mpatrick210 commented on August 10, 2024

What are the implications or downtime associated with updating LDAPCP? I am using ADFS, of course, which leverages the solution. So I would retract/remove the solution and add it back, and once I have my LDAP connection back in, it should just work as if it were never removed, correct?

Also, a little more background on this: we are trying to pull user and group information across domains, meaning the farm lives in one domain, and we are pulling user accounts and group information from a different domain. I would think this wouldn't necessarily be a problem, as this is sort of what this is all designed to allow for, but wanted to be sure.

I appreciate all your help and prompt responses on this...my management is getting antsy on this issue. :-)

mpatrick210 commented on August 10, 2024

Updated the solution...do I need to check the box next to "Query this server" instead of "This is an active directory server...."?

Yvand commented on August 10, 2024

If you check the box "This is an active directory server...." you will have the same issue.
In the next version, it will work regardless of this checkbox value.
Can you confirm issue is resolved?

mpatrick210 commented on August 10, 2024

It's still not working as expected, unfortunately. In the logs when I turned on Augmentation, I get the same error, and if I don't use augmentation, I don't get anything really that tries to associate my account with a group.

mpatrick210 commented on August 10, 2024

This is the current solution, correct? LDAPCP v2017.10

Yvand commented on August 10, 2024

Using v2017.10, it should work if you do not check the box "This is an active directory server....", otherwise you will get the same error.
With the next version (not published yet), it should work in all scenarios.

mpatrick210 commented on August 10, 2024

From this morning's testing, it looks like augmentation is working, but I am still not able to get permissions from the groups. I rebuilt the token issuer and reset the LDAPCP settings, and was able to at least see that groups seemed to be associated with my user account. But I am still getting access denied based on the group alone... below are the logs showing what looks to be successful augmentation:

06/11/2018 09:34:55.41 w3wp.exe (ServerName:0x04DC) 0x0AEC LDAPCP Core 1337 Medium [LDAPCP] LdapcpConfig PersistedObject changed, refreshing configuration 2417709e-9779-9052-8aed-61aa56322ad4
06/11/2018 09:34:55.61 w3wp.exe (ServerName:0x04DC) 0x0AEC LDAPCP Augmentation 1337 Medium [LDAPCP] Domain .com returned 97 groups for user [email protected]. Lookup took 53ms on LDAP server 'LDAP://' 2417709e-9779-9052-8aed-61aa56322ad4
06/11/2018 09:34:55.61 w3wp.exe (ServerName:0x04DC) 0x0AEC LDAPCP Augmentation 1337 Medium [LDAPCP] User '[email protected]' was augmented with 97 groups of claim type 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' 2417709e-9779-9052-8aed-61aa56322ad4
06/11/2018 09:34:55.64 w3wp.exe (ServerName:0x176C) 0x1F9C LDAPCP Core 1337 Medium [LDAPCP] LdapcpConfig PersistedObject changed, refreshing configuration 2417709e-9779-9052-8aed-61aa56322ad4
06/11/2018 09:35:39.80 w3wp.exe (ServerName:0x07D4) 0x0C54 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] A user was ignored because it is missing the identity attribute 'mail' 0717709e-5739-9052-89fa-eb1ba7167987
06/11/2018 09:39:02.98 w3wp.exe (ServerName:0x2488) 0x2768 LDAPCP Configuration 1337 Medium Updated PersistedObject LdapcpConfig to version 4461931 6017709e-97ec-9052-f3cd-ab03fc0eb9bb
06/11/2018 09:40:02.97 w3wp.exe (ServerName:0x04DC) 0x0AF4 LDAPCP Core 1337 Medium [LDAPCP] LdapcpConfig PersistedObject changed, refreshing configuration 6f17709e-f78f-9052-8aed-6d9ddb36cddf
06/11/2018 09:40:02.98 w3wp.exe (ServerName:0x04DC) 0x1D80 LDAPCP Augmentation 1337 Medium [LDAPCP] Domain .com returned 11 groups for user [email protected]. Lookup took 5ms on LDAP server 'LDAP://'
06/11/2018 09:40:03.14 w3wp.exe (ServerName:0x04DC) 0x0AF4 LDAPCP Augmentation 1337 Medium [LDAPCP] Domain .com returned 97 groups for user [email protected]. Lookup took 53ms on LDAP server 'LDAP://' 6f17709e-f78f-9052-8aed-6d9ddb36cddf
06/11/2018 09:40:03.14 w3wp.exe (ServerName:0x04DC) 0x0AF4 LDAPCP Augmentation 1337 Medium [LDAPCP] User '[email protected]' was augmented with 108 groups of claim type 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' 6f17709e-f78f-9052-8aed-6d9ddb36cddf
06/11/2018 09:40:03.19 w3wp.exe (ServerName:0x176C) 0x09F0 LDAPCP Core 1337 Medium [LDAPCP] LdapcpConfig PersistedObject changed, refreshing configuration 6f17709e-f78f-9052-8aed-6d9ddb36cddf

Am I missing something else to make sure that we get permissions leveraging groups?
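
The ULS lines above are the evidence that augmentation itself now succeeds (the user was augmented with N groups of the role claim type), as opposed to the earlier bind failure. The following is an added example, not part of the thread or of LDAPCP, that parses the LDAPCP "Augmentation" category lines into that distinction so the two failure modes (bind fails vs. augmentation works but permissions still do not apply) can be told apart from the log alone. `AugmentationRecord`, `LdapcpUlsAugmentationParser` and the sample lines are constructed for this example; the sample lines follow the shape of those posted above but use placeholder user and server names, and the timestamp is assumed to be in the US month/day format shown in the thread.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;

// One parsed LDAPCP Augmentation log line.
public sealed class AugmentationRecord
{
    public DateTime Timestamp;
    public string User;        // identity value that was augmented, or null
    public int GroupCount;     // groups added to the token, or -1 when no augmentation happened
    public string ClaimType;   // claim type used for the group claims, or null
    public bool BindFailed;    // line reports "The user name or password is incorrect"
}

public static class LdapcpUlsAugmentationParser
{
    const string TimestampFormat = "MM/dd/yyyy HH:mm:ss.ff";

    // ULS prefix: timestamp (with optional '*' marker), process, thread, product, category, event id, level.
    static readonly Regex Prefix = new Regex(
        @"^(?<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\*?\s+w3wp\.exe\s+\(.+?\)\s+0x[0-9A-Fa-f]+\s+" +
        @"LDAPCP\s+Augmentation\s+1337\s+(?<level>\w+)\s+(?<msg>.*)$",
        RegexOptions.Compiled);

    // Success message written when groups were actually added to the token.
    static readonly Regex Augmented = new Regex(
        @"\[LDAPCP\] User '(?<user>[^']+)' was augmented with (?<n>\d+) groups of claim type '(?<type>[^']+)'",
        RegexOptions.Compiled);

    // Returns null for lines that are not LDAPCP Augmentation lines.
    public static AugmentationRecord Parse(string line)
    {
        Match m = Prefix.Match(line);
        if (!m.Success) return null;

        var rec = new AugmentationRecord
        {
            Timestamp = DateTime.ParseExact(m.Groups["ts"].Value, TimestampFormat, CultureInfo.InvariantCulture),
            GroupCount = -1
        };
        string msg = m.Groups["msg"].Value;

        Match a = Augmented.Match(msg);
        if (a.Success)
        {
            rec.User = a.Groups["user"].Value;
            rec.GroupCount = int.Parse(a.Groups["n"].Value, CultureInfo.InvariantCulture);
            rec.ClaimType = a.Groups["type"].Value;
        }
        else if (msg.Contains("The user name or password is incorrect"))
        {
            // The bind ran under an account the directory rejected (in the thread: the process identity).
            rec.BindFailed = true;
        }
        return rec;
    }

    public static void Main()
    {
        // Constructed sample lines (placeholder names), in the format of the thread's ULS output.
        string[] lines =
        {
            "06/11/2018 09:34:55.61 w3wp.exe (ServerName:0x04DC) 0x0AEC LDAPCP Augmentation 1337 Medium [LDAPCP] User 'user@contoso.local' was augmented with 97 groups of claim type 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' 2417709e-9779-9052-8aed-61aa56322ad4",
            "06/07/2018 14:34:50.69* w3wp.exe (ServerName:0x1740) 0x1778 LDAPCP Augmentation 1337 Unexpected [LDAPCP] Unexpected error while getting group membership of user in LDAP://dc01.contoso.local: System.DirectoryServices.DirectoryServicesCOMException: The user name or password is incorrect.",
            "06/11/2018 09:34:55.41 w3wp.exe (ServerName:0x04DC) 0x0AEC LDAPCP Core 1337 Medium [LDAPCP] LdapcpConfig PersistedObject changed, refreshing configuration 2417709e-9779-9052-8aed-61aa56322ad4"
        };

        foreach (string line in lines)
        {
            AugmentationRecord r = Parse(line);
            if (r == null) Console.WriteLine("not an Augmentation line");
            else if (r.BindFailed) Console.WriteLine(r.Timestamp + ": bind failed; check which account performed the bind");
            else if (r.GroupCount >= 0) Console.WriteLine(r.Timestamp + ": " + r.User + " -> " + r.GroupCount + " groups as " + r.ClaimType);
            else Console.WriteLine(r.Timestamp + ": other Augmentation message");
        }
    }
}
```

A record with `GroupCount >= 0` means the token did receive group claims; if access is still denied at that point, the remaining suspects are the value format of the group claims versus the permission entries and the trust provider configuration, which is what the rest of the thread works through, not the directory bind.
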

Yvand commented on August 10, 2024

I just published version 10, that should completely fix the issue.
Can you give it a try?

mpatrick210 commented on August 10, 2024

I was able to get the previous version you sent me to work late yesterday evening. I had to rebuild the trust provider, and select only "Query this server" under augmentation. I appreciate your help on this...I now have to move these changes to our production farm, so fingers crossed everything I did on our Stage farm will work on Prod!

Thanks!!
