Friday, July 3, 2009

SharePoint and Novell eDirectory LDAP

Setting up an LDAP authentication source in SharePoint is well documented, so I'm not going to reinvent the wheel here, but I will give some of the nuances of how I deployed it and glue the documentation together.

My company has invested in Novell eDirectory for its identity management deployment. With eDirectory, we're able to consolidate and sync multiple LDAPs so current users get a single sign-on experience. It also provides account self-provisioning and management for users via an externally facing website.

First the links:
  • Microsoft documents multiple authentication providers for SharePoint and setting up an LDAP membership provider with examples here.
  • Nick Kellett did a great job documenting every step required to connect the eDirectory LDAP here.
  • Wen He provided a piece Nick missed to expose the LDAP through the SharePoint people picker here.
  • My own blog details some steps to push out the web.config changes to all of your farm web apps here.

Now here's what I did:

  • Planned out the membership provider attributes to use in the web.config.
  • Downloaded and installed the free Softerra LDAP browser recommended in Nick Kellett's post on a web front-end server in my test farm.
  • Obtained the Novell LDAP server name and port information from the team at my company that manages Novell eDirectory.
  • Entered the server information and port into the LDAP browser and started browsing objects.
  • Drilled down in the browser to the user container object, simply right-clicked on the container and took the LDAP path from the properties screen to use in the provider.
  • Started browsing the available attributes of users.
  • Decided on using the mail attribute for the login in the provider: setting userNameAttribute='mail' means that when people use this form of authentication, they use their e-mail address as their username. We have both employees and non-employee content managers using this authentication to SharePoint sites in our DMZ. With this, our employees can log in with their e-mail address and the same password they use to log in to our network. External users can also log in with their e-mail address and a password they set and maintain by visiting an externally facing site.
  • Tested and discovered that useDNAttribute='false' has to be set -- which kind of renders some of the other attributes useless -- but a value of 'true' makes your entire provider useless.
  • My provider looks like this:
    <add name='IDM'
         type='Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C'
         server='[ldap server name]'
         port='389'
         useSSL='false'
         useDNAttribute='false'
         userDNAttribute='cn'
         userNameAttribute='mail'
         userContainer='[LDAP path discovered using the LDAP browser]'
         userObjectClass='person'
         userFilter='(ObjectClass=*)'
         scope='Subtree'
         otherRequiredUserAttributes='sn,givenname,cn' />

  • The usage will be in a DMZ, so I had the firewall opened up on ports 389 and 686 (used for SSL) bi-directionally between the internal NIC IP addresses of all of the web front-end servers and the eDirectory LDAP server IP.
  • Through the SharePoint Central Administration site, extended the web apps to the Custom zone (our default zone uses Windows-based authentication).
  • Manually added the peoplepicker and provider values to the Central Admin site web.config.
  • Ran the PowerShell script detailed in my previous blog to update the web.config files for all of my portal web applications (see link above).
  • Updated the zone provider for all the portals via a batch file -- for this, I threw in an stsadm command like the following for each of the newly extended sites (I used a batch file to save my Operations team from having to perform the same steps through Central Admin -- this also prevents the chance of them putting in a wrong value):
    stsadm -o authentication -url http://[extended site host header value] -type forms -membershipprovider [membership provider name] -allowanonymous
  • In Central Administration, added site collection administrator for one of the root portal sites (browsed through people picker and was able to select my e-mail address).
  • Opened IIS and browsed to the new website, where I was prompted with the standard SharePoint forms login page. Entered my e-mail address and network password and successfully signed in.
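As an added example (not code from the original post), here is a small Python check that parses a web.config, finds each LDAPMembershipProvider entry and reports on the attributes the walkthrough above relied on: the required settings, the useDNAttribute gotcha, and whether the bind is protected by SSL. The embedded web.config fragment is constructed; its server name, container and port are placeholders, not values from a real deployment.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment modelled on the provider entry in this post;
# the server and container values are placeholders, not a real deployment's.
WEB_CONFIG = """<configuration><system.web><membership><providers>
<add name="IDM"
     type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
     server="ldap.example.invalid" port="389" useSSL="false"
     useDNAttribute="false" userDNAttribute="cn" userNameAttribute="mail"
     userContainer="ou=users,o=example" userObjectClass="person"
     userFilter="(ObjectClass=*)" scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn" />
</providers></membership></system.web></configuration>"""
LDAP_PROVIDER = "Microsoft.Office.Server.Security.LDAPMembershipProvider"
REQUIRED = ("server", "port", "userContainer", "userObjectClass",
            "userNameAttribute", "userFilter", "otherRequiredUserAttributes")

def ldap_providers(root):
    """Yield every <add> element whose type is the SharePoint LDAP membership provider."""
    for add in root.iter("add"):
        if add.get("type", "").split(",")[0].strip() == LDAP_PROVIDER:
            yield add

def audit_ldap_providers(config_xml):
    """Return {provider name: [findings]} for each LDAP provider in a web.config."""
    report = {}
    for add in ldap_providers(ET.fromstring(config_xml)):
        issues = [f"missing attribute {a}" for a in REQUIRED if not add.get(a)]
        # The post found the provider only works with useDNAttribute='false'.
        if add.get("useDNAttribute", "").lower() != "false":
            issues.append("useDNAttribute must be 'false'")
        # A simple bind over plain LDAP sends the user's password in cleartext;
        # useSSL='true' on the server's LDAPS port (636 by default) protects it.
        if add.get("useSSL", "false").lower() != "true":
            issues.append(f"useSSL is not 'true': cleartext bind on port {add.get('port')}")
        report[add.get("name", "?")] = issues
    return report

def set_provider_attrs(config_xml, name, **attrs):
    """Return a copy of the config with the named provider's attributes overridden."""
    root = ET.fromstring(config_xml)
    for add in ldap_providers(root):
        if add.get("name") == name:
            add.attrib.update(attrs)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(audit_ldap_providers(WEB_CONFIG))
    print(audit_ldap_providers(set_provider_attrs(WEB_CONFIG, "IDM", useSSL="true", port="636")))
```

Run it against the real web.config by reading the file into audit_ldap_providers instead of the embedded fragment; an empty findings list for a provider means every check passed.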
