With SharePoint 2010, you now have the ability to synchronize user profiles between the SharePoint profile database and user repositories such as Active Directory, SUN One LDAP, IBM Tivoli, and Novell eDirectory. If you have a custom user repository such as a database, or any other source, you can still synchronize profiles using Business Data Connectivity.
Figure 1: Types of synchronization connections available in SharePoint 210
In this post, I will explain how you can set up profile synchronization between SharePoint 2010 and Sun LDAP Server.
User Profile Synchronization in SharePoint 2010 - Background
User profile synchronization in SharePoint 2010 is what used to be profile import in MOSS 2007 (configured from SSP administration page). The reason why the terminology has been changed is that in MOSS 2007, the user properties of user profiles used to flow one way, from Active Directory (or other LDAP system) to the SharePoint profile database. For example, if a user’s telephone number was changed in Active Directory, the information used to flow into the SharePoint profile database after an import. However, if a user changed their telephone number from their MySite (which shows information from the profile database), the updated telephone number could not flow back to the user’s Active Directory account. In SharePoint 2010, with every profile property, you can configure a synchronization direction (either import or export). If you choose the direction to be “import” the source of the property’s value will be the external system (Active Directory, SUN LDAP etc.), and the property’s value will be copied from the external system to the SharePoint profile database. If you choose the direction to be “export”, the source of the profile property will be the SharePoint profile database. So if a user updates their profile property (such as their picture), that infromation would flow back to the external system after an incremental synchronization.
Figure 2: Configuring synchronization flow in SharePoint 2010
Hope this explains why profile import is now called profile synchronization, now let’s get started with creating a synchronization connection between SharePoint 2010 and SUN LDAP.
Step 1: Collect Information about the SUN LDAP Server
First things first. Before you begin, you will need the following information about your SUN LDAP Server:
- The server name (name of the computer where SUN LDAP is running)
- The port that the LDAP is listening on (By default, LDAP traffic flows over port 389)
- The account name that has the appropriate permissions on the LDAP directory. You will also need the account’s password. Note that you will need the account name in the distinguished name format (e.g. “CN=Directory Manager”)
- The LDAP path of the container that contains the user profiles in the SUN LDAP Server (e.g. OU=People,DC=example,DC=com )
- The exact version of the SUN LDAP Server (e.g. Sun-Directory-Server/7.0 B2009.1104.2330)
Step 2: Register a Trusted Authentication Provider
If not already done, you will need to register a trusted authentication provider. The fact that you are synchronization profiles with SUN One also means that users will probably log into SharePoint using their SUN One accounts and Forms Based Authentication. To allow users to log into SharePoint using their SUN one accounts over FBA, you will need to register an authentication provider, and you will then need to use this authentication provider when creating a synchronization connection. If you are using a trusted claims prvider, you can use the clams provider when creating the synchronization connection.
It is important to understand that profile synchronization does not use the authentication provider at all. Profile synchronization is just interested in knowing the authentication provider that you are using to allow users to log into SharePoint, The reason for this is that when a user logs into a SharePoint site, a profile for the user is created in the SharePoint site collection database. On the other hand, the profiles that you import from Acitve Directory or SUN One LDAP are stored in the SharePoint profile database. To enable MySites functionality and updated user information across all site collections, the user profiles in the site collection database need to be “linked” to a profile in the profile database. This is the reason why we need to tell profile synchronization about the authentication provider that the profiles should be linked to.
If you have already registered your claims or trusted authentication provider, you can skip the rest of this section and move to the next step. Otherwise, complete the following steps to create a new web application and a trusted authentication provider for the web application:
Registering a trusted authentication provider
- We will be modifying the web.config of the central administration site so please create a backup copy of the file before modifying so that we can revert back to it in case something goes wrong.
- Open the web.config file of the central administration web site.
- Search for the “<membership>” tag.
- Between the “<providers>” and “</providers>” element , paste in the following string:
<add name="LDAPmembership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=188.8.131.52, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="SunLDAPServerName" port="389" useSSL="false" userDNAttribute="entryDN" userNameAttribute="uid" userContainer="OU=People,DC=example,DC=com" userObjectClass="InetOrgPerson" userFilter="(&(ObjectClass=InetOrgPerson))" scope="Subtree" otherRequiredUserAttributes="sn,givenName,cn" connectionUsername="cn=Directory Manager" connectionPassword="Password1" />
Note that you will need to modify the above string to match your environment. In most cases, you will need to modify these attributes: server, userContainer, connectionUsername and connectionPassword. Use the information collected in step 1.
- Save and close web.config file
- Open the central administration web site
- From the left navigation bar, click on “Application Management”
- Under “Web Applications”, click on “Manage Web Applications”
- From the Ribbon menu, click on “New”
- Choose “Claims Authentication” as the authentication type
- Select “Enable Forms Based Authentication” and type in the name of the membership provider you added to web.config in step 4, as shown in the following screenshot:
- Fill in all other required values and click “OK”. After the web application gets created, your trusted authentication provider will also get registered.
Step 3: Add the registry entry to the server running the profile synchronization service
In step 1, I had mentioned that you will need to collect the exact build version of the SUN LDAP Server. We will be using that information in this step. If the version of SUN LDAP server is 5.x or lower, you can skip this step and move on to the next step.
The version of SUN LDAP server that I am using is 7.0 (exact build information obtained in step 1: “Sun-Directory-Server/7.0 B2009.1104.2330”). Please log on to the server in your SharePoint farm where the “Forefront Identity Manager Synchronization Service” is running (which is basically FIM), as shown in the following screenshot:
On this server, you will need to edit the registry and add the exact build information of the SUN LDAP Server. Details on how.where the registry entry needs to be made can be found at http://support.microsoft.com/kb/2290443 . Excerpt from the article is provided below:
To resolve this problem, create the following registry key and specify the version of the Sun Java System Directory Server you are attempting to connect to.
Click Start, click Run, type Regedt32, and then click OK.
Locate and then right-click the following registry key:
Click New, and then click Multi-string Value.
Set the following parameter values:
Value name: iPlanetMASupportedServers
Value type: (REG_MULTI_SZ)
Set the value of the registry key to the following value:
Note The precise format of the value will vary in different versions of Sun ONE. Be sure to use the correct version number for your environment.
Step 4: Create the synchronization connection
In this step, we will create the synchronization connection.
- From the central administration web site, browse to the user profile service application management page:
- Click on “Configure Synchronization Connections”
- Click on “Create New Connection”
- Type in the name of the connection
- In the connection type, select “Sun Java System Directory Server”
- In “Directory Service Server Name”, type in the name of the computer where SUN LDAP Server is running (use the information collected in step 1).
- This step is a little tricky.In this step, you will need to select the trusted authentication provider that you would like to associate to the user profiles. This is the same authentication provider that you registered in Step 2. In the “Authentication Provider Type” drop down, select “Trusted Claims Provider Authentication”. If you don’t see your authentication provider in the “Authentication Provider Instance” drop down, select “Forms Authentication” from the “Authentication Provider Type” drop down. Now you should see the authentication provider that you registered in step 2:
HINT: If you don’t see your authentication provider instance in the drop down, toggle the “Authentication Provider Type” to Claims and then back to forms authentication. This should re-populate the list.
- In the “Account Name” text box, type in the distinguished name of the account that has the appropriate permissions on the SUN LDAP Directory (this information was collected in step 1. Example: CN=Directory Manager).
- Type in the password and the password confirmation for the account
- Type in the port that the LDAP server is listening on
- Click on “Populate Containers”. Wait for the containers to be populated and then select the container that contains the user profiles. NOTE: If you get an error when you click on “Populate Containers”, verify that the information you entered in Server Name, Account Name, Password and Port is correct.
- Click OK
After the synchronization connection gets created, go ahead start a full synchronization and you should see user profiles getting synchronized.
- You get the “Unable to process Create message” error when creating the synchronization connection This is a known issue that occurs if you are running Sun 6.x or higher and have not added the registry entry correctly as mentioned in step 3 (Add the registry entry to the server running the profile synchronization service). To resolve this issue, please verify that you have the correct build information about the SUN LDAP Server and edit the registry entry to reflect the correct information. For more information about this problem and the solution, please review http://support.microsoft.com/kb/2290443
- You get the “Unable to process Put message” error when creating the synchronization connection
Please review the application event log of the server where the Forefront Identify Manager Synchronization Service is running. If you see the below error in the event log, you will need to request a configuration change in the SUN LDAP server:
Log Name: Application
Date: 11/21/2010 7:48:34 PM
Event ID: 6306
Task Category: Server
The server encountered an unexpected error while performing an operation for the client.
"ERR: MMS(3564): amparse.cpp(1765): AM: attribute 'givenName' not found in source schema
BAIL: MMS(3564): amparse.cpp(1765): 0x80230516 (The attribute mapping rules XML defines an invalid/incomplete rule.)
The above error occurs if the attribute “nsslapd-return-exact-case” is set to “off” on the SUN LDAP Server. In order to successfully create a synchronization connection between SharePoint and SUN LDAP Server, you will need to set this attribute to “on” while you create the synchronization connection. Once the synchronization connection has been created, you can set this attribute back to “off”. Setting this attribute to “off” causes all the attribute names to be returned in lower case, and SharePoint requires the attributes to be returned per the RFC 2256 standard during connection creation.
- Profile synchronization gets completed but no user profiles get added to the profile database
This is section covers a rather broad range of issues that you may be running into. If the profile synchronization completed but you don’t see any profiles, you should look for errors in the application event log of the server where the Forefront Identify Manager Synchronization Service is running. You can also bring up the FIM client (miisclient.exe from C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell) and see if you find any errors in the latest runs (Operations Tab):
If you don’t find any errors that stand out, there could be two reasons why the profiles are not coming in:
a) The account that you are using to synchronize profiles (one you entered when creating the synchronization connection) does not have the required permissions on the SUN LDAP Server. The account needs to read certain attributes on the LDAP server including nsslapd-sizelimit attribute in cn=config container and lastchangenumber , nsUniqueId and numSubordinates attributes at the root of the container from which user profiles are being synchronized. The account should be able to read all these attributes in the SUN LDAP Server.
b) You have created custom structural object classes in your SUN LDAP Server and associated the custom structural class to the users. In order to add additional attributes to user objects in SUN LDAP, you can create auxiliary or structural object classes. If you create structural object classes and associate them to user objects in SUN LDAP, the default synchronization connection that you created in SharePoint will not be able to synchronize those users. Additional configuration is required within the FIM client in order to import these users. Please contact Microsoft support if you require assistance in getting this configured. We are also working on creating public documentation on how this configuration can be made.
To find out if a users in SUN LDAP have custom structural object classes associated to them, please contact your SUN LDAP administrator. You can also use a tool such as LDP.exe to view the “object-class” LDAP property of the user.
- You are unable to map additional attributes from SUN to SharePoint User Profile Properties
This is also a known issue. I have written another detailed post on how you can create mappings between SharePoint user profile properties and backend LDAP attributes. You can find the post here
I hope this has been a helpful post. Please leave your comments and issues that you are running into with profile synchronization between SharePoint and SUN LDAP, so I can update this post with more information.