Mapping User Profile Properties in SharePoint 2010 to LDAP Attributes


Updated 02/02/2012 – Added two more scenarios to “Known Issues” section based on feedback

Introduction

SharePoint 2010 uses Forefront Identity Manager (FIM) to synchronize user profiles between the SharePoint 2010 profile database and backend user repositories such as Active Directory, SUN Java Directory Server, IBM Tivoli or Novell eDirectory. After you have created a synchronization connection between SharePoint 2010 and the backend user repository, you will usually want to map additional attributes from the backend user repository to SharePoint profile properties, because by default only a handful of attributes get mapped. For example, if you have created a custom attribute in SUN or Active Directory named “EmployeeID”, the synchronization connection that you create will probably not bring in the “employeeNumber” of users by default when you perform a synchronization. You will need to perform additional steps in SharePoint 2010 to map the “employeeNumber” attribute to a SharePoint user profile property.

Creating the Mapping

The mapping can be created by completing the following steps. We will first create the SharePoint user profile property and will perform the mapping afterwards:

  1. Open the central administration web site
  2. Browse to the management page of your user profile service application
  3. From the management page, click on “Manage User Properties”
  4. Click on “New Property”
  5. Type in the “Name” and the “Display Name” of the property
  6. Select the data type of the property. The data type should match the data type of the corresponding attribute in the LDAP user repository that you intend to map the property to.
  7. From the “Source Data Connection” drop down, select the synchronization connection that has the LDAP attribute
  8. From the “Attribute” drop down, select the attribute that you wish to map. Note that in certain cases you may not see the attribute you are looking for in the “Attribute” drop down. In this case, you will need to create the mapping using PowerShell (see the next section); if so, skip to step 11.
  9. From the “Direction” drop down, select the direction of the attribute. If you want the attribute from the user repository to be copied over to the SharePoint profile database, the direction should be “Import”. If you want the attribute from the SharePoint profile database to be copied over to the user repository, the direction should be “Export”.
  10. Click Add
  11. Click OK.

Mapping Attributes missing from the “Attributes” drop down

In certain cases, the attribute that you are trying to map may not be visible in the attributes drop down on the user profile property creation page. In this case, you will need to use PowerShell to map the LDAP attribute to the SharePoint profile property. In order to run the script successfully, please ensure the following:

  1. You know the name (not Display Name) of the SharePoint Profile Property to which you need to map the attribute
  2. You know the name of the LDAP attribute that you wish to map (case sensitive)
  3. You are logged in as the farm account (the account under which the timer service and the central administration application pool are running)
  4. The user profile service application where you need to perform the mapping should be the default service application associated with the central administration web site. Here is how you can verify this:
    • From central administration, click on “Application Management” on the left navigation bar
    • Click on “Manage Web Applications”
    • Select “SharePoint Central Administration v4”
    • From the Ribbon menu, click on “Service Connections”
    • Verify that from the list of connections, the user profile service application that you are performing the mapping for is checked and is set as the default service connection.

    • If the user profile service application proxy where you are performing the mapping is not set as default, please select “custom” as the service connection group and then choose the user profile service application connection that you are working with to perform the mapping.

After you have verified the above, please run the following script to perform the property mapping. Set the value of $url to the URL of the central administration web site. Update the values of $spsProperty, $fimProperty and $connectionName to match your environment. Note that the direction of this mapping will be “Import”. The script stops with a descriptive error as soon as one of the required objects cannot be obtained, so that a later call does not fail with a less helpful “null-valued expression” error.

$url = "http://tehnoonr-ws08-4:1125" # URL of the central administration web site (or any site collection associated with the user profile service application)
$spsProperty = "EID" # Internal name (not display name) of the SharePoint user profile property
$fimProperty = "employeeNumber" # Name of the attribute in the FIM/LDAP source, exactly as it appears in the FIM client (case sensitive)
$connectionName = "sun" # Name of the SharePoint synchronization connection

# Load the SharePoint cmdlets in case the script is not run from the SharePoint Management Shell
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null)
{ Add-PSSnapin Microsoft.SharePoint.PowerShell }

$site = Get-SPSite $url

if ($site)
{ Write-Host "Successfully obtained site reference!" }
else
{ throw "Failed to obtain site reference" }

$serviceContext = Get-SPServiceContext $site

if ($serviceContext)
{ Write-Host "Successfully obtained service context!" }
else
{ throw "Failed to obtain service context" }

$upManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($serviceContext)

if ($upManager)
{ Write-Host "Successfully obtained user profile manager!" }
else
{ throw "Failed to obtain user profile manager (check the URL and your permissions on the user profile service application)" }

$synchConnection = $upManager.ConnectionManager[$connectionName]

if ($synchConnection)
{ Write-Host "Successfully obtained synchronization connection!" }
else
{ throw "Failed to obtain user synchronization connection '$connectionName'!" }

Write-Host "Adding the attribute mapping…"
# Creates an Import mapping (LDAP -> SharePoint). Use AddNewExportMapping for the Export direction (see Known Issues, D).
$synchConnection.PropertyMapping.AddNewMapping([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty)
Write-Host "Done!"

Perform a full synchronization after the mapping has been created.

Hope this has been helpful!

Happy SharePointing!

Known Issues

A) The AddNewMapping function throws “Unable to process Put message”

This happens when the attribute specified in the $fimProperty variable is not valid. Please ensure that you have not misspelled the attribute and the data type of the attribute is compatible with the data type of the SharePoint managed property. For example, the “manager” LDAP attribute cannot be mapped to a SharePoint property of type “string” – it has to be mapped to a managed property of type “Person”. Additionally, please verify that you can see the LDAP attribute in the FIM client and you have typed in the LDAP attribute in the $fimProperty variable exactly as it appears in the FIM client.

To verify that you can see the desired LDAP attribute in FIM client (WARNING: DO NOT MODIFY ANYTHING IN THE FIM CLIENT):

  • On the server running the User Profile Synchronization Service, open miisclient.exe (Located at Drive:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell)
  • Click on the “Management Agents” tab
  • There should be a management agent in the list that represents your synchronization connection. For Active Directory synchronization connections, the management agent will have the name MOSSAD-YourSynchConnectionName. Double click on the management agent that represents your synchronization connection
  • Click on “Select Attributes”
  • Select the “Show All” check box
  • This should show you a list of all LDAP attributes that can be mapped to SharePoint managed properties. Remember that the $fimProperty variable in the script should have exactly the same value as the attribute shown here. If the desired attribute is not in this list, the script will throw the “Unable to process Put message” error.

B) The Script gets completed without errors, but the mapping is not created

This happens if the value in the $spsProperty variable of the script is incorrect. Please ensure that you have specified the internal name of the managed property, not the display name. To get the internal name of the managed property, click on the desired property on the “Manage User Properties” page and select “Edit” from the ECB menu. The EditProperty.aspx page will show you the internal name of the managed property (the “Name” field).

C) You get the message “Failed to obtain user profile manager” when you run the script

This can happen in two scenarios: the URL you specified does not have a user profile service application associated with it, or you don’t have the right permissions on the user profile service application. The permissions issue seems to be the more common one. If the UP service app. is in the local farm, you should just be able to log in as the account that runs the timer service and run the script. Alternatively, you can grant the appropriate permissions to the account that you’re running the script as. This can be done from central administration by selecting the user profile service application and clicking on “Permissions” from the ribbon.

D) The script creates an “import” mapping of the attribute, but you are trying to create an “export” mapping

I had a request from someone who was trying to do an export mapping. Note that the script as written creates an “import” mapping. In order to create an “export” mapping, replace the following:

$synchConnection.PropertyMapping.AddNewMapping([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty)

with:

$synchConnection.PropertyMapping.AddNewExportMapping([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty)
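As an added example (not code from the original post), here is a pre-flight and verification variant of the script that covers Known Issues B, C and D together: it checks that $spsProperty is an internal property name rather than a display name, stops with a clear message when the synchronization connection cannot be obtained, supports both directions, and confirms the mapping exists afterwards. The ProfilePropertyManager, CorePropertyManager, Connection.DisplayName and PropertyMap member names it relies on are taken from the SharePoint 2010 server object model and should be treated as assumptions of this example; the URL is a placeholder.

```powershell
# Added example, not part of the original post. Object-model member names are assumptions.
param(
    [string]$Url = "http://centraladmin:1125",     # placeholder: central administration URL
    [string]$SpsProperty = "EID",                  # internal name, not display name
    [string]$FimProperty = "employeeNumber",       # exactly as shown in the FIM client (case sensitive)
    [string]$ConnectionName = "sun",
    [ValidateSet("Import", "Export")][string]$Direction = "Import"
)

# Load the SharePoint cmdlets if not started from the SharePoint Management Shell
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null)
{ Add-PSSnapin Microsoft.SharePoint.PowerShell }

$site = Get-SPSite $Url
if (-not $site) { throw "No site collection found at $Url" }
$ctx = Get-SPServiceContext $site
$upManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($ctx)
if (-not $upManager)
{ throw "Could not obtain UserProfileConfigManager: check that $Url is served by the UPA and that this account has permissions on it (Known Issue C)" }

# Known Issue B: AddNewMapping silently does nothing when $SpsProperty is not an internal name.
$coreProps = $upManager.ProfilePropertyManager.GetCoreProperties()
$prop = $coreProps.GetPropertyByName($SpsProperty)
if (-not $prop)
{
    $hint = $coreProps | Where-Object { $_.DisplayName -eq $SpsProperty } | Select-Object -First 1
    if ($hint) { throw "'$SpsProperty' is a display name; the internal name is '$($hint.Name)'" }
    throw "No user profile property with internal name '$SpsProperty'"
}
Write-Host "Property '$($prop.Name)' found (type: $($prop.Type), length: $($prop.Length))"

# A null connection is what produces 'You cannot call a method on a null-valued expression'.
$conn = $upManager.ConnectionManager[$ConnectionName]
if (-not $conn)
{
    $names = ($upManager.ConnectionManager | ForEach-Object { $_.DisplayName }) -join ", "
    throw "Synchronization connection '$ConnectionName' not found. Available connections: $names"
}

# Refuse to add a second mapping for the same profile property in the same direction.
$existing = $conn.PropertyMapping | Where-Object { $_.ProfileProperty -eq $SpsProperty }
foreach ($m in $existing)
{
    if (($Direction -eq "Import" -and $m.IsImport) -or ($Direction -eq "Export" -and $m.IsExport))
    { throw "'$SpsProperty' already has an $Direction mapping to '$($m.DataSourceElement)'" }
}

# Known Issue D: choose the method by direction.
$profileType = [Microsoft.Office.Server.UserProfiles.ProfileType]::User
if ($Direction -eq "Import")
{ $conn.PropertyMapping.AddNewMapping($profileType, $SpsProperty, $FimProperty) }
else
{ $conn.PropertyMapping.AddNewExportMapping($profileType, $SpsProperty, $FimProperty) }

# Verify the mapping is visible on the connection before running a full synchronization.
$added = $conn.PropertyMapping |
    Where-Object { $_.ProfileProperty -eq $SpsProperty -and $_.DataSourceElement -eq $FimProperty }
if (-not $added) { throw "Mapping was not created; re-check the attribute name against the FIM client (Known Issue A)" }
$added | Format-Table ProfileProperty, DataSourceElement, IsImport, IsExport -AutoSize
```

Run it from the SharePoint Management Shell as the farm account, then perform a full synchronization as the post describes.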

Comments (42)

  1. Tania says:

    Thanks for a good and effective info. Keep it up and post more.

    godwinsblog.cdtech.in/…/sharepoint-2010-installation-language.html

  2. Sumit says:

    Thank you very much….

    I am also facing the same problem.

    How can we execute above script?

    Thanks,

    SP~

  3. Hi Sumit,

    You can save the above script in a .ps1 file (using notepad) and then execute it from the SharePoint server using the SharePoint Management Shell (you can find the SharePoint Management Shell in the start menu). After starting the management shell, all you need is to change the current directory to where you have saved the .ps1 file and then run the file using the format ".\filename.ps1". This should execute the script.

  4. praveen says:

    Hi,

    How can I export a property programmatically?

  5. dbiegunski@gmail.com says:

    I'm getting an error on the AddNewMapping method.

    Any idea why this would occur ?

    PS D:\tools> .\AddLDAPAttribute.ps1

    Successfully obtained site reference!

    Successfully obtained service context!

    Successfully obtained user profile manager!

    Successfully obtained synchronization connection!

    Adding the attribute mapping…

    Exception calling "AddNewMapping" with "3" argument(s): "Unable to process Put message"

    At D:\tools\AddLDAPAttribute.ps1:35 char:47

    + $synchConnection.PropertyMapping.AddNewMapping <<<< ([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsPr

    operty, $fimProperty)

       + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException

       + FullyQualifiedErrorId : DotNetMethodException

    Done!

  6. This is typically caused by a data type mismatch. The data type of the property in your LDAP directory should match the data type in SharePoint that you are trying to map.

  7. Merijn van den Kroonenberg says:

    How would I map to a URL profile property? The PictureURL property in SharePoint is of type URL, but I want to import the value from a BDC (but same problem for importing from AD). It doesn't match with string types in the BDC.

    Cheers,

    Merijn

  8. Merijn van den Kroonenberg says:

    Hmm, correction…after adding a new property of type URL I can import from a string just fine. So the PictureURL seems to be a special case. Pity.

    Merijn

  9. Hi, I ran the script to add the property userAccountControl and the script completed without errors but I couldn’t see it in the list of user property mapping.

  10. @isaDudu: Please ensure that the value in the $spsProperty has been properly set. I have added a "Known Issues" section to the post which explains the problem.

  11. Bryant says:

    This was very helpful, thank you.

  12. Joel says:

    Hi. I deleted the mapping between SPS-DistinguishedName and the dn attribute, but I get "Unable to process Put message" when I try to add it back. Do you have any ideas on how to fix this?

  13. Joel, I have seen this problem quite a few times, but unfortunately, since the dn attribute is not visible in the "FIM" client, you can't re-create the mapping using the script. I will dig into this when I have time and update this post, but for now, your workaround is to: 1) Delete the synch connection 2) Disable the MySite cleanup job 3) Create a new synch connection and redo any custom mappings 4) Perform at least 3 full synchs 5) Please verify that all user profiles have been imported and none are marked for deletion (there is a bDeleted flag in the UserProfile_Full table of the UPA).

    After you have done the above, please enable the MySite cleanup job.

  14. Joel says:

    Tehnoon, we did as you suggested but SharePoint did not create the mapping for SPS-DistinguishedName, and the full synchs we did all threw an exception saying that the SPS-DistinguishedName property was required. Do you have any other idea, or may we be missing something?

  15. I thought re-creating the synch connection would have created the mapping. Anyways, another option here is to reset the synchronization database. Resetting the synchronization database will automatically delete your synchronization connection. After the reset, please recreate the synchronization connection and proceed with all actions as suggested earlier.

    Steps to reset synchronization database can be found here:

    technet.microsoft.com/…/ff681014.aspx

  16. Nemil says:

    How can I map a multi-value property? I have used the same script that you provided and it ran successfully, however it does not add the mapping. Any idea why? … Data type is correct, no errors on the script; the only difference is that it is a custom property in LDAP.

  17. Hey Nemil, have you checked the issues mentioned in "Known Issues" section of the article? Did you use the correct name for the SharePoint property?

  18. Nemil says:

    Thanks for the reply, I have managed to resolve the issue for multi value; the issue was with the length of the string, I just used 25, however the value length was more than that. I changed the value to somewhat more and now it worked, however even after the sync finished successfully I don't see the value populated …. any idea why?

  19. Mark says:

    This looks like what I need, but my script bombs out on "failed to obtain user profile manager"

    None of my web applications have [default] next to the service application. They are in the 'default' group of connections, and checked.

    Why is yours UP2? I guess just a test.

    I'm trying to import user details (for directory lookup). I already have 2 AD's connected for users and logon. these are additional LDAP eDirectory users, not for logon. I can see all the attributes in FIM.

    I'm on SP1

  21. That's a permissions problem (failed to obtain user profile manager). Can you log in with the same account that the timer service is running under and see if it works?

    UP2 is just the name of the user profile service application. It can be anything really, doesn't make a difference..  

  22. Another issue i've spent 3 days trying to figure out – my domain admin account was not the correct account to run this as!

    You need to add the user to the service application administrators. As far as admin via CA, everything seemed to suggest I could do all, but via PS I couldn't. No access denied errors, or anything though.

  23. How do you use this script to export? says:

    I can't find a way to setup an export relationship between AD fields that do not appear in the drop down list and profile properties.  Script works fine for import. Export works fine on our system for items in the dropdown list.  Looking for a way to setup export for AD fields that do not appear.

  25. Hi Tommy,

    To do the export mapping just replace the following line in the script:

    $synchConnection.PropertyMapping.AddNewMapping([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty)

    Replace with:

    $synchConnection.PropertyMapping.AddNewExportMapping([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty)

  26. Raj [MSFT] says:

    Hello

    I am not able to run this script. My intention is to map an "Integer" type SharePoint property to the departmentNumber LDAP property, however for some reason I don't get this property from the GUI, so I tried to use your script.

    $spsProperty = "integer"

    $fimProperty = "departmentNumber"

    $connectionName = "Departments"

    But I get an error.

    You cannot call a method on a null-valued expression.

    At C:\Test.ps1:33 char:47

    + $synchConnection.PropertyMapping.AddNewMapping <<<< ([Microsoft.Office.Server

    .UserProfiles.ProfileType]::User, $spsProperty, $fimProperty)

       + CategoryInfo          : InvalidOperation: (AddNewMapping:String) [], Run

      timeException

       + FullyQualifiedErrorId : InvokeMethodOnNull

  27. Fran says:

    Please forget my previous comment about the Connection Name, duh! I found that! BUT I am getting the exact same error as Raj, "You cannot call a method with a null-valued expression". Can you please address this if you know the answer? I am thinking it is set as an incorrect (does not match) datatype in LDAP? Your thoughts?

  28. This error does not indicate a data type mis-match. Are you sure the synch connection is not null?

  29. Nick says:

    Hi, I'm also having the same issue as Raj. Could it be that there are spaces in connection name? Can you suggest any troubleshooting ideas/methods for why the connection fails?

  30. Nick: If you're not able to get a reference to the synch connection object ($synchConnection), that may mean that you're running into a permissions problem. Are you logged in with the same account that your SharePoint Timer Service is running under?

  31. Abraham says:

    Hi, I am trying to map the departmentNumber but getting the following exceptions in the last step after the message 'Adding the attribute mapping'.

    Exception calling "AddNewMapping" with "3" argument(s): Unable to process Put message"

    Highly appreciate any inputs on this issue.

  32. Abraham says:

    I have also checked that the datatypes are matching. It's the same error dbiegunski@gmail.com mentioned a bit above.

  33. AftabStack says:

    Hi Raza,

    I don't have EmployeeID in AD by default visible.

    Now I want to make available EmployeeID in sharePoint UserProfile.

    So (1) can I create a new EmployeeID directly in SharePoint -> New Property

    Or

    (2) do I first need to create a new property in AD, and then create that property in SharePoint?

    PLS let me know.

    I am of the understanding that I can directly create in SharePoint.

    Thanks

  34. @AftabStack: SharePoint does not have the ability to modify the schema of your AD. You first need to create the attribute in AD, then you'll need to create the managed property in SharePoint. Finally, you can use the script in this post to do the mapping. Note that you'll need to do a full synchronization after the mapping.

  35. Naveen says:

    I am getting the following error, for an AD sync connection as well. We made sure both the Fimproperty and the Spsproperty have the same data type, String.

    Please help me fix this.

    Exception calling "AddNewMapping" with "3" argument(s): "Unable to process Put message"

    At C:\upm.ps1:33 char:47

    + $synchConnection.PropertyMapping.AddNewMapping <<<< ([Microsoft.Office.Server.UserProfiles.Profil

    eType]::User, $spsProperty, $fimProperty)

       + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException

       + FullyQualifiedErrorId : DotNetMethodException

  36. Anita says:

    I have verified the LDAP attribute in the $fimProperty variable exactly as it appears in the FIM client, but it still throws the error

    Exception calling "AddNewMapping" with "3" argument(s): "Unable to process Put message"

    any ideas?

  37. Anita says:

    Verified the LDAP attribute in the $fimProperty variable exactly as it appears in the FIM client,

    but it still throws the exception "unable to process put message"

    any ideas really appreciated

  38. Tehnoon Raza [MSFT] says:

    This could be a permissions issue. Can you log in as the same account that is running the SharePoint timer service and run the script again?

  39. Raj says:

    Hi Raza, in my case I am not finding a value for the default mapped field "Manager" for user profiles in the staging environment. However, I am able to see values for the Manager field on production server user profiles. In both places I am referring to the same AD location. In staging, all attribute values are coming fine, except Manager.

    Could you please advise here.

    thank you beforehand.

  40. Barry says:

    Is there a way to "Configure a Term Set to be used for this property" ? When my properties are mapped, and I go back in, the Term Set is greyed out and I cannot edit.

  41. sowjanya says:

    Hi

    How do I get a userProfile by using LDAP? When I call getuserProfile(), the user email is also displayed. How is that possible? Can you provide code for my requirement ASAP plz

  42. Very detailed explanation, thanks