Mapping User Profile Properties in SharePoint 2010 to LDAP Attributes

Updated 02/02/2012 – Added two more scenarios to “Known Issues” section based on feedback

Introduction

SharePoint 2010 uses Forefront Identity Manager to synchronize user profiles between the SharePoint 2010 profile database and backend user repositories such as Active Directory, SUN Java Directory Server, IBM Tivoli or Novell eDirectory. After you have created a synchronization connection between SharePoint 2010 and the backend user repository, you will usually want to map additional attributes from the backend user repository to the SharePoint profile properties, because by default only a handful of attributes get mapped. For example, if you have created a custom attribute in SUN or Active Directory named “EmployeeID”, by default the synchronization connection that you create will probably not bring in the “employeeNumber” of users when you perform a synchronization. You will need to perform additional steps in SharePoint 2010 to map the “employeeNumber” attribute to a SharePoint user profile property.

Creating the Mapping

The mapping can be created by completing the following steps. We will first create the SharePoint user profile property and will perform the mapping afterwards:

  1. Open the central administration web site
  2. Browse to the management page of your user profile service application
  3. From the management page, click on “Manage User Properties”
  4. Click on “New Property”
  5. Type in the “Name” and the “Display Name” of the property
  6. Select the data type of the property. The data type should match the data type of the corresponding attribute in the LDAP user repository that you intend to map the property to.
  7. From the “Source Data Connection” drop down, select the synchronization connection that has the LDAP attribute
  8. From the “Attribute” drop down, select the attribute that you wish to map. Note that in certain cases, you may not see the attribute you are looking for in the “Attribute” drop down. In this case, you will need to create the mapping using PowerShell. If this is the case, move on to step 11.
  9. From the “Direction” drop down, select the direction of the attribute. If you want the attribute from the user repository to be copied over to the SharePoint profile database, the direction should be “Import”. If you want the attribute from the SharePoint profile database to be copied over to the user repository, the direction should be “Export”.
  10. Click Add
  11. Click OK.

Mapping Attributes missing from the “Attributes” drop down

In certain cases, the attribute that you are trying to map may not be visible in the attributes drop down on the user profile property creation page. In this case, you will need to use PowerShell to map the LDAP attribute to the SharePoint profile property. In order to run the script successfully, please ensure the following:

  1. You know the name (not Display Name) of the SharePoint Profile Property to which you need to map the attribute
  2. You know the name of the LDAP attribute that you wish to map (case sensitive)
  3. You are logged in as the farm account (the account under which the timer service and central administration application pool is running)
  4. The user profile service application where you need to perform the mapping should be the default service application associated to the central administration web site. Here is how you can verify this:
    • From central administration, click on “Application Management” on the left navigation bar

    • Click on “Manage Web Applications”

    • Select “SharePoint Central Administration v4”

    • From the Ribbon menu, click on “Service Connections”

    • Verify that from the list of connections, the user profile service application that you are performing the mapping for is checked and is set as the default service connection.

    • If the user profile service application proxy where you are performing the mapping is not set as default, please select “custom” as the service connection group and then choose the user profile service application connection that you are working with to perform the mapping.

After you have verified the above, please run the following script to perform the property mapping. Set the value of $url to the url of the central administration web site. Update the values of $spsProperty, $fimProperty and $connectionName to match your environment. Note that the direction of this mapping will be “Import”.

# Load the SharePoint cmdlets if the script is not run from the SharePoint 2010 Management Shell
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue))
{Add-PSSnapin Microsoft.SharePoint.PowerShell}

$url = "https://tehnoonr-ws08-4:1125" #URL of any site collection that is associated to the user profile service application (no leading space in the URL).
$spsProperty = "EID" #Internal name of the SharePoint user profile property
$fimProperty = "employeeNumber" #Name of the attribute in FIM/LDAP source (case sensitive)
$connectionName = "sun" #Name of the SharePoint synchronization connection

$site = Get-SPSite $url

if ($site)
{Write-Host "Successfully obtained site reference!"}
else
{Write-Host "Failed to obtain site reference"}

$serviceContext = Get-SPServiceContext($site)

if ($serviceContext)
{Write-Host "Successfully obtained service context!"}
else
{Write-Host "Failed to obtain service context"}

$upManager = new-object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($serviceContext)

if ($upManager)
{Write-Host "Successfully obtained user profile manager!"}
else
{Write-Host "Failed to obtain user profile manager"}

$synchConnection = $upManager.ConnectionManager[$connectionName]

if ($synchConnection)
{Write-Host "Successfully obtained synchronization connection!"}
else
{Write-Host "Failed to obtain synchronization connection!"}

# Creates an "Import" mapping (LDAP attribute -> SharePoint profile property)
Write-Host "Adding the attribute mapping..."
$synchConnection.PropertyMapping.AddNewMapping([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty)
Write-Host "Done!"

$site.Dispose()

Perform a full synchronization after the mapping has been created.

Hope this has been helpful!

Happy SharePointing!

Known Issues

A) The AddNewMapping function throws “Unable to process Put message”

This happens when the attribute specified in the $fimProperty variable is not valid. Please ensure that you have not misspelled the attribute and the data type of the attribute is compatible with the data type of the SharePoint managed property. For example, the “manager” LDAP attribute cannot be mapped to a SharePoint property of type “string” – it has to be mapped to a managed property of type “Person”. Additionally, please verify that you can see the LDAP attribute in the FIM client and you have typed in the LDAP attribute in the $fimProperty variable exactly as it appears in the FIM client.

To verify that you can see the desired LDAP attribute in FIM client (WARNING: DO NOT MODIFY ANYTHING IN THE FIM CLIENT):

  • On the server running the User Profile Synchronization Service, open miisclient.exe (Located at Drive:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell)
  • Click on the “Management Agents” tab
  • There should be a management agent in the list that represents your synchronization connection. For Active Directory synchronization connections, the management agent will have the name MOSSAD-YourSynchConnectionName. Double click on the management agent that represents your synchronization connection
  • Click on “Select Attributes”
  • Select the “Show All” check box
  • This should show you a list of all LDAP attributes that can be mapped to SharePoint managed properties. Remember that the $fimProperty variable in the script should have the exact same value as the attribute appears here. If the desired attribute is not in this list, the script will throw “Unable to process Put message” error.

B) The Script gets completed without errors, but the mapping is not created

This happens if the value in the $spsProperty variable of the script is incorrect. Please ensure that you have specified the internal name of the managed property, not the display name. To get the internal name of the managed property, click on the desired property from the “Manage User Properties” page and select “Edit” from the ECB menu. The EditProperty.aspx page will show you the internal name of the managed property (the “Name” field).

C) You get the message “Failed to obtain user profile manager” when you run the script

This can happen in two scenarios: the URL you specified does not have a user profile service application associated with it, or you don’t have the right permissions on the user profile service application. The permissions issue seems to be the more common one. If the user profile service application is in the local farm, you should just be able to log in as the account that runs the timer service and run the script. Alternatively, you can grant the appropriate permissions to the account that you’re running the script as. This can be done from central administration by selecting the user profile service application and clicking on “Permissions” from the ribbon:

D) The script creates an “import” mapping of the attribute, but you are trying to create an “export” mapping

I had this one request where they were trying to do the export mapping. Note that the script creates an “import” mapping. In order to create an “export” mapping, replace the following:

$synchConnection.PropertyMapping.AddNewMapping([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty)

with:

$synchConnection.PropertyMapping.AddNewExportMapping([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty)
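The following is an added example, not the script from this post: a checked variant of the mapping script that stops at the first failure instead of carrying on with $null objects, verifies that $spsProperty is an internal name before calling AddNewMapping (Known Issue B), skips a mapping that already exists, supports the export direction from Known Issue D, and reads the mapping back afterwards. The URL is a placeholder; it assumes the PropertyMapping collection can be enumerated and that each entry exposes ProfileProperty, DataSourcePropertyName, IsImport and IsExport.

```powershell
# Added example (not the original post's script). $url is a placeholder; the
# PropertyMapping entry property names are assumed from the SharePoint 2010 object model.
param(
    [string]$url            = "http://centraladmin.example.local:1125", # placeholder
    [string]$spsProperty    = "EID",            # internal name, not display name
    [string]$fimProperty    = "employeeNumber", # exactly as shown in the FIM client
    [string]$connectionName = "sun",
    [ValidateSet("Import","Export")]
    [string]$direction      = "Import"
)
$ErrorActionPreference = "Stop"   # any failed cmdlet or method call aborts the script
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$site           = Get-SPSite $url
$serviceContext = Get-SPServiceContext $site
$upManager      = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($serviceContext)

# Known Issue B: a display name in $spsProperty fails silently, so resolve the internal name first.
$coreProps = $upManager.ProfilePropertyManager.GetCoreProperties()
$coreProp  = $coreProps | Where-Object { $_.Name -eq $spsProperty }
if (-not $coreProp) {
    $hint = $coreProps | Where-Object { $_.DisplayName -eq $spsProperty } | Select-Object -First 1
    if ($hint) { throw "'$spsProperty' is a display name; the internal name is '$($hint.Name)'." }
    throw "No user profile property with internal name '$spsProperty'."
}

$synchConnection = $upManager.ConnectionManager[$connectionName]
if (-not $synchConnection) {
    $names = ($upManager.ConnectionManager | ForEach-Object { $_.DisplayName }) -join ", "
    throw "Connection '$connectionName' not found. Available connections: $names"
}

# Do not add a duplicate if the same property/attribute pair is already mapped.
$existing = $synchConnection.PropertyMapping |
    Where-Object { $_.ProfileProperty.Name -eq $spsProperty -and $_.DataSourcePropertyName -eq $fimProperty }
if ($existing) { Write-Host "Mapping already exists, nothing to do."; $site.Dispose(); return }

$profileType = [Microsoft.Office.Server.UserProfiles.ProfileType]::User
if ($direction -eq "Export") {
    $synchConnection.PropertyMapping.AddNewExportMapping($profileType, $spsProperty, $fimProperty)
} else {
    $synchConnection.PropertyMapping.AddNewMapping($profileType, $spsProperty, $fimProperty)
}

# Read the mapping back so the operator can confirm it was stored with the intended direction.
$synchConnection.PropertyMapping |
    Where-Object { $_.ProfileProperty.Name -eq $spsProperty } |
    Select-Object @{n="Property";e={$_.ProfileProperty.Name}}, DataSourcePropertyName, IsImport, IsExport
$site.Dispose()
```

Run it as the farm account, as the post requires; a full synchronization is still needed afterwards for the values to appear in profiles.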