Configuring the LDAP membership provider and role provider to integrate with an LDAP server that uses “ “ (a space) as root.


1 – Problem description


 I’ve seen cases where <space> is used as rootDSE by IBM Lotus Domino™ version 8.x.


But beware that setting the userContainer in the web.config like this:


      userContainer=" "


does not provide the expected results.


2 - How to specify an empty space in the configuration file?


You need to use &quot; to represent the double quote. For example:


  userContainer="&quot; &quot;"

  and

  groupContainer="&quot; &quot;"


I provide below the configuration files I used – maybe they’ll help you set up your environment.


2-a) Example configuration file for the Admin WebApp


This configuration file is provided “as is” (without any warranties, not supported, use it at your own risk). You need to adapt it to your own needs.


      <PeoplePickerWildcards>
            <clear />
            <add key="AspNetSqlMembershipProvider" value="%" />
            <add key="LdapMembership" value="*"/>
            <add key="LdapRole" value="*"/>
      </PeoplePickerWildcards>


And


      <membership defaultProvider="LdapMembership">
            <providers>
                  <add name="LdapMembership"
                       type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
                       server="<yourLDAPServer>"
                       port="389"
                       useSSL="false"
                       userDNAttribute="uid"
                       userNameAttribute="uid"
                       userContainer="&quot; &quot;"
                       userObjectClass="dominoPerson"
                       userFilter="(|(ObjectCategory=dominoGroup)(ObjectClass=dominoPerson))"
                       scope="Subtree"
                       otherRequiredUserAttributes="sn,givenname,cn" />
            </providers>
      </membership>

      <roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
            <providers>
                  <add name="LdapRole"
                       type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
                       server="<yourLDAPServer>"
                       port="389"
                       useSSL="false"
                       groupContainer="&quot; &quot;"
                       groupNameAttribute="cn"
                       groupMemberAttribute="member"
                       userNameAttribute="uid"
                       dnAttribute="fullname"
                       groupFilter="(ObjectClass=dominoGroup)"
                       scope="Subtree" />
            </providers>
      </roleManager>


2-b) Example configuration file for the extended WebApp


This configuration file is provided “as is” (without any warranty, not supported, use it at your own risk). You need to adapt it to your own needs.


Note the setting of the default provider here: <roleManager defaultProvider="LdapRole" ...>


    <PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembershipProvider" value="%" />
      <add key="LdapMembership" value="*" />
      <add key="LdapRole" value="*" />
    </PeoplePickerWildcards>


And


    <membership defaultProvider="LdapMembership">
      <providers>
        <add name="LdapMembership"
             type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
             server="<yourLDAPServer>"
             port="389"
             useSSL="false"
             userDNAttribute="uid"
             userNameAttribute="uid"
             userContainer="&quot; &quot;"
             userObjectClass="dominoPerson"
             userFilter="(|(ObjectCategory=dominoGroup)(ObjectClass=dominoPerson))"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,mail,cn" />
      </providers>
    </membership>

    <roleManager defaultProvider="LdapRole" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
      <providers>
        <add name="LdapRole"
             type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
             server="<yourLDAPServer>"
             port="389"
             useSSL="false"
             groupContainer="&quot; &quot;"
             groupNameAttribute="cn"
             groupMemberAttribute="member"
             userNameAttribute="uid"
             dnAttribute="fullname"
             groupFilter="(ObjectClass=dominoGroup)"
             scope="Subtree" />
      </providers>
    </roleManager>
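To see what the providers actually receive once the XML parser has decoded the attribute values, here is an added audit script; it is example code written for this page, not part of the original post and not Microsoft's code. It parses a constructed web.config fragment with Python's standard xml.etree module, reports the decoded userContainer/groupContainer value of each provider and classifies it as the escaped form the post reports as working (the entities decode to the three characters quote, space, quote) or the bare space the post reports as not giving the expected result. It also records a finding for any provider with useSSL="false", since a simple bind over plain LDAP carries the bind password unencrypted. The fragment, the hostname ldap.example.invalid and the port values are constructed placeholders.

```python
"""Audit LDAP provider container values in a MOSS web.config.

Added example, not code from the original post or from Microsoft: it uses the
standard-library XML parser to show what the provider actually receives for
userContainer/groupContainer once XML entity decoding has happened, and flags
providers that talk to the directory without SSL.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment. It carries both spellings discussed
# in the post: the escaped form on the membership provider and the bare-space
# form on the role provider. Hostname and ports are placeholders.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="LdapMembership">
      <providers>
        <add name="LdapMembership"
             type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
             server="ldap.example.invalid" port="389" useSSL="false"
             userDNAttribute="uid" userNameAttribute="uid"
             userContainer="&quot; &quot;"
             userObjectClass="dominoPerson"
             userFilter="(|(ObjectCategory=dominoGroup)(ObjectClass=dominoPerson))"
             scope="Subtree" otherRequiredUserAttributes="sn,givenname,mail,cn" />
      </providers>
    </membership>
    <roleManager defaultProvider="LdapRole" enabled="true">
      <providers>
        <add name="LdapRole"
             type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
             server="ldap.example.invalid" port="636" useSSL="true"
             groupContainer=" "
             groupNameAttribute="cn" groupMemberAttribute="member"
             userNameAttribute="uid" dnAttribute="fullname"
             groupFilter="(ObjectClass=dominoGroup)" scope="Subtree" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
"""

CONTAINER_ATTRS = ("userContainer", "groupContainer")


def classify_container(decoded):
    """Classify a decoded container value.

    'quoted-space' is the form the post reports as working for a space root
    (the entities &quot; &quot; decode to the characters quote, space, quote);
    'bare-space' is the form the post reports as not giving the expected
    result; anything else is treated as an ordinary DN search base.
    """
    if decoded == '" "':
        return "quoted-space"
    if decoded.strip() == "":
        return "bare-space"
    return "dn"


def audit_providers(xml_text):
    """Return one finding per container attribute and per plaintext provider."""
    root = ET.fromstring(xml_text)
    findings = []
    for section_name in ("membership", "roleManager"):
        for section in root.iter(section_name):
            for provider in section.iter("add"):
                name = provider.get("name")
                for attr in CONTAINER_ATTRS:
                    if attr in provider.attrib:
                        decoded = provider.get(attr)
                        findings.append({
                            "provider": name,
                            "attribute": attr,
                            "decoded": decoded,
                            "form": classify_container(decoded),
                        })
                # A simple bind over plain LDAP sends the bind password
                # unencrypted, so useSSL="false" gets a finding of its own.
                if provider.get("useSSL", "").lower() == "false":
                    findings.append({
                        "provider": name,
                        "attribute": "useSSL",
                        "decoded": "false",
                        "form": "plaintext-ldap",
                    })
    return findings


if __name__ == "__main__":
    for f in audit_providers(SAMPLE_WEB_CONFIG):
        print(f"{f['provider']:>15} {f['attribute']:<15} {f['decoded']!r:<8} {f['form']}")
```

Run it against a real web.config by passing the file contents to audit_providers(); the decoded column is the string the .NET configuration system hands to the provider, which is why the escaped form and the bare space behave differently even though both look like "a space" in the editor.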


3) Example configuration for the Profile Import connection


Edit your SSP’s profile connection (Shared Services Administration: Your_SSP > User Profile and Properties > Manage Connections > Edit Connection) with the following suggested parameters:


      Provider name: LdapMembership
      Username attribute: uid
      Search base: " "      (no specific encoding needed here)
      User filter: (&(objectClass=inetorgperson))


4) Summary


As explained above, it is quite common to find a <space> used as the root of the LDAP server in a Domino configuration. Setting " " directly in the config files, without escaping the double quotes, does not work correctly. The examples above show how to configure the web.config and the profile import connection so that this works.

