Configuring the LDAP membership provider and role provider to integrate with an LDAP server that uses “ “ (a space) as root.

  • Article

1 – Problem description

 I’ve seen cases where <space> is used as rootDSE by IBM Lotus Domino™ version 8.x.

But beware that setting the userContainer in the web.config like this:

      userContainer=” “

does not provide the expected results.

2 - How to specify an empty space in the configuration file?

You need to use &quot; to represent the double quote. For example:

  userContainer="&quot; &quot;"

    and

  groupContainer="&quot; &quot;"

I provide below the configuration files I used – maybe they’ll help you set up your environment.

2-a) Example configuration file for the Admin WebApp

This configuration file is provided “as is” (without any warranties, not supported, use it at your own risk). You need to adapt it to your own needs.

            <PeoplePickerWildcards>

                  <clear />

                  <add key="AspNetSqlMembershipProvider" value="%" />

                  <add key="LdapMembership" value="*"/>

      <add key="LdapRole" value="*"/>

      mio </PeoplePickerWildcards>

And

<membership defaultProvider="LdapMembership">

            <providers>

                  <add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="<yourLDAPServer>"

                  port="389"

                  useSSL="false"

                  userDNAttribute="uid"

                  userNameAttribute="uid"

                  userContainer="&quot; &quot;"

                  userObjectClass="dominoPerson"

                  userFilter="(|(ObjectCategory=dominoGroup)(ObjectClass=dominoPerson))"

                  scope="Subtree"

                  otherRequiredUserAttributes="sn,givenname,cn" />

            </providers>

      </membership>

      <roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">

            <providers>

                  <add name="LdapRole"

                  type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server,Version=12.0.0.0,Culture=neutral,PublicKeyToken=71E9BCE111E9429C"

                  server="<yourLDAPServer>"

                  port="389"

                  useSSL="false"

                  groupContainer="&quot; &quot;"

                  groupNameAttribute="cn"

                  groupMemberAttribute="member"

                  userNameAttribute="uid"

                  dnAttribute="fullname"

                  groupFilter="(ObjectClass=dominoGroup)"

                  scope="Subtree" />

            </providers>

      </roleManager>

2-b) Example configuration file for the extended WebApp

This configuration file is provided “as is” (without any warranty, not supported, use it at your own risk). You need to adapt it to your own needs.

Note the setting of the default Provider : <roleManager defaultProvider="LdapRole"

    <PeoplePickerWildcards>

      <clear />

      <add key="AspNetSqlMembershipProvider" value="%" />

      <add key="LdapMembership" value="*" />

      <add key="LdapRole" value="*" />

    </PeoplePickerWildcards>

AND

<membership defaultProvider="LdapMembership">

      <providers>

        <add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"

             server="<yourLDAPServer>"

             port="389"

             useSSL="false"

             userDNAttribute="uid"

             userNameAttribute="uid"

             userContainer="&quot; &quot;"

             userObjectClass="dominoPerson"

             userFilter="(|(ObjectCategory=dominoGroup)(ObjectClass=dominoPerson))"

             scope="Subtree"

             otherRequiredUserAttributes="sn,givenname,mail,cn" />

      </providers>

    </membership>

    <roleManager defaultProvider="LdapRole" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">

      <providers>

        <add name="LdapRole" type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"

             server="<yourLDAPServer>"

             port="389"

             useSSL="false"

             groupContainer="&quot; &quot;"

             groupNameAttribute="cn"

             groupMemberAttribute="member"

             userNameAttribute="uid"

             dnAttribute="fullname"

             groupFilter="(ObjectClass=dominoGroup)" scope="Subtree" />

      </providers>

    </roleManager>

3) Example configuration the Profile Import connection

Edit your SSP’s profile connection (Shared Services Administration: Your_SSP > User Profile and Properties > Manage Connections > Edit Connection) with suggested parameters:

      Provider name: LdapMembership

      Username attribute: uid

      Search base: “ “ (no specific encoding needed here)

      User filter: (&(objectClass=inetorgperson))

4) Summary

As I explained above, it is quite usual to find a <space> used as Root for LDAP server in Domino configuration. Setting directly “ “ in the config files without specifically escaping the double-quotes does not work correctly. The examples provided above illustrate clearly how to properly configure the web.config & Profile import connection for this to work.