Sync LDAP users with SharePoint site for Forms Authentication


In my earlier post Getting Updates to User profile in SharePoint, I wrote about AD updates not rolling out to the site for default AD users, i.e. Windows authentication.  This post talks about the same problem, but for Forms Authentication.

For simplicity I am using an example where I created an LDAP connection to users in AD.

This article will not cover how to create an LDAP connection; it is about troubleshooting when the properties of LDAP users are not shown and reflected in the SharePoint site.

So there are two things here.  First, the LDAP users' properties should be seen and reflected in the User Profile; second, in the site collection.

So for the LDAP users' properties to sync with SharePoint, below are the steps that need to be done.

Check that the properties are not being synced.  From Central Admin –> Navigate to Manage Service Applications –> Click on User Profile Service Application.

Click Manage User Profiles.


Enter a user name and click Find.

Now if you find the user's profile, click Edit profile and look at properties like Name, Department etc.  They should match the source.  If they do, User Profile sync is happening.  If not, or if the profile is not there at all, the sync is not working.

Navigate back to the Manage User Profile Service Application page and click on Configure Synchronization Connections.


Click on Create new connection.


Select Forms Authentication in Authentication Provider Type.  The Authentication Provider Instance drop-down is populated based on the authentication settings configured in web.config.  Provide the Account name and Password.

This account should have the Replicate Directory Changes permission.  Be careful with this: if the account does not have sufficient privileges, no error is thrown; when the profile sync is run it simply does not import any profiles from the source, so it is not evident that the problem is insufficient privileges.

Click Populate Containers.  Select whatever you need to sync.  In my case it is just the SPUsers OU.


Again, be careful here, as the account specified is used to populate the containers.  If the account has AD read permissions, it will populate the containers, but if it lacks the Replicate Directory Changes permission the import will silently bring in no profiles, without any error.
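Because the missing permission gives no error, a check I would run before creating the connection (an added example, not part of the original post or of SharePoint itself) is a PowerShell script that confirms the sync account holds Replicate Directory Changes on the domain naming context. It assumes the RSAT ActiveDirectory module is installed; the account name is a placeholder.

```powershell
# Added example, not from the original post: verify that the sync account holds
# "Replicate Directory Changes" on the domain before creating the connection,
# because SharePoint reports no error when it is missing and simply imports nothing.
# Assumptions: RSAT ActiveDirectory module is available; $SyncAccount is the
# sAMAccountName you type into the connection dialog (placeholder value below).
Import-Module ActiveDirectory

$SyncAccount = 'spupsync'   # placeholder: the sync account's sAMAccountName
$DomainDN    = (Get-ADDomain).DistinguishedName

# Well-known extended-right GUID for DS-Replication-Get-Changes,
# shown in the AD ACL editor as "Replicate Directory Changes".
$ReplGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Test-ReplicateDirectoryChanges {
    param([string]$Account, [string]$Dn)

    # SIDs the right may be granted to: the account itself plus its direct
    # group memberships (nested groups are not expanded here).
    $user = Get-ADUser -Identity $Account
    $sids = @($user.SID.Value)
    $sids += Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.SID.Value }

    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned SIDs or unresolvable names are skipped
        if ($sids -notcontains $aceSid) { continue }

        $rights = $ace.ActiveDirectoryRights
        # GenericAll covers every extended right; an ExtendedRight ACE with an empty
        # ObjectType grants all extended rights, otherwise it must name this GUID.
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { return $true }
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $ReplGetChanges)) { return $true }
    }
    return $false
}

if (Test-ReplicateDirectoryChanges -Account $SyncAccount -Dn $DomainDN) {
    "OK: $SyncAccount has Replicate Directory Changes on $DomainDN"
} else {
    "MISSING: grant Replicate Directory Changes to $SyncAccount on $DomainDN, or the import will silently return nothing"
}
```

Run it as a domain user that can read the domain head's security descriptor; rights granted through nested groups will not be detected by this direct-membership check.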

Once done, click OK.

Click on Manage User Properties.  Search for Claim User Identifier.


Click Edit, and on the next page you need to add a mapping.

So basically, in claims-based web applications, SharePoint Server uses the Claim User Identifier property (SPS-ClaimID) to match an authenticated user to the correct user profile. If SPS-ClaimID is not mapped to the directory service attribute that you want to use as the user identifier, then when a user is authenticated, he or she is not matched to the correct user profile and will not see the imported user profile data.

To resolve this issue, map the SPS-ClaimID property to the directory service attribute that uniquely identifies the user; in my case it is sAMAccountName.


Once done, start the profile synchronization.


When the profile sync starts you will see Synchronizing and Stop links.  Click on the Synchronizing link to see the status.  Check the status once in a while.


Once done, click on Manage User Profiles and search for the user you searched for in step 1.  Check that the user profile properties have been updated.

The next task is to go to a site collection and verify whether the properties got propagated to the site.

Navigate to the web application, try to log in with one of the LDAP users and look at the name that appears in the top right corner.  If it is the updated name, the properties are updated; if not, the user updates have not been propagated to the site.

This is a small issue that I noticed: after an LDAP user logs in to the site, the profile is pushed to the site, and sometimes you need to run Profile synchronization to push the updates to the profile.  So if you cannot see the updates on the site but can see them on the user profile Manage User Profiles page, try logging in to the site with that user, or add that user to some group (so that the user's profile is added to the site; later you can remove the user if you don't want him to be in any groups), and run the profile sync.

Hope it helps.