SHAREPOINT 2010 WITH OPENLDAP NOT SO SMOOTH

By now everyone knows that quite a few things have changed in SharePoint 2010 when it comes to authentication. The introduction of claims-based authentication has changed the landscape quite a bit.
When it comes to plain and simple LDAP authentication, things have not changed all that much, though. Of course, using LDAP means using forms-based authentication, and therefore claims-based authentication, but from a functional point of view there are no improvements in this area. You could even say that support has been reduced somewhat, but I will get to that later.
You can find guides on how to configure SharePoint 2010 for LDAP authentication on:

  • Configuring Forms Based Authentication in SharePoint 2010
  • Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010

I found some points of attention I would like to share with you.
Below is a sample membership and role provider definition.

<membership>
  <providers>
    <add name="LdapMembership"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="openldap.advantive.nl" port="389" useSSL="false"
         useDNAttribute="false" userNameAttribute="uid"
         userContainer="ou=weert,o=advantive,c=nl" userObjectClass="person"
         userFilter="(objectClass=person)" scope="Subtree"
         otherRequiredUserAttributes="uid,cn" />
  </providers>
</membership>
<roleManager enabled="true">
  <providers>
    <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="openldap.advantive.nl" port="389" useSSL="false"
         groupContainer="ou=weert,o=advantive,c=nl" groupNameAttribute="cn"
         userNameAttribute="uid" useUserDNAttribute="false"
         userFilter="(objectClass=person)"
         groupFilter="(|(objectClass=person)(objectClass=groupOfNames))"
         dnAttribute="" groupMemberAttribute="member" scope="Subtree" />
  </providers>
</roleManager>

Beware of the following:

  • Make sure you get the userNameAttribute, groupMemberAttribute and otherRequiredUserAttributes right, and watch out for stray whitespace in the container DNs: a leading space in userContainer or groupContainer silently changes the search base.
  • With useSSL="false" on port 389 the providers bind to OpenLDAP with the user's password in cleartext. In anything but a lab, set useSSL="true" with the LDAPS port (636 by default) and make sure the SharePoint servers trust the certificate of the LDAP server.
  • SharePoint will not be able to determine roles for users from the membership provider if the groupContainer and userContainer are in different trees.
  • SharePoint 2010 no longer supports importing user profiles from a generic LDAP service. According to Microsoft, the supported directory services are:
    • Active Directory Domain Services
    • SunOne (LDAP) 5.2
    • Novell eDirectory (LDAP) 8.7.3
    • IBM Tivoli (LDAP) 5.2
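The first three points are easy to get wrong in a hand-edited web.config, so here is a small check script. It is an added example, not code from the original post or from Microsoft: it parses the <membership> and <roleManager> fragments with ElementTree and reports mismatched attributes, whitespace inside a DN, containers in different trees, and useSSL="false". The sample configuration is constructed from the provider definition in this post, with a leading space deliberately put into groupContainer to show that the check catches it; the interpretation of "different trees" (one container must contain the other) is an assumption of this script.

```python
"""Sanity-check the LdapMembershipProvider / LdapRoleProvider pair in web.config.

Added example, not code from the original post or from Microsoft: parses the
<membership> and <roleManager> fragments and reports the mistakes discussed
above plus the cleartext-bind problem of useSSL="false".
"""
import xml.etree.ElementTree as ET

# Constructed sample built from the provider definition in this post. A leading
# space is deliberately present in groupContainer: a typical hand-editing slip.
SAMPLE_CONFIG = """<configuration>
<membership>
  <providers>
    <add name="LdapMembership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="openldap.advantive.nl" port="389" useSSL="false"
         useDNAttribute="false" userNameAttribute="uid"
         userContainer="ou=weert,o=advantive,c=nl" userObjectClass="person"
         userFilter="(objectClass=person)" scope="Subtree"
         otherRequiredUserAttributes="uid,cn" />
  </providers>
</membership>
<roleManager enabled="true">
  <providers>
    <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="openldap.advantive.nl" port="389" useSSL="false"
         groupContainer=" ou=weert,o=advantive,c=nl" groupNameAttribute="cn"
         userNameAttribute="uid" useUserDNAttribute="false"
         userFilter="(objectClass=person)"
         groupFilter="(|(objectClass=person)(objectClass=groupOfNames))"
         dnAttribute="" groupMemberAttribute="member" scope="Subtree" />
  </providers>
</roleManager>
</configuration>"""


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around every RDN, so that
    'ou=Weert, o=advantive,c=nl' and 'ou=weert,o=advantive,c=nl' compare equal."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under(child, parent):
    """True if `child` equals `parent` or lies beneath it (suffix match on RDNs)."""
    c, p = normalize_dn(child), normalize_dn(parent)
    return len(c) >= len(p) and c[-len(p):] == p


def check_ldap_providers(xml_text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    member = root.find("./membership/providers/add")
    role = root.find("./roleManager/providers/add")
    if member is None or role is None:
        return ["membership or role provider <add> element not found"]
    findings = []
    for label, node in (("membership", member), ("role", role)):
        if node.get("useSSL", "false").lower() != "true":
            findings.append("%s: useSSL=false on port %s, the bind sends the user's password in cleartext"
                            % (label, node.get("port", "389")))
        # Whitespace inside a DN attribute silently changes the search base.
        for attr in ("userContainer", "groupContainer"):
            value = node.get(attr)
            if value is not None and value != value.strip():
                findings.append("%s: %s has leading/trailing whitespace: %r" % (label, attr, value))
    if member.get("userNameAttribute") != role.get("userNameAttribute"):
        findings.append("userNameAttribute differs between membership and role provider")
    required = [a.strip() for a in member.get("otherRequiredUserAttributes", "").split(",")]
    if member.get("userNameAttribute") not in required:
        findings.append("otherRequiredUserAttributes does not include the userNameAttribute")
    if not role.get("groupMemberAttribute"):
        findings.append("role: groupMemberAttribute is empty")
    # Assumption about what 'different trees' means: one container must contain the other.
    uc, gc = member.get("userContainer", ""), role.get("groupContainer", "")
    if not (is_under(uc, gc) or is_under(gc, uc)):
        findings.append("userContainer %r and groupContainer %r are in different trees" % (uc, gc))
    return findings


if __name__ == "__main__":
    for finding in check_ldap_providers(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against the real web.config (the fragment must sit inside one root element, as in the sample) before touching Central Administration; the check is deliberately strict about whitespace because the providers do not trim the DN for you.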

Specifically the last issue can be a pain when dealing with OpenLDAP. Instead you need to use an LDIF import connector, as explained in http://technet.microsoft.com/en-us/library/ff959234.aspx.

Defining this connector is already quite a bit of work, but it also leaves you with the task of providing periodic exports of LDAP changes in LDIF format.
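One way to take care of those periodic exports is to keep the previous full dump and derive the changes from a fresh one. The script below is an added example, not code from the original post or from Microsoft's connector documentation: it parses two LDIF content exports (such as the output of `ldapsearch -x -LLL -b "ou=weert,o=advantive,c=nl"`, an assumed command line) and writes the add, delete and modify records that turn the old export into the new one. Both exports are constructed inline so the script runs offline; the entry for "jan" carries a base64 cn and the entry for "klaas" a folded cn to exercise the parser.

```python
"""Turn two full LDIF exports of the OpenLDAP tree into a change LDIF.

Added example, not code from the original post or from Microsoft's LDIF
connector documentation. Inputs are constructed inline so it runs offline.
"""
import base64

PREVIOUS_EXPORT = """dn: uid=jan,ou=weert,o=advantive,c=nl
objectClass: person
uid: jan
cn: Jan Jansen
mail: jan@advantive.nl

dn: uid=piet,ou=weert,o=advantive,c=nl
objectClass: person
uid: piet
cn: Piet Pietersen

dn: cn=intranet,ou=weert,o=advantive,c=nl
objectClass: groupOfNames
cn: intranet
member: uid=jan,ou=weert,o=advantive,c=nl
member: uid=piet,ou=weert,o=advantive,c=nl
"""

CURRENT_EXPORT = """dn: uid=jan,ou=weert,o=advantive,c=nl
objectClass: person
uid: jan
cn:: SmFuIEphbnNlbi1kZSBWcmllcw==
mail: jan@advantive.nl

dn: uid=klaas,ou=weert,o=advantive,c=nl
objectClass: person
uid: klaas
cn: Klaas
  Klaassen

dn: cn=intranet,ou=weert,o=advantive,c=nl
objectClass: groupOfNames
cn: intranet
member: uid=jan,ou=weert,o=advantive,c=nl
member: uid=klaas,ou=weert,o=advantive,c=nl
"""


def parse_ldif(text):
    """Parse LDIF content records into {dn: {attribute: [values]}}.
    Handles folded lines (a continuation line starts with one space),
    base64 values ('attr:: ...') and '#' comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]       # unfold: drop the single continuation space
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:          # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line:
            if current is not None:
                entries[current[0]] = current[1]
            current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            current = (value, {})
        else:
            current[1].setdefault(name, []).append(value)
    return entries


def fmt(attr, value):
    """Emit 'attr: value', or 'attr:: base64' where RFC 2849 requires it."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or "\n" in value)
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def diff_ldif(old, new):
    """Return LDIF change records that transform export `old` into export `new`."""
    records = []
    for dn in sorted(set(old) - set(new)):
        records.append("dn: %s\nchangetype: delete\n" % dn)
    for dn in sorted(set(new) - set(old)):
        lines = ["dn: %s" % dn, "changetype: add"]
        for attr, values in new[dn].items():
            lines += [fmt(attr, v) for v in values]
        records.append("\n".join(lines) + "\n")
    for dn in sorted(set(old) & set(new)):
        mods = []
        for attr in sorted(set(old[dn]) | set(new[dn])):
            if old[dn].get(attr) == new[dn].get(attr):
                continue
            if attr not in new[dn]:
                mods.append("delete: %s\n-" % attr)
            else:   # replace covers both changed and newly added attributes
                mods.append("replace: %s\n%s\n-" % (attr, "\n".join(fmt(attr, v) for v in new[dn][attr])))
        if mods:
            records.append("dn: %s\nchangetype: modify\n%s\n" % (dn, "\n".join(mods)))
    return "\n".join(records)


if __name__ == "__main__":
    print(diff_ldif(parse_ldif(PREVIOUS_EXPORT), parse_ldif(CURRENT_EXPORT)))
```

Schedule it right after the ldapsearch dump, feed the resulting file to the connector, and only then rotate the fresh dump into place as the new "previous" export; if the sync run fails, the next run will still see the same delta. Whether the connector accepts modify records or only full add/delete records is something to verify against the TechNet article, not something this script assumes.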

© COPYRIGHT ADVANTIVE 2010 | LEGAL NOTICE