Compartilhar via


How to Setup User Profile Synchronization between SharePoint 2010 and SUN LDAP

Introduction

With SharePoint 2010, you now have the ability to synchronize user profiles between the SharePoint profile database and user repositories such as Active Directory, SUN One LDAP, IBM Tivoli, and Novell eDirectory. If you have a custom user repository such as a database, or any other source, you can still synchronize profiles using Business Data Connectivity.

image

Figure 1: Types of synchronization connections available in SharePoint 210

 

In this post, I will explain how you can set up profile synchronization between SharePoint 2010 and Sun LDAP Server.

User Profile Synchronization in SharePoint 2010 - Background

User profile synchronization in SharePoint 2010 is what used to be profile import in MOSS 2007 (configured from SSP administration page). The reason why the terminology has been changed is that in MOSS 2007, the user properties of user profiles used to flow one way, from Active Directory (or other LDAP system) to the SharePoint profile database. For example, if a user’s telephone number was changed in Active Directory, the information used to flow into the SharePoint profile database after an import. However, if a user changed their telephone number from their MySite (which shows information from the profile database), the updated telephone number could not flow back to the user’s Active Directory account. In SharePoint 2010, with every profile property, you can configure a synchronization direction (either import or export). If you choose the direction to be “import” the source of the property’s value will be the external system (Active Directory, SUN LDAP etc.), and the property’s value will be copied from the external system to the SharePoint profile database. If you choose the direction to be “export”, the source of the profile property will be the SharePoint profile database. So if a user updates their profile property (such as their picture), that infromation would flow back to the external system after an incremental synchronization.

image

Figure 2: Configuring synchronization flow in SharePoint 2010

Hope this explains why profile import is now called profile synchronization, now let’s get started with creating a synchronization connection between SharePoint 2010 and SUN LDAP.

Step 1: Collect Information about the SUN LDAP Server

First things first. Before you begin, you will need the following information about your SUN LDAP Server:

  • The server name (name of the computer where SUN LDAP is running)
  • The port that the LDAP is listening on (By default, LDAP traffic flows over port 389)
  • The account name that has the appropriate permissions on the LDAP directory. You will also need the account’s password. Note that you will need the account name in the distinguished name format (e.g. “CN=Directory Manager”)
  • The LDAP path of the container that contains the user profiles in the SUN LDAP Server (e.g. OU=People,DC=example,DC=com )
  • The exact version of the SUN LDAP Server (e.g. Sun-Directory-Server/7.0 B2009.1104.2330)

Step 2: Register a Trusted Authentication Provider

If not already done, you will need to register a trusted authentication provider. The fact that you are synchronization profiles with SUN One also means that users will probably log into SharePoint using their SUN One accounts and Forms Based Authentication. To allow users to log into SharePoint using their SUN one accounts over FBA, you will need to register an authentication provider, and you will then need to use this authentication provider when creating a synchronization connection. If you are using a trusted claims prvider, you can use the clams provider when creating the synchronization connection.

It is important to understand that profile synchronization does not use the authentication provider at all. Profile synchronization is just interested in knowing the authentication provider that you are using to allow users to log into SharePoint, The reason for this is that when a user logs into a SharePoint site, a profile for the user is created in the SharePoint site collection database.  On the other hand, the profiles that you import from Acitve Directory or SUN One LDAP are stored in the SharePoint profile database. To enable MySites functionality and updated user information across all site collections, the user profiles in the site collection database need to be “linked” to a profile in the profile database. This is the reason why we need to tell profile synchronization about the authentication provider that the profiles should be linked to.

If you have already registered your claims or trusted authentication provider, you can skip the rest of this section and move to the next step. Otherwise, complete the following steps to create a new web application and a trusted authentication provider for the web application:

Registering a trusted authentication provider

  1. We will be modifying the web.config of the central administration site so please create a backup copy of the file before modifying so that we can revert back to it in case something goes wrong.

  2. Open the web.config file of the central administration web site.

  3. Search for the “<membership>”  tag.

  4. Between the “<providers>”  and “</providers>” element , paste in the following string:
    <add name="LDAPmembership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="SunLDAPServerName" port="389" useSSL="false" userDNAttribute="entryDN" userNameAttribute="uid" userContainer="OU=People,DC=example,DC=com" userObjectClass="InetOrgPerson" userFilter="(&amp;(ObjectClass=InetOrgPerson))" scope="Subtree" otherRequiredUserAttributes="sn,givenName,cn" connectionUsername="cn=Directory Manager" connectionPassword="Password1" />

    Note that you will need to modify the above string to match your environment. In most cases, you will need to modify these attributes: server, userContainer, connectionUsername and connectionPassword. Use the information collected in step 1.

  5. Save and close web.config file

  6. Open the central administration web site

  7. From the left navigation bar, click on “Application Management”

  8. Under “Web Applications”, click on “Manage Web Applications”

  9. From the Ribbon menu, click on “New”

  10. Choose “Claims Authentication” as the authentication type

  11. Select “Enable Forms Based Authentication” and type in the name of the membership provider you added to web.config in step 4, as shown in the following screenshot:
    image

  12. Fill in all other required values and click “OK”. After the web application gets created, your trusted authentication provider will also get registered.

Step 3: Add the registry entry to the server running the profile synchronization service

In step 1, I had mentioned that you will need to collect the exact build version of the SUN LDAP Server. We will be using that information in this step. If the version of SUN LDAP server is 5.x or lower, you can skip this step and move on to the next step.

The version of SUN LDAP server that I am using is 7.0 (exact build information obtained in step 1: “Sun-Directory-Server/7.0 B2009.1104.2330”). Please log on to the server in your SharePoint farm where the “Forefront Identity Manager Synchronization Service” is running (which is basically FIM), as shown in the following screenshot:

image 

On this server, you will need to edit the registry and add the exact build information of the SUN LDAP Server. Details on how.where the registry entry needs to be made can be found at https://support.microsoft.com/kb/2290443 . Excerpt from the article is provided below:

To resolve this problem, create the following registry key and specify the version of the Sun Java System Directory Server you are attempting to connect to.
Click Start, click Run, type Regedt32, and then click OK.
Locate and then right-click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters Click New, and then click Multi-string Value. Set the following parameter values:
Value name: iPlanetMASupportedServers Value type: (REG_MULTI_SZ)
Set the value of the registry key to the following value:
Sun-Java(tm)-System-Directory/6.3 B2008.0311.0946 Note The precise format of the value will vary in different versions of Sun ONE. Be sure to use the correct version number for your environment.

Step 4: Create the synchronization connection

In this step, we will create the synchronization connection.

  1. From the central administration web site, browse to the user profile service application management page:

    image

  2. Click on “Configure Synchronization Connections”

  3. Click on “Create New Connection”

  4. Type in the name of the connection

  5. In the connection type, select “Sun Java System Directory Server”

  6. In “Directory Service Server Name”, type in the name of the computer where SUN LDAP Server is running (use the information collected in step 1).

  7. This step is a little tricky.In this step, you will need to select the trusted authentication provider that you would like to associate to the user profiles. This is the same authentication provider that you registered in Step 2. In the “Authentication Provider Type” drop down, select “Trusted Claims Provider Authentication”. If you don’t see your authentication provider in the “Authentication Provider Instance” drop down, select “Forms Authentication” from the “Authentication Provider Type” drop down. Now you should see the authentication provider that you registered in step 2:

    image

    HINT: If you don’t see your authentication provider instance in the drop down, toggle the “Authentication Provider Type” to Claims and then back to forms authentication.  This should re-populate the list.

  8. In the “Account Name” text box, type in the distinguished name of the account that has the appropriate permissions on the SUN LDAP Directory (this information was collected in step 1. Example: CN=Directory Manager).  

  9. Type in the password and the password confirmation for the account

  10. Type in the port that the LDAP server is listening on

  11. Click on “Populate Containers”. Wait for the containers to be populated and then select the container that contains the user profiles. NOTE: If you get an error when you click on “Populate Containers”, verify that the information you entered in Server Name, Account Name, Password and Port is correct.

  12. Click OK

After the synchronization connection gets created, go ahead start a full synchronization and you should see user profiles getting synchronized.

Troubleshooting

  1. You get the “Unable to process Create message” error when creating the synchronization connection

    This is a known issue that occurs if you are running Sun 6.x or higher and have not added the registry entry correctly as mentioned in step 3 (Add the registry entry to the server running the profile synchronization service). To resolve this issue, please verify that you have the correct build information about the SUN LDAP Server and edit the registry entry to reflect the correct information. For more information about this problem and the solution, please review https://support.microsoft.com/kb/2290443

  2. You get the “Unable to process Put message” error when creating the synchronization connection
    Please review the application event log of the server where the Forefront Identify Manager Synchronization Service is running. If you see the below error in the event log, you will need to request a configuration change in the SUN LDAP server:

    Log Name:      Application
    Source:        FIMSynchronizationService
    Date:          11/21/2010 7:48:34 PM
    Event ID:      6306
    Task Category: Server
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      tehnoonr-WS08-5.tehnoonr01.lab
    Description:
    The server encountered an unexpected error while performing an operation for the client.
    "ERR: MMS(3564): amparse.cpp(1765): AM: attribute 'givenName' not found in source schema
    BAIL: MMS(3564): amparse.cpp(1765): 0x80230516 (The attribute mapping rules XML defines an invalid/incomplete rule.)

    The above error occurs if the attribute “nsslapd-return-exact-case” is set to “off” on the SUN LDAP Server.  In order to successfully create a synchronization connection between SharePoint and SUN LDAP Server, you will need to set this attribute to “on” while you create the synchronization connection. Once the synchronization connection has been created, you can set this attribute back to “off”. Setting this attribute to “off” causes all the attribute names to be returned in lower case, and SharePoint requires the attributes to be returned per the RFC 2256 standard during connection creation. 

  3. Profile synchronization gets completed but no user profiles get added to the profile database
    This is section covers a rather broad range of issues that you may be running into. If the profile synchronization completed but you don’t see any profiles, you should look for errors in the application event log of the server where the Forefront Identify Manager Synchronization Service is running. You can also bring up the FIM client (miisclient.exe from C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell) and see if you find any errors in the latest runs (Operations Tab):

    image

    If you don’t find any errors that stand out, there could be two reasons why the profiles are not coming in:

    a) The account that you are using to synchronize profiles (one you entered when creating the synchronization connection) does not have the required permissions on the SUN LDAP Server. The account needs to read certain attributes on the LDAP server including nsslapd-sizelimit attribute in cn=config container and lastchangenumber , nsUniqueId and numSubordinates attributes at the root of the container from which user profiles are being synchronized. The account should be able to read all these attributes in the SUN LDAP Server.

    b) You have created custom structural object classes in your SUN LDAP Server and associated the custom structural class to the users. In order to add additional attributes to user objects in SUN LDAP, you can create auxiliary or structural object classes. If you create structural object classes and associate them to user objects in SUN LDAP, the default synchronization connection that you created in SharePoint will not be able to synchronize those users. Additional configuration is required within the FIM client in order to import these users. Please contact Microsoft support if you require assistance in getting this configured. We are also working on creating public documentation on how this configuration can be made.
    To find out if a users in SUN LDAP have custom structural object classes associated to them, please contact your SUN LDAP administrator. You can also use a tool such as LDP.exe to view the “object-class” LDAP property of the user.

  4. You are unable to map additional attributes from SUN to SharePoint User Profile Properties
    This is also a known issue. I have written another detailed post on how you can create mappings between SharePoint user profile properties and backend LDAP attributes. You can find the post here 

I hope this has been a helpful post. Please leave your comments and issues that you are running into with profile synchronization between SharePoint and SUN LDAP, so I can update this post with more information.

Happy SharePointing!

Comments

  • Anonymous
    December 09, 2010
    Hi, Thanks for this nice Article. i was able to perform teh setup of the synchronization connection, but now I'm running against the following problem. The Number of User Profiles stays 0 even thought my Sun LDAP has over more than 4000 user accounts. Checking the MIISclient I don't see any outstanding errors. In my LDAP logging I can see a query for my user accounts. My Profile DB in Sharepoint stays empty. In the event log I can see some errors from the FIM (ID 6126 and 6006) when trying to run a full sync which was never successful before. The management agent "MOSS-b771ebcc-51c4-41f8-a8f6-5b578ace5035" completed run profile "MOSS_DELTAIMPORT_99a8e323-1ef0-4f4c-b3bd-7c322eb0b4e5" with a delta import or delta synchronization step type. The rules configuration has changed since the last full import or full synchronization. User Action To ensure the updated rules are applied to all objects, a run with step type of full import and full synchronization should be completed.   nsslapd-sizelimit (2 available) attribute in cn=config container and lastchangenumber (N/A with manual query) , nsUniqueId (entries available with manual query) and numSubordinates (2 available) I don't know if you have any ideas or hints?

  • Anonymous
    December 10, 2010
    HI there! Do you have custom structural object classes associated to users in the SUN directory? You SUN administrators should be able to answer that. The default object class is InetOrgPerson, but you can create custom structural or auxilary classes in SUN. You will not see any users imported if custom structural object classes were created.

  • Anonymous
    December 14, 2010
    hi i m traying to make new user connection and every things is ok,and i can make pppulat,but after i press OK i have this problem f6290f39-5a05-4382-9784-c8d42cba6445 and the page error (i have wxchange server 2010 on the same server with sharepoint 2010)

  • Anonymous
    December 14, 2010
    orwah: Can you share the error message? Are you just getting the GUID as the error message?

  • Anonymous
    December 15, 2010
    Hi, Thanks for your update on this. Our SUN administrators came back with the following feedback: we are using the default object class InetOrgPerson but also have or own auxilary classes created. Do you mean in this case we are not able to see any imported users ever? Or is there an additional workarround or process that should be followed? Kind regards, T

  • Anonymous
    December 15, 2010
    Hi, Thanks for your update on this. Our SUN administrators came back with the following feedback: we are using the default object class InetOrgPerson but also have or own auxilary classes created. Do you mean in this case we are not able to see any imported users ever? Or is there an additional workarround or process that should be followed? Kind regards, Thumbs

  • Anonymous
    December 16, 2010
    If you are using auxilary classes, you should'nt require any further confguration. You need additinal configuration if you are using structural classes. I think it may be a permissions issue, or, a query limit imposed on the LDAP server. The account that you are using to synchronize should have permissions to issue queries of unlimited length. I would check on the SUN LDAP server logs as to if there is a size limit that we are hitting. You can also capture a network trace from the SharePoint server while running profile synchronization and share with me. I'll have a look at it when I have time. You can use Wireshark to take the capture. Thanks!

  • Anonymous
    August 11, 2011
    I have a similar problem : customizing my LDAP is ok BUT sharepoint 2010 end up claiming that objectSID does not exists ( true, we have no AD connection ) Can I remove objectSID from Must have safely or is there a way to create and objectSID ?

  • Anonymous
    August 11, 2011
    Hi Frederic. Manually modifying the FIM metaverse is not supported as it may cause other problems. What type of synchronization connection you are creating?

  • Anonymous
    August 11, 2011
    Hi Frederic. Manually modifying the FIM metaverse is not supported as it may cause other problems. What type of synchronization connection you are creating?

  • Anonymous
    August 11, 2011
    Hi Frederic. Manually modifying the FIM metaverse is not supported as it may cause other problems. What type of synchronization connection you are creating?

  • Anonymous
    August 11, 2011
    I need to connect to a SUN LDAP 5.2 with custom schema so I need to tweak the metaverse for that. not too much but a bit. But by design LDAP does not have objectSID and Sharepoint mark it as mandatory. Have you already bypass this ? I will install soon the June update for SP1 to see if but ... I have poor chance... Are you sure about support ? Is there another way to fix this ?

  • Anonymous
    August 11, 2011
    My MSN login for easier notifications

  • Anonymous
    August 12, 2011
    Hey Frederic, I just verified that in my SUN environment, the objects do not have objectSid and everything works as expected. I think that the objectSid error may just be a bad error message, your synchronization is getting affected due to some other schema mapping problem. I have seen problems with custom schemas, FIM in SharePoint only supports schemas that are ldap rfc 2254 complaint.

  • Anonymous
    August 12, 2011
    We use an extension of inetorgperson with structural class on top of it, si I am in process 3c of troubleshooting on this page. Still no public docs available ? I will drop my connector and recreate it now that I have install june hotfix on top of sp1 regards fred

  • Anonymous
    August 13, 2011
    even with hotfix, seems like claims user + customized schema is a bit too much for my FIM knowledge and Sharepoint default setup. I will open a call at support. A pity there is so few docs available for non AD connection. Claims are great  to provide cross technology SSO

  • Anonymous
    August 15, 2011
    The comment has been removed

  • Anonymous
    September 15, 2011
    I have arranged to do it alone. Here is a public first doc : frednotes.wordpress.com/.../sharepoint-2010-user-profile-sso-and-custom-ldap-schema I love the result, users too

  • Anonymous
    February 27, 2014
    Hi, What about SharePoint 2013 and IBM Tivoli v6.3. Thanks m_elwaer@hotmail.com

  • Anonymous
    May 29, 2014
    Hi, i was trying to sync the Users from AD to SharePoint, but i was not able to sync the security groups. i followed many blogs but not able to process my sync. Do you have any idea on this???

  • Anonymous
    March 27, 2017
    Hi, Thanks for the great article. At the end i populated the containers successfully but when i clicked OK, i get Unable to process Create message” error although i added the registry entry to the server running the profile synchronization service. My Sun LDAP server version is: Sun-Directory-Server/11.1.1.7.3 B2015.0429.2115 64-bit.I tried putting these registry entries:Sun-Directory-Server/11.1.1.7.3 B2015.0429.2115 64-bitSun-Directory-Server/11.1.1.7.3 B2015.0429.2115Sun-Java(tm)-System-Directory/11.1.1.7.3 B2015.0429.2115Sun-Java(tm)-System-Directory/11.1 B2015.0429.2115I tried many combinations and reset the connection settings but i couldnt make this error gone. Every yime i click OK i get this error. I googled but i couldnt find any answer.Any suggestions?Thanks in advance.