Properties DirectoryObjectAttribute and DirectoryObjectClass are required #221

Closed
ChristophHannappel opened this issue Aug 2, 2024 · 13 comments · Fixed by #223
@ChristophHannappel

I did a fresh install of LDAPCPSE v18.0.20240513.3 on a new SharePoint Server SE Farm.
I used the automated Install Script.
When I try to open the Global configuration or Mapping of permissions at the Central Administration, I get an error message: Properties DirectoryObjectAttribute and DirectoryObjectClass are required.

I've attached the ULS Log:
ldapcp.log

What can I do to set those properties?

@Yvand
Owner

Yvand commented Aug 2, 2024

Hi @ChristophHannappel, can you send me the output of these commands:

$trust = Get-SPTrustedIdentityTokenIssuer "<YourTrustName>"
$trust.ClaimProviderName
$trust.ClaimTypeInformation

@ChristophHannappel
Author

Hi @Yvand ,

$trust = Get-SPTrustedIdentityTokenIssuer 'ADFS'
$trust.ClaimProviderName
$trust.ClaimTypeInformation
LDAPCPSE


DisplayName                    : Primary SID
InputClaimType                 : http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
MappedClaimType                : http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
IsIdentityClaim                : True
AcceptOnlyKnownClaimValues     : False
ClaimValueModificationAction   : None
ClaimValueModificationArgument : 
KnownClaimValues               : {}
UpgradedPersistedProperties    : 

DisplayName                    : Group SID
InputClaimType                 : http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
MappedClaimType                : http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
IsIdentityClaim                : False
AcceptOnlyKnownClaimValues     : False
ClaimValueModificationAction   : None
ClaimValueModificationArgument : 
KnownClaimValues               : {}
UpgradedPersistedProperties    : 

Thank you.

@Yvand
Owner

Yvand commented Aug 2, 2024

@ChristophHannappel this is a bug in LDAPCP that happens because your trust uses none of the expected claim types for the identifier.
I will fix this. Just to be sure, did you choose claim type http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid for the user identifier because you intend to use the SID?

@Yvand
Owner

Yvand commented Aug 2, 2024

Fixed in #223

@ChristophHannappel
Author

ChristophHannappel commented Aug 2, 2024

> Just to be sure, did you choose claim type http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid for the user identifier because you intend to use the SID?

Yes, but if there is a more fitting one, I'm open to that :)

@Yvand
Owner

Yvand commented Aug 5, 2024

@ChristophHannappel you do not need the update to get unblocked, you can create the configuration manually using PowerShell:

Add-Type -AssemblyName "Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740"
[Yvand.LdapClaimsProvider.LDAPCPSE]::DeleteConfiguration()
$config = [Yvand.LdapClaimsProvider.LDAPCPSE]::CreateConfiguration()
$settings = $config.Settings

$settings.ClaimTypes.Clear()
$ct = New-Object "Yvand.LdapClaimsProvider.Configuration.ClaimTypeConfig"
$ct.ClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
$ct.DirectoryObjectClass = "user"
$ct.DirectoryObjectAttribute = "objectSid"
$settings.ClaimTypes.Add($ct)

$ct = New-Object "Yvand.LdapClaimsProvider.Configuration.ClaimTypeConfig"
$ct.ClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$ct.DirectoryObjectClass = "group"
$ct.DirectoryObjectAttribute = "objectSid"
$settings.ClaimTypes.Add($ct)

$settings.ClaimTypes | ft LDAPAttribute, EntityType, ClaimType, UseMainClaimTypeOfDirectoryObject
$config.ApplySettings($settings, $true)
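
A pre-flight check for the condition behind this error, as an added example that is not part of the original thread or of LDAPCP's code: it confirms that the trust's identity claim type has a claim type entry with both DirectoryObjectClass and DirectoryObjectAttribute set. The function name Test-IdentityClaimMapping and the sample objects are constructed for illustration; on a farm, the inputs would be $trust.ClaimTypeInformation and $settings.ClaimTypes.

```powershell
# Added example: hypothetical helper, not part of LDAPCP or of this thread.
function Test-IdentityClaimMapping {
    param(
        $ClaimTypeInformation,  # objects with MappedClaimType and IsIdentityClaim
        $ClaimTypes             # objects with ClaimType, DirectoryObjectClass, DirectoryObjectAttribute
    )

    # The check expects exactly one identity claim on the trust.
    $identity = @($ClaimTypeInformation | Where-Object { $_.IsIdentityClaim })
    if ($identity.Count -ne 1) {
        return [pscustomobject]@{ Ok = $false; Reason = "Expected 1 identity claim, found $($identity.Count)" }
    }
    $idType = $identity[0].MappedClaimType

    # Entries configured for the identity claim type.
    $entries = @($ClaimTypes | Where-Object { $_.ClaimType -eq $idType })
    if ($entries.Count -eq 0) {
        return [pscustomobject]@{ Ok = $false; Reason = "No entry for identity claim type $idType" }
    }

    # Both properties named in the error message must be set.
    $incomplete = @($entries | Where-Object {
        [string]::IsNullOrWhiteSpace($_.DirectoryObjectClass) -or
        [string]::IsNullOrWhiteSpace($_.DirectoryObjectAttribute)
    })
    if ($incomplete.Count -gt 0) {
        return [pscustomobject]@{ Ok = $false; Reason = "Entry for $idType lacks DirectoryObjectClass or DirectoryObjectAttribute" }
    }
    [pscustomobject]@{ Ok = $true; Reason = "Identity claim type $idType is mapped" }
}

# Constructed sample data mirroring the trust shown in this thread.
$sid  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
$gsid = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$trustInfo = @(
    [pscustomobject]@{ MappedClaimType = $sid;  IsIdentityClaim = $true },
    [pscustomobject]@{ MappedClaimType = $gsid; IsIdentityClaim = $false }
)
$groupOnly = @([pscustomobject]@{ ClaimType = $gsid; DirectoryObjectClass = "group"; DirectoryObjectAttribute = "objectSid" })
$withUser  = $groupOnly + [pscustomobject]@{ ClaimType = $sid; DirectoryObjectClass = "user"; DirectoryObjectAttribute = "objectSid" }

Test-IdentityClaimMapping $trustInfo $groupOnly   # identity claim type has no entry
Test-IdentityClaimMapping $trustInfo $withUser    # identity claim type is mapped
```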

@ChristophHannappel
Author

Hi @Yvand, unfortunately the script fails at line 3 with the following error:

$config = [Yvand.LdapClaimsProvider.LDAPCPSE]::CreateConfiguration()
Exception calling "CreateConfiguration" with "0" argument(s): "Properties DirectoryObjectAttribute and DirectoryObjectClass are required"
At line:1 char:1
+ $config = [Yvand.LdapClaimsProvider.LDAPCPSE]::CreateConfiguration()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

@Yvand
Owner

Yvand commented Aug 6, 2024

Hi @ChristophHannappel, ok, in the script above, can you try to replace:

$config = [Yvand.LdapClaimsProvider.LDAPCPSE]::CreateConfiguration()
$settings = $config.Settings

with:

$config = New-Object Yvand.LdapClaimsProvider.Configuration.LdapProviderConfiguration("LDAPCPSEConfig", [Microsoft.SharePoint.Administration.SPFarm]::Local, "LDAPCPSE");
$config.Id = New-Object System.Guid ("F2D006C9-C536-46DA-845D-D5E88CBD15E6")
$settings = [Yvand.LdapClaimsProvider.Configuration.LdapProviderSettings]::GetDefaultSettings("LDAPCPSE")

@ChristophHannappel
Author

Hi @Yvand, this leads to another error message:

Add-Type -AssemblyName "Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740"

[Yvand.LdapClaimsProvider.LDAPCPSE]::DeleteConfiguration()

$config = New-Object LdapProviderConfiguration("LDAPCPSEConfig", [Microsoft.SharePoint.Administration.SPFarm]::Local, "LDAPCPSE");
New-Object : Cannot find type [LdapProviderConfiguration]: verify that the assembly containing this type is loaded.
At line:1 char:11
+ $config = New-Object LdapProviderConfiguration("LDAPCPSEConfig", [Mic ...
+           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
    + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

Thank you for your support.

@Yvand
Owner

Yvand commented Aug 6, 2024

@ChristophHannappel I forgot to include the namespace, I fixed the script in the previous command, can you try again?

@ChristophHannappel
Author

Hi @Yvand, this leads to the Properties DirectoryObjectAttribute and DirectoryObjectClass are required error.

Add-Type -AssemblyName "Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740"

[Yvand.LdapClaimsProvider.LDAPCPSE]::DeleteConfiguration()

$config = New-Object Yvand.LdapClaimsProvider.Configuration.LdapProviderConfiguration("LDAPCPSEConfig", [Microsoft.SharePoint.Administration.SPFarm]::Local, "LDAPCPSE");
New-Object : Exception calling ".ctor" with "3" argument(s): "Properties DirectoryObjectAttribute and DirectoryObjectClass are required"
At line:1 char:11
+ $config = New-Object Yvand.LdapClaimsProvider.Configuration.LdapProvi ...
+           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodInvocationException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

@Yvand
Owner

Yvand commented Aug 6, 2024

@ChristophHannappel hmm yes, I see why it won't work now. So at the moment, you have the following options:

  • Keep your config and try the nightly version
  • Or recreate your SPTrustedIdentityTokenIssuer to change the identifier claim type
  • Or wait for me to publish the new LDAPCP version, which should not take too long, I think 2 weeks max

@ChristophHannappel
Author

Hi @Yvand, I've used the nightly version and the issue is solved.
Thank you very much.
For production use I'll wait for the new LDAPCP release.
