Example Web.config files for LDAP forms-based authentication

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Topic Last Modified: 2016-11-14

When configuring forms-based authentication against an LDAP data store for Microsoft Office Project Server 2007, you must specify where the data store is located and which container in the directory holds the user accounts for the site. You specify these settings in the Web site's configuration file (Web.config). The same changes must also be made in the Web.config file for the SharePoint Central Administration Web site.

This article provides two examples of the changes that need to be made in the Web.config files for Project Server 2007 forms-based authentication against an LDAP data store. For more information about how to implement the changes, see Create a Project Web Access site that uses forms-based authentication against an LDAP data store.

Web.config file example 1

The following is a simple example of the <membership> section that is required in the Web.config file for a site based on forms authentication.

In this basic example, a single site uses forms-based authentication against a single membership provider. The LDAP directory store is located on a computer named "Contoso1" and is configured to use port 50000. Authentication is performed against the objects in userContainer that match userFilter: here, every object of class user in the container CN=Users,OU=Support,O=Contoso,C=US (and, because the scope is Subtree, in any container beneath it).

    <membership defaultProvider="LDAPMembership">
      <providers>
        <add
          name="LDAPMembership"
          type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
          server="Contoso1"
          port="50000"
          useSSL="false"
          userDNAttribute="distinguishedName"
          userNameAttribute="cn"
          userContainer="CN=Users,OU=Support,O=Contoso,C=US"
          userObjectClass="user"
          userFilter="(ObjectClass=user)"
          scope="Subtree"
          otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>

The following describes each parameter used in the previous Web.config example.

name="LDAPMembership"

    Specifies the membership provider name. This value must match the membership provider name specified on the Authentication Providers page in Central Administration. In the example, "LDAPMembership" is the membership provider name.

server="Contoso1"

    Specifies the name of the computer hosting the LDAP service. In the example, the directory service is located on the server "Contoso1". This could be, for example, an instance of Active Directory Application Mode (ADAM) or a domain controller in an Active Directory domain.

port="50000"

    Specifies the port on which LDAP is listening. The default port is 389 (636 for LDAP over SSL).

useSSL="false"

    Specifies that SSL is not used to communicate with the LDAP data store.

    Only anonymous binds to the LDAP provider are currently supported. Make sure this value is set to false. Because the connection is not encrypted, the bind that checks a user's password sends that password across the network in cleartext, so keep the path between the front-end Web servers and the LDAP server inside a trusted network segment and do not expose the LDAP port to clients.

userDNAttribute="distinguishedName"

    Attribute that holds the user's distinguished name. This name appears in Windows SharePoint Services.

userNameAttribute="cn"

    Attribute of the user object that is used as the user name, in this case the common name (cn).

userContainer="CN=Users,OU=Support,O=Contoso,C=US"

    Defines the full distinguished name of the container that holds the users.

userObjectClass="user"

    Class of the user object, in this case user.

userFilter="(ObjectClass=user)"

    A standard LDAP search filter that restricts which objects in the container are available to authenticate against.

    The filter in the example resolves only user objects. The container could also hold groups and other objects, which the filter excludes.

scope="Subtree"

    Sets the search scope. Subtree searches userContainer and every container beneath it.

otherRequiredUserAttributes="sn,givenname,cn"

    Other user attributes to return. sn is the surname (family name), givenname is the first name, and cn is the common name, which in the example is built from the other two (for example, "John Doe") and also serves as the object's relative distinguished name.

Web.config file example 2

The following is a more complex example. In this scenario, the company uses two sites that use forms-based authentication — one for an intranet and one for an extranet. Each site uses a different LDAP membership provider.

In this scenario, the Web.config files for Central Administration, the intranet site, and the extranet site must be configured differently. Each site's Web.config file needs to contain information for the specific LDAP membership provider needed for its users to access the site.

Web.config file for Central Administration

In this scenario, the Web.config file for Central Administration must have information about both membership providers (LDAPMembership and LDAPMembership2). The <membership> section of the Web.config file for Central Administration is as follows:

    <membership defaultProvider="LDAPMembership">
      <providers>
        <add
          server="ps2007ldap"
          port="50000"
          useSSL="false"
          userDNAttribute="distinguishedName"
          userNameAttribute="cn"
          userContainer="CN=Users,OU=Support,O=fabricam,C=US"
          userObjectClass="user"
          userFilter="(ObjectClass=user)"
          scope="Subtree"
          otherRequiredUserAttributes="sn,givenname,cn"
          name="LDAPMembership"
          type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" />
        <add
          server="ps2007ldap"
          port="50000"
          useSSL="false"
          userDNAttribute="distinguishedName"
          userNameAttribute="cn"
          userContainer="CN=Users,OU=Extranet,O=fabricam,C=US"
          userObjectClass="user"
          userFilter="(&amp;(memberOf=CN=ProjectUsers,OU=Extranet,O=fabricam,C=US)(memberOf=CN=WSSUsers,OU=Extranet,O=fabricam,C=US))"
          scope="Subtree"
          otherRequiredUserAttributes="sn,givenname,cn"
          name="LDAPMembership2"
          type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" />
      </providers>
    </membership>

Web.config file for the intranet site

The <membership> section of the Web.config file for the intranet site is as follows:

    <membership defaultProvider="LDAPMembership">
      <providers>
        <add
          server="ps2007ldap"
          port="50000"
          useSSL="false"
          userDNAttribute="distinguishedName"
          userNameAttribute="cn"
          userContainer="CN=Users,OU=Support,O=fabricam,C=US"
          userObjectClass="user"
          userFilter="(ObjectClass=user)"
          scope="Subtree"
          otherRequiredUserAttributes="sn,givenname,cn"
          name="LDAPMembership"
          type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" />
      </providers>
    </membership>

The Intranet site is using the LDAPMembership membership provider and is authenticating against users in the CN=Users,OU=Support,O=fabricam,C=US container.

Web.config file for the extranet site

The membership provider for the extranet site is defined as LDAPMembership2. Because it is the only provider this file defines, defaultProvider must name it as well: a defaultProvider that does not match any entry in the <providers> list causes a provider error when the ASP.NET membership system initializes. The <membership> section of the Web.config file for the extranet site is as follows:

    <membership defaultProvider="LDAPMembership2">
      <providers>
        <add
          server="ps2007ldap"
          port="50000"
          useSSL="false"
          userDNAttribute="distinguishedName"
          userNameAttribute="cn"
          userContainer="CN=Users,OU=Extranet,O=fabricam,C=US"
          userObjectClass="user"
          userFilter="(&amp;(memberOf=CN=ProjectUsers,OU=Extranet,O=fabricam,C=US)(memberOf=CN=WSSUsers,OU=Extranet,O=fabricam,C=US))"
          scope="Subtree"
          otherRequiredUserAttributes="sn,givenname,cn"
          name="LDAPMembership2"
          type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" />
      </providers>
    </membership>

The extranet site uses the LDAPMembership2 membership provider and authenticates against users in the CN=Users,OU=Extranet,O=fabricam,C=US container, rather than the CN=Users,OU=Support,O=fabricam,C=US container that LDAPMembership uses. It also applies the filter (&amp;(memberOf=CN=ProjectUsers,OU=Extranet,O=fabricam,C=US)(memberOf=CN=WSSUsers,OU=Extranet,O=fabricam,C=US)), which admits only users that are members of both the ProjectUsers and the WSSUsers groups defined in the directory. Note the &amp;: it is the XML-escaped form of the & that the LDAP AND operator uses, and it is required because the filter sits inside an XML attribute value. An unescaped & would make the Web.config file malformed XML.
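To make the effect of the two filters concrete, here is an added example (my code, not the article's and not the provider's own implementation) that evaluates the article's userFilter values against a few constructed directory entries. It implements only the filter syntax the examples use, equality items and the (&...) AND list; the entries, the user names Alice and Bob and the nested Contractors group are constructed sample data. It also shows the XML escaping of & and, as an assumption because the article does not say whether the provider ANDs userObjectClass into userFilter, a tightened filter that adds (objectClass=user) so that a group object placed in both groups cannot match.

```python
"""Evaluate the userFilter values from the article's Web.config examples against
a few constructed directory entries.  Added example, not code from the article or
from the LDAPMembershipProvider; it implements only the subset of the RFC 4515
filter syntax those examples use: equality items and the (&...) AND list.
The entries, DNs and group names below are constructed sample data."""
from xml.sax.saxutils import escape

# Filters exactly as they appear in the article (before XML escaping)
INTRANET_FILTER = "(ObjectClass=user)"
EXTRANET_FILTER = ("(&(memberOf=CN=ProjectUsers,OU=Extranet,O=fabricam,C=US)"
                   "(memberOf=CN=WSSUsers,OU=Extranet,O=fabricam,C=US))")
# Same filter with an objectClass item added, so a group object that is itself a
# member of both groups cannot satisfy it (assumption: the provider does not
# already AND userObjectClass into userFilter; the article does not say)
TIGHTENED_FILTER = "(&(objectClass=user)" + EXTRANET_FILTER[2:]

PROJECT_USERS = "CN=ProjectUsers,OU=Extranet,O=fabricam,C=US"
WSS_USERS = "CN=WSSUsers,OU=Extranet,O=fabricam,C=US"
BASE = "CN=Users,OU=Extranet,O=fabricam,C=US"

# Constructed entries: DN -> attributes (lower-cased names, list of values)
ENTRIES = {
    f"CN=Alice,{BASE}": {"objectclass": ["top", "person", "user"],
                         "memberof": [PROJECT_USERS, WSS_USERS]},
    f"CN=Bob,{BASE}": {"objectclass": ["top", "person", "user"],
                       "memberof": [PROJECT_USERS]},
    # a nested group that was added to both groups: not a user at all
    f"CN=Contractors,{BASE}": {"objectclass": ["top", "group"],
                               "memberof": [PROJECT_USERS, WSS_USERS]},
}


def parse_filter(text):
    """Parse '(attr=value)' or '(&(item)(item)...)' into a small tree."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        if text[i + 1:i + 2] == "&":
            i, items = i + 2, []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                items.append(node)
            if not items or i >= len(text) or text[i] != ")":
                raise ValueError("unterminated AND list")
            return ("and", items), i + 1
        end = text.find(")", i)
        if end < 0 or "=" not in text[i + 1:end]:
            raise ValueError(f"malformed item at offset {i}")
        attr, value = text[i + 1:end].split("=", 1)   # DN values contain '=' too
        return ("eq", attr.lower(), value), end + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def matches(node, entry):
    """Attribute names and DN-valued attributes compare case-insensitively, as in LDAP."""
    if node[0] == "and":
        return all(matches(item, entry) for item in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def matching_dns(filter_text, entries=ENTRIES):
    """DNs of the entries the provider would see as candidates for authentication."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(node, attrs))


def as_attribute_value(filter_text):
    """Escape a filter for use inside a Web.config attribute: & becomes &amp;."""
    return escape(filter_text, {'"': "&quot;"})


if __name__ == "__main__":
    for label, flt in [("intranet", INTRANET_FILTER), ("extranet", EXTRANET_FILTER),
                       ("tightened", TIGHTENED_FILTER)]:
        print(label, matching_dns(flt))
    print(as_attribute_value(EXTRANET_FILTER))
```

Run it to see that the extranet filter as written matches the Contractors group object as well as Alice, while the tightened form matches only Alice. Whether that matters depends on whether the provider applies userObjectClass as a further constraint; adding the objectClass item to the filter costs nothing and removes the doubt.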

The format of the <membership> sections in example 2 differs from example 1. They contain exactly the same attributes, but in a different order, because the second example was saved through the Internet Information Services Manager user interface.

Note

There is a problem caused by using the Internet Information Services Manager user interface. The <configuration> element is rewritten as <configuration xmlns="https://schemas.microsoft.com/.NetConfiguration/v2.0">, and this causes an application error in Windows SharePoint Services. For more information, see Knowledge Base Article 917238 (https://go.microsoft.com/fwlink/?LinkId=92744&clcid=0x409).
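Because each site's providers must also be present, with the same settings, in the Central Administration Web.config, and because both the IIS Manager rewrite of <configuration> and a defaultProvider that names an undefined provider break the site, the following added example (my code, not from the article) cross-checks the <membership> sections of a site Web.config against the Central Administration copy. The Web.config fragments are constructed inline from the article's values; the finding codes, the check_site function and the list of attributes on which the site and Central Administration copies are required to agree are my assumptions about what a sound deployment looks like, not something the article states.

```python
"""Cross-check the <membership> section of a site Web.config against the Central
Administration Web.config.  Added example, not the article's code.  The Web.config
fragments are constructed here from the article's values; the extranet one
deliberately carries two mistakes: a defaultProvider it does not define, and the
xmlns that IIS Manager writes onto <configuration> (KB 917238)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CONFIG_NS = "http://schemas.microsoft.com/.NetConfiguration/v2.0"
PROVIDER_TYPE = ("Microsoft.Office.Server.Security.LDAPMembershipProvider, "
                 "Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, "
                 "PublicKeyToken=71E9BCE111E9429C")
# a site's provider must agree with the Central Administration copy on these (assumption)
MUST_MATCH = ("server", "port", "useSSL", "userContainer", "userFilter", "scope")

SUPPORT = "CN=Users,OU=Support,O=fabricam,C=US"
EXTRANET = "CN=Users,OU=Extranet,O=fabricam,C=US"
EXTRANET_FILTER = ("(&(memberOf=CN=ProjectUsers,OU=Extranet,O=fabricam,C=US)"
                   "(memberOf=CN=WSSUsers,OU=Extranet,O=fabricam,C=US))")


def provider(name, container, user_filter, use_ssl="false"):
    """One <add> element; escape() turns the & in the filter into &amp;."""
    return (f'<add name="{name}" type="{PROVIDER_TYPE}" server="ps2007ldap" '
            f'port="50000" useSSL="{use_ssl}" userDNAttribute="distinguishedName" '
            f'userNameAttribute="cn" userContainer="{container}" userObjectClass="user" '
            f'userFilter="{escape(user_filter)}" scope="Subtree" '
            f'otherRequiredUserAttributes="sn,givenname,cn" />')


def webconfig(default, providers, xmlns=None):
    """Minimal Web.config skeleton around a <membership> section."""
    root = f'<configuration xmlns="{xmlns}">' if xmlns else "<configuration>"
    return (f'{root}<system.web><membership defaultProvider="{default}"><providers>'
            f'{"".join(providers)}</providers></membership></system.web></configuration>')


CENTRAL_ADMIN = webconfig("LDAPMembership", [
    provider("LDAPMembership", SUPPORT, "(ObjectClass=user)"),
    provider("LDAPMembership2", EXTRANET, EXTRANET_FILTER)])
INTRANET_SITE = webconfig("LDAPMembership", [
    provider("LDAPMembership", SUPPORT, "(ObjectClass=user)")])
EXTRANET_SITE = webconfig("LDAPMembership", [          # wrong default, wrong xmlns
    provider("LDAPMembership2", EXTRANET, EXTRANET_FILTER)], xmlns=CONFIG_NS)


def parse_membership(webconfig_xml):
    """Return (defaultProvider, {name: attributes}, namespace on <configuration> or None)."""
    root = ET.fromstring(webconfig_xml)
    xmlns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else None
    for el in root.iter():            # drop the namespace so the lookups below work
        el.tag = el.tag.split("}", 1)[-1]
    membership = root.find(".//membership")
    if membership is None:
        raise ValueError("no <membership> section")
    adds = membership.findall("./providers/add")
    return membership.get("defaultProvider"), {a.get("name"): dict(a.attrib) for a in adds}, xmlns


def check_site(site, site_xml, central_xml):
    """Findings as (site, provider, code, message); an empty list means nothing to fix."""
    findings = []
    default, provs, xmlns = parse_membership(site_xml)
    _, central, _ = parse_membership(central_xml)
    if xmlns:
        findings.append((site, None, "xmlns",
                         f'<configuration> carries xmlns="{xmlns}"; remove it (KB 917238)'))
    if default not in provs:
        findings.append((site, None, "default-provider",
                         f"defaultProvider '{default}' is not defined here: {sorted(provs)}"))
    for name, a in provs.items():
        if a.get("type") != PROVIDER_TYPE:
            findings.append((site, name, "type", "not the Office Server LDAP membership provider"))
        if a.get("useSSL", "").lower() == "false":
            findings.append((site, name, "cleartext",
                             f"useSSL=false: passwords reach {a.get('server')}:{a.get('port')} unencrypted"))
        if name not in central:
            findings.append((site, name, "missing-in-central",
                             "provider is absent from the Central Administration Web.config"))
            continue
        for key in MUST_MATCH:
            if a.get(key) != central[name].get(key):
                findings.append((site, name, "mismatch",
                                 f"{key}={a.get(key)!r} here, {central[name].get(key)!r} in Central Administration"))
    return findings


if __name__ == "__main__":
    for site, xml in [("intranet", INTRANET_SITE), ("extranet", EXTRANET_SITE)]:
        for finding in check_site(site, xml, CENTRAL_ADMIN):
            print(finding)
```

The "cleartext" finding fires for every provider on the page, because the article requires useSSL="false"; it is there so that the network placement of the LDAP server gets a deliberate decision rather than being forgotten. The "mismatch" finding catches the case where someone hardens one copy of a provider (for example, turns on SSL in a site Web.config) but leaves the Central Administration copy pointing at the old settings.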