Using an LDAP provider with forms-based authentication means that users log in with their Windows or AD account. However, because forms-based authentication is used they don't get the usual browser credential popup; instead they log in through a sign-in page.
The following steps will help you set it up:
First, create users in an AD LDS instance
Create a new AD LDS instance with the AD LDS Setup Wizard.
Connect to the new instance with the ADSI Edit tool, then create an account in the instance as shown in the following screenshot.
Create a web application
Go to Central Administration > Application Management
Click on Manage Web Applications
Click New
Select Claims Based Authentication
Identity providers
Check the Enable Windows Authentication box, or you won't be able to crawl the site
Check the Enable ASP.NET Membership and Role Provider check-box
In the Membership provider name edit box, type LdapMembership1
In the Role provider name edit box, type LdapRole1.
Create a new site collection
Go to Central Administration > Application Management
Click Create site collections
Select the newly created web application
Fill in a name and select a template
Adjust the web.config of the Central Administration site
Open the Central Administration site’s web.config file
Find the <system.web> entry
Paste the following XML directly below it (note that the provider name must match defaultProvider exactly, with no stray spaces):
<membership defaultProvider="LdapMembership1">
  <providers>
    <add name="LdapMembership1" type="Microsoft.Office.Server.Security.LdapMembershipProvider,
      Microsoft.Office.Server.UserProfiles, Version=14.0.0.0, Culture=neutral,
      PublicKeyToken=71e9bce111e9429c"
      server="dc.BoostSolutions.com"
      port="389"
      useSSL="false"
      userDNAttribute="distinguishedName"
      userNameAttribute="cn"
      userContainer="CN=Users,CN=sharepoint,DC=boost,DC=COM"
      userObjectClass="user"
      userFilter="(ObjectClass=user)"
      scope="Subtree"
      otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <add name="LdapRole1" type="Microsoft.Office.Server.Security.LdapRoleProvider,
      Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral,
      PublicKeyToken=71e9bce111e9429c"
      server="dc.BoostSolutions.com"
      port="389"
      useSSL="false"
      groupContainer="CN=Users,CN=sharepoint,DC=boost,DC=COM"
      groupNameAttribute="cn"
      groupNameAlternateSearchAttribute="samAccountName"
      groupMemberAttribute="member"
      userNameAttribute="cn"
      dnAttribute="distinguishedName"
      groupFilter="(ObjectClass=group)"
      userFilter="(ObjectClass=person)"
      scope="Subtree" />
  </providers>
</roleManager>
Double check that the <membership> and <roleManager> entries each exist only once. Delete any duplicate entries.
Paste the following XML below the <PeoplePickerWildcards> entry.
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="LdapMembership1" value="*" />
<add key="LdapRole1" value="*" />
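The "exactly once" check above, plus the two mistakes that most often break or weaken this setup, can be verified mechanically before touching the farm. The script below is an added example, not part of the original post: it parses a web.config, reports duplicate <membership>/<roleManager> sections, a provider name that no longer matches defaultProvider (a stray space from copy-paste is enough), and any LDAP provider configured with useSSL="false", which sends the user's password to the directory server in cleartext. The embedded web.config is a constructed sample with a placeholder server name and abbreviated type attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config shaped like the Central Administration fragment
# (placeholder server, abbreviated type attributes). It carries two defects worth
# catching: a leading space in the membership provider name, so it no longer
# matches defaultProvider, and useSSL="false", i.e. cleartext binds on port 389.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="LdapMembership1">
      <providers>
        <add name=" LdapMembership1" type="Microsoft.Office.Server.Security.LdapMembershipProvider"
             server="dc.example.invalid" port="389" useSSL="false"
             userContainer="CN=Users,CN=sharepoint,DC=boost,DC=COM"
             userObjectClass="user" userFilter="(ObjectClass=user)" scope="Subtree" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <add name="LdapRole1" type="Microsoft.Office.Server.Security.LdapRoleProvider"
             server="dc.example.invalid" port="636" useSSL="true"
             groupNameAttribute="cn" groupMemberAttribute="member" scope="Subtree" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""

def audit_ldap_providers(web_config_xml):
    """Return (section, provider_name, issue) tuples for a web.config string.
    Issues: duplicate-section (a section appears twice under <system.web>),
    whitespace-name, default-missing (membership defaultProvider names no
    declared provider) and cleartext-ldap (LDAP provider with useSSL != true)."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for section in ("membership", "roleManager"):
        nodes = root.findall(f"./system.web/{section}")
        if len(nodes) > 1:
            findings.append((section, None, "duplicate-section"))
        for node in nodes:
            names = []
            for add in node.findall("./providers/add"):
                name = add.get("name", "")
                names.append(name)
                if name != name.strip():  # copy-paste artifact breaks provider lookup
                    findings.append((section, name, "whitespace-name"))
                if "Ldap" in add.get("type", "") and add.get("useSSL", "").lower() != "true":
                    findings.append((section, name, "cleartext-ldap"))
            if section == "membership" and node.get("defaultProvider") not in names:
                findings.append((section, node.get("defaultProvider"), "default-missing"))
    return findings
```

Run it against each of the three web.config files this walkthrough edits; an empty result means the sections are unique, the names line up and every LDAP bind is on SSL.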
Adjust the web.config of the claims based web application
Open the claims based web application’s web.config file
Locate the <membership> entry
Paste the following XML directly below the <providers> entry.
<add name="LdapMembership1" type="Microsoft.Office.Server.Security.LdapMembershipProvider,
  Microsoft.Office.Server.UserProfiles, Version=14.0.0.0, Culture=neutral,
  PublicKeyToken=71e9bce111e9429c"
  server="dc.BoostSolutions.com"
  port="389"
  useSSL="false"
  userDNAttribute="distinguishedName"
  userNameAttribute="cn"
  userContainer="CN=Users,CN=sharepoint,DC=boost,DC=COM"
  userObjectClass="user"
  userFilter="(ObjectClass=user)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
Locate the <roleManager> entry
Paste the following XML directly below the <providers> entry.
<add name="LdapRole1" type="Microsoft.Office.Server.Security.LdapRoleProvider,
  Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral,
  PublicKeyToken=71e9bce111e9429c"
  server="dc.BoostSolutions.com"
  port="389"
  useSSL="false"
  groupContainer="CN=Users,CN=sharepoint,DC=boost,DC=COM"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="cn"
  dnAttribute="distinguishedName"
  groupFilter="(ObjectClass=group)"
  userFilter="(ObjectClass=person)"
  scope="Subtree" />
Paste the following XML below the <PeoplePickerWildcards> entry
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="LdapMembership1" value="*" />
<add key="LdapRole1" value="*" />
Adjust the web.config of the Security Token Service (STS) virtual directory
NB: If your environment has multiple servers, you will need to change the Security Token Service virtual directory on each server hosting either Central Administration or the claims based web application.
Open the Security Token Service (STS) virtual directory web.config file
Find the <system.web> entry
Add a <system.web> entry directly below it
Paste the following XML directly below the <system.web> entry
<membership defaultProvider="LdapMembership1">
  <providers>
    <add name="LdapMembership1" type="Microsoft.Office.Server.Security.LdapMembershipProvider,
      Microsoft.Office.Server.UserProfiles, Version=14.0.0.0, Culture=neutral,
      PublicKeyToken=71e9bce111e9429c"
      server="dc.BoostSolutions.com"
      port="389"
      useSSL="false"
      userDNAttribute="distinguishedName"
      userNameAttribute="cn"
      userContainer="CN=Users,CN=sharepoint,DC=boost,DC=COM"
      userObjectClass="user"
      userFilter="(ObjectClass=user)"
      scope="Subtree"
      otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <add name="LdapRole1" type="Microsoft.Office.Server.Security.LdapRoleProvider,
      Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral,
      PublicKeyToken=71e9bce111e9429c"
      server="dc.BoostSolutions.com"
      port="389"
      useSSL="false"
      groupContainer="CN=Users,CN=sharepoint,DC=boost,DC=COM"
      groupNameAttribute="cn"
      groupNameAlternateSearchAttribute="samAccountName"
      groupMemberAttribute="member"
      userNameAttribute="cn"
      dnAttribute="distinguishedName"
      groupFilter="(ObjectClass=group)"
      userFilter="(ObjectClass=person)"
      scope="Subtree" />
  </providers>
</roleManager>
Add a </system.web> entry directly below it
Add a user policy to the web application
Go to Central Administration > Application Management
Click on Manage Web Applications
Select the claims based web application
Click on User Policy
Click on the Add Users link
Click the Next button
Click the Address Book icon.
Type in the NT login or account name and click the search button. If it's working correctly you should see at least two entries for the account: one is the user's Active Directory account, and the other is that same account as found through the LDAP provider.
Select the account in the User section and click the Add button
Click the OK button
Check the Full Control checkbox, then click the Finish button.
You can now browse to the web application and log in using forms-based authentication.
Select Forms Authentication in the dropdown and fill in the appropriate user name and password.
Any questions, comments or suggestions? Please just comment on my post! 🙂 Cheers!
I actually got this to work with ApacheDS LDAP and can pick my site administrator by name, but when I try to hit the site with username and password, it doesn’t accept it. Any ideas?