Search results display only email address

Nov 5, 2013 at 8:12 PM
Hello,

I have deployed the package and it seems to only display the email address. It does not include groups. Second, what elements can I search on? I tried to search on my first name and it does not find me. Also, what options do we have for the display? Right now it only shows the email address.

Could you please advise?
Nov 6, 2013 at 12:34 PM
hello,
it's probably because the default list of claim types handled by LDAPCP doesn't match the claim type associated with groups (that you defined when you created the trust).
To verify this, run this cmdlet in your environment:
(Get-SPTrustedIdentityTokenIssuer).ClaimTypeInformation
And compare claim types with the table in the homepage of the project.
If it doesn't match, you can easily change the list in central administration > Security > Claims mapping
cheers,
Yvan
Nov 6, 2013 at 2:28 PM
Hi Yvan

Please find the output when I ran the command "(Get-SPTrustedIdentityTokenIssuer).ClaimTypeInformation"

DisplayName : EmailAddress
InputClaimType : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
MappedClaimType : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
IsIdentityClaim : True
AcceptOnlyKnownClaimValues : False
ClaimValueModificationAction : None
ClaimValueModificationArgument :
KnownClaimValues : {}
UpgradedPersistedProperties :

DisplayName : Role
InputClaimType : http://schemas.microsoft.com/ws/2008/06/identity/claims/role
MappedClaimType : http://schemas.microsoft.com/ws/2008/06/identity/claims/role
IsIdentityClaim : False
AcceptOnlyKnownClaimValues : False
ClaimValueModificationAction : None
ClaimValueModificationArgument :
KnownClaimValues : {}
UpgradedPersistedProperties :

Not sure what is missing here. What we want to achieve is that when we search for any name it should display the possible names and groups available (like the default people picker behaviour). I would appreciate it if you could give us some direction on where the issue might be on our end.

Thanks,
Smruti
Nov 7, 2013 at 12:23 PM
hello,
this would work if you were on SharePoint 2013, but in 2010 the groups claim type used by LDAPCP is "http://schemas.xmlsoap.org/claims/Group".
So you need to change it to http://schemas.microsoft.com/ws/2008/06/identity/claims/role in central administration > Security > Claims mapping
Cheers,
Yvan
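The check Yvan describes (list the claim types on the trust, compare them with LDAPCP's claims mapping) as an added example, not code from LDAPCP or from anyone in this thread. The function takes both lists as parameters so it can be run offline against copied values; the sample data below is constructed from this thread (the trust carries the emailaddress and role claim types, LDAPCP's SharePoint 2010 default for groups is the Group claim type). It assumes no cmdlet exposes the LDAPCP mapping list, so that list is copied from Central Administration by hand. Written for the PowerShell 2.0 that ships with SharePoint 2010.

```powershell
# Added example, not LDAPCP's code. Reports claim types declared on the
# SPTrustedIdentityTokenIssuer that LDAPCP has no mapping for, i.e. claims
# the people picker will never search on.

function Compare-LdapcpClaimTypes {
    param(
        [Parameter(Mandatory = $true)] [string[]] $TrustClaimTypes,   # MappedClaimType values from the trust
        [Parameter(Mandatory = $true)] [string[]] $MappedClaimTypes   # claim types in LDAPCP's claims mapping
    )
    foreach ($ct in $TrustClaimTypes) {
        # -contains compares strings case-insensitively, so only a real URI
        # difference (e.g. ".../claims/Group" vs ".../claims/role") is flagged.
        New-Object PSObject -Property @{
            ClaimType      = $ct
            MappedInLdapcp = ($MappedClaimTypes -contains $ct)
        }
    }
}

# On the farm (SharePoint 2010 Management Shell, run as a farm administrator):
#   $trustTypes = (Get-SPTrustedIdentityTokenIssuer).ClaimTypeInformation |
#       ForEach-Object { $_.MappedClaimType }
# The LDAPCP list is copied from Central Administration > Security > Claims mapping
# (assumption: no cmdlet exposes it).
#
# Constructed sample data reproducing the situation in the thread:
$trustTypes = @(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
)
$ldapcpTypes = @(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'http://schemas.xmlsoap.org/claims/Group'   # LDAPCP's SharePoint 2010 default for groups
)

Compare-LdapcpClaimTypes -TrustClaimTypes $trustTypes -MappedClaimTypes $ldapcpTypes |
    Where-Object { -not $_.MappedInLdapcp } |
    ForEach-Object {
        "Claim type '$($_.ClaimType)' is on the trust but has no LDAPCP mapping: " +
        "add or edit it under Central Administration > Security > Claims mapping"
    }
```

With the sample data this prints one line, for the role claim type, which is exactly the mismatch Yvan identified; once the mapping is edited to the role claim type the script prints nothing.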
Nov 11, 2013 at 11:31 PM
Edited Nov 11, 2013 at 11:43 PM
Hello Yvan,

Thanks for the information; it took us one step closer to what we are looking for here. After the changes we are now getting the "Email ID" and the associated "Role" in the people picker search result. As stated earlier, our expectation is the default people picker search result: when we search for a given name, it should display that name and all names resembling it. For example, when we search "Marc" it should display "Marce", "Marcel", etc. with first name + last name combinations, which is not happening now. So far we are able to get the "Email id" and his/her designation as part of the search result.

For further information on what could be missing here, I gave the output of the command "(Get-SPTrustedIdentityTokenIssuer).ClaimTypeInformation" in my last post.

Also please find the content of "Security > Claims mapping" page for reference

Claim type                                                                   LDAP attribute               LDAP object class
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress           mail                         user
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname   sAMAccountName               user
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn                    userPrincipalName            user
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname              givenName                    user
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality               physicalDeliveryOfficeName   user
http://schemas.microsoft.com/ws/2008/06/identity/claims/role                 sAMAccountName               group
linked to identity claim                                                     displayname                  user
linked to identity claim                                                     cn                           user
linked to identity claim                                                     sn                           user
Used as metadata for the permission created                                  title                        user
Used as metadata for the permission created                                  msRTCSIP-PrimaryUserAddress  user
Used as metadata for the permission created                                  telephoneNumber              user

To achieve this do I need to
Either
        Add new claims/claim types (if yes, please let me know which claims?)
        Then create new claim mapping
        Lastly, add this mapping to our trusted identity provider
Or
        Need to make some changes in the Claims mapping page?
Please suggest.

Thanks,
Smruti
Nov 12, 2013 at 12:08 PM
hello Smruti,

did you deploy the standard package or the package for developers?

Based on the table, that should work as you wish. So to summarize what you should do:
  • Filter SharePoint logs on category "LDAPCP" and you will see the actual LDAP query sent to LDAP server, with number of results and all the permissions created. Then you can easily see why it's not working on some attributes like firstname/lastname, etc...
  • In the LDAP query, you should see something like 'UserInput*', so that it searches everything that starts with 'UserInput'. If query is only 'UserInput', that means it searches this value exactly and explains why query 'Marc' doesn't return 'Marcel' (for example)
  • An attribute that is "linked to identity claim" means it will always be in LDAP query, but LDAPCP will create the permission with the attribute linked to the identity claim of the result. For example, you search 'lastname': permission will be created on email 'firstname.lastname@contoso.com' (assuming email is the identity claim type)
I hope it will help you, keep me posted.

cheers,
Yvan
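An added example of the query construction Yvan describes (not LDAPCP's code and not from anyone in this thread): it builds a filter of the same shape as the one LDAPCP writes to the ULS log, from the claims-mapping table and the claim types on the trust. Attributes "linked to identity claim" are always searched, and the user input gets a trailing wildcard so 'Marc' also matches 'Marcel'. Two things are this example's own assumptions rather than statements from the page: that an attribute mapped to a claim type is searched only when that claim type exists on the trust (consistent with the query Smruti later posts, where givenName, userPrincipalName and the user sAMAccountName are absent), and the RFC 4515 escaping of the user input, since the page does not show how LDAPCP itself escapes it. Sample mappings are constructed from the table posted above. PowerShell 2.0 syntax.

```powershell
# Added example, not LDAPCP's code. Reproduces the shape of the LDAP query LDAPCP
# logs, and shows why user input must be escaped before it is placed in a filter.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)] [string] $Value)
    # RFC 4515 escaping: backslash first, then the characters that would let the
    # input close a clause and add its own, e.g. "*)(objectclass=*".
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'
}

function New-LdapcpStyleFilter {
    param(
        [Parameter(Mandatory = $true)] [string]   $UserInput,
        [Parameter(Mandatory = $true)] [object[]] $Mappings,        # ClaimType, Attribute, ObjectClass
        [Parameter(Mandatory = $true)] [string[]] $TrustClaimTypes
    )
    $value = (ConvertTo-LdapFilterValue $UserInput) + '*'   # prefix search, as in the logged query
    # Assumption of this example: linked attributes are always searched, mapped
    # attributes only when their claim type is on the trust, metadata rows never.
    $clauses = $Mappings |
        Where-Object { $_.ClaimType -eq 'linked to identity claim' -or $TrustClaimTypes -contains $_.ClaimType } |
        ForEach-Object { "(&(objectclass=$($_.ObjectClass)) ($($_.Attribute)=$value))" }
    '(|' + ($clauses -join '') + ')'
}

function New-Mapping([string] $ClaimType, [string] $Attribute, [string] $ObjectClass) {
    New-Object PSObject -Property @{ ClaimType = $ClaimType; Attribute = $Attribute; ObjectClass = $ObjectClass }
}

# Constructed from the Claims mapping table posted above (metadata rows shortened to one).
$mappings = @(
    (New-Mapping 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'         'mail'                       'user'),
    (New-Mapping 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname' 'sAMAccountName'             'user'),
    (New-Mapping 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'                  'userPrincipalName'          'user'),
    (New-Mapping 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'            'givenName'                  'user'),
    (New-Mapping 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality'             'physicalDeliveryOfficeName' 'user'),
    (New-Mapping 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'               'sAMAccountName'             'group'),
    (New-Mapping 'linked to identity claim'                                                   'displayName'                'user'),
    (New-Mapping 'linked to identity claim'                                                   'cn'                         'user'),
    (New-Mapping 'linked to identity claim'                                                   'sn'                         'user'),
    (New-Mapping 'Used as metadata for the permission created'                                'title'                      'user')
)
# Claim types on the trust, as (Get-SPTrustedIdentityTokenIssuer).ClaimTypeInformation lists them.
$trustClaimTypes = @(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
)

New-LdapcpStyleFilter -UserInput 'marcel' -Mappings $mappings -TrustClaimTypes $trustClaimTypes
# -> (|(&(objectclass=user) (mail=marcel*))(&(objectclass=group) (sAMAccountName=marcel*))
#      (&(objectclass=user) (displayName=marcel*))(&(objectclass=user) (cn=marcel*))
#      (&(objectclass=user) (sn=marcel*)))   (one line; wrapped here for readability)
# givenName is not in the filter because its claim type is not on the trust, so a
# search on a first name alone finds nothing under this model.

New-LdapcpStyleFilter -UserInput '*)(objectclass=*' -Mappings $mappings -TrustClaimTypes $trustClaimTypes
# The parentheses and asterisks come out as \28 \29 \2a, so the input cannot widen the query.
```

When reading your own ULS entries, compare the logged filter against what this produces for the same input: a missing attribute means its claim type is not on the trust (or the row is a metadata row), and an input without the trailing `*` means an exact rather than a prefix search.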
Nov 14, 2013 at 10:22 AM
Edited Nov 14, 2013 at 11:45 AM
hello Yvan,

Based on your input, please see below my findings
  1. I have deployed the standard package.
  2. I queried the input text "marcel"
  3. Entries found in the log (here I am putting all related entries for one result together for reference):
Got 20 results with query "(|(&(objectclass=user) (mail=marcel*))(&(objectclass=group) (sAMAccountName=marcel*))(&(objectclass=user) (displayName=marcel*))(&(objectclass=user) (cn=marcel*))(&(objectclass=user) (sn=marcel*)))"


Added metadata "Email" with value "marcel.dakan@abc.net" to permission
Added metadata "DisplayName" with value "Marcel Dakan" to permission
Added metadata "Title" with value "Product Engineer" to permission
Added metadata "WorkPhone" with value "-" to permission
Created permission: display text: "marcel.dakan@abc.net", value: "marcel.dakan@abc.net", claim type: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress".

Added permission created with LDAP lookup: claim value: "marcel.dakan@abc.net", claim type: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" to the list of results.
  4. Results I got at the people picker w.r.t. the specific entry:
         marcel.dakan@abc.net
         Product Engineer
I was expecting it will display all other attributes too like "DisplayName"

Also it appears to me from the log that it is not searching for any "Group" / "Role" attribute, because I could not see any metadata for "Role/Group" in the log.

Hope it helps in narrowing down my issue and thanks a lot for your constant help.

Thanks,
Smruti
Nov 14, 2013 at 12:50 PM
hello,

that part of the query searches groups: "(&(objectclass=group) (sAMAccountName=marcel*))"
But it didn't return anything since, I guess, there are no group names that start with marcel

The display is exactly as expected. If you want to display something else instead of the mail (for example the cn attribute which is the display name), you can do so in central admin > security > global configuration:
check option "Always use a specific LDAP attribute for the display text of the permission", type cn in the textbox and save

cheers,
Yvan