Synchronizing SharePoint profiles data from LDS
Background
- On a number of occasions, when using claims authentication, the Trusted Identity Provider bases its authentication on Active Directory LDS.
- In these cases, profile data from LDS needs to be imported into SharePoint.
Design
SharePoint 2010 supports profile synchronization and offers a mechanism to integrate with different directory services such as Active Directory Domain Services, SunOne, Novell directory, etc. Out of the box, however, there is no support for synchronizing user profiles with Active Directory Lightweight Directory Services (AD LDS). Hence, in scenarios where it is necessary to synchronize with AD LDS, it is recommended to use the LDIFDE utility (available with the Windows Server 2008 OS) to extract the profile attributes into a flat file and then follow the process documented in Configure profile synchronization using a Lightweight Directory Interchange Format (LDIF) file (SharePoint Server 2010) - https://technet.microsoft.com/en-us/library/ff959234.aspx
Integration Design and Process
Listed below are the high-level details associated with the profile synchronization process.
Potential Issue
- Once imported, these profiles need to be linked to the individual users logging into SharePoint through the configured Trusted Identity Provider. If this link is absent, SharePoint ends up creating another profile from the logged-in user's data (which contains nothing but the account name).
Requirement
- One profile per user should exist in SharePoint (not multiple)
Resolution
- My colleague Bryan Porter is the one who pointed me to the solution (noted in his blog https://blogs.msdn.com/b/brporter/archive/2010/07/19/trusted-identity-providers-amp-user-profile-synchronization.aspx). That post describes how to link profile data coming from Active Directory.
- For linking profiles coming from LDS, listed below are the values which need to be hard-coded in Forefront Identity Manager.
| LDS Attribute Name (Used by LDIF MA) | FIM Metaverse Attribute Name (Used by ILM MA) | SharePoint Property Name (Used by SharePoint MA) | Comments |
| --- | --- | --- | --- |
| CustomProperty_LoginID | SPS-ClaimID | SPS-ClaimID | The value in this property needs to match the user's login ID. This is the field SharePoint checks once a user logs in, and it is what links the login to the specific profile. |
| "Trusted" | SPS-ClaimProviderType | SPS-ClaimProviderType | Hard-coded value. This value does not come from LDS. |
| "Trusted Identity Provider Name" | SPS-ClaimProviderID | SPS-ClaimProviderID | Hard-coded value. This value does not come from LDS. |
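To make the mapping in the table concrete, the following is an added example (not code from this post, Bryan Porter's post, or the FIM/SharePoint product) that reads an LDIF export of the kind LDIFDE produces, applies the three attribute rules above (CustomProperty_LoginID becomes SPS-ClaimID, while SPS-ClaimProviderType and SPS-ClaimProviderID are constants), and then checks the "one profile per user" requirement before anything is imported: entries with no login ID would never link to a login, and two entries sharing a login ID would collide on SPS-ClaimID. The LDIF sample, the DNs, the provider name "SAML Provider", and the objectClass are constructed for the example; FIM itself performs the mapping at synchronization time, so this script only previews what the metaverse records should look like.

```python
import base64
from collections import Counter

# Constructed sample LDIF export in the shape LDIFDE produces from AD LDS.
# DNs, attribute values and the objectClass are illustrative, not real data.
# One entry uses the base64 ("::") value form, one lacks a login ID, and one
# duplicates another entry's login ID, to exercise the checks below.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=contoso,DC=local
objectClass: userProxy
cn: alice
CustomProperty_LoginID: alice@contoso.local
mail: alice@contoso.local

dn: CN=bob,OU=Users,DC=contoso,DC=local
objectClass: userProxy
cn: bob
CustomProperty_LoginID:: Ym9iQGNvbnRvc28ubG9jYWw=
mail: bob@contoso.local

dn: CN=svc-noid,OU=Users,DC=contoso,DC=local
objectClass: userProxy
cn: svc-noid

dn: CN=alice2,OU=Users,DC=contoso,DC=local
objectClass: userProxy
cn: alice2
CustomProperty_LoginID: alice@contoso.local
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: [values]} dicts.

    Handles the two value forms LDIFDE emits ('attr: value' and base64
    'attr:: value'), folded continuation lines (leading space), comments
    and blank-line entry separators. Attribute names keep their case.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation of the previous line
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, raw = line.partition(":")
        if raw.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(raw[1:].strip()).decode("utf-8")
        else:
            value = raw.strip()
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def build_claim_links(entries, provider_name, login_attr="CustomProperty_LoginID"):
    """Apply the table's mapping to each LDS entry.

    The LDS login attribute becomes SPS-ClaimID; the provider type and
    provider ID are constants that never come from LDS. Entries without a
    login ID are skipped because SharePoint could never link them.
    """
    profiles = []
    for entry in entries:
        login = entry.get(login_attr, [])
        if not login:
            continue
        profiles.append({
            "dn": entry["dn"][0],
            "SPS-ClaimID": login[0],
            "SPS-ClaimProviderType": "Trusted",
            "SPS-ClaimProviderID": provider_name,  # assumed provider name
        })
    return profiles


def check_one_profile_per_user(entries, profiles, login_attr="CustomProperty_LoginID"):
    """Return a list of problems that would break 'one profile per user':
    entries with no login ID (orphan profiles) and login IDs shared by
    several entries (colliding SPS-ClaimID values)."""
    problems = []
    for entry in entries:
        if not entry.get(login_attr):
            problems.append(f"{entry['dn'][0]}: missing {login_attr}, profile cannot link to a login")
    counts = Counter(p["SPS-ClaimID"] for p in profiles)
    for claim_id, n in sorted(counts.items()):
        if n > 1:
            problems.append(f"{claim_id}: {n} entries share this SPS-ClaimID")
    return problems


if __name__ == "__main__":
    lds_entries = parse_ldif(SAMPLE_LDIF)
    linked = build_claim_links(lds_entries, "SAML Provider")
    for record in linked:
        print(record)
    for problem in check_one_profile_per_user(lds_entries, linked):
        print("PROBLEM:", problem)
```

Running the checks against the LDIFDE output before the LDIF MA consumes it is cheaper than cleaning up duplicate or orphan profiles in SharePoint afterwards; the duplicate-ID check in particular is the condition that produces the second profile described under Potential Issue.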
Comments
- Anonymous
April 30, 2012
I need to sync between SharePoint 2010 and AD LDS. I've followed this article - technet.microsoft.com/.../ff959234.aspx. However, I don't quite understand how to link profiles from LDS. You mention a custom property field - customProperty_LoginID. Can you please elaborate more on how to map this property to the MOSS MA and LDIF MA? What I did is create customProperty_LoginID in SharePoint Manage User Profiles. Then I used miisclient.exe to create the customProperty_LoginID as mentioned in technet.microsoft.com/.../ff959234.aspx. In the LDIF MA, I modified the values:
- SPS-ClaimProviderType to "Trusted".
- SPS-ClaimProviderID to the name which is being used in the <membership> in the web.config file
- For mapping, in the LDIF MA, I mapped customProperty_LoginID to customProperty_LoginID as import. In the MOSS MA, I mapped SPS-ClaimID to SPS-ClaimID. Then I ran profile synchronization from Central Admin, but I cannot see the users get imported into SharePoint. Please help. Thanks.