1 – Problem description
I’ve seen cases where <space> is used as the rootDSE by IBM Lotus Domino™ version 8.x.
But beware that setting the userContainer in the web.config like this:
userContainer=" "
does not provide the expected results.
You need to use &quot; to represent the double quote, so that the provider receives the value " " (the space enclosed in double quotes). For example:
userContainer="&quot; &quot;"
and
groupContainer="&quot; &quot;"
I provide below the configuration files I used – maybe they’ll help you set up your environment.
This configuration file is provided “as is” (without any warranties, not supported, use it at your own risk). You need to adapt it to your own needs.
<PeoplePickerWildcards>
    <clear />
    <add key="AspNetSqlMembershipProvider" value="%" />
    <add key="LdapMembership" value="*" />
    <add key="LdapRole" value="*" />
</PeoplePickerWildcards>
And
<membership defaultProvider="LdapMembership">
    <providers>
        <add name="LdapMembership"
             type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
             server="<yourLDAPServer>"
             port="389"
             useSSL="false"
             userDNAttribute="uid"
             userNameAttribute="uid"
             userObjectClass="dominoPerson"
             userFilter="(|(ObjectCategory=dominoGroup)(ObjectClass=dominoPerson))"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
</membership>
<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
    <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="<yourLDAPServer>"
         groupNameAttribute="cn"
         groupMemberAttribute="member"
         dnAttribute="fullname"
         groupFilter="(ObjectClass=dominoGroup)"
         scope="Subtree" />
</roleManager>
This configuration file is provided “as is” (without any warranty, not supported, use it at your own risk). You need to adapt it to your own needs.
Note the setting of the default provider: <roleManager defaultProvider="LdapRole"
<PeoplePickerWildcards>
    <add key="LdapMembership" value="*" />
    <add key="LdapRole" value="*" />
</PeoplePickerWildcards>
AND
<add name="LdapMembership"
     type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
     otherRequiredUserAttributes="sn,givenname,mail,cn" />
<roleManager defaultProvider="LdapRole" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
    <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         groupFilter="(ObjectClass=dominoGroup)"
         scope="Subtree" />
Edit your SSP’s profile connection (Shared Services Administration: Your_SSP > User Profile and Properties > Manage Connections > Edit Connection) with suggested parameters:
Provider name: LdapMembership
Username attribute: uid
Search base: " " (no specific encoding needed here)
User filter: (&(objectClass=inetorgperson))
As I explained above, it is quite usual to find a <space> used as the root for the LDAP server in a Domino configuration. Setting " " directly in the config files without escaping the double quotes does not work correctly. The examples provided above illustrate how to properly configure the web.config and the profile import connection for this to work.
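As an added illustration (not part of the original post), the script below parses two constructed web.config fragments and shows what the membership provider actually receives in each case: a bare space with userContainer=" ", and the Domino root " " once the quotes are encoded as &quot;. It also flags the useSSL="false" / port 389 combination from the sample config, since a clear-text LDAP bind exposes the service account and user credentials on the wire. The fragments and the server name are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not from the original post). The broken
# form sets a bare space; the working form encodes the quotes as &quot;.
BROKEN_CONFIG = """<configuration>
  <membership defaultProvider="LdapMembership">
    <providers>
      <add name="LdapMembership" server="ldap.example.invalid" port="389"
           useSSL="false" userContainer=" " />
    </providers>
  </membership>
</configuration>"""

WORKING_CONFIG = BROKEN_CONFIG.replace('userContainer=" "',
                                       'userContainer="&quot; &quot;"')

# The value the Domino LDAP provider needs for its root DSE: quote, space, quote.
DOMINO_ROOT = '" "'


def provider_attributes(config_xml, name="LdapMembership"):
    """Return the attributes of the named <add> under membership/providers,
    exactly as the XML parser decodes them (entities already resolved)."""
    root = ET.fromstring(config_xml)
    for add in root.iterfind("./membership/providers/add"):
        if add.get("name") == name:
            return dict(add.attrib)
    raise LookupError(f"provider {name!r} not found")


def check_domino_config(config_xml):
    """Lint the LDAP membership provider; returns a list of findings."""
    attrs = provider_attributes(config_xml)
    findings = []
    container = attrs.get("userContainer", "")
    if container == " ":
        findings.append("userContainer is a bare space: the provider never sees "
                        "the quotes Domino needs; write userContainer="
                        f"\"&quot; &quot;\" so the decoded value is {DOMINO_ROOT}")
    elif container != DOMINO_ROOT:
        findings.append(f"userContainer decodes to {container!r}, "
                        f"expected {DOMINO_ROOT!r} for a Domino root DSE")
    if attrs.get("useSSL", "false").lower() != "true":
        findings.append(f"useSSL is not true (port {attrs.get('port')}): bind "
                        "and user credentials cross the network in clear text; "
                        "prefer LDAPS")
    return findings
```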