How to Set Up Novell eDirectory Authentication for Microsoft SharePoint


NB:  There are two versions of Microsoft SharePoint:  Microsoft Office SharePoint Services (MOSS) and Windows SharePoint Services (WSS).  MOSS provides built-in connectors that allow you to configure a third-party LDAP authentication provider (for example eDirectory or OpenLDAP). 

WSS does not have connectors to allow third-party LDAP authentication.  WSS only ships with support for Active Directory authentication.  To overcome this restriction, Omni has developed a set of connectors that allow WSS to use eDirectory/LDAP for authentication.  For more information on the Riva WSS eDirectory/LDAP authentication connector, please use our Contact Us page.  These connectors are provided free-of-charge for Riva SharePoint Integration customers. 

The following information applies to MOSS and WSS (after installing the Riva WSS eDirectory/LDAP connectors). 

Many Novell eDirectory and GroupWise customers looking to deploy our Riva SharePoint Integration for GroupWise are not interested in deploying Active Directory to manage SharePoint. No problem! SharePoint can be configured to use eDirectory for authentication and access control based on standard Microsoft documented practices that describe how to configure SharePoint to use a non-AD LDAP server.

The following links were used as the basis for this article on how to set up eDirectory to provide authentication and access control for Microsoft SharePoint:

http://msdn.microsoft.com/en-us/library/bb977430.aspx#MOSSFBAPart3_UsingLDAPProvider
http://www.simple-talk.com/dotnet/windows-forms/configuring-forms-authentication-in-sharepoint-2007/

Setting Up eDirectory Authentication For SharePoint


Extend the shared services web application to another zone that will use eDirectory as its membership provider.
  1. On the SharePoint Central Administration site, go to:
    Central Administration > Application Management > Create or extend Web Application

  2. Select *Extend an existing Web application*.

  3. Under Web Application select your Shared Services web application.

  4. Configure the Web Site as appropriate, and hit ok. Take note of the zone you are adding the website to.

  5. On the SharePoint Central Administration site, go to:
    Central Administration > Application Management > Authentication Providers

  6. Select the web application you wish to configure in the drop down.

  7. Select the Zone you want to configure. This will take you to the Edit Authentication page.

  8. Select 'Forms' authentication, under Authentication Type.

  9. Find the appropriate web.config file, usually located at:
    C:\Inetpub\wwwroot\wss\VirtualDirectories\

  10. Under the <system.web> element, add a membership element.
    <membership defaultProvider="LdapMembershipProvider">
      <providers>
        <add
          name="LdapMembershipProvider"
          type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
          server="10.10.2.140"
          port="389"
          useSSL="false"
          userDNAttribute="entryDN"
          userNameAttribute="cn"
          userContainer="OU=users,O=omni"
          userObjectClass="inetOrgPerson"
          userFilter="(|(ObjectCategory=groupOfNames)(ObjectClass=inetOrgPerson))"
          scope="Subtree"
          otherRequiredUserAttributes="sn,givenname,cn,mail"
          connectionUsername="cn=admin,ou=users,o=omni"
          connectionPassword="trento"/>
      </providers>
    </membership>

  11. Add a roleManager element pointing to the LdapRoleProvider to have the eDirectory groups show up as roles (optional).
    <roleManager defaultProvider="LdapRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
      <providers>
        <add
          name="LdapRoleProvider"
          type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
          server="10.10.2.140"
          port="389"
          useSSL="false"
          groupContainer="OU=users,O=omni"
          groupNameAttribute="cn"
          groupMemberAttribute="member"
          userNameAttribute="cn"
          dnAttribute="entryDN"
          groupFilter="(ObjectClass=groupOfNames)"
          scope="Subtree"
          connectionUsername="cn=admin,ou=users,o=omni"
          connectionPassword="trento"/>
      </providers>
    </roleManager>

  12. Find the web.config file for your central administration website, and copy the <membership> element you added above to the <system.web> element here.

  13. Copy the <roleManager> element to this web.config as well, but change its defaultProvider attribute to "AspNetWindowsTokenRoleProvider".

  14. On the SharePoint Central Administration site, go to:
    Central Administration > Application Management > Policy for Web Application

  15. Click Add Users.

  16. Under Zones select the zone for which you are configuring this membership provider and hit next.

  17. Enter the name of an eDirectory user or entity who you want to have full access to the site. When you select the "Check Names" icon, the name you entered should become underlined, to indicate that the user was found.

  18. Select Full Control to give this user full control.

  19. Now, log in to your SharePoint site using the administration login you just entered.

  20. Under the Site Actions dropdown, select Site Settings > People and Groups

  21. Select Add Users to add the users and/or groups from eDirectory that you want to have access to the site.

Configuring The Shared Services Administration Site


  22. Extend the shared services web application to another zone that will use eDirectory as its membership provider.

  23. On the SharePoint Central Administration site, go to:
    Central Administration > Application Management > Create or extend Web Application

  24. Select *Extend an existing Web application*.

  25. Under Web Application select your Shared Services web application.

  26. Configure the Web Site as appropriate, and hit ok. Take note of the zone you are adding the website to.

  27. On the SharePoint Central Administration site, go to:
    Central Administration > Application Management > Authentication Providers

  28. Select the Shared Services web application you wish to configure in the drop down.

  29. Select the Zone you want to configure. This will take you to the Edit Authentication page.

  30. Select 'Forms' authentication, under Authentication Type

  31. Find the appropriate web.config file, usually located at
    C:\Inetpub\wwwroot\wss\VirtualDirectories\

  32. Under the <system.web> element, add a membership element.
    <membership defaultProvider="LdapMembershipProvider">
      <providers>
        <add
          name="LdapMembershipProvider"
          type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
          server="10.10.2.140"
          port="389"
          useSSL="false"
          userDNAttribute="entryDN"
          userNameAttribute="cn"
          userContainer="OU=users,O=omni"
          userObjectClass="inetOrgPerson"
          userFilter="(|(ObjectCategory=groupOfNames)(ObjectClass=inetOrgPerson))"
          scope="Subtree"
          otherRequiredUserAttributes="sn,givenname,cn,mail"
          connectionUsername="cn=admin,ou=users,o=omni"
          connectionPassword="trento"/>
      </providers>
    </membership>

  33. Add a roleManager element pointing to the LdapRoleProvider to have the eDirectory groups show up as roles (optional).
    <roleManager defaultProvider="LdapRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
      <providers>
        <add
          name="LdapRoleProvider"
          type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
          server="10.10.2.140"
          port="389"
          useSSL="false"
          groupContainer="OU=users,O=omni"
          groupNameAttribute="cn"
          groupMemberAttribute="member"
          userNameAttribute="cn"
          dnAttribute="entryDN"
          groupFilter="(ObjectClass=groupOfNames)"
          scope="Subtree"
          connectionUsername="cn=admin,ou=users,o=omni"
          connectionPassword="trento"/>
      </providers>
    </roleManager>

  34. On the SharePoint Central Administration site, go to:
    Central Administration > Application Management > Policy for Web Application

  35. Click Add Users.

  36. Under Zones select the zone for which you are configuring this membership provider and hit next.

  37. Enter the name of an eDirectory user or entity who you want to have full access to the site. When you select the "Check Names" icon, the name you entered should become underlined, to indicate that the user was found.

  38. Select Full Control to give this user full control.

  39. You now have two websites that can access the Shared Services Administration page: the original one, which uses the original authentication method, and a new one which uses your eDirectory system.

  40. Now we need to grant the admin user of the eDirectory site some additional privileges. Log in to your original site with your original administrator login. On your central administration website, in the left-hand navigation bar, under Shared Services Administration, select your shared service provider, which should bring you to the Shared Services Administration page.

  41. Under User Profiles and My Sites select Personalization services permissions to bring you to the Manage Permissions: Shared Service Rights page.

  42. Although you are on your original site, which does not have access to the LDAP users, the LDAP administrator user you added above will be accessible here. Give that user all the permissions available.

  43. Now open the Shared Services Administration web site that uses the eDirectory membership provider, and log in using your eDirectory admin account.

  44. Under User Profiles and My Sites select Personalization services permissions to bring you to the Manage Permissions: Shared Service Rights page.

  45. Add users and groups from eDirectory here, and give them the appropriate permissions. In particular, you might give Create personal site and Use personal features to allow them to personalize SharePoint and create a My Site.

  46. On the Shared Services Administration page, go to
    SharedServices1 > My Site Settings

  47. On the left hand navigation bar, select My Site Host Permissions

  48. Add the eDirectory users here, and give them the appropriate permissions. To be able to create a MySite, a user must have at least the Read - Can view only permission.
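
The two provider elements from steps 10-13 (repeated in steps 32-33) are easy to paste wrong, and the sample values ship with a plaintext bind. What follows is an added example, not part of the original article or of Omni's connectors: a small Python check that reads a web.config and reports useSSL="false", a clear-text connectionPassword, an LDAP filter broken by a pasted line break, attribute mismatches between the membership and role providers, and, for the Central Administration copy, a roleManager defaultProvider that step 13 says must be AspNetWindowsTokenRoleProvider. The embedded web.config is constructed from the article's sample values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config fragment of the shape steps 10-13 produce (steps 32-33 repeat it), using the article's sample values; the long type="..." attributes are left out to keep the sample short.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
<membership defaultProvider="LdapMembershipProvider"><providers>
<add name="LdapMembershipProvider" server="10.10.2.140" port="389" useSSL="false"
 userDNAttribute="entryDN" userNameAttribute="cn" userContainer="OU=users,O=omni"
 userObjectClass="inetOrgPerson" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn,mail"
 userFilter="(|(ObjectCategory=groupOfNames)
             (ObjectClass=inetOrgPerson))"
 connectionUsername="cn=admin,ou=users,o=omni" connectionPassword="trento"/>
</providers></membership>
<roleManager defaultProvider="LdapRoleProvider" enabled="true"><providers>
<add name="LdapRoleProvider" server="10.10.2.140" port="389" useSSL="false"
 groupContainer="OU=users,O=omni" groupNameAttribute="cn" groupMemberAttribute="member"
 userNameAttribute="cn" dnAttribute="entryDN" groupFilter="(ObjectClass=groupOfNames)"
 scope="Subtree" connectionUsername="cn=admin,ou=users,o=omni" connectionPassword="trento"/>
</providers></roleManager>
</system.web></configuration>"""

def audit_ldap_config(xml_text, central_admin=False):
    """Return a list of findings for the LDAP providers in a web.config; an empty list means nothing was found."""
    root, findings = ET.fromstring(xml_text), []
    def providers(section):  # only the <add> elements that actually point at a directory server
        return [a for a in root.iterfind(f"./system.web/{section}/providers/add") if a.get("server")]
    members, roles = providers("membership"), providers("roleManager")
    for p in members + roles:
        name = p.get("name")
        if p.get("useSSL", "false").lower() != "true":
            findings.append(f"{name}: useSSL=false, so the bind password and every user's login cross the network in clear text on port {p.get('port', '389')}")
        if p.get("connectionPassword"):
            findings.append(f"{name}: connectionPassword sits in clear text in web.config; encrypt the section (aspnet_regiis -pe) and restrict the file's ACL")
        for key in ("userFilter", "groupFilter"):
            # XML turns a line break inside an attribute into spaces, and whitespace between LDAP filter components is invalid, so a filter pasted with a line break makes every lookup fail
            if re.search(r"\)\s+\(", p.get(key, "")):
                findings.append(f"{name}: {key} has whitespace between filter components (pasted line break)")
    # the role provider must resolve the same user objects the membership provider authenticates
    for m in members:
        for r in roles:
            for key in ("server", "port", "useSSL", "userNameAttribute"):
                if m.get(key) != r.get(key):
                    findings.append(f"{r.get('name')}: {key} differs from {m.get('name')}")
            if m.get("userDNAttribute") != r.get("dnAttribute"):
                findings.append(f"{r.get('name')}: dnAttribute must equal the membership provider's userDNAttribute")
    # step 13: the Central Administration copy keeps the Windows token role provider as the default
    rm = root.find("./system.web/roleManager")
    if central_admin and rm is not None and rm.get("defaultProvider") != "AspNetWindowsTokenRoleProvider":
        findings.append("Central Administration roleManager defaultProvider must be AspNetWindowsTokenRoleProvider")
    return findings
```

Run it against each web.config you edited (with central_admin=True for the Central Administration copy) before extending the zone; the sample above reports five findings, and the filter finding is exactly what a copy of the article's two-line userFilter produces.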

Importing eDirectory User Profiles


  1. Now we want to import users into SharePoint's user profile database. This will allow you to manage shared services against these users.

  2. On your central administration website, in the left-hand navigation bar, under Shared Services Administration, select your shared service provider, which should bring you to the Shared Services Administration page.

  3. Under User Profiles and My Sites select User profiles and properties.

  4. Under Profile and Import Settings click the View import connections link.

  5. Click on Create New Connection to bring you to the Add Connection page.

  6. Now configure a connection to your LDAP system.

  7. Under Type select LDAP Directory.

  8. Fill out the rest of the fields as appropriate for your system and hit OK.

  9. Go back to the User Profile and Properties page and select the Start full import link to import the profiles.

Giving eDirectory Users Access to the File System


Certain features in SharePoint may require access to files on the local system. For instance, the Riva SharePoint Portal Integration Web Parts need to be able to access the resources from within the deployed assembly. In these cases, you may need to grant local File Access rights to the eDirectory user.

When using impersonation and an external forms authentication mechanism, file access made with the impersonated account will be made using the Internet Guest Account on the machine, usually IUSR_MACHINENAME. So to ensure your impersonated eDirectory users have access to the file folders needed, you should grant the required permissions to this account.

Note:  Certain "events" in SharePoint can cause SharePoint to reset the permissions on the bin folder for the web app. If you are installing a web part to bin, and need to give custom file access permissions to bin in order for your web part to work, your permissions may be overridden.

To overcome this, you should install your web part to a subfolder of bin. Then, modify the web.config to include an element that points to your sub-directory.

© 2012 Omni Technology Solutions, Inc.. All Rights Reserved. All trademarks are property of their respective owners.