SharePoint 2010 和AD LDS的集成

前提：

1、SharePoint 2010和AD LDS已安装

2、假设需要和AD LDS集成的Web Application为 http://server-01/

集成概要：

1、把Web application http://server-01/ 的身份验证类型设为启用基于窗体的身份验证(FBA)

2、修改SharePoint Central Administration、SecurityTokenServiceApplication、以及http://server-01/ 三个web application 的web.config

3、验证配置是否正确

4、附录：AD LDS的配置

 

1、把Web application http://server-01/ 的身份验证类型设为启用基于窗体的身份验证(FBA)

fyi:

为基于声明的 Web 应用程序配置基于表单的身份验证 (SharePoint Server 2010)

 http://technet.microsoft.com/zh-cn/library/ee806890.aspx

a. 运行SharePoint 2010 Management Shell，执行下列命令：

$w = Get-SPWebApplication "http://server-01/" $w.UseClaimsAuthentication = 1 $w.Update() $w.ProvisionGlobally()

注：如果是新建web application，那么在新建时直接选择启用基于窗体的身份验证(FBA)

b. 在SharePoint中打开管理中心->应用程序管理->管理Web 应用程序，选择上方菜单上的身份验证提供程序

c. 点击上图的默认，弹出下图，注意选择FBA，并输入名称

 

2、SecurityTokenServiceApplication、以及http://server-01/ 三个web application 的web.config

a. 修改SharePoint Central Administration的web.config

<system.web>   <membership defaultProvider="AspNetSqlMembershipProvider">              <providers>                  <add name="LdapMember"                     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"                     server="SERVER-01"                     port="50000"                     useSSL="false"                     userDNAttribute="distinguishedName"                     userNameAttribute="cn"                     userContainer="CN=Users,OU=mgtStore,DC=cowise,DC=com"                     userObjectClass="person"                     userFilter="(ObjectClass=person)"                     scope="Subtree"                     otherRequiredUserAttributes="sn,givenname,cn" />              </providers>        </membership>        <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">              <providers>                 <add name="LdapRole"                     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"                                 server="SERVER-01"                     port="50000"                     useSSL="false"                     groupContainer="CN=Roles,OU=mgtStore,DC=cowise,DC=com"                     groupNameAttribute="cn"                     groupNameAlternateSearchAttribute="samAccountName"                     groupMemberAttribute="member"                     userNameAttribute="cn"                     dnAttribute="distinguishedName"                     groupFilter="(ObjectClass=group)"                     userFilter="(ObjectClass=person)"                     scope="Subtree" />              </providers>        </roleManager> </system.web> <system.webServer>   <security>

相应修改下列内容： <PeoplePickerWildcards> <clear /> <add key="AspNetSqlMembershipProvider" value="%" /> <add key="LdapMember" value="*" /> <add key="LdapRole" value="*" /> </PeoplePickerWildcards>

b. 修改SecurityTokenServiceApplication的web.config

在IIS Manager中选中上图的节点，右键弹出菜单，选择explore，可以看到web.config文件，修改下列内容：

<system.web>           <membership>               <providers>                   <add name="LdapMember"                      type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"                             server="SERVER-01"                      port="50000"                      useSSL="false"                      userDNAttribute="distinguishedName"                      userNameAttribute="cn"                      userContainer="CN=Users,OU=mgtStore,DC=cowise,DC=com"                      userObjectClass="person"                      userFilter="(ObjectClass=person)"                      scope="Subtree"                      otherRequiredUserAttributes="sn,givenname,cn" />               </providers>         </membership>         <roleManager enabled="true">               <providers>                  <add name="LdapRole"                      type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"                                  server="SERVER-01"                      port="50000"                      useSSL="false"                      groupContainer="CN=Roles,OU=mgtStore,DC=cowise,DC=com"                      groupNameAttribute="cn"                      groupNameAlternateSearchAttribute="samAccountName"                      groupMemberAttribute="member"                      userNameAttribute="cn"                      dnAttribute="distinguishedName"                      groupFilter="(ObjectClass=group)"                      userFilter="(ObjectClass=person)"                      scope="Subtree" />               </providers>         </roleManager>   </system.web>

c. 修改http://server-01/的web.config

根据上面的方式找到相应的web.config, 修改为下列内容：

<membership defaultProvider="i">   <providers>     <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />     <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="SERVER-01" port="50000" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="CN=Users,OU=mgtStore,DC=cowise,DC=com" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />   </providers> </membership> <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">   <providers>     <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />     <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="SERVER-01" port="50000" useSSL="false" groupContainer="CN=Roles,OU=mgtStore,DC=cowise,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="cn" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />   </providers> </roleManager>

相应修改下列内容：

<PeoplePickerWildcards>       <clear />       <add key="AspNetSqlMembershipProvider" value="%" />       <add key="LdapMember" value="*" />        <add key="LdapRole" value="*" />  </PeoplePickerWildcards>

 

3、验证配置是否正确

a. 重启IIS server

b. 打开管理中心->应用程序管理->管理WEB应用程序，选择 http://server-01/ 应用程序，选择菜单用户策略

c. 选择添加用户

点击通讯录的图标

 

输入合适的查询条件，看是否能查询到AD LDS中的用户

如果可以查询到，说明已集成成功

 

4、附录：AD LDS的配置

注：AD LDS 部署、备份和还原参考： http://www.nanmu.net/sharepoint2010/sharepoint-2010-chinese/Lists/Posts/Post.aspx?ID=22

a. 打开程序ADSI Edit

b. 建立Container: CN=Users

c. 建立用户

右键左边的节点：CN=Users, 选择New, class为user

d. 设置用户密码

 

参考文档：

1、http://technet.microsoft.com/en-us/library/ee806882.aspx

 

注意事项：

1、经过以上配置后，如果发现Sharepoint和AD LDS还不能集成，请检查AD LDS中的权限设置，把IIS中Application Pools中的Identity 用户加入到cn=Readers….的member中