前提:
1、SharePoint 2010和AD LDS已安装
2、假设需要和AD LDS集成的Web Application为 http://server-01/
集成概要:
1、把Web application http://server-01/ 的身份验证类型设为启用基于窗体的身份验证(FBA)
2、修改SharePoint Central Administration、SecurityTokenServiceApplication、以及http://server-01/ 三个web application 的web.config
3、验证配置是否正确
4、附录:AD LDS的配置
1、把Web application http://server-01/ 的身份验证类型设为启用基于窗体的身份验证(FBA)
fyi:
为基于声明的 Web 应用程序配置基于表单的身份验证 (SharePoint Server 2010)
http://technet.microsoft.com/zh-cn/library/ee806890.aspx
a. 运行SharePoint 2010 Management Shell,执行下列命令:
| $w = Get-SPWebApplication "http://server-01/"
$w.UseClaimsAuthentication = 1
$w.Update()
$w.ProvisionGlobally() |
注:如果是新建web application,那么在新建时直接选择启用基于窗体的身份验证(FBA)
b. 在SharePoint中打开管理中心->应用程序管理->管理Web 应用程序,选择上方菜单上的身份验证提供程序
c. 点击上图的默认,弹出下图,注意选择FBA,并输入名称
2、SecurityTokenServiceApplication、以及http://server-01/ 三个web application 的web.config
a. 修改SharePoint Central Administration的web.config
| <system.web> <membership defaultProvider="AspNetSqlMembershipProvider">
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="SERVER-01"
port="50000"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="cn"
userContainer="CN=Users,OU=mgtStore,DC=cowise,DC=com"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership> <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="SERVER-01"
port="50000"
useSSL="false"
groupContainer="CN=Roles,OU=mgtStore,DC=cowise,DC=com"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="cn"
dnAttribute="distinguishedName"
groupFilter="(ObjectClass=group)"
userFilter="(ObjectClass=person)"
scope="Subtree" />
</providers>
</roleManager>
</system.web> <system.webServer>
<security>
|
| 相应修改下列内容: | <PeoplePickerWildcards>
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="LdapMember" value="*" />
<add key="LdapRole" value="*" />
</PeoplePickerWildcards> | |
| |
b. 修改SecurityTokenServiceApplication的web.config
在IIS Manager中选中上图的节点,右键弹出菜单,选择explore,可以看到web.config文件,修改下列内容:
| <system.web>
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="SERVER-01"
port="50000"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="cn"
userContainer="CN=Users,OU=mgtStore,DC=cowise,DC=com"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership> <roleManager enabled="true">
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="SERVER-01"
port="50000"
useSSL="false"
groupContainer="CN=Roles,OU=mgtStore,DC=cowise,DC=com"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="cn"
dnAttribute="distinguishedName"
groupFilter="(ObjectClass=group)"
userFilter="(ObjectClass=person)"
scope="Subtree" />
</providers>
</roleManager>
</system.web> |
c. 修改http://server-01/的web.config
根据上面的方式找到相应的web.config, 修改为下列内容:
| <membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="SERVER-01" port="50000" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="CN=Users,OU=mgtStore,DC=cowise,DC=com" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="SERVER-01" port="50000" useSSL="false" groupContainer="CN=Roles,OU=mgtStore,DC=cowise,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="cn" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
</providers>
</roleManager>
|
相应修改下列内容:
| <PeoplePickerWildcards>
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="LdapMember" value="*" />
<add key="LdapRole" value="*" />
</PeoplePickerWildcards> |
3、验证配置是否正确
a. 重启IIS server
b. 打开管理中心->应用程序管理->管理WEB应用程序,选择 http://server-01/ 应用程序,选择菜单用户策略
c. 选择添加用户
点击通讯录的图标
输入合适的查询条件,看是否能查询到AD LDS中的用户
如果可以查询到,说明已集成成功
4、附录:AD LDS的配置
注:AD LDS 部署、备份和还原参考: http://www.nanmu.net/sharepoint2010/sharepoint-2010-chinese/Lists/Posts/Post.aspx?ID=22
a. 打开程序ADSI Edit
b. 建立Container: CN=Users
c. 建立用户
右键左边的节点:CN=Users, 选择New, class为user
d. 设置用户密码
参考文档:
1、http://technet.microsoft.com/en-us/library/ee806882.aspx
注意事项:
1、经过以上配置后,如果发现Sharepoint和AD LDS还不能集成,请检查AD LDS中的权限设置,把IIS中Application Pools中的Identity 用户加入到cn=Readers….的member中
