Yvand / LDAPCP

A claims provider to connect SharePoint Subscription / 2019 / 2016 with Active Directory and LDAP directories in federated authentication
https://ldapcp.com
Apache License 2.0

LDAPCPSE An item with LDAP newAttribute 'userPrincipalName' and LDAP class 'user' already exists for the object type 'User' #204

Closed Paconaut closed 5 months ago

Paconaut commented 7 months ago

Hi @Yvand

Appreciate if you can help me understand why I get the following error preventing me from opening Global configuration and Mapping of permissions under SharePoint Server 2019 central admin after installing LDAPCPSE v17.0.20240226.2:

"An item with LDAP newAttribute 'userPrincipalName' and LDAP class 'user' already exists for the object type 'User'"

LDAPCP Classic uninstalled by following the documentation.

Thanks in advance!

Yvand commented 7 months ago

@Paconaut to understand your scenario, can you please send the output of those commands:

```powershell
Add-Type -AssemblyName "Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740"
$config = [Yvand.LdapClaimsProvider.LDAPCPSE]::GetConfiguration()
$config.Settings.ClaimTypes | ft LDAPAttribute, EntityType, ClaimType, UseMainClaimTypeOfDirectoryObject
$trust = Get-SPTrustedIdentityTokenIssuer "YOUR_SPTRUST_NAME"
$trust.ClaimTypeInformation | fl MappedClaimType, IsIdentityClaim
```

Paconaut commented 7 months ago

@Yvand Thanks for your help!

`[Yvand.LdapClaimsProvider.LDAPCPSE]::GetConfiguration()` returns nothing.
`[Yvand.LdapClaimsProvider.LDAPCPSE]::ClaimsProviderName` returns "LDAPCPSE".

```
MappedClaimType : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UPN
IsIdentityClaim : True

MappedClaimType : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
IsIdentityClaim : False

MappedClaimType : http://schemas.microsoft.com/ws/2008/06/identity/claims/role
IsIdentityClaim : False
```

Yvand commented 7 months ago

Can you try to create the configuration using this command:

```powershell
[Yvand.LdapClaimsProvider.LDAPCPSE]::CreateConfiguration()
```

Paconaut commented 7 months ago

```
Exception calling "CreateConfiguration" with "0" argument(s): "An item with LDAP newAttribute 'userPrincipalName' and LDAP class 'user' already exists for the object type 'User'"
At line:1 char:1
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException
```

Yvand commented 7 months ago

Definitely looks like a bug. I will try to repro using the same claim types in the trust and come back to you, most likely next week. In the meantime, if it is possible/acceptable for you, you can consider a workaround by removing the claim type emailaddress from the trust (I would totally understand if you reject this test).

Paconaut commented 7 months ago

I excluded emailaddress but still the same error messages in central admin and PowerShell.

Yvand commented 7 months ago

@Paconaut FYI, I was able to repro exactly the same error, I'll investigate and report the progress in this thread

Yvand commented 7 months ago

I confirm this is a bug, fixed in https://github.com/Yvand/LDAPCP/pull/205

Yvand commented 7 months ago

More info: it happens because your claim type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UPN has upper-case letters (UPN). A workaround to fix the issue on the current version is to delete the trust and recreate it, using a claim type with lower-case only: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
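A pre-flight check for the condition described in this thread, added here as an example and not part of the LDAPCP project: it flags trust claim types that are not all lower-case, and claim types that match a configured LDAPCPSE entry only when case is ignored. The sample claim type lists are constructed to mirror this issue, and `YOUR_SPTRUST_NAME` is a placeholder as in the commands above.

```powershell
# Added example, not LDAPCP project code. Reports claim types whose casing can make a
# case-sensitive lookup treat one claim type as two distinct entries.
function Find-ClaimTypeCaseIssues {
    param(
        [Parameter(Mandatory)] [string[]] $TrustClaimTypes,
        [string[]] $ConfiguredClaimTypes = @()
    )
    foreach ($ct in $TrustClaimTypes) {
        # -cne is case-sensitive: true whenever the URI contains any upper-case character
        if ($ct -cne $ct.ToLowerInvariant()) {
            [pscustomobject]@{ TrustClaimType = $ct; Issue = 'NotLowerCase'; ConfiguredMatch = $null }
        }
        # A configured entry equal to the trust claim type ignoring case (-ieq) but not
        # exactly (-cne) is the collision pattern this thread describes (UPN vs upn)
        $collision = $ConfiguredClaimTypes | Where-Object { ($_ -ieq $ct) -and ($_ -cne $ct) }
        if ($collision) {
            [pscustomobject]@{ TrustClaimType = $ct; Issue = 'CaseOnlyCollision'; ConfiguredMatch = ($collision -join ', ') }
        }
    }
}

# Constructed sample reproducing the situation in this issue, runnable without a farm
$sampleTrustClaimTypes = @(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UPN',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
)
$sampleConfiguredClaimTypes = @('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn')
Find-ClaimTypeCaseIssues -TrustClaimTypes $sampleTrustClaimTypes -ConfiguredClaimTypes $sampleConfiguredClaimTypes | Format-Table -AutoSize

# Live check on a SharePoint server; skipped where the SharePoint cmdlets are not loaded
if (Get-Command Get-SPTrustedIdentityTokenIssuer -ErrorAction SilentlyContinue) {
    $trust = Get-SPTrustedIdentityTokenIssuer "YOUR_SPTRUST_NAME"   # placeholder trust name
    $trustClaimTypes = $trust.ClaimTypeInformation | ForEach-Object { $_.MappedClaimType }
    $configured = @()
    try {
        Add-Type -AssemblyName "Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740"
        $config = [Yvand.LdapClaimsProvider.LDAPCPSE]::GetConfiguration()
        # GetConfiguration() returns nothing when the configuration was never created, as in this issue
        if ($config) { $configured = $config.Settings.ClaimTypes | ForEach-Object { $_.ClaimType } }
    } catch {
        Write-Warning "LDAPCPSE configuration not available: $($_.Exception.Message)"
    }
    Find-ClaimTypeCaseIssues -TrustClaimTypes $trustClaimTypes -ConfiguredClaimTypes $configured | Format-Table -AutoSize
}
```

On the constructed sample the function reports the UPN claim type twice, once as `NotLowerCase` and once as `CaseOnlyCollision` against the lower-case `upn` entry, while `emailaddress` produces no row.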

github-actions[bot] commented 6 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.