
LDAPCPSE An item with LDAP newAttribute 'userPrincipalName' and LDAP class 'user' already exists for the object type 'User'

Open Paconaut opened this issue 10 months ago • 9 comments

Hi @Yvand

Appreciate if you can help me understand why I get the following error preventing me from opening Global configuration and Mapping of permissions under SharePoint Server 2019 central admin after installing LDAPCPSE v17.0.20240226.2:

"An item with LDAP newAttribute 'userPrincipalName' and LDAP class 'user' already exists for the object type 'User'"

LDAPCP Classic uninstalled by following the documentation.

Thanks in advance!

Paconaut avatar Apr 05 '24 09:04 Paconaut

@Paconaut to understand your scenario, can you please send the output of those commands:

# Load the LDAPCPSE assembly so its static helpers are available in this session
Add-Type -AssemblyName "Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740"
# Read the persisted LDAPCPSE configuration and list the claim types it knows about
$config = [Yvand.LdapClaimsProvider.LDAPCPSE]::GetConfiguration()
$config.Settings.ClaimTypes | ft LDAPAttribute, EntityType, ClaimType, UseMainClaimTypeOfDirectoryObject
# List the claim types mapped in the trust (replace the name with your own SPTrustedIdentityTokenIssuer)
$trust = Get-SPTrustedIdentityTokenIssuer "YOUR_SPTRUST_NAME"
$trust.ClaimTypeInformation | fl MappedClaimType, IsIdentityClaim

Yvand avatar Apr 05 '24 09:04 Yvand

@Yvand Thanks for your help!

[Yvand.LdapClaimsProvider.LDAPCPSE]::GetConfiguration() returns nothing
[Yvand.LdapClaimsProvider.LDAPCPSE]::ClaimsProviderName returns "LDAPCPSE"

MappedClaimType : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UPN
IsIdentityClaim : True

MappedClaimType : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
IsIdentityClaim : False

MappedClaimType : http://schemas.microsoft.com/ws/2008/06/identity/claims/role
IsIdentityClaim : False

Paconaut avatar Apr 05 '24 09:04 Paconaut

Can you try to create the configuration using this command:

[Yvand.LdapClaimsProvider.LDAPCPSE]::CreateConfiguration()

Yvand avatar Apr 05 '24 10:04 Yvand

Exception calling "CreateConfiguration" with "0" argument(s): "An item with LDAP newAttribute 'userPrincipalName' and LDAP class 'user' already exists for the object type 'User'"
At line:1 char:1
+ [Yvand.LdapClaimsProvider.LDAPCPSE]::CreateConfiguration()
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

Paconaut avatar Apr 05 '24 11:04 Paconaut

Definitely looks like a bug, I will try to repro using the same claim types in the trust and come back to you, most likely next week. In the meantime, if it is possible/acceptable for you, you can consider a workaround by removing the claim type emailaddress from the trust (I would totally understand if you reject this test).

Yvand avatar Apr 05 '24 11:04 Yvand

I excluded emailaddress but still the same error messages in central admin and PowerShell.

Paconaut avatar Apr 05 '24 13:04 Paconaut

@Paconaut FYI, I was able to repro exactly the same error, I'll investigate and report the progress in this thread

Yvand avatar Apr 08 '24 09:04 Yvand

I confirm this is a bug, fixed in https://github.com/Yvand/LDAPCP/pull/205

Yvand avatar Apr 08 '24 12:04 Yvand

More info: it happens because your claim type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UPN has the upper-case letters "UPN". A workaround to fix the issue on the current version is to delete the trust and recreate it, using a claim type with lower-case letters only: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

Yvand avatar Apr 08 '24 12:04 Yvand
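The maintainer's explanation above is that upper-case letters in the claim type URI trigger the error, and the workaround is to recreate the trust with the lower-case form. The script below is an added example, not code from the LDAPCP project or from either participant: the first part audits a list of claim type URIs for upper-case characters using an ordinal (case-sensitive) comparison, run here over a constructed sample that mirrors the claim types pasted in this thread; the second part applies the workaround on a real farm by capturing the existing trust's settings, lower-casing every incoming claim type, and recreating the trust. The trust name is a placeholder, and the second part assumes the SharePoint Management Shell on a farm where the trust is not currently assigned to any web application.

```powershell
# Added example (not part of the LDAPCP project). Part 1 runs anywhere; part 2 needs
# the SharePoint Management Shell and farm-administrator rights.

function Get-MixedCaseClaimTypes {
    # Returns every claim type URI that differs from its lower-cased form under an
    # ordinal comparison, i.e. the ones a case-sensitive lookup would fail to match.
    param([Parameter(Mandatory)][string[]]$ClaimTypes)
    foreach ($ct in $ClaimTypes) {
        $lower = $ct.ToLowerInvariant()
        if (-not [string]::Equals($ct, $lower, [System.StringComparison]::Ordinal)) {
            [pscustomobject]@{ ClaimType = $ct; LowerCaseForm = $lower }
        }
    }
}

# Constructed sample input reproducing the three claim types reported in this thread.
$sampleClaimTypes = @(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UPN',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
)
# Only the UPN entry is reported; its LowerCaseForm is the value the maintainer recommends.
Get-MixedCaseClaimTypes -ClaimTypes $sampleClaimTypes | Format-Table -AutoSize

# ---- Part 2: recreate the trust with lower-case claim types (assumes a SharePoint farm) ----
$trustName = 'YOUR_SPTRUST_NAME'   # placeholder, replace with the real trust name
$old = Get-SPTrustedIdentityTokenIssuer $trustName

# Audit the live trust first; stop if there is nothing to fix.
$flagged = Get-MixedCaseClaimTypes -ClaimTypes ($old.ClaimTypeInformation | ForEach-Object { $_.InputClaimType })
if (-not $flagged) { Write-Host "No mixed-case claim types in '$trustName', nothing to do."; return }

# Capture everything needed to rebuild the trust before it is removed.
$signingCert = $old.SigningCertificate
$realm       = $old.DefaultProviderRealm
$signInUrl   = $old.ProviderUri.AbsoluteUri
$description = $old.Description

# Rebuild the claim mappings, lower-casing the incoming claim type URI and keeping the display name.
$mappings = foreach ($cti in $old.ClaimTypeInformation) {
    New-SPClaimTypeMapping -IncomingClaimType $cti.InputClaimType.ToLowerInvariant() `
        -IncomingClaimTypeDisplayName $cti.DisplayName -SameAsIncoming
}
$identifierClaim = $old.IdentityClaimTypeInformation.InputClaimType.ToLowerInvariant()

# Remove-SPTrustedIdentityTokenIssuer refuses to delete a trust still used by a web application,
# so detach it from every web application's authentication providers before running this.
Remove-SPTrustedIdentityTokenIssuer $trustName -Confirm:$false

New-SPTrustedIdentityTokenIssuer -Name $trustName -Description $description -Realm $realm `
    -ImportTrustCertificate $signingCert -ClaimsMappings $mappings -SignInUrl $signInUrl `
    -IdentifierClaim $identifierClaim -ClaimProviderName 'LDAPCPSE'
```

Two checks before running part 2 on a production farm: confirm that the identity provider issues the claim type with exactly the lower-cased string you are mapping (its issuance rules, not the SharePoint side, decide what arrives in the token), and re-run the `Get-SPTrustedIdentityTokenIssuer` listing from earlier in this thread afterwards to verify that `IsIdentityClaim` is still set on the UPN mapping.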

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar May 09 '24 02:05 github-actions[bot]