From c7daef4d197b844add2cdc0a75e1c916ad724b4f Mon Sep 17 00:00:00 2001
From: Yvan Duhamel
Date: Tue, 20 Aug 2019 11:30:02 +0200
Subject: [PATCH] Fixing https://github.com/Yvand/LDAPCP/issues/87
---
 LDAPCP/LDAPCP.cs | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)
diff --git a/LDAPCP/LDAPCP.cs b/LDAPCP/LDAPCP.cs
index 3c6a2e1..4687fad 100644
--- a/LDAPCP/LDAPCP.cs
+++ b/LDAPCP/LDAPCP.cs
@@ -1003,8 +1003,11 @@ protected virtual void SetLDAPConnection(Uri currentContext, LDAPConnection ldap
 {
 Domain computerDomain = Domain.GetComputerDomain();
 ldapConnection.Directory = computerDomain.GetDirectoryEntry();
+
+ // Set properties LDAPConnection.DomainFQDN and LDAPConnection.DomainName here as a workaround to issue https://github.com/Yvand/LDAPCP/issues/87
 ldapConnection.DomainFQDN = computerDomain.Name;
 ldapConnection.DomainName = OperationContext.GetDomainName(ldapConnection.DomainFQDN);
+ // Property LDAPConnection.AuthenticationSettings must be set, in order to build the PrincipalContext correctly in GetGroupsFromActiveDirectory()
 ldapConnection.AuthenticationSettings = ldapConnection.Directory.AuthenticationType;
 }
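Review bot: The two added comments name the issue and the consumer (GetGroupsFromActiveDirectory) but not the failure they prevent, so a reader still has to follow the link to decide whether the DomainFQDN/DomainName assignment can move back once #87 is fixed; the same applies to the "Elevation of privileges ... issue 87" comments in the next two hunks. Add the observed symptom as a short clause after the link, and for the AuthenticationSettings line say what the PrincipalContext does wrong when it is left unset, e.g. `// Must match Directory.AuthenticationType, otherwise GetGroupsFromActiveDirectory() builds its PrincipalContext with <symptom — confirm from issue #87>`. SetLDAPConnection starts and ends outside this hunk, so I cannot tell whether the same properties are also populated on the non-default-connection path.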
@@ -1893,17 +1896,20 @@ protected override void FillSchema(Microsoft.SharePoint.WebControls.SPProviderSc
 ///
 /// Return the identity claim type
 ///
- ///
+ /// Identity claim type. Should not return null to prevent exceptions in SharePoint when users sign-in
 public override string GetClaimTypeForUserKey()
 {
- // Initialization may fail because there is no yet configuration (fresh install)
- // In this case, LDAPCP should not return null because it causes null exceptions in SharePoint when users sign-in
+ // Elevation of privileges when calling LDAPCP.Initialize is very important to prevent issue https://github.com/Yvand/LDAPCP/issues/87
+ // But calling SPSecurity.RunWithElevatedPrivileges here is not possible as it causes a StackOverflowException
 Initialize(null, null);
 this.Lock_Config.EnterReadLock();
 try
 {
- if (SPTrust == null) { return String.Empty; }
+ if (SPTrust == null)
+ {
+ return String.Empty;
+ }
 return SPTrust.IdentityClaimTypeInformation.MappedClaimType;
 }
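Review bot: `Initialize(null, null);` is still called unelevated here and its boolean result is discarded, so when it fails for the permission reason the new comment describes, the method silently falls through to `return String.Empty;` and SharePoint receives an empty identity claim type with nothing recorded about why. Capturing the result and reporting the failure through the provider's existing logging before the `SPTrust == null` check would give operators a signal that #87 is biting on this path rather than the elevated one. The comment about the StackOverflowException should also name the re-entrant path, if it is known, since that is the only reason this method now differs from GetUserKeyForEntity and a later maintainer may otherwise "fix" the inconsistency. The try block and the release of Lock_Config continue outside the hunk.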
@@ -1921,20 +1927,27 @@ public override string GetClaimTypeForUserKey()
 ///
 /// Return the user key (SPClaim with identity claim type) from the incoming entity
 ///
- ///
+ /// SPClaim corresponding to the user key of the incoming entity. Should not return null to prevent exceptions in SharePoint when users sign-in
 ///
 protected override SPClaim GetUserKeyForEntity(SPClaim entity)
 {
- // Initialization may fail because there is no yet configuration (fresh install)
- // In this case, LDAPCP should not return null because it causes null exceptions in SharePoint when users sign-in
- bool initSucceeded = Initialize(null, null);
+ bool initSucceeded = false;
+
+ // Elevation of privileges when calling LDAPCP.Initialize is very important to prevent issue https://github.com/Yvand/LDAPCP/issues/87
+ SPSecurity.RunWithElevatedPrivileges(delegate ()
+ {
+ initSucceeded = Initialize(null, null);
+ });
 this.Lock_Config.EnterReadLock();
 try
 {
 // If initialization failed but SPTrust is not null, rest of the method can be executed normally
 // Otherwise return the entity
- if (!initSucceeded && SPTrust == null) { return entity; }
+ if (!initSucceeded && SPTrust == null)
+ {
+ return entity;
+ }
 // There are 2 scenarios:
 // 1: OriginalIssuer is "SecurityTokenService": Value looks like "05.t|yvanhost|yvand@yvanhost.local", claim type is "http://schemas.microsoft.com/sharepoint/2009/08/claims/userid" and it must be decoded properly
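Review bot: `Initialize(null, null)` now runs inside `SPSecurity.RunWithElevatedPrivileges`, i.e. under the application pool identity, while the same call in GetClaimTypeForUserKey stays unelevated; if Initialize caches what it loads, whichever entry point happens to run first decides under which identity the configuration was read, and that is worth a sentence here or a pointer to where it is handled. Keeping the delegate to the single Initialize call is the right shape for least privilege, but the comment above it should say which resource Initialize cannot reach without elevation so a later reviewer can confirm the elevated scope is still the minimum, e.g. `// Initialize reads <resource — confirm from issue #87>, which the request identity may lack rights to; keep this delegate limited to that one call.`. An exception thrown by Initialize inside the delegate propagates before the read lock is taken, as before, so this is not a regression but is still undocumented. GetUserKeyForEntity continues past the end of the hunk.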