# 
 # AD LDS must have "sp-farm", "sp-intranet" and "sp-sts" as members of Readers group
 # Central Administration is running under sp-farm and needs the lookup for people picker
 # STS is running under sp-sts and authenticates the user itself
 # Web Application runs under the sp-intranet and needs LDAP lookup only for people picker
 #
 # FORMS authentication does not perform simple bind directly with the "login" obtained,
 # it rather searches for userNameAttribute or groupNameAttribute before performing logon
 #
 # to Central Administration goes <membership>, <roleManager> as whole
 #    mind the "enabled=true ..." part of the element
 #   CONDITIONS: if we need lookup in object pickers, otherwise it is not necessary
 #
 # to SecurityTokenService on all frontends (SPCA, WFEx) goes <system.web>
 #    the element is not present by default, paste it directly under </system.net>
 #    copy there the whole <membership> element, and then copy the whole <roleManager enabled="true"> except you delete 
 #    the defaultProvider attribute
 #   CONDITIONS: performs the actual authentication after a user types his/her login/password
 #               you do not need to have this on SPCA if the LDS users are not to go into Central Administration
 #
 # to web.config of WebApps goes just the <add...>, <add...> subelements,
 #    because it already contains the <providers> elements
 #   CONDITIONS: lookup when modifying permissions only. it is NOT necessary for a user to log on to the web
 #               the STS performs logon validation, not the web application itself
 #
 # on TMG be sure to DO NOT Verify Normalization (the login URL contains %25)
 #
 #
 # Relatively good reference on the provider members can be found here:
 #    http://msdn.microsoft.com/en-us/library/dd897500(v=office.12).aspx
 #
 # userNameAttribute/groupNameAttribute (userNameAlternateSearchAttribute and groupNameAlternateSearchAttribute)
 #    - must be typed as whole into object picker (does not search partial imputs)
 #    - will be displayed in all interfaces
 #    - must be used as login
 #
 # userDNAttribute
 #    - attribute containing the user's LDAP distinguishedName or userPrincipalName for later SIMPLE BIND
 #    - during credential validation, the search query asks for value of this attribute first
 #    - and after that it verifies password with SIMPLE BIND to object defined by this attribute value
 #      (simply said - the userNameAttribute is used to find the object in database, while the userDNAttribute
 #       is then used to validate password against the object)
 #
 # useUserDNAttribute/dnAttribute/userNameAttribute/userFilter (on role provider only)
 #    - the useUserDNAttribute=true instructs the role provider to use the value specified in dnAttribute as DN for object identification.
 #    - if the useUserDNAttribute=false, the role provider would determine DN attribute name dynamically from the LDAP server
 #      which may be necessary for some third party LDAP databases
 #    - userFilter is always used if present
 #    - userNameAttribute is used only when useUserDNAttribute=false. The value of userNameAttribute is added to the userFilter.
 #
 # cacheDurationInMinutes 
 #    - works since 2007 SP1, default 30 minutes if not specified, only for role provider to cache membership in memory to save some LDAP queries
 #
 # otherRequiredAttributes
 #    - probably ignored
 #
 # groupNameAlternateSearchAttribute, userNameAlternateSearchAttribute
 #    - only groupNameAlternateSearchAttribute works for groups
 #    - the userNameAlternateSearchAttribute does not work for users at all, not in pickers and not in login form
 #
 # AD LDS and simple bind:
 #    a) AD LDS supports simple bind with distinguishedName and userPrincipalName attributes
 #
 # Password validation:
 #    a) first, we search for userNameAttribute provided by user in the FBA who is logging on
 #    b) this query produces userDNAttribute value (probably distinguishedName, but works with userPrincipalName as well)
 #    c) then SIMPLE BIND is attempted against an object specified by the userDNAttribute obtained in previous step
 #
 # Group membership query:
 #    a) we find the user object by his userNameAttribute again and obtain his dnAttribute
 #    b) find all groups, whose groupMemberAttribute contains the user's dnAttribute
 #    c) do it recursively
 #
 # LDAP over TLS/SSL
 #    a) set the follwoing: useSSL="false", port="636"
 #       LDAPS does not work with authentication for other ports than 636,
 #       636 is SSL/TLS by default and does need own support from the provider (useSSL="false")
 #    b) in case you would like to use a different port than 636 you would have to specify useSSL="true"
 #    c) but the useSSL="true" supports Anonymous binds only and cannot authenticate (oh boy, why?) which LDS rejects by default
 #       documented here: http://technet.microsoft.com/en-us/library/cc197251(v=office.12).aspx
 #


 </system.net> 
 <system.web>

    <membership>
      <providers>
        <add name="PartnerLDAPMembership" 
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" 
             server="spca.idtt.virtual" 
             port="50001" 
             useSSL="false" 
             userDNAttribute="distinguishedName" 
             userNameAttribute="userPrincipalName"
             userNameAlternateSearchAttribute="displayName"
             userContainer="CN=Users,CN=SPPartners,DC=idtt,DC=lds" 
             userObjectClass="person" 
             userFilter="(objectClass=person)" 
             scope="Subtree" 
             otherRequiredUserAttributes="sn,givenName,cn,department" />
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" > 
      <providers>
        <add name="PartnerLDAPRoles" 
             type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="spca.idtt.virtual" 
             port="50001"
             useSSL="false"
             groupContainer="CN=SPPartners,DC=idtt,DC=lds"
             groupNameAttribute="cn"
             groupNameAlternateSearchAttribute="displayName"
             groupMemberAttribute="member"
             userNameAttribute="userPrincipalName"
             userFilter="(objectClass=person)"
             useUserDNAttribute="true" 
             dnAttribute="distinguishedName"
             groupFilter="(objectClass=group)"
             scope="Subtree"
             cacheDurationInMinutes="30" />
      </providers>
    </roleManager>

 </system.web>



 #
 # In case of PowerShell scripting, the LDS principals do not need to exist
 # at the time of the commands are issued and are not verified at all
 #


$ldsUser = 'ondrej@sevecek.com'
$ldsGroup = 'TemporaryEmployees'
$ldsClaim = 'i:0#.f|ldsmembership|kamil@sevecek.com'
$webApp = 'http://intranet'
$membership = 'LDSMembership'
$roles = 'LDSRoleManager'


$ldsPrinc = New-SPClaimsPrincipal -IdentityType FormsUser -Identity "$($membership):$ldsUser"
$ldsGroup = New-SPClaimsPrincipal -Identitytype FormsRole -Identity "$($roles):$ldsGroup"
$ldsPrincOrGroup = New-SPClaimsPrincipal -EncodedClaim $ldsClaim


$spWebApp = Get-SPWebApplication $webApp

$princPolicy = $spWebApp.Policies.Add($ldsPrinc.ToEncodedString(), "LDS $ldsUser")
$groupPolicy = $spWebApp.Policies.Add($ldsGroup.ToEncodedString(), "LDS $ldsGroup")
$claimPolicy = $spWebApp.Policies.Add($ldsPrincOrGroup.ToEncodedString(), "LDS $($ldsClaim.Split('|')[2])")

$fullControl = $spWebApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)

$princPolicy.PolicyRoleBindings.Add($fullControl)
$groupPolicy.PolicyRoleBindings.Add($fullControl)
$claimPolicy.PolicyRoleBindings.Add($fullControl)

$spWebApp.Update()