If you’re seeing the following error in the ULS logs, hopefully it’ll be as simple a fix for you as it was for me:
LdapRoleProvider.GetRolesFor() exception: {0}.System.ArgumentException: The (&(((ObjectClass=group))(member=CN=Some User,CN=Users,DC=domain,DC=local)) search filter is invalid.
at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()
at Microsoft.Office.Server.Security.LdapRoleProvider.GetRolesFor(String userOrGroupDN, DirectoryEntry groupContainer, LdapDistinguishedNameManager ldapDnManager, List`1& userRoles)
To resolve this error, all that’s required is to update the groupFilter and userFilter values for the role provider in the web.config files of the forms-based authentication web application and the Security Token Service.
The role provider settings I had looked something like:
<roleManager>
  <providers>
    <add name="SPRoleManager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="domain.local"
         port="389"
         useSSL="false"
         groupContainer="CN=users,DC=domain,DC=local"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="((ObjectClass=group)"
         userFilter="((ObjectClass=person)"
         scope="Subtree" />
  </providers>
</roleManager>
Notice the values for groupFilter and userFilter: ((ObjectClass=group) and ((ObjectClass=person). The parentheses are unbalanced, which is exactly why the composed search filter in the exception above is rejected as invalid.
These values are correct for the Central Administration web.config. In the web.config of the forms web application and of the Security Token Service they should be updated to (&(ObjectClass=group)) and (&(ObjectClass=person)) respectively.
Perform an IIS reset, and the next time you log in the exception should no longer appear in the ULS log.
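As an added check that is not part of the original post, the script below parses a role provider element out of a web.config, verifies that each groupFilter/userFilter value has balanced parentheses, and rebuilds the group search filter in the shape the logged exception shows, (&(<groupFilter>)(member=<DN>)), so you can confirm a filter value is sane before touching IIS. The web.config fragment is constructed for the example, and the composition pattern is inferred from the log line above rather than taken from SharePoint's source.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment carrying the broken filter values from the post.
WEB_CONFIG = """<configuration>
  <system.web>
    <roleManager>
      <providers>
        <add name="SPRoleManager"
             type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server"
             groupContainer="CN=users,DC=domain,DC=local"
             groupFilter="((ObjectClass=group)"
             userFilter="((ObjectClass=person)" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""


def paren_depth_ok(ldap_filter: str) -> bool:
    """True if parentheses are balanced and never close below depth zero."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def compose_group_search(group_filter: str, member_dn: str) -> str:
    """Rebuild the search filter the way the ULS exception shows it was built.
    Assumption: the provider wraps groupFilter as (&(<groupFilter>)(member=<DN>))."""
    return f"(&({group_filter})(member={member_dn}))"


def check_role_provider_filters(config_xml: str) -> dict:
    """Map '<provider>.<attribute>' to whether that filter value is well-formed."""
    root = ET.fromstring(config_xml)
    results = {}
    for add in root.iter("add"):
        if "LdapRoleProvider" not in add.get("type", ""):
            continue  # skip providers that are not the LDAP role provider
        name = add.get("name")
        for attr in ("groupFilter", "userFilter"):
            results[f"{name}.{attr}"] = paren_depth_ok(add.get(attr, ""))
    return results
```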