Alerts getting security trimmed for LDAP users
Hi all, I'm trying to get alerts working for our extranet users, which are stored in AD LDS. Alerts work fine when I add a user explicitly to a List's ACL instead of using the LDAP group (role) the user is a member of. I've narrowed it down to the fact that the Timer service is not aware of the role provider I've set up, as per this article: http://msdn.microsoft.com/en-us/library/bb977430.aspx. Thus the timer service thinks the user doesn't have access to the list and should not receive an alert for the list, i.e. security trimming. The article is for the SQL role provider though, not LDAP, so I think my syntax is wrong somewhere. This is what I configured:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration>
  <system.web>
    <membership defaultProvider="ADAMMembership">
      <providers>
        <add name="ADAMMembership"
             type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
             server="mysrv01" port="50000" useSSL="false"
             userDNAttribute="distinguishedName" userNameAttribute="cn"
             userContainer="CN=Users,CN=SharePoint,DC=mydomain,DC=local"
             userObjectClass="user" userFilter="(ObjectClass=user)" scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
    <roleManager defaultProvider="LdapRole" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
      <providers>
        <add name="LdapRole"
             type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
             server="mysrv01" port="50000" useSSL="false"
             groupContainer="CN=Users,CN=SharePoint,DC=mydomain,DC=local"
             groupNameAttribute="cn" groupMemberAttribute="member" userNameAttribute="cn"
             dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
      </providers>
    </roleManager>
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" />
    </authentication>
    <identity impersonate="true" />
    <globalization fileEncoding="utf-8" />
  </system.web>
</configuration>
```

I've restarted the timer service after adding the file to the \bin folder. Any ideas?

Thanks,
Ray
July 10th, 2012 4:29pm
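The failure mode Ray describes (the web application resolves the user's LDAP role, the Timer service does not, so the alert is security-trimmed) comes down to two config files that have to declare the same providers. The check below is an added example written for this thread, not code from the original posts or from Microsoft: it parses a web.config and an owstimer.exe.config, confirms that the Timer service's `membership`/`roleManager` default providers are the same ones the web application uses and that every attribute that affects which directory, users and groups are matched is identical, and separately warns about `useSSL="false"`. The two config strings are constructed here in the shape of the settings Ray posted (server `mysrv01`, port 50000, the `CN=Users,CN=SharePoint` container) and are not real files; treating a differing `defaultProvider` on the timer side as an error is this check's own assumption, not something the thread confirms.

```python
"""Compare the ASP.NET membership/roleManager providers a SharePoint web app
declares in web.config with those the Timer service reads from
owstimer.exe.config. Added diagnostic, not code from the original thread.
The sample configs are constructed from the attributes posted above."""
import xml.etree.ElementTree as ET

# Attributes that must agree; if any differs the timer job talks to a different
# directory, or matches users and groups differently, than the web app does.
COMPARE_ATTRS = (
    "type", "server", "port", "useSSL", "userContainer", "groupContainer",
    "userDNAttribute", "dnAttribute", "userNameAttribute", "groupNameAttribute",
    "groupMemberAttribute", "userFilter", "groupFilter", "scope",
)

_TYPE_MEMBER = ("Microsoft.Office.Server.Security.LDAPMembershipProvider, "
                "Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, "
                "PublicKeyToken=71E9BCE111E9429C")
_TYPE_ROLE = ("Microsoft.Office.Server.Security.LDAPRoleProvider, "
              "Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, "
              "PublicKeyToken=71E9BCE111E9429C")


def sample_config(role_default="LdapRole", role_port="50000"):
    """Constructed config in the shape of the one posted above (not a real file).
    The parameters let the demo below introduce deliberate mismatches."""
    return f"""<configuration>
  <system.web>
    <membership defaultProvider="ADAMMembership">
      <providers>
        <add name="ADAMMembership" type="{_TYPE_MEMBER}" server="mysrv01" port="50000"
             useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="cn"
             userContainer="CN=Users,CN=SharePoint,DC=mydomain,DC=local"
             userObjectClass="user" userFilter="(ObjectClass=user)" scope="Subtree" />
      </providers>
    </membership>
    <roleManager defaultProvider="{role_default}" enabled="true">
      <providers>
        <add name="LdapRole" type="{_TYPE_ROLE}" server="mysrv01" port="{role_port}"
             useSSL="false" groupContainer="CN=Users,CN=SharePoint,DC=mydomain,DC=local"
             groupNameAttribute="cn" groupMemberAttribute="member" userNameAttribute="cn"
             dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""


def load_providers(config_xml):
    """Parse <membership> and <roleManager> under <system.web> into
    {section: {"default": name, "enabled": value, "providers": {name: attrs}}}."""
    root = ET.fromstring(config_xml)
    system_web = next(root.iter("system.web"), None)
    result = {}
    for section in ("membership", "roleManager"):
        node = system_web.find(section) if system_web is not None else None
        if node is None:
            result[section] = {"default": None, "enabled": None, "providers": {}}
            continue
        result[section] = {
            "default": node.get("defaultProvider"),
            "enabled": node.get("enabled"),
            "providers": {p.get("name"): dict(p.attrib)
                          for p in node.findall("./providers/add")},
        }
    return result


def compare_configs(web_config_xml, timer_config_xml):
    """Return [(level, message)]. 'error' means the timer service will not resolve
    the same users/roles as the web app (alerts get trimmed); 'warn' is a
    hardening caveat that does not affect trimming."""
    web, timer = load_providers(web_config_xml), load_providers(timer_config_xml)
    findings = []
    for section in ("membership", "roleManager"):
        w, t = web[section], timer[section]
        name = w["default"]
        if name is None or name not in w["providers"]:
            findings.append(("error", f"{section}: web.config has no usable defaultProvider"))
            continue
        if section == "roleManager" and t["enabled"] != "true":
            findings.append(("error", "roleManager: not enabled=\"true\" in owstimer.exe.config"))
        if t["default"] != name:
            findings.append(("error", f"{section}: timer defaultProvider is {t['default']!r}, "
                                      f"web app uses {name!r}"))
        if name not in t["providers"]:
            findings.append(("error", f"{section}: provider {name!r} not declared in owstimer.exe.config"))
            continue
        for attr in COMPARE_ATTRS:
            wv, tv = w["providers"][name].get(attr), t["providers"][name].get(attr)
            if wv != tv:
                findings.append(("error", f"{section}/{name}: {attr} differs (web={wv!r}, timer={tv!r})"))
        if (w["providers"][name].get("useSSL") or "").lower() == "false":
            findings.append(("warn", f"{section}/{name}: useSSL=\"false\", binds and lookups "
                                     "cross the network in clear text"))
    return findings


def errors(findings):
    """Just the 'error' messages from compare_configs()."""
    return [msg for level, msg in findings if level == "error"]


WEB_CONFIG = sample_config()
TIMER_CONFIG_OK = sample_config()
# A timer config pasted together from a Central Administration sample: role default
# left as AspNetWindowsTokenRoleProvider and the LDS port copied from another farm.
TIMER_CONFIG_BAD = sample_config(role_default="AspNetWindowsTokenRoleProvider", role_port="389")

if __name__ == "__main__":
    for label, cfg in (("matching timer config", TIMER_CONFIG_OK),
                       ("mismatched timer config", TIMER_CONFIG_BAD)):
        print(f"== {label}")
        for level, msg in compare_configs(WEB_CONFIG, cfg):
            print(f"  [{level}] {msg}")
```

Run it on the real files by replacing the two constructed strings with `open(path).read()` of the web application's web.config and the owstimer.exe.config in the 12\BIN folder; a clean result only rules out provider mismatches, since the timer service also has to be restarted and its service account must be able to bind to the LDS instance from the timer host.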

Hello, Thank you for your question. I am trying to involve someone familiar with this topic to further look at this issue. Thanks, Rock Wang Forum Support

Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Rock Wang TechNet Community Support
July 10th, 2012 11:33pm

Hi, Here is my sample of the web.configs from my test farm.

CA:

```xml
<membership>
  <providers>
    <add name="Ldap"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="myLDSserver" port="389" useSSL="false" enableSearchMethods="true"
         userDNAttribute="distinguishedName" userNameAttribute="cn"
         userContainer="cn=users,o=ms,c=us" userObjectClass="person"
         userFilter="(|(ObjectCategory=group)(ObjectClass=user))" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn,employeeID" />
  </providers>
</membership>
<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
  <providers>
    <add name="LDAPRole"
         type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="myLDSserver" port="389" useSSL="false"
         groupContainer="cn=users,o=ms,c=us" groupNameAttribute="cn"
         groupMemberAttribute="member" userNameAttribute="cn"
         dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
  </providers>
</roleManager>
```

App:

```xml
<membership defaultProvider="Ldap">
  <providers>
    <add name="Ldap"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="myLDSserver" port="389" useSSL="false" enableSearchMethods="true"
         userDNAttribute="distinguishedName" userNameAttribute="cn"
         userContainer="cn=users,o=ms,c=us" userObjectClass="person"
         userFilter="(|(ObjectCategory=group)(ObjectClass=user))" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn,employeeID" />
  </providers>
</membership>
<roleManager defaultProvider="LDAPRole" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
  <providers>
    <add name="LDAPRole"
         type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="myLDSserver" port="389" useSSL="false"
         groupContainer="cn=users,o=ms,c=us" groupNameAttribute="cn"
         groupMemberAttribute="member" userNameAttribute="cn"
         dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
  </providers>
</roleManager>
```

I've tested this with a user in LDAPRole:group1: the user is able to log in, add alerts and receive them just fine. However, if you add just LDAPRole:group1 you'll get an error message indicating there is no email address for group1. Checking further in the group1 schema, there is no mail attribute. This would be expected. If it still does not work, you might want to consider opening a paid support ticket to have an engineer look at your setup.

Regards, Savoeurn Va Microsoft Online Community Support
July 11th, 2012 3:32pm

Hi Savoeurn, Many thanks for your reply! When you tested Alerts, did you test an alert for an item actually changing in the list, or just that the initial email was sent saying that the alert had been successfully created? From what I've read, different methods are used for sending these - the actual alert emails e.g. for a changed item in a list are generated by timer jobs. My web.configs appear to be working fine, as permissions using Roles instead of individual users are otherwise 100% - it's just alerts. I'm convinced I'm having the issue that is outlined in the MSDN article in my first post... so I'm specifically looking for sample owstimer.exe.config syntax when used with LDAP, so that timer jobs know how to find my role provider, so that security trimming doesn't remove users who do not have explicit permissions to a list (but are inheriting permissions via their ldap role membership). Tomorrow I'll compare my web.configs to yours anyway for good measure in case I missed something - thanks for sharing them. :-) I will definitely consider logging a support call... will keep my post open for a while though before I do so. ;-) regards Ray
July 11th, 2012 5:08pm

After creating the alerts, a change was done to the several list types. An email indicating changes did come through around the timer job fire time frame.

Regards, Savoeurn Va Microsoft Online Community Support
July 11th, 2012 8:30pm


OK thanks Savoeurn. Will check my configs and do some more testing...
July 12th, 2012 5:37am
