Mapping User Profile Properties in SharePoint 2010 to LDAP Attributes

Updated 02/02/2012 – Added two more scenarios to “Known Issues” section based on feedback

Introduction

SharePoint 2010 uses Forefront Identity Manager (FIM) to synchronize user profiles between the SharePoint 2010 profile database and backend user repositories such as Active Directory, SUN Java Directory Server, IBM Tivoli or Novell eDirectory. After you have created a synchronization connection between SharePoint 2010 and the backend user repository, you will usually want to map additional attributes from the backend user repository to the SharePoint profile properties, because by default only a handful of attributes get mapped. For example, if you have created a custom attribute in SUN or Active Directory named “EmployeeID”, the synchronization connection that you create will probably not bring in the “employeeNumber” of users when you perform a synchronization. You will need to perform additional steps in SharePoint 2010 to map the “employeeNumber” attribute to a SharePoint user profile property.

Creating the Mapping

The mapping can be created by completing the following steps. We will first create the SharePoint user profile property and will perform the mapping afterwards:

  1. Open the central administration web site
  2. Browse to the management page of your user profile service application
  3. From the management page, click on “Manage User Properties”
  4. Click on “New Property”
  5. Type in the “Name” and the “Display Name” of the property
  6. Select the data type of the property. The data type should match the data type of the corresponding attribute in the LDAP user repository that you intend to map the property to.
  7. From the “Source Data Connection” drop down, select the synchronization connection that has the LDAP attribute
  8. From the “Attribute” drop down, select the attribute that you wish to map. Note that in certain cases you may not see the attribute you are looking for in the “Attribute” drop down. In this case, you will need to create the mapping using PowerShell (see the next section). If so, skip to step 11.
  9. From the “Direction” drop down, select the direction of the attribute. If you want the attribute from the user repository to be copied over to the SharePoint profile database, the direction should be “Import”. If you want the attribute from the SharePoint profile database to be copied over to the user repository, the direction should be “Export”.
  10. Click Add
  11. Click OK.

Mapping Attributes missing from the “Attributes” drop down

In certain cases, the attribute that you are trying to map may not be visible in the attributes drop down on the user profile property creation page. In this case, you will need to use PowerShell to map the LDAP attribute to the SharePoint profile property. In order to run the script successfully, please ensure the following:

  1. You know the name (not Display Name) of the SharePoint Profile Property to which you need to map the attribute
  2. You know the name of the LDAP attribute that you wish to map (case sensitive)
  3. You are logged in as the farm account (the account under which the timer service and central administration application pool is running)
  4. The user profile service application where you need to perform the mapping should be the default service application associated to the central administration web site. Here is how you can verify this:
    • From central administration, click on “Application Management” on the left navigation bar
    • Click on “Manage Web Applications”
    • Select “SharePoint Central Administration v4”
    • From the Ribbon menu, click on “Service Connections”
    • Verify that, in the list of connections, the user profile service application that you are performing the mapping for is checked and is set as the default service connection.
    • If the user profile service application proxy where you are performing the mapping is not set as default, select “custom” as the service connection group and then choose the user profile service application connection that you are working with to perform the mapping.

After you have verified the above, run the following script to perform the property mapping. Set the value of $url to the URL of the central administration web site. Update the values of $spsProperty, $fimProperty and $connectionName to match your environment. Note that the direction of this mapping will be “Import”.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue #Needed when the script is not run from the SharePoint 2010 Management Shell

$url = "https://tehnoonr-ws08-4:1125" #URL of any site collection that is associated to the user profile service application (no leading/trailing spaces).
$spsProperty = "EID" #Internal name (not display name) of the SharePoint user profile property
$fimProperty = "employeeNumber" #Name of the attribute in the FIM/LDAP source, exactly as it appears in the FIM client (case sensitive)
$connectionName = "sun" #Name of the SharePoint synchronization connection

$site = Get-SPSite $url

if ($site)
{Write-Host "Successfully obtained site reference!"}
else
{Write-Host "Failed to obtain site reference"; return} #Stop here, the remaining steps would fail on a null reference

$serviceContext = Get-SPServiceContext($site)

if ($serviceContext)
{Write-Host "Successfully obtained service context!"}
else
{Write-Host "Failed to obtain service context"; return}

$upManager = new-object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($serviceContext)

if ($upManager)
{Write-Host "Successfully obtained user profile manager!"}
else
{Write-Host "Failed to obtain user profile manager"; return} #See Known Issue C: usually a permissions problem

$synchConnection = $upManager.ConnectionManager[$connectionName]

if ($synchConnection)
{Write-Host "Successfully obtained synchronization connection!"}
else
{Write-Host "Failed to obtain user synchronization connection!"; return} #Wrong connection name or insufficient permissions

Write-Host "Adding the attribute mapping..."
$synchConnection.PropertyMapping.AddNewMapping([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty)
Write-Host "Done!"

Perform a full synchronization after the mapping has been created.

Hope this has been helpful!

Happy SharePointing!

Known Issues

A) The AddNewMapping function throws “Unable to process Put message”

This happens when the attribute specified in the $fimProperty variable is not valid. Please ensure that you have not misspelled the attribute and the data type of the attribute is compatible with the data type of the SharePoint managed property. For example, the “manager” LDAP attribute cannot be mapped to a SharePoint property of type “string” – it has to be mapped to a managed property of type “Person”. Additionally, please verify that you can see the LDAP attribute in the FIM client and you have typed in the LDAP attribute in the $fimProperty variable exactly as it appears in the FIM client.

To verify that you can see the desired LDAP attribute in FIM client (WARNING: DO NOT MODIFY ANYTHING IN THE FIM CLIENT):

  • On the server running the User Profile Synchronization Service, open miisclient.exe (located at Drive:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell)
  • Click on the “Management Agents” tab
  • There should be a management agent in the list that represents your synchronization connection. For Active Directory synchronization connections, the management agent will have the name MOSSAD-YourSynchConnectionName. Double click on the management agent that represents your synchronization connection
  • Click on “Select Attributes”
  • Select the “Show All” check box
  • This should show you a list of all LDAP attributes that can be mapped to SharePoint managed properties. Remember that the $fimProperty variable in the script should have exactly the same value as the attribute appears here. If the desired attribute is not in this list, the script will throw the “Unable to process Put message” error.

B) The Script gets completed without errors, but the mapping is not created

This happens if the value in the $spsProperty variable of the script is incorrect. Please ensure that you have specified the Internal Name of the managed property, not the display name. To get the internal name of the managed property, click on the desired property from the “Manage User Properties” page and select “Edit” from the ECB menu. The EditProperty.aspx page will show you the internal name of the managed property (the “Name” field).

C) You get the message “Failed to obtain user profile manager” when you run the script

This can happen in two scenarios: the URL you specified does not have a user profile service application associated with it, or you don’t have the right permissions on the user profile service application. The permissions issue is the more common one. If the user profile service application is in the local farm, you should be able to log in as the account that runs the timer service and run the script. Alternatively, you can grant the appropriate permissions to the account that you’re running the script as. This can be done from central administration by selecting the user profile service application and clicking on “Permissions” from the ribbon.

D) The script creates an “import” mapping of the attribute, but you are trying to create an “export” mapping

One reader needed an export mapping rather than an import mapping. Note that the script as written creates an “import” mapping. In order to create an “export” mapping, replace the following:

$synchConnection.PropertyMapping.AddNewMapping([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty)

with:

$synchConnection.PropertyMapping.AddNewExportMapping([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty)
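The following is an added example, not part of the original post or the script above: it checks the inputs the script depends on before calling AddNewMapping (the internal property name from Known Issue B, the connection lookup from Known Issues C and D), and then re-reads the mapping collection to confirm that the mapping was actually stored. It uses the same SharePoint 2010 object model as the post; the URL, property and connection names are placeholders to be replaced with your own.

```powershell
# Added example (not the post's own script). Assumes the SharePoint 2010
# object model and the same variable names as the post. All names below
# are placeholders for your environment.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url            = "http://centraladmin-placeholder:1125" # Central Administration URL (placeholder)
$spsProperty    = "EID"             # internal name of the SharePoint profile property
$fimProperty    = "employeeNumber"  # LDAP attribute name, case sensitive
$connectionName = "sun"             # synchronization connection name
$export         = $false            # $true to create an export mapping instead (Known Issue D)

$site = Get-SPSite $url
if (-not $site) { throw "Could not open site '$url'." }
$serviceContext = Get-SPServiceContext $site
$upManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($serviceContext)

# Known Issue B: a wrong internal name fails silently, so check it up front
# against the core property collection and list what does exist.
$coreProps = $upManager.ProfilePropertyManager.GetCoreProperties()
$prop = $coreProps.GetPropertyByName($spsProperty)
if ($prop -eq $null) {
    $names = ($coreProps | ForEach-Object { $_.Name }) -join ", "
    throw "No profile property with internal name '$spsProperty'. Existing names: $names"
}
Write-Host ("Property '{0}': type {1}, length {2}, multivalued={3}" -f `
    $prop.Name, $prop.Type, $prop.Length, $prop.IsMultivalued)

# Known Issue C and the "null-valued expression" error from the comments:
# the connection lookup returns $null for a wrong name or insufficient rights.
$synchConnection = $upManager.ConnectionManager[$connectionName]
if ($synchConnection -eq $null) {
    $names = ($upManager.ConnectionManager | ForEach-Object { $_.DisplayName }) -join ", "
    throw "No synchronization connection named '$connectionName'. Available: $names"
}

# Do nothing if an equivalent mapping is already present.
$existing = $synchConnection.PropertyMapping |
    Where-Object { $_.ProfileProperty -eq $spsProperty -and $_.DataSourcePropertyName -eq $fimProperty }
if ($existing) {
    Write-Host "Mapping already exists (import=$($existing.IsImport), export=$($existing.IsExport))."
    return
}

$profileType = [Microsoft.Office.Server.UserProfiles.ProfileType]::User
if ($export) {
    $synchConnection.PropertyMapping.AddNewExportMapping($profileType, $spsProperty, $fimProperty)
} else {
    $synchConnection.PropertyMapping.AddNewMapping($profileType, $spsProperty, $fimProperty)
}

# Re-read the collection to prove the mapping was stored, not just that the call returned.
$created = $synchConnection.PropertyMapping |
    Where-Object { $_.ProfileProperty -eq $spsProperty -and $_.DataSourcePropertyName -eq $fimProperty }
if ($created) {
    Write-Host "Mapping created: $($created.ProfileProperty) <-> $($created.DataSourcePropertyName). Run a full synchronization."
} else {
    Write-Warning "The call returned without error but no mapping is present; re-check the property and connection names."
}
```

Run it as the farm account, as the post requires; the thrown messages list the existing property and connection names so a typo is visible immediately instead of surfacing later as a null-valued expression.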

Comments

  • Anonymous
    December 21, 2010
    Thanks for the good and effective info. Keep it up and post more. godwinsblog.cdtech.in/.../sharepoint-2010-installation-language.html

  • Anonymous
    March 04, 2011
    Hi, how can I export a property programmatically?

  • Anonymous
    May 11, 2011
    I'm getting an error on the AddNewMapping method. Any idea why this would occur? PS D:\tools> .\AddLDAPAttribute.ps1 Successfully obtained site reference! Successfully obtained service context! Successfully obtained user profile manager! Successfully obtained synchronization connection! Adding the attribute mapping... Exception calling "AddNewMapping" with "3" argument(s): "Unable to process Put message" At D:\tools\AddLDAPAttribute.ps1:35 char:47 + $synchConnection.PropertyMapping.AddNewMapping <<<< ([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty) + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : DotNetMethodException Done!

  • Anonymous
    May 11, 2011
    This is typically caused by a data type mismatch. The data type of the property in your LDAP directory should match the data type in SharePoint that you are trying to map.

  • Anonymous
    May 22, 2011
    How would I map to a URL profile property? The PictureURL property in SharePoint is of type URL, but I want to import the value from a BDC (but same problem for importing from AD). It doesn't match with string types in the BDC. Cheers, Merijn

  • Anonymous
    May 22, 2011
    Hmm, correction... after adding a new property of type URL I can import from a string just fine. So the PictureURL seems to be a special case. Pity. Merijn

  • Anonymous
    August 31, 2011
    Hi, I ran the script to add the property userAccountControl and the script completed without errors but I couldn’t see it in the list of user property mapping.

  • Anonymous
    September 13, 2011
    @isaDudu: Please ensure that the value in the $spsProperty has been properly set. I have added a "Known Issues" section to the post which explains the problem.

  • Anonymous
    September 16, 2011
    This was very helpful, thank you.

  • Anonymous
    September 23, 2011
    Hi. I deleted the mapping between SPS-DistinguishedName and the dn attribute, but I get "Unable to process Put message" when I try to add it back. Do you have any ideas on how to fix this?

  • Anonymous
    September 23, 2011
    Joel, I have seen this problem quite a few times, but unfortunately, since the dn attribute is not visible in the "FIM" client, you can't re-create the mapping using the script. I will dig into this when I have time and update this post, but for now, your workaround is to: 1) Delete the synch connection 2) Disable the MySite cleanup job 3) Create a new synch connection and redo any custom mappings 4) Perform at least 3 full synchs 5) Verify that all user profiles have been imported and none are marked for deletion (there is a bDeleted flag in the UserProfile_Full table of the UPA). After you have done the above, please enable the MySite cleanup job.

  • Anonymous
    September 23, 2011
    Technoon, we did as you suggested but SharePoint did not create the mapping for SPS-DistinguishedName, and the full synchs we did all threw an exception saying that the SPS-DistinguishedName property was required. Do you have any other idea, or may we be missing something?

  • Anonymous
    September 23, 2011
    I thought re-creating the synch connection would have created the mapping. Anyways, another option here is to reset the synchronization database. Resetting the synchronization database will automatically delete your synchronization connection. After the reset, please recreate the synchronization connection and proceed with all actions as suggested earlier. Steps to reset synchronization database can be found here: technet.microsoft.com/.../ff681014.aspx

  • Anonymous
    November 17, 2011
    How can I map a multi-value property? I have used the same script that you provided and it ran successfully, however it does not add the mapping. Any idea why? ... The data type is correct and there are no errors from the script; the only difference is that it is a custom property in LDAP.

  • Anonymous
    November 17, 2011
    Hey Nemil, have you checked the issues mentioned in "Known Issues" section of the article? Did you use the correct name for the SharePoint property?

  • Anonymous
    November 23, 2011
    Thanks for the reply, I have managed to resolve the issue for multi value. The issue was with the length of the string: I just used 25, however the value length was more than that. I changed the value to somewhat more and now it worked; however, even after the sync finished successfully I don't see the value populated .... any idea why?

  • Anonymous
    January 05, 2012
    That's a permissions problem (failed to obtain user profile manager). Can you log in with the same account that the timer service is running under and see if it works? UP2 is just the name of the user profile service application. It can be anything really, it doesn't make a difference.

  • Anonymous
    January 09, 2012
    Another issue I've spent 3 days trying to figure out: my domain admin account was not the correct account to run this as! You need to add the user to the service application administrators. As far as admin via CA, everything seemed to suggest I could do all, but via PS I couldn't. No access denied errors, or anything though.

  • Anonymous
    February 02, 2012
    I can't find a way to set up an export relationship between AD fields that do not appear in the drop down list and profile properties. The script works fine for import. Export works fine on our system for items in the dropdown list. Looking for a way to set up export for AD fields that do not appear.

  • Anonymous
    March 15, 2012
    Hello, I am not able to run this script. My intention is to map an "Integer" type SharePoint property to the departmentNumber LDAP property, however for some reason I don't get this property from the GUI, so I tried to use your script. $spsProperty = "integer" $fimProperty = "departmentNumber" $connectionName = "Departments" But I get an error. You cannot call a method on a null-valued expression. At C:\Test.ps1:33 char:47 + $synchConnection.PropertyMapping.AddNewMapping <<<< ([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty) + CategoryInfo : InvalidOperation: (AddNewMapping:String) [], RuntimeException + FullyQualifiedErrorId : InvokeMethodOnNull

  • Anonymous
    May 01, 2012
    Please forget my previous comment about the Connection Name, duh! I found that! BUT I am getting the exact same error as Raj, "You cannot call a method on a null-valued expression". Can you please address this if you know the answer? I am thinking it is set as an incorrect (does not match) datatype in LDAP? Your thoughts?

  • Anonymous
    May 02, 2012
    This error does not indicate a data type mis-match. Are you sure the synch connection is not null?

  • Anonymous
    August 02, 2012
    Hi, I'm also having the same issue as Raj. Could it be that there are spaces in connection name? Can you suggest any troubleshooting ideas/methods for why the connection fails?

  • Anonymous
    August 03, 2012
    Nick: If you're not able to get a reference to the synch connection object ($synchConnection), that may mean that you're running into a permissions problem. Are you logged in with the same account that your SharePoint Timer Service is running under?

  • Anonymous
    August 29, 2012
    Hi, I am trying to map the departmentNumber but I am getting the following exception in the last step after the message 'Adding the attribute mapping': Exception calling "AddNewMapping" with "3" argument(s): "Unable to process Put message" ... I would highly appreciate any input on this issue.

  • Anonymous
    August 29, 2012
    I have also checked that the datatypes are matching. It's the same error dbiegunski@gmail.com mentioned a bit above.

  • Anonymous
    November 19, 2012
    Hi Raza, I don't have EmployeeID in AD visible by default. Now I want to make EmployeeID available in the SharePoint UserProfile. So (1) can I create a new EmployeeID directly in SharePoint -> New Property, or (2) do I first need to create a new property in AD, and then create that property in SharePoint? Please let me know. I am of the understanding that I can directly create it in SharePoint. Thanks

  • Anonymous
    November 20, 2012
    @AftabStacjk: SharePoint does not have the ability to modify the schema of your AD. You first need to create the attribute in AD, then you'll need to create the managed property in SharePoint. Finally, you can use the script in this post to do the mapping. Note that you'll need to do a full synchronization after the mapping.

  • Anonymous
    September 25, 2013
    I am getting the following error, for an AD Sync connection also. We made sure both Fimproperty and Spsproperty have the same data type, String. Please help me fix this. Exception calling "AddNewMapping" with "3" argument(s): "Unable to process Put message" At C:\upm.ps1:33 char:47 + $synchConnection.PropertyMapping.AddNewMapping <<<< ([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsProperty, $fimProperty) + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : DotNetMethodException

  • Anonymous
    October 31, 2013
    I have verified the LDAP attribute in the $fimProperty variable exactly as it appears in the FIM client, but it still throws the error Exception calling "AddNewMapping" with "3" argument(s): "Unable to process Put message". Any ideas?

  • Anonymous
    October 31, 2013
    Verified the LDAP attribute in the $fimProperty variable exactly as it appears in the FIM client, but it still throws the exception "unable to process put message". Any ideas really appreciated.

  • Anonymous
    October 31, 2013
    This could be a permissions issue. Can you log in as the same account that is running the SharePoint timer service and run the script again?

  • Anonymous
    March 02, 2014
    Hi Raza, in my case I am not finding a value for the by-default mapped field "Manager" for user profiles in the staging environment. However, I am able to see values for the Manager field on the production server user profiles. In both places I am referring to the same AD location. In staging, all attribute values are coming fine, except Manager. Could you please advise here? Thank you beforehand.

  • Anonymous
    April 07, 2014
    Is there a way to "Configure a Term Set to be used for this property" ? When my properties are mapped, and I go back in, the Term Set is greyed out and I cannot edit.

  • Anonymous
    October 16, 2015
    Hi, how do I get a userProfile by using LDAP? When I call getuserProfile() the user email is also displayed. How is that possible? Can you provide code for my requirement ASAP please?

  • Anonymous
    November 10, 2015
    Very detailed explanation, thanks.