ActiveDirectory Group Sync Issue using AEM LDAP | Community
ganeshboggavara
Level 3
April 2, 2019

ActiveDirectory Group Sync Issue using AEM LDAP

  • April 2, 2019
  • 1 reply
  • 11971 views

Hi Guys,

I'm trying to sync groups and users from Active Directory to an AEM environment using AEM LDAP (Identity Provider, Sync Handler, External Login Module).

The connection and bind seem successful, but the groups don't sync. I see from the logs that the messages exchanged between AD and AEM are empty, as below, even though there are several groups in AD:

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue Control value : 0x30 0x84 0x00 0x00 0x00 0x05 0x02 0x01 0x00 0x04 0x00

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.asn1.ber.Asn1Decoder <<<------------------------------------------

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.asn1.ber.Asn1Decoder <-- Stop decoding : TLV[ 0x04, 11, DATA[0x30 0x84 0x00 0x00 0x00 0x05 0x02 0x01 0x00 0x04 0x00 ]]

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.asn1.ber.Asn1Decoder <<<==========================================

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.CODEC_LOG Decoded LdapMessage : MessageType : SEARCH_RESULT_DONE

Message ID : 3

    Search Result Done

        Ldap Result

            Result code : (SUCCESS) success

            Matched Dn : ''

            Diagnostic message : ''

    Paged Search Control

        oid : 1.2.840.113556.1.4.319

        critical : false

        size   : '0'

        cookie   : ''

    Paged Search Control

        oid : 1.2.840.113556.1.4.319

        critical : false

        size   : '0'

        cookie   : ''

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.ldap.client.api.LdapNetworkConnection -------> MessageType : SEARCH_RESULT_DONE

Message ID : 3

    Search Result Done

        Ldap Result

            Result code : (SUCCESS) success

            Matched Dn : ''

            Diagnostic message : ''

    Paged Search Control

        oid : 1.2.840.113556.1.4.319

        critical : false

        size   : '0'

        cookie   : ''

    Paged Search Control

        oid : 1.2.840.113556.1.4.319

        critical : false

        size   : '0'

        cookie   : ''

Message received <-------

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.ldap.client.api.LdapNetworkConnection Getting <3, org.apache.directory.ldap.client.api.future.SearchFuture>

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.ldap.client.api.LdapNetworkConnection Search successful : MessageType : SEARCH_RESULT_DONE

Message ID : 3

    Search Result Done

        Ldap Result

            Result code : (SUCCESS) success

            Matched Dn : ''

            Diagnostic message : ''

    Paged Search Control

        oid : 1.2.840.113556.1.4.319

        critical : false

        size   : '0'

        cookie   : ''

    Paged Search Control

        oid : 1.2.840.113556.1.4.319

        critical : false

        size   : '0'

        cookie   : ''

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.ldap.client.api.LdapNetworkConnection Removing <3, org.apache.directory.ldap.client.api.future.SearchFuture>

Here is the LDAP Identity Provider config I used:

User base DN                CN=AgCoVPNExt,OU=MA2-SOX,OU=Groups,DC=phibred,DC=com   (also tried with OU=MA2-SOX,OU=Groups,DC=phibred,DC=com)

User object classes      user

User id attribute            CN

Group base DN                OU=MA2-SOX,OU=Groups,DC=phibred,DC=com

Group object classes      group

Group name attribute      CN

Can someone help with these questions:

1. Why don't I see the Groups Sync from AD to AEM?

2. Can we invoke a group sync from JMX, just like we invoke syncAllExternalUsers() in JMX?

3. Does AEM LDAP sync groups at all?

Thanks,

Ganesh Bogga
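The "Control value" bytes in the StoreControlValue line above are the BER-encoded paged-results control (OID 1.2.840.113556.1.4.319, RFC 2696). The script below decodes them; it is an added example for this thread and not code from the post or from Oak/AEM. It handles the 4-byte long-form length (0x84) that Active Directory emits, and its interpret() helper encodes the usual reading of this log against AD (an assumption stated in the code, not something the thread confirms): a SEARCH_RESULT_DONE with result code success, size 0, an empty cookie and no SEARCH_RESULT_ENTRY before it means the base DN resolved (a base DN that does not exist normally comes back as noSuchObject, result code 32) but nothing beneath it matched the search filter and scope. LOGGED_CONTROL_VALUE is copied from the log; LOG_EXCERPT and the second control sample in the usage are constructed.

```python
"""Decode the LDAP paged-results control value from the posted AEM log.

Added example for this thread; it is not code from the thread or from
Oak/AEM. It parses the BER-encoded realSearchControlValue of RFC 2696
(SEQUENCE { size INTEGER, cookie OCTET STRING }), including the 4-byte
long-form length (0x84) that Active Directory emits, and reads the result
the way one would when triaging an empty sync.
"""
from dataclasses import dataclass

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"

# Copied verbatim from the "Control value :" log line in the post.
LOGGED_CONTROL_VALUE = "0x30 0x84 0x00 0x00 0x00 0x05 0x02 0x01 0x00 0x04 0x00"

# Constructed excerpt of the CODEC_LOG lines: the posted log shows only a
# SEARCH_RESULT_DONE for message 3, with no SEARCH_RESULT_ENTRY before it.
LOG_EXCERPT = """\
02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.CODEC_LOG Decoded LdapMessage : MessageType : SEARCH_RESULT_DONE
"""


@dataclass(frozen=True)
class PagedResultsValue:
    size: int      # server's estimate of the total result size; 0 = unknown/none
    cookie: bytes  # empty cookie means this was the last page

    @property
    def more_pages(self) -> bool:
        return len(self.cookie) > 0


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one BER TLV at pos; return (tag, value, position after it).

    Accepts short-form lengths (< 0x80) and long-form lengths (0x81..0x84).
    LDAP (RFC 4511) only allows definite lengths, so 0x80 is rejected.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError(f"unsupported or truncated length byte 0x{first:02x}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("TLV length runs past end of buffer")
    return tag, value, pos + length


def parse_hex_dump(dump: str) -> bytes:
    """Turn the log's '0x30 0x84 ...' notation into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def decode_paged_results(value: bytes) -> PagedResultsValue:
    """Decode realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    tag, size_bytes, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER size")
    tag, cookie, pos = _read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("expected OCTET STRING cookie as the last element")
    return PagedResultsValue(int.from_bytes(size_bytes, "big", signed=True), cookie)


def count_entries(log_text: str) -> int:
    """Number of SEARCH_RESULT_ENTRY messages the codec decoded in this log excerpt."""
    return sum(1 for line in log_text.splitlines()
               if "CODEC_LOG Decoded LdapMessage" in line and "SEARCH_RESULT_ENTRY" in line)


def interpret(result_code: int, entries_received: int, ctrl: PagedResultsValue) -> str:
    """Reading of a SEARCH_RESULT_DONE plus its paged-results control.

    Assumed Active Directory behaviour: a missing base DN yields noSuchObject
    (32); success with zero entries and an empty cookie means the base exists
    but nothing under it matched the filter within the search scope.
    """
    if result_code == 32:
        return "noSuchObject: the base DN does not exist on the server"
    if result_code != 0:
        return f"search failed with LDAP result code {result_code}"
    if ctrl.more_pages:
        return "more pages: resend the same search with this cookie"
    if entries_received == 0:
        return "base DN resolved but no entry matched the filter and scope"
    return "final page received"


if __name__ == "__main__":
    ctrl = decode_paged_results(parse_hex_dump(LOGGED_CONTROL_VALUE))
    print(f"oid={PAGED_RESULTS_OID} size={ctrl.size} cookie={ctrl.cookie!r}")
    print(interpret(0, count_entries(LOG_EXCERPT), ctrl))
```

Running it on the logged bytes gives size 0 and an empty cookie, and count_entries() finds no SEARCH_RESULT_ENTRY, so the search itself succeeded against an existing base but returned nothing; that points at the filter (object class, name attribute) and the base DN's contents rather than at the bind or the connection.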



Adobe Employee
April 3, 2019

You are probably missing one of the sync configs. Check [1] for more details and answers to your questions.

[1] Configuring LDAP with AEM 6

Adobe Employee
April 3, 2019

Hello,

Check the "User membership nesting depth" in the "Apache Jackrabbit Oak Default Sync Handler" config. Change it to 1 (or a greater integer).

Answers:

1. Make sure your group Base DN is correct.

2. No

3. No. When an LDAP user tries to log in to AEM, it automatically syncs the LDAP groups the user is a part of.

For example,

You have 3 users,

U1

U2

U3

5 groups:

G1 - U1, U2

G2 - U3

G3 - U1

G4

G5

Now, when U1 logs in to AEM, groups G1 and G3 will be synced automatically.
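The nesting-depth setting the reply points at is the OSGi property user.membershipNestingDepth of org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler; its default is 0, which looks up no membership at all. The model below is an added example, not Oak or AEM code, that reproduces the reply's login-time behaviour over the same U1..U3 / G1..G5 directory and goes one step further than the reply by adding an assumed nested group (G4 containing G1) to show what depth 2 adds. Group names, members and the nesting are constructed.

```python
"""How the Oak Default Sync Handler's "User membership nesting depth"
(OSGi property user.membershipNestingDepth) picks the groups a user
receives when the external login module syncs that user at login.

Added example for this thread, not Oak/AEM code. The directory is
constructed to mirror the reply's users and groups, plus one assumed
nested group, G4 containing G1, that the reply does not have.
"""

# AD-style 'member' lists: group -> its direct members (users or groups).
DIRECTORY = {
    "G1": {"U1", "U2"},
    "G2": {"U3"},
    "G3": {"U1"},
    "G4": {"G1"},   # assumed: G1 is nested inside G4
    "G5": set(),    # empty group, as in the reply
}

USERS = {"U1", "U2", "U3"}


def direct_groups_of(member: str) -> set[str]:
    """Groups whose 'member' attribute lists this user or group."""
    return {g for g, members in DIRECTORY.items() if member in members}


def synced_groups(user: str, nesting_depth: int) -> set[str]:
    """Groups synced for one user when that user logs in.

    Depth 0 (the Oak default) looks up no membership at all; depth 1 adds the
    user's direct groups; each further level adds the groups of the groups
    found so far, so nested AD groups only appear at depth >= 2.
    """
    if user not in USERS:
        raise KeyError(user)
    synced: set[str] = set()
    frontier = {user}
    for _ in range(nesting_depth):
        next_level: set[str] = set()
        for member in frontier:
            next_level |= direct_groups_of(member)
        next_level -= synced          # ignore groups already reached
        if not next_level:            # no further ancestry to walk
            break
        synced |= next_level
        frontier = next_level
    return synced


def groups_after_logins(logins, nesting_depth: int) -> set[str]:
    """Groups present in AEM after this sequence of logins: a group appears
    only as a side effect of syncing one of its members, never on its own."""
    present: set[str] = set()
    for user in logins:
        present |= synced_groups(user, nesting_depth)
    return present


def never_synced_groups(nesting_depth: int) -> set[str]:
    """Groups that no login can ever bring in at this depth."""
    return set(DIRECTORY) - groups_after_logins(sorted(USERS), nesting_depth)


if __name__ == "__main__":
    for depth in (0, 1, 2):
        print(f"depth={depth}: U1 -> {sorted(synced_groups('U1', depth))}, "
              f"never synced: {sorted(never_synced_groups(depth))}")
```

At depth 0 nobody's login creates any group, which is what an untouched sync handler config produces; at depth 1 U1 brings in G1 and G3 exactly as the reply states; and G5, having no members, is never created by any login at any depth.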

ganeshboggavara
Level 3
April 3, 2019

Hi Vish,

Thanks a lot for the reply. I tried logging in with one of the users synced to AEM; I can see the user in useradmin, but I could not log in with that username and password (which I already know for that user from AD).

Does LDAP authenticate user credentials (username and password) against AD dynamically, or do we need to create a password after the user is synced to AEM?

Appreciate your response