Doubts on LDAP integration | Community
Level 6
October 16, 2015
Solved

Doubts on LDAP integration

  • October 16, 2015
  • 6 replies
  • 2198 views

Hi experts,

I have successfully configured Apache DS with my CQ 5.4 instance. Now when a user (for example user1) is added in Apache DS, we are not able to see the newly created user in the users list when logged in as admin. This user (user1) only becomes available after user1 tries to log in for the first time with the credentials entered while creating the user in ApacheDS. So we need to ask business users (user1) to log in and log out, and then the administrator can give permissions to user1.

My doubt is: is there any way to automate this process, so that when user1 logs in for the first time it will already have the necessary permissions and we do not need to ask the user to log in and log out?

Kindly advise!

Sam

6 replies

Ojjis
Level 7
October 16, 2015

Hello,
good points from Justin there.

What you would do is create the user groups in the LDAP corresponding to the groups in CQ. E.g. have a group in the LDAP that is named "supergroup". Then when the first user belonging to that group logs into CQ, that group will also be created in CQ. Set the right permissions on that group and the rest of the people logging in with that group as their group will get the right permissions. Always try to set permissions at group level and not on a single user.

It should be possible, AFAIK, to create that specific group in advance and already set the correct permissions, so that every user, even if it is the first one, that logs in with that group will be added to it and automatically receive the right permissions.

/Johan

JustinEd3 (Adobe Employee), Accepted solution
October 16, 2015

Hi Sam,

I think there's something wrong in your usage of LDAP. It shouldn't be necessary for an admin to log in and grant permissions to each user. Rather these permissions should be assigned via an LDAP group.

CQ 5.4 is now 3 years old. You really should look at upgrading soon.

Justin

Adobe Employee
October 16, 2015

Well said Johan.

joerghoh
Adobe Employee
October 16, 2015

Sam,

for recent versions of AEM a sync of all users to AEM is possible and is described in the documentation [1]; in CQ 5.4 (which is indeed quite old) the option to import all users from LDAP already existed, IIRC in the CRX Explorer (http://localhost:4502/crx/explorer/index.jsp).

[1] http://dev.day.com/docs/en/cq/current/core/administering/ldap_authentication.html#LDAP%20User%20Synchronization%20and%20Purging

Level 6
October 16, 2015

Hello Justin,

Thank you for your help. I did not understand what could be the issue with the LDAP setup. I've attached a screenshot here of my new LDAP user. Could you please explain a bit?

I have the following entry in ldap_login.conf:

com.day.crx {
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
      principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
      host="localhost"
      port="10389"
      secure="false"
      authDn="uid=admin,ou=system"
      authPw="secret"
      userRoot="ou=users,ou=system"
      userIdAttribute="userid"
      userFilter="(objectClass=*)"
      groupRoot="ou=groups, o=example"
      groupMembershipAttribute="uniquemember"
      autocreate="create"
      autocreate.user.membership="contributor"
      autocreate.user.mail="rep:e-mail"
      autocreate.user.cn="rep:fullname"
      autocreate.group.description="description"
      autocreate.group.mail="rep:e-mail"
      autocreate.group.cn="rep:fullname"
      autocreate.path="direct"
      cache.expiration="600"
      cache.maxsize="100";
};

I've followed this, and as per the explanation in the section "Validate CQ-ApacheDS integration", it describes the same behaviour that I am trying to automate.

Kindly let me know if I'm missing something.

Sam
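Added example (not code from this thread, from Adobe, or from ApacheDS): a small Python script that parses the ldap_login.conf block Sam posted, lints the settings a security reviewer would question before this config leaves a test box, and simulates the first-login autocreate behaviour Johan describes (the user is looked up under userRoot, and every group under groupRoot that lists the user's DN in groupMembershipAttribute becomes a CQ group the user is added to). LDAP_LOGIN_CONF is an abridged, re-typed copy of the posted config, SAMPLE_LDIF is constructed directory data, and the membership logic is an approximation of the module's documented behaviour written for this example; userFilter is not evaluated.

```python
# Added example: JAAS config lint + first-login group simulation for the thread
# above. Not Adobe's code; LDAP_LOGIN_CONF is re-typed from the post and
# SAMPLE_LDIF is constructed so the script runs offline.
import re

LDAP_LOGIN_CONF = r'''
com.day.crx {
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
      host="localhost"
      port="10389"
      secure="false"
      authDn="uid=admin,ou=system"
      authPw="secret"
      userRoot="ou=users,ou=system"
      userIdAttribute="userid"
      userFilter="(objectClass=*)"
      groupRoot="ou=groups, o=example"
      groupMembershipAttribute="uniquemember"
      autocreate="create"
      autocreate.user.membership="contributor";
};
'''

# Constructed directory: one user under userRoot, two groups under groupRoot;
# only "supergroup" lists user1 as uniqueMember.
SAMPLE_LDIF = """
dn: uid=user1,ou=users,ou=system
objectClass: inetOrgPerson
uid: user1

dn: cn=supergroup,ou=groups,o=example
objectClass: groupOfUniqueNames
cn: supergroup
uniqueMember: uid=user1,ou=users,ou=system

dn: cn=editors,ou=groups,o=example
objectClass: groupOfUniqueNames
cn: editors
uniqueMember: uid=user2,ou=users,ou=system
"""

# The core schema declares 'userid' as an alternate name of 'uid', so the
# posted userIdAttribute="userid" reads the uid attribute.
ATTR_ALIASES = {"userid": "uid"}


def parse_jaas(text, module="com.day.crx.security.ldap.LDAPLoginModule"):
    """Return the key="value" options of one login module as a dict."""
    m = re.search(re.escape(module) + r"\s+\w+\s+(.*?);", text, re.S)
    if not m:
        raise ValueError("login module not found: " + module)
    return dict(re.findall(r'([\w.]+)\s*=\s*"([^"]*)"', m.group(1)))


def lint(opts):
    """Settings a reviewer would flag before this config goes beyond a test box."""
    out = []
    if opts.get("secure", "false").lower() != "true":
        out.append("secure=false: bind and user passwords cross the wire in clear text")
    if opts.get("userFilter") == "(objectClass=*)":
        out.append("userFilter=(objectClass=*): every entry under userRoot may log in")
    if opts.get("authDn", "").lower() == "uid=admin,ou=system":
        out.append("authDn is ApacheDS's built-in admin account; use a read-only bind user")
    return out


def parse_ldif(text):
    """Minimal LDIF reader (no base64, no continuation lines): [(dn, {attr: [v]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        entries.append((dn, attrs))
    return entries


def norm_dn(dn):
    """Normalise a DN for comparison (the posted groupRoot has a space after the comma)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def under(dn, root):
    return norm_dn(dn).endswith("," + norm_dn(root))


def first_login_groups(opts, entries, user_id):
    """Simulate autocreate on first login: the user's DN, the LDAP groups CQ would
    create and add the user to, and the fixed autocreate.user.membership group.
    Returns None when no entry under userRoot carries the user id."""
    attr = opts["userIdAttribute"].lower()
    attr = ATTR_ALIASES.get(attr, attr)
    users = [dn for dn, a in entries
             if under(dn, opts["userRoot"]) and user_id in a.get(attr, [])]
    if not users:
        return None
    user_dn = norm_dn(users[0])
    member_attr = opts["groupMembershipAttribute"].lower()
    ldap_groups = sorted(
        a["cn"][0] for dn, a in entries
        if under(dn, opts["groupRoot"])
        and user_dn in (norm_dn(m) for m in a.get(member_attr, [])))
    return {"user_dn": users[0], "ldap_groups": ldap_groups,
            "default_membership": opts.get("autocreate.user.membership")}
```

Running `first_login_groups(parse_jaas(LDAP_LOGIN_CONF), parse_ldif(SAMPLE_LDIF), "user1")` returns "supergroup" as the only LDAP group plus "contributor" as the default membership, which is the point of Johan's advice: if "supergroup" already exists in CQ with its ACLs set, user1 inherits them on the very first login without any admin step. The lint findings (clear-text binds, a catch-all userFilter, and binding as the ApacheDS directory administrator) are what a reviewer would want fixed before the same config is pointed at a production directory.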

Level 6
October 16, 2015

Thank you all for your help... now my doubt is clear.