How to Force synchronization of LDAP users with AEM 6 | Community
Level 2
October 16, 2015
Solved


When an individual user (not yet registered in CRX) attempts to log in, CRX authenticates against LDAP, and if authentication is successful, that user is synchronized with CRX. So, how to force synchronization of LDAP users with CRX so that rights can be assigned before the user first tries to log in?

This question is answered in this link for CRX 2.3. I have a similar issue and am unable to find any solution in AEM 6.0.0.SP2.

The solution mentioned in the above link doesn't work because AEM 6 doesn't have com.adobe.granite.ldap MBeans registered under the JMX Web Console.

What's the best way to solve this issue to force authorization of LDAP users with AEM? I want to add users to AEM [from LDAP] and at the same time wanna add them to pre-defined AEM Groups [without them being required to sign in to AEM].

Thanks,


13 replies

Adobe Employee
October 16, 2015
You will need LDAP configured on the server. Since in AEM 6, LDAP is in Oak, it is in a different place.
 
Search for name "External Identity Synchronization Management" in the JMX Console. Here you will find all the LDAP related operations.
 
The syncExternalUsers([Ljava.lang.String;p1) should provide the same functionality, to sync new users from LDAP.
 
 

 


Level 2
October 16, 2015

Thanks Kalyanar,

We followed AEM 6 Docs to configure and connect to LDAP. 

While clicking on "External Identity Synchronization Management" in the JMX console, it throws a 404. Not sure what's wrong.

HTTP ERROR: 404

Problem accessing /system/console/jmx/org.apache.jackrabbit.oak:handler%3d%22sync.corpAD%22%2cidp%3d%22corpAD%22%2cname%3dExternal%2bIdentity%2bSynchronization%2bManagement%2ctype%3dUserManagement. Reason:

Not Found

Is there any detailed documentation on how to enforce syncing of LDAP users in AEM?

Thanks,

Adobe Employee
October 16, 2015

Did you configure LDAP yet? I think it will work only after LDAP is configured.

Level 2
October 16, 2015

Yep, LDAP is already configured on the server. 

I can add an LDAP [Active Directory] user in AEM directly. The problem I am running into is that after the user is added in AEM, the new user needs to sign in to AEM [be authenticated] before we can add them to any AEM Groups.

It looks like AEM doesn't authenticate against a newly added user unless he/she logs into AEM. I want to force authentication/synchronization of LDAP users with AEM so appropriate user/group rights can be assigned within AEM before they try to log in.

Level 2
October 16, 2015

Yes that looks to be correct.

Is there any way to configure this within AEM? If not, then what's the best way to sync users whenever a user is added? [I am new to AEM development]. Also, the document indicates that it'll be an expensive call, so is there any way to optimize it?

Thanks,

Adobe Employee
October 16, 2015

LDAP can be configured to sync users on login. Since you wanted to add users before, you need either syncallusers or syncexternalusers. You need to send user ids as JSON, like:

["<dn>"]
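
As an added example (not code from the thread or from Adobe), the same syncExternalUsers operation can be invoked through the standard JMX API instead of the web console. The MBean type and name are taken from the 404 URL quoted earlier in the thread, with its "+" characters read as spaces; running inside the AEM JVM and the `<dn>` placeholder value are assumptions.

```java
import java.lang.management.ManagementFactory;
import java.util.Arrays;
import java.util.Set;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;

public class ForceLdapSync {
    // Type and name as they appear in the console URL from the thread; the
    // trailing ",*" matches any handler/idp keys (for example idp="corpAD").
    static final String PATTERN =
        "org.apache.jackrabbit.oak:type=UserManagement,"
        + "name=External Identity Synchronization Management,*";

    /** Calls syncExternalUsers on every matching MBean; returns how many were found. */
    static int syncUsers(MBeanServerConnection mbs, String[] externalIds) throws Exception {
        Set<ObjectName> beans = mbs.queryNames(new ObjectName(PATTERN), null);
        for (ObjectName bean : beans) {
            // String[].class.getName() is "[Ljava.lang.String;", the parameter type
            // in the console signature syncExternalUsers([Ljava.lang.String;p1).
            Object result = mbs.invoke(bean, "syncExternalUsers",
                new Object[] { externalIds },
                new String[] { String[].class.getName() });
            System.out.println(bean + " -> " + describe(result));
        }
        return beans.size();
    }

    /** Renders the operation result, which may be an array of per-user messages. */
    static String describe(Object result) {
        return result instanceof Object[]
            ? Arrays.toString((Object[]) result)
            : String.valueOf(result);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: this runs inside the AEM JVM, so the platform MBean server is
        // the one holding the Oak beans. From another process, pass a remote
        // MBeanServerConnection to syncUsers instead.
        MBeanServerConnection mbs = ManagementFactory.getPlatformMBeanServer();
        // "<dn>" is the placeholder from the thread; pass real ids as arguments.
        String[] ids = args.length > 0 ? args : new String[] { "<dn>" };
        if (syncUsers(mbs, ids) == 0) {
            // Same condition the 404 in the console points to: no such MBean.
            System.out.println("No synchronization MBean is registered in this JVM.");
        }
    }
}
```

A result of zero matching beans is the programmatic counterpart of the 404 above: the synchronization MBean is not registered, so the operation cannot be called until it is.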

Adobe Employee
October 16, 2015

The best performance optimization is to sync on demand (while logging in, as opposed to syncing once in a while).

Level 2
October 16, 2015

How can I sync on demand? Can you please provide some sample to do that?

Thanks,

gopalKa, Adobe Employee, Accepted solution
October 16, 2015

Sync on demand = sync while logging in. This is an available feature in the LDAP config.