ldap_login.conf LDAPLoginModule question

Question

I'm running CQ 5.4 and successfully integrated with AD via LDAP with the following settings:

com.day.crx.core.CRXLoginModule sufficient;
com.day.crx.security.ldap.LDAPLoginModule required
userRoot="CN=ABC,OU=hello,DC=world"

As long as the user is a member of the ABC group, he can sign in and their user is then created in the CRX. If I then remove the user from ABC group, however, they can still login. I understand that CRXLoginModule is set to sufficient, but I thought LDAPLoginModule takes precedence due to "required" setting. Of course, once I delete the user in the CRX, the user can no longer login.

Is this normal behavior, or should a user not be able to login?

Thanks.

leoberliant · Accepted Answer

Yes it’s expected. An LDAP user should be able to login during a time specified in ldap config file as cache.expiration. After a cache expiration it will fail to login.

A good practice is to force an LDAP Synchronization through /crx/config/index.jsp

rakesh2k78 · Answer

Hi ICQuestions,Just to elaborate more on the following two entries in JAAS config filecom.day.crx.core.CRXLoginModule sufficient;com.day.crx.security.ldap.LDAPLoginModule requiredsufficient - If the CRXLoginModule succeeds then the overall login succeeds, and control returns to the application. If the login fails then it continues to execute the other login modules in the list which is LDAPLoginModule.Now suppose user is not present in CRX then LDAPLoginModule will be asked to authenticate the user directly from LDAP.Since LDAPLoginModule is given a flag "required" which means -LDAPLoginModule  must authenticate the user. But if it fails, the authentication nonetheless continues with the other login modules in the list (if any) and there is none other, so it fails globally.Suppose now LDAPLoginModule is successfully able to authenticate the user from LDAP then it will sync it back to CRX if configured that way in JAAS config file.Apart from this a cache of successful logins is maintained whose size and duration is configured by1.cache.expiration (this controls how long successful logins stays in cache) WeakHashMap and LRUMap based implementation under the hood.2. cache.maxsize(how many)Now considering your case where you have deleted the user from CRX, CRXLoginModule will fail this time and the LDAPLoginModule will authenticate the user either directly from "cache" or from LDAP iself.consider providing "optional" flag to CRXLoginModule and make the cache.expiration as 1(second).Then try to login again after deleting user from CRX. you will see login will succeed, as now onwards LDAPLoginModule is consulted every time irrespective of what.So you should be able to authenticate with your current settings even if you deleted the user from CRX.Hope this is helpful.Thanks,Rakesh

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded