LDAP Sync Callback | Community
October 16, 2015
Solved

  • 7 replies
  • 1359 views
I am using CQ 6.1 and trying to implement LDAP login for users. I also want some extra logic during sync that will place users into certain groups based on certain parameters.
The thing I found was Callbacks on this page: http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/ldap_authentication.html

Since this is old documentation, and LDAP is not set up like this, I do not know how to use this, and this is just what I need. In the newer documentation on how I actually set up LDAP (http://docs.adobe.com/docs/en/aem/6-0/administer/security/ldap-config.html), callbacks are not mentioned.

Is there some other way I can do this, and how?


7 replies

Adobe Employee
October 16, 2015

No, this is not clear. I have configured the same parameters in OSGi (see image), and the LDAP is working. But it does not mention callbacks or anything else that I would need to implement.

It mentions writing a custom handler or manager, but this seems like overkill since my LDAP is working already.
I was thinking of maybe extending the existing one, but I cannot find anything mentioning what methods to override or how to really implement this.

gopalKa, Adobe Employee (Accepted solution)
October 16, 2015

Hi, please refer to org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider (http://grepcode.com/file/repo1.maven.org/maven2/org.apache.jackrabbit/oak-auth-ldap/0.17.1/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java). Overall though, please refer to http://jackrabbit.apache.org/oak/docs/security/authentication.html for a better understanding. When you write an external login module, the SyncHandler is what syncs the attributes. Please refer to org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler for a SyncHandler. The key is that getName() in this should return the unique id of the class. http://jackrabbit.apache.org/oak/docs/security/authentication/usersync.html describes how to do this. This name has to be configured in the ExternalLoginModule configuration in OSGi at the sync.handlerName property. Please let me know if this helps.
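An added example (not code from the thread or from Oak) of the SyncHandler route described above: it delegates to Oak's DefaultSyncHandler and DefaultSyncContext for the normal sync, then adds the synced user to a repository group chosen from one LDAP attribute, so the group decision happens inside the login transaction rather than in an observation listener afterwards. It assumes the oak-auth-external API of Oak 1.2 as shipped with AEM 6.1 (DefaultSyncConfig, DefaultSyncContext and the DefaultSyncHandler(DefaultSyncConfig) constructor in the impl package; later Oak releases moved these classes to the basic package), Felix SCR annotations, and placeholder names for the class, the department attribute and the finance-users group.

```java
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.ValueFactory;
import org.apache.felix.scr.annotations.*;
import org.apache.jackrabbit.api.security.user.*;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authentication.external.*;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.*;

// Runs Oak's default sync unchanged, then maps one LDAP attribute to a repository group.
// Names below (class, attribute, group) are placeholders for this example.
@Component(metatype = true) @Service(SyncHandler.class)
public class GroupMappingSyncHandler implements SyncHandler {
    private static final String ATTR = "department";
    private static final Map<String, String> GROUPS = Collections.singletonMap("finance", "finance-users");
    private DefaultSyncConfig config;
    private DefaultSyncHandler delegate;

    @Activate protected void activate(Map<String, Object> properties) {
        // Same OSGi properties as the default handler; handler.name becomes getName()
        config = DefaultSyncConfig.of(ConfigurationParameters.of(properties));
        delegate = new DefaultSyncHandler(config);
    }
    public String getName() { return config.getName(); } // set sync.handlerName to this value
    public SyncedIdentity findIdentity(UserManager um, String id) throws RepositoryException { return delegate.findIdentity(um, id); }
    public boolean requiresSync(SyncedIdentity id) { return delegate.requiresSync(id); }
    public Iterator<SyncedIdentity> listIdentities(UserManager um) throws RepositoryException { return delegate.listIdentities(um); }
    public SyncContext createContext(ExternalIdentityProvider idp, final UserManager um, ValueFactory vf) {
        return new DefaultSyncContext(config, idp, um, vf) {
            @Override
            public SyncResult sync(ExternalIdentity identity) throws SyncException {
                SyncResult result = super.sync(identity); // default attribute and group sync first
                if (identity instanceof ExternalUser) {
                    try { applyMapping((ExternalUser) identity, um); }
                    catch (RepositoryException e) { throw new SyncException("group mapping failed", e); }
                }
                return result; // the login module commits these changes together with the sync
            }
        };
    }
    static void applyMapping(ExternalUser user, UserManager um) throws RepositoryException {
        Object value = user.getProperties().get(ATTR);      // attribute as delivered by the LDAP IDP
        String groupId = (value == null) ? null : GROUPS.get(value.toString());
        Authorizable a = um.getAuthorizable(user.getId());
        if (groupId == null || a == null || a.isGroup()) return;
        Authorizable g = um.getAuthorizable(groupId);
        if (g != null && g.isGroup()) ((Group) g).addMember(a); // no-op for existing members
    }
}
```

Keep the mapping table to low-privilege groups: an attribute the directory lets users or helpdesk staff edit should never be able to grant membership in administrators or other privileged groups.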

October 16, 2015

No, rewriting the whole LDAP login manager is not an option since it is working.

Finally I have solved the issue by placing an event listener on the /home/users node where users are created, then a check action to see if the parameters match, and adding the user to the correct group if they match.

This works, but those callbacks seemed a lot better than implementing it that way.

Lokesh_Shivalingaiah
Level 10
October 16, 2015

Hi,

In AEM 6, LDAP support comes with a new implementation that requires a different type of configuration than with previous versions.

Please raise a support ticket on the same, so that the team can let you know of an alternative if one exists; else they can look at the options.

Adobe Employee
October 16, 2015

SyncHandler would do the same. Please post the snippet of what you are trying to accomplish with a listener. Let me try.

October 16, 2015

I have a basic event listener that does the job

```java
import javax.jcr.Session;
import javax.jcr.observation.Event;
import javax.jcr.observation.ObservationManager;
import org.apache.felix.scr.annotations.Reference;
import org.apache.sling.jcr.api.SlingRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Fields of the OSGi service that owns the listener. roleMappings and
// LdapUserChangeEventListener are defined elsewhere in the poster's code.
private static final Logger LOG = LoggerFactory.getLogger(getClass());
private LdapUserChangeEventListener observer;
private Session session;
private ObservationManager om;

@Reference
private SlingRepository repository;

private void runNodeObserver() {
    try {
        // loginAdministrative is deprecated as of AEM 6.1; a service user (loginService) is the replacement
        this.session = this.repository.loginAdministrative(null);
        this.om = this.session.getWorkspace().getObservationManager();
        LOG.debug("Adding event listener");
        this.observer = new LdapUserChangeEventListener(this.roleMappings, this.repository);
        // Property added/changed events below /home/users (deep), no uuid or node type filter,
        // noLocal=false so changes made through this session are delivered too
        this.om.addEventListener(this.observer, Event.PROPERTY_CHANGED | Event.PROPERTY_ADDED,
                "/home/users", true, null, null, false);
    } catch (Exception e) {
        LOG.error(e.getMessage(), e);
    }
}

private void closeNodeObserver() {
    try {
        LOG.debug("Closing event listener");
        this.om.removeEventListener(this.observer);
    } catch (Exception e) {
        LOG.error(e.getMessage(), e);
    } finally {
        // The listener session stays open for the service's lifetime; release it on deactivation
        if (this.session != null) {
            this.session.logout();
            this.session = null;
        }
    }
}
```