LDAP Sync Callback | Community
Skip to main content
A
Anonymous
October 16, 2015
Solved

LDAP Sync Callback

  • October 16, 2015
  • 7 replies
  • 1359 views

I am using CQ 6.1, and trying to implement LDAP login for users. I also want some extra logic during sync that will place users into certain groups based on certain parameter.
The thing I found was Callbacks on this page: http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/ldap_authentication.html

Since this is old documentation, and LDAP is not set like this I do not know how to use this, and this is just what I need. In newer documentation how I actually set the ldap (http://docs.adobe.com/docs/en/aem/6-0/administer/security/ldap-config.html) callbacks are not mentioned.

Is there some other way I can do this, and how?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by gopalKa

Hi Please refer to the org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider(http://grepcode.com/file/repo1.maven.org/maven2/org.apache.jackrabbit/oak-auth-ldap/0.17.1/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java) .  Over all though, please refer to http://jackrabbit.apache.org/oak/docs/security/authentication.html for better understanding. When you write a external login module,the synchandler is wht syncs the attributes. Please refer to org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler for synchandler. The key is the getName() in this should return the unique id of the class. http://jackrabbit.apache.org/oak/docs/security/authentication/usersync.html describes how to do this. This name has to be configured in the ExternalLoginModule configuration in osgi at sync.handlerName property. Please let me know if this helps.

7 replies

G
Adobe Employee
gopalKaAdobe Employee
Adobe Employee
October 16, 2015

Please refer to http://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html and http://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html. Please let me know if this is not helpful.

A
Anonymous
October 16, 2015

No this is not clear. I have configured the same parameters on osgi (see image), and the LDAP is working. But it does not mention callbacks or something that I would need to implement.

It mentions writing custom handler or manager, but this seems like an overkill since my LDAP is working already. 
I was thinking maybe extending the existing one, but I cannot find anything mentioning what methods to override or how to really implement this.

G
Adobe Employee
gopalKaAdobe EmployeeAccepted solution
Adobe Employee
October 16, 2015

Hi Please refer to the org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider(http://grepcode.com/file/repo1.maven.org/maven2/org.apache.jackrabbit/oak-auth-ldap/0.17.1/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java) .  Over all though, please refer to http://jackrabbit.apache.org/oak/docs/security/authentication.html for better understanding. When you write a external login module,the synchandler is wht syncs the attributes. Please refer to org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler for synchandler. The key is the getName() in this should return the unique id of the class. http://jackrabbit.apache.org/oak/docs/security/authentication/usersync.html describes how to do this. This name has to be configured in the ExternalLoginModule configuration in osgi at sync.handlerName property. Please let me know if this helps.

A
Anonymous
October 16, 2015

No, rewriting the whole Ldap login manager is not an option since it is working.

Finally I have solved the issued by placing an event listener to the /home/users node where users are created, and then a check action if the parameters match, and adding the user to correct group it they match it.

This works, but those callbacks seemed a lot better than implementing this that way.

Lokesh_Shivalingaiah
Lokesh_Shivalingaiah
Level 10
October 16, 2015

Hi,

In AEM 6, LDAP support comes with a new implementation that requires a different type of configuration than with previous versions.

Please raise a support ticket on the same, so that the team will let you know alternative if exists else they can look at the options.

G
Adobe Employee
gopalKaAdobe Employee
Adobe Employee
October 16, 2015

Synchandler would do the same. Please post the snippet of what you trying to accomplish with a listener. Let me try.

A
Anonymous
October 16, 2015

I have a basin event listener that does the job

private LdapUserChangeEventListener observer; private Session session; private ObservationManager om; @Reference private SlingRepository repository; private void runNodeObserver() { try { this.session = this.repository.loginAdministrative(null); this.om = this.session.getWorkspace().getObservationManager(); LOG.debug("Adding event listener"); this.observer = new LdapUserChangeEventListener(this.roleMappings, this.repository); this.om.addEventListener(this.observer, Event.PROPERTY_CHANGED | Event.PROPERTY_ADDED, "/home/users", true, null, null, false); } catch (Exception e) { LOG.error(e.getMessage(), e); } } private void closeNodeObserver() { try { LOG.debug("Closing event listener"); this.om.removeEventListener(this.observer); } catch (Exception e) { LOG.error(e.getMessage(), e); } finally { if (this.session != null) { this.session.logout(); this.session = null; } } }
Terms & ConditionsAccessibility statement

Loading footer...