
SOLVED

active directory group sync


Level 2

Greetings All,

We have about 20,000 users and want to sync and continue to maintain a department as a subset of this group of users in AEM as a group. Is this possible using an Active Directory group via LDAP?

I have explored doing this by the following without success:

  • adding the group via /useradmin
  • adding the group via /crx/explorer group administration
  • tried the sync user function in JMX console

Thanks in advance,

Shaun

1 Accepted Solution


Correct answer by
Employee Advisor

Hm, so probably my comment has been deleted ...

1) Normally users are only synced on demand, when they log in. When you want to import all available users, the (IIRC still) documented way is to go to the CRX Explorer and use the import function there (http://localhost:4502/crx/explorer/index.jsp). I don't have a configured LDAP here, so I cannot tell you the details.

2) There you will also find the interface to sync all users and delete them if they are no longer available in the LDAP.

Please also check if there are any JMX Beans available to do this job (http://localhost:4502/system/console/jmx). If not, please report this as an issue; the CRX Explorer is discouraged, but at least for all of its functionality there should be a supported equivalent.

Jörg


3 Replies


Level 2

Hi,

Someone posted a reply about filters and then deleted their comment. Thanks so much for mentioning it. Your advice was super helpful and got our team a step closer to resolution.

The details of the problem: it looks like the problem was with my groupFilter configuration, which filters out some of the groups. Two new problems have arisen:

  1. Users are only added to a group when they are synced via the JMX console or when they log in for the first time. Existing users who are members are not being added. Do you know why?
  2. When a user is deleted in Active Directory/LDAP, the user is not deleted from the group existing in CQ. Any ideas?

Thanks!!!

Here's our ldap_login.conf file.

    com.day.crx {
        com.day.crx.core.CRXLoginModule sufficient;
        com.day.crx.security.ldap.LDAPLoginModule required
            principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
            /** trust_credentials_attribute="TrustedInfo" */
            host="ldap.prod.server.org"
            port="389"
            authDn="CN=ldap_read Application Account,OU=Application,OU=User Accounts,DC=prod,DC=server,DC=org"
            authPw="secret"
            secure="false"
            userRoot="OU=User Accounts,DC=prod,DC=server,DC=org"
            userFilter="(objectclass=organizationalPerson)"
            userIdAttribute="sAMAccountName"
            groupRoot="OU=Corporate,OU=Groups,DC=prod,DC=server,DC=org"
            groupFilter="(&(objectclass=group)(cn=wcm*))"
            groupMembershipAttribute="member"
            groupNameAttribute="cn"
            deny_anonymous_access="true"
            autocreate="create"
            autocreate.syncdelay="0"
            autocreate.user.mail="profile/email"
            autocreate.user.cn="profile/fullname"
            autocreate.user.sn="profile/familyName"
            autocreate.group.cn="profile/fullname"
            autocreate.group.mail="profile/email"
            autocreate.group.givenName="profile/givenName"
            autocreate.group.sn="profile/familyName"
            autocreate.path="splitdn"
            cache.expiration="86400"
            cache.maxsize="1000";
    };
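The groupFilter in the configuration above, `(&(objectclass=group)(cn=wcm*))`, only admits groups whose cn starts with "wcm", which is the usual reason some groups never appear in the sync. The script below is an added example for this thread, not code from the poster or from AEM: it pulls the key="value" options out of an ldap_login.conf entry (skipping the `/** */` comment), evaluates the groupFilter against a few constructed AD group entries with a small RFC 4515 subset evaluator written here, and flags the `secure="false"` transport setting and the cleartext bind password that a reviewer would raise. The sample config and group entries are constructed; the evaluator is not AEM's own filter implementation.

```python
"""Check an AEM/CRX ldap_login.conf LDAPLoginModule entry: extract its
options, see which sample groups the groupFilter would select, and flag
weak transport settings. Constructed example; not AEM code."""
import re

# Constructed: a trimmed copy of the poster's LDAPLoginModule options
# (the "secret" placeholder for authPw is kept as posted).
SAMPLE_CONF = '''
com.day.crx {
    com.day.crx.core.CRXLoginModule sufficient;
    com.day.crx.security.ldap.LDAPLoginModule required
        /** trust_credentials_attribute="TrustedInfo" */
        host="ldap.prod.server.org" port="389" secure="false"
        authDn="CN=ldap_read Application Account,OU=Application,OU=User Accounts,DC=prod,DC=server,DC=org"
        authPw="secret"
        groupRoot="OU=Corporate,OU=Groups,DC=prod,DC=server,DC=org"
        groupFilter="(&(objectclass=group)(cn=wcm*))"
        groupMembershipAttribute="member" groupNameAttribute="cn";
};
'''

# Constructed AD group entries, attribute name -> list of values.
SAMPLE_GROUPS = [
    {"objectClass": ["top", "group"], "cn": ["wcm-authors"]},
    {"objectClass": ["top", "group"], "cn": ["WCM-Admins"]},
    {"objectClass": ["top", "group"], "cn": ["marketing-dept"]},
    {"objectClass": ["top", "organizationalUnit"], "cn": ["wcm-archive"]},
]


def parse_jaas_options(conf_text):
    """Return the key="value" options of the entry, ignoring /** ... */ comments."""
    stripped = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)
    return dict(re.findall(r'([\w.]+)="([^"]*)"', stripped))


def parse_filter(text):
    """Parse an LDAP filter (RFC 4515 subset: &, |, !, equality with * wildcards)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":  # AND / OR over child filters
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            pos += 1  # consume closing ')'
            return (op, kids)
        if op == "!":  # NOT over one child filter
            pos += 1
            kid = node()
            pos += 1
            return ("!", [kid])
        end = text.index(")", pos)  # simple "attr=value" item
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry; names and values compare
    case-insensitively, as AD does for cn and objectClass."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    values = [v for a, vs in entry.items() if a.lower() == attr for v in vs]
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.I) for v in values)


def groups_selected(conf_text, groups):
    """Names of the sample groups that the configured groupFilter would sync."""
    opts = parse_jaas_options(conf_text)
    tree = parse_filter(opts["groupFilter"])
    return [g[opts["groupNameAttribute"]][0] for g in groups if matches(tree, g)]


def audit_transport(conf_text):
    """Findings about how the bind credentials and directory data travel."""
    opts = parse_jaas_options(conf_text)
    findings = []
    if opts.get("secure", "false").lower() != "true":
        findings.append("secure=false: bind DN, authPw and all user/group data cross "
                        "the network unencrypted on port %s; use LDAPS and set "
                        "secure=true" % opts.get("port", "389"))
    if "authPw" in opts:
        findings.append("authPw is a cleartext literal in ldap_login.conf: restrict "
                        "file permissions and keep the bind account read-only")
    return findings


if __name__ == "__main__":
    print("groups the filter would sync:", groups_selected(SAMPLE_CONF, SAMPLE_GROUPS))
    for finding in audit_transport(SAMPLE_CONF):
        print("finding:", finding)
```

Running it against the constructed entries shows that only "wcm-authors" and "WCM-Admins" pass the filter, while "marketing-dept" (wrong cn prefix) and "wcm-archive" (not objectClass group) are dropped; swapping in your own group names is a quick way to confirm a filter before touching the live sync.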


Level 2

Thanks Jörg, I am looking into what might be required to create a Java bean that syncs groups similar to the way the JMX console does with users. The "syncuser" bean in the JMX console does not delete users if they were deleted from the AD/LDAP group, and I am looking into what is required to extend the functionality of the syncuser bean to do that. I have a ticket open with Adobe Daycare to attempt to address this issue and will post any progress or findings here.

Shaun