
SOLVED

ActiveDirectory custom attribute as a Group sync AEM LDAP


Level 1

Hello,


When I create a custom attribute “testattribute” in Active Directory and assign it to the group class.

Then in the Apache Jackrabbit Oak LDAP Identity Provider, I set Group object class = group, Group name attribute = testattribute, and Group member attribute = blank.

Then I sync using the JMX console.

But when I check useradmin, no group name is synced. My expectation is that the value in testattribute should be synced as the useradmin group name. I only see the default group everyone.


I think this happens because AEM LDAP could not check the membership of the user?
When I configure the standard Active Directory user/group sync shown below, users and groups are successfully synced. I think this is because Group member attribute = member lets AEM LDAP check whether the user belongs to the group.


Apache Jackrabbit Oak LDAP Identity Provider

User object classes = person organizationalPerson
User ID attribute = sAMAccountName
Group object classes = group
Group Name attribute = sAMAccountName
Group Member attribute = member

In Windows Active Directory, the member attribute of a group includes the user names that belong to that group.

I think AEM LDAP checks this member attribute, and only if the user name is found in member does AEM LDAP add the group name to the user in useradmin. This is my guess.


Anyway, my objective is to sync the custom attribute as the group name in useradmin.


I appreciate your support.


Regards, Mike

1 Accepted Solution


Correct answer by
Level 3

Hello @mikek8877 


Yes, you got it correct. Generally, in AEM, when a user sync happens and the user is part of a group, the group would be synced. You need to define the group member attribute. You can also put a debug-level logger on org.apache.jackrabbit.oak.security.authentication.ldap and check what queries are being fired by AEM at the LDAP server to investigate this further.


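To make the accepted answer concrete, here is a simplified model of how an LDAP identity provider resolves a user's groups: it finds group entries whose member attribute lists the user's DN, then reads the group name from the configured name attribute. This is added example code, not Oak's implementation; the directory entries, DNs, attribute values and the filter shape are constructed assumptions.

```python
"""Simplified model of LDAP group resolution during a user sync.

Constructed AD-like entries (hypothetical DNs and values); NOT Oak's code.
Shows why a blank Group Member attribute yields no synced groups even when
the custom Group Name attribute ('testattribute') is populated.
"""
from dataclasses import dataclass

# Constructed sample directory: one user and two groups.
DIRECTORY = [
    {"dn": "CN=mike,OU=Users,DC=example,DC=com",
     "objectClass": ["person", "organizationalPerson"], "sAMAccountName": ["mike"]},
    {"dn": "CN=Editors,OU=Groups,DC=example,DC=com", "objectClass": ["group"],
     "sAMAccountName": ["Editors"], "testattribute": ["content-editors"],
     "member": ["CN=mike,OU=Users,DC=example,DC=com"]},
    {"dn": "CN=Admins,OU=Groups,DC=example,DC=com", "objectClass": ["group"],
     "sAMAccountName": ["Admins"], "testattribute": ["site-admins"],
     "member": ["CN=alice,OU=Users,DC=example,DC=com"]},
]


@dataclass
class GroupConfig:
    object_class: str = "group"
    name_attribute: str = "sAMAccountName"
    member_attribute: str = "member"  # blank = no membership lookup possible


def _has_value(entry, attr, value):
    # Attribute values and DNs are compared case-insensitively, as AD does.
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def declared_groups(user_id, cfg, directory=DIRECTORY):
    """Return names (from cfg.name_attribute) of groups whose member attribute
    lists the user's DN, mirroring a filter like (&(objectClass=group)(member=<userDN>))."""
    user = next((e for e in directory if _has_value(e, "sAMAccountName", user_id)), None)
    if user is None or not cfg.member_attribute:
        # No member attribute configured: nothing to match the user's DN
        # against, so the sync finds no groups for this user.
        return []
    groups = []
    for entry in directory:
        if not _has_value(entry, "objectClass", cfg.object_class):
            continue
        if _has_value(entry, cfg.member_attribute, user["dn"]):
            groups.extend(entry.get(cfg.name_attribute, []))
    return groups


if __name__ == "__main__":
    blank = GroupConfig(name_attribute="testattribute", member_attribute="")
    print("member attribute blank:", declared_groups("mike", blank))     # []
    fixed = GroupConfig(name_attribute="testattribute", member_attribute="member")
    print("member attribute = member:", declared_groups("mike", fixed))  # ['content-editors']
```

The second configuration is the combination the answer points to: keep Group Member attribute = member so membership can be resolved, and the custom attribute then supplies the group name.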

3 Replies



Level 1
Manising, thank you for your reply. Can we disable this AEM behavior, where AEM LDAP checks membership before adding a group? Or can we use another attribute such as groupOfNames instead of group?