Adobe Experience Manager Sites & More

ganeshboggavara · 4/2/19

Hi Guys,

I'm trying to Sync groups and Users from Active Directory to AEM Environment using AEM LDAP (Identity Provider , Sync Handler , External Login Module)

The Connection and Bind seems successful but the groups don't Sync, I see from logs that the messages that transfer between AD and AEM are empty messages as below even though there are several groups in the AD

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue Control value : 0x30 0x84 0x00 0x00 0x00 0x05 0x02 0x01 0x00 0x04 0x00

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.asn1.ber.Asn1Decoder <<<------------------------------------------

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.asn1.ber.Asn1Decoder <-- Stop decoding : TLV[ 0x04, 11, DATA[0x30 0x84 0x00 0x00 0x00 0x05 0x02 0x01 0x00 0x04 0x00 ]]

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.asn1.ber.Asn1Decoder <<<==========================================

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.CODEC_LOG Decoded LdapMessage : MessageType : SEARCH_RESULT_DONE

Message ID : 3

Search Result Done

Ldap Result

Result code : (SUCCESS) success

Matched Dn : ''

Diagnostic message : ''

Paged Search Control

oid : 1.2.840.113556.1.4.319

critical : false

size : '0'

cookie : ''

Paged Search Control

oid : 1.2.840.113556.1.4.319

critical : false

size : '0'

cookie : ''

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.ldap.client.api.LdapNetworkConnection -------> MessageType : SEARCH_RESULT_DONE

Message ID : 3

Search Result Done

Ldap Result

Result code : (SUCCESS) success

Matched Dn : ''

Diagnostic message : ''

Paged Search Control

oid : 1.2.840.113556.1.4.319

critical : false

size : '0'

cookie : ''

Paged Search Control

oid : 1.2.840.113556.1.4.319

critical : false

size : '0'

cookie : ''

Message received <-------

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.ldap.client.api.LdapNetworkConnection Getting <3, org.apache.directory.ldap.client.api.future.SearchFuture>

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.ldap.client.api.LdapNetworkConnection Search successful : MessageType : SEARCH_RESULT_DONE

Message ID : 3

Search Result Done

Ldap Result

Result code : (SUCCESS) success

Matched Dn : ''

Diagnostic message : ''

Paged Search Control

oid : 1.2.840.113556.1.4.319

critical : false

size : '0'

cookie : ''

Paged Search Control

oid : 1.2.840.113556.1.4.319

critical : false

size : '0'

cookie : ''

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.ldap.client.api.LdapNetworkConnection Removing <3, org.apache.directory.ldap.client.api.future.SearchFuture>

Here is the LDAP Identity Provider Config I gave

User base DN CN=AgCoVPNExt,OU=MA2-SOX,OU=Groups,DC=phibred,DC=com (also tried with OU=MA2-SOX,OU=Groups,DC=phibred,DC=com)

User object classes user

User id attribute CN

Group base DN OU=MA2-SOX,OU=Groups,DC=phibred,DC=com

Group object classes group

Group name attribute CN

Can someone help with these questions

1. Why don't I see the Groups Sync from AD to AEM?

2. Can we Invoke Groups from JMX just like we Invoke syncAllExternalUsers() in JMX

3.Does AEM LDAP Sync groups at all?

Thanks,

Ganesh Bogga

Jaideep_Brar · 4/2/19

You are probably missing one of the sync config. Check [1] for more details and answers to your questions.

[1] Configuring LDAP with AEM 6

Vish_dhaliwal · 4/3/19

Hello,

Check the "User membership nesting depth" in the "Apache Jackrabbit Oak Default Sync Handler" config. Change it to 1 (or greater integer).

Answers:

1. Make sure your group Base DN is correct.

2. No

3. No, When ldap user will try to login to AEM, it will automatically sync ldap groups which user is a part of.

For example,

You have 3 users,

UI

U2

U3

5 groups:

G1 - U1, U2

G2 - U3

G3 - U1

G4

G5

Now, when U1 will login to AEM, groups G1 and G3 will be synced automatically.

ganeshboggavara · 4/3/19

Hi Vish,

Thanks a lot for the reply, I tried logging in with one of the user synced to AEM, I can see the user in useradmin but I could not login with that username and password (that i already know of that user from AD)

Does LDAP Authenticate user credentials(username and password) from AD dynamically? or Do we need to create a password after the user is synced to AEM?

Appreciate your response

Vish_dhaliwal · 4/3/19

Hello Ganesh,

If this user is indeed an LDAP user (check the pre:principalName and externalId property), then the password defined in AD should work.

Do you see any error in browser or aem logs? Can you try to update the password in aem and see if that works?

Regards,

Vishu

ganeshboggavara · 4/3/19

Yes It says bad password entry, This is what I see in logs when I login with zf3693, Am I missing a certificate or some LDAP config to validate password with AD?

Message ID : 4

Search Result Done

Ldap Result

Result code : (SUCCESS) success

Matched Dn : ''

Diagnostic message : ''

03.04.2019 14:15:57.226 *DEBUG* [NioProcessor-5] org.apache.directory.ldap.client.api.LdapNetworkConnection -------> MessageType : SEARCH_RESULT_ENTRY

Message ID : 4

Search Result Entry

Entry

dn: CN=zf3693,OU=US,OU=xxxxx,OU=Clients,DC=xxxx,DC=com

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: user

proxyAddresses: smtp:zf3693@xxx.mail.xxxx.com

proxyAddresses: smtp:zf3693@xxxx.com

proxyAddresses: SMTP:xxx.xxx@xxxx.com

PHICA-S20: <root created="2018.11.19 19:44:23:375" updated="2018.11.19 19:44:23:375">

</profiles>

</settings>

......

.

/root>

badPwdCount: 1

countryCode: 0

houseIdentifier: JH36

ont-validobject: Y

givenName: xxxxx

objectSid: 0x01 0x05 0x00 0x00 0x00 0x00 0x00 0x05 0x15 0x00 0x00 0x00 0x40 0x4E 0x96 0x87 ...

userAccountControl: 512

accountNameHistory: DDNET1\zf3693

mailNickname: zf3693

ont-badlogincount: 0

extensionAttribute13: MA Create

badPasswordTime: 131987896731664770

Thanks

ganeshboggavara · 4/3/19

Yes, If I change password, it works, but the groups are not getting synced

Prince_Shivhare · 4/3/19

could you please go with this article and let us know if any issues you face.

AEM Developer Blog: INTEGRATE AEM WITH LDAP

~ Prince

ganeshboggavara · 4/4/19

I'm getting a Sync Handler Error , It says rep:lastSynced is not set, Can you let me know what do I map it to?

04.04.2019 10:52:23.893 *DEBUG* [qtp1038288387-349] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider authenticate(vw9684) (connect=4.94ms, bind=228.57ms)

04.04.2019 10:52:23.893 *DEBUG* [qtp1038288387-349] org.apache.jackrabbit.oak.security.authentication.ldap.impl.PoolableUnboundConnectionFactory passivate connection: org.apache.jackrabbit.oak.security.authentication.ldap.impl.PoolableUnboundConnectionFactory$TlsGuardingConnection@5f2ca64d

04.04.2019 10:52:23.894 *DEBUG* [qtp1038288387-349] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext Properties of user 'vw9684' need sync. rep:lastSynced not set.

04.04.2019 10:52:23.894 *DEBUG* [qtp1038288387-349] org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule SyncHandler phibredsync throws sync exception for 'vw9684'

org.apache.jackrabbit.oak.spi.security.authentication.external.SyncException: javax.jcr.nodetype.ConstraintViolationException: Attempt to set an protected property rep:principalName

at org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext.sync(DefaultSyncContext.java:266)

at org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule.syncUser(ExternalLoginModule.java:355)

at org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule.login(ExternalLoginModule.java:234)

Thanks,

Ganesh

smacdonald2008 · 4/4/19

See the AEM LDAP article we have. It shows all steps - using Apache DS as an example -- Adobe Experience Manager Help | Configuring Adobe Experience Manager 6.4 to use Apache Directory Ser...

ganeshboggavara · 4/11/19

Thanks for the help Vish.dhaliwal smacdonald2008, I am able to sync Users and Groups in to AEM when the users and groups are present in the same base DN's

but when the Users are in one DN and the groups are in different DN and the users are added as members of the groups, I get the Users synced but not the groups, Here is the config I have

User base DN : OU=US,OU=CompanyName,OU=Clients,DC=--------,DC=com

User object classes : person , top , user , organizationalPerson

User id attribute : CN

User extra filter : (|(memberOf=CN=AEM-US-NA-Author,OU=Groups,OU=USA,DC=----,DC=com)(memberOf=CN=AEM-US-NA-publisher,OU=Groups,OU=USA,DC=----,DC=com)(memberOf=CN=AEM-US-NA-Reviewer,OU=Groups,OU=USA,DC=----,DC=com))

Group base DN : OU=Groups,OU=USA,DC=------,DC=com

Group object classes : top , group

Group name attribute : CN

Group extra filter :

Let me know if any insights in this, Also

Is there a way to Debug the Group Sync?, I don't see anything related to group sync issues in the Logs

Thanks, Appreciate your help!

ganeshboggavara · 5/3/19

Hi,

Figured it out , the way group Sync works is based on the lastSync property that AEM pulls from LDAP , In my case I had configured the lastSync property in User Property Mapping by mapping it to lastLogged which made the lastSync to overeride

This made AEM think that Group has been synced just now and it never really synced , When I removed lastSynced User Property mapping in my LDAP IdentityProvider , Group Sync happened with no issues

Thanks,

Ganesh

Adobe Experience Manager Sites & More

ActiveDirectory Group Sync Issue using AEM LDAP

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe