ActiveDirectory Group Sync Issue using AEM LDAP

ganeshboggavara

02-04-2019

Hi Guys,

I'm trying to sync groups and users from Active Directory to an AEM environment using AEM LDAP (Identity Provider, Sync Handler, External Login Module).

The connection and bind seem successful, but the groups don't sync. I see from the logs that the messages exchanged between AD and AEM are empty, as below, even though there are several groups in AD:

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue Control value : 0x30 0x84 0x00 0x00 0x00 0x05 0x02 0x01 0x00 0x04 0x00

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.asn1.ber.Asn1Decoder <<<------------------------------------------

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.asn1.ber.Asn1Decoder <-- Stop decoding : TLV[ 0x04, 11, DATA[0x30 0x84 0x00 0x00 0x00 0x05 0x02 0x01 0x00 0x04 0x00 ]]

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.asn1.ber.Asn1Decoder <<<==========================================

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.CODEC_LOG Decoded LdapMessage : MessageType : SEARCH_RESULT_DONE

Message ID : 3

    Search Result Done

        Ldap Result

            Result code : (SUCCESS) success

            Matched Dn : ''

            Diagnostic message : ''

    Paged Search Control

        oid : 1.2.840.113556.1.4.319

        critical : false

        size   : '0'

        cookie   : ''

    Paged Search Control

        oid : 1.2.840.113556.1.4.319

        critical : false

        size   : '0'

        cookie   : ''

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.ldap.client.api.LdapNetworkConnection -------> MessageType : SEARCH_RESULT_DONE

Message ID : 3

    Search Result Done

        Ldap Result

            Result code : (SUCCESS) success

            Matched Dn : ''

            Diagnostic message : ''

    Paged Search Control

        oid : 1.2.840.113556.1.4.319

        critical : false

        size   : '0'

        cookie   : ''

    Paged Search Control

        oid : 1.2.840.113556.1.4.319

        critical : false

        size   : '0'

        cookie   : ''

Message received <-------

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.ldap.client.api.LdapNetworkConnection Getting <3, org.apache.directory.ldap.client.api.future.SearchFuture>

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.ldap.client.api.LdapNetworkConnection Search successful : MessageType : SEARCH_RESULT_DONE

Message ID : 3

    Search Result Done

        Ldap Result

            Result code : (SUCCESS) success

            Matched Dn : ''

            Diagnostic message : ''

    Paged Search Control

        oid : 1.2.840.113556.1.4.319

        critical : false

        size   : '0'

        cookie   : ''

    Paged Search Control

        oid : 1.2.840.113556.1.4.319

        critical : false

        size   : '0'

        cookie   : ''

02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.ldap.client.api.LdapNetworkConnection Removing <3, org.apache.directory.ldap.client.api.future.SearchFuture>

Here is the LDAP Identity Provider config I used:

User base DN                CN=AgCoVPNExt,OU=MA2-SOX,OU=Groups,DC=phibred,DC=com   (also tried with OU=MA2-SOX,OU=Groups,DC=phibred,DC=com)

User object classes      user

User id attribute            CN

Group base DN                OU=MA2-SOX,OU=Groups,DC=phibred,DC=com

Group object classes      group

Group name attribute      CN

Can someone help with these questions?

1. Why don't I see the groups sync from AD to AEM?

2. Can we invoke a sync of groups from JMX, just like we invoke syncAllExternalUsers() in JMX?

3. Does AEM LDAP sync groups at all?

Thanks,

Ganesh Bogga
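Reading the log excerpt above: the hex in the StoreControlValue line is the BER-encoded paged-results control that AD returned with the SEARCH_RESULT_DONE. The script below is an added example for this thread, not code from AEM, Oak or the poster. It decodes that control and tallies the decoded message types; on the posted lines it reports size 0, an empty cookie and zero SEARCH_RESULT_ENTRY messages before the SEARCH_RESULT_DONE, i.e. the bind and the search itself worked but nothing under the base DN matched the filter. The second sample log is constructed to show what a search that found two groups looks like.

```python
"""Decode the paged-results control value (OID 1.2.840.113556.1.4.319) from
the Apache Directory API debug log above and tally what the search returned.
Added example for this thread; not code from AEM, Oak or the poster."""
import re


def ber_length(buf: bytes, pos: int):
    """Return (length, position of first content byte) for the BER length at
    buf[pos]. AD uses the long form: 0x84 means 'four length octets follow',
    so 0x84 0x00 0x00 0x00 0x05 is simply length 5."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    octets = first & 0x7F
    if octets == 0 or pos + octets > len(buf):
        raise ValueError("indefinite or truncated BER length")
    return int.from_bytes(buf[pos:pos + octets], "big"), pos + octets


def ber_tlv(buf: bytes, pos: int):
    """Return (tag, content bytes, position after the element)."""
    tag = buf[pos]
    length, start = ber_length(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[start:end], end


def decode_paged_results_control(value: bytes) -> dict:
    """RFC 2696: SEQUENCE { size INTEGER, cookie OCTET STRING }. In a response
    'size' is the server's estimate of the total (0 = unknown) and an empty
    cookie means there are no further pages."""
    tag, seq, end = ber_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    tag, size_bytes, pos = ber_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER size")
    tag, cookie, pos = ber_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("expected OCTET STRING cookie")
    size = int.from_bytes(size_bytes, "big", signed=True)
    return {"size": size, "cookie": cookie, "more_pages": len(cookie) > 0}


HEX_RE = re.compile(r"Control value : ((?:0x[0-9A-Fa-f]{2}\s*)+)")
MSG_RE = re.compile(r"Decoded LdapMessage : MessageType : (\w+)")


def parse_control_value_line(line: str) -> bytes:
    """Turn the '0x30 0x84 ...' text of a StoreControlValue line into bytes."""
    m = HEX_RE.search(line)
    if not m:
        raise ValueError("no control value on this line")
    return bytes(int(h, 16) for h in m.group(1).split())


def summarize_search_log(lines) -> dict:
    """Count decoded LDAP message types and decode the last control value seen.
    Only the CODEC_LOG 'Decoded LdapMessage' lines are counted, so the repeated
    LdapNetworkConnection dumps of the same message are not triple-counted.
    Assumes every 'Control value' line is a paged-results control, as here."""
    counts = {}
    last_control = None
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
        if "Control value :" in line:
            last_control = decode_paged_results_control(parse_control_value_line(line))
    entries = counts.get("SEARCH_RESULT_ENTRY", 0)
    return {
        "entries": entries,
        "counts": counts,
        "last_control": last_control,
        # SEARCH_RESULT_DONE with no SEARCH_RESULT_ENTRY before it: the search
        # matched nothing under that base DN with that filter
        "empty_result": counts.get("SEARCH_RESULT_DONE", 0) > 0 and entries == 0,
    }


# Constructed samples: the first repeats the two key lines from the post, the
# second is what a search that found two groups (one page, more to follow)
# would log.
SAMPLE_EMPTY = [
    "02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue Control value : 0x30 0x84 0x00 0x00 0x00 0x05 0x02 0x01 0x00 0x04 0x00",
    "02.04.2019 14:05:44.773 *DEBUG* [NioProcessor-8] org.apache.directory.api.CODEC_LOG Decoded LdapMessage : MessageType : SEARCH_RESULT_DONE",
]
SAMPLE_TWO_GROUPS = [
    "02.04.2019 14:05:44.700 *DEBUG* [NioProcessor-8] org.apache.directory.api.CODEC_LOG Decoded LdapMessage : MessageType : SEARCH_RESULT_ENTRY",
    "02.04.2019 14:05:44.701 *DEBUG* [NioProcessor-8] org.apache.directory.api.CODEC_LOG Decoded LdapMessage : MessageType : SEARCH_RESULT_ENTRY",
    "02.04.2019 14:05:44.702 *DEBUG* [NioProcessor-8] org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue Control value : 0x30 0x0c 0x02 0x01 0x00 0x04 0x07 0x01 0x02 0x03 0x04 0x05 0x06 0x07",
    "02.04.2019 14:05:44.702 *DEBUG* [NioProcessor-8] org.apache.directory.api.CODEC_LOG Decoded LdapMessage : MessageType : SEARCH_RESULT_DONE",
]

if __name__ == "__main__":
    for name, log in (("posted", SAMPLE_EMPTY), ("constructed", SAMPLE_TWO_GROUPS)):
        print(name, summarize_search_log(log))
```

Run it against a full AEM error.log with the Apache Directory loggers at DEBUG: the thing to grep for while the sync runs is whether any SEARCH_RESULT_ENTRY precedes the SEARCH_RESULT_DONE for the group search; a non-empty cookie only tells you there are more pages, not that anything matched.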

Replies

ganeshboggavara

11-04-2019

Thanks for the help Vish.dhaliwal, smacdonald2008. I am able to sync users and groups into AEM when the users and groups are present in the same base DN,

but when the users are in one DN and the groups are in a different DN, and the users are added as members of the groups, I get the users synced but not the groups. Here is the config I have:

User base DN       :    OU=US,OU=CompanyName,OU=Clients,DC=--------,DC=com

User object classes   :        person , top , user , organizationalPerson

User id attribute      :     CN

User extra filter      :     (|(memberOf=CN=AEM-US-NA-Author,OU=Groups,OU=USA,DC=----,DC=com)(memberOf=CN=AEM-US-NA-publisher,OU=Groups,OU=USA,DC=----,DC=com)(memberOf=CN=AEM-US-NA-Reviewer,OU=Groups,OU=USA,DC=----,DC=com))

Group base DN     :      OU=Groups,OU=USA,DC=------,DC=com

Group object classes    :       top , group

Group name attribute    :       CN

Group extra filter  :

Let me know if you have any insights on this. Also,

is there a way to debug the group sync? I don't see anything related to group sync issues in the logs.

Thanks,  Appreciate your help!
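With users and groups in different base DNs, one check worth doing offline before going back to the AEM logs is that every group DN named in the user extra filter actually lies under the group base DN and starts with the group name attribute. The script below is an added example for this thread and not AEM or Oak code; it assumes that a group referenced from a user is only picked up by the sync when it sits under the configured group base DN, and the redacted DC components from the post are replaced by a constructed DC=example,DC=com. Parsing is deliberately minimal: equality leaves only, and DNs compared case-insensitively by RDN.

```python
"""Offline sanity check for the split layout in the reply above (users under
one base DN, groups under another): pull every memberOf DN out of the user
extra filter and verify it is a descendant of the group base DN named by the
group name attribute. Added example, not AEM/Oak code; the DC components are
a constructed placeholder for the redacted ones in the post."""
import re


def split_dn(dn: str):
    """Split a DN on unescaped commas into [(attr, value)], both lowercased so
    comparisons are case-insensitive like the directory itself."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep escape pairs such as '\,'
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def dn_under(dn: str, base: str) -> bool:
    """True when dn is a strict descendant of base (RDN suffix match)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) > len(b) and d[len(d) - len(b):] == b


# RFC 4515 equality leaves '(attr=value)'. Parentheses inside a value must be
# escaped as \28 / \29 in a valid filter, so '[^()]*' is safe for the value.
LEAF_RE = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")


def filter_leaves(ldap_filter: str):
    """Return [(attr, value)] for every equality leaf in the filter."""
    return [(attr.lower(), value) for attr, value in LEAF_RE.findall(ldap_filter)]


def check_group_refs(user_extra_filter: str, group_base_dn: str, group_name_attr: str = "CN"):
    """Return [(dn, ok, reason)] for every memberOf DN named in the filter."""
    results = []
    for attr, value in filter_leaves(user_extra_filter):
        if attr != "memberof":
            continue
        rdns = split_dn(value)
        if not dn_under(value, group_base_dn):
            results.append((value, False, "not under group base DN"))
        elif rdns[0][0] != group_name_attr.lower():
            results.append((value, False, "leading RDN is %s, not %s" % (rdns[0][0], group_name_attr)))
        else:
            results.append((value, True, "ok"))
    return results


# The posted configuration, with the redacted DC components replaced by a
# constructed placeholder.
GROUP_BASE_DN = "OU=Groups,OU=USA,DC=example,DC=com"
POSTED_FILTER = (
    "(|(memberOf=CN=AEM-US-NA-Author,OU=Groups,OU=USA,DC=example,DC=com)"
    "(memberOf=CN=AEM-US-NA-publisher,OU=Groups,OU=USA,DC=example,DC=com)"
    "(memberOf=CN=AEM-US-NA-Reviewer,OU=Groups,OU=USA,DC=example,DC=com))"
)
# Constructed counter-example: a group outside the group base DN.
STRAY_FILTER = "(memberOf=CN=AEM-EMEA-Author,OU=Groups,OU=EMEA,DC=example,DC=com)"

if __name__ == "__main__":
    for label, flt in (("posted", POSTED_FILTER), ("stray", STRAY_FILTER)):
        for dn, ok, reason in check_group_refs(flt, GROUP_BASE_DN, "CN"):
            print(label, "OK " if ok else "BAD", dn, reason)
```

If a referenced group fails this check, widening the group base DN (or moving the group) is the fix on the directory side; if all of them pass, the problem is elsewhere, which is where the thread ends up.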

ganeshboggavara

03-05-2019

Hi,

Figured it out. The way group sync works is based on the lastSync property that AEM pulls from LDAP. In my case I had configured the lastSync property in User Property Mapping by mapping it to lastLogged, which made lastSync get overridden.

This made AEM think that the group had been synced just now, and it never really synced. When I removed the lastSynced User Property mapping in my LDAP Identity Provider, group sync happened with no issues.

Thanks,

Ganesh
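The mechanism described in the reply above, as an added illustration rather than Oak or AEM code: a simplified model of the expiry check, with the property mapping from the post (the last-sync timestamp mapped to an AD logon attribute, assumed here to be lastLogon; the post calls it lastLogged) beside a mapping that leaves the timestamp alone. The duration notation, the rep:lastSynced property name and the comparison itself are assumptions of the model, not verified against the sync handler source.

```python
"""Model of the expiry decision the last reply describes: an identity is
re-synced only when its stored last-sync timestamp is older than the
configured expiration time, so a property mapping that overwrites that
timestamp with a fresh value from the directory keeps the identity looking
'just synced'. Added example, not Oak/AEM code: the comparison, the
'rep:lastSynced' name and the 'lastLogon' attribute are assumptions."""
import re
from datetime import datetime, timedelta, timezone

UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> timedelta:
    """Parse '1h', '30m', '1d', '500ms' style expiration settings."""
    m = re.fullmatch(r"\s*(\d+)\s*(ms|s|m|h|d)\s*", text)
    if not m:
        raise ValueError("bad duration: %r" % text)
    return timedelta(seconds=int(m.group(1)) * UNITS[m.group(2)])


def parse_mapping(entries):
    """Turn 'repositoryProperty=ldapAttribute' strings into a dict."""
    mapping = {}
    for entry in entries:
        repo, sep, attr = entry.partition("=")
        if not sep or not repo.strip() or not attr.strip():
            raise ValueError("bad mapping entry: %r" % entry)
        mapping[repo.strip()] = attr.strip()
    return mapping


def is_expired(last_synced, expiration: timedelta, now: datetime) -> bool:
    """Due for re-sync if never synced, or synced longer ago than 'expiration'."""
    return last_synced is None or last_synced + expiration < now


def sync_cycle(ldap_entry, sync_ran_at, mapping, expiration, now):
    """One sync pass that ran at 'sync_ran_at': apply the mapping, then report
    what the next pass at 'now' would conclude about the identity."""
    props = {repo: ldap_entry[attr] for repo, attr in mapping.items() if attr in ldap_entry}
    # The sync stamps the time it ran; a mapping onto rep:lastSynced replaces
    # that stamp with the directory attribute's value instead.
    effective = props.get("rep:lastSynced", sync_ran_at)
    return {
        "properties": props,
        "effective_last_synced": effective,
        "expired": is_expired(effective, expiration, now),
    }


# Constructed scenario: the sync last ran two hours ago, the expiration is one
# hour, and the account logged on five minutes ago.
NOW = datetime(2019, 5, 3, 10, 0, tzinfo=timezone.utc)
SYNC_RAN_AT = NOW - timedelta(hours=2)
LDAP_ENTRY = {"givenName": "Ganesh", "lastLogon": NOW - timedelta(minutes=5)}

BROKEN_MAPPING = parse_mapping(["profile/givenName=givenName", "rep:lastSynced=lastLogon"])
FIXED_MAPPING = parse_mapping(["profile/givenName=givenName"])

if __name__ == "__main__":
    exp = parse_duration("1h")
    print("broken:", sync_cycle(LDAP_ENTRY, SYNC_RAN_AT, BROKEN_MAPPING, exp, NOW))
    print("fixed: ", sync_cycle(LDAP_ENTRY, SYNC_RAN_AT, FIXED_MAPPING, exp, NOW))
```

With the broken mapping the effective last-sync time is the recent logon, so the identity never expires and never re-syncs; with the mapping removed the two-hour-old stamp is past the one-hour expiration and the next pass re-syncs it. Any mapping that writes a sync-bookkeeping property from a directory attribute deserves the same scrutiny.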