Expand my Community achievements bar.

SOLVED

AEM 6.0 Importing external LDAP groups via JMX

Avatar

Level 2
Level 2
10/15/15 7:28:28 PM

Hi everyone,

I have a setup where our client has LDAP users which are imported into the repository by using the JMX calls "syncAllExternalUsers()" from "org.apache.jackrabbit.oak: External Identity Synchronization Management (UserManagement)". We have configured everything what's necessary for the LDAP sync in OSGi, like the "Apache Jackrabbit Oak Default Sync Handler", the "Apache Jackrabbit Oak External Login Module" and the "Apache Jackrabbit Oak LDAP Identity Provider".

Now after importing a few thousands of users, the users received additional groups which we would like to import. I changed the Default Sync Handler's "User membership nesting depth" property to include the groups.

When I execute the "syncAllExternalUsers()" again, none of the LDAP groups are created. Only when the users are deleted and created anew I also get the groups into the system. I also could not find anything like a "syncAllExternalGroups()" JMX call.

Does anyone have an idea how I could get the LDAP groups into the AEM system?

 

Also how can I have groups which are not in LDAP anymore removed from the repository? The "Group Expiration Time" property from the Default Sync Handler doesn't seem to have an effect on that.

 

Thanks in advance.

Views

1.7K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 10
Level 10
10/15/15 7:28:28 PM

Sorry some how i missed it is aem6. Yes it is expiration time. Surprised to see it does not sync after expiration time. Please file an support ticket & in that attach debug logs of ldap as well as oak version. 

View solution in original post

Views

920

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
5 Replies

Avatar

Level 10
Level 10
10/15/15 7:28:28 PM

A user and their group membership is only synchronized with a given interval. This interval is equal to the cache.expiration configuration parameter.  Did you waited till the expiry?

Views

920

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
10/15/15 7:28:28 PM

Hi Sham,

I can't find the "cache.expiration" configuration parameter in AEM 6.0.

Did you mean the "User Expiration Time" (user.expirationTime) and "Group Expiration Time" (group.expirationTime) found in the "Apache Jackrabbit Oak Default Sync Handler" OSGi configuration?

The user.expirationTime property is set to 1h and the group.expirationTime property is set to 1d (default values). I tried setting the group.expirationTime to 5min but I couldn't see an effect. LDAP groups which were deleted in LDAP are still in AEM.

Views

1.0K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 10
Level 10
10/15/15 7:28:28 PM

Sorry some how i missed it is aem6. Yes it is expiration time. Surprised to see it does not sync after expiration time. Please file an support ticket & in that attach debug logs of ldap as well as oak version. 

Views

921

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 1
Level 1
1/14/16 7:23:50 AM

I am experiencing the same issue.  Have you been able to resolve this issue?

Views

1.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
1/18/16 3:42:15 AM

Hey dawnd58690430, if you mean the JMX Function for synchronizing LDAP Groups, then the answer is no.

There is an OAK Ticket for the group sync function: https://issues.apache.org/jira/browse/OAK-1823

Views

1.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate