AEM 6.0 Importing external LDAP groups via JMX | Community
Andras_Fejer
Level 2
October 16, 2015
Solved

AEM 6.0 Importing external LDAP groups via JMX

Hi everyone,

I have a setup where our client has LDAP users which are imported into the repository by using the JMX call "syncAllExternalUsers()" from "org.apache.jackrabbit.oak: External Identity Synchronization Management (UserManagement)". We have configured everything that's necessary for the LDAP sync in OSGi, like the "Apache Jackrabbit Oak Default Sync Handler", the "Apache Jackrabbit Oak External Login Module" and the "Apache Jackrabbit Oak LDAP Identity Provider".

Now, after importing a few thousand users, the users received additional groups which we would like to import. I changed the Default Sync Handler's "User membership nesting depth" property to include the groups.

When I execute the "syncAllExternalUsers()" again, none of the LDAP groups are created. Only when the users are deleted and created anew I also get the groups into the system. I also could not find anything like a "syncAllExternalGroups()" JMX call.

Does anyone have an idea how I could get the LDAP groups into the AEM system?

Also how can I have groups which are not in LDAP anymore removed from the repository? The "Group Expiration Time" property from the Default Sync Handler doesn't seem to have an effect on that.

Thanks in advance.

5 replies

Sham_HC
Level 10
October 16, 2015

A user and their group membership are only synchronized at a given interval. This interval is equal to the cache.expiration configuration parameter. Did you wait until the expiry?

Andras_Fejer
Level 2
October 16, 2015

Hi Sham,

I can't find the "cache.expiration" configuration parameter in AEM 6.0.

Did you mean the "User Expiration Time" (user.expirationTime) and "Group Expiration Time" (group.expirationTime) found in the "Apache Jackrabbit Oak Default Sync Handler" OSGi configuration?

The user.expirationTime property is set to 1h and the group.expirationTime property is set to 1d (default values). I tried setting the group.expirationTime to 5min but I couldn't see an effect. LDAP groups which were deleted in LDAP are still in AEM.

Sham_HC
Accepted solution
Level 10
October 16, 2015

Sorry, somehow I missed that it is AEM 6. Yes, it is the expiration time. Surprised to see it does not sync after the expiration time. Please file a support ticket and attach the LDAP debug logs as well as the Oak version.

dawnd58690430
January 14, 2016

I am experiencing the same issue. Have you been able to resolve this issue?

Andras_Fejer
Level 2
January 18, 2016

Hey dawnd58690430, if you mean the JMX function for synchronizing LDAP groups, then the answer is no.

There is an Oak ticket for the group sync function: https://issues.apache.org/jira/browse/OAK-1823