AEM 6.3 - LDAP integration - Group sync issue

Community Advisor


I have created an LDAP configuration in AEM 6.3 (see attached) which connects to LDAP successfully, and all user information gets created in AEM, but it is unable to sync a few groups, especially those groups which start with Aem*, even without any group.extraFilter = " " also.


Error in logs: "org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext Existing authorizable 'Aem-test-local-administrators' is not a group from this IDP 'ldap' "

I want to highlight that the same configuration is working in AEM 6.1.

(Attached screenshots: 1356845_pastedImage_0.png, 1356846_pastedImage_1.png, 1356847_pastedImage_2.png)

/Brijesh

8 Replies

Level 10

It should work the same way as it did in AEM 6.1. There have been no changes (not documented anyhow) that would account for this not working like it did in AEM 6.1.

Community Advisor

Yes, that's true, it should work the same way, but I can't figure out why these groups (Aem-*) do not sync, and there have been no changes to the groups either. The same thing is working in 6.1 on the same machine but not for 6.3.

Administrator

I recommend you check and follow the documentation: Configuring LDAP with AEM 6

And FYI:

See this: AEM 6 integration with LDAP

syncAllUsers does not bring all your LDAP users to AEM; it only syncs existing local users from LDAP. Local users are created on first login or manually by calling the syncUsers() method. See the documentation here:

http://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/SynchronizationMBean.html

Also make sure to add the IdP certificate to the AEM TrustStore: https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/saml-2-0-authenticationhand... to Groups



Kautuk Sahni

Community Advisor

Hi Kautuk,

Thanks for sharing the information, but I have already gone through these documents and did not find anything which explains troubleshooting of group issues.
Adding the IdP certificate to the AEM TrustStore is only required when we are using the SAML authentication handler, which is not valid in my case.

/Brijesh

Level 3

Hi Yadav,

Did you ever get the solution to this issue? Experiencing the same (6.3)

Level 3

Update:

I am using OpenLDAP. OpenLDAP uses the memberUid attribute to identify members of a group and not uniqueMember.

uniqueMember is the full DN, which is also what Oak uses for querying groups for members. Hence my users are not found in groups.

Example:

memberUid = pjones

uniqueMember = cn=Peter Jones,ou=users,dc=example,dc=com
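To make that mismatch concrete, here is an added Python example (not code from the post, from Oak or from AEM) that simulates Oak's DN-based membership lookup over two constructed group entries: one groupOfUniqueNames group referencing the user by DN and one OpenLDAP posixGroup referencing the same user by memberUid. It assumes Oak's group.memberAttribute setting (default uniquemember) and sample DNs modelled on the post; the diagnose() helper is a hypothetical check, not an Oak API.

```python
"""Simulate Oak's group-membership lookup against constructed LDAP entries."""

# Constructed sample directory (not real data); attribute names lower-cased.
GROUPS = [
    {
        "dn": "cn=aem-authors,ou=groups,dc=example,dc=com",
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["cn=Peter Jones,ou=users,dc=example,dc=com"],
    },
    {
        "dn": "cn=Aem-test-local-administrators,ou=groups,dc=example,dc=com",
        "objectclass": ["posixGroup"],
        "memberuid": ["pjones"],  # OpenLDAP style: uid, not a DN
    },
]

USER_DN = "cn=Peter Jones,ou=users,dc=example,dc=com"
USER_UID = "pjones"


def groups_for_user(user_dn, groups, member_attribute="uniquemember"):
    """Mimic Oak's lookup: groups whose member attribute holds the user's DN.

    Oak searches with the user's full DN as the value of group.memberAttribute,
    so a memberUid value such as "pjones" never matches, whichever attribute
    name is configured.
    """
    attr = member_attribute.lower()
    wanted = user_dn.lower()
    return [g["dn"] for g in groups
            if any(v.lower() == wanted for v in g.get(attr, []))]


def groups_by_uid(user_uid, groups):
    """What a memberUid-aware lookup would do instead: match the bare uid."""
    return [g["dn"] for g in groups if user_uid in g.get("memberuid", [])]


def diagnose(groups, member_attribute="uniquemember"):
    """Hypothetical check: groups with no DN-valued member attribute, i.e.
    groups a DN-based sync can never resolve members for."""
    attr = member_attribute.lower()
    return [g["dn"] for g in groups
            if not any("=" in v for v in g.get(attr, []))]


if __name__ == "__main__":
    print("DN lookup:", groups_for_user(USER_DN, GROUPS))
    print("uid lookup:", groups_by_uid(USER_UID, GROUPS))
    print("unresolvable:", diagnose(GROUPS))
```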

Community Advisor

After redeploying the LDAP configurations, it works for me on AEM 6.3 with the same configuration used in AEM 6.1.

We are using group.baseDN and group.extraFilter for identifying members.

/Brijesh

Level 1

Hi Yadav,

Did you get the solution to this issue? Experiencing the same (6.4)