
AEM 6.3 - LDAP integration - Group sync issue

BrijeshYadav

23-11-2017


I have created an LDAP configuration in AEM 6.3 (see attached) which connects to LDAP successfully, and all user information gets created in AEM, but it is unable to sync a few groups, specifically those groups which start with Aem*, even without any group.extraFilter = " " as well.


Error in logs: "org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext Existing authorizable 'Aem-test-local-administrators' is not a group from this IDP 'ldap'"

I want to highlight that the same configuration is working in AEM 6.1.

[three attached screenshots of the LDAP configuration]

/Brijesh
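The log line quoted above is the sync refusing to touch an authorizable that already exists under that ID but was not created by the IdP doing the sync. The following is an added example, not code from the thread or from Oak: it models that check on a constructed dump of existing groups, assuming Oak records the originating identity in each authorizable's rep:externalId property in the form "id;providerName" (with ';' and '\' escaped by a backslash) and compares the provider name with the IdP name. Running it against a real export of rep:externalId values shows which groups would be skipped as foreign and why (no externalId at all, or a different provider name).

```python
"""
Which existing groups would Oak's external identity sync refuse to update?

Added example, not from the thread. Assumption: an authorizable synced from
an IdP carries rep:externalId = "id;providerName" (';' and '\\' inside the
id are backslash-escaped), and the sync only updates an existing authorizable
whose provider name equals the name of the IdP currently syncing.
The sample repository content below is constructed for the demo.
"""
import re
from typing import Dict, List, Optional, Tuple


def _unescape(text: str) -> str:
    """Drop the backslash in front of any escaped character."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_external_id(value: str) -> Tuple[str, Optional[str]]:
    """Split a rep:externalId string at its first unescaped ';'.

    Returns (id, provider_name); provider_name is None when the value has
    no separator at all.
    """
    ident: List[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            ident.append(value[i + 1])      # escaped char, keep it literally
            i += 2
            continue
        if ch == ";":
            return "".join(ident), _unescape(value[i + 1:])
        ident.append(ch)
        i += 1
    return "".join(ident), None


def is_same_idp(rep_external_id: Optional[str], idp_name: str) -> bool:
    """True when the authorizable was synced from the IdP named idp_name."""
    if rep_external_id is None:
        return False        # created locally in AEM, never synced from any IdP
    _, provider = parse_external_id(rep_external_id)
    return provider == idp_name


def foreign_groups(existing: Dict[str, Optional[str]], idp_name: str) -> List[str]:
    """IDs of existing groups the sync would log as 'not a group from this IDP'."""
    return [gid for gid, ext in existing.items() if not is_same_idp(ext, idp_name)]


# Constructed sample: group ID -> rep:externalId as found in the repository.
EXISTING_GROUPS: Dict[str, Optional[str]] = {
    # Created by hand in AEM before LDAP was wired up: no rep:externalId.
    "Aem-test-local-administrators": None,
    # Synced by the IdP named 'ldap': will be updated normally.
    "Aem-content-authors": "cn=Aem-content-authors,ou=groups,dc=example,dc=com;ldap",
    # Synced earlier by an IdP configured under a different name.
    "Aem-legacy-editors": "cn=Aem-legacy-editors,ou=groups,dc=example,dc=com;ldap-61",
    # Escaped ';' inside the id must not be mistaken for the separator.
    "Aem-odd-name": "cn=a\\;b,ou=groups,dc=example,dc=com;ldap",
}


if __name__ == "__main__":
    for gid in foreign_groups(EXISTING_GROUPS, "ldap"):
        print("would be skipped as foreign:", gid, "rep:externalId =", EXISTING_GROUPS[gid])
```

The practical check is therefore to export rep:externalId for every group whose name matches the ones that fail to sync and look at the part after the last unescaped ';': it must equal the IdP name shown in the log message, and a missing property means the group was created locally under the same ID.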

Replies


smacdonald2008

23-11-2017

It should work the same way as it did in AEM 6.1. There have been no changes (none documented anyhow) that would account for this not working like it did in AEM 6.1.


BrijeshYadav

23-11-2017

Yes, that's true, it should work the same way, but I can't figure out why these groups (Aem-*) do not sync, and there are no changes to the groups either. The same thing is working in 6.1 on the same machine but not in 6.3.


kautuk_sahni

Community Manager

26-11-2017

I recommend you check and follow the documentation: Configuring LDAP with AEM 6

and FYI..

See this AEM 6 integration with LDAP

// syncAllUsers does not bring all your LDAP users into AEM; it only syncs existing local users from LDAP. Local users are created on first login or manually by calling the syncUsers() method. See the documentation here:

http://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/SynchronizationMBean.html

Also make sure to add the IdP certificate to the AEM TrustStore: https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/saml-2-0-authenticationhand... to Groups


BrijeshYadav

27-11-2017

Hi Kautuk,

Thanks for sharing the information, but I have already gone through these documents and did not find anything which explains troubleshooting of group issues.
Adding the IdP certificate to the AEM TrustStore is only required when we are using the SAML authentication handler, which is not valid in my case.

/Brijesh


kabelol26243436

09-02-2018

Update:

I am using OpenLDAP. OpenLDAP uses the memberUid attribute to identify members of a group, not uniqueMember.

uniqueMember is the full DN, which is also what Oak uses when querying groups for members. Hence my users are not found in groups.

Example:

memberUid = pjones

uniqueMember = cn=Peter Jones,ou=users,dc=example,dc=com
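To make the mismatch in the reply above concrete, here is an added example (not code from the thread, and not Oak's own implementation): a tiny in-memory directory with the three common group types, and a membership lookup of the shape the reply describes, where the directory is asked for groups whose member attribute equals the user's full DN. The attribute names used as defaults (group.memberAttribute=uniquemember, group.objectclass=groupOfUniqueNames) are the OSGi defaults of the Oak LDAP identity provider; the exact filter text Oak sends is my approximation, and the directory entries are constructed.

```python
"""
Why a posixGroup (memberUid) is invisible to a DN-based member lookup.

Added example, not from the thread. It reproduces the shape of the lookup
described in the reply: find groups whose member attribute holds the user's
full DN. The filter evaluator only understands (&...) and (attr=value),
which is all this lookup needs. Entries below are constructed sample data.
"""
import re
from typing import Dict, List


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def member_of_filter(member_attr: str, group_objectclass: str, user_dn: str) -> str:
    """Conjunctive filter asking for groups that list user_dn as a member."""
    return "(&(objectclass=%s)(%s=%s))" % (
        group_objectclass, member_attr, escape_filter_value(user_dn))


def parse_filter(text: str):
    """Parse (&(a=v)(b=w)) into ('and', [('eq', attr, value), ...])."""
    pos = 0

    def node():
        nonlocal pos
        assert text[pos] == "("
        pos += 1
        if text[pos] == "&":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            assert text[pos] == ")"
            pos += 1
            return ("and", kids)
        end = text.index(")", pos)          # ')' inside values is escaped as \29
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("eq", attr.lower(), unescape_filter_value(value))

    return node()


def matches(entry: Dict[str, List[str]], node) -> bool:
    """Case-insensitive attribute equality, as LDAP treats DNs and classes."""
    if node[0] == "and":
        return all(matches(entry, kid) for kid in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def find_groups(directory: List[Dict[str, List[str]]], filt: str) -> List[str]:
    node = parse_filter(filt)
    return sorted(e["cn"][0] for e in directory if matches(e, node))


# Constructed directory content (attribute names lower-cased, as a server
# would match them).
USER_DN = "cn=Peter Jones,ou=users,dc=example,dc=com"
DIRECTORY = [
    {"objectclass": ["top", "groupOfUniqueNames"], "cn": ["Aem-content-authors"],
     "uniquemember": [USER_DN]},
    # OpenLDAP posixGroup: members are bare uids, no DN anywhere in the entry.
    {"objectclass": ["top", "posixGroup"], "cn": ["Aem-test-local-administrators"],
     "gidnumber": ["5001"], "memberuid": ["pjones"]},
    {"objectclass": ["top", "groupOfNames"], "cn": ["Aem-reviewers"],
     "member": [USER_DN]},
]


def demo():
    # 1. Defaults: only the groupOfUniqueNames entry is found.
    default = find_groups(DIRECTORY, member_of_filter("uniquemember", "groupOfUniqueNames", USER_DN))
    # 2. Pointing the member attribute at memberUid does not help: the lookup
    #    value is still the DN, while memberUid holds only 'pjones'.
    posix = find_groups(DIRECTORY, member_of_filter("memberUid", "posixGroup", USER_DN))
    # 3. A group class that stores full DNs works once member attribute and
    #    object class are changed together.
    names = find_groups(DIRECTORY, member_of_filter("member", "groupOfNames", USER_DN))
    return default, posix, names


if __name__ == "__main__":
    for label, found in zip(("uniquemember", "memberUid", "member"), demo()):
        print("%-13s -> %s" % (label, found or "no groups"))
```

The takeaway is that switching group.memberAttribute alone cannot rescue posixGroup entries, because the value being searched for is a DN and memberUid never contains one; the groups have to carry DN-valued membership (groupOfNames/member or groupOfUniqueNames/uniqueMember) for a DN-based lookup to find them.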


BrijeshYadav

08-03-2018

After redeploying the LDAP configurations, it works for me on AEM 6.3 with the same configuration used in AEM 6.1.

We are using group.baseDN and group.extraFilter for identifying members.

/Brijesh