AEM 6.3 - LDAP integration - Group sync issue

BrijeshYadav

23-11-2017


I have created an LDAP configuration in AEM 6.3 (see attached) which connects to LDAP successfully, and all user information gets created in AEM, but I am unable to sync a few groups, especially those groups which start with Aem*, even without any group.extraFilter = " " as well.


Error in the logs: "org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext Existing authorizable 'Aem-test-local-administrators' is not a group from this IDP 'ldap' "

I want to highlight that the same configuration is working in AEM 6.1.


/Brijesh

Replies

smacdonald2008


23-11-2017

It should work the same way as it did in AEM 6.1. There have been no changes (none documented, anyhow) that would account for this not working like it did in AEM 6.1.

BrijeshYadav

23-11-2017

Yes, that's true, it should work the same way, but I can't figure out why these groups (Aem-*) do not sync, and there have been no changes to the groups either. The same thing is working in 6.1 on the same machine, but not in 6.3.

kautuk_sahni

Community Manager


26-11-2017

I recommend you check and follow the documentation: Configuring LDAP with AEM 6

And FYI:

See this: AEM 6 integration with LDAP

// syncAllUsers does not bring all your LDAP users to AEM. It only syncs existing local users from LDAP. Local users are created on first login or manually by calling the syncUsers() method. See the documentation here:

http://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/SynchronizationMBean.html

Also make sure to add the IdP certificate to the AEM TrustStore: https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/saml-2-0-authenticationhand... to Groups

BrijeshYadav

27-11-2017

Hi Kautuk,

Thanks for sharing the information, but I have already gone through these documents and did not find anything that explains troubleshooting of group issues.
Adding the IdP certificate to the AEM TrustStore is only required when we are using the SAML authentication handler, which is not the case for me.

/Brijesh

kabelol26243436

08-02-2018

Hi Yadav,

Did you ever get the solution to this issue? I am experiencing the same (6.3).

kabelol26243436

09-02-2018

Update:

I am using OpenLDAP. OpenLDAP uses the memberUid attribute to identify members of a group, and not uniqueMember.

uniqueMember is the full DN, which is also what Oak uses when querying groups for members. Hence my users are not found in groups.

Example:

memberUid = pjones

uniqueMember = cn=Peter Jones,ou=users,dc=example,dc=com
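
As an added illustration of the mismatch described in the post above (example code written for this page, not from the thread or from Oak): a small simulation of the group-membership lookup, run over constructed LDIF, showing that a lookup keyed on the member's full DN via uniqueMember finds the groupOfUniqueNames group but never the posixGroup, whose memberUid values are plain uids. The LDIF, the parser and the function names are all assumptions made for the example.

```python
"""Simulate an LDAP group-membership lookup over constructed LDIF (added example)."""
import re

# Constructed sample data: one DN-keyed group and one uid-keyed posixGroup.
SAMPLE_LDIF = """\
dn: cn=administrators,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: administrators
uniqueMember: cn=Peter Jones,ou=users,dc=example,dc=com

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: developers
memberUid: pjones
"""


def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute names lower-cased.
    (Plain 'attr: value' lines only; no base64 '::' or line folding.)"""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _norm(value):
    """Approximate LDAP DN/string matching: trim, collapse spaces around commas, fold case."""
    return re.sub(r"\s*,\s*", ",", value.strip()).lower()


def groups_containing(entries, member_attr, member_value):
    """Names of groups whose member_attr holds member_value, i.e. what a filter
    like (&(objectclass=<group class>)(<member_attr>=<member_value>)) would return."""
    wanted, target = member_attr.lower(), _norm(member_value)
    return [e["cn"][0] for e in entries
            if target in (_norm(v) for v in e.get(wanted, []))]


ENTRIES = parse_ldif(SAMPLE_LDIF)
USER_DN = "cn=Peter Jones,ou=users,dc=example,dc=com"

if __name__ == "__main__":
    print("by DN over uniqueMember:", groups_containing(ENTRIES, "uniqueMember", USER_DN))
    print("by DN over memberUid:   ", groups_containing(ENTRIES, "memberUid", USER_DN))
    print("by uid over memberUid:  ", groups_containing(ENTRIES, "memberUid", "pjones"))
```

The DN-keyed lookup only ever reaches the groupOfUniqueNames entry, which is the effect the post describes; a posixGroup is only reachable when the lookup uses the uid against memberUid.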

BrijeshYadav

08-03-2018

After redeploying the LDAP configurations, it works for me on AEM 6.3 with the same configuration used in AEM 6.1.

We are using group.baseDN and group.extraFilter for identifying members.

/Brijesh

eyalf34460491

24-12-2018

Hi Yadav,

Did you get the solution to this issue? I am experiencing the same (6.4).