AEM 6.4 LDAP Group Sync Issue with AWS Directory Service Provider

ManojSj
Level 1

17-06-2020

We have observed that the LDAP query for groups is not triggering consistently, as seen in the loggers, because of which Group Sync is failing (only the user sync is successful). We referred to the configuration in this link: https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/ldap-config.html

We are using version 6.4 of AEM; the sample LDIF file and configurations are given below. Could you please let us know if something is wrong with the configurations below or with the steps followed?

Configurations:

# Apache Jackrabbit Oak LDAP Identity Provider
userPool.maxActive=L"8"
searchTimeout="60s"
host.name="xxxxx"
customattributes=[""]
adminPool.maxActive=L"8"
group.makeDnPath=B"false"
user.baseDN="dc\=example,dc\=ps,dc\=com"
group.objectclass=["group"]
user.objectclass=["person"]
userPool.lookupOnValidate=B"true"
host.noCertCheck=B"false"
user.makeDnPath=B"true"
bind.dn="CN\=ldaplookupuser,CN\=Users,DC\=example,DC\=com"
group.baseDN="CN\=Group,DC\=example,DC\=com"
group.extraFilter="(objectCategory\=group)"
user.extraFilter=""
host.port=I"3268"
bind.password="xxxxx"
adminPool.lookupOnValidate=B"true"
group.nameAttribute="CN"
provider.name="ldap"
host.ssl=B"false"
host.tls=B"false"
user.idAttribute="sAMAccountName"
group.memberAttribute="member"

# Apache Jackrabbit Oak Default Sync Handler
group.pathPrefix="/aemldapusers/ldap"
user.dynamicMembership=B"false"
group.expirationTime="1d"
user.membershipExpTime="1h"
user.pathPrefix="/aemldapusers/ldap"
user.propertyMapping=["rep:fullname\=cn","profile/email\=mail"]
handler.name="default"
enableRFC7613UsercaseMappedProfile=B"false"
user.autoMembership=["contributor"]
user.expirationTime="1h"
group.propertyMapping=[""]
group.autoMembership=[""]
user.disableMissing=B"false"
user.membershipNestingDepth=I"2"

# Apache Jackrabbit Oak External Login Module
jaas.controlFlag="SUFFICIENT"
jaas.ranking=I"50"
sync.handlerName="default"
jaas.realmName=""
idp.name="ldap"

LDIF File Snippet:

dn: CN=DnsUpdateProxy,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: DnsUpdateProxy
description: DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
instanceType: 4
whenCreated: 20200212074609.0Z
whenChanged: 20200212074609.0Z
uSNCreated: 3603
uSNChanged: 3603
name: DnsUpdateProxy
objectGUID:: fC+OYNPR1Um6d65Uctstpw==
objectSid:: AQUAAAAAAAUVAAAAlvzxoCLKglAqEEnqTgQAAA==
sAMAccountName: DnsUpdateProxy
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
distinguishedName: CN=DnsUpdateProxy,CN=Users,DC=example,DC=com

dn: CN=DnsAdmins,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: DnsAdmins
description: DNS Administrators Group
instanceType: 4
whenCreated: 20200212074609.0Z
whenChanged: 20200212074609.0Z
uSNCreated: 3602
uSNChanged: 3602
name: DnsAdmins
objectGUID:: uWRuKJKD7ESxSosncblwHA==
objectSid:: AQUAAAAAAAUVAAAAlvzxoCLKglAqEEnqTQQAAA==
sAMAccountName: DnsAdmins
sAMAccountType: 536870912
groupType: -2147483644
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
distinguishedName: CN=DnsAdmins,CN=Users,DC=example,DC=com

dn: CN=everyone,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: everyone
description: everyone
instanceType: 4
whenCreated: 20200218143504.0Z
uSNCreated: 3764
name: everyone
objectGUID:: L8ujcWUxvUq9wZnuOMiOBw==
objectSid:: AQUAAAAAAAUVAAAAlvzxoCLKglAqEEnqRAYAAA==
sAMAccountName: everyone
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
member: CN=john.doe,CN=Users,DC=example,DC=com
whenChanged: 20200218144440.0Z
uSNChanged: 3765
distinguishedName: CN=everyone,CN=Users,DC=example,DC=com

dn: CN=admin,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: admin
description: test admin
instanceType: 4
whenCreated: 20200212165214.0Z
uSNCreated: 3757
name: admin
objectGUID:: nByiLbz5fUqur+MgO+1i+Q==
objectSid:: AQUAAAAAAAUVAAAAlvzxoCLKglAqEEnqQQYAAA==
sAMAccountName: admin
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
member: CN=john.doe,CN=Users,DC=example,DC=com
member: CN=billy.joel,CN=Users,DC=example,DC=com
whenChanged: 20200212165805.0Z
uSNChanged: 3762
distinguishedName: CN=admin,CN=Users,DC=example,DC=com

AEM 6.4 authentication Groups LDAP LDAPADSync SSO

Accepted Solutions (1)

berliant
Employee

18-06-2020

user.membershipNestingDepth=I"2" controls group sync. Note that it does not sync individual groups; groups are synced only as part of a user's membership ancestry, i.e. if a user being synced is a member of a group, then that group will be synced into the AEM repository.
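Two things in this thread can be checked offline before touching the AEM instance: whether the posted group entries are even reachable by the Identity Provider's group search (group.baseDN plus group.extraFilter), and what the Default Sync Handler's membership-ancestry walk, bounded by user.membershipNestingDepth as the accepted answer describes, would pull in for a given user. The Python below is an added example written for this page; it is not code from the thread, from Adobe or from Apache Jackrabbit Oak. It embeds three of the posted group records and the posted configuration values as constructed input, and its nesting walk is a simplified model of the sync handler rather than its implementation (the filter evaluator understands a single (attr=value) clause only, and escaped commas inside DN values are not handled). Run on the values as posted, the visibility check reports every group as lying outside group.baseDN, because the LDIF places the groups under CN=Users while the configuration searches CN=Group; since the DNs were presumably sanitised before posting, treat that as the first thing to confirm against the real directory rather than as a verdict.

```python
import base64
import re

# Constructed input: three of the group records posted in the question,
# trimmed to the attributes the checks use ("::" marks a base64 value).
LDIF_SNIPPET = """\
dn: CN=DnsUpdateProxy,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com

dn: CN=everyone,CN=Users,DC=example,DC=com
objectClass: group
objectGUID:: L8ujcWUxvUq9wZnuOMiOBw==
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
member: CN=john.doe,CN=Users,DC=example,DC=com

dn: CN=admin,CN=Users,DC=example,DC=com
objectClass: group
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
member: CN=john.doe,CN=Users,DC=example,DC=com
member: CN=billy.joel,CN=Users,DC=example,DC=com
"""

# Values copied from the posted Identity Provider / Default Sync Handler
# configurations (OSGi .config backslash escapes removed).
GROUP_BASE_DN = "CN=Group,DC=example,DC=com"
GROUP_EXTRA_FILTER = "(objectCategory=group)"
GROUP_MEMBER_ATTRIBUTE = "member"
MEMBERSHIP_NESTING_DEPTH = 2


def parse_ldif(text):
    """Blank-line separated LDIF records -> list of {attr: [values]}. Attribute
    names are lower-cased; '::' values are base64-decoded to bytes (objectGUID)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Lower-case a DN and strip spaces around RDN separators (simplification:
    escaped commas inside RDN values are not handled)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def is_under(dn, base_dn):
    """True if dn equals base_dn or lies beneath it in the directory tree."""
    dn, base_dn = normalize_dn(dn), normalize_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)


def matches_extra_filter(entry, ldap_filter):
    """Evaluate one equality filter such as (objectCategory=group). AD resolves a
    bare class name in objectCategory via the schema object's lDAPDisplayName,
    modelled here by comparing the first RDN of the stored DN; other attributes
    are compared literally (simplification)."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
    attr, wanted = m.group(1).lower(), m.group(2).lower()
    for value in entry.get(attr, []):
        if attr == "objectcategory" and value.split(",")[0].lower() == "cn=" + wanted:
            return True
        if attr != "objectcategory" and value.lower() == wanted:
            return True
    return False


def check_group_visibility(entries):
    """Map each group DN to the reasons the IDP's group search would miss it
    (an empty list means both baseDN and extraFilter accept the entry)."""
    report = {}
    for e in entries:
        dn, problems = e["dn"][0], []
        if not is_under(dn, GROUP_BASE_DN):
            problems.append("not under group.baseDN " + GROUP_BASE_DN)
        if not matches_extra_filter(e, GROUP_EXTRA_FILTER):
            problems.append("rejected by group.extraFilter " + GROUP_EXTRA_FILTER)
        report[dn] = problems
    return report


def membership_ancestry(entries, user_dn, depth=MEMBERSHIP_NESTING_DEPTH):
    """Groups the sync handler would pull in for user_dn by following the member
    attribute upwards at most `depth` levels (1 = direct groups only, 0 = none).
    Simplified model of the Default Sync Handler's behaviour, not Oak code."""
    members_of = {}  # normalized member DN -> group DNs (as written) listing it
    for e in entries:
        for m in e.get(GROUP_MEMBER_ATTRIBUTE, []):
            members_of.setdefault(normalize_dn(m), set()).add(e["dn"][0])
    found, frontier = set(), {normalize_dn(user_dn)}
    for _ in range(depth):
        nxt = set()
        for dn in frontier:
            for g in members_of.get(dn, ()):
                if g not in found:
                    found.add(g)
                    nxt.add(normalize_dn(g))
        frontier = nxt
    return found
```

With the depth from the post, john.doe resolves to the everyone and admin groups and billy.joel to admin only, which is the "synced through a user's membership ancestry" behaviour the accepted answer describes; a group that no synced user belongs to, such as DnsUpdateProxy here, never comes across regardless of the depth setting. Raising user.membershipNestingDepth only matters once groups are themselves members of other groups, so the baseDN and filter checks are the ones to clear first.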

Answers (0)