AEM 6.4 LDAP Group Sync Issue with AWS Directory Service Provider

ManojSj

17-06-2020

We have observed that the LDAP query for groups is not triggering consistently, as seen in the loggers, because of which Group Sync is failing [only user sync is successful]. We referred to the configuration as per this link: https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/ldap-config.html

We are using version 6.4 of AEM; the sample LDIF file and configurations are given below. Could you please let us know if something is wrong with the below configurations or the steps followed?

Configurations:

# Apache Jackrabbit Oak LDAP Identity Provider
userPool.maxActive=L"8"
searchTimeout="60s"
host.name="xxxxx"
customattributes=[""]
adminPool.maxActive=L"8"
group.makeDnPath=B"false"
user.baseDN="dc\=example,dc\=ps,dc\=com"
group.objectclass=["group"]
user.objectclass=["person"]
userPool.lookupOnValidate=B"true"
host.noCertCheck=B"false"
user.makeDnPath=B"true"
bind.dn="CN\=ldaplookupuser,CN\=Users,DC\=example,DC\=com"
group.baseDN="CN\=Group,DC\=example,DC\=com"
group.extraFilter="(objectCategory\=group)"
user.extraFilter=""
host.port=I"3268"
bind.password="xxxxx"
adminPool.lookupOnValidate=B"true"
group.nameAttribute="CN"
provider.name="ldap"
host.ssl=B"false"
host.tls=B"false"
user.idAttribute="sAMAccountName"
group.memberAttribute="member"

# Apache Jackrabbit Oak Default Sync Handler
group.pathPrefix="/aemldapusers/ldap"
user.dynamicMembership=B"false"
group.expirationTime="1d"
user.membershipExpTime="1h"
user.pathPrefix="/aemldapusers/ldap"
user.propertyMapping=["rep:fullname\=cn","profile/email\=mail"]
handler.name="default"
enableRFC7613UsercaseMappedProfile=B"false"
user.autoMembership=["contributor"]
user.expirationTime="1h"
group.propertyMapping=[""]
group.autoMembership=[""]
user.disableMissing=B"false"
user.membershipNestingDepth=I"2"

# Apache Jackrabbit Oak External Login Module
jaas.controlFlag="SUFFICIENT"
jaas.ranking=I"50"
sync.handlerName="default"
jaas.realmName=""
idp.name="ldap"


LDIF File Snippet:

dn: CN=DnsUpdateProxy,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: DnsUpdateProxy
description: DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
instanceType: 4
whenCreated: 20200212074609.0Z
whenChanged: 20200212074609.0Z
uSNCreated: 3603
uSNChanged: 3603
name: DnsUpdateProxy
objectGUID:: fC+OYNPR1Um6d65Uctstpw==
objectSid:: AQUAAAAAAAUVAAAAlvzxoCLKglAqEEnqTgQAAA==
sAMAccountName: DnsUpdateProxy
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
distinguishedName: CN=DnsUpdateProxy,CN=Users,DC=example,DC=com

dn: CN=DnsAdmins,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: DnsAdmins
description: DNS Administrators Group
instanceType: 4
whenCreated: 20200212074609.0Z
whenChanged: 20200212074609.0Z
uSNCreated: 3602
uSNChanged: 3602
name: DnsAdmins
objectGUID:: uWRuKJKD7ESxSosncblwHA==
objectSid:: AQUAAAAAAAUVAAAAlvzxoCLKglAqEEnqTQQAAA==
sAMAccountName: DnsAdmins
sAMAccountType: 536870912
groupType: -2147483644
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
distinguishedName: CN=DnsAdmins,CN=Users,DC=example,DC=com

dn: CN=everyone,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: everyone
description: everyone
instanceType: 4
whenCreated: 20200218143504.0Z
uSNCreated: 3764
name: everyone
objectGUID:: L8ujcWUxvUq9wZnuOMiOBw==
objectSid:: AQUAAAAAAAUVAAAAlvzxoCLKglAqEEnqRAYAAA==
sAMAccountName: everyone
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
member: CN=john.doe,CN=Users,DC=example,DC=com
whenChanged: 20200218144440.0Z
uSNChanged: 3765
distinguishedName: CN=everyone,CN=Users,DC=example,DC=com

dn: CN=admin,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: admin
description: test admin
instanceType: 4
whenCreated: 20200212165214.0Z
uSNCreated: 3757
name: admin
objectGUID:: nByiLbz5fUqur+MgO+1i+Q==
objectSid:: AQUAAAAAAAUVAAAAlvzxoCLKglAqEEnqQQYAAA==
sAMAccountName: admin
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
member: CN=john.doe,CN=Users,DC=example,DC=com
member: CN=billy.joel,CN=Users,DC=example,DC=com
whenChanged: 20200212165805.0Z
uSNChanged: 3762
distinguishedName: CN=admin,CN=Users,DC=example,DC=com

AEM 6.4 authentication Groups LDAP LDAPADSync SSO

Accepted Solutions (1)

berliant

Employee

18-06-2020

user.membershipNestingDepth=I"2" - controls group sync. Note, it does not sync individual groups, only when syncing a user's membership ancestry, i.e. if a syncing user is a member of a group, then the group will be synced with the AEM repository.
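As an added illustration (this is not code from the question, the accepted answer, or Jackrabbit Oak), the Python below parses the group entries from the LDIF snippet posted in the question, checks each group's DN against the posted group.baseDN, and walks a user's membership ancestry no deeper than the posted user.membershipNestingDepth, which is the path by which the Default Sync Handler brings groups into the repository as the accepted answer describes. The subtree-scope search assumption, the simple DN normalization, and the extra "nested-example" group (added so that nesting depth actually matters) are assumptions of this example, not facts from the page.

```python
# Added example (not from the original post or from Oak): offline check of the
# posted LDIF groups against the posted LDAP Identity Provider / Sync Handler config.
from typing import Dict, List, Set

# Constructed from the LDIF snippet in the question (only the attributes needed here),
# plus one constructed nested group that is NOT in the posted LDIF.
LDIF = """\
dn: CN=DnsUpdateProxy,CN=Users,DC=example,DC=com
objectClass: group
cn: DnsUpdateProxy

dn: CN=DnsAdmins,CN=Users,DC=example,DC=com
objectClass: group
cn: DnsAdmins

dn: CN=everyone,CN=Users,DC=example,DC=com
objectClass: group
cn: everyone
member: CN=john.doe,CN=Users,DC=example,DC=com

dn: CN=admin,CN=Users,DC=example,DC=com
objectClass: group
cn: admin
member: CN=john.doe,CN=Users,DC=example,DC=com
member: CN=billy.joel,CN=Users,DC=example,DC=com

# Constructed for this example only: a group that contains the 'admin' group.
dn: CN=nested-example,CN=Users,DC=example,DC=com
objectClass: group
cn: nested-example
member: CN=admin,CN=Users,DC=example,DC=com
"""

# Values copied from the posted config (OSGi '\=' escaping removed).
GROUP_BASE_DN = "CN=Group,DC=example,DC=com"
MEMBERSHIP_NESTING_DEPTH = 2


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF parser: returns {dn: {attribute: [values]}}.
    Skips '#' comments and base64 'attr:: value' lines, which this check does not need."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:            # blank line separates entries
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        if attr.endswith(":"):  # 'attr:: base64' form
            continue
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def normalize_dn(dn: str) -> str:
    """Assumption: lower-case and strip whitespace around RDNs is enough for this data."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def groups_outside_base_dn(entries: Dict[str, Dict[str, List[str]]], base_dn: str) -> List[str]:
    """Group DNs that a subtree search rooted at base_dn would never return."""
    base = normalize_dn(base_dn)
    outside = []
    for dn, attrs in entries.items():
        if "group" not in attrs.get("objectClass", []):
            continue
        n = normalize_dn(dn)
        if not (n == base or n.endswith("," + base)):
            outside.append(dn)
    return outside


def membership_ancestry(entries: Dict[str, Dict[str, List[str]]], user_dn: str, max_depth: int) -> Dict[str, int]:
    """Groups reachable from user_dn via 'member' links, mapped to the depth at which
    they are first reached (1 = direct membership). Stops at max_depth, mirroring
    user.membershipNestingDepth: 0 syncs no groups, 1 only direct groups, 2 groups of groups."""
    parents: Dict[str, Set[str]] = {}
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            parents.setdefault(normalize_dn(member), set()).add(dn)
    found: Dict[str, int] = {}
    frontier = [normalize_dn(user_dn)]
    depth = 0
    while frontier and depth < max_depth:
        depth += 1
        next_frontier = []
        for node in frontier:
            for group_dn in parents.get(node, ()):
                if group_dn not in found:
                    found[group_dn] = depth
                    next_frontier.append(normalize_dn(group_dn))
        frontier = next_frontier
    return found


if __name__ == "__main__":
    groups = parse_ldif(LDIF)
    print("groups not under group.baseDN:", groups_outside_base_dn(groups, GROUP_BASE_DN))
    user = "CN=john.doe,CN=Users,DC=example,DC=com"
    print("ancestry for", user, membership_ancestry(groups, user, MEMBERSHIP_NESTING_DEPTH))
```

Run as-is, the first line of output lists every group in the posted LDIF, because all of them live under CN=Users,DC=example,DC=com while the posted group.baseDN is CN=Group,DC=example,DC=com; the second line shows that john.doe would pull in "everyone" and "admin" at depth 1 and the constructed "nested-example" only because the configured depth is 2.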

Answers (0)