Hi,
I am trying to integrate AEM6 SP2 with LDAP, a fairly straightforward process as mentioned at http://docs.adobe.com/docs/en/aem/6-0/administer/security/ldap-config.html. I have configured the LdapIdentityProvider, DefaultSyncHandler and an ExternalLoginModuleFactory in the OSGi console. These configurations seem to have been registered successfully. I have also restarted AEM, but I still don't see my LDAP users and groups in the AEM useradmin console.
I also tried to manually sync all users using the JMX console, but still no sync. I don't see any errors in error.log either.
Have I missed something somewhere?
Snapshot of error.log -
------------------Start LdapIdentityProvider------------------------
07.05.2015 15:01:54.178 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.b3a2590d-5ce4-4d88-9a06-164a71c45680)] org.apache.jackrabbit.oak-auth-ldap Service [org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.b3a2590d-5ce4-4d88-9a06-164a71c45680,2886] ServiceEvent REGISTERED
07.05.2015 15:01:54.335 *INFO* [JcrInstaller.1] org.apache.sling.installer.provider.jcr.impl.JcrInstaller Registering resource with OSGi installer: [InstallableResource, priority=200, id=/apps/system/config/org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider-b3a2590d-5ce4-4d88-9a06-164a71c45680.config]
------------------End LdapIdentityProvider--------------------------
------------------Start DefaultSyncHandler--------------------------
7.05.2015 15:13:36.181 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler.1e52f461-1ced-48a5-a2eb-50c417ff3015)] org.apache.jackrabbit.oak-auth-external Service [org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler.1e52f461-1ced-48a5-a2eb-50c417ff3015,2887] ServiceEvent REGISTERED
07.05.2015 15:13:36.275 *INFO* [JcrInstaller.1] org.apache.sling.installer.provider.jcr.impl.JcrInstaller Registering resource with OSGi installer: [InstallableResource, priority=200, id=/apps/system/config/org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler-1e52f461-1ced-48a5-a2eb-50c417ff3015.config]
------------------End DefaultSyncHandler----------------------------
------------------Start ExternalLoginModuleFactory------------------
07.05.2015 15:17:34.670 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory.5b7a8f3c-4666-4950-905b-e839262b915b)] org.apache.jackrabbit.oak-auth-external Service [org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory.5b7a8f3c-4666-4950-905b-e839262b915b,2888] ServiceEvent REGISTERED
07.05.2015 15:17:34.670 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory.5b7a8f3c-4666-4950-905b-e839262b915b)] org.apache.jackrabbit.oak-auth-external Service [2889] ServiceEvent REGISTERED
07.05.2015 15:17:34.670 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory.5b7a8f3c-4666-4950-905b-e839262b915b)] org.apache.felix.jaas Registering LoginModuleFactory org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory@46027b94
------------------End ExternalLoginModuleFactory-------------------
Regards,
Kunal
Are you able to log in to AEM using Active Directory credentials?
syncAllUsers does not bring all your LDAP users to AEM. It only syncs existing local users from LDAP. Local users are created on first login or manually by calling the syncUsers() method. See documentation here-
Please share the configurations.
Here are the configs -
LDAPIdentityProvider
# Configuration created by Apache Sling JCR Installer
userPool.maxActive=L"8"
searchTimeout="60s"
host.name="ldap.host.com"
adminPool.maxActive=L"8"
group.makeDnPath=B"false"
user.baseDN="ou\=users,dc\=abc,dc\=com"
group.objectclass=["groupOfUniqueNames"]
user.objectclass=["person"]
host.noCertCheck=B"false"
user.makeDnPath=B"false"
bind.dn="uid\=user_name,ou\=accounts,ou\=administration,dc\=abc,dc\=com"
group.baseDN="ou\=groups,dc\=abc,dc\=com"
group.extraFilter=""
user.extraFilter=""
host.port=I"389"
bind.password="password"
group.nameAttribute="cn"
provider.name="LDAP"
host.ssl=B"false"
host.tls=B"false"
user.idAttribute="uid"
group.memberAttribute="uniqueMember"
Sync Handler
# Configuration created by Apache Sling JCR Installer
group.pathPrefix=""
group.expirationTime="1d"
user.membershipExpTime="1h"
user.pathPrefix=""
user.propertyMapping=[""]
handler.name="LDAPSync"
user.autoMembership=[""]
user.expirationTime="1h"
group.propertyMapping=[""]
user.membershipNestingDepth=I"1"
group.autoMembership=[""]
Login Module
# Configuration created by Apache Sling JCR Installer
jaas.controlFlag="SUFFICIENT"
jaas.ranking=I"50"
sync.handlerName="LDAPSync"
jaas.realmName=""
idp.name="LDAP"
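A check one could run over the three configurations posted above, as an added example that is not part of the original thread: it parses the scalar entries of the .config files, confirms the login module's idp.name and sync.handlerName point at the provider and sync handler by name, and flags a connection where both host.ssl and host.tls are off, so the bind DN and password travel in cleartext. The function names and the trimmed sample strings are constructed for illustration.

```python
import re

# Constructed sample input: trimmed copies of the three configs posted above.
IDP = r'''provider.name="LDAP"
host.port=I"389"
host.ssl=B"false"
host.tls=B"false"
host.noCertCheck=B"false"
bind.dn="uid\=user_name,ou\=accounts,ou\=administration,dc\=abc,dc\=com"
'''
SYNC = 'handler.name="LDAPSync"\nuser.expirationTime="1h"\n'
LOGIN = 'idp.name="LDAP"\nsync.handlerName="LDAPSync"\njaas.ranking=I"50"\n'

LINE = re.compile(r'^([\w.]+)=([A-Za-z]?)"(.*)"$')

def parse_config(text):
    """Parse scalar key=T"value" entries; comments and array values are skipped."""
    out = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, typ, val = m.groups()
        val = val.replace("\\=", "=")      # undo the \= escaping used in DNs
        if typ == "B":
            val = (val == "true")
        elif typ in ("I", "L"):
            val = int(val)
        out[key] = val
    return out

def audit(idp_text, sync_text, login_text):
    """Return findings for name wiring and LDAP transport security."""
    idp, sync, login = map(parse_config, (idp_text, sync_text, login_text))
    findings = []
    if login.get("idp.name") != idp.get("provider.name"):
        findings.append("idp.name does not match provider.name")
    if login.get("sync.handlerName") != sync.get("handler.name"):
        findings.append("sync.handlerName does not match handler.name")
    if not idp.get("host.ssl") and not idp.get("host.tls"):
        findings.append("bind DN and password cross the network unencrypted")
    if idp.get("host.noCertCheck"):
        findings.append("server certificate is not verified")
    return findings

if __name__ == "__main__":
    print(audit(IDP, SYNC, LOGIN))
```
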
Hi,
My initial problem was that AEM 6 SP2 was not connecting to LDAP at all. I had verified and re-verified my configs multiple times and they were all fine, as I was able to connect to the LDAP using similar settings via other LDAP clients. My last throw of the dice was to upgrade from Java 7 to 8 and voila, AEM was connecting to LDAP.
I am still having issues with syncing all external users, but those are to do with memory and the number of LDAP objects. Thanks for the help.
Regards,
Kunal