AEM and LDAP Group Mapping and permission management Best practices | Community
Skip to main content
M
mani_devaraj
September 8, 2023
Solved

AEM and LDAP Group Mapping and permission management Best practices

  • September 8, 2023
  • 1 reply
  • 1473 views

Hi Everyone,

 

I would like to take some recommendations and best practices wrt AEM internal groups and LDAP groups mapping & permission management.

 

We have AEM and LDAP groups setup in our project, both internal and LDAP groups are named identical. We are on AEM 6.5 and using ACL Netcentric to maintain the permissions. Below is one of the sample config we have with the yaml file.

 

- aem-publishers-myapp-gb: - name: MyApp Publishers GB isMemberOf: aem-common-myapp path: myapp/gb externalId: "CN=aem-publishers-myapp-gb,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=COM;XXXX"

 

  1. Is it recommended to both the internal and LDAP groups identical name?
  2. Are there any known limitation with this kind of setup?
  3. Would it be advised to have the unique names among AEM internal and LDAP?

We are currently facing some issues when a LDAP group details got updated and then users either lost permissions or unable to login to AEM, where the log throws this group already exists in AEM. The investigation for this issue is in progress but meanwhile we suspect this would be due to the group naming conventions followed.

It would be great to get any of your views on the above mentioned setup.

 

Thanks in Advance!

Mani

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by Sudheer_Sundalam

@mani_devaraj ,

I am not sure about the best practices around LDAP and AEM group naming conventions but we are doing like the below approach at my organization.

1) "publishers-myapp-gb" : The main AEM group where the permissions to various paths are managed.

2) "aem-publishers-myapp-gb": A proxy group to the "publishers-myapp-gb" in AEM and added "aem-publishers-myapp-gb" as the member of the main group(publishers-myapp-gb).

3) All the LDAP group names follow the convention of "aem-<main-group-name>"

4) LDAP Default Sync Handler syncs the user from LDAP group to the proxy group present in AEM.

 

With this method, we almost never had any issue with user permissions. This enabled us to easily manage both AEM permission groups and LDAP Sync groups without effecting each other during the updates to the groups.

Even when sync does happen with issues from LDAP, it only effects the proxy group and the main AEM group stays intact.

 

Hope this helps!

1 reply

Sudheer_Sundalam
Community Advisor
Sudheer_SundalamCommunity AdvisorAccepted solution
Community Advisor
September 8, 2023

@mani_devaraj ,

I am not sure about the best practices around LDAP and AEM group naming conventions but we are doing like the below approach at my organization.

1) "publishers-myapp-gb" : The main AEM group where the permissions to various paths are managed.

2) "aem-publishers-myapp-gb": A proxy group to the "publishers-myapp-gb" in AEM and added "aem-publishers-myapp-gb" as the member of the main group(publishers-myapp-gb).

3) All the LDAP group names follow the convention of "aem-<main-group-name>"

4) LDAP Default Sync Handler syncs the user from LDAP group to the proxy group present in AEM.

 

With this method, we almost never had any issue with user permissions. This enabled us to easily manage both AEM permission groups and LDAP Sync groups without effecting each other during the updates to the groups.

Even when sync does happen with issues from LDAP, it only effects the proxy group and the main AEM group stays intact.

 

Hope this helps!

    M
    mani_devarajAuthor
    September 11, 2023

    Thank you @sudheer_sundalam for your response!

    It's good to know your organisation setup.

     

    How do you manage the new LDAP group creation and the association with AEM internal group?

    Is this a manual activity after syncing the LDAP groups and then assign the AEM group to sync'ed group. We would like to have an automated way for the group assignments as we have the more frequent new groups for the suppliers.

     

    This may become a overhead in the long run with the project release process.

     

    Thanks

      Sudheer_Sundalam
      Community Advisor
      Sudheer_SundalamCommunity Advisor
      Community Advisor
      September 11, 2023

      @mani_devaraj ,

      We manage the groups and permissions in AEM and raise service request to LDAP team to add user to the required group in LDAP. When the user logs in, they are synced with AEM Proxy group with same name with that of LDAP group. This process allows AEM authors get into the correct group with required permissions. 

        Terms & ConditionsAccessibility statement

        Loading footer...