Expand my Community achievements bar.

July 31st AEM Gems Webinar: Elevate your AEM development to master the integration of private GitHub repositories within AEM Cloud Manager.
Register Now
SOLVED

AEM and LDAP Group Mapping and permission management Best practices

Avatar

Level 1
Level 1
9/8/23 12:11:21 PM

Hi Everyone,

 

I would like to take some recommendations and best practices wrt AEM internal groups and LDAP groups mapping & permission management.

 

We have AEM and LDAP groups setup in our project, both internal and LDAP groups are named identical. We are on AEM 6.5 and using ACL Netcentric to maintain the permissions. Below is one of the sample config we have with the yaml file.

 

- aem-publishers-myapp-gb:
	- name: MyApp Publishers GB
	  isMemberOf: aem-common-myapp
	  path: myapp/gb
	  externalId: "CN=aem-publishers-myapp-gb,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=COM;XXXX"

 

  1. Is it recommended to both the internal and LDAP groups identical name?
  2. Are there any known limitation with this kind of setup?
  3. Would it be advised to have the unique names among AEM internal and LDAP?

We are currently facing some issues when a LDAP group details got updated and then users either lost permissions or unable to login to AEM, where the log throws this group already exists in AEM. The investigation for this issue is in progress but meanwhile we suspect this would be due to the group naming conventions followed.

It would be great to get any of your views on the above mentioned setup.

 

Thanks in Advance!

Mani

Views

606

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
9/8/23 2:16:52 PM

@mani_devaraj ,

I am not sure about the best practices around LDAP and AEM group naming conventions but we are doing like the below approach at my organization.

1) "publishers-myapp-gb" : The main AEM group where the permissions to various paths are managed.

2) "aem-publishers-myapp-gb": A proxy group to the "publishers-myapp-gb" in AEM and added "aem-publishers-myapp-gb" as the member of the main group(publishers-myapp-gb).

3) All the LDAP group names follow the convention of "aem-<main-group-name>"

4) LDAP Default Sync Handler syncs the user from LDAP group to the proxy group present in AEM.

 

With this method, we almost never had any issue with user permissions. This enabled us to easily manage both AEM permission groups and LDAP Sync groups without effecting each other during the updates to the groups.

Even when sync does happen with issues from LDAP, it only effects the proxy group and the main AEM group stays intact.

 

Hope this helps!

View solution in original post

Views

577

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
3 Replies

Avatar

Correct answer by
Community Advisor
Community Advisor
9/8/23 2:16:52 PM

@mani_devaraj ,

I am not sure about the best practices around LDAP and AEM group naming conventions but we are doing like the below approach at my organization.

1) "publishers-myapp-gb" : The main AEM group where the permissions to various paths are managed.

2) "aem-publishers-myapp-gb": A proxy group to the "publishers-myapp-gb" in AEM and added "aem-publishers-myapp-gb" as the member of the main group(publishers-myapp-gb).

3) All the LDAP group names follow the convention of "aem-<main-group-name>"

4) LDAP Default Sync Handler syncs the user from LDAP group to the proxy group present in AEM.

 

With this method, we almost never had any issue with user permissions. This enabled us to easily manage both AEM permission groups and LDAP Sync groups without effecting each other during the updates to the groups.

Even when sync does happen with issues from LDAP, it only effects the proxy group and the main AEM group stays intact.

 

Hope this helps!

Views

578

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 1
Level 1
9/11/23 6:56:07 AM
In response to Sudheer_Sundalam

Thank you @Sudheer_Sundalam for your response!

It's good to know your organisation setup.

 

How do you manage the new LDAP group creation and the association with AEM internal group?

Is this a manual activity after syncing the LDAP groups and then assign the AEM group to sync'ed group. We would like to have an automated way for the group assignments as we have the more frequent new groups for the suppliers.

 

This may become a overhead in the long run with the project release process.

 

Thanks

Views

538

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
9/11/23 7:09:44 AM
In response to mani_devaraj

@mani_devaraj ,

We manage the groups and permissions in AEM and raise service request to LDAP team to add user to the required group in LDAP. When the user logs in, they are synced with AEM Proxy group with same name with that of LDAP group. This process allows AEM authors get into the correct group with required permissions. 

Views

531

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Is there a way to reuse AEM policy styleGroups?

Views

57

Likes

0

Replies

0
Experience Fragment and countries

Views

143

Likes

0

Replies

5
global content find and replace in touch UI

Views

353

Likes

0

Replies

3
How to exclude immidiate child nodes in AEM query Builder ?

Views

104

Likes

0

Replies

3
Tag Garbage Collector observation in AEM 65

Views

86

Likes

0

Replies

0