
SOLVED

AEM and LDAP Group Mapping and permission management Best practices

Level 1

Hi Everyone,


I would like to get some recommendations and best practices with regard to AEM internal groups, LDAP group mapping and permission management.


We have AEM and LDAP groups set up in our project; both the internal and the LDAP groups are named identically. We are on AEM 6.5 and use ACL Netcentric to maintain the permissions. Below is one of the sample configs we have in the YAML file.


- aem-publishers-myapp-gb:
    - name: MyApp Publishers GB
      isMemberOf: aem-common-myapp
      path: myapp/gb
      externalId: "CN=aem-publishers-myapp-gb,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=COM;XXXX"


  1. Is it recommended to give both the internal and LDAP groups identical names?
  2. Are there any known limitations with this kind of setup?
  3. Would it be advisable to have unique names between AEM internal and LDAP groups?

We are currently facing some issues when an LDAP group's details get updated: users then either lose permissions or are unable to log in to AEM, and the log says this group already exists in AEM. The investigation for this issue is in progress, but meanwhile we suspect this is due to the group naming convention followed.

It would be great to get your views on the above-mentioned setup.


Thanks in Advance!

Mani

1 Accepted Solution

Correct answer by
Community Advisor

@mani_devaraj ,

I am not sure about the best practices around LDAP and AEM group naming conventions, but we use the approach below at my organization.

1) "publishers-myapp-gb": The main AEM group where the permissions to the various paths are managed.

2) "aem-publishers-myapp-gb": A proxy group for "publishers-myapp-gb" in AEM; "aem-publishers-myapp-gb" is added as a member of the main group (publishers-myapp-gb).

3) All the LDAP group names follow the convention "aem-<main-group-name>".

4) The LDAP Default Sync Handler syncs the users from the LDAP group to the proxy group present in AEM.


With this method, we have almost never had any issue with user permissions. It lets us easily manage both the AEM permission groups and the LDAP sync groups without affecting each other during updates to the groups.

Even when a sync from LDAP does happen with issues, it only affects the proxy group, and the main AEM group stays intact.


Hope this helps!

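The proxy-group layout described in the accepted answer, written out as ACL Netcentric YAML. This is an added example, not the poster's own configuration: the group names follow the answer, while the OU/DC values, the content path and the action list are placeholders.

```yaml
# Added example (not the poster's config): ACL Netcentric YAML for the
# proxy-group pattern. OU/DC values, content path and actions are placeholders.
- group_config:

  # Main AEM group: carries the permissions. It has no externalId, so the
  # LDAP sync handler never creates, renames or replaces it.
  - publishers-myapp-gb:
    - name: MyApp Publishers GB
      isMemberOf: aem-common-myapp
      path: myapp/gb

  # Proxy group: same name as the LDAP group and linked to it via externalId.
  # Its only job is membership in the main group; it carries no ACEs, so a
  # broken or re-created sync only disturbs this group, not the permissions.
  - aem-publishers-myapp-gb:
    - name: MyApp Publishers GB (LDAP proxy)
      isMemberOf: publishers-myapp-gb
      path: myapp/gb
      externalId: "CN=aem-publishers-myapp-gb,OU=xxxx,DC=xxxx,DC=COM;XXXX"

- ace_config:

  # Permissions are attached only to the main group, never to the proxy.
  - publishers-myapp-gb:
    - path: /content/myapp/gb
      permission: allow
      actions: read,modify,create,delete,replicate
      privileges:
      repGlob:
```

A quick check after deployment is that the proxy group has an externalId and no ACEs of its own, while the main group has ACEs and no externalId.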

3 Replies


Level 1

Thank you @Sudheer_Sundalam for your response!

It's good to know your organisation setup.


How do you manage the new LDAP group creation and the association with AEM internal group?

Is this a manual activity after syncing the LDAP groups, and then assigning the AEM group to the synced group? We would like to have an automated way for the group assignments, as we have more frequent new groups for the suppliers.


This may become an overhead in the long run with the project release process.


Thanks

Community Advisor

@mani_devaraj ,

We manage the groups and permissions in AEM and raise a service request to the LDAP team to add the user to the required group in LDAP. When the user logs in, they are synced into the AEM proxy group that has the same name as the LDAP group. This process lets AEM authors get into the correct group with the required permissions.