Hi Everyone,
I would like to take some recommendations and best practices with regard to AEM internal groups and LDAP group mapping & permission management.
We have AEM and LDAP groups set up in our project; both the internal and the LDAP groups are named identically. We are on AEM 6.5 and using ACL Netcentric to maintain the permissions. Below is one of the sample configs we have in the YAML file.
  # group_config entry for the LDAP-backed group (OU/DC values and the IdP name after ';' are redacted)
  - aem-publishers-myapp-gb:
    - name: MyApp Publishers GB
      isMemberOf: aem-common-myapp
      path: myapp/gb
      externalId: "CN=aem-publishers-myapp-gb,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=COM;XXXX"
We are currently facing some issues when an LDAP group's details get updated: users then either lose permissions or are unable to log in to AEM, and the log says this group already exists in AEM. The investigation for this issue is in progress, but meanwhile we suspect this would be due to the group naming conventions followed.
It would be great to get any of your views on the above-mentioned setup.
Thanks in Advance!
Mani
I am not sure about the best practices around LDAP and AEM group naming conventions, but we are using the approach below at my organization.
1) "publishers-myapp-gb": The main AEM group where the permissions to various paths are managed.
2) "aem-publishers-myapp-gb": A proxy group for "publishers-myapp-gb" in AEM; "aem-publishers-myapp-gb" is added as a member of the main group (publishers-myapp-gb).
3) All the LDAP group names follow the convention of "aem-<main-group-name>"
4) LDAP Default Sync Handler syncs the user from LDAP group to the proxy group present in AEM.
With this method, we almost never had any issue with user permissions. This enabled us to easily manage both AEM permission groups and LDAP sync groups without affecting each other during updates to the groups.
Even when a sync from LDAP does happen with issues, it only affects the proxy group, and the main AEM group stays intact.
Hope this helps!
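The two-tier layout described in the answer above, written out as an AC Tool (ACL Netcentric) configuration. This is an added example, not config from the original post or from either organisation: the group names follow the answer, while the content path under /content, the OU/DC components of the DN, the IdP name "ldap" after the semicolon and the privilege set are placeholders you would replace with your own values.

```yaml
# Added example: proxy-group pattern for LDAP-synced groups in AC Tool.
# Placeholders: /content/myapp/gb, OU=Groups,DC=example,DC=com, IdP name "ldap".
- group_config:

  # 1) Main AEM group. This is the ONLY group that carries ACEs (see ace_config).
  #    It has no externalId, so the LDAP sync handler never touches it.
  - publishers-myapp-gb:
    - name: MyApp Publishers GB
      path: myapp/gb                     # relative to /home/groups
      description: Permission group, managed in AEM only

  # 2) Proxy group with the "aem-" prefix. It mirrors the LDAP group of the
  #    same name, carries no ACEs of its own, and is a member of the main group.
  #    externalId = "<DN of the LDAP group>;<IdP name configured in the sync handler>"
  - aem-publishers-myapp-gb:
    - name: MyApp Publishers GB (LDAP)
      path: myapp/gb
      isMemberOf: publishers-myapp-gb
      externalId: "CN=aem-publishers-myapp-gb,OU=Groups,DC=example,DC=com;ldap"

- ace_config:

  # 3) ACEs attach to the main group only. Users synced from LDAP inherit them
  #    through the proxy group's membership in publishers-myapp-gb.
  - publishers-myapp-gb:
    - path: /content/myapp/gb
      permission: allow
      privileges: jcr:read,rep:write,crx:replicate
```

Because the ACEs hang off publishers-myapp-gb and not off the synced group, a re-sync that rewrites the proxy group's membership leaves the permission set untouched, which is the property the answer relies on. The externalId must match the DN that the Default Sync Handler resolves for the group and the IdP name configured there; if the LDAP entry is moved or renamed, that value has to be updated in the YAML as well.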
Thank you @Sudheer_Sundalam for your response!
It's good to know your organisation setup.
How do you manage the new LDAP group creation and the association with AEM internal group?
Is this a manual activity, i.e. after syncing the LDAP groups you then assign the AEM group to the synced group? We would like to have an automated way for the group assignments, as we have new groups for the suppliers more frequently.
This may become an overhead in the long run with the project release process.
Thanks
We manage the groups and permissions in AEM and raise a service request to the LDAP team to add the user to the required group in LDAP. When the user logs in, they are synced into the AEM proxy group with the same name as the LDAP group. This process allows AEM authors to get into the correct group with the required permissions.