AEM Ldap Integration: How can two different configs lives side by side? | Community
Magicr
Level 6
January 25, 2023
Solved

AEM Ldap Integration: How can two different configs lives side by side?

  • January 25, 2023
  • 2 replies
  • 1566 views

Hello,

 

I'm facing the following situation:

I have two different users. Let's say user "A" is a member of the LDAP groups "UserGroupA" and "DifferentGroupS-A". User "B" is a member of the LDAP groups "UserGroupB" and "CompleteDifferentOtherGroupS". The effect is that checking the users' membership needs different queries.

For this reason, I have created two configuration bundles (Default Sync Handler, LDAP Identity Provider and External Login Module). When I tried to log in to the instance, the CMS executed only one query, depending on the saved order. The effect is that one user cannot be logged in.

 

My question: How can I solve this issue without combining the queries?


2 replies

Ankur_Khare
Community Advisor
January 26, 2023

Hi,

Not very clear, could you please add more details with a snapshot of the configs?

 

Regards

Ankur

Magicr (Author)
Level 6
January 27, 2023

Here are the important parts of the requested configs:

 

------------------- Configuration for User A -----------------
========= Ldap Identity Provider ==================
:org.apache.felix.configadmin.revision:=L"5"
adminPool.lookupOnValidate=B"true"
adminPool.maxActive=L"8"
bind.dn=""
bind.password=""
customattributes=[ \
]
group.baseDN="OU\=MyGroups,DC\=example,DC\=com"
group.extraFilter="(&(objectClass\=group)(|(cn\=SGG-Ax)(&(extensionAttribute\=yyyy))(cn\=SUG-Bx)(cn\=sug-ix*)))"
group.makeDnPath=B"false"
group.memberAttribute="member"
group.nameAttribute="cn"
group.objectclass=[ \
  "group", \
]
host.name="aaa.bbb.ccc.ddd"
host.noCertCheck=B"false"
host.port=""
host.ssl=B"false"
host.tls=B"false"
provider.name="ConfigA-idp"
searchTimeout="10s"
service.factoryPid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
service.pid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider~configA-idp"
useUidForExtId=B"false"
user.baseDN="OU\=MyUsers,DC\=example,DC\=com"
user.extraFilter="(&(objectClass\=person)(memberOf\=CN\=SGG-Ax,OU\=MyGroups,DC\=example,DC\=com))"
user.idAttribute="sAMAccountName"
user.makeDnPath=B"false"
user.objectclass=[ \
  "person", \
]
userPool.lookupOnValidate=B"true"
userPool.maxActive=L"8"

=================== External Login Factory =========
:org.apache.felix.configadmin.revision:=L"9"
idp.name="ConfigA-idp"
jaas.controlFlag="SUFFICIENT"
jaas.ranking="50"
jaas.realmName=""
service.factoryPid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"
service.pid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory~configA-login"
sync.handlerName="ConfigA-handler"

------------------- Configuration for User B -----------------
========= Ldap Identity Provider ==================
:org.apache.felix.configadmin.revision:=L"4"
adminPool.lookupOnValidate=B"true"
adminPool.maxActive=L"8"
bind.dn=""
bind.password=""
customattributes=[ \
]
group.baseDN="OU\=MyGroups,DC\=example,DC\=com"
group.extraFilter="(&(objectClass\=group)(|(cn\=sug-t*)(cn\=sug-s*)))"
group.makeDnPath=B"false"
group.memberAttribute="member"
group.nameAttribute="cn"
group.objectclass=[ \
  "group", \
]
host.name="aaa.bbb.ccc.ddd"
host.noCertCheck=B"false"
host.port=""
host.ssl=B"false"
host.tls=B"false"
provider.name="ConfigB-idp"
searchTimeout="10s"
service.factoryPid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
service.pid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider~configB-idp"
useUidForExtId=B"false"
user.baseDN="OU\=MyUsers,DC\=example,DC\=com"
user.extraFilter="(&(objectClass\=person)(|(memberOf\=CN\=sug-t*,OU\=MyGroups,DC\=example,DC\=com)(memberOf\=CN\=sug-s*,OU\=MyGroups,DC\=example,DC\=com)))"
user.idAttribute="sAMAccountName"
user.makeDnPath=B"false"
user.objectclass=[ \
  "person", \
]
userPool.lookupOnValidate=B"true"
userPool.maxActive=L"8"

=================== External Login Factory =========
:org.apache.felix.configadmin.revision:=L"9"
idp.name="ConfigB-idp"
jaas.controlFlag="SUFFICIENT"
jaas.ranking="50"
jaas.realmName=""
service.factoryPid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"
service.pid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory~configB-login"
sync.handlerName="ConfigB-handler"
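To see how two ExternalLoginModuleFactory entries with jaas.controlFlag="SUFFICIENT" can coexist, here is an added simulation (not code from this thread, and not Oak's own implementation) of a JAAS login stack with one login-module entry per LdapIdentityProvider config. It follows the standard JAAS control-flag semantics: a SUFFICIENT module that fails is skipped and the next one is tried, a SUFFICIENT module that succeeds ends the evaluation, and a REQUIRED or REQUISITE module that fails makes the whole login fail. Assumptions not stated in the post: each IdP only sees the users matched by its own user.extraFilter (modelled here as Python predicates over constructed in-memory group memberships instead of a real directory query), and entries are consulted in descending jaas.ranking order, so two equal rankings of 50 leave the relative order unspecified by the configs themselves.

```python
"""Added example (not from the thread or from AEM/Oak): simulation of a JAAS
login stack with one login-module entry per LdapIdentityProvider config.

Assumptions: the directory is replaced by constructed in-memory data, each
IdP only returns users matching its user.extraFilter, and entries are
evaluated in descending jaas.ranking order (higher ranking first).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample directory: uid -> CNs of the groups the user belongs to.
DIRECTORY: Dict[str, Set[str]] = {
    "userA": {"SGG-Ax", "DifferentGroupS-A"},
    "userB": {"sug-t01", "CompleteDifferentOtherGroupS"},
    "userC": {"Unrelated"},  # matched by neither user.extraFilter
}


@dataclass
class LdapIdp:
    """Stand-in for one LdapIdentityProvider OSGi config."""
    name: str
    user_filter: Callable[[Set[str]], bool]  # mirrors user.extraFilter

    def authenticate(self, uid: str) -> Optional[str]:
        groups = DIRECTORY.get(uid)
        if groups is None or not self.user_filter(groups):
            return None  # this IdP's user query does not return the user
        return f"{uid}@{self.name}"  # external identity reference


@dataclass
class LoginModuleEntry:
    """Stand-in for one ExternalLoginModuleFactory OSGi config."""
    idp: LdapIdp
    control_flag: str  # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    ranking: int = 50  # jaas.ranking default


def evaluation_order(stack: List[LoginModuleEntry]) -> List[str]:
    """IdP names in the order the stack consults them (higher ranking first).
    Equal rankings keep list order here; the config value alone does not fix it."""
    return [e.idp.name for e in sorted(stack, key=lambda e: e.ranking, reverse=True)]


def jaas_login(stack: List[LoginModuleEntry], uid: str) -> Tuple[bool, Optional[str]]:
    """Evaluate the stack with standard JAAS control-flag semantics.
    Returns (login succeeded, name of the IdP whose module succeeded first)."""
    ordered = sorted(stack, key=lambda e: e.ranking, reverse=True)
    has_mandatory = False  # a REQUIRED/REQUISITE entry was consulted
    mandatory_ok = True    # and all of them succeeded so far
    winner: Optional[str] = None
    for entry in ordered:
        ok = entry.idp.authenticate(uid) is not None
        flag = entry.control_flag
        if flag in ("REQUIRED", "REQUISITE"):
            has_mandatory = True
            if not ok:
                mandatory_ok = False
                if flag == "REQUISITE":
                    break  # abort the rest of the stack immediately
            elif winner is None:
                winner = entry.idp.name
        elif flag == "SUFFICIENT":
            if ok:
                if winner is None:
                    winner = entry.idp.name
                if mandatory_ok:
                    break  # short-circuit: later modules are never consulted
            # a failing SUFFICIENT module is simply skipped
        elif flag == "OPTIONAL":
            if ok and winner is None:
                winner = entry.idp.name
        else:
            raise ValueError(f"unknown control flag {flag}")
    if has_mandatory:
        return mandatory_ok, (winner if mandatory_ok else None)
    return winner is not None, winner


# Predicates standing in for the two user.extraFilter values from the post.
def config_a_filter(groups: Set[str]) -> bool:  # memberOf CN=SGG-Ax,...
    return "SGG-Ax" in groups


def config_b_filter(groups: Set[str]) -> bool:  # memberOf CN=sug-t*,... or CN=sug-s*,...
    return any(g.lower().startswith(("sug-t", "sug-s")) for g in groups)


CONFIG_A = LdapIdp("ConfigA-idp", config_a_filter)
CONFIG_B = LdapIdp("ConfigB-idp", config_b_filter)


def stack_as_posted(order: Tuple[str, str] = ("A", "B")) -> List[LoginModuleEntry]:
    """Both entries SUFFICIENT with jaas.ranking=50, as in the posted configs."""
    entries = {"A": LoginModuleEntry(CONFIG_A, "SUFFICIENT", 50),
               "B": LoginModuleEntry(CONFIG_B, "SUFFICIENT", 50)}
    return [entries[k] for k in order]


def resolve(uid: str, order: Tuple[str, str] = ("A", "B")) -> Tuple[bool, Optional[str]]:
    return jaas_login(stack_as_posted(order), uid)


if __name__ == "__main__":
    for uid in DIRECTORY:
        for order in (("A", "B"), ("B", "A")):
            print(uid, order, resolve(uid, order))
```

Run it to see that, with both entries SUFFICIENT, userA resolves to ConfigA-idp and userB to ConfigB-idp whichever module is consulted first, while giving the first entry a REQUIRED flag rejects the user the other IdP owns. Giving the two ExternalLoginModuleFactory configs distinct jaas.ranking values is what makes the consultation order deterministic; with both at 50 nothing in the configs decides it.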
Magicr (Author, Accepted solution)
Level 6
February 7, 2023

This issue did disappear over a weekend. No idea why. But now a new issue has been raised: LDAP groups won't be created anymore even though the queries used return valid results.

ChitraMadan
Community Advisor
January 31, 2023

Hi @magicr ,

 

If I have understood your problem correctly: if the LDAP provider is the same and under the same provider you have different users from different user groups, then this should not be a problem. As long as you have the same groups created in AEM too, users will be synced to those different groups with your standard configs.

Sorry, it is not clear why you need 2 configs here.

Magicr (Author)
Level 6
February 1, 2023

@chitramadan Take a closer look at the queries. They are totally different, so they grab different kinds of users. Also, keep the queries simple so other people can better read and understand them in the future.

By the way, even if it is too much work for this use case, how does it work in general? Apparently there are no documented examples - the old song 😢 - and I wonder how it works.