Hello,
I'm facing the following situation:
I have two different users. Let's say user "A" is a member of the LDAP groups "UserGroupA" and "DifferentGroupS-A". User "B" is a member of the LDAP groups "UserGroupB" and "CompleteDifferentOtherGroupS". The effect is that checking the users' membership needs different queries.
For this reason, I have created two configuration bundles (Default Sync Handler, LDAP Identity Provider and External Login Module). When I tried to log in to the instance, the CMS executed only one query, depending on the saved order. The effect is that one user cannot be logged in.
My question: How can I solve this issue without combining the queries?
This issue did disappear over a weekend. No idea why. But now a new issue has been raised. LDAP groups won't be created anymore even though the used queries return valid results.
Hi,
Not very clear. Could you please add more details with a snapshot of the configs?
Regards
Ankur
Here are the important parts of the configs you requested:
------------------- Configuration for User A -----------------
========= Ldap Identity Provider ==================
:org.apache.felix.configadmin.revision:=L"5"
adminPool.lookupOnValidate=B"true"
adminPool.maxActive=L"8"
bind.dn=""
bind.password=""
customattributes=[ \
]
group.baseDN="OU\=MyGroups,DC\=example,DC\=com"
group.extraFilter="(&(objectClass\=group)(|(cn\=SGG-Ax)(&(extensionAttribute\=yyyy))(cn\=SUG-Bx)(cn\=sug-ix*)))"
group.makeDnPath=B"false"
group.memberAttribute="member"
group.nameAttribute="cn"
group.objectclass=[ \
"group", \
]
host.name="aaa.bbb.ccc.ddd"
host.noCertCheck=B"false"
host.port=""
host.ssl=B"false"
host.tls=B"false"
provider.name="ConfigA-idp"
searchTimeout="10s"
service.factoryPid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
service.pid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider~configA-idp"
useUidForExtId=B"false"
user.baseDN="OU\=MyUsers,DC\=example,DC\=com"
user.extraFilter="(&(objectClass\=person)(memberOf\=CN\=SGG-Ax,OU\=MyGroups,DC\=example,DC\=com))"
user.idAttribute="sAMAccountName"
user.makeDnPath=B"false"
user.objectclass=[ \
"person", \
]
userPool.lookupOnValidate=B"true"
userPool.maxActive=L"8"
=================== External Login Factory =========
:org.apache.felix.configadmin.revision:=L"9"
idp.name="ConfigA-idp"
jaas.controlFlag="SUFFICIENT"
jaas.ranking="50"
jaas.realmName=""
service.factoryPid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"
service.pid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory~configA-login"
sync.handlerName="ConfigA-handler"
------------------- Configuration for User B -----------------
========= Ldap Identity Provider ==================
:org.apache.felix.configadmin.revision:=L"4"
adminPool.lookupOnValidate=B"true"
adminPool.maxActive=L"8"
bind.dn=""
bind.password=""
customattributes=[ \
]
group.baseDN="OU\=MyGroups,DC\=example,DC\=com"
group.extraFilter="(&(objectClass\=group)(|(cn\=sug-t*)(cn\=sug-s*)))"
group.makeDnPath=B"false"
group.memberAttribute="member"
group.nameAttribute="cn"
group.objectclass=[ \
"group", \
]
host.name="aaa.bbb.ccc.ddd"
host.noCertCheck=B"false"
host.port=""
host.ssl=B"false"
host.tls=B"false"
provider.name="ConfigB-idp"
searchTimeout="10s"
service.factoryPid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
service.pid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider~configB-idp"
useUidForExtId=B"false"
user.baseDN="OU\=MyUsers,DC\=example,DC\=com"
user.extraFilter="(&(objectClass\=person)(|(memberOf\=CN\=sug-t*,OU\=MyGroups,DC\=example,DC\=com)(memberOf\=CN\=sug-s*,OU\=MyGroups,DC\=example,DC\=com)))"
user.idAttribute="sAMAccountName"
user.makeDnPath=B"false"
user.objectclass=[ \
"person", \
]
userPool.lookupOnValidate=B"true"
userPool.maxActive=L"8"
=================== External Login Factory =========
:org.apache.felix.configadmin.revision:=L"9"
idp.name="ConfigB-idp"
jaas.controlFlag="SUFFICIENT"
jaas.ranking="50"
jaas.realmName=""
service.factoryPid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"
service.pid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory~configB-login"
sync.handlerName="ConfigB-handler"
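An added example (not code from the thread or from Oak/AEM) that parses config dumps in the Felix format pasted above and runs two checks a practitioner would want before debugging further: both ExternalLoginModuleFactory configs carry the same jaas.ranking, so the configuration does not say which login module is consulted first, and Active Directory does not evaluate substring wildcards on DN-syntax attributes such as memberOf, so a "(memberOf=CN=sug-t*,...)" clause matches nothing. The sample dumps are constructed and abridged from the thread's values.

```python
import re

# Constructed, abridged dumps in the Felix config format shown in the thread.
LOGIN_A = r'''service.factoryPid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"
service.pid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory~configA-login"
jaas.controlFlag="SUFFICIENT"
jaas.ranking="50"'''
LOGIN_B = LOGIN_A.replace('configA', 'configB')
IDP_B = r'''service.pid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider~configB-idp"
host.ssl=B"false"
user.extraFilter="(&(objectClass\=person)(|(memberOf\=CN\=sug-t*,OU\=MyGroups,DC\=example,DC\=com)))"'''

KV = re.compile(r'^([\w.:]+)=(?:[BLI])?"(.*)"$')  # key="val" or key=B"val"
CLAUSE = re.compile(r'\((\w+)=([^()]*)\)')        # (attr=value) leaf clauses
DN_SYNTAX = {'memberof', 'member', 'distinguishedname', 'manager'}

def parse_felix_config(text):
    """One dump -> dict; drops the B/L type prefix and the '\=' escapes.
    Multi-line arrays ('[ \' ... ']') hold nothing these checks need."""
    conf = {}
    for line in text.splitlines():
        m = KV.match(line.strip())
        if m:
            conf[m.group(1)] = m.group(2).replace('\\=', '=')
    return conf

def lint_ldap_filter(flt):
    """Flag wildcards on DN-syntax attributes (no substring match in AD)."""
    return [f'wildcard on DN-syntax attribute {attr}: {val}'
            for attr, val in CLAUSE.findall(flt)
            if attr.lower() in DN_SYNTAX and '*' in val]

def lint_login_modules(configs):
    """Flag ExternalLoginModuleFactory configs that share a jaas.ranking."""
    by_rank, issues = {}, []
    for c in configs:
        if c.get('service.factoryPid', '').endswith('ExternalLoginModuleFactory'):
            rank = c.get('jaas.ranking')
            if rank in by_rank:
                issues.append(f"{c['service.pid']} shares jaas.ranking {rank} with {by_rank[rank]}")
            else:
                by_rank[rank] = c['service.pid']
    return issues

def lint_all(dumps):
    """Parse every dump and collect both kinds of finding."""
    configs = [parse_felix_config(d) for d in dumps]
    issues = lint_login_modules(configs)
    for c in configs:
        for key in ('user.extraFilter', 'group.extraFilter'):
            issues += [f"{c.get('service.pid', '?')} {key}: {i}"
                       for i in lint_ldap_filter(c.get(key, ''))]
    return issues
```

Running lint_all([LOGIN_A, LOGIN_B, IDP_B]) reports the shared ranking and the memberOf wildcard; a filter such as "(cn=sug-ix*)" on a string attribute is not flagged.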
Hi @Magicr ,
If I have understood your problem correctly: if the LDAP provider is the same and under the same provider you have different users from different user groups, then this should not be a problem. As long as you have the same groups created in AEM too, users will be synced to those different groups with your standard configs.
Sorry, it is not clear to me why you need 2 configs here.
@ChitraMadan Take a closer look at the queries. They are totally different, so they grab different kinds of users. Also, keep the queries simple so other people can read and understand them more easily in the future.
By the way, even if it is too much work for this use case, how does it work in general? Apparently there are no documented examples; the old song.