Adobe Experience Manager Sites & More

Magicr · 1/25/23

Hello,

I'm facing follwing situation:

I have two different users. Let's say user "A" is menber of ldab goup "UserGroupA" and "DifferentGroupS-A". User "B" is member of ldap "UserGroupB" and "CompleteDifferentOtherGroupS". The effect is, checking the users membership needs different queries.

For this reason, I have created two configuration bundles (Default Sync Handler, Ldap identiy provider and External login module). When I tried to login to instance the CMS executed only one query, depends on saved order. The effect is one user cannot be logged in.

My question: How can I solve this issue without combining the queries?

Magicr · 2/7/23

This issue does disappear over a weekend. No idea why. But now a new issue has being raised. Ldap groups won't be created anymore even though the used queries returns valid results.

View solution in original post

Ankur_Khare · 1/25/23

Hi,

Not very clear coul you please add more details with snapshot of configs

Regards

Ankur

Magicr · 1/27/23

Here the important parts of your requested configs:

------------------- Configuration for User A -----------------
========= Ldap Identity Provider ==================
:org.apache.felix.configadmin.revision:=L"5"
adminPool.lookupOnValidate=B"true"
adminPool.maxActive=L"8"
bind.dn=""
bind.password=""
customattributes=[ \
  ]
group.baseDN="OU\=MyGroups,DC\=example,DC\=com"
group.extraFilter="(&(objectClass\=group)(|(cn\=SGG-Ax)(&(extensionAttribute\=yyyy))(cn\=SUG-Bx)(cn\=sug-ix*)))"
group.makeDnPath=B"false"
group.memberAttribute="member"
group.nameAttribute="cn"
group.objectclass=[ \
  "group", \
  ]
host.name="aaa.bbb.ccc.ddd"
host.noCertCheck=B"false"
host.port=""
host.ssl=B"false"
host.tls=B"false"
provider.name="ConfigA-idp"
searchTimeout="10s"
service.factoryPid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
service.pid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider~configA-idp"
useUidForExtId=B"false"
user.baseDN="OU\=MyUsers,DC\=example,DC\=com"
user.extraFilter="(&(objectClass\=person)(memberOf\=CN\=SGG-Ax,OU\=MyGroups,DC\=example,DC\=com))"
user.idAttribute="sAMAccountName"
user.makeDnPath=B"false"
user.objectclass=[ \
  "person", \
  ]
userPool.lookupOnValidate=B"true"
userPool.maxActive=L"8"
=================== External Login Factory =========
:org.apache.felix.configadmin.revision:=L"9"
idp.name="ConfigA-idp"
jaas.controlFlag="SUFFICIENT"
jaas.ranking="50"
jaas.realmName=""
service.factoryPid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"
service.pid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory~configA-login"
sync.handlerName="ConfigA-handler"
------------------- Configuration for User B -----------------
========= Ldap Identity Provider ==================
:org.apache.felix.configadmin.revision:=L"4"
adminPool.lookupOnValidate=B"true"
adminPool.maxActive=L"8"
bind.dn=""
bind.password=""
customattributes=[ \
  ]
group.baseDN="OU\=MyGroups,DC\=example,DC\=com"
group.extraFilter="(&(objectClass\=group)(|(cn\=sug-t*)(cn\=sug-s*)))"
group.makeDnPath=B"false"
group.memberAttribute="member"
group.nameAttribute="cn"
group.objectclass=[ \
  "group", \
  ]
host.name="aaa.bbb.ccc.ddd"
host.noCertCheck=B"false"
host.port=""
host.ssl=B"false"
host.tls=B"false"
provider.name="ConfigB-idp"
searchTimeout="10s"
service.factoryPid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
service.pid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider~configB-idp"
useUidForExtId=B"false"
user.baseDN="OU\=MyUsers,DC\=example,DC\=com"
user.extraFilter="(&(objectClass\=person)(|(memberOf\=CN\=sug-t*,OU\=MyGroups,DC\=example,DC\=com)(memberOf\=CN\=sug-s*,OU\=MyGroups,DC\=example,DC\=com)))"
user.idAttribute="sAMAccountName"
user.makeDnPath=B"false"
user.objectclass=[ \
  "person", \
  ]
userPool.lookupOnValidate=B"true"
userPool.maxActive=L"8"
=================== External Login Factory =========
:org.apache.felix.configadmin.revision:=L"9"
idp.name="ConfigB-idp"
jaas.controlFlag="SUFFICIENT"
jaas.ranking="50"
jaas.realmName=""
service.factoryPid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"
service.pid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory~configB-login"
sync.handlerName="ConfigB-handler"

Magicr · 2/7/23

This issue does disappear over a weekend. No idea why. But now a new issue has being raised. Ldap groups won't be created anymore even though the used queries returns valid results.

ChitraMadan · 1/31/23

Hi @Magicr ,

If I have understood your problem correctly, if the ldap provider is the same and under the same provider you have different users from different user groups, then this should not be a problem, as long as you have the same groups created in AEM too, users will be synced to those different groups with your standard configs.

Sorry, it is not clear as to why you need 2 configs here?

Magicr · 2/1/23

@ChitraMadan Take a closer eye on the queries. They are totaly different, so they grap different kind of users. Also keep the queries simple so other people can better read and understand them in the future.

By the way, even if to much work for this use case how does it work in general? Appently there are no documented exapmles - the old song - and I wonder how it works.

Adobe Experience Manager Sites & More

AEM Ldap Integration: How can two different configs lives side by side?

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe