SOLVED

AEM LDAP Integration: How can two different configs live side by side?

Level 7

Hello,

I'm facing the following situation:

I have two different users. Let's say user "A" is a member of the LDAP groups "UserGroupA" and "DifferentGroupS-A". User "B" is a member of the LDAP groups "UserGroupB" and "CompleteDifferentOtherGroupS". The effect is that checking the users' membership needs different queries.

For this reason, I have created two configuration bundles (Default Sync Handler, LDAP Identity Provider and External Login Module). When I tried to log in to the instance, the CMS executed only one query, depending on the saved order. The effect is that one user cannot log in.

My question: How can I solve this issue without combining the queries?

1 Accepted Solution

Correct answer by
Level 7

This issue disappeared over a weekend. No idea why. But now a new issue has been raised: LDAP groups won't be created anymore even though the queries used return valid results.

5 Replies

Community Advisor

Hi,

Not very clear, could you please add more details with a snapshot of the configs?

Regards

Ankur

Level 7

Here are the important parts of the configs you requested:

------------------- Configuration for User A -----------------
========= Ldap Identity Provider ==================
:org.apache.felix.configadmin.revision:=L"5"
adminPool.lookupOnValidate=B"true"
adminPool.maxActive=L"8"
bind.dn=""
bind.password=""
customattributes=[ \
  ]
group.baseDN="OU\=MyGroups,DC\=example,DC\=com"
group.extraFilter="(&(objectClass\=group)(|(cn\=SGG-Ax)(&(extensionAttribute\=yyyy))(cn\=SUG-Bx)(cn\=sug-ix*)))"
group.makeDnPath=B"false"
group.memberAttribute="member"
group.nameAttribute="cn"
group.objectclass=[ \
  "group", \
  ]
host.name="aaa.bbb.ccc.ddd"
host.noCertCheck=B"false"
host.port=""
host.ssl=B"false"
host.tls=B"false"
provider.name="ConfigA-idp"
searchTimeout="10s"
service.factoryPid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
service.pid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider~configA-idp"
useUidForExtId=B"false"
user.baseDN="OU\=MyUsers,DC\=example,DC\=com"
user.extraFilter="(&(objectClass\=person)(memberOf\=CN\=SGG-Ax,OU\=MyGroups,DC\=example,DC\=com))"
user.idAttribute="sAMAccountName"
user.makeDnPath=B"false"
user.objectclass=[ \
  "person", \
  ]
userPool.lookupOnValidate=B"true"
userPool.maxActive=L"8"
=================== External Login Factory =========
:org.apache.felix.configadmin.revision:=L"9"
idp.name="ConfigA-idp"
jaas.controlFlag="SUFFICIENT"
jaas.ranking="50"
jaas.realmName=""
service.factoryPid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"
service.pid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory~configA-login"
sync.handlerName="ConfigA-handler"
------------------- Configuration for User B -----------------
========= Ldap Identity Provider ==================
:org.apache.felix.configadmin.revision:=L"4"
adminPool.lookupOnValidate=B"true"
adminPool.maxActive=L"8"
bind.dn=""
bind.password=""
customattributes=[ \
  ]
group.baseDN="OU\=MyGroups,DC\=example,DC\=com"
group.extraFilter="(&(objectClass\=group)(|(cn\=sug-t*)(cn\=sug-s*)))"
group.makeDnPath=B"false"
group.memberAttribute="member"
group.nameAttribute="cn"
group.objectclass=[ \
  "group", \
  ]
host.name="aaa.bbb.ccc.ddd"
host.noCertCheck=B"false"
host.port=""
host.ssl=B"false"
host.tls=B"false"
provider.name="ConfigB-idp"
searchTimeout="10s"
service.factoryPid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
service.pid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider~configB-idp"
useUidForExtId=B"false"
user.baseDN="OU\=MyUsers,DC\=example,DC\=com"
user.extraFilter="(&(objectClass\=person)(|(memberOf\=CN\=sug-t*,OU\=MyGroups,DC\=example,DC\=com)(memberOf\=CN\=sug-s*,OU\=MyGroups,DC\=example,DC\=com)))"
user.idAttribute="sAMAccountName"
user.makeDnPath=B"false"
user.objectclass=[ \
  "person", \
  ]
userPool.lookupOnValidate=B"true"
userPool.maxActive=L"8"
=================== External Login Factory =========
:org.apache.felix.configadmin.revision:=L"9"
idp.name="ConfigB-idp"
jaas.controlFlag="SUFFICIENT"
jaas.ranking="50"
jaas.realmName=""
service.factoryPid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"
service.pid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory~configB-login"
sync.handlerName="ConfigB-handler"
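An added check over the dump format shown above (example code, not from the thread or from Oak): it parses the Web Console-style blocks and flags the one thing visible in both configs that bears on which query runs first, the jaas.ranking of 50 shared by both External Login Factory entries. That equal rankings leave the JAAS login-module order undefined is an assumption; the sample dump is a constructed excerpt trimmed to the keys the check reads.

```python
import re

# Constructed excerpt in the Felix .config dump format of the post, trimmed to the keys the check reads.
SAMPLE = """\
========= Ldap Identity Provider ==================
provider.name="ConfigA-idp"
group.objectclass=[ \\
  "group", \\
  ]
service.factoryPid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
=================== External Login Factory =========
idp.name="ConfigA-idp"
jaas.controlFlag="SUFFICIENT"
jaas.ranking="50"
service.factoryPid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"
========= Ldap Identity Provider ==================
provider.name="ConfigB-idp"
service.factoryPid="org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
=================== External Login Factory =========
idp.name="ConfigB-idp"
jaas.controlFlag="SUFFICIENT"
jaas.ranking="50"
service.factoryPid="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"
"""

def parse_configs(text):
    """One dict per config block; a block starts at a line of '=' signs, '---' lines are labels."""
    joined = re.sub(r"\\\n", "", text)  # join backslash-continued lines (multi-line arrays)
    blocks, current = [], None
    for line in joined.splitlines():
        if line.startswith("="):
            current = {}
            blocks.append(current)
        elif line.strip() and not line.startswith("-") and current is not None:
            key, _, raw = line.partition("=")  # first '=' ends the key; '\=' inside values survives
            m = re.fullmatch(r'\s*[A-Z]?"(.*)"\s*', raw)  # "str", L"5" (long), B"true" (boolean)
            current[key] = m.group(1) if m else re.findall(r'"([^"]*)"', raw)  # otherwise an array
    return blocks

def check_login_chain(blocks):
    """Findings about how the ExternalLoginModuleFactory entries chain the configured IdPs."""
    idps = {b["provider.name"] for b in blocks if b.get("service.factoryPid", "").endswith("LdapIdentityProvider")}
    logins = [b for b in blocks if b.get("service.factoryPid", "").endswith("ExternalLoginModuleFactory")]
    findings = [f"{lm.get('idp.name')}: idp.name matches no provider.name" for lm in logins if lm.get("idp.name") not in idps]
    ranks = [lm.get("jaas.ranking") for lm in logins]
    for rank in sorted({r for r in ranks if ranks.count(r) > 1}):
        findings.append(f"jaas.ranking {rank} is shared by {ranks.count(rank)} login modules, so their order is not guaranteed")
    return findings
```

Giving the two login modules distinct rankings makes the evaluation order explicit; with SUFFICIENT on both, a user the first IdP does not know still falls through to the second.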


Community Advisor

Hi @Magicr ,

If I have understood your problem correctly: if the LDAP provider is the same and under the same provider you have different users from different user groups, then this should not be a problem. As long as you have the same groups created in AEM too, users will be synced to those different groups with your standard configs.

Sorry, it is not clear why you need 2 configs here.

Level 7

@ChitraMadan Take a closer look at the queries. They are totally different, so they grab different kinds of users. Also, keep the queries simple so other people can read and understand them better in the future.

By the way, even if it is too much work for this use case, how does it work in general? Apparently there are no documented examples - the old song - and I wonder how it works.