SOLVED

AEM ldap Integration: How to sync groups from ldap users


Level 7

Hello,

I'm using this module to synchronize users from Active Directory. The sync action for users works well. My requirement is that I also need to create the groups which the users are members of. How can I achieve this?

Thanks in advance.

1 Accepted Solution


Correct answer by
Level 7

I think I could solve my issue by doing three things:

  1. Disabling the option "Dynamic membership".
  2. Adding a slash at the beginning of the properties where you define where users and groups are stored.
  3. By using simple queries first, I found out that all my queries were "wrong", even though they generated valid results in AEM itself. The user extra filter and group extra filter fields contain only the "second" part of a query.
    Query example:
    (&(objectClass=<person/group>)(|(memberOf=CN=sug-xxx,OU=groupfolder,DC=exampledomain,DC=com)(memberOf=CN=sug-yyy,OU=groupfolder,DC=exampledomain,DC=com))
    
    So the working result for me was adding the query below to the filter fields:
    (|(memberOf=CN=sug-xxx,OU=groupfolder,DC=exampledomain,DC=com)(memberOf=CN=sug-yyy,OU=groupfolder,DC=exampledomain,DC=com))
    
    Due to the fact that there are no well-explained examples on the Internet, and because of misleading log output, this was a big exploration journey for me.
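The accepted answer's third point is that the extra filter field receives only the inner clause, because the module itself adds the outer AND with the objectClass test. The following script is an added example written for this thread; it is not code from the AEM/Oak LDAP module or from any of the posts above. compose_search_filter() reproduces the wrapping the answer describes (the exact wrapping string is an assumption), a small RFC 4515 parser checks that the composed filter is well-formed, and check_extra_filter() flags two things that otherwise only show up as "found 0 entries" in the debug log: an objectClass clause pasted in twice, and memberOf targets that sit outside the configured group search base (the "Group DN" mentioned further down). The DNs and filters are the constructed sample values from the answer.

```python
"""Compose and sanity-check the search filter that an AEM/Oak LDAP
"extra filter" field ends up inside.

Added example, not code from the AEM/Oak LDAP module or from the forum.
compose_search_filter() mirrors what the accepted answer describes: the
module wraps the configured extra filter in an outer AND together with
its own objectClass clause, so the field must hold only the "second
part" of the query.  The exact wrapping string is an assumption.
"""
import re

# Constructed sample values, taken from the accepted answer's query.
GROUP_BASE_DN = "OU=groupfolder,DC=exampledomain,DC=com"
EXTRA_FILTER_OK = "(|(memberOf=CN=sug-xxx,%s)(memberOf=CN=sug-yyy,%s))" % (
    GROUP_BASE_DN, GROUP_BASE_DN)
# The complete query pasted into the field, as the author first tried.
EXTRA_FILTER_FULL = "(&(objectClass=<person/group>)" + EXTRA_FILTER_OK + ")"

# attribute, comparison operator, value without unescaped parentheses
_ITEM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.;-]*(~=|>=|<=|:=|=)[^()]*$")


def compose_search_filter(object_class, extra_filter):
    """Assumed composition: outer AND of the objectClass clause and the extra filter."""
    return "(&(objectClass=%s)%s)" % (object_class, extra_filter)


def parse_filter(text):
    """Minimal RFC 4515 parser. Returns a tree of ('&'|'|'|'!', [children])
    and ('item', 'attr=value') nodes, or raises ValueError on bad syntax."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            if not children or (op == "!" and len(children) != 1):
                raise ValueError("operator %r has wrong number of operands" % op)
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated item at offset %d" % pos)
        item = text[pos:end]
        if not _ITEM.match(item):
            raise ValueError("malformed item %r" % item)
        pos = end + 1
        return ("item", item)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return tree


def _items(tree):
    """Yield every 'attr=value' leaf in the tree."""
    kind, payload = tree
    if kind == "item":
        yield payload
    else:
        for child in payload:
            yield from _items(child)


def normalize_dn(dn):
    # Simplification: escaped commas inside RDN values are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under_base(dn, base_dn):
    """True if dn equals base_dn or lies beneath it (case/whitespace insensitive)."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return d == b or d.endswith("," + b)


def check_extra_filter(object_class, extra_filter, group_base_dn):
    """Return a list of findings for the composed filter; empty means it looks sane."""
    composed = compose_search_filter(object_class, extra_filter)
    try:
        tree = parse_filter(composed)
    except ValueError as err:
        return ["composed filter does not parse: %s" % err]
    findings = []
    object_class_clauses = [i for i in _items(tree) if i.lower().startswith("objectclass=")]
    if len(object_class_clauses) > 1:
        findings.append("objectClass appears %d times: the field should hold only the "
                        "extra clause, not the whole query" % len(object_class_clauses))
    for item in _items(tree):
        attr, _, value = item.partition("=")
        if attr.lower() == "memberof" and not dn_under_base(value, group_base_dn):
            findings.append("memberOf target %s is outside the group search base %s"
                            % (value, group_base_dn))
    return findings


if __name__ == "__main__":
    for label, extra in (("second part only", EXTRA_FILTER_OK),
                         ("whole query", EXTRA_FILTER_FULL),
                         ("missing paren", EXTRA_FILTER_OK[:-1])):
        print(label, "->", check_extra_filter("group", extra, GROUP_BASE_DN) or "ok")
```

Running it with the three variants shows the "second part only" form composing cleanly, the pasted whole query producing a doubled objectClass clause, and a truncated filter being rejected by the parser before it ever reaches the directory. Pointing the base-DN check at the users OU instead of the group folder reports both memberOf targets as outside the search base, which is the situation the "search below OU=... found 0 entries" debug line describes.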

8 Replies


Level 7

@Saravanan_Dharmaraj wrote:

Please check the below blog on how to set up the groups in AEM

https://www.tothenew.com/blog/ldap-integration-with-aem-apache-directory-server/ 


Thanks for your answer. The posted link could not help me to solve my issue.

Following the official Adobe documentation - https://experienceleague.adobe.com/docs/experience-manager-64/administering/security/ldap-config.htm... - I enabled logging for ExternalLoginModule and Authentication.

The created log file contains a huge number of 

 org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule No 'SupportedCredentials' configured. Using default implementation supporting 'SimpleCredentials'.

Could this be the reason why I'm unable to get groups from LDAP? How can I fix it? Researching this message always leads back to a post in this forum. The link it contains points to a to-do list which I have already followed.

Level 7

I followed this list on a fresh new instance and it could not fix the issue. Users are imported, groups not.


Level 7

Maybe I found a helpful log entry that gets lost among all the lines of debug output. The output is:

*DEBUG* [qtp31820972-1821] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider getDeclaredGroupRefs: search below OU=xxx,DC=example,DC=com with (& (xxx)) found 0 entries. (connect=1,99ms, search=963,00us, iterate=2,38ms)

Actually, this explains why the groups are not created.


Level 5

Please check with your LDAP administrator for the values of 'Bind DN' and 'Group DN' in the Identity Provider OSGi configuration.


Level 2

Through admin console you get ldap and group create with email start sync and integration.
