Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

AEM ldap Integration: How to sync groups from ldap users

Avatar

Level 7
Level 7
2/15/23 2:19:29 AM

Hello,

I'm using this modul to synchronize users from active directory. The sync action with users works well. My requriemtent is I also need to create groups which are the users are  members of. How can I achive this?

 

Thanks in advanced.  

Views

1.9K

Replies

8
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 7
Level 7
2/20/23 2:21:20 AM

I think I could solve my issue. by doing three things:

  1. Disabling the option "Dynamic membership".
  2. Add a slash at begin to properties where you can define users and groups are stored.
  3. By using simple queries first I found out all my queries where "wrong", even though they generated valid results in AEM it self. The fields user extra filters and group extra filters does contains only the "second" part of a query.
    Query example: 
    (&(objectClass=<person/group>)(|(memberOf=CN=sug-xxx,OU=groupfolder,DC=exampledomain,DC=com)(memberOf=CN=sug-yyy,OU=groupfolder,DC=exampledomain,DC=com))
    So the working result for me was adding below query to filter fields: 
    (|(memberOf=CN=sug-xxx,OU=groupfolder,DC=exampledomain,DC=com)(memberOf=CN=sug-yyy,OU=groupfolder,DC=exampledomain,DC=com))
    Due to the fact there exists no well explained examples at the Internet and by missleading log output this was a big exploration journey for me.

 

View solution in original post

Views

1.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
8 Replies

Avatar

Level 7
Level 7
2/15/23 6:16:39 AM
In response to Saravanan_Dharmaraj
@Saravanan_Dharmaraj  schrieb:

Please check the below blog on how to set up the groups in AEM

https://www.tothenew.com/blog/ldap-integration-with-aem-apache-directory-server/ 

Thanks for your answer. The posted link could not help me to solve my issue.

From offcial site from Adobe - https://experienceleague.adobe.com/docs/experience-manager-64/administering/security/ldap-config.htm... - I enabled the logging for ExternalLoginModule and Authatication.

The created log file contains a huge number of 

 org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule No 'SupportedCredentials' configured. Using default implementation supporting 'SimpleCredentials'.

Could it be the reason why I'm unable to get groups from ldap? How can I fix it? The research for this message points always here to an post in this forum. The containing link points to a todo list which I have already followed.

 

Views

1.9K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 7
Level 7
2/15/23 6:41:47 AM
In response to Chandra_Hire

I followed this list on a fresh new instance and it could not fix the issue. Users are imported, groups not.

Views

1.9K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 7
Level 7
2/15/23 7:40:08 AM
In response to Magicr

Maybe I found a helpful log entry who disappears between all lines of debug output. The following output is

*DEBUG* [qtp31820972-1821] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider getDeclaredGroupRefs: search below OU=xxx,DC=example,DC=com with (& (xxx)) found 0 entries. (connect=1,99ms, search=963,00us, iterate=2,38ms)

Actually this makes sense why groups are not created.

Views

1.9K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 5
Level 5
2/15/23 12:48:46 PM
In response to Magicr

Please check with LDAP administrator for value of 'Bind DN' & 'Group DN' configuration in Identity Provider OSGi configuraiton. 

Views

1.9K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
2/15/23 11:39:38 AM

Through admin console you get ldap and group create with email start sync and integration.

Views

1.9K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 7
Level 7
2/20/23 2:21:20 AM

I think I could solve my issue. by doing three things:

  1. Disabling the option "Dynamic membership".
  2. Add a slash at begin to properties where you can define users and groups are stored.
  3. By using simple queries first I found out all my queries where "wrong", even though they generated valid results in AEM it self. The fields user extra filters and group extra filters does contains only the "second" part of a query.
    Query example: 
    (&(objectClass=<person/group>)(|(memberOf=CN=sug-xxx,OU=groupfolder,DC=exampledomain,DC=com)(memberOf=CN=sug-yyy,OU=groupfolder,DC=exampledomain,DC=com))
    So the working result for me was adding below query to filter fields: 
    (|(memberOf=CN=sug-xxx,OU=groupfolder,DC=exampledomain,DC=com)(memberOf=CN=sug-yyy,OU=groupfolder,DC=exampledomain,DC=com))
    Due to the fact there exists no well explained examples at the Internet and by missleading log output this was a big exploration journey for me.

 

Views

1.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
Not able to use credentials for login after installing AEM service pack 9 for 6.5 Solved

Views

149

Likes

0

Replies

3
How to restrict anonymous access /crx/explorer/ui/search.jsp

Views

36

Likes

0

Replies

1
how to write junit for the below code

Views

88

Likes

0

Replies

2
Unable to render url or html content as page via sightly

Views

59

Likes

0

Replies

1
Suggestion | Creating a Custom Video Plugin for aem as cloud services Rich Text Editor

Views

102

Likes

0

Replies

2