
AEM Ldap Integration module: How does option "expire" work?


Level 7

Hello,

I’m facing an issue with the ldap module of AEM:


1. Precondition:

In the configuration for a default sync handler, the values for expiring ldap groups and ldap users are 30m (30 minutes).

2. Timepoint 24-07-23 10:00:00:

UserA has logged in to AEM and his user object contains the group memberships “sug-example-group-a” and “sug-example-group-b”. These groups give him access to the content folder “/content/sites/folder_ab” but not to the folder “/content/sites/folder_cd”.

  • In AEM the existing group “sug-example-group-a” contains a reference to this user.
  • In AEM the existing group “sug-example-group-b” contains a reference to this user.
  • In AEM the existing group “sug-example-group-c” contains no reference to this user.

3. Timepoint 24-07-23 11:15:00:

UserA has logged in to AEM and his user object contains the group memberships “sug-example-group-a” and “sug-example-group-b”. These groups give him access to the content folder “/content/sites/folder_ab” but not to the folder “/content/sites/folder_cd”.

  • In AEM the existing group “sug-example-group-a” contains a reference to this user.
  • In AEM the existing group “sug-example-group-b” contains a reference to this user.
  • In AEM the existing group “sug-example-group-c” contains no reference to this user.

4. Timepoint 24-07-2023 10:10:00:

The connected Active Directory has been updated for this user with a new group membership called “sug-example-group-c”. This group gives UserA access to the content folder “/content/sites/folder_cd” in AEM.

My expectation at timepoint 24-07-23 11:15:00:

UserA has logged in, the user object contains the recently added group membership, and the group object for “sug-example-group-c” contains a reference to him. But it doesn’t.


My question: What do I need to make this scenario work? And what does "expiring ldap groups and ldap users" mean?

Note: If I start the synchronization manually, by calling the JMX service, the objects in AEM are updated correctly. I’m using SP 16 and 17.

Thanks in advance.
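Added here as an illustration, not the poster's configuration and not AEM or Oak code: the sync handler keys that sit behind the two "expire" fields in the post, plus a small Python model of how those timers gate a sync-on-login. Assumptions: that the two fields in the post map to `user.expirationTime` and `group.expirationTime`, that group memberships of a user are governed by the separate `user.membershipExpTime` key, and the decision rule itself (properties refresh when `rep:lastSynced` is older than `user.expirationTime`, memberships when it is older than `user.membershipExpTime`), which is my reading of the documented behaviour rather than Oak's source. The timeline values are constructed from the post.

```python
"""Model of the two expiration timers that gate an LDAP user's sync-on-login
in AEM (Oak's DefaultSyncHandler).

Added example, not AEM/Oak code. The configuration keys are the real
DefaultSyncHandler OSGi keys; the decision rule is an assumption (my reading
of the documented behaviour) and should be verified on the instance."""
from datetime import datetime, timedelta
import re

# Constructed configuration in the shape of a
# DefaultSyncHandler~ldap.cfg.json file. The two "30m" values are the
# poster's precondition; user.membershipExpTime is a separate setting the
# post does not mention (Oak ships a default of "1h" for it).
SYNC_HANDLER_CONFIG = {
    "handler.name": "ldap",
    "user.expirationTime": "30m",
    "user.membershipExpTime": "1h",
    "user.membershipNestingDepth": 1,
    "group.expirationTime": "30m",
}

_UNIT_MS = {"ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}


def parse_duration(value: str) -> timedelta:
    """Parse the "30m" / "1h" / "1d" notation used in the sync handler config."""
    match = re.fullmatch(r"\s*(\d+)\s*(ms|s|m|h|d)?\s*", value)
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    number, unit = int(match.group(1)), match.group(2) or "ms"
    return timedelta(milliseconds=number * _UNIT_MS[unit])


def login_sync_plan(last_synced: datetime, login_at: datetime,
                    cfg: dict = SYNC_HANDLER_CONFIG) -> dict:
    """Which parts of an already synced user a login at `login_at` would
    refresh, given the user's current rep:lastSynced value (assumed model:
    each part has its own timer, both measured from rep:lastSynced)."""
    age = login_at - last_synced
    return {
        "properties": age > parse_duration(cfg["user.expirationTime"]),
        "membership": age > parse_duration(cfg["user.membershipExpTime"]),
    }


# Constructed timeline from the post: the last full sync happened at the
# 10:00 login on 24-07-23, the AD change follows at 10:10.
LAST_SYNCED = datetime(2023, 7, 24, 10, 0, 0)


def plan_for_login(hhmm: str, cfg: dict = SYNC_HANDLER_CONFIG) -> dict:
    """Sync plan for a login later the same day at hh:mm on that timeline."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    login_at = LAST_SYNCED.replace(hour=hour, minute=minute)
    return login_sync_plan(LAST_SYNCED, login_at, cfg)


if __name__ == "__main__":
    for when in ("10:20", "10:45", "11:15"):
        print(when, plan_for_login(when))
```

Running it walks the post's timeline against a rep:lastSynced of 10:00: a login at 10:20 refreshes nothing, one at 10:45 refreshes the user's own properties but not the memberships, and one at 11:15 refreshes both. On a real instance the values to compare are the rep:lastSynced property on the user node under /home/users and the effective user.membershipExpTime shown for the sync handler in /system/console/configMgr.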

4 Replies


Level 9

Hello,

QQ: between point #2 and #3, after the modification of the LDAP group access, if the user logged out and logged in again, do the user's groups reflect correctly at that point?


Community Advisor

@Magicr,

In this scenario, assuming you are testing it on a local author or AMS instance, I would try the group addition manually first.

1) Create a local user using http://localhost:4502/useradmin

2) Add the groups sug-example-group-a and sug-example-group-b to this local user and check if the permissions to the content folder “/content/sites/folder_ab” are showing up correctly.

3) Log out the user, add the group sug-example-group-c to the local user, and check whether the permissions to the content folder “/content/sites/folder_cd” are set as expected by logging in again.

4) If the permissions to the content folders are not set as expected via this debugging, then I would reinspect the group permissions themselves.


Level 7

Thanks for your answer. I think you haven't understood the issue properly. For a better understanding, here is a simple summary:

The main slogan of AEM is "Everything is content". That means users and groups for access management are also stored in the repository of the CMS. The AEM LDAP module reads users and groups from Active Directory and creates content in AEM. My problem is that those created objects won't be updated in the CMS when they have been updated in Active Directory.