
SOLVED

AEM LDAP Synchronization scheduler


Level 7

 

We have set up multiple OUs in AEM and SSON is working.  How do we schedule a synchronization daily, weekly, etc?

1 Accepted Solution


Correct answer by
Community Advisor

Hi @crich2784 ,

 

In order to have LDAP and User Synchronisation working with AEM, you need to create three OSGi configurations:

  1. An LDAP Identity Provider (IDP).
  2. A Sync Handler.
  3. An External Login Module.

Since you mentioned SSO is working, you can check the properties below to set the expiration of the user.

Once the user has expired and logs in again, the user will be synced.

Untitled.png

 

But this process could slow down user login, hence the other way is to sync the users through an automated process, which is to create a scheduled service in the backend to access the MBean server and run syncAllUsers() at some interval.

 

```java
package my.project.scheduled;

import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.AttributeType;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.management.MBeanServer;
import javax.management.ObjectName;
import java.lang.management.ManagementFactory;

/**
 * Service to invoke the syncAllUsers() method of the org.apache.jackrabbit.oak
 * synchronization MBean so AEM users can be synced with LDAP.
 *
 * Registered as a Runnable service with a scheduler.expression property, which is
 * what the Sling Scheduler whiteboard needs to pick it up and run it on the cron.
 */
@Component(
     service = Runnable.class,
     immediate = true,
     configurationPid = "my.project.scheduled.SyncUsersService"
)
@Designate(ocd = SyncUsersService.Configuration.class)
public class SyncUsersService implements Runnable {

  protected static Logger logger = LoggerFactory.getLogger(SyncUsersService.class);

  /** Nothing to initialise; the config only supplies scheduler.expression as a service property. */
  @Activate
  public void activate(Configuration config) {}

  /**
   * Runs the LDAP sync at the scheduled interval.
   */
  @Override
  public void run() {
     logger.info("Starting LDAP Sync Service");
     MBeanServer mBeanServer = ManagementFactory.getPlatformMBeanServer();
     ObjectName objectName = null;
     try {
        // Name of the Oak sync MBean; handler and idp must match the names
        // given in the Sync Handler and LDAP IDP OSGi configurations.
        objectName = new ObjectName("org.apache.jackrabbit.oak:handler=\"Active Directory\","
              + "idp=\"Active Directory\",name=External Identity Synchronization Management,type=UserManagement");
        // syncAllUsers(boolean purge): true also removes local users missing from the IDP
        mBeanServer.invoke(objectName, "syncAllUsers", new Object[]{true},
              new String[]{boolean.class.getName()});
     } catch (Exception e) {
        logger.error("Error while running the MBean to sync users with LDAP. ", e);
     }
  }

  @ObjectClassDefinition(name = "LDAP User Sync Service")
  public @interface Configuration {

     @AttributeDefinition(
           name = "Expression",
           description = "Cron-job expression. Default: run every 30 min.",
           type = AttributeType.STRING)
     String scheduler_expression() default "0 */30 * ? * *";
  }
}
```

 

Also, you can refer to these articles for more details:

https://kbwebconsult.com/aem-automatic-user-synchronization-with-ldap/

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/ldap-config.htm...

https://jackrabbit.apache.org/oak/docs/security/authentication/usersync.html

 

Thanks,

Chitra
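An added example, not part of the answer above or of any AEM/Oak project code, showing the same scheduled-sync idea with two practical changes: the Oak sync MBean is discovered by ObjectName pattern instead of a hard-coded handler/idp string (so a renamed Sync Handler does not silently turn the job into a no-op), and the purge flag is a config switch that defaults to false, because with purge=true the MBean removes local users the IdP no longer returns and a sync against a misconfigured or degraded directory could then delete accounts. The component name, configuration property names and the nightly cron default are assumptions of this example; the MBean domain, type, name attribute and the `syncAllUsers(boolean)` operation are those shown in the answer.

```java
package my.project.scheduled;

import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import javax.management.MBeanServer;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;

import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Example component (hypothetical name); registered as Runnable for the Sling Scheduler whiteboard.
@Component(service = Runnable.class, immediate = true)
@Designate(ocd = LdapSyncJob.Config.class)
public class LdapSyncJob implements Runnable {

    private static final Logger LOG = LoggerFactory.getLogger(LdapSyncJob.class);

    // Pattern matching every Oak sync MBean, whatever the handler/idp names are.
    static final String SYNC_MBEAN_PATTERN =
        "org.apache.jackrabbit.oak:type=UserManagement,name=External Identity Synchronization Management,*";

    private volatile String idpFilter = "";
    private volatile boolean purge = false;

    @ObjectClassDefinition(name = "LDAP Scheduled User Sync (example)")
    public @interface Config {
        @AttributeDefinition(name = "Cron expression", description = "Sling scheduler expression; default nightly at 02:00")
        String scheduler_expression() default "0 0 2 * * ?";

        @AttributeDefinition(name = "Allow concurrent runs", description = "Keep false so a long sync cannot overlap the next one")
        boolean scheduler_concurrent() default false;

        @AttributeDefinition(name = "IDP name", description = "Only sync MBeans whose idp attribute equals this; empty = all")
        String idp_name() default "";

        @AttributeDefinition(name = "Purge missing users", description = "purge=true removes local users the IDP no longer returns")
        boolean purge_missing() default false;
    }

    @Activate
    @Modified
    protected void activate(Config config) {
        idpFilter = config.idp_name() == null ? "" : config.idp_name().trim();
        purge = config.purge_missing();
    }

    @Override
    public void run() {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        try {
            Set<ObjectName> targets = findSyncMBeans(server, idpFilter);
            if (targets.isEmpty()) {
                // Loud failure instead of a silent no-op when the handler/idp is renamed or not deployed.
                LOG.error("No Oak sync MBean found for pattern {} (idp filter '{}')", SYNC_MBEAN_PATTERN, idpFilter);
                return;
            }
            for (ObjectName name : targets) {
                syncOne(server, name);      // one failing IDP must not stop the others
            }
        } catch (MalformedObjectNameException e) {
            LOG.error("Invalid MBean pattern", e);
        }
    }

    /** Returns the sync MBeans, optionally restricted to one idp attribute value. */
    static Set<ObjectName> findSyncMBeans(MBeanServer server, String idp) throws MalformedObjectNameException {
        Set<ObjectName> all = server.queryNames(new ObjectName(SYNC_MBEAN_PATTERN), null);
        if (idp.isEmpty()) {
            return all;
        }
        List<ObjectName> kept = new ArrayList<>();
        for (ObjectName n : all) {
            String value = n.getKeyProperty("idp");          // may come back quoted, e.g. "ldap"
            if (value != null && value.startsWith("\"")) {
                value = ObjectName.unquote(value);
            }
            if (idp.equals(value)) {
                kept.add(n);
            }
        }
        return new java.util.HashSet<>(kept);
    }

    private void syncOne(MBeanServer server, ObjectName name) {
        try {
            Object result = server.invoke(name, "syncAllUsers", new Object[]{purge}, new String[]{"boolean"});
            int entries = (result instanceof Object[]) ? ((Object[]) result).length : -1;
            LOG.info("syncAllUsers(purge={}) on {} finished, {} result entries", purge, name, entries);
        } catch (Exception e) {
            LOG.error("syncAllUsers failed on {}", name, e);
        }
    }
}
```

Running this on a publish-only or author-only instance is a deployment decision, not something the job decides: the `scheduler.expression` and `scheduler.concurrent` values are plain Sling Scheduler whiteboard properties, so the same component can be bound to a different cron per run mode through OSGi configuration. Turning `purge_missing` on is worth doing only once you have confirmed in the logs that a normal run sees the expected number of result entries.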
