AEM LDAP Synchronization scheduler

crich2784

12-07-2021

We have set up multiple OUs in AEM and SSO is working.  How do we schedule a synchronization daily, weekly, etc?

Accepted Solutions (1)

ChitraMadan (MVP)

12-07-2021

Hi @crich2784,

 

In order to have LDAP and User Synchronisation working with AEM, you need to create three OSGi configurations:

  1. An LDAP Identity Provider (IDP).
  2. A Sync Handler.
  3. An External Login Module.

Since you mentioned SSO is working, you can check the properties below to set the expiration of the user.

Once the user has expired and logs in again, the user will be synced.

[Screenshot: Untitled.png, not reproduced here]

 

But this process could slow down user login, hence the other way is to sync the users through an automated process, which is to create a scheduled service in the backend that accesses the MBean server and runs syncAllUsers() at some interval.

 

package my.project.scheduled;

import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.AttributeType;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.management.MBeanServer;
import javax.management.ObjectName;
import java.lang.management.ManagementFactory;
import java.util.Arrays;


/**
 * Scheduled service that invokes syncAllUsers() on the Oak
 * "External Identity Synchronization Management" MBean so AEM users
 * are synced with LDAP without waiting for each user's next login.
 *
 * The component is registered as a Runnable; the Sling Commons Scheduler
 * picks it up through the scheduler.expression service property that the
 * OSGi configuration below contributes.
 */
@Component(
     service = Runnable.class,
     immediate = true,
     configurationPid = "my.project.scheduled.SyncUsersService"
)
@Designate(ocd = SyncUsersService.Configuration.class)
public class SyncUsersService implements Runnable {

  private static final Logger logger = LoggerFactory.getLogger(SyncUsersService.class);

  /** Must equal the "handler.name" of the configured Sync Handler. */
  private static final String SYNC_HANDLER_NAME = "Active Directory";

  /** Must equal the "provider.name" of the configured LDAP Identity Provider. */
  private static final String IDP_NAME = "Active Directory";

  @Activate
  public void activate(Configuration config) {
     // Nothing to initialise: the cron expression is consumed by the
     // scheduler from the service properties, not read here.
  }

  /**
   * Runs at the configured cron interval and triggers a full user sync.
   */
  @Override
  public void run() {
     logger.info("Starting LDAP Sync Service");
     MBeanServer mBeanServer = ManagementFactory.getPlatformMBeanServer();
     try {
        // Oak registers one SynchronizationMBean per (sync handler, IDP) pair
        // under this name; handler and idp values are quoted because they contain spaces.
        ObjectName objectName = new ObjectName("org.apache.jackrabbit.oak:type=UserManagement,"
              + "name=External Identity Synchronization Management,"
              + "handler=" + ObjectName.quote(SYNC_HANDLER_NAME) + ","
              + "idp=" + ObjectName.quote(IDP_NAME));
        if (!mBeanServer.isRegistered(objectName)) {
           logger.error("Sync MBean {} is not registered; check the Sync Handler and IDP names", objectName);
           return;
        }
        // syncAllUsers(boolean purge): with purge=true, users that no longer exist
        // in LDAP are removed (or disabled, if the Sync Handler sets user.disableMissing).
        // Pass false if you only want to refresh users that still exist.
        Object result = mBeanServer.invoke(objectName, "syncAllUsers", new Object[]{true},
              new String[]{boolean.class.getName()});
        if (result instanceof String[]) {
           logger.info("LDAP sync finished: {}", Arrays.toString((String[]) result));
        }
     } catch (Exception e) {
        logger.error("Error while running the MBean to sync users with LDAP.", e);
     }
  }

  @ObjectClassDefinition(name = "LDAP User Sync Service")
  public @interface Configuration {

     @AttributeDefinition(
           name = "Expression",
           description = "Cron-job expression. Default: run every 30 min.",
           type = AttributeType.STRING)
     String scheduler_expression() default "0 */30 * ? * *";
  }
}

 

Also, you can refer to these articles for more details:

https://kbwebconsult.com/aem-automatic-user-synchronization-with-ldap/

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/ldap-config.htm...

https://jackrabbit.apache.org/oak/docs/security/authentication/usersync.html

 

Thanks,

Chitra
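The three OSGi configurations the answer lists, written out as an added example; this is not configuration from the original post or from Adobe. Host name, bind DN, base DNs and the `Active Directory` name are assumptions chosen to line up with the scheduled service above: `provider.name` on the IDP and `handler.name` on the Sync Handler must equal the strings that service puts into the MBean ObjectName, and `idp.name` / `sync.handlerName` on the login module must reference the same two. The `// file:` lines mark which `.cfg.json` file each object belongs in (the OSGi Configurator JSON format accepts comments; drop them if your tooling does not), the `:Integer` suffix pins the numeric type, and the `$[env:...]` placeholder assumes the Felix ConfigAdmin interpolation plugin is available so the bind password stays out of source control.

```json
// file: org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider~ad.cfg.json
{
  "provider.name": "Active Directory",
  "host.name": "ldap.example.internal",
  "host.port:Integer": 636,
  "host.ssl": true,
  "host.noCertCheck": false,
  "bind.dn": "CN=aem-ldap-reader,OU=ServiceAccounts,DC=example,DC=internal",
  "bind.password": "$[env:AEM_LDAP_BIND_PASSWORD]",
  "searchTimeout": "60s",
  "user.baseDN": "OU=Users,DC=example,DC=internal",
  "user.objectclass": ["person"],
  "user.idAttribute": "sAMAccountName",
  "user.extraFilter": "(!(userAccountControl:1.2.840.113556.1.4.803:=2))",
  "group.baseDN": "OU=Groups,DC=example,DC=internal",
  "group.objectclass": ["group"],
  "group.nameAttribute": "cn",
  "group.memberAttribute": "member",
  "useUidForExtId": false
}

// file: org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler~ad.cfg.json
{
  "handler.name": "Active Directory",
  "user.expirationTime": "1h",
  "user.membershipExpTime": "1h",
  "user.membershipNestingDepth:Integer": 1,
  "user.autoMembership": ["contributor"],
  "user.propertyMapping": [
    "rep:fullname=displayName",
    "profile/givenName=givenName",
    "profile/familyName=sn",
    "profile/email=mail"
  ],
  "user.pathPrefix": "ad",
  "user.disableMissing": true,
  "group.expirationTime": "1d",
  "group.pathPrefix": "ad"
}

// file: org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory~ad.cfg.json
{
  "jaas.controlFlag": "SUFFICIENT",
  "jaas.ranking:Integer": 50,
  "idp.name": "Active Directory",
  "sync.handlerName": "Active Directory"
}
```

`user.expirationTime` and `user.membershipExpTime` are the properties behind the login-time behaviour described in the answer: on login, a user whose last sync is older than the expiration is re-synced before the login completes, which is the latency the scheduled job avoids. Three settings carry security weight: `host.noCertCheck` stays `false` so the LDAPS certificate is validated; the `user.extraFilter` uses the AD bit-match rule on `userAccountControl` so accounts disabled in AD are never imported; and `user.autoMembership` grants repository privileges to every synced account, so it should name a low-privilege group. The bind account itself only needs read access to the user and group subtrees.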
