
SOLVED

AEM with Active Directory


Level 6

Hi,

Has anyone set up AEM to log in against an AD server and sync the groups?

I am able to log in using a user from LDAP and sync it to AEM, but the groups are not being imported. Could someone help me with this?

The Group Base DN is correct.

For Group Object Class I'm using: group

And for Group Member Attribute: member

Any help is welcome.

Thanks


9 Replies


Level 10

Only users get synced. You need to create a mapping for the group that already exists in CRX so that it is mapped when the user is created/synced from LDAP.


Level 10

Refer to [1] for the same.

autocreate.user.membership="contributor" is the property to be used to map to the existing group when the user is auto-created.

[1] https://docs.adobe.com/docs/en/cq/5-6-1/core/administering/ldap_authentication.html


Level 6

Hi bloski,

So AEM doesn't bring the groups from AD into the repository?


Level 6

Hi,

I am using 6.1; is this config valid for 6.1 as well?

Thanks


Level 10

Yes... You need to create the LDAP groups in AEM, and you can map to the same group while syncing the users. It's mainly to sync the users.


Employee

As far as I can remember, and it has been a while since I used LDAP, you should be able to sync users and groups. The documentation does mention this [1]; see below:

A Word on Group Affiliation

Users synchronized through LDAP can be part of different groups in AEM. These groups can be external LDAP groups that will be added to AEM as part of the synchronization process, but they can also be groups that are added separately and are not part of the original LDAP group affiliation scheme.


EDIT: have you enabled debugging for LDAP to see what is going on?

Regards,

Opkar

[1] https://docs.adobe.com/docs/en/aem/6-1/administer/security/ldap-config.html

[2] https://github.com/Adobe-Marketing-Cloud/aem-ldap-tutorial


Level 6

Hi Opkar,

I've enabled the LDAP log, but it doesn't display anything about group sync.

It just displays the user authenticating against the AD server.

Is there any other configuration that I can check?

Thanks


Correct answer by
Employee

Hi,

So you see nothing when you set debug-level logging? [1]

What value have you set for "User membership nesting depth"? [2]

Regards,

Opkar

[1] https://docs.adobe.com/docs/en/aem/6-1/administer/security/ldap-config.html#Enabling debug logging

[2] https://docs.adobe.com/docs/en/aem/6-1/administer/security/ldap-config.html#Configuring The Synchronization Handler


Level 6

Hi opkar,

I was able to make the group sync work. As you said, I hadn't set the User membership nesting depth, so I set it to 1.

Another thing was to change the Group object classes to group and the Group member attribute to member.

Thanks for your help.
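Worked example, added to this thread (it is not code from any of the posters, from Adobe or from Oak): a small offline model of how the Oak external-authentication sync in AEM 6.1 resolves AD group membership, so the three settings that fixed the problem above can be seen failing and then working. The directory entries are constructed sample data. The dictionary keys reuse the real OSGi property names behind the console labels discussed in the thread (LdapIdentityProvider: group.objectclass and group.memberAttribute; DefaultSyncHandler: user.membershipNestingDepth), and the default values groupOfUniqueNames / uniqueMember / 0 are Oak's shipped defaults; the filter string and the recursion are this example's simplified model of what Oak does, not its code.

```python
"""
Added example, not from the original thread: model of Oak's AD group resolution.

Property names mirror the OSGi configurations behind the AEM console labels
(LdapIdentityProvider: group.objectclass, group.memberAttribute;
DefaultSyncHandler: user.membershipNestingDepth). The directory is constructed
sample data; the filter construction and recursion are a simplified model.
"""

# Constructed sample directory: one user, its direct group and a parent group,
# stored the way Active Directory stores them (objectClass "group", "member"
# holding full DNs), plus one OpenLDAP-style group Oak's defaults would match.
DIRECTORY = [
    {"dn": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "objectClass": ["top", "person", "user"],
     "sAMAccountName": ["jdoe"]},
    {"dn": "CN=aem-authors,OU=Groups,DC=corp,DC=example",
     "objectClass": ["top", "group"],
     "member": ["CN=jdoe,OU=Users,DC=corp,DC=example"]},
    {"dn": "CN=aem-all,OU=Groups,DC=corp,DC=example",
     "objectClass": ["top", "group"],
     "member": ["CN=aem-authors,OU=Groups,DC=corp,DC=example"]},
    {"dn": "CN=legacy,OU=Groups,DC=corp,DC=example",
     "objectClass": ["top", "groupOfUniqueNames"],
     "uniqueMember": []},
]

# Oak's shipped defaults (shaped for groupOfUniqueNames-style directories)
# versus the values the poster had to set for AD. The keys are the real OSGi
# property names; holding them in a dict is just this example's convention.
OAK_DEFAULTS = {"group.objectclass": "groupOfUniqueNames",
                "group.memberAttribute": "uniqueMember",
                "user.membershipNestingDepth": 0}
AD_SETTINGS = {"group.objectclass": "group",
               "group.memberAttribute": "member",
               "user.membershipNestingDepth": 1}


def group_filter(cfg, member_dn):
    """Shape of the LDAP filter the provider searches with under group.baseDN
    to find an identity's declared groups. A real filter must RFC 4515-escape
    the DN; this model inserts it verbatim."""
    return "(&(objectclass=%s)(%s=%s))" % (cfg["group.objectclass"],
                                          cfg["group.memberAttribute"], member_dn)


def declared_groups(directory, cfg, member_dn):
    """Evaluate that filter against the constructed directory: objectClass is
    matched case-insensitively (LDAP semantics); DN comparison is kept exact."""
    oc = cfg["group.objectclass"].lower()
    attr = cfg["group.memberAttribute"]
    return [e["dn"] for e in directory
            if oc in (c.lower() for c in e.get("objectClass", []))
            and member_dn in e.get(attr, [])]


def sync_membership(directory, cfg, user_dn, depth=None, seen=None):
    """Model of the sync handler's membership pass: depth 0 syncs no groups at
    all (the thread's first cause), depth 1 the user's direct groups, depth N
    follows N levels of nesting. 'seen' guards against group cycles."""
    if depth is None:
        depth = cfg["user.membershipNestingDepth"]
    seen = set() if seen is None else seen
    if depth <= 0:
        return seen
    for group_dn in declared_groups(directory, cfg, user_dn):
        if group_dn not in seen:
            seen.add(group_dn)
            sync_membership(directory, cfg, group_dn, depth - 1, seen)
    return seen


if __name__ == "__main__":
    user = "CN=jdoe,OU=Users,DC=corp,DC=example"
    print("default filter: ", group_filter(OAK_DEFAULTS, user))
    print("AD filter:      ", group_filter(AD_SETTINGS, user))
    print("defaults, depth 0:", sorted(sync_membership(DIRECTORY, OAK_DEFAULTS, user)))
    depth1_defaults = dict(OAK_DEFAULTS, **{"user.membershipNestingDepth": 1})
    print("defaults, depth 1:", sorted(sync_membership(DIRECTORY, depth1_defaults, user)))
    print("AD, depth 1:      ", sorted(sync_membership(DIRECTORY, AD_SETTINGS, user)))
    depth2_ad = dict(AD_SETTINGS, **{"user.membershipNestingDepth": 2})
    print("AD, depth 2:      ", sorted(sync_membership(DIRECTORY, depth2_ad, user)))
```

Running it shows the two independent reasons the original setup synced no groups: with the default object class and member attribute the filter matches nothing in an AD tree even at depth 1, and with depth 0 the membership pass never runs even when the filter is right. It also shows why depth is worth keeping small: each extra level is another round of group searches per synced identity, and a parent group such as aem-all only appears at depth 2.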