SOLVED

CQ and LDAP integration

Level 4

Hi,

We are not able to successfully integrate CQ with LDAP. 

Based on the existing LDAP integration documentation, we are unable to get CQ to start when the following updates were done:
- updated repository.xml, per the steps outlined in the documentation
- updated quickstart.bat to include the ldap config file
- included the ldap config file

The error logs have this error:

31.03.2014 09:57:20.560 *ERROR* [FelixStartLevel] com.day.crx.sling.server [com.day.crx.sling.server.impl.jmx.ManagedRepository] The activate method has thrown an exception (javax.jcr.RepositoryException: Neither JAAS nor RepositoryConfig contained a valid configuration for com.day.crx) javax.jcr.RepositoryException: Neither JAAS nor RepositoryConfig contained a valid configuration for com.day.crx

Based on what we found, one of the reasons for this could be that the ldap_login.conf couldn't be found. We tried the following but it did not help:

1) Specifying an absolute path to the configuration file (with Djava.security.auth.login.config=...)

We even put the ldap_login.conf file in the same folder where the quickstart.bat is and set Djava.security.auth.login.config=ldap_login.conf. This also did not work. Can anyone help give pointers?

Here is an excerpt of the quickstart.bat file we are using

*******************************************************

::* use jaas.config
set CQ_USE_JAAS=true

::* config for jaas
set CQ_JAAS_CONFIG=ldap_login.conf

::* default JVM options
set CQ_JVM_OPTS=-Xmx1024m -XX:MaxPermSize=256M

::* ------------------------------------------------------------------------------
::* do not configure below this point
::* ------------------------------------------------------------------------------

chdir /D %~dp0
cd ..\..
set START_OPTS=-use-control-port
if defined CQ_PORT            set START_OPTS=%START_OPTS% -p %CQ_PORT%
if defined CQ_GUI             set START_OPTS=%START_OPTS% -gui
if defined CQ_NOBROWSER       set START_OPTS=%START_OPTS% -nobrowser
if defined CQ_VERBOSE         set START_OPTS=%START_OPTS% -verbose
if defined CQ_NOFORK          set START_OPTS=%START_OPTS% -nofork
if defined CQ_FORK            set START_OPTS=%START_OPTS% -fork
if defined CQ_FORKARGS        set START_OPTS=%START_OPTS% -forkargs %CQ_FORKARGS%
if defined CQ_RUNMODE         set START_OPTS=%START_OPTS% -r %CQ_RUNMODE%
if defined CQ_BASEFOLDER      set START_OPTS=%START_OPTS% -b %CQ_BASEFOLDER%
if defined CQ_LOWMEMACTION    set START_OPTS=%START_OPTS% -low-mem-action %CQ_LOWMEMACTION%
if defined CQ_HOST            set CQ_JVM_OPTS=%CQ_JVM_OPTS% -Dorg.apache.felix.http.host=%CQ_HOST%
if defined CQ_HOST            set START_OPTS=%START_OPTS% -a %CQ_HOST%
if defined CQ_USE_JAAS        set CQ_JVM_OPTS=%CQ_JVM_OPTS% -Djava.security.auth.login.config=%CQ_JAAS_CONFIG%
if not defined CQ_JARFILE     for %%X in (*.jar) do set CQ_JARFILE=%%X

tasklist > oldTaskList.txt
start "CQ" cmd.exe /K java %CQ_JVM_OPTS% -jar %CQ_JARFILE% %START_OPTS%
tasklist > newTaskList.txt

*******************************************

Here is an excerpt of the repository.xml file we edited, based on what we could understand from the documentation

********************************************

    <!--
    security configuration
    -->
    <Security appName="com.day.crx">
        <!--
            security manager:
            class: FQN of class implementing the JackrabbitSecurityManager interface
        -->
        <!--SecurityManager class="com.day.crx.core.CRXSecurityManager" workspaceName="" -->
        <SecurityManager class="com.day.crx.core.CRXSecurityManager">
            <WorkspaceAccessManager class="org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager"/>
            <!--
            optional user manager configuration
            -->
            <UserManager class="org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager">
                <param name="usersPath" value="/home/users"/>
                <param name="groupsPath" value="/home/groups"/>
                <param name="defaultDepth" value="1"/>
                <param name="autoExpandTree" value="true"/>
                <AuthorizableAction class="org.apache.jackrabbit.core.security.user.action.AccessControlAction">
                  <param name="groupPrivilegeNames" value="jcr:read"/>
                  <param name="userPrivilegeNames" value="jcr:all"/>
                </AuthorizableAction>
                <!--AuthorizableAction class="com.day.crx.core.ntlm.NTLMAuthorizableAction"/>-->
            </UserManager>

            <!--
            optional workspace access manager configuration
           -->
        </SecurityManager>
        <!--
        access manager:
        class: FQN of class implementing the AccessManager interface
        -->
        <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager"></AccessManager>
        <!--
        Use LoginModule authenticating against repository itself
        -->
        <!-- // see http://dev.day.com/docs/en/cq/current/core/administering/ldap_authentication.html
        <LoginModule class="com.day.crx.core.CRXLoginModule">
            <param name="anonymousId" value="anonymous"/>
            <param name="adminId" value="admin"/>
            <param name="disableNTLMAuth" value="true"/>
            <param name="tokenExpiration" value="43200000"/>
        </LoginModule>
        -->
    </Security>

************************************************

Thank you.

1 Accepted Solution

Correct answer by
Level 4

This is done. The fork setting was actually causing the ldap-config not to get picked up. Setting nofork, we managed to get LDAP working. That is good enough, for now.

3 Replies

Level 6

Give the actual path of the conf file:

if not defined CQ_JAAS_CONFIG set CQ_JAAS_CONFIG=C:/LDAP/ldap_login.conf
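
A pre-flight check that combines the two fixes reported in this thread (an absolute path to the JAAS file, and starting without fork), as an added example that is not part of the original posts or of the product's own scripts. The script name `check-jaas.bat` is hypothetical, the `C:\LDAP` location is the one used in the reply above, and the check assumes the JAAS file opens its entry as `com.day.crx {` or with the brace on the following line.

```bat
@echo off
setlocal
:: check-jaas.bat (hypothetical name): run before quickstart.bat to confirm
:: the JAAS settings it will hand to the JVM are usable.

:: Same variables quickstart.bat reads. The path is the one from the reply
:: above; adjust it to your installation.
set "CQ_USE_JAAS=true"
set "CQ_JAAS_CONFIG=C:\LDAP\ldap_login.conf"

:: The accepted answer reports that the fork setting kept the LDAP config
:: from being picked up, so request -nofork.
set "CQ_NOFORK=true"

:: Expand to a fully qualified path now. quickstart.bat runs "cd ..\.."
:: before launching java, so a bare file name is no longer resolved from
:: the folder that holds the script.
for %%F in ("%CQ_JAAS_CONFIG%") do set "CQ_JAAS_CONFIG=%%~fF"

if not exist "%CQ_JAAS_CONFIG%" (
    echo ERROR: JAAS config not found: %CQ_JAAS_CONFIG%
    exit /b 1
)

:: repository.xml declares appName="com.day.crx" and its LoginModule element
:: is commented out, so the JAAS file has to define an entry with that name.
:: Otherwise startup fails with "Neither JAAS nor RepositoryConfig contained
:: a valid configuration for com.day.crx".
findstr /R /C:"^ *com\.day\.crx *{" /C:"^ *com\.day\.crx *$" "%CQ_JAAS_CONFIG%" >nul
if errorlevel 1 (
    echo ERROR: no "com.day.crx" entry found in %CQ_JAAS_CONFIG%
    exit /b 1
)

echo OK: %CQ_JAAS_CONFIG% exists and defines com.day.crx
echo Use in quickstart.bat:
echo   set CQ_USE_JAAS=%CQ_USE_JAAS%
echo   set CQ_JAAS_CONFIG=%CQ_JAAS_CONFIG%
echo   set CQ_NOFORK=%CQ_NOFORK%
endlocal
```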

Level 10

There is a step by step article that shows how to hook into an LDAP system (Apache Directory Service) with CQ. See this article:

http://helpx.adobe.com/experience-manager/using/configuring-cq-apache-directory-service.html