Expand my Community achievements bar.

Radically easy to access on brand approved content for distribution and omnichannel performant delivery. AEM Assets Content Hub and Dynamic Media with OpenAPI capabilities is now GA.

CQ and LDAP integration


Level 4


We are not able to successfully integrate CQ with LDAP. 

Based on the existing LDAP integration documentation, we are unable to get CQ to start when the following updates were done
-updated repository.xml, per the steps outlined in the documentation
-updated quickstart.bat to include the ldap config file
-included the ldap config file

The error logs have this error :

31.03.2014 09:57:20.560 *ERROR* [FelixStartLevel] com.day.crx.sling.server [com.day.crx.sling.server.impl.jmx.ManagedRepository] The activate method has thrown an exception (javax.jcr.RepositoryException: Neither JAAS nor RepositoryConfig contained a valid configuration for com.day.crx) javax.jcr.RepositoryException: Neither JAAS nor RepositoryConfig contained a valid configuration for com.day.crx

Based on what we found, one of the reason for this could be the ldap_login.conf couldn't be found. We tried the following but it did not help

1) Specifying an absolute path to the configuration file (with Djava.security.auth.login.config=...)

We even put the ldap_login.conf file in the same folder where the quickstart.bat is and set Djava.security.auth.login.config=ldap_login.conf.  This also did not work.  Can anyone help give pointers? 

Here is an excerpt of the quickstart.bat file we are using


::* use jaas.config
set CQ_USE_JAAS=true

::* config for jaas
set CQ_JAAS_CONFIG=ldap_login.conf

::* default JVM options
set CQ_JVM_OPTS=-Xmx1024m -XX:MaxPermSize=256M

::* ------------------------------------------------------------------------------
::* do not configure below this point
::* ------------------------------------------------------------------------------

chdir /D %~dp0
cd ..\..
set START_OPTS=-use-control-port
if defined CQ_PORT            set START_OPTS=%START_OPTS% -p %CQ_PORT%
if defined CQ_GUI             set START_OPTS=%START_OPTS% -gui
if defined CQ_NOBROWSER       set START_OPTS=%START_OPTS% -nobrowser
if defined CQ_VERBOSE         set START_OPTS=%START_OPTS% -verbose
if defined CQ_NOFORK          set START_OPTS=%START_OPTS% -nofork
if defined CQ_FORK            set START_OPTS=%START_OPTS% -fork
if defined CQ_FORKARGS        set START_OPTS=%START_OPTS% -forkargs %CQ_FORKARGS%
if defined CQ_RUNMODE         set START_OPTS=%START_OPTS% -r %CQ_RUNMODE%
if defined CQ_HOST            set CQ_JVM_OPTS=%CQ_JVM_OPTS% -Dorg.apache.felix.http.host=%CQ_HOST%
if defined CQ_HOST            set START_OPTS=%START_OPTS% -a %CQ_HOST%
if defined CQ_USE_JAAS        set CQ_JVM_OPTS=%CQ_JVM_OPTS% -Djava.security.auth.login.config=%CQ_JAAS_CONFIG%
if not defined CQ_JARFILE     for %%X in (*.jar) do set CQ_JARFILE=%%X

tasklist > oldTaskList.txt
start "CQ" cmd.exe /K java %CQ_JVM_OPTS% -jar %CQ_JARFILE% %START_OPTS%
tasklist > newTaskList.txt


Here is an excerpt of the repository.xml file we edited, based on what we could understand from the documentation


    security configuration
    <Security appName="com.day.crx">
            security manager:
            class: FQN of class implementing the JackrabbitSecurityManager interface
        <!--SecurityManager class="com.day.crx.core.CRXSecurityManager" workspaceName="" -->
        <SecurityManager class="com.day.crx.core.CRXSecurityManager">
            <WorkspaceAccessManager class="org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager"/>
            optional user manager configuration
            <UserManager class="org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager">
                <param name="usersPath" value="/home/users"/>
                <param name="groupsPath" value="/home/groups"/>
                <param name="defaultDepth" value="1"/>
                <param name="autoExpandTree" value="true"/>
                <AuthorizableAction class="org.apache.jackrabbit.core.security.user.action.AccessControlAction">
                  <param name="groupPrivilegeNames" value="jcr:read"/>
                  <param name="userPrivilegeNames" value="jcr:all"/>
                <!--AuthorizableAction class="com.day.crx.core.ntlm.NTLMAuthorizableAction"/>-->

            optional workspace access manager configuration
        access manager:
        class: FQN of class implementing the AccessManager interface
        <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager"></AccessManager>
        Use LoginModule authenticating against repository itself
        <!-- // see http://dev.day.com/docs/en/cq/current/core/administering/ldap_authentication.html
        <LoginModule class="com.day.crx.core.CRXLoginModule">
            <param name="anonymousId" value="anonymous"/>
            <param name="adminId" value="admin"/>
            <param name="disableNTLMAuth" value="true"/>
            <param name="tokenExpiration" value="43200000"/>


Thank you.

1 Accepted Solution


Correct answer by
Level 4

This is done.  The fork settings was actually causing ldap-config not getting picked up.  Setting nofork, we managed to get LDAP working.  That is good enough, for now.

View solution in original post

3 Replies


Correct answer by
Level 4

This is done.  The fork settings was actually causing ldap-config not getting picked up.  Setting nofork, we managed to get LDAP working.  That is good enough, for now.


Level 6

Give the actual path of conf file - 

if not defined CQ_JAAS_CONFIG set CQ_JAAS_CONFIG=C:/LDAP/ldap_login.conf


Level 10

There is a step by step article that shows how to hook into an LDAP system (Apache Directory Service) with CQ. See this article: