I am in the process of setting up authentication via Active Directory LDAP. I have it working just fine for everyone in my AD to log in to CQ5, but I actually have about 1000 AD users and only 10 will be using CQ, at least in our test phase. I would like the LDAP authentication process to only create new user accounts in CQ based on membership in an AD group. (Example: TestUser1 belongs to group AEM_USERS, so their account is created when they log into AEM for the first time, but TestUser2 is not a member, so their account doesn't get created.) Is this possible? How do I define that within my LDAP_Login.conf file? I have tried a couple of settings, and I either get no one able to log in, or everyone able to log in. My AD tree is also very departmentalized, so I can't put everyone who is going to use the software in one directory, although I have created a group for these 10 developers that I can put anywhere in the tree (right now it is at the root, i.e., "CN=CMS_Users,OU=CAES,DC=CAESAD,DC=UGA,DC=EDU").
Here is what I have at present:
userRoot="OU=CAES,DC=CAESAD,DC=UGA,DC=EDU"
userFilter="(objectclass=person)"
userIdAttribute="sAMAccountName"
groupRoot="OU=CAES,DC=CAESAD,DC=UGA,DC=EDU"
groupMembershipAttribute="uniquemember"
autocreate="create"
autocreate.user.mail="profile/email"
autocreate.user.givenname="profile/givenName"
autocreate.user.familyname="profile/sn"
autocreate.user.cn="rep:fullname"
autocreate.user.sn="cq:last-name"
autocreate.user.description="profile/aboutMe"
autocreate.path="splitdn"
cache.expiration="600"
cache.maxsize="100";
Thanks!
Diana