Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

Doubts on LDAP integration

Avatar

Level 6

Hi experts,

I have successfully configured Apache DS with my CQ 5.4 instance. Now when a user is added (for example user1) in Apache DS then we will not be able to see newly created user in users list when we are logged in as admin. This user (user1) only be available after user1 try login first time with the credentials entered while creating user in ApacheDS. So, we need to ask business users (user1) to login and logout and then administrator can give permission to user1.

My doubt is there any way to automate this process so that when user1 will login for first time then it will have necessary permission and we do not need to ask user login and log out.

Kindly advise!

Sam

1 Accepted Solution

Avatar

Correct answer by
Employee

Hi Sam,

I think there's something wrong in your usage of LDAP. It shouldn't be necessary for an admin to log in and grant permissions to each user. Rather these permissions should be assigned via an LDAP group.

CQ 5.4 is now 3 years old. You really should look at upgrading soon.

Justin

View solution in original post

6 Replies

Avatar

Level 7

Hello,
good points from Justin there.

What you would do is to create the user groups in the LDAP corresponding to the groups in CQ. Eg. have a group in the LDAP that is named "supergroup". Then when the first user belonging to that group is logging into CQ, that group will also be created in CQ. Set the right permissions to that group and the rest of the people logging in with that group as their group will get the right permissions. Always try to set permissions on group level and not on a single user.

It should be possible AFAIK to create that specific group in advance and already set the correct permissions so that every user, even if it is the first one, that logs in with that group will be added to it and auto. recieve the right permissions.

/Johan

Avatar

Correct answer by
Employee

Hi Sam,

I think there's something wrong in your usage of LDAP. It shouldn't be necessary for an admin to log in and grant permissions to each user. Rather these permissions should be assigned via an LDAP group.

CQ 5.4 is now 3 years old. You really should look at upgrading soon.

Justin

Avatar

Employee Advisor

Sam,

for recent versions of AEM an sync of all users to AEM is possible and described in the documentation [1]; in CQ 5.4 (which is indeed quite old) the option to import all users from LDAP already existed, IIRC in the CRX Explorer (http://localhost:4502/crx/explorer/index.jsp).

[1] http://dev.day.com/docs/en/cq/current/core/administering/ldap_authentication.html#LDAP%20User%20Sync...

Avatar

Level 6

Hello Justin,

Thank you for your help. I did not understand what could be the issue with ldap set up. I've attached screenshot here of my new ldap user. Could you please explain bit? 

I have following entry in ldap_login.conf - 

com.day.crx {
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
              principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
              host="localhost"
              port="10389"
              secure="false"
              authDn="uid=admin,ou=system"
              authPw="secret"
              userRoot="ou=users,ou=system"
      userIdAttribute="userid"
      userFilter="(objectClass=*)"
              groupRoot="ou=groups, o=example"
              groupMembershipAttribute="uniquemember"
              autocreate="create"
              autocreate.user.membership="contributor"
              autocreate.user.mail="rep:e-mail"
              autocreate.user.cn="rep:fullname"
              autocreate.group.description="description"
              autocreate.group.mail="rep:e-mail"
              autocreate.group.cn="rep:fullname"
              autocreate.path="direct"
              cache.expiration="600"
              cache.maxsize="100";
};

I've followed this and as per explanation in section "Validate CQ-ApacheDS integration", it says the same problem which I am trying to automate. 

Kindly let me know if I'm missing something. 

Sam

Avatar

Level 6

Thank you all for your help...now my doubt is clear