Hi experts,
I have successfully configured Apache DS with my CQ 5.4 instance. Now when a user (for example user1) is added in Apache DS, we are not able to see the newly created user in the users list when we are logged in as admin. This user (user1) is only available after user1 tries to log in for the first time with the credentials entered while creating the user in ApacheDS. So we need to ask business users (user1) to log in and log out, and only then can the administrator give permissions to user1.
My doubt is: is there any way to automate this process, so that when user1 logs in for the first time it will already have the necessary permissions and we do not need to ask the user to log in and log out?
Kindly advise!
Sam
Hi Sam,
I think there's something wrong in your usage of LDAP. It shouldn't be necessary for an admin to log in and grant permissions to each user. Rather these permissions should be assigned via an LDAP group.
CQ 5.4 is now 3 years old. You really should look at upgrading soon.
Justin
Hello,
Good points from Justin there.
What you would do is create the user groups in the LDAP corresponding to the groups in CQ. E.g. have a group in the LDAP that is named "supergroup". Then when the first user belonging to that group logs into CQ, that group will also be created in CQ. Set the right permissions on that group, and the rest of the people logging in with that group as their group will get the right permissions. Always try to set permissions on group level and not on a single user.
It should be possible AFAIK to create that specific group in advance and already set the correct permissions, so that every user, even if it is the first one, that logs in with that group will be added to it and automatically receive the right permissions.
/Johan
Well said Johan.
Sam,
For recent versions of AEM a sync of all users to AEM is possible and described in the documentation [1]; in CQ 5.4 (which is indeed quite old) the option to import all users from LDAP already existed, IIRC in the CRX Explorer (http://localhost:4502/crx/explorer/index.jsp).
Hello Justin,
Thank you for your help. I did not understand what could be the issue with the LDAP set-up. I've attached a screenshot here of my new LDAP user. Could you please explain a bit?
I have the following entry in ldap_login.conf:
com.day.crx {
    com.day.crx.core.CRXLoginModule sufficient;
    com.day.crx.security.ldap.LDAPLoginModule required
        principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
        host="localhost"
        port="10389"
        secure="false"
        authDn="uid=admin,ou=system"
        authPw="secret"
        userRoot="ou=users,ou=system"
        userIdAttribute="userid"
        userFilter="(objectClass=*)"
        groupRoot="ou=groups, o=example"
        groupMembershipAttribute="uniquemember"
        autocreate="create"
        autocreate.user.membership="contributor"
        autocreate.user.mail="rep:e-mail"
        autocreate.user.cn="rep:fullname"
        autocreate.group.description="description"
        autocreate.group.mail="rep:e-mail"
        autocreate.group.cn="rep:fullname"
        autocreate.path="direct"
        cache.expiration="600"
        cache.maxsize="100";
};
I've followed this, and as per the explanation in the section "Validate CQ-ApacheDS integration", it describes the same problem which I am trying to automate.
Kindly let me know if I'm missing something.
Sam
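Added here as an editor's example, not code from the thread or from Adobe: a small Python checker that parses a JAAS login configuration in the shape of Sam's ldap_login.conf and lists the LDAPLoginModule settings a reviewer would question before going live. SAMPLE_CONF is a constructed, abridged copy of the posted file; the checks encode general LDAP bind hygiene, not CQ-specific rules.

```python
import re

# Constructed, abridged copy of the ldap_login.conf posted above (the real file
# carries more autocreate.* keys); the values are the ones shown in the thread.
SAMPLE_CONF = """
com.day.crx {
  com.day.crx.core.CRXLoginModule sufficient;
  com.day.crx.security.ldap.LDAPLoginModule required
    host="localhost"
    port="10389"
    secure="false"
    authDn="uid=admin,ou=system"
    authPw="secret"
    userRoot="ou=users,ou=system"
    userFilter="(objectClass=*)"
    groupRoot="ou=groups, o=example"
    autocreate.user.membership="contributor";
};
"""

# One JAAS entry: <module class> <control flag> [option="value" ...];
_ENTRY = re.compile(r'(\S+)\s+(required|requisite|sufficient|optional)\b([^;]*);', re.S)
_OPTION = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')

def parse_jaas(text):
    """Return {app_name: [(module_class, flag, {option: value}), ...]}."""
    apps = {}
    for app, body in re.findall(r'([\w.]+)\s*\{(.*?)\};', text, re.S):
        apps[app] = [(cls, flag, dict(_OPTION.findall(opts)))
                     for cls, flag, opts in _ENTRY.findall(body)]
    return apps

def suffix(dn):
    """Last RDN of a DN, tolerating a space after the comma ('ou=groups, o=example' -> 'o=example')."""
    return dn.replace(", ", ",").split(",")[-1]

def audit_ldap_module(opts):
    """Return findings for one LDAPLoginModule option set; an empty list means nothing was flagged."""
    findings = []
    if opts.get("secure", "false").lower() != "true":
        findings.append("secure is not true: the bind and authPw cross the wire in cleartext")
    if opts.get("userFilter", "") in ("", "(objectClass=*)"):
        findings.append("userFilter matches every entry below userRoot, not just user objects")
    if opts.get("authDn", "").startswith("uid=admin,"):
        findings.append("authDn is the directory administrator; bind with a least-privilege account")
    if opts.get("authPw") == "secret":
        findings.append("authPw is the ApacheDS out-of-the-box admin password")
    if "userRoot" in opts and "groupRoot" in opts and suffix(opts["userRoot"]) != suffix(opts["groupRoot"]):
        findings.append("userRoot and groupRoot live under different suffixes; confirm the group base is right")
    return findings
```

Run `audit_ldap_module(parse_jaas(SAMPLE_CONF)["com.day.crx"][1][2])` to get the list of findings for the posted configuration.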
Thank you all for your help... now my doubt is clear.