Groups not syncing from LDAP

ramgopalm545617

07-02-2019

Hi,

We have recently changed the naming convention of the groups, and now we see that the groups are not syncing from LDAP; it is throwing a warning saying that it is not able to recognize whether it is a user or a group.

Please find below the configurations and the error as well.

PID = org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider
  BundleLocation = Unbound
  adminPool.lookupOnValidate = false
  adminPool.maxActive = 8
  bind.dn = uid=appaem,ou=applicationids,ou=people,ou=intranet,dc=********,dc=com
  bind.password = XXXXXXXX
  customattributes = []
  group.baseDN = ou=groups,ou=intranet,dc=*******,dc=com
  group.extraFilter = (cn=AEM-EDAM-*-INT)
  group.makeDnPath = false
  group.memberAttribute = uniquemember
  group.nameAttribute = cn
  group.objectclass = [groupOfUniqueNames]
  host.name = ovdtest.******.com
  host.noCertCheck = true
  host.port = 636
  host.ssl = true
  host.tls = false
  provider.name = ovdidp
  searchTimeout = 60s
  service.pid = org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider
  useUidForExtId = false
  user.baseDN = ou=intranet,dc=********,dc=com
  user.extraFilter = (hmdynmemberof=AEM-EDAM-HHA-EVERYONE-INT)
  user.idAttribute = uid
  user.makeDnPath = false
  user.objectclass = [inetorgperson]
  userPool.lookupOnValidate = false
  userPool.maxActive = 8

Error log warning:

08.02.2019 01:03:57.940 *INFO* [qtp382561098-125692] org.apache.jackrabbit.oak.spi.security.authentication.external.impl.jmx.Delegatee synced DefaultSyncedIdentity{id='lid****', ref=ExternalIdentityRef{id='uid=lid****,ou=people,ou=intranet,dc=********,dc=com', providerName='ovdidp'}, isGroup=false, lastSynced=1549605837675}

08.02.2019 01:03:57.947 *WARN* [qtp382561098-125692] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-USERS-INT,ou=groups,ou=intranet,dc=********,dc=com;ovdidp

08.02.2019 01:03:57.947 *WARN* [qtp382561098-125692] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-USERS-INT,ou=groups,ou=intranet,dc=********,dc=com;ovdidp'.

08.02.2019 01:03:57.952 *WARN* [qtp382561098-125692] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-ADMINS-INT,ou=groups,ou=intranet,dc=********,dc=com;ovdidp

08.02.2019 01:03:57.952 *WARN* [qtp382561098-125692] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-ADMINS-INT,ou=groups,ou=intranet,dc=********,dc=com;ovdidp'

Accepted Solutions (0)

Answers (3)

ramgopalm545617

12-02-2019

I have deleted all the configs and manually recreated all the configurations, but I am still not able to sync the newly created groups.

I have tried with the property 'group.extraFilter = (cn=AEM-*-INT)'; in this scenario it is giving the input below. I think it is able to sync the other groups, but when 'group.extraFilter = (cn=AEM-EDAM-*-INT)' is used, it is not able to sync the groups. Do you think that there is an issue with the group creation?

12.02.2019 05:52:43.655 *INFO* [qtp1538804081-3219] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'lid***' was added to the group 'AEM-EHS-WORKFLOWUSERS-INT'

12.02.2019 05:52:43.658 *INFO* [qtp1538804081-3219] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'lid***' was added to the group 'AEM-EHS-ADMINS-INT'

12.02.2019 05:52:43.659 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-EDITORS-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp

12.02.2019 05:52:43.659 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-EDITORS-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp'.

12.02.2019 05:52:43.660 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-READ-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp

12.02.2019 05:52:43.660 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-READ-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp'.

12.02.2019 05:52:43.661 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-USERS-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp

12.02.2019 05:52:43.661 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-USERS-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp'.

Gaurav-Behl

MVP

08-02-2019

Check this snippet for error details -

Entry entry = connection.lookup(ref.getId(), "*");   // look up the referenced DN with all user attributes
if (entry == null) {
    return null;                                      // the DN does not exist in the directory
} else if (entry.hasObjectClass(config.getUserConfig().getObjectClasses())) {
    return createUser(entry, null);                   // entry carries the configured user.objectclass
} else if (entry.hasObjectClass(config.getGroupConfig().getObjectClasses())) {
    return createGroup(entry, null);                  // entry carries the configured group.objectclass
} else {
    log.warn("referenced identity is neither user or group: {}", ref.getString());
    return null;                                      // neither objectclass matched: this is the warning in the log
}

source - https://svn.apache.org/repos/asf/jackrabbit/oak/branches/1.0/oak-auth-ldap/src/main/java/org/apache/...

I assume that you would have to create a fresh config with the updated group name.

https://helpx.adobe.com/experience-manager/using/configuring-aem6-apache-directory-service.html
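An added example, not code from this thread, from Oak or from Adobe: it re-creates offline the decision the quoted snippet makes. Once a referenced DN has been looked up, the entry is treated as a user only if it carries the configured user.objectclass, as a group only if it carries the configured group.objectclass, and otherwise the "referenced identity is neither user or group" warning from the original post is emitted. The objectclass values and the group.extraFilter pattern are taken from the configuration posted above; the LDIF entries are constructed, with dc=example,dc=com in place of the redacted domain. Two assumptions are made and marked in the code: objectClass values are compared case-insensitively (the posted config uses lowercase inetorgperson and users do sync), and every configured objectclass must be present for a match, which is how I read the Apache Directory API's hasObjectClass. Running this against an export of the groups that fail to sync shows whether their objectClass is what the identity provider expects, which is the first thing to check when the filter matches the group name but the warning still appears.

```python
"""
Offline check of LDAP entries against an Oak LdapIdentityProvider configuration.
Added example (not the thread's or Oak's code). Entries below are constructed.
"""
from fnmatch import fnmatchcase

# Values copied from the configuration posted in the thread
USER_OBJECTCLASSES = ["inetorgperson"]
GROUP_OBJECTCLASSES = ["groupOfUniqueNames"]
GROUP_EXTRA_FILTER_CN = "AEM-EDAM-*-INT"   # from group.extraFilter = (cn=AEM-EDAM-*-INT)

# Constructed LDIF-style export: one user, one group with the expected
# objectclass, and one group created with a different objectclass.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,ou=intranet,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: jdoe

dn: cn=AEM-EDAM-HHA-USERS-INT,ou=groups,ou=intranet,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: AEM-EDAM-HHA-USERS-INT
uniqueMember: uid=jdoe,ou=people,ou=intranet,dc=example,dc=com

dn: cn=AEM-EDAM-HHA-ADMINS-INT,ou=groups,ou=intranet,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: AEM-EDAM-HHA-ADMINS-INT
member: uid=jdoe,ou=people,ou=intranet,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into {dn: {attribute_lowercase: [values]}}.
    Line folding and base64 (::) values are not handled; the constructed
    input above uses neither."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the current entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def has_object_classes(entry, required):
    """Assumption: values compare case-insensitively (LDAP objectClass matching
    rule; the thread's lowercase 'inetorgperson' does sync users), and every
    configured class must be present on the entry."""
    present = {v.lower() for v in entry.get("objectclass", [])}
    return all(r.lower() in present for r in required)


def matches_group_filter(entry):
    """Approximate the (cn=AEM-EDAM-*-INT) substring filter with a glob match.
    Only '*' wildcards are meaningful here; cn values contain no '?' or '['."""
    return any(fnmatchcase(cn, GROUP_EXTRA_FILTER_CN) for cn in entry.get("cn", []))


def classify(entry):
    """Mirror the if/else chain in the quoted LdapIdentityProvider snippet."""
    if entry is None:
        return "missing"
    if has_object_classes(entry, USER_OBJECTCLASSES):
        return "user"
    if has_object_classes(entry, GROUP_OBJECTCLASSES):
        return "group"
    return "neither"


def audit(directory, refs):
    """For each referenced DN return (dn, classification, warning or None).
    A group whose cn matches the extra filter but whose objectclass is not the
    configured one is reported exactly as the provider logs it."""
    results = []
    for dn in refs:
        entry = directory.get(dn)
        kind = classify(entry)
        warning = None
        if kind == "neither":
            warning = "referenced identity is neither user or group: %s" % dn
            if matches_group_filter(entry):
                warning += " (cn matches group.extraFilter; objectClass is %s, expected %s)" % (
                    entry.get("objectclass"), GROUP_OBJECTCLASSES)
        results.append((dn, kind, warning))
    return results


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for dn, kind, warning in audit(directory, list(directory)):
        print("%-8s %s" % (kind, dn))
        if warning:
            print("         WARN", warning)
```

To use it on a real environment, replace SAMPLE_LDIF with an ldapsearch export of the group subtree and set the two objectclass lists to whatever the OSGi configuration holds; any entry reported as "neither" will produce the same warning during sync.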