Hi,
We have recently changed the naming convention of the groups, and now we see that the groups are not syncing from the LDAP. It is throwing a warning saying that it is not able to recognize whether it is a user or a group.
PFB configurations and error as well.
PID = org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider
BundleLocation = Unbound
adminPool.lookupOnValidate = false
adminPool.maxActive = 8
bind.dn = uid=appaem,ou=applicationids,ou=people,ou=intranet,dc=********,dc=com
bind.password = XXXXXXXX
customattributes = []
group.baseDN = ou=groups,ou=intranet,dc=*******,dc=com
group.extraFilter = (cn=AEM-EDAM-*-INT)
group.makeDnPath = false
group.memberAttribute = uniquemember
group.nameAttribute = cn
group.objectclass = [groupOfUniqueNames]
host.name = ovdtest.******.com
host.noCertCheck = true
host.port = 636
host.ssl = true
host.tls = false
provider.name = ovdidp
searchTimeout = 60s
service.pid = org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider
useUidForExtId = false
user.baseDN = ou=intranet,dc=********,dc=com
user.extraFilter = (hmdynmemberof=AEM-EDAM-HHA-EVERYONE-INT)
user.idAttribute = uid
user.makeDnPath = false
user.objectclass = [inetorgperson]
userPool.lookupOnValidate = false
userPool.maxActive = 8
Error log warning:
08.02.2019 01:03:57.940 *INFO* [qtp382561098-125692] org.apache.jackrabbit.oak.spi.security.authentication.external.impl.jmx.Delegatee synced DefaultSyncedIdentity{id='lid****', ref=ExternalIdentityRef{id='uid=lid****,ou=people,ou=intranet,dc=********,dc=com', providerName='ovdidp'}, isGroup=false, lastSynced=1549605837675}
08.02.2019 01:03:57.947 *WARN* [qtp382561098-125692] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-USERS-INT,ou=groups,ou=intranet,dc=********,dc=com;ovdidp
08.02.2019 01:03:57.947 *WARN* [qtp382561098-125692] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-USERS-INT,ou=groups,ou=intranet,dc=********,dc=com;ovdidp'.
08.02.2019 01:03:57.952 *WARN* [qtp382561098-125692] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-ADMINS-INT,ou=groups,ou=intranet,dc=********,dc=com;ovdidp
08.02.2019 01:03:57.952 *WARN* [qtp382561098-125692] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-ADMINS-INT,ou=groups,ou=intranet,dc=********,dc=com;ovdidp'
Check this snippet for error details -
    Entry entry = connection.lookup(ref.getId(), "*");
    if (entry == null) {
        return null;
    } else if (entry.hasObjectClass(config.getUserConfig().getObjectClasses())) {
        return createUser(entry, null);
    } else if (entry.hasObjectClass(config.getGroupConfig().getObjectClasses())) {
        return createGroup(entry, null);
    } else {
        log.warn("referenced identity is neither user or group: {}", ref.getString());
        return null;
    }
I assume that you would have to create a fresh config with the updated group name.
https://helpx.adobe.com/experience-manager/using/configuring-aem6-apache-directory-service.html
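In the snippet quoted above, the warning is reached only when the lookup returned an entry whose objectClass values match neither user.objectclass nor group.objectclass. The following added example (not part of the original thread and not Oak's code) pulls the warned DNs out of the log and replays that branch order against objectClass values you have read from the directory. The function names, the sample log and the sample directory are constructed; case-insensitive matching and "every configured class must be present" are assumptions of this model.

```python
import re

# Matches the WARN text shown in the thread: "<DN>;<provider name>" follows the colon.
WARN_RE = re.compile(r"referenced identity is neither user or group: (?P<dn>.+);(?P<idp>[^;\s]+)\s*$")
# Constructed sample log (line format copied from the thread, domain replaced by example.com).
SAMPLE_LOG = """\
12.02.2019 05:52:43.659 *WARN* [qtp-1] o.a.j.o.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-EDITORS-INT,ou=groups,ou=intranet,dc=example,dc=com;ovdidp
12.02.2019 05:52:43.659 *WARN* [qtp-1] o.a.j.o.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-EDITORS-INT,ou=groups,ou=intranet,dc=example,dc=com;ovdidp'.
12.02.2019 05:52:43.661 *WARN* [qtp-1] o.a.j.o.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-EDITORS-INT,ou=groups,ou=intranet,dc=example,dc=com;ovdidp
"""
# Constructed directory data (DN -> objectClass values); not a diagnosis of the poster's directory.
SAMPLE_DIRECTORY = {
    "cn=AEM-EDAM-HHA-EDITORS-INT,ou=groups,ou=intranet,dc=example,dc=com": ["top", "groupOfNames"],
    "cn=AEM-EHS-ADMINS-INT,ou=groups,ou=intranet,dc=example,dc=com": ["top", "groupOfUniqueNames"],
}
USER_CLASSES = ["inetorgperson"]        # user.objectclass from the posted config
GROUP_CLASSES = ["groupOfUniqueNames"]  # group.objectclass from the posted config

def unresolved_refs(log_text):
    """Distinct (dn, provider) pairs named in the WARN lines, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m and (m["dn"], m["idp"]) not in seen:
            seen.append((m["dn"], m["idp"]))
    return seen

def _has(have, classes):
    # Assumption: an empty list never matches, and every configured class must be present.
    return bool(classes) and all(c.lower() in have for c in classes)

def classify(object_classes, user_classes, group_classes):
    """Same branch order as the snippet: user test, then group test, else None (the WARN case)."""
    have = {oc.lower() for oc in object_classes}
    if _has(have, user_classes):
        return "user"
    if _has(have, group_classes):
        return "group"
    return None

def triage(log_text, directory, user_classes, group_classes):
    """Per warned DN: was it in the directory data, how it classifies, which group classes it lacks."""
    report = {}
    for dn, _idp in unresolved_refs(log_text):
        ocs = directory.get(dn, [])
        have = {oc.lower() for oc in ocs}
        report[dn] = {"found": dn in directory, "kind": classify(ocs, user_classes, group_classes),
                      "missing": [c for c in group_classes if c.lower() not in have]}
    return report
```

Fill the directory mapping with the objectClass values your LDAP browser shows for each warned DN; a non-empty "missing" list names the configured group class the entry does not carry.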
I have deleted all the configs and manually recreated all the configurations, but still not able to sync the newly created groups.
I have tried with the property 'group.extraFilter = (cn=AEM-*-INT)'; in this scenario, it is giving the below input. I think it is able to sync the other groups, but when the 'group.extraFilter = (cn=AEM-EDAM-*-INT)', it is not able to sync the groups. Do you think that there is an issue with groups creation?
12.02.2019 05:52:43.655 *INFO* [qtp1538804081-3219] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'lid***' was added to the group 'AEM-EHS-WORKFLOWUSERS-INT'
12.02.2019 05:52:43.658 *INFO* [qtp1538804081-3219] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'lid***' was added to the group 'AEM-EHS-ADMINS-INT'
12.02.2019 05:52:43.659 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-EDITORS-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp
12.02.2019 05:52:43.659 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-EDITORS-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp'.
12.02.2019 05:52:43.660 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-READ-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp
12.02.2019 05:52:43.660 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-READ-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp'.
12.02.2019 05:52:43.661 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-USERS-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp
12.02.2019 05:52:43.661 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-USERS-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp'.
Not sure, you may want to validate each step of this tutorial against your configurations. That's a better way to rule out any wrong configurations for that group -