I am trying to connect to the AEM 6.1 SP2 Java 8 environment running on Linux with a Windows Java 8 JConsole. I can connect to it unauthenticated. I can connect to it with SSL client certs. I cannot connect to it if I try to enable/configure an external LDAP server which requires authentication (i.e. a non-anonymous bind).
I am having problems with the JAAS configuration. It seems I have found that the OSGi packaging affects the JNDI InitialContext which manages the SharedState values that the LdapLoginModule uses. Specifically, the javax.security.auth.login.password is not there, which I see when I use tryFirstPass=true in the JAAS configuration. I identified that the com.day.common.simplejndi integration appears to change the shared state configuration to allow for the multiple OSGi applications.
So I am hoping someone on the forum who has configured and tested JMX remote monitoring with SSL client authentication and external LDAP authentication might be able to share the options used in the ldap.conf file to bind to the LDAP server. I require both SSL certificates for network traffic encryption and external LDAP authentication to limit role access and prevent JMX operations from being executed.
Please share some suggestions, ideas, tests... I want to 'Configure over Customize' by using OOTB login modules rather than create a new one. (I even tried to use the Oak external login module in the jre/lib/ext directory, but that has too many dependencies to take it out of the OSGi packaged environment.)
Here's a sample ldap.conf
ThisCompanyConfig3 {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="ldaps://the-ldap-server/ou=Employee,ou=People,o=Company,c=US"
    userFilter="(uid={USERNAME})"
    authIdentity="specialDN=1234567,ou=Employee,ou=People,o=Company,c=US"
    clearPass=true
    storePass=false
    debug=true
    authzIdentity=monitorRole;
};
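As an added example (not from the original post or from AEM), a small JAAS harness that exercises the ThisCompanyConfig3 entry above outside OSGi, so the LdapLoginModule options can be checked against the LDAP server without the AEM runtime in the way; the class name, the default test account and the console prompt are assumptions.

```java
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Run with: java -Djava.security.auth.login.config=ldap.conf JaasLdapCheck <user> */
public class JaasLdapCheck {
    /** Answers the NameCallback/PasswordCallback that LdapLoginModule issues when no usable shared-state credentials are present. */
    static final class PromptHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        PromptHandler(String user, char[] password) { this.user = user; this.password = password; }
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "callback not supported");
                }
            }
        }
    }

    public static void main(String[] args) throws LoginException {
        String user = args.length > 0 ? args[0] : "jmxmonitor"; // assumed test account name
        if (System.console() == null) throw new IllegalStateException("needs an interactive console");
        char[] password = System.console().readPassword("LDAP password for %s: ", user);
        try {
            // "ThisCompanyConfig3" is the entry name from the ldap.conf above.
            LoginContext lc = new LoginContext("ThisCompanyConfig3", new PromptHandler(user, password));
            lc.login(); // throws LoginException on search/bind failure; debug=true prints why
            Subject subject = lc.getSubject();
            // With authzIdentity=monitorRole the Subject should carry a principal named
            // "monitorRole"; that is the name jmxremote.access maps to readonly/readwrite.
            subject.getPrincipals().forEach(p -> System.out.println(p.getClass().getName() + ": " + p.getName()));
            lc.logout();
        } finally {
            Arrays.fill(password, '\0'); // scrub the password from memory
        }
    }
}
```

Pointing the JMX agent at the same entry is done with -Dcom.sun.management.jmxremote.login.config=ThisCompanyConfig3 alongside -Djava.security.auth.login.config=ldap.conf. If this harness logs in but JConsole still fails, the difference lies in the OSGi runtime rather than in the LDAP options.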
Hi Bob,
Rest looks good to me. Please go ahead with the official route as you have planned; it sounds like a bug to me.
Thanks,
Hi Bob,
AEM 6.1 does not require ldap.conf and everything moved into OSGi. Maybe some LDAP bundles from the previous version of AEM 5.x exist. Can you verify using http://www.aemstuff.com/tools/coi.html, clean all unwanted bundles and then verify again?
Thanks,
Thanks for replying. No, no old bundles exist. It is a clean install with CRXDE disabled and Geometrixx removed (per the security checklist).
So please suggest other things to check/try, or what information might help you see this concern better. I will be opening an Adobe Support ticket to follow up on this....