SOLVED

LDAP Authentication with Group Membership


I am in the process of setting up authentication via Active Directory LDAP. I have it working just fine for everyone in my AD to log in to CQ5, but I actually have about 1000 AD users and only 10 of my developers will be using CQ, at least in our test phase. I would like the authentication process to only create new users in CQ based on their membership in an AD group. Is this possible? How do I define that within my LDAP_Login.conf file? I have tried a couple of settings, and I either get no one able to log in, or everyone able to log in. My AD tree is also very departmentalized, so I can't put everyone who is going to use the software in one directory, although I have created a group for these 10 developers that I can put anywhere in the tree (right now it is at the root, i.e., "CN=CMS_Users,OU=CAES,DC=CAESAD,DC=UGA,DC=EDU").

Here is what I have at present:

    userRoot="OU=CAES,DC=CAESAD,DC=UGA,DC=EDU"
    userFilter="(objectclass=person)"
    userIdAttribute="sAMAccountName"

    groupRoot="OU=CAES,DC=CAESAD,DC=UGA,DC=EDU"
    groupMembershipAttribute="uniquemember"

    autocreate="create"
    autocreate.user.mail="profile/email"
    autocreate.user.givenname="profile/givenName"
    autocreate.user.familyname="profile/sn"
    autocreate.user.cn="rep:fullname"
    autocreate.user.sn="cq:last-name"
    autocreate.user.description="profile/aboutMe"
    autocreate.path="splitdn"
    cache.expiration="600"
    cache.maxsize="100";


Thanks!

Diana

1 Accepted Solution


Diana,

For that you might have to either extend the login module and use your own on top of the LDAP one (and let that module create the user or group), or use the http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/ldap_authentication.html#Callback... feature. In this you can disable User sync and then use only Group sync to create users.

Yogesh
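As an added example (not from the original post, Yogesh's reply, or Adobe's documentation), here is the posted LDAP_Login.conf fragment beside a variant that restricts the user lookup to members of the developers' group. This is a different mechanism from the callback/group-sync approach described above: it assumes the module uses userFilter as the LDAP search filter when it looks the user up under userRoot, and that the directory is Active Directory, where memberOf is the searchable back-link attribute holding a user's group DNs.

```conf
// Before (as posted): any person under userRoot can log in and is auto-created in CQ.
userRoot="OU=CAES,DC=CAESAD,DC=UGA,DC=EDU"
userFilter="(objectclass=person)"
userIdAttribute="sAMAccountName"

// After: only direct members of CN=CMS_Users are returned by the user search,
// so only they can authenticate and be auto-created; everyone else fails the
// lookup before any password is checked (assumed behaviour of the module).
userRoot="OU=CAES,DC=CAESAD,DC=UGA,DC=EDU"
userFilter="(&(objectclass=person)(memberOf=CN=CMS_Users,OU=CAES,DC=CAESAD,DC=UGA,DC=EDU))"
userIdAttribute="sAMAccountName"

// Variant if developers are added to CMS_Users through nested groups: the AD-only
// LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) follows the chain.
// userFilter="(&(objectclass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=CMS_Users,OU=CAES,DC=CAESAD,DC=UGA,DC=EDU))"

// Active Directory groups list their members in "member"; "uniquemember" belongs to
// groupOfUniqueNames entries in other directories, so group sync against AD should use:
groupMembershipAttribute="member"
```

Because the filter rejects non-members at lookup time, a failed login for an AD account outside CMS_Users shows up in the CQ logs as a user-not-found rather than a bad-password event, which is worth knowing when reviewing authentication logs.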
