SOLVED

LDAP Group Sync With AEM

Former Community Member

Hi

I am using CQ (5.6.1) and LDAP (ApacheDS).

I have completed the LDAP user sync to CQ. Now I have to do the group sync. Groups have already been created in LDAP; I have to add the user to the LDAP groups dynamically depending on the country-specific sites, e.g. if a user is trying to access the Worldwide site then I need to add that user to the Worldwide group, and the same user group needs to be synchronized to CQ whenever the user gets synchronized with CQ.

However, there is an attribute “autocreate.user.membership” through which we can add the user to a default group, but here the prerequisite of the case study is different.

I tried with the “memberOf” attribute and specified the group “dn”, but when I am trying to add this property through the Java API, it throws an error: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM).

I have also tried to synchronize the admin user that the client has provided; it contains all the attributes like “memberOf”, and the group “dn” value has already been specified for the memberOf attribute. I did this through JMX (com.adobe.granite.ldap) and synced the user using the syncUser method, but only the user is getting synchronized; the group is not getting synchronized.

I have attached the ldap_login configuration file that I am using to connect to LDAP.

I have followed the same web links, but that did not work for group sync.

I am using AEM 5.6.1 and LDAP (Active Directory). I have completed the LDAP user sync to CQ. Now I have to do the group sync. Groups have already been created in LDAP; I have to add the user to the LDAP groups dynamically depending on the country-specific sites, e.g. if a user is trying to access the Worldwide site then I need to add that user to the Worldwide group, and the same user group needs to be synchronized to CQ whenever the user gets synchronized with CQ.


1 Accepted Solution

Correct answer by a Level 6 community member

You have to use the callback mechanism whenever a user is synced. Follow this: http://dev.day.com/docs/en/crx/current/administering/ldap_authentication.html#CALLBACKS

1. Mention this parameter, syncCallbackClass, in ldap_login.conf.

2. Get the userid from the map.

3. Assign the user to the group you want.


3 Replies


Former Community Member

I have tried that, but the repo session is not available in the callback class. I have also tried to get the repo session through JNDI, but this also didn't work. Every time, it throws a repository exception.


Former Community Member

I have fixed that issue. In order to do group sync, we need to add a couple of attributes:

autocreate.group.localadmin="admin"
autocreate.group.uniquemember="uniquemember" and

add a member attribute to the group in LDAP and pass the user dn value to that.
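The fix above works because group membership in LDAP is owned by the group entry: the writable side is the group's member attribute (uniquemember for groupOfUniqueNames), and a user's memberOf is a back-link the directory computes from it. In Active Directory that back-link is read-only, which is why writing memberOf on the user fails with WILL_NOT_PERFORM, as in the first post. The script below is an added example, not code from this thread or from AEM/CRX, showing the group-side view of membership and how a country-site assignment should be expressed as a modification of the group rather than of the user. The LDIF directory it reads is constructed sample data, and the DN, attribute and objectClass names in it are assumptions for the example only; it does not talk to a directory server.

```python
"""Derive group membership from the writable group side (member attribute)
and emit the LDIF modify record that adds a user to a country-site group.
Added example; not code from the original post or from AEM/CRX."""
import re
from collections import defaultdict

# Constructed sample directory (not real data): two users, two groups.
# `member` on the group is authoritative; `memberOf` on a user is only a
# server-computed back-link and is not written by clients.
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: alice
uid: alice

dn: cn=bob,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: bob
uid: bob

dn: cn=worldwide,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: worldwide
member: cn=alice,ou=users,dc=example,dc=com

dn: cn=germany,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: germany
member: cn=alice,ou=users,dc=example,dc=com
member: cn=bob,ou=users,dc=example,dc=com
"""


def normalize_dn(dn):
    """DNs compare case-insensitively; also drop whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader returning {normalized_dn: {attr: [values]}}.
    Handles folded lines (leading space) but not base64 (::) values,
    which the sample does not use."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # unfold continuation line
            else:
                lines.append(line)
        attrs = defaultdict(list)
        dn = None
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn:
            entries[normalize_dn(dn)] = dict(attrs)
    return entries


def group_memberships(entries, member_attr="member"):
    """The memberOf view computed from the group side: {user_dn: [group cn]}.
    This is what a sync should treat as the source of truth for
    authorization in the CMS."""
    result = defaultdict(set)
    for attrs in entries.values():
        classes = [oc.lower() for oc in attrs.get("objectclass", [])]
        if "groupofnames" not in classes:
            continue
        for member in attrs.get(member_attr, []):
            result[normalize_dn(member)].add(attrs["cn"][0])
    return {user: sorted(groups) for user, groups in result.items()}


def add_member_ldif(entries, group_dn, user_dn, member_attr="member"):
    """Build the LDIF modify record that adds user_dn to group_dn by
    changing the group entry (never the user's memberOf). Refuses dangling
    references and returns None when the user is already a member."""
    g, u = normalize_dn(group_dn), normalize_dn(user_dn)
    if g not in entries or u not in entries:
        raise ValueError("group or user does not exist in the directory")
    current = {normalize_dn(m) for m in entries[g].get(member_attr, [])}
    if u in current:
        return None
    return (f"dn: {group_dn}\nchangetype: modify\n"
            f"add: {member_attr}\n{member_attr}: {user_dn}\n-\n")


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(group_memberships(directory))
    print(add_member_ldif(directory,
                          "cn=worldwide,ou=groups,dc=example,dc=com",
                          "cn=bob,ou=users,dc=example,dc=com"))
```

The record returned by add_member_ldif is what you would apply with a standard LDAP modify (for instance via ldapmodify) before the user is next synced; the CRX side then only needs the uniquemember/member attribute name configured, as the post above describes, and derives membership from the group entries it reads.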