SOLVED

LDAP GROUPS NOT AUTOCREATED IN AEM

Hi.

Q1: I am using LDAP as a user repository and I have hooked it up with an LDAP server. When I log in to AEM using an LDAP user, the user gets autocreated in AEM, but the groups are not created. Here are the details:

ldap_conf

com.day.crx {
    com.day.crx.core.CRXLoginModule sufficient;
    com.day.crx.security.ldap.LDAPLoginModule required
        principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
        host="127.0.0.1"
        port="389"
        secure="false"
        authDn="cn=Manager,dc=maxcrc,dc=com"
        authPw="secret"
        userRoot="ou=Technology,o=xxxxxxxxx,dc=maxcrc,dc=com"
        groupRoot="ou=Technology,o=xxxxxxxx,dc=maxcrc,dc=com"
        groupMembershipAttribute="uniquemember"
        autocreate="create"
        autocreate.user.mail="profile/email"
        autocreate.user.givenname="profile/givenName"
        autocreate.user.sn="profile/familyName"
        autocreate.group.description="profile/aboutMe"
        autocreate.group.mail="profile/email"
        autocreate.path="direct"
        cache.expiration="600"
        cache.maxsize="100"
        trust_credentials_attribute="TrustedInfo"
        anonymous_principal="anonymous";
};

AEM Version: 5.6.1

Hot Fixes Installed:
cq-5.6.1-hotfix-3401
cq-5.6.1-hotfix-3491
cq-5.6.1-hotfix-3471
cq-5.6.1-hotfix-3591
cq-5.6.1-hotfix-3302

I want the groups and users created and associated as they are in LDAP (the docs say that it is possible, but it doesn't happen).

Q2: I want to associate the LDAP users with the LDAP groups (after both are autocreated). There is an option "autocreate.user.membership" that allows putting them into some pre-existing groups. I don't want that. Is that possible?

1 Accepted Solution


Hello Sunjeet

Q1) Yes, this should be possible. There might be a problem with the configuration. I suggest you set the log level of the LDAP module to DEBUG; then you get the complete filter, which you could paste into a GUI client and see if you really get the groups you expect out of the LDAP server (check that groupRoot, groupMembershipAttribute and groupFilter match your directory).

Q2) There are two mechanisms to add a user to a group. One (your use case, AFAIU) is automatic: once you get the group import to run, this should work as expected (group memberships get synchronized from LDAP). The second (autocreate.user.membership) is used to add LDAP users to (pre-existing) CQ groups.


3 Replies



Thanks.

1. One issue that I could get past was to change the objectClass of the LDAP groups from groupOfNames to groupOfUniqueNames. That triggered the LDAPEntryResolver to recognize the LDAP group. { Why is that?? }

2. After that, when I log in, strangely, the group is still not created, but if I open the user, I can see the group name under the Groups tab!!

Here are the detailed logs: { user: kapil.shekhar.raina, group: portaladministrators }

14.01.2014 22:53:51.947 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync changed kapil.shekhar.raina setting lastModified to 20140110075300Z
14.01.2014 22:53:51.947 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync sync user kapil.shekhar.raina finished
14.01.2014 22:53:51.947 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync Syncing group membership of kapil.shekhar.raina for principal uid=kapil.shekhar.raina,ou=Technology,o=Accenture,dc=maxcrc,dc=com
14.01.2014 22:53:51.948 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (&(uniquemember=uid=kapil.shekhar.raina,ou=Technology,o=Accenture,dc=maxcrc,dc=com)(objectclass=groupOfUniqueNames))
14.01.2014 22:53:51.949 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync found group membership LDAP entry cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com
14.01.2014 22:53:51.949 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver read below ou=Technology,o=Accenture,dc=maxcrc,dc=com dn: cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (objectclass=person)
14.01.2014 22:53:51.950 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver read below ou=Technology,o=Accenture,dc=maxcrc,dc=com dn: cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (objectclass=groupOfUniqueNames)
14.01.2014 22:53:51.960 *WARN* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.principals.LDAPPrincipalProvider found principal at unexpected location
14.01.2014 22:53:51.961 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync fetching group cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com returned null
14.01.2014 22:53:51.961 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync .fetching group portaladministrators returned null
14.01.2014 22:53:51.968 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync Group portaladministrators for cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com created
14.01.2014 22:53:51.968 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync created authorizable group for cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com
14.01.2014 22:53:51.968 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync Adding group portaladministrators for DN cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com
14.01.2014 22:53:51.968 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync syncing cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com
14.01.2014 22:53:51.969 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync sync group portaladministrators finished
14.01.2014 22:53:51.969 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync Added membership of kapil.shekhar.raina to portaladministrators
14.01.2014 22:53:51.969 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync Syncing group membership of portaladministrators for principal cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com
14.01.2014 22:53:51.969 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (&(uniquemember=cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com)(objectclass=groupOfUniqueNames))
14.01.2014 22:53:51.988 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync Synchronized uid=kapil.shekhar.raina,ou=Technology,o=Accenture,dc=maxcrc,dc=com in 71912us
14.01.2014 22:53:52.168 *DEBUG* [0:0:0:0:0:0:0:1 [1389720232122] GET / HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver read below ou=Technology,o=Accenture,dc=maxcrc,dc=com dn: uid=kapil.shekhar.raina,ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (objectclass=person)
14.01.2014 22:54:35.103 *DEBUG* [0:0:0:0:0:0:0:1 [1389720275076] GET /.cqactions.json HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (&(uniquemember=uid=kapil.shekhar.raina,ou=Technology,o=Accenture,dc=maxcrc,dc=com)(objectclass=groupOfUniqueNames))
14.01.2014 22:54:35.105 *DEBUG* [0:0:0:0:0:0:0:1 [1389720275076] GET /.cqactions.json HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (&(\28|\28uniquemember=cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com\29\29)(objectclass=groupOfUniqueNames))


Thanks


Hello Sunjeet

Q1) That's simply because the groups in your directory server seem to be stored with this special object class (which enforces further restrictions).

Q2) Hmm. The log actually looks quite OK to me, and since the group shows up in the Groups tab, it must have been created and the user is a member of it (membership is stored on the group). Does it work as expected? How did you check that the group is not there? Maybe there is something wrong with the new UI. Try using the CRX Explorer; maybe the group home path is different from what one would expect. You could also do a search for 'portaladministrators' there.

Best greetings

Lars
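The debugging step from the accepted answer (dump the filter at DEBUG level and check groupRoot, groupMembershipAttribute and the group object class against the directory) and the follow-up about groupOfNames versus groupOfUniqueNames, as an added Python example that is not part of this thread and not Adobe's LDAPLoginModule code. The LDIF export, the o=example base DN (the poster's real one is redacted) and the portaleditors group are constructed here; the filter shape is the one the poster's DEBUG log shows the module issuing.

```python
"""
Added example, not from this thread and not Adobe's LDAPLoginModule code.
It rebuilds the group-membership search that the module logs at DEBUG level
(search below groupRoot with filter
(&(<groupMembershipAttribute>=<user DN>)(objectclass=<group class>)))
and runs the same match against a constructed LDIF export, so the settings
the accepted answer names can be checked before touching the AEM config.
"""
import re

# Constructed directory export. o=example is a placeholder; the thread's real
# base DN is redacted in the question. One group is groupOfNames (member), one
# is groupOfUniqueNames (uniqueMember): the mismatch the poster ran into.
SAMPLE_LDIF = """
dn: uid=kapil.shekhar.raina,ou=Technology,o=example,dc=maxcrc,dc=com
objectClass: person
objectClass: inetOrgPerson
uid: kapil.shekhar.raina

dn: cn=portaladministrators,ou=Technology,o=example,dc=maxcrc,dc=com
objectClass: groupOfNames
cn: portaladministrators
member: uid=kapil.shekhar.raina,ou=Technology,o=example,dc=maxcrc,dc=com

dn: cn=portaleditors,ou=Technology,o=example,dc=maxcrc,dc=com
objectClass: groupOfUniqueNames
cn: portaleditors
uniqueMember: uid=kapil.shekhar.raina,ou=Technology,o=example,dc=maxcrc,dc=com
"""
GROUP_ROOT = "ou=Technology,o=example,dc=maxcrc,dc=com"
USER_DN = "uid=kapil.shekhar.raina," + GROUP_ROOT


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a filter; the module's own log
    shows the same encoding (\\28 and \\29 for parentheses)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def membership_filter(user_dn, membership_attr, group_objectclass):
    """The filter to paste into an LDAP GUI client, as the accepted answer suggests."""
    return "(&(%s=%s)(objectclass=%s))" % (
        membership_attr, escape_filter_value(user_dn), group_objectclass)


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lowercase: [values]}).
    Enough for a plain export; no base64 values or line continuations."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries


def dn_is_below(dn, root):
    dn, root = dn.lower(), root.lower()
    return dn == root or dn.endswith("," + root)


def groups_for_user(entries, group_root, user_dn, membership_attr, group_objectclass):
    """Emulates the module's subtree search: entries below group_root whose
    membership attribute lists user_dn and whose objectClass matches."""
    hits = []
    for dn, attrs in entries:
        if not dn_is_below(dn, group_root):
            continue
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        members = [m.lower() for m in attrs.get(membership_attr.lower(), [])]
        if group_objectclass.lower() in classes and user_dn.lower() in members:
            hits.append(dn)
    return hits


def diagnose(entries, group_root, user_dn, membership_attr, group_objectclass):
    """Explains an empty result: which of groupRoot, the membership attribute or
    the object class keeps each group that references the user from matching."""
    hits = groups_for_user(entries, group_root, user_dn, membership_attr, group_objectclass)
    if hits:
        return {"status": "ok", "groups": hits}
    hints = []
    for dn, attrs in entries:
        if not dn_is_below(dn, group_root):
            continue
        for attr, values in attrs.items():
            if user_dn.lower() not in [v.lower() for v in values]:
                continue
            if attr != membership_attr.lower():
                hints.append("%s references the user via '%s', not '%s'"
                             % (dn, attr, membership_attr))
            else:  # attribute matched, so only the object class can be wrong
                hints.append("%s holds the user in '%s' but has objectClass %s, not %s"
                             % (dn, attr, "/".join(attrs.get("objectclass", [])), group_objectclass))
    if not hints:
        hints.append("no entry below %s references %s; check groupRoot" % (group_root, user_dn))
    return {"status": "no_groups", "hints": hints}


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for attr, cls in (("uniquemember", "groupOfUniqueNames"), ("member", "groupOfNames")):
        print(membership_filter(USER_DN, attr, cls))
        print("  ->", groups_for_user(entries, GROUP_ROOT, USER_DN, attr, cls))
    print(diagnose(entries, GROUP_ROOT, USER_DN, "member", "groupOfUniqueNames"))
```

groupOfNames groups carry `member` and groupOfUniqueNames groups carry `uniqueMember`, so a config with groupMembershipAttribute="uniquemember" silently drops every groupOfNames group: the user still logs in, but with fewer group memberships in AEM than the directory grants. That silent gap, rather than a login failure, is what to look for when reviewing the DEBUG output, and `diagnose` names the setting that causes it for each group that references the user.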