Hi,
I managed to integrate LDAP with CQ 5.6 with autocreate="create". However, I believe the documentation also states that IF we only want to authenticate users, we really do not need the Auto-Creation parameters.
My "autocreate='create'" config looks like
com.day.crx {
com.day.crx.core.CRXLoginModule sufficient;
com.day.crx.security.ldap.LDAPLoginModule required
principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
host="myldap.server.com"
port="389"
secure="false"
authDn="cn=myCN
authPw="mypassword"
userRoot="dc=server,dc=com"
userFilter="(objectclass=person)"
userIdAttribute="samaccountname"
autocreate="create"
autocreate.user.membership="contributor"
autocreate.user.mail="rep:e-mail"
autocreate.user.cn="rep:fullname"
autocreate.path="direct"
cache.expiration="600"
cache.maxsize="100";
};
Theoretically, if I do not want "autocreate", my config should be
com.day.crx {
com.day.crx.core.CRXLoginModule sufficient;
com.day.crx.security.ldap.LDAPLoginModule required
principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
host="myldap.server.com"
port="389"
secure="false"
authDn="cn=myCN
authPw="mypassword"
userRoot="dc=server,dc=com"
userFilter="(objectclass=person)"
userIdAttribute="samaccountname"
cache.expiration="600"
cache.maxsize="100";
};
Assume that I am trying to login as userA. With "autocreate", login is successful. Without "autocreate", login is unsuccesful. The LDAP integration document states that if we set "autocreate=none", token authentication will fail. Therefore, we need to put disableTokenAuth=true. I tried this and my ldap.log file does have "Token Authentication disabled" like messages. However, the authentication attempt will still try to find a token, which never gets created on the server and the error.log keeps throwing "invalid token" errors.
If I disable the token authentication handler via OSGI Configuration, then with my registered authentication handler having only "Day CQ Login Selector" and "HTTP Basic Authentication Handler", login will never be successful. If I further disable "Day CQ Login Selector" and leave only "HTTP Basic Authentication Handler", I find that I can authenticate via AD, access crx/de but can never get to pages like "tools.html" or "projects.html"...
Has anyone managed to get LDAP authentication working with autocreate='none'?
Thank You.
Solved! Go to Solution.
Views
Replies
Total Likes
Voon Siong wrote...
We created users A and B in CQ. We want usersA and B to authenticate via AD. If C attempts to login, he should not be able to access CQ because there is no user account in CQ for C.
There are two parts authentication & authorization. For authentication you have done correctly for authorization to happen need to configure trust_credentials_attribute. Also it is deprecated. Can you please file a daycare to track it so that assigned specialist will provide solution and as well to update the documentation?
Views
Replies
Total Likes
What is your use case? Authoring the content without user in aem?
Views
Replies
Total Likes
We created users A and B in CQ. We want usersA and B to authenticate via AD. If C attempts to login, he should not be able to access CQ because there is no user account in CQ for C.
Views
Replies
Total Likes
Voon Siong wrote...
We created users A and B in CQ. We want usersA and B to authenticate via AD. If C attempts to login, he should not be able to access CQ because there is no user account in CQ for C.
There are two parts authentication & authorization. For authentication you have done correctly for authorization to happen need to configure trust_credentials_attribute. Also it is deprecated. Can you please file a daycare to track it so that assigned specialist will provide solution and as well to update the documentation?
Views
Replies
Total Likes
Hi,
Thank you for your reply. We do have an open ticket with daycare. We have updated it and suggested them to look into the trust_credentials attribute. Can you let us know where this is documented? Maybe we can try configuring the attribute and test it out?
Thank you.
Views
Replies
Total Likes
Views
Likes
Replies