SOLVED

LDAP integration with AEM 5.6


Level 4

Hi,

I managed to integrate LDAP with CQ 5.6 with autocreate="create".  However, I believe the documentation also states that IF we only want to authenticate users, we really do not need the Auto-Creation parameters.

My autocreate="create" config looks like:

com.day.crx {
   // local CRX accounts first; if that fails, fall through to LDAP
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
              principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
              host="myldap.server.com"
              port="389"
              secure="false"
              // service account used to search the directory before the user bind
              authDn="cn=myCN"
              authPw="mypassword"
              userRoot="dc=server,dc=com"
              userFilter="(objectclass=person)"
              userIdAttribute="samaccountname"
              // create the CRX user on first successful LDAP login
              autocreate="create"
              autocreate.user.membership="contributor"
              autocreate.user.mail="rep:e-mail"
              autocreate.user.cn="rep:fullname"
              autocreate.path="direct"
              cache.expiration="600"
              cache.maxsize="100";
};

Theoretically, if I do not want "autocreate", my config should be:

com.day.crx {
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
              principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
              host="myldap.server.com"
              port="389"
              secure="false"
              authDn="cn=myCN"
              authPw="mypassword"
              userRoot="dc=server,dc=com"
              userFilter="(objectclass=person)"
              userIdAttribute="samaccountname"
              // no autocreate.* options: authenticate only, never create CRX users
              cache.expiration="600"
              cache.maxsize="100";
};

Assume that I am trying to log in as userA. With "autocreate", login is successful. Without "autocreate", login is unsuccessful. The LDAP integration document states that if we set "autocreate=none", token authentication will fail. Therefore, we need to put disableTokenAuth=true. I tried this and my ldap.log file does have "Token Authentication disabled" like messages. However, the authentication attempt will still try to find a token, which never gets created on the server, and the error.log keeps throwing "invalid token" errors.

If I disable the token authentication handler via OSGi configuration, then with my registered authentication handlers being only "Day CQ Login Selector" and "HTTP Basic Authentication Handler", login will never be successful. If I further disable "Day CQ Login Selector" and leave only "HTTP Basic Authentication Handler", I find that I can authenticate via AD and access crx/de but can never get to pages like "tools.html" or "projects.html"...

Has anyone managed to get LDAP authentication working with autocreate='none'?

Thank You.
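The two configs above differ only in the autocreate.* options, and the failure the poster describes depends on how autocreate, disableTokenAuth and the token handler combine. As an added check (editor's example, not code from the post or from Adobe), here is a small Python linter that parses a JAAS ldap_login.conf written the way these blocks are and flags the settings this thread turns on: secure="false" with a simple bind on port 389 (the bind password in authPw and every user's password cross the wire unencrypted), autocreate="create" with a default membership (any directory account matching userFilter that can bind becomes a CQ user in that group), and autocreate="none" without disableTokenAuth="true" (the combination the documentation cited above says fails). Option names are those in the post; treating a missing autocreate as "none" follows the poster's reading of the documentation, and the cleartext-LDAP finding is the editor's caveat, not something the thread raises. The three sample configs are constructed from the posted ones (with the unclosed quote on authDn fixed) plus a hardened variant.

```python
"""Lint a CQ 5.6 / CRX 2.x JAAS login config (ldap_login.conf) for the settings
discussed in the thread.  Editor's example; not code from the original post or
from Adobe.  Assumptions: option names are the ones in the posted config plus
disableTokenAuth, which the poster mentions; a missing autocreate is treated as
"none", following the poster's reading of the documentation.
"""
import re
import shlex


def parse_jaas(text):
    """Return {app_name: [{'class', 'flag', 'options'}]} for a JAAS config.

    Each module entry is `<class> <flag> key="value" ... ;`.  shlex does the
    quote handling, so values like (objectclass=person) or cn=myCN survive.
    An unclosed quote (as on authDn in the original post) makes shlex raise
    ValueError, the same way the real JAAS parser rejects the file at startup.
    """
    apps = {}
    for block in re.finditer(r'([\w.]+)\s*\{(.*?)\}\s*;', text, re.S):
        app, body = block.group(1), block.group(2)
        modules = []
        for entry in body.split(';'):
            tokens = shlex.split(entry)
            if not tokens:
                continue
            if len(tokens) < 2:
                raise ValueError(f'module entry needs class and flag: {entry.strip()!r}')
            cls, flag, *opts = tokens
            options = {}
            for opt in opts:
                if '=' not in opt:
                    raise ValueError(f'option without value: {opt!r}')
                key, value = opt.split('=', 1)
                options[key] = value
            modules.append({'class': cls, 'flag': flag, 'options': options})
        apps[app] = modules
    return apps


def audit(text):
    """Return [(code, message)] findings for every LDAPLoginModule in the config."""
    findings = []
    for app, modules in parse_jaas(text).items():
        for mod in modules:
            if not mod['class'].endswith('LDAPLoginModule'):
                continue
            o = mod['options']
            if o.get('secure', 'false').lower() != 'true':
                findings.append(('cleartext-ldap',
                    f'{app}: secure="{o.get("secure", "false")}" on port {o.get("port", "389")}: '
                    'the simple bind sends authPw and every user\'s password unencrypted; '
                    'use secure="true" (LDAPS, normally port 636)'))
            autocreate = o.get('autocreate', 'none')  # assumption: absent means "none"
            if autocreate == 'create' and o.get('autocreate.user.membership'):
                findings.append(('autocreate-membership',
                    f'{app}: every directory entry matching {o.get("userFilter")} that can '
                    f'bind becomes a CQ user in "{o["autocreate.user.membership"]}"; '
                    'tighten userFilter or drop the default membership'))
            if autocreate == 'none' and o.get('disableTokenAuth', 'false').lower() != 'true':
                findings.append(('token-auth-with-autocreate-none',
                    f'{app}: autocreate="none" without disableTokenAuth="true": the '
                    'documentation cited in the thread says token authentication fails'))
    return findings


def crx_conf(**opts):
    """Render the com.day.crx block from the thread with the given options (constructed)."""
    body = '\n'.join(f'              {k}="{v}"' for k, v in opts.items())
    return ('com.day.crx {\n'
            '   com.day.crx.core.CRXLoginModule sufficient;\n'
            '   com.day.crx.security.ldap.LDAPLoginModule required\n'
            f'{body};\n'
            '};\n')


# Constructed samples: the poster's two configs (authDn quote closed) and a hardened one.
BASE = {
    'principal_provider.class': 'com.day.crx.security.ldap.principals.LDAPPrincipalProvider',
    'host': 'myldap.server.com', 'port': '389', 'secure': 'false',
    'authDn': 'cn=myCN', 'authPw': 'mypassword', 'userRoot': 'dc=server,dc=com',
    'userFilter': '(objectclass=person)', 'userIdAttribute': 'samaccountname',
    'cache.expiration': '600', 'cache.maxsize': '100',
}
POSTED_CREATE = crx_conf(**BASE, autocreate='create', **{
    'autocreate.user.membership': 'contributor', 'autocreate.user.mail': 'rep:e-mail',
    'autocreate.user.cn': 'rep:fullname', 'autocreate.path': 'direct'})
POSTED_NONE = crx_conf(**BASE)  # second config in the post: no autocreate.* at all
HARDENED = crx_conf(**{**BASE, 'port': '636', 'secure': 'true'},
                    autocreate='none', disableTokenAuth='true')

if __name__ == '__main__':
    for name, conf in [('posted/create', POSTED_CREATE), ('posted/none', POSTED_NONE),
                       ('hardened', HARDENED)]:
        print(name)
        for code, msg in audit(conf) or [('ok', 'no findings')]:
            print(f'  [{code}] {msg}')
```

Run it against your own ldap_login.conf by passing the file contents to audit(); the codes are stable strings so the check can sit in a deployment pipeline. The parser is deliberately strict: a config that the JAAS loader would reject (missing flag, unclosed quote) raises instead of being silently half-read.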


4 Replies


Level 10

What is your use case? Authoring the content without a user in AEM?


Level 4

We created users A and B in CQ. We want users A and B to authenticate via AD. If C attempts to log in, he should not be able to access CQ because there is no user account in CQ for C.


Correct answer by
Level 10

Voon Siong wrote...

We created users A and B in CQ. We want users A and B to authenticate via AD. If C attempts to log in, he should not be able to access CQ because there is no user account in CQ for C.

There are two parts: authentication and authorization. For authentication you have done it correctly; for authorization to happen you need to configure trust_credentials_attribute. Also, it is deprecated. Can you please file a Daycare ticket to track it, so that the assigned specialist will provide a solution and also update the documentation?


Level 4

Hi,

Thank you for your reply. We do have an open ticket with Daycare. We have updated it and suggested that they look into the trust_credentials_attribute. Can you let us know where this is documented? Maybe we can try configuring the attribute and test it out?

Thank you.