
SOLVED

ldap_login.conf LDAPLoginModule question


Level 1

I'm running CQ 5.4 and have successfully integrated it with AD via LDAP using the following settings:

com.day.crx.core.CRXLoginModule sufficient;
com.day.crx.security.ldap.LDAPLoginModule required
userRoot="CN=ABC,OU=hello,DC=world"

As long as the user is a member of the ABC group, they can sign in and their user is then created in the CRX. If I then remove the user from the ABC group, however, they can still log in. I understand that CRXLoginModule is set to sufficient, but I thought LDAPLoginModule takes precedence due to the "required" setting. Of course, once I delete the user in the CRX, the user can no longer log in.

Is this normal behavior, or should a user not be able to log in?

Thanks.

1 Accepted Solution


Correct answer by
Employee

Yes, it's expected. An LDAP user should be able to log in during the time specified in the LDAP config file as cache.expiration. After the cache expiration it will fail to log in.

A good practice is to force an LDAP Synchronization through /crx/config/index.jsp


4 Replies


Level 1

Hi ICQuestions,

Just to elaborate more on the following two entries in the JAAS config file:

com.day.crx.core.CRXLoginModule sufficient;
com.day.crx.security.ldap.LDAPLoginModule required

sufficient - If the CRXLoginModule succeeds, then the overall login succeeds and control returns to the application. If the login fails, it continues to execute the other login modules in the list, which here is LDAPLoginModule.

Now suppose the user is not present in CRX; then LDAPLoginModule will be asked to authenticate the user directly against LDAP.

LDAPLoginModule is given the flag "required", which means LDAPLoginModule must authenticate the user. If it fails, the authentication nonetheless continues with the other login modules in the list (if any); since there is no other, it fails globally.

Now suppose LDAPLoginModule successfully authenticates the user against LDAP; then it will sync the user back to CRX if configured that way in the JAAS config file.

Apart from this, a cache of successful logins is maintained, whose duration and size are configured by:

1. cache.expiration (this controls how long successful logins stay in the cache); a WeakHashMap and LRUMap based implementation under the hood.

2. cache.maxsize (how many)

Now considering your case where you have deleted the user from CRX: CRXLoginModule will fail this time, and LDAPLoginModule will authenticate the user either directly from the "cache" or from LDAP itself.

Consider giving the "optional" flag to CRXLoginModule and setting cache.expiration to 1 (second).

Then try to log in again after deleting the user from CRX. You will see that login succeeds, as from now on LDAPLoginModule is consulted every time regardless.

So you should be able to authenticate with your current settings even if you deleted the user from CRX.

Hope this is helpful.

Thanks,

Rakesh


Level 10

Here is a tutorial that walks readers through hooking up Adobe CQ with Apache Directory Service:

http://helpx.adobe.com/adobe-cq/using/configuring-cq-apache-directory-service.html



Level 1

Disable caching

cache.expiration="0"

You may also want to authenticate only users that are members of a security group, rather than re-arrange your whole AD structure.

userIdAttribute="sAMAccountName"

userFilter="(&(ObjectCategory=person)(memberOf=CN=OurProject,OU=DL\ and\ Support\ accounts,OU=GBLCM,OU=EMEA,DC=ef,DC=com))"

Note you must escape spaces. Quoting won't work.
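To make the sufficient/required semantics in Rakesh's reply and the effect of cache.expiration="0" concrete, here is an added Python model of the two-module login stack; it is constructed for this thread, not CQ/CRX code, and the module classes, the user "alice", the clock values and the simplified cache are all assumptions.

```python
# Constructed model (not CQ/CRX code) of the two-module JAAS stack from the thread:
#   CRXLoginModule sufficient; LDAPLoginModule required, with cache.expiration in seconds.
# The real login cache is only modelled; the clock is passed in explicitly as seconds.

class CrxLoginModule:
    def __init__(self, crx_users):
        self.crx_users = crx_users          # users that exist in the CRX repository
    def login(self, user, now):
        return user in self.crx_users

class LdapLoginModule:
    def __init__(self, group_members, cache_expiration):
        self.group_members = group_members  # users in the AD group under userRoot
        self.cache_expiration = cache_expiration
        self.cache = {}                     # user -> time of last successful directory login
    def login(self, user, now):
        last = self.cache.get(user)
        if last is not None and now - last < self.cache_expiration:
            return True                     # served from the cache; directory not consulted
        if user in self.group_members:
            self.cache[user] = now
            return True
        return False

def jaas_login(stack, user, now):
    """Evaluate a JAAS stack of (module, flag) pairs: sufficient / required / optional."""
    required_failed = any_success = False
    for module, flag in stack:
        ok = module.login(user, now)
        any_success = any_success or ok
        if flag == "required" and not ok:
            required_failed = True          # keep going, but the login will fail overall
        if flag == "sufficient" and ok and not required_failed:
            return True                     # stop immediately with success
    return any_success and not required_failed

def scenario(cache_expiration):
    """Replay the thread: login via LDAP (synced to CRX), removal from AD group, deletion from CRX."""
    crx = CrxLoginModule(crx_users=set())
    ldap = LdapLoginModule(group_members={"alice"}, cache_expiration=cache_expiration)
    stack = [(crx, "sufficient"), (ldap, "required")]
    out = {"first_login": jaas_login(stack, "alice", now=0)}
    crx.crx_users.add("alice")              # LDAPLoginModule syncs the new user into CRX
    ldap.group_members.discard("alice")     # user removed from the ABC group in AD
    out["after_group_removal"] = jaas_login(stack, "alice", now=1)
    crx.crx_users.discard("alice")          # user deleted from CRX
    out["after_crx_delete"] = jaas_login(stack, "alice", now=2)
    out["after_cache_expiry"] = jaas_login(stack, "alice", now=2 + cache_expiration)
    return out
```

With a non-zero cache.expiration the deleted user still logs in once more from the cache; with cache.expiration set to 0 the directory is consulted every time and the login fails as soon as the group membership is gone.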