SOLVED

LDAP Sync Callback

markop93341136 (Level 2)

I am using CQ 6.1 and trying to implement LDAP login for users. I also want some extra logic during sync that will place users into certain groups based on a certain parameter.
The thing I found was Callbacks on this page: http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/ldap_authentication.html

Since this is old documentation, and LDAP is not set up like this anymore, I do not know how to use this, and it is just what I need. In the newer documentation on how I actually set up LDAP (http://docs.adobe.com/docs/en/aem/6-0/administer/security/ldap-config.html), callbacks are not mentioned.

Is there some other way I can do this, and how?

1 Accepted Solution
kalyanar (Employee), correct answer

Hi, please refer to org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider (http://grepcode.com/file/repo1.maven.org/maven2/org.apache.jackrabbit/oak-auth-ldap/0.17.1/org/apach...). Overall, though, please refer to http://jackrabbit.apache.org/oak/docs/security/authentication.html for a better understanding. When you write an external login module, the SyncHandler is what syncs the attributes. Please refer to org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler for the SyncHandler. The key is that getName() in this should return the unique id of the class. http://jackrabbit.apache.org/oak/docs/security/authentication/usersync.html describes how to do this. This name has to be configured in the ExternalLoginModule configuration in OSGi at the sync.handlerName property. Please let me know if this helps.

markop93341136 (Level 2)

No, this is not clear. I have configured the same parameters in OSGi (see image), and the LDAP is working. But it does not mention callbacks or anything that I would need to implement.

It mentions writing a custom handler or manager, but this seems like overkill since my LDAP is working already.
I was thinking of maybe extending the existing one, but I cannot find anything mentioning what methods to override or how to really implement this.

markop93341136 (Level 2)

No, rewriting the whole LDAP login manager is not an option, since it is working.

Finally I have solved the issue by placing an event listener on the /home/users node where users are created, and then a check action if the parameters match, adding the user to the correct group if they match it.

This works, but those callbacks seemed a lot better than implementing it that way.

bsloki (Community Advisor)

Hi,

In AEM 6, LDAP support comes with a new implementation that requires a different type of configuration than with previous versions.

Please raise a support ticket on the same, so that the team can let you know an alternative if one exists; otherwise they can look at the options.

kalyanar (Employee)

The SyncHandler would do the same. Please post the snippet of what you are trying to accomplish with a listener. Let me try.

markop93341136 (Level 2)

I have a basic event listener that does the job

```java
// Fragment of the OSGi component that registers the listener. LOG, roleMappings and
// LdapUserChangeEventListener are defined elsewhere in the same component.
import javax.jcr.Session;
import javax.jcr.observation.Event;
import javax.jcr.observation.ObservationManager;
import org.apache.felix.scr.annotations.Reference;
import org.apache.sling.jcr.api.SlingRepository;

private LdapUserChangeEventListener observer;
private Session session;
private ObservationManager om;

@Reference
private SlingRepository repository;

private void runNodeObserver() {
    try {
        // Administrative session that stays open for the lifetime of the listener
        this.session = this.repository.loginAdministrative(null);
        this.om = this.session.getWorkspace().getObservationManager();
        LOG.debug("Adding event listener");
        this.observer = new LdapUserChangeEventListener(this.roleMappings, this.repository);
        // Listen for property changes/additions below /home/users (deep), no node type or uuid filter,
        // and include events caused by this session (noLocal = false)
        this.om.addEventListener(this.observer,
                Event.PROPERTY_CHANGED | Event.PROPERTY_ADDED,
                "/home/users", true, null, null, false);
    } catch (Exception e) {
        LOG.error(e.getMessage(), e);
    }
}

private void closeNodeObserver() {
    try {
        LOG.debug("Closing event listener");
        this.om.removeEventListener(this.observer);
    } catch (Exception e) {
        LOG.error(e.getMessage(), e);
    } finally {
        // Always release the session, even if unregistering failed
        if (this.session != null) {
            this.session.logout();
            this.session = null;
        }
    }
}
```
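As an added example (not the asker's code, which omits that class), here is a hypothetical LdapUserChangeEventListener of the kind the snippet above registers: it keys group membership off a synced profile attribute, treats the mapping as an allowlist of existing groups, and revokes the old mapped group when the attribute changes. The attribute name `department`, the `profile/` sub-node written by the sync, and the shape of roleMappings are assumptions; the same reconcile step is what a custom SyncHandler from the accepted answer would run after the default sync.

```java
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.observation.EventIterator;
import javax.jcr.observation.EventListener;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
/** Hypothetical listener (not from the thread): maps a synced profile attribute to group membership. */
public class LdapUserChangeEventListener implements EventListener {
    private static final String ATTR = "department";  // assumed profile attribute written by the sync
    private final Map<String, String> roleMappings;   // allowlist: attribute value -> existing group id
    private final Session session;                    // session opened and closed by the registering service
    public LdapUserChangeEventListener(Map<String, String> roleMappings, Session session) {
        this.roleMappings = roleMappings;
        this.session = session;
    }
    @Override
    public void onEvent(EventIterator events) {
        String suffix = "/profile/" + ATTR;
        while (events.hasNext()) {
            try {
                String path = events.nextEvent().getPath();          // path of the changed property
                if (!path.endsWith(suffix)) continue;                // ignore unrelated properties
                reconcileGroups(path.substring(0, path.length() - suffix.length()));
            } catch (RepositoryException e) {
                // log here; keep processing the remaining events
            }
        }
    }
    /** Adds the user to the mapped group, removes it from the other mapped groups; returns the group granted or null. */
    String reconcileGroups(String userPath) throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        Authorizable user = um.getAuthorizableByPath(userPath);
        if (user == null || user.isGroup()) return null;
        Value[] values = user.getProperty("profile/" + ATTR);
        String wanted = (values == null || values.length == 0) ? null : roleMappings.get(values[0].getString());
        for (String groupId : roleMappings.values()) {               // only groups in the allowlist are ever touched
            Authorizable g = um.getAuthorizable(groupId);
            if (!(g instanceof Group)) continue;                     // missing group: never auto-create it
            Group group = (Group) g;
            if (groupId.equals(wanted)) { if (!group.isMember(user)) group.addMember(user); }
            else if (group.isMember(user)) group.removeMember(user);   // attribute changed: revoke the old group
        }
        session.save();
        return wanted;
    }
}
```

An attribute value with no entry in roleMappings grants nothing, so an unexpected value coming from the directory cannot place a user in an arbitrary group.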