SOLVED

LDAP Sync Callback


Former Community Member

I am using CQ 6.1, and trying to implement LDAP login for users. I also want some extra logic during sync that will place users into certain groups based on certain parameters.
The thing I found was callbacks on this page: http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/ldap_authentication.html

Since this is old documentation and LDAP is not set up like this, I do not know how to use it, though it is just what I need. In the newer documentation on how I actually set up LDAP (http://docs.adobe.com/docs/en/aem/6-0/administer/security/ldap-config.html), callbacks are not mentioned.

Is there some other way I can do this, and how?

1 Accepted Solution


Correct answer by
Employee

Hi, please refer to the org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider (http://grepcode.com/file/repo1.maven.org/maven2/org.apache.jackrabbit/oak-auth-ldap/0.17.1/org/apach...). Overall though, please refer to http://jackrabbit.apache.org/oak/docs/security/authentication.html for a better understanding. When you write an external login module, the sync handler is what syncs the attributes. Please refer to org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler for the sync handler. The key is that getName() in this should return the unique id of the class. http://jackrabbit.apache.org/oak/docs/security/authentication/usersync.html describes how to do this. This name has to be configured in the ExternalLoginModule configuration in OSGi at the sync.handlerName property. Please let me know if this helps.

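An added example, not code from the thread or from Oak, of the sync-handler route the accepted answer describes: a SyncHandler registered under its own name (the value you put in sync.handlerName), which runs the shipped default handler and then adds the user to a group chosen from an LDAP attribute. The class and group names, the "department" attribute, and the "(handler.name=default)" service filter used to find the default handler are assumptions to adapt to your setup.

```java
import java.util.Iterator;
import javax.jcr.RepositoryException;
import javax.jcr.ValueFactory;
import org.apache.felix.scr.annotations.*;
import org.apache.jackrabbit.api.security.user.*;
import org.apache.jackrabbit.oak.spi.security.authentication.external.*;

// Added example: wraps the default sync and assigns a group from an LDAP attribute.
@Component(immediate = true)
@Service(SyncHandler.class)
@Property(name = "handler.name", value = GroupAssigningSyncHandler.NAME) // assumed service property key
public class GroupAssigningSyncHandler implements SyncHandler {
    static final String NAME = "ldap-groups"; // configure sync.handlerName=ldap-groups on the External Login Module

    @Reference(target = "(handler.name=default)") // assumption: filter that selects DefaultSyncHandler
    private SyncHandler defaultHandler;

    @Override public String getName() { return NAME; } // must match sync.handlerName

    @Override public SyncContext createContext(ExternalIdentityProvider idp, UserManager um, ValueFactory vf) throws SyncException {
        return new Ctx(defaultHandler.createContext(idp, um, vf), um);
    }
    @Override public SyncedIdentity findIdentity(UserManager um, String id) throws RepositoryException { return defaultHandler.findIdentity(um, id); }
    @Override public boolean requiresSync(SyncedIdentity id) { return defaultHandler.requiresSync(id); }
    @Override public Iterator<SyncedIdentity> listIdentities(UserManager um) throws RepositoryException { return defaultHandler.listIdentities(um); }

    /** Delegates everything to the default context; only sync(ExternalIdentity) adds behaviour. */
    static final class Ctx implements SyncContext {
        private final SyncContext base; private final UserManager um;
        Ctx(SyncContext base, UserManager um) { this.base = base; this.um = um; }

        @Override public SyncResult sync(ExternalIdentity identity) throws SyncException {
            SyncResult result = base.sync(identity);              // default attribute and group sync first
            if (!(identity instanceof ExternalUser)) return result;
            Object dept = identity.getProperties().get("department"); // assumed LDAP attribute name
            try {
                Authorizable user = um.getAuthorizable(result.getIdentity().getId());
                // Only add to a group that already exists: never create groups from directory-supplied values.
                Authorizable grp = dept == null ? null : um.getAuthorizable("dept-" + dept);
                if (user != null && grp != null && grp.isGroup()) ((Group) grp).addMember(user);
            } catch (RepositoryException e) { throw new SyncException(e); }
            return result; // the login module commits the system session after a successful sync
        }
        @Override public SyncResult sync(String id) throws SyncException { return base.sync(id); }
        @Override public boolean isKeepMissing() { return base.isKeepMissing(); }
        @Override public SyncContext setKeepMissing(boolean b) { base.setKeepMissing(b); return this; }
        @Override public boolean isForceUserSync() { return base.isForceUserSync(); }
        @Override public SyncContext setForceUserSync(boolean b) { base.setForceUserSync(b); return this; }
        @Override public boolean isForceGroupSync() { return base.isForceGroupSync(); }
        @Override public SyncContext setForceGroupSync(boolean b) { base.setForceGroupSync(b); return this; }
        @Override public void close() { base.close(); }
    }
}
```

Because this runs inside the login module's own sync, the group is in place before the first login completes and no separate administrative session is needed.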

7 Replies


Former Community Member

No, this is not clear. I have configured the same parameters in OSGi (see image), and the LDAP is working. But it does not mention callbacks or anything that I would need to implement.

It mentions writing a custom handler or manager, but this seems like overkill since my LDAP is working already.
I was thinking of maybe extending the existing one, but I cannot find anything mentioning what methods to override or how to really implement this.


Former Community Member

No, rewriting the whole LDAP login manager is not an option since it is working.

Finally I have solved the issue by placing an event listener on the /home/users node where users are created, then checking whether the parameters match, and adding the user to the correct group if they match.

This works, but those callbacks seemed a lot better than implementing it this way.


Level 10

Hi,

In AEM 6, LDAP support comes with a new implementation that requires a different type of configuration than with previous versions.

Please raise a support ticket on the same, so that the team can let you know whether an alternative exists; otherwise they can look at the options.


Employee

The sync handler would do the same. Please post the snippet of what you are trying to accomplish with a listener. Let me try.


Former Community Member

I have a basic event listener that does the job

```java
import java.util.Map;
import javax.jcr.Session;
import javax.jcr.observation.Event;
import javax.jcr.observation.ObservationManager;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Reference;
import org.apache.sling.jcr.api.SlingRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// The enclosing class, imports, logger, roleMappings field and activate/deactivate hooks are not in the
// post and were added so the snippet compiles; the class name and the Map type of roleMappings are assumptions.
@Component(immediate = true)
public class LdapUserGroupObserver {
    private static final Logger LOG = LoggerFactory.getLogger(LdapUserGroupObserver.class);
    private Map<String, String> roleMappings; // attribute value -> group id, loaded from config (not shown)

    private LdapUserChangeEventListener observer;
    private Session session;
    private ObservationManager om;
    @Reference
    private SlingRepository repository;

    @Activate
    protected void activate() { runNodeObserver(); }

    @Deactivate
    protected void deactivate() { closeNodeObserver(); }

    private void runNodeObserver() {
        try {
            // Administrative session held open for the lifetime of the listener (loginAdministrative is deprecated in AEM 6.1)
            this.session = this.repository.loginAdministrative(null);
            this.om = this.session.getWorkspace().getObservationManager();
            LOG.debug("Adding event listener");
            this.observer = new LdapUserChangeEventListener(this.roleMappings, this.repository);
            // Property additions and changes anywhere below /home/users, local and remote events alike
            this.om.addEventListener(this.observer, Event.PROPERTY_CHANGED | Event.PROPERTY_ADDED,
                    "/home/users", true, null, null, false);
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
        }
    }

    private void closeNodeObserver() {
        try {
            LOG.debug("Closing event listener");
            this.om.removeEventListener(this.observer);
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
        } finally {
            if (this.session != null) {
                this.session.logout();
                this.session = null;
            }
        }
    }
}
```
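The LdapUserChangeEventListener that the snippet registers is not shown in the post; this is an added example (not the poster's code) of what its onEvent can do, assuming the synced attribute lands at profile/department on the user node and roleMappings maps attribute values to ids of groups that already exist. JCR observation is asynchronous, so a user can finish a first login before the group is applied; that is one reason the sync-handler route fits this requirement better.

```java
import java.util.Map;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.observation.Event;
import javax.jcr.observation.EventIterator;
import javax.jcr.observation.EventListener;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.jcr.api.SlingRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Added example: reacts to the synced attribute being written and adds the user to a mapped group.
public class LdapUserChangeEventListener implements EventListener {
    private static final Logger LOG = LoggerFactory.getLogger(LdapUserChangeEventListener.class);
    private static final String ATTR = "department";          // assumed synced attribute
    private static final String SUFFIX = "/profile/" + ATTR;  // assumed location below the user node
    private final Map<String, String> roleMappings;           // attribute value -> existing group id
    private final SlingRepository repository;

    public LdapUserChangeEventListener(Map<String, String> roleMappings, SlingRepository repository) {
        this.roleMappings = roleMappings;
        this.repository = repository;
    }

    @Override
    public void onEvent(EventIterator events) {
        Session session = null;
        try {
            session = repository.loginAdministrative(null); // same login the registering snippet uses; a service user is preferable
            UserManager um = ((JackrabbitSession) session).getUserManager();
            while (events.hasNext()) {
                String path = events.nextEvent().getPath();   // property path, e.g. /home/users/x/y/jdoe/profile/department
                if (!path.endsWith(SUFFIX)) continue;
                Authorizable user = um.getAuthorizableByPath(path.substring(0, path.length() - SUFFIX.length()));
                if (user == null || user.isGroup()) continue;
                Value[] vals = user.getProperty("profile/" + ATTR);
                String groupId = (vals == null || vals.length == 0) ? null : roleMappings.get(vals[0].getString());
                Authorizable grp = groupId == null ? null : um.getAuthorizable(groupId); // unmapped values are ignored
                if (grp != null && grp.isGroup() && ((Group) grp).addMember(user)) {
                    session.save();
                    LOG.debug("Added {} to {}", user.getID(), groupId);
                }
            }
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
        } finally {
            if (session != null) session.logout();
        }
    }
}
```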