SOLVED

LiveCycle LDAP to AEM/LDAP and multiple directories/OUs


We are attempting to duplicate LDAP settings in LiveCycle to AEM OSGI platform.  

The first and basic question is . . . if we have multiple OUs, do we set up multiple "Apache Jackrabbit Oak LDAP Identity Providers"? The next presumption is that we would need to configure one "Apache Jackrabbit Oak Default Sync Handlers" for each Identity provider.

 

Next, with the "Apache Jackrabbit Oak External Login Module", do we configure one for each ldap.name? In LiveCycle, we only have 1 for LDAP authentication and another for SPNEGO - SSO. We need to duplicate this for SSO, too. The JAAS realm information seems to be elusive too - just defaults?

 

Any helpful hints or documentation would be wonderful.

 

This is what I am reading . . . https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/ldap-config.htm...

 

 

1 Accepted Solution

Correct answer by
Community Advisor

Hi @crich2784 ,

 

For your first question - if we have multiple OUs, do we set up multiple "Apache Jackrabbit Oak LDAP Identity Providers" - In this case, you can search for the user in the parent OU.

For example: 

ou=students, ou=dept1, o=myorg and ou=students, ou=dept2, o=myorg, then search the user in myorg 

 

2nd question, 

we would need to configure one "Apache Jackrabbit Oak Default Sync Handlers" for each Identity provider - So Sync handlers will sync the users. It depends on your use case how you want to map users and groups. For example, groups could be different in different providers. In my previous experience, we had 1 provider and so we had 1 sync handler.

 

Apache Jackrabbit Oak External Login Module will define the mapping between provider and sync handler, as in which sync handler will be used for which provider. So this will be clear once you have sorted out the above 2.

 

Please note, this is based on my previous experience in using LDAP with AEM. Can you please explain your use case in more detail, in case you need more clarification.

 

Thanks,

Chitra
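Added worked example (not part of the original thread, and not Adobe's or the answerer's code): the three components named in the answer, wired together for the OU layout in the example above (ou=students under dept1 and dept2, both under o=myorg), written out as the OSGi factory configs AEM reads. The factory PIDs and property keys are those of the Oak LDAP identity provider, default sync handler and external login module; the host name, bind DN, provider and handler names, AEM group name and output folder are hypothetical placeholders. The `jaas.realmName`, control flag and ranking shown are the Oak defaults. `check_wiring` verifies the cross-references the answer describes (login module → provider, login module → sync handler) plus the transport settings, and `user_search_filter` shows the filter the provider issues below `user.baseDN`, with the login name escaped so it cannot widen the search.

```python
"""One Oak LDAP identity provider + one sync handler + one external login
module as three OSGi configs, a wiring check, and the user search filter.

Added example, not from the thread. Host, bind DN, provider/handler names,
AEM group and output folder are hypothetical; OU layout is the answer's.
"""
import json
from pathlib import Path
from typing import Dict, List

# Factory PIDs of the three components discussed in the thread.
LDAP_IDP_PID = "org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
SYNC_HANDLER_PID = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler"
LOGIN_MODULE_PID = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"

PROVIDER_NAME = "myorg-ldap"  # hypothetical; the login module's idp.name must equal this
HANDLER_NAME = "myorg-sync"   # hypothetical; the login module's sync.handlerName must equal this


def ldap_idp_config() -> Dict:
    """One provider searching from the common parent o=myorg, so a single subtree
    search finds users in ou=students,ou=dept1,o=myorg and ou=students,ou=dept2,o=myorg."""
    return {
        "provider.name": PROVIDER_NAME,
        "host.name": "ldap.example.com",  # hypothetical
        "host.port": 636,
        "host.ssl": True,                 # LDAPS: bind password never crosses the wire in clear
        "host.tls": False,
        "host.noCertCheck": False,        # keep server certificate validation on
        "bind.dn": "cn=aem-reader,ou=service,o=myorg",  # hypothetical read-only service account
        "bind.password": "<from your secret store>",    # placeholder, never a literal in source control
        "user.baseDN": "o=myorg",
        "user.objectclass": ["inetOrgPerson"],
        "user.idAttribute": "uid",
        "user.extraFilter": "",
        "user.makeDnPath": True,          # dept1 and dept2 users land under different repository paths
        "group.baseDN": "o=myorg",
        "group.objectclass": ["groupOfUniqueNames"],
        "group.nameAttribute": "cn",
        "group.memberAttribute": "uniquemember",
    }


def sync_handler_config() -> Dict:
    """What is copied into the repository on login and how long it is trusted."""
    return {
        "handler.name": HANDLER_NAME,
        "user.expirationTime": "1h",             # re-read user attributes after an hour
        "user.membershipExpTime": "1h",          # re-read group membership after an hour
        "user.membershipNestingDepth": 1,
        "user.autoMembership": ["contributor"],  # hypothetical AEM group every synced user joins
        "user.propertyMapping": ["profile/givenName=givenName", "profile/familyName=sn", "profile/email=mail"],
        "user.disableMissing": True,             # a full sync disables users that vanished from LDAP
        "group.expirationTime": "1d",
    }


def login_module_config() -> Dict:
    """The glue: which provider authenticates and which handler syncs the result."""
    return {
        "jaas.ranking": 50,
        "jaas.controlFlag": "SUFFICIENT",
        "jaas.realmName": "jackrabbit.oak",  # Oak's default realm; keep unless you run several realms
        "idp.name": PROVIDER_NAME,
        "sync.handlerName": HANDLER_NAME,
    }


def check_wiring(idp: Dict, handler: Dict, login: Dict) -> List[str]:
    """Problems found; empty means the references line up and transport is protected."""
    problems = []
    if login["idp.name"] != idp["provider.name"]:
        problems.append("idp.name on the login module does not match provider.name")
    if login["sync.handlerName"] != handler["handler.name"]:
        problems.append("sync.handlerName on the login module does not match handler.name")
    if not (idp.get("host.ssl") or idp.get("host.tls")):
        problems.append("neither host.ssl nor host.tls is set: bind credentials go in clear")
    if idp.get("host.noCertCheck"):
        problems.append("host.noCertCheck is true: the LDAP server certificate is not verified")
    return problems


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of the characters that would otherwise change the filter."""
    table = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\0": "\\00"}
    return "".join(table.get(c, c) for c in value)


def user_search_filter(idp: Dict, user_id: str) -> str:
    """Filter issued below user.baseDN for a login name: (&(uid=<id>)(objectclass=..)<extra>).
    The id is escaped, so a name like '*)(uid=*' cannot widen the search."""
    parts = ["(&(", idp["user.idAttribute"], "=", escape_filter_value(user_id), ")"]
    for oc in idp["user.objectclass"]:
        parts.append("(objectclass=" + escape_filter_value(oc) + ")")
    parts.append(idp.get("user.extraFilter", ""))
    parts.append(")")
    return "".join(parts)


def write_configs(outdir: Path) -> List[Path]:
    """Write <factory PID>~<name>.cfg.json files into an OSGi config folder
    (for example /apps/myproject/osgiconfig/config.prod; folder name hypothetical)."""
    outdir.mkdir(parents=True, exist_ok=True)
    files = {
        f"{LDAP_IDP_PID}~{PROVIDER_NAME}.cfg.json": ldap_idp_config(),
        f"{SYNC_HANDLER_PID}~{HANDLER_NAME}.cfg.json": sync_handler_config(),
        f"{LOGIN_MODULE_PID}~{PROVIDER_NAME}.cfg.json": login_module_config(),
    }
    written = []
    for name, cfg in files.items():
        path = outdir / name
        path.write_text(json.dumps(cfg, indent=2))
        written.append(path)
    return written
```

Two practical notes. First, because the provider searches the whole subtree under `o=myorg`, every account below it can authenticate; if only some OUs should, narrow `user.extraFilter` (or the base DN) rather than relying on group membership alone. Second, you only need a second provider and a second login module when the accounts live in a different directory server, not merely in a different OU; in that case give the second provider its own `provider.name`, point a second login module at it, and reuse the same sync handler unless the user/group mapping differs.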
