SOLVED

OpenLDAP as Identity Provider

Hi all

I am using OpenLdap as IDP.

OpenLdap posixGroup uses the memberUid attribute to identify members, which is just the UID of a user (eg pjones).

OAK LdapIdentityProvider uses the full DN of a user when querying groups for members (eg cn=Peter Jones,ou=users,dc=example,dc=com).

This means user Peter Jones is not found when querying groups.

Please see the SearchRequest filter of [1] from the ldap.log file.

[1]

org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider getDeclaredGroupRefs: using SearchRequest MessageType : SEARCH_REQUEST
Message ID : -1
    SearchRequest
        baseDn : 'ou=groups,dc=example,dc=com'
        filter : '(&(memberUid=cn=Peter Jones,ou=users,dc=example,dc=com)(objectclass=posixGroup))'
        scope : whole subtree
        typesOnly : false
        Size Limit : no limit
        Time Limit : 60000
        Deref Aliases : deref Always
        attributes : 'cn'

How can this be resolved?

1 Accepted Solution


Via CLI, created new group in OpenLDAP. This identifies members by DN.

dn: cn=boss,ou=groups,dc=example,dc=com
cn: boss
member: cn=Peter Jones,ou=users,dc=example,dc=com
objectclass: top
objectClass: groupOfNames

Was using PHP admin as LDAP UI, which seemingly only allows for creating posixGroup. Did not see option for creating groupOfNames so I used CLI.

Querying groups for members now returns results.
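The following is an added example, not code from this thread, from Oak or from OpenLDAP. It models the mismatch described in the question and the fix in the accepted answer with a small constructed in-memory directory: a posixGroup whose memberUid holds the bare uid (pjones, the value the question mentions) and the groupOfNames from the answer whose member holds the full DN. It builds the same AND filter that appears in the ldap.log excerpt and evaluates it with a simplified, case-insensitive equality match (a real server applies proper DN matching rules). The group name "developers" and its gidNumber are constructed sample values; the RFC 4515 escaping helper is included because the membership value Oak puts into the filter is taken from a directory entry, and escaping keeps such a value from altering the filter's meaning.

```python
"""Why Oak's group lookup misses a posixGroup member, and why a groupOfNames fixes it.

Added example (not code from the thread, Oak or OpenLDAP). It evaluates the
filter shape seen in the thread's ldap.log against a constructed in-memory
directory with simplified, case-insensitive equality matching.
"""
from typing import Dict, List

# Constructed directory: one posixGroup (membership by uid) and the
# groupOfNames from the accepted answer (membership by DN).
DIRECTORY: List[Dict[str, List[str]]] = [
    {
        "dn": ["cn=developers,ou=groups,dc=example,dc=com"],  # constructed group
        "cn": ["developers"],
        "objectClass": ["top", "posixGroup"],
        "gidNumber": ["5000"],                                # constructed value
        "memberUid": ["pjones"],                              # bare uid, as posixGroup stores it
    },
    {
        "dn": ["cn=boss,ou=groups,dc=example,dc=com"],
        "cn": ["boss"],
        "objectClass": ["top", "groupOfNames"],
        "member": ["cn=Peter Jones,ou=users,dc=example,dc=com"],  # full DN
    },
]

USER_DN = "cn=Peter Jones,ou=users,dc=example,dc=com"
USER_UID = "pjones"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    Commas and '=' in a DN need no escaping, but '*', '(', ')', '\\' and NUL
    must become \\XX hex escapes so a value read from a directory entry
    cannot change the structure of the filter it is embedded in.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_group_filter(member_attr: str, value: str, object_class: str) -> str:
    """Build the AND filter shape from the log: (&(<attr>=<value>)(objectclass=<oc>))."""
    return "(&(%s=%s)(objectclass=%s))" % (
        member_attr, escape_filter_value(value), object_class)


def _attr(entry: Dict[str, List[str]], name: str) -> List[str]:
    """Case-insensitive attribute lookup (LDAP attribute types are case-insensitive)."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def find_groups(member_attr: str, value: str, object_class: str,
                directory: List[Dict[str, List[str]]] = DIRECTORY) -> List[str]:
    """Return the cn of each group whose <member_attr> contains <value> and whose
    objectClass contains <object_class>. Simplified equality match, case-insensitive."""
    hits = []
    for entry in directory:
        classes = [c.lower() for c in _attr(entry, "objectClass")]
        members = [m.lower() for m in _attr(entry, member_attr)]
        if object_class.lower() in classes and value.lower() in members:
            hits.append(_attr(entry, "cn")[0])
    return hits


if __name__ == "__main__":
    # The filter from the thread's ldap.log: a DN compared against memberUid -> no hit.
    print(build_group_filter("memberUid", USER_DN, "posixGroup"))
    print(find_groups("memberUid", USER_DN, "posixGroup"))   # []
    # What a posixGroup actually stores: the bare uid would have matched.
    print(find_groups("memberUid", USER_UID, "posixGroup"))  # ['developers']
    # The groupOfNames from the accepted answer: DN compared against member -> hit.
    print(find_groups("member", USER_DN, "groupOfNames"))    # ['boss']
```

Running the script prints the exact filter string from the log, then an empty list for the posixGroup lookup by DN, the constructed "developers" group for a lookup by uid, and "boss" for the groupOfNames lookup by DN, which is the behaviour the accepted answer reports after switching group types.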
