Expand my Community achievements bar.

July 31st AEM Gems Webinar: Elevate your AEM development to master the integration of private GitHub repositories within AEM Cloud Manager.
SOLVED

OpenLDAP as Identity Provider

Avatar

Level 3

Hi all

I am using OpenLdap as IDP.

OpenLdap posixGroup uses the memberUid attribute to identify members, which is just the UID of a user (eg pjones).

OAK LdapIdentityProvider uses the full DN of a user when querying groups for members (eg cn=Peter Jones,ou=users,dc=example,dc=com).

This means user Peter Jones is not be found when querying groups.

Please see SearchRequest filter of  [1] from ldap.log file.

[1]

org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider getDeclaredGroupRefs: using SearchRequest MessageType : SEARCH_REQUEST

Message ID : -1

    SearchRequest

        baseDn : 'ou=groups,dc=example,dc=com'

        filter : '(&(memberUid=cn=Peter Jones,ou=users,dc=example,dc=com)(objectclass=posixGroup))'

        scope : whole subtree

        typesOnly : false

        Size Limit : no limit

        Time Limit : 60000

        Deref Aliases : deref Always

        attributes : 'cn'

How can this be resolved?

1 Accepted Solution

Avatar

Correct answer by
Level 3

Via CLI, created new group in OpenLDAP. This identifies members by DN.

dn: cn=boss,ou=groups,dc=example,dc=com

cn: boss

member: cn=Peter Jones,ou=users,dc=example,dc=com

objectclass: top

objectClass: groupOfNames

Was using PHP admin as LDAP UI, which seemingly only allows for creating posixGroup. Did not see option for creating groupOfNames so I used CLI.

Querying groups for members now returns results.

View solution in original post

1 Reply

Avatar

Correct answer by
Level 3

Via CLI, created new group in OpenLDAP. This identifies members by DN.

dn: cn=boss,ou=groups,dc=example,dc=com

cn: boss

member: cn=Peter Jones,ou=users,dc=example,dc=com

objectclass: top

objectClass: groupOfNames

Was using PHP admin as LDAP UI, which seemingly only allows for creating posixGroup. Did not see option for creating groupOfNames so I used CLI.

Querying groups for members now returns results.