Expand my Community achievements bar.

Groups not syncing from LDAP

Avatar

Level 4
Level 4
2/7/19 10:58:48 PM

Hi,

we have recently changed the naming convention of the groups and now we see that the groups are not syncing from the LDAP, it is throwing warning saying that it is not able to recognize the whither it is a user or a group.

PFB configurations and error as well.

PID = org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider

  BundleLocation = Unbound

  adminPool.lookupOnValidate = false

  adminPool.maxActive = 8

  bind.dn = uid=appaem,ou=applicationids,ou=people,ou=intranet,dc=********,dc=com

  bind.password = XXXXXXXX

  customattributes = []

  group.baseDN = ou=groups,ou=intranet,dc=*******,dc=com

  group.extraFilter = (cn=AEM-EDAM-*-INT)

  group.makeDnPath = false

  group.memberAttribute = uniquemember

  group.nameAttribute = cn

  group.objectclass = [groupOfUniqueNames]

  host.name = ovdtest.******.com

  host.noCertCheck = true

  host.port = 636

  host.ssl = true

  host.tls = false

  provider.name = ovdidp

  searchTimeout = 60s

  service.pid = org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider

  useUidForExtId = false

  user.baseDN = ou=intranet,dc=********,dc=com

  user.extraFilter = (hmdynmemberof=AEM-EDAM-HHA-EVERYONE-INT)

  user.idAttribute = uid

  user.makeDnPath = false

  user.objectclass = [inetorgperson]

  userPool.lookupOnValidate = false

  userPool.maxActive = 8

Error log warning:

08.02.2019 01:03:57.940 *INFO* [qtp382561098-125692] org.apache.jackrabbit.oak.spi.security.authentication.external.impl.jmx.Delegatee synced DefaultSyncedIdentity{id='lid****', ref=ExternalIdentityRef{id='uid=lid****,ou=people,ou=intranet,dc=********,dc=com', providerName='ovdidp'}, isGroup=false, lastSynced=1549605837675}

08.02.2019 01:03:57.947 *WARN* [qtp382561098-125692] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-USERS-INT,ou=groups,ou=intranet,dc=********,dc=com;ovdidp

08.02.2019 01:03:57.947 *WARN* [qtp382561098-125692] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-USERS-INT,ou=groups,ou=intranet,dc=********,dc=com;ovdidp'.

08.02.2019 01:03:57.952 *WARN* [qtp382561098-125692] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-ADMINS-INT,ou=groups,ou=intranet,dc=********,dc=com;ovdidp

08.02.2019 01:03:57.952 *WARN* [qtp382561098-125692] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-ADMINS-INT,ou=groups,ou=intranet,dc=********,dc=com;ovdidp'

Views

2.3K

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
3 Replies

Avatar

Level 10
Level 10
2/8/19 8:14:31 AM

Check this snippet for error details -

Entry entry = connection.lookup(ref.getId(), "*");

  if (entry == null) {

  return null;

  } else if (entry.hasObjectClass(config.getUserConfig().getObjectClasses())) {

  return createUser(entry, null);

  } else if (entry.hasObjectClass(config.getGroupConfig().getObjectClasses())) {

  return createGroup(entry, null);

  } else {

  log.warn("referenced identity is neither user or group: {}", ref.getString());

  return null;

  }

source - https://svn.apache.org/repos/asf/jackrabbit/oak/branches/1.0/oak-auth-ldap/src/main/java/org/apache/...

I assume that you would have to create a fresh config with the updated group name.

https://helpx.adobe.com/experience-manager/using/configuring-aem6-apache-directory-service.html

Views

1.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
2/12/19 3:03:04 AM

I have deleted all the configs and manually recreated all the configurations, but still not able to sync the newly created groups.

I have tried with he property 'group.extraFilter = (cn=AEM-*-INT)', in this scenario, it is giving the below input. I think it is able to sync the other groups, but when the 'group.extraFilter = (cn=AEM-EDAM-*-INT)', it is not able to sync the groups, do you think that there is an issue with groups creation.

12.02.2019 05:52:43.655 *INFO* [qtp1538804081-3219] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'lid***' was added to the group 'AEM-EHS-WORKFLOWUSERS-INT'

12.02.2019 05:52:43.658 *INFO* [qtp1538804081-3219] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'lid***' was added to the group 'AEM-EHS-ADMINS-INT'

12.02.2019 05:52:43.659 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-EDITORS-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp

12.02.2019 05:52:43.659 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-EDITORS-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp'.

12.02.2019 05:52:43.660 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-READ-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp

12.02.2019 05:52:43.660 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-READ-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp'.

12.02.2019 05:52:43.661 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=AEM-EDAM-HHA-USERS-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp

12.02.2019 05:52:43.661 *WARN* [qtp1538804081-3219] org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext No external group found for ref 'cn=AEM-EDAM-HHA-USERS-INT,ou=groups,ou=intranet,dc=highmark,dc=com;ovdidp'.

Views

1.9K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
2/12/19 8:36:47 AM

Not sure, you may want to validate each step of this tutorial against your configurations. That's a better way to rule out any wrong configurations for that group -

GitHub - Adobe-Marketing-Cloud/aem-ldap-tutorial

Configuring LDAP with AEM 6

Views

1.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate