
SOLVED

LDAP Sync doesn't refresh group memberships in AEM when user is removed from LDAP group


Level 1

Hi,

I have set up an AEM instance with LDAP to sync users and groups to AEM. Sync is working fine and syncing users and their respective groups as defined in the group filters. I need to remove a user from a synced group in AEM when the user is removed from the LDAP group. I have set the "Group Expiration Time" value, but this doesn't seem to work and doesn't remove the user from the AEM group after the specified time. Is there any other configuration needed here?

1 Accepted Solution


Correct answer by
Level 10

No other configuration is required. When a user is removed from LDAP, its membership will not be reflected in the CRX group immediately at that point. The group membership becomes eventually consistent once another user or the same user logs in after cache expiration. CQ 5.3 had this issue and you should have a hotfix for this. Any latest AEM version should not have such problems.

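The timing the accepted answer describes, modelled as an added Python simulation (this is not Oak or AEM code; the class names and the `membership_exp_time` parameter are hypothetical stand-ins for the sync handler's Group Expiration Time). It shows why a removal in LDAP only reaches AEM on the first login after the cached membership expires, and includes a stale-membership check a defender can run against the model:

```python
"""Hypothetical model of sync-on-login membership refresh (not Oak/AEM code)."""
from dataclasses import dataclass, field


@dataclass
class Ldap:
    groups: dict[str, set[str]]  # constructed directory: group -> member ids

    def groups_of(self, user: str) -> set[str]:
        return {g for g, members in self.groups.items() if user in members}


@dataclass
class SyncedUser:
    groups: set[str]     # membership copied into the repository at last sync
    last_synced: float   # simulated clock, seconds


@dataclass
class AemRepo:
    membership_exp_time: float  # stands in for "Group Expiration Time" (seconds)
    users: dict[str, SyncedUser] = field(default_factory=dict)

    def login(self, ldap: Ldap, user: str, now: float) -> set[str]:
        """Sync-on-login: membership is refreshed only once the cached copy has expired."""
        cached = self.users.get(user)
        if cached is None or now - cached.last_synced >= self.membership_exp_time:
            self.users[user] = SyncedUser(ldap.groups_of(user), now)
        return self.users[user].groups

    def stale_memberships(self, ldap: Ldap) -> dict[str, set[str]]:
        """Groups a user still holds in the repository but no longer holds in LDAP."""
        stale = {u: s.groups - ldap.groups_of(u) for u, s in self.users.items()}
        return {u: g for u, g in stale.items() if g}


def scenario() -> list[set[str]]:
    """Constructed walk-through: removal in LDAP, then logins before and after expiry."""
    ldap = Ldap({"editors": {"alice"}, "everyone": {"alice"}})
    aem = AemRepo(membership_exp_time=3600)
    seen = [set(aem.login(ldap, "alice", now=0))]     # initial sync at login
    ldap.groups["editors"].discard("alice")           # user removed from LDAP group
    seen.append(set(aem.users["alice"].groups))       # no login yet: AEM unchanged
    seen.append(set(aem.login(ldap, "alice", now=600)))   # login before expiry: unchanged
    seen.append(set(aem.login(ldap, "alice", now=4000)))  # login after expiry: refreshed
    return seen
```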

4 Replies



Level 1

Thanks Sham. This has been resolved now.


Level 2

Hi Harshl,

How did you get the group sync to work? Could you please send me a snapshot of the config that you have?

I am attaching mine.

Thanks,

Pavan


Level 2

Could you please update us with the configuration you have and how it got fixed? We are having the same issues. When the LDAP group is removed, the user still exists within AEM with the everyone role. How do we delete the user when he is no longer in LDAP?