
How to synchronize LDAP users and groups in AEM

In this post we synchronize user and group account information by configuring AEM 6.1 to use a third-party LDAP service. After the synchronization, the account details are stored in the repository. Group information either comes from the LDAP service or is added through the AEM configuration, and is used to assign the required permissions and privileges.

The integration has two big parts.

1) LDAP server side

The first part is setting up the LDAP server side with users and groups. I recommend Apache Directory Service (http://directory.apache.org): download and install the latest Apache DS version, which lets you create users and groups quickly, for example by importing an ".ldif" file with the user and group information. Here is an example file: http://directory.apache.org/apacheds/basic-ug/resources/apache-ds-tutorial.ldif.

The image below shows an example LDAP server side in Apache DS.

2) AEM Configuration

Now it is time to focus on AEM. Here we have to set up three main configurations and use one built-in AEM tool.

2.1) Configure LDAP identity provider  

Configure the LDAP IDP; this is the piece that connects to the LDAP server.

Go to http://localhost:4502/system/console/configMgr, search for "LDAP identity provider" and click the plus (+) button.

Enter the following information and save:

Name | Value | Description
---- | ----- | -----------
LDAP Provider Name | ldap | Name of the LDAP provider configuration.
LDAP Server Hostname | localhost | Hostname of the LDAP server.
LDAP Server Port | 10389 | Port of the LDAP server.
Use SSL | false | Whether to connect using SSL.
Use TLS | false | Whether to use TLS.
Disable certificate checking | false | Whether to skip certificate validation.
Bind DN | uid=admin,ou=system | DN of the user used to authenticate (bind) to the LDAP server.
Bind Password | secret | Password of the bind user.
Search Timeout | 60s | Search timeout.
Admin pool max active | 8 | Max active size of the admin connection pool.
User pool max active | 8 | Max active size of the user connection pool.
User base DN | ou=people,o=SevenSeas | Base DN for user searches.
User object classes | person | Object class of users.
User id attribute | uid | Attribute holding the user id.
User extra filter | | Extra LDAP filter to use when searching for users.
User DN paths | false |
Group base DN | ou=groups,o=SevenSeas | Base DN for groups.
Group object classes | groupOfUniqueNames | Object classes of groups.
Group name attribute | cn | Attribute holding the group name.
Group extra filter | |
Group DN paths | false |
Group member attribute | uniquemember | Group attribute that contains the members of a group.

2.2) Configure Default Sync Handler   

The sync handler is responsible for synchronizing the external users with the local repository.

Go to http://localhost:4502/system/console/configMgr, search for "Default Sync Handler" and click the plus (+) button.

Enter the following information and save:

Name | Value | Description
---- | ----- | -----------
Sync Handler Name | default | Name of the sync configuration; referenced by the Login Module.
User Expiration Time | 1h | Duration until a synced user expires.
User auto membership | contributor | List of existing AEM groups the user is added to automatically.
User property mapping | ["rep:fullname\=cn", "profile/nt:primaryType\=\"nt:unstructured\"", "profile/givenName\=givenname", "profile/familyName\=sn"] | List of mapping definitions of local properties from external ones, e.g. 'profile/email=mail'. Use double quotes for fixed values, e.g. 'profile/nt:primaryType="nt:unstructured"' (user.propertyMapping).
User Path Prefix | /ldap_seven_seas | The path prefix used when creating new users.
User Membership Expiration | 1h |
User membership nesting depth | 1 | Maximum depth of group nesting when membership relations are synced. 0 effectively disables group membership lookup; 1 adds only the direct groups of a user. This value has no effect when syncing individual groups, only when syncing a user's membership ancestry.
Group Expiration Time | 1d | Duration until a synced group expires.
Group auto membership | |
Group property mapping | |
Group Path Prefix | /ldap_seven_seas | The path prefix used when creating new groups.

2.3) Configure Login Module  

The external login module is the bridge between the login, the IDP, and the Sync Handler.

Go to http://localhost:4502/system/console/configMgr, search for "External Login Module" and click the plus (+) button.

Enter the following information and save:

Name | Value | Description
---- | ----- | -----------
JAAS Ranking | 50 |
JAAS Control Flag | SUFFICIENT |
JAAS Realm | |
Identity Provider Name | ldap | Name of the identity provider.
Sync Handler Name | default | Name of the sync handler.
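The three configurations from 2.1 to 2.3 can also be deployed as OSGi factory configuration files instead of being typed into the web console, which makes the setup repeatable and reviewable. The block below is an added example, not part of the original post: it uses Felix ".config" syntax (the same escaping the property-mapping value above uses) and the property keys of the Oak LDAP and external-authentication bundles as I know them; the file names and the /apps/system/config location are assumptions, so check both against the configMgr entries of your AEM version. The values match the tutorial; the comments show the settings a practitioner would change for a real directory (LDAPS with certificate checking left on, and a dedicated read-only bind account whose password is not committed).

```properties
# Added example (not from the original post). Property keys assumed from the
# Oak LDAP / external-authentication configuration classes; verify locally.

# --- /apps/system/config/org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider-ldap.config
provider.name="ldap"
host.name="localhost"
# Plain LDAP on the Apache DS default port, as in the tutorial.
host.port=I"10389"
host.ssl=B"false"
host.tls=B"false"
# For a production directory, connect over LDAPS instead (Apache DS default 10636):
#   host.port=I"10636"
#   host.ssl=B"true"
# Leave certificate checking enabled so the server certificate is verified.
host.noCertCheck=B"false"
# uid=admin,ou=system / "secret" is the Apache DS default administrator.
# Use a dedicated read-only bind account and keep the real password out of
# source control.
bind.dn="uid=admin,ou=system"
bind.password="secret"
searchTimeout="60s"
adminPool.maxActive=L"8"
userPool.maxActive=L"8"
user.baseDN="ou=people,o=SevenSeas"
user.objectclass=["person"]
user.idAttribute="uid"
user.extraFilter=""
user.makeDnPath=B"false"
group.baseDN="ou=groups,o=SevenSeas"
group.objectclass=["groupOfUniqueNames"]
group.nameAttribute="cn"
group.extraFilter=""
group.makeDnPath=B"false"
group.memberAttribute="uniquemember"

# --- /apps/system/config/org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler-default.config
handler.name="default"
user.expirationTime="1h"
# Every synced LDAP user is also added to this existing AEM group.
user.autoMembership=["contributor"]
# "\=" separates the local property from the external attribute; a value in
# escaped double quotes is a fixed value rather than an attribute name.
user.propertyMapping=["rep:fullname\=cn","profile/nt:primaryType\=\"nt:unstructured\"","profile/givenName\=givenname","profile/familyName\=sn"]
user.pathPrefix="/ldap_seven_seas"
user.membershipExpTime="1h"
# 1 = only the user's direct groups; 0 disables membership lookup entirely.
user.membershipNestingDepth=L"1"
group.expirationTime="1d"
group.autoMembership=[]
group.propertyMapping=[]
group.pathPrefix="/ldap_seven_seas"

# --- /apps/system/config/org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory-ldap.config
jaas.ranking=I"50"
jaas.controlFlag="SUFFICIENT"
jaas.realmName=""
# These two names must match provider.name and handler.name above.
idp.name="ldap"
sync.handlerName="default"
```

Once the files are installed (for example in a content package), the same three entries appear in configMgr and under /apps/system/config/ in CRXDE, exactly as they do after saving them by hand in the web console.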

Check the JAAS console to verify that the new external login module shows up: http://localhost:4502/system/console/jaas.

2.4) Using the JMX console to sync more users

Oak ships a JMX MBean that lets you control the sync handler.

Go to http://localhost:4502/system/console/jmx, search for "External Identity" and click on it.

Once it is open, click "syncAllExternalUsers()" and then click Invoke.

Finally, if we go to http://localhost:4502/useradmin and search for "seven", we can see all the users and groups that were created.

You can also update the user permissions here:

Then we can test it by logging out of the AEM instance and logging in with one of the newly created users.


2.5) CRX results

If we go to http://localhost:4502/crx/de/index.jsp we can see some changes.

New configuration nodes under "/apps/system/config/":

New Groups Nodes under “/home/groups/ldap_seven_seas”:

New Users Nodes under “/home/users/ldap_seven_seas”:

Now that all the user and group information from the LDAP server is in our AEM instance, we can adjust the permissions of these users in AEM if we wish, and log in to the system with them.

One last tip: if you are developing and update data in the LDAP server but do not see it reflected in AEM, delete the user/group nodes created under /home/users/... or /home/groups/... in the AEM instance and run "syncAllExternalUsers()" again from the JMX console.

I hope this post helps give a better picture of this type of integration. Please feel free to leave a comment below.

by Federico Rodriguez
