How to synchronize LDAP users and groups in AEM

In this post we are going to synchronize user and group account information by configuring AEM 6.1 to use a third-party LDAP service. After the synchronization, the account details are stored in the repository. Group information either comes from the LDAP service or is added through the AEM configuration, so that the required permissions and privileges can be assigned.

This integration has two big parts.


1) LDAP server side

The first part is setting up the LDAP server with users and groups. I recommend Apache Directory Service (http://directory.apache.org): download and install the latest Apache DS version, which lets you create users and groups quickly, for example by importing a “.ldif” file with the user and group information. Here is an example: (http://directory.apache.org/apacheds/basic-ug/resources/apache-ds-tutorial.ldif).

The image below shows an example of the LDAP server side in Apache DS.


2) AEM Configuration

Now it is time to focus on AEM. Here we have to set up three main configurations and use a built-in AEM tool.

2.1) Configure LDAP identity provider  

Configure the LDAP IDP. This is the piece that connects to the LDAP server.

Go to: http://localhost:4502/system/console/configMgr and search for “LDAP identity provider”, click on the plus + button.


Enter the following information and save (hostname, port, bind DN and bind password below are the Apache DS defaults):

LDAP Provider Name: ldap (name of the LDAP provider configuration)
LDAP Server Hostname: localhost (hostname of the LDAP server)
LDAP Server Port: 10389 (port of the LDAP server)
Use SSL: false
Use TLS: false
Disable certificate checking: false (keeps certificate validation enabled)
Bind DN: uid=admin,ou=system (DN of the user used for authentication)
Bind Password: secret (password of the user used for authentication)
Search Timeout: 60s (search timeout)
Admin pool max active: 8 (max active size of the admin connection pool)
User pool max active: 8 (max active size of the user connection pool)
User base DN: ou=people,o=SevenSeas (base DN for users)
User object classes: person (user object class)
User id attribute: uid (user id attribute)
User extra filter: (empty; extra LDAP filter to use when searching for users)
User DN paths: false
Group base DN: ou=groups,o=SevenSeas (base DN for groups)
Group object classes: groupOfUniqueNames (object classes of groups)
Group name attribute: cn (attribute that holds the group name)
Group extra filter: (empty)
Group DN paths: false
Group member attribute: uniquemember (group attribute that contains the members of a group)

2.2) Configure Default Sync Handler   

The sync handler is responsible for synchronizing the external users with the local repository.

Go to: http://localhost:4502/system/console/configMgr and search for “Default Sync Handler”, click on the plus + button.


Enter the following information and save:

Sync Handler Name: default (name of the sync configuration; the Login Module references it)
User Expiration Time: 1h (duration until a synced user expires)
User auto membership: contributor (list of existing AEM groups the user is added to automatically)
User property mapping: (empty; list of mappings of local properties from external ones, e.g. ‘profile/email=mail’. Use double quotes for fixed values, e.g. ‘profile/nt:primaryType="nt:unstructured"’ (user.propertyMapping))
User Path Prefix: /ldap_seven_seas (path prefix used when creating new users)
User Membership Expiration: 1h
User membership nesting depth: 1 (maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect when syncing individual groups, only when syncing a user's membership ancestry.)
Group Expiration Time: 1d (duration until a synced group expires)
Group auto membership: (empty)
Group property mapping: (empty)
Group Path Prefix: /ldap_seven_seas (path prefix used when creating new groups)
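As an added example (not from the post), here is a small Python model of what the sync handler produces from the settings above, applied to a constructed LDIF fragment in the SevenSeas layout: a person under ou=people, groupOfUniqueNames groups under ou=groups linked by uniquemember, the /ldap_seven_seas path prefix, the contributor auto membership, and the membership nesting depth that decides how many levels of nested groups a user inherits. The parser and sync_users function are my own illustration, not Oak's code, and the user path only mirrors the /home/users/ldap_seven_seas layout shown later in the post.

```python
# Added example (not from the original post): models what the Default Sync Handler
# makes of the settings above, including the membership nesting depth. Constructed LDIF:
SAMPLE_LDIF = """\
dn: uid=hnelson,ou=people,o=SevenSeas
objectClass: person
uid: hnelson

dn: cn=HMS Lydia,ou=groups,o=SevenSeas
objectClass: groupOfUniqueNames
cn: HMS Lydia
uniqueMember: uid=hnelson,ou=people,o=SevenSeas

dn: cn=Royal Navy,ou=groups,o=SevenSeas
objectClass: groupOfUniqueNames
cn: Royal Navy
uniqueMember: cn=HMS Lydia,ou=groups,o=SevenSeas
"""

def parse_ldif(text):  # -> {dn: {attribute (lower-cased): [values]}}
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            cur = None  # a blank line ends the current entry
            continue
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            cur = entries.setdefault(value, {})
        elif cur is not None:
            cur.setdefault(attr.lower(), []).append(value)
    return entries

def sync_users(entries, nesting_depth=1, path_prefix="/ldap_seven_seas",
               auto_membership=("contributor",)):
    # Group object class, member attribute and name attribute as configured above.
    groups = {dn: e for dn, e in entries.items()
              if "groupOfUniqueNames" in e.get("objectclass", [])}
    parents = {}  # member DN -> group DNs whose uniquemember lists it
    for gdn, g in groups.items():
        for member in g.get("uniquemember", []):
            parents.setdefault(member, set()).add(gdn)
    synced = {}
    for dn, e in entries.items():
        if "person" in e.get("objectclass", []):  # the configured user object class
            frontier, member_of = {dn}, set()
            for _ in range(nesting_depth):  # 0 disables group lookup; 1 = direct groups
                frontier = {p for m in frontier for p in parents.get(m, ())} - member_of
                member_of |= frontier
            names = sorted(groups[g]["cn"][0] for g in member_of) + list(auto_membership)
            synced[e["uid"][0]] = {"path": f"/home/users{path_prefix}/{e['uid'][0]}",
                                   "groups": names}
    return synced
```

With depth 1 the user only gets HMS Lydia plus the automatic contributor group; raising the depth to 2 also pulls in Royal Navy, which contains HMS Lydia.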

2.3) Configure Login Module  

The external login module is the bridge between the login, the IDP, and the Sync Handler.

Go to: http://localhost:4502/system/console/configMgr and search for “External Login Module”, click on the plus + button.


Enter the following information and save:

JAAS Ranking: 50
JAAS Realm: (empty)
Identity Provider Name: ldap (name of the identity provider configured in 2.1)
Sync Handler Name: default (name of the sync handler configured in 2.2)


Check the JAAS console to verify that the new external login module shows up: http://localhost:4502/system/console/jaas .


2.4) Using the JMX console to sync all users

Oak ships with a JMX MBean that lets you control the sync handler.

Go to: http://localhost:4502/system/console/jmx and search for “External Identity”. Click on it.


Once it is open, click on “syncAllExternalUsers()” and then click Invoke.


Finally, if we go to http://localhost:4502/useradmin and search for “seven”, we can see all the users and groups that were created.

You can also update the user permissions here:

Then we can test it by logging out of the AEM instance and logging in with one of the newly created users.


2.5) CRX results

If we go to: http://localhost:4502/crx/de/index.jsp we can see some changes.

New configuration nodes under “apps/system/config/”:


New Groups Nodes under “/home/groups/ldap_seven_seas”:


New Users Nodes under “/home/users/ldap_seven_seas”:



Now that all the user and group information from the LDAP server is in our AEM instance, we can adjust permissions for these users in AEM if we wish, and we can log in to the system with them.

One last tip: if you are developing and update data on the LDAP server but don't see it reflected in AEM, delete the user/group nodes created under /home/users/… or /home/groups/.. in the AEM instance and invoke “syncAllExternalUsers()” again from the JMX console.

I hope this post helps to give a better picture of this type of integration; please feel free to leave a comment below.


by Federico Rodriguez

9 replies
  1. Luis Rodriguez says:

    Hello Federico. Thank you for your post. We are currently using AEM to support our websites. There are 40,000+ users that get in sync with our publish servers. As part of regular business, some of these user accounts will get removed or inactivated on the LDAP server. However, these are not getting deleted on AEM after that happens. Do you know of any configurations or solutions for this scenario?

  2. Mike says:

    Good article. Mind if I ask a few questions?
    Have you done this at a large scale? We have an LDAP instance that has over 500k users (internal employees and agencies plus customers) and around 50k groups.
    If you remove a user from a group, does it remove them from your AEM instance? We noticed it did not in our environment.
    We noticed due to our size that every sync increased the TarMK repo pretty significantly as it updates the timestamp each sync. That update times 150k active users in our publish grows our repo quite a lot forcing offline compactions.
    Have you done this for only Author or do you do this for publish as well?

    One note on your permissions section, I would recommend doing permissions at the group level instead of the user level. For larger environments, user level perms can get unmanageable and impact performance.


Trackbacks & Pingbacks

  1. […] Most large enterprise organizations have their own user management system for their employees. So it is no surprise when they purchase AEM that they likely don’t want to manually put everyone into AEM’s user system. Now some projects I have been part of actually did this, but we are talking about a user count of about 15-20 authors, editors, or moderators. So the question is what do you do about getting the users into AEM and supplying them with the proper permissions to accomplish their content authoring needs? Synchronize the account data and map them to an appropriate group with the correct permissions. Federico Rodriguez, from Conexio Group, talks about how to do just that in his blog post “How to synchronize LDAP users and groups in AEM”. […]
