In this post we synchronize user and group account information by configuring AEM 6.1 to use a third-party LDAP service. After the synchronization, the account details are stored in the repository. Group membership comes either from the LDAP service or from the AEM configuration (auto membership), and is used to allocate the required permissions and privileges.
The integration has two main parts.
1) LDAP server side
The first part is setting up the LDAP server with users and groups. I recommend Apache Directory Service (http://directory.apache.org): download and install the latest Apache DS version, which lets you create users and groups quickly, for example by importing a “.ldif” file with the user and group information. Here is an example: (http://directory.apache.org/apacheds/basic-ug/resources/apache-ds-tutorial.ldif).
The image below shows an example LDAP server side with Apache DS.
2) AEM Configuration
Now it is time to focus on AEM. Here we have to set up three main configurations and then use a built-in AEM tool.
2.1) Configure LDAP identity provider
Configure the LDAP IDP. This is the component that connects to the LDAP server.
Go to http://localhost:4502/system/console/configMgr, search for “LDAP identity provider” and click on the plus (+) button.
Enter the following information and save:
NAME | VALUE | DESCRIPTION
--- | --- | ---
LDAP Provider Name | ldap | Name of the LDAP provider configuration.
LDAP Server Hostname | localhost | Hostname of the LDAP server.
LDAP Server Port | 10389 | Port of the LDAP server.
Use SSL | FALSE | SSL
Use TLS | FALSE | TLS
Disable certificate checking | FALSE | Certificate validation.
Bind DN | uid=admin,ou=system | DN of the user used for authentication.
Bind Password | secret | Password of the user used for authentication (secret).
Search Timeout | 60s | Search timeout.
Admin pool max active | 8 | Max active size of the admin connection pool.
User pool max active | 8 | Max active size of the user connection pool.
User base DN | ou=people,o=SevenSeas | The base DN for users.
User object classes | person | User object class.
User id attribute | uid | User id attribute.
User extra filter | | Extra LDAP filter to use when searching for users.
User DN paths | FALSE |
Group base DN | ou=groups,o=SevenSeas | Base DN for groups.
Group object classes | groupOfUniqueNames | Object classes of groups.
Group name attribute | cn | Attribute name of the group name.
Group extra filter | |
Group DN paths | FALSE |
Group member attribute | uniquemember | Group attribute that contains the members of a group.
2.2) Configure Default Sync Handler
The sync handler is responsible for synchronizing the external users with the local repository.
Go to http://localhost:4502/system/console/configMgr, search for “Default Sync Handler” and click on the plus (+) button.
Enter the following information and save:
NAME | VALUE | DESCRIPTION
--- | --- | ---
Sync Handler Name | default | Name of the sync configuration; referenced by the login module.
User Expiration Time | 1h | Duration until a synced user expires.
User auto membership | contributor | List of existing AEM groups the user is added to automatically.
User property mapping | “rep:fullname\=cn”, “profile/nt:primaryType\=\”nt:unstructured\””, “profile/givenName\=givenname”, “profile/familyName\=sn” | List of mapping definitions of local properties from external ones, e.g. ‘profile/email=mail’. Use double quotes for fixed values, e.g. ‘profile/nt:primaryType=”nt:unstructured”’ (user.propertyMapping).
User Path Prefix | /ldap_seven_seas | The path prefix used when creating new users.
User Membership Expiration | 1h |
User membership nesting depth | 1 | The maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect when syncing individual groups, only when syncing a user's membership ancestry.
Group Expiration Time | 1d | Duration until a synced group expires.
Group auto membership | |
Group property mapping | |
Group Path Prefix | /ldap_seven_seas | The path prefix used when creating new groups.
2.3) Configure Login Module
The external login module is the bridge between the login, the IDP, and the Sync Handler.
Go to http://localhost:4502/system/console/configMgr, search for “External Login Module” and click on the plus (+) button.
Enter the following information and save:
NAME | VALUE | DESCRIPTION
--- | --- | ---
JAAS Ranking | 50 |
JAAS Control Flag | SUFFICIENT |
JAAS Realm | |
Identity Provider Name | ldap | Name of the identity provider.
Sync Handler Name | default | Name of the sync handler.
Check the JAAS console to verify that the new external login module shows up: http://localhost:4502/system/console/jaas.
2.4) Using the JMX console to sync more users
Oak comes with a default JMX MBean that allows you to control the sync handler.
Go to http://localhost:4502/system/console/jmx, search for “External Identity” and click on it.
Once it is open, click on “syncAllExternalUsers()” and then click Invoke.
Now, if we go to http://localhost:4502/useradmin and search for “seven”, we can see all the users and groups that were created.
You can also update the user permissions here:
Then we can test it by logging out of the AEM instance and logging in with one of the recently created users.
2.5) CRX results
If we go to http://localhost:4502/crx/de/index.jsp we can see some changes.
New configuration nodes under “apps/system/config/”:
New Groups Nodes under “/home/groups/ldap_seven_seas”:
New Users Nodes under “/home/users/ldap_seven_seas”:
Now that we have all the user and group information from the LDAP server in our AEM instance, we can adjust the permissions of these users in AEM if we wish, and we can log in to the system with them.
One last tip: if you are developing and update data in the LDAP server but don't see it reflected in AEM, try deleting the created user/group nodes from the AEM instance under /home/users/… or /home/groups/…, then run the “syncAllExternalUsers()” JMX operation again.