April 25, 2020

How to Synchronize LDAP Users and Groups In AEM


In this post we synchronize user and group account information into AEM by configuring AEM 6.1 to use a third-party LDAP service. After the synchronization, the account details are stored in the repository, and the group information, whether it comes from the LDAP service or is added through the AEM configuration, is used to assign the required permissions and privileges.

The integration has two big parts.

1) LDAP server side
The first part is setting up the LDAP server side with users and groups. I recommend Apache Directory Service (http://directory.apache.org): download and install the latest Apache DS version, which lets you create users and groups quickly, for example by importing a ".ldif" file with the user and group information. Here is an example: (http://directory.apache.org/apacheds/basic-ug/resources/apache-ds-tutorial.ldif).

The image below shows an example of the LDAP server side in Apache DS.

2) AEM Configuration
Now it is time to focus on AEM. Here we have to set up three main configurations and then use an integrated AEM tool (the JMX console) to run the synchronization.

2.1) Configure LDAP identity provider
Configure the LDAP IDP; this is the piece that connects to the LDAP server.

Go to http://localhost:4502/system/console/configMgr, search for "LDAP identity provider" and click the + button.

Enter the following information and save:

Name                         | Value                  | Description
LDAP Provider Name           | ldap                   | Name of the LDAP provider configuration.
LDAP Server Hostname         | localhost              | Hostname of the LDAP server.
LDAP Server Port             | 10389                  | Port of the LDAP server.
Use SSL                      | FALSE                  | Connect using SSL (LDAPS).
Use TLS                      | FALSE                  | Use StartTLS on the connection.
Disable certificate checking | FALSE                  | Whether validation of the server certificate is skipped.
Bind DN                      | uid=admin,ou=system    | DN of the user used for the bind (authentication).
Bind Password                | secret                 | Password of the bind user (secret).
Search Timeout               | 60s                    | Search timeout.
Admin pool max active        | 8                      | Maximum size of the admin connection pool.
User pool max active         | 8                      | Maximum size of the user connection pool.
User base DN                 | ou=people,o=SevenSeas  | Base DN for user searches.
User object classes          | person                 | Object class of user entries.
User id attribute            | uid                    | Attribute used as the user id.
User extra filter            | (empty)                | Extra LDAP filter to use when searching for users.
User DN paths                | FALSE                  | Whether the user's DN is used to build part of its intermediate path.
Group base DN                | ou=groups,o=SevenSeas  | Base DN for group searches.
Group object classes         | groupOfUniqueNames     | Object class of group entries.
Group name attribute         | cn                     | Attribute holding the group name.
Group extra filter           | (empty)                | Extra LDAP filter to use when searching for groups.
Group DN paths               | FALSE                  | Whether the group's DN is used to build part of its intermediate path.
Group member attribute       | uniquemember           | Group attribute that contains the members of a group.

2.2) Configure Default Sync Handler
The sync handler is responsible for synchronizing the external users with the local repository.

Go to http://localhost:4502/system/console/configMgr, search for "Default Sync Handler" and click the + button.

Enter the following information and save:

Name                          | Value                                        | Description
Sync Handler Name             | default                                      | Name of the sync configuration; the login module references it.
User Expiration Time          | 1h                                           | Duration until a synced user expires.
User auto membership          | contributor                                  | Existing AEM groups every synced user is added to automatically.
User property mapping         | "rep:fullname\=cn"                           | Mapping of local properties from external attributes, eg 'profile/email=mail'. Use double quotes for fixed values, eg 'profile/nt:primaryType="nt:unstructured"' (user.propertyMapping).
                              | "profile/nt:primaryType\=\"nt:unstructured\"" |
                              | "profile/givenName\=givenname"               |
                              | "profile/familyName\=sn"                     |
User Path Prefix              | /ldap_seven_seas                             | Path prefix used when creating new users.
User Membership Expiration    | 1h                                           | Duration until a synced user's group membership expires.
User membership nesting depth | 1                                            | Maximum depth of group nesting when membership relations are synced. 0 disables group membership lookup; 1 adds only the direct groups of a user. This value has no effect when syncing individual groups, only when syncing a user's membership ancestry.
Group Expiration Time         | 1d                                           | Duration until a synced group expires.
Group auto membership         | (empty)                                      | Existing AEM groups every synced group is added to automatically.
Group property mapping        | (empty)                                      | Mapping of local group properties from external attributes, same syntax as for users.
Group Path Prefix             | /ldap_seven_seas                             | Path prefix used when creating new groups.
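To make the two tables above concrete, here is an added example (not code from the blog or from Oak) that models what the identity provider and sync handler settings do to a small directory: which entries count as users and groups, how the property mapping fills the user profile, how far group membership is followed, and when a synced identity expires. The directory entries are constructed to mirror the shape of the Apache DS tutorial data (names are invented), the property mapping is written without the backslash escapes, and the repository paths are a simplification: AEM may add further intermediate nodes below the path prefix.

```python
import re
from datetime import timedelta

# Constructed LDAP directory (DN -> attributes), shaped like the SevenSeas tutorial data
DIRECTORY = {
    "uid=hnelson,ou=people,o=SevenSeas": {
        "objectClass": ["person", "inetOrgPerson"],
        "uid": ["hnelson"], "cn": ["Horatio Nelson"], "sn": ["Nelson"], "givenname": ["Horatio"],
    },
    "uid=wbush,ou=people,o=SevenSeas": {
        "objectClass": ["person", "inetOrgPerson"],
        "uid": ["wbush"], "cn": ["William Bush"], "sn": ["Bush"], "givenname": ["William"],
    },
    "cn=monitor,ou=people,o=SevenSeas": {          # not a "person": the user search skips it
        "objectClass": ["applicationProcess"], "cn": ["monitor"],
    },
    "cn=HMS Victory,ou=groups,o=SevenSeas": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["HMS Victory"],
        "uniquemember": ["uid=hnelson,ou=people,o=SevenSeas"],
    },
    "cn=Admirals,ou=groups,o=SevenSeas": {         # nested group: its member is a group
        "objectClass": ["groupOfUniqueNames"], "cn": ["Admirals"],
        "uniquemember": ["cn=HMS Victory,ou=groups,o=SevenSeas"],
    },
}

# Values from tables 2.1 and 2.2 (property mapping given unescaped)
IDP = {
    "provider.name": "ldap",
    "user.baseDN": "ou=people,o=SevenSeas", "user.objectclass": "person", "user.idAttribute": "uid",
    "group.baseDN": "ou=groups,o=SevenSeas", "group.objectclass": "groupOfUniqueNames",
    "group.nameAttribute": "cn", "group.memberAttribute": "uniquemember",
}
SYNC = {
    "user.pathPrefix": "/ldap_seven_seas", "user.autoMembership": ["contributor"],
    "user.membershipNestingDepth": 1, "user.expirationTime": "1h",
    "user.propertyMapping": [
        "rep:fullname=cn", 'profile/nt:primaryType="nt:unstructured"',
        "profile/givenName=givenname", "profile/familyName=sn",
    ],
}


def in_subtree(dn, base):
    return dn.lower().endswith("," + base.lower())


def matches(entries, base, objectclass):
    """Entries below `base` whose objectClass includes `objectclass` (the search the IDP issues)."""
    return {dn: a for dn, a in entries.items()
            if in_subtree(dn, base) and objectclass in a.get("objectClass", [])}


def map_properties(attrs, mapping):
    """Apply 'local=external' rules: a double-quoted right-hand side is a fixed value,
    anything else names an LDAP attribute (rules for missing attributes are skipped)."""
    out = {}
    for rule in mapping:
        local, external = rule.split("=", 1)
        if external.startswith('"') and external.endswith('"'):
            out[local] = external[1:-1]
        elif external in attrs:
            out[local] = attrs[external][0]
    return out


def groups_of(dn, groups, member_attr, depth):
    """Direct groups of `dn`, then their parent groups, up to `depth` levels (0 = none)."""
    found, frontier = [], {dn.lower()}
    for _ in range(depth):
        parents = [g for g, a in groups.items()
                   if g not in found and {m.lower() for m in a.get(member_attr, [])} & frontier]
        if not parents:
            break
        found.extend(parents)
        frontier = {g.lower() for g in parents}
    return found


def sync_users(directory, idp, sync):
    """What the sync handler produces per user: path, external id, mapped properties, groups."""
    users = matches(directory, idp["user.baseDN"], idp["user.objectclass"])
    groups = matches(directory, idp["group.baseDN"], idp["group.objectclass"])
    result = {}
    for dn, attrs in users.items():
        uid = attrs[idp["user.idAttribute"]][0]
        ext = groups_of(dn, groups, idp["group.memberAttribute"], sync["user.membershipNestingDepth"])
        result[uid] = {
            "path": "/home/users" + sync["user.pathPrefix"] + "/" + uid,   # simplified
            "rep:externalId": dn + ";" + idp["provider.name"],            # Oak's "<id>;<provider>" form
            "properties": map_properties(attrs, sync["user.propertyMapping"]),
            "groups": sorted(sync["user.autoMembership"]
                             + [groups[g][idp["group.nameAttribute"]][0] for g in ext]),
        }
    return result


_UNITS = {"ms": "milliseconds", "s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def parse_duration(text):
    """Parse the '60s' / '1h' / '1d' style used by the expiration settings."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h|d)", text.strip())
    if not m:
        raise ValueError("unsupported duration: " + text)
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def needs_resync(last_synced_s, now_s, expiration):
    """A synced identity is refreshed from LDAP only once it has expired; until then
    the repository copy is used (timestamps in seconds)."""
    return now_s - last_synced_s >= parse_duration(expiration).total_seconds()


if __name__ == "__main__":
    for uid, info in sync_users(DIRECTORY, IDP, SYNC).items():
        print(uid, info)
```

With nesting depth 1, hnelson ends up in "HMS Victory" and "contributor" but not in "Admirals"; raising the depth to 2 adds the parent group, which is the behaviour the "User membership nesting depth" row describes.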

2.3) Configure Login Module
The external login module is the bridge between the login, the IDP, and the Sync Handler.

Go to http://localhost:4502/system/console/configMgr, search for "External Login Module" and click the + button.

Enter the following information and save:

Name                   | Value      | Description
JAAS Ranking           | 50         | Ranking (sort order) of this login module entry; higher values are consulted first.
JAAS Control Flag      | SUFFICIENT | JAAS control flag of the module (REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL).
JAAS Realm             | (empty)    | Realm (application name) the module is registered under; empty means the default realm.
Identity Provider Name | ldap       | Name of the identity provider (as configured in 2.1).
Sync Handler Name      | default    | Name of the sync handler (as configured in 2.2).

Check in the JAAS console that the new external login module shows up: http://localhost:4502/system/console/jaas .
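The three Web Console screens above are factory configurations, so the same setup can ship in a code package as ".config" files under an OSGi config folder. The following added example (mine, not the blog's or Oak's) renders the values from tables 2.1 to 2.3 in the Felix ".config" format; the factory PIDs and property names are Oak's, the "-ldap"/"-default" file suffixes follow the Sling naming convention for factory instances, and the typed prefixes (I"…" for integers, B"…" for booleans) match Oak's metatype for these properties. The escaping rules in the code are also what produces the backslashes in the property-mapping rows of table 2.2.

```python
# Factory PIDs of the three Oak components configured in sections 2.1 to 2.3
PID_IDP = "org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
PID_SYNC = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler"
PID_LOGIN = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.jaas.ExternalLoginModuleFactory"

IDP_PROPS = {
    "provider.name": "ldap",
    "host.name": "localhost",
    "host.port": 10389,
    "host.ssl": False,           # clear-text LDAP: the bind password crosses the wire unprotected,
    "host.tls": False,           # acceptable only for the local Apache DS used in this walkthrough
    "host.noCertCheck": False,
    "bind.dn": "uid=admin,ou=system",
    "bind.password": "secret",   # value from the table (Apache DS default admin password)
    "searchTimeout": "60s",
    "adminPool.maxActive": 8,
    "userPool.maxActive": 8,
    "user.baseDN": "ou=people,o=SevenSeas",
    "user.objectclass": ["person"],
    "user.idAttribute": "uid",
    "user.extraFilter": "",
    "user.makeDnPath": False,
    "group.baseDN": "ou=groups,o=SevenSeas",
    "group.objectclass": ["groupOfUniqueNames"],
    "group.nameAttribute": "cn",
    "group.extraFilter": "",
    "group.makeDnPath": False,
    "group.memberAttribute": "uniquemember",
}

SYNC_PROPS = {
    "handler.name": "default",
    "user.expirationTime": "1h",
    "user.autoMembership": ["contributor"],
    "user.propertyMapping": [           # written unescaped; cfg_value() adds the backslashes
        "rep:fullname=cn",
        'profile/nt:primaryType="nt:unstructured"',
        "profile/givenName=givenname",
        "profile/familyName=sn",
    ],
    "user.pathPrefix": "/ldap_seven_seas",
    "user.membershipExpTime": "1h",
    "user.membershipNestingDepth": 1,
    "group.expirationTime": "1d",
    "group.autoMembership": [],
    "group.propertyMapping": [],
    "group.pathPrefix": "/ldap_seven_seas",
}

LOGIN_PROPS = {
    "jaas.ranking": 50,
    "jaas.controlFlag": "SUFFICIENT",
    "jaas.realmName": "",
    "idp.name": "ldap",
    "sync.handlerName": "default",
}


def escape(text):
    """Escape backslash, double quote and '=' inside a quoted .config value."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace("=", "\\=")


def cfg_value(value):
    """Encode one property value; only string arrays are supported here."""
    if isinstance(value, bool):              # bool first: bool is a subclass of int
        return 'B"%s"' % str(value).lower()
    if isinstance(value, int):
        return 'I"%d"' % value
    if isinstance(value, (list, tuple)):
        if not all(isinstance(v, str) for v in value):
            raise TypeError("only string arrays are rendered by this example")
        return "[" + ",".join(cfg_value(v) for v in value) + "]"
    return '"%s"' % escape(str(value))


def render(props):
    """One 'key=value' line per property, in .config syntax."""
    return "".join("%s=%s\n" % (k, cfg_value(v)) for k, v in props.items())


def config_files():
    """File name -> content; the '-<name>' suffix makes each file a factory instance."""
    return {
        PID_IDP + "-ldap.config": render(IDP_PROPS),
        PID_SYNC + "-default.config": render(SYNC_PROPS),
        PID_LOGIN + "-ldap.config": render(LOGIN_PROPS),
    }


if __name__ == "__main__":
    for name, body in config_files().items():
        print("# " + name)
        print(body)
```

After saving the three configurations in the Web Console, AEM writes equivalent nodes under /apps/system/config (section 2.5 shows them); comparing those nodes with the rendered files is the quickest way to confirm the property names and types for your AEM version.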



2.4) Using the JMX console to sync all users
Oak ships a JMX MBean that lets you control the sync handler.

Go to http://localhost:4502/system/console/jmx, search for "External Identity" and click on it.

Once it is open, click "syncAllExternalUsers()" and then click "Invoke".

Then, if we go to http://localhost:4502/useradmin and search for "seven", we can see all the users and groups that were created.



You can also update the user permissions here:



We can test it by logging out of the AEM instance and logging in with one of the newly created users.



2.5) CRX results
If we go to http://localhost:4502/crx/de/index.jsp we can see some changes.

New configuration nodes under "/apps/system/config/":

New Groups Nodes under “/home/groups/ldap_seven_seas”:

New Users Nodes under “/home/users/ldap_seven_seas”:

Now that all the user and group information from the LDAP server is in our AEM instance, we can adjust permissions for these users in AEM if we wish, and log in to the system with them.

A last tip to conclude: if you are developing and update data on the LDAP server but don't see it reflected in AEM, remember that AEM keeps serving the synced copy until the expiration time set in the sync handler has passed. Delete the synced user/group nodes under /home/users/… or /home/groups/… in the AEM instance and run "syncAllExternalUsers()" from the JMX console again.


By aem4beginner
