May 10, 2020
Estimated Post Reading Time ~

Adobe AEM - Ldap configuration

This was for CQ5 but should hold water for later versions.
working ldap sample; for Apache DS
com.day.crx {
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
              principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
              host="localhost"
              port="10389"
              secure="false"
              authDn="uid=admin,ou=system"
                     authPw="secret"
                  userRoot="o=users,dc=example,dc=com"
                  userRdnAttribute="cn"
                      userIdAttribute="cn"
              groupRoot="o=groups,dc=example,dc=com"
              groupMembershipAttribute="uniqueMember"
              autocreate="create"
              autocreate.user.mail="profile/email"
              autocreate.user.cn="profile/givenName"
              autocreate.user.sn="profile/familyName"
              autocreate.user.membership="contributor"
              autocreate.group.description="profile/aboutMe"
              autocreate.group.mail="profile/email"
              autocreate.group.cn="profile/givenName"
              autocreate.path="direct"
              cache.expiration="600"
              cache.maxsize="100";
};
/**
 * Sample configuration for this login-module:
 *
 * Module-Settings:
 * ----------------
 * principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
 *                           // fully qualified class name of the provider to
 *                           // to be used by this Module
 *
 * syncCallbackClass="<fully qualified class name>"
 *                           // fully qualified name of a class that implements
 *                           // com.day.crx.security.ldap.sync.Callback
 *                           // the methods of the implementing class are called
 *                           // whenever a user or a group is synchronized with
 *                           // CRX.
 *
 * Connection-Settings:
 * --------------------
 * host="ldap.sample.net"    // hostname or IP of the LDAP-Host to connect
 *
 * port="389"                // optional port the LDAP-host listens to
 *                           // defaults to 389
 * secure="false"            // whether ldaps should be used. Defaults to false.
 *
 * authDn="cn=Directory Manager"    // optional DN auf the user, this LoginModule
 *                                  // should bind as. If omitted -> anynoumus
 *
 * authPw="secret"           // passwort to authenticate the bind-user
 *
 * searchTimeout             // Timeout in milliseconds. If the time limit is
 *                           // exceeded, an exception is thrown.
 *                           // defaults to 60000
 *
 * Authentication-Settings:
 * ------------------------
 * For Authentication the module tries to bind the user with the credentials
 * provided. If this is successfull, the users entry and its group-membership
 * is resolved according the following settings:
 *
 * userRoot="O=Company"      // DN all users are searched below
 *                           // defaults to "" but this may not be sup-
 *                           // ported by all servers
 *
 * userFilter="(objectclass=person)"   // LDAP serach-filter to match the entries
 *                                     // below userRoot: defaults to (objectclass=person)
 *
 * userIdAttribute="uid"     // name of the ldap-attribute, that contains
 *                           // the User-ID aka its login-name.
 *                           // defaults to "uid"
 *
 * groupRoot="OU=Groups,O=Company"  // DN all groups are searched below
 *                                  // defaults to "" but this may not be sup-
 *                                  // ported by all servers
 *
 * groupFilter="(objectclass=groupOfUniqueNames)"
 *                           // LDAP serach-filter to match the entries
 *                           // below groupRoot:
 *                           // defaults to (objectclass=groupOfUniqueNames)
 *
 * groupMembershipAttribute="uniquemember"
 *                          // LDAP attribute, which is searched, to build
 *                          // the group-membership relation
 *
 * groupNameAttribute="cn"  // Nameing attribute of the group. Used for
 *                          // display in GUI, defaults to "cn"
 *
 * Auto-Creation:
 * --------------
 * The configuration given above would be sufficient to authenticate and
 * authorize a user stored inside a LDAP server.
 * In some cases, it may be desired to have access to user and group-data from
 * within your repository. E.g as your application wants to notify users via
 * e-mail.
 * In this case, you can configure this LoginModule to create the user within the
 * repository and if needed to keep its data up-to date.
 *
 * autocreate= "create"    // [create|createUser]
 *                         // setting one of this options starts import
 *                         // and synchronization of User and optional Groups.
 *                         // if option createUser is set, only Users are
 *                         // imported
 *
 * autocreate.syncdelay="0"
 *                         // time in seconds the LoginModule checks again
 *                         // if the related LDAP-Entry has changed.
 *                         // this configuration entry is not supported
 *                         // anymore. Use cache.expiration instead.
 *
 * autocreate.path="direct"
 *                        // Rule how, the dn should be converted into a
 *                        // Path, when creating a new node
 *                        // there are two options "direct" and "splitdn"
 *                        // direct: a node with the name of the LDAPEntry's
 *                        // naming attribute is created
 *                        // splitdn: each dn-part is translated into a
 *                        // path-element.
 *                        // defaults to "direct"
 *
 * autocreate.user.membership="<groupIds>"
 *                        // automatically assigns a user to a number of CRX
 *                        // groups when the user is first created or whenever
 *                        // it is synchronized. <groupIds> is a comma separated
 *                        // list of groupIds.
 *
 * autocreate.user.<attributename>="<propertyname>"
 *                        // creates and sets the LDAP-Entries attribute
 *                        // named <attributename> as value of the property
 *                        // named <propertyname>
 *                        // NOTE: fails if the user-nodetype doesn't allow
 *                        // to set a property of the given name
 *
 * autocreate.group.<attributename>="<propertyname>"
 *                        // same as for users but applied to groups
 *
 * Caching
 * --------
 * The LDAPLoginModule caches information at several stages. First a cache
 * is maintained with credentials that were used with successful logins.
 * On subsequent logins the LDAPLoginModule will consult this cache and
 * compare the provided credentials with the ones in the cache. If it finds
 * the provided credentials in the cache it will authenticate the user
 * without acutally connecting to the LDAP server. The number of credentials
 * held in this cache can be configured with "cache.maxsize". Credentials
 * in the cache will expire after a configurable time, which can be set
 * with the parameter "cache.expiration".
 * If the LDAPLoginModule is configured to synchronize users and groups into
 * CRX, then the synchronized user and group information is also goverened
 * by the "cache.expiration" setting. That is, the login module will only
 * synchronize at an interval as defined by that setting.
 *
 * cache.maxsize="1000"   // size of the credentials cache
 *                        // defaults to 1000
 *
 * cache.expiration="600" // amount of time in sec. a Principal is cached
 *                        // defaults to 600
 */


By aem4beginner

No comments:

Post a Comment

If you have any doubts or questions, please let us know.