HOW TO SYNCHRONIZE AEM WITH LDAP USERS AND GROUPS

           


* LDAP (the Lightweight Directory Access Protocol) is used for accessing centralized directory services. This reduces the effort required to manage user accounts, since one account can be used by multiple applications. Microsoft Active Directory is one widely deployed directory that speaks LDAP. LDAP is often used as the basis for Single Sign On, which allows a user to access multiple applications after logging in once.

* User accounts can be synchronized between the LDAP server and the repository, with LDAP account details being saved in the repository. This allows the accounts to be assigned to repository groups for allocating the required permissions and privileges.

* The repository uses LDAP authentication to authenticate such users, with credentials being passed to the LDAP server for validation, which is required before allowing access to the repository. To improve performance, successfully validated credentials can be cached by the repository, with an expiry timeout to ensure that revalidation does occur after an appropriate period.

* When an account is removed from the LDAP server, validation is no longer granted and so access to the repository is denied. Details of LDAP accounts that are saved in the repository can also be purged.
Use of such accounts is transparent to your users: they see no difference between user and group accounts created from LDAP and those created solely in the repository.

* In AEM 6, LDAP support comes with a new implementation (the Oak external login module) that requires a different type of configuration than previous versions.


LDAP server side 

The first step is setting up the LDAP server side with its users and groups. For a local test I recommend Apache Directory Server (ApacheDS, http://directory.apache.org): download and install the latest version, which lets you create users and groups quickly, for example by importing a ".ldif" file containing the user and group entries. The ApacheDS tutorial file is one such example: http://directory.apache.org/apacheds/basic-ug/resources/apache-ds-tutorial.ldif.
The image below shows an example of the LDAP server side in Apache DS.
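The following is an added example, not the ApacheDS tutorial file and not code from the original post. It writes a small LDIF file in the same shape the tutorial uses (an organisation, ou=people and ou=groups containers, inetOrgPerson users and a groupOfUniqueNames group) and reads it back to check that it round-trips before you import it. The organisation "sevenSeas", the user names and the group are constructed sample data; the base64 ("::") handling matters because a plain "cn: Jürgen" line is not valid LDIF and a directory server will reject the import.

```python
import base64

# Constructed sample directory for this example, not the ApacheDS tutorial file.
BASE_DN = "o=sevenSeas"


def needs_base64(value: str) -> bool:
    """Decide whether an LDIF value must use the base64 ('::') form.
    Stricter than the RFC 2849 minimum (it also encodes TAB and DEL), which
    still yields LDIF every reader accepts."""
    if value == "":
        return False
    if any(ord(c) < 32 or ord(c) > 126 for c in value):
        return True
    return value[0] in " :<" or value[-1] == " "


def ldif_line(attr: str, value: str) -> str:
    """One 'attr: value' line, base64-encoding the value when required."""
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def ldif_entry(dn: str, attrs) -> str:
    """One LDIF record; attrs is a list of (attribute, value) pairs so that
    multi-valued attributes such as objectClass keep their order."""
    lines = [ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


def person(uid: str, cn: str, sn: str, password: str) -> str:
    """inetOrgPerson entry under ou=people; uid is the login name that the
    Oak LDAP identity provider matches when user.idAttribute is 'uid'."""
    return ldif_entry(f"uid={uid},ou=people,{BASE_DN}", [
        ("objectClass", "top"), ("objectClass", "person"),
        ("objectClass", "organizationalPerson"), ("objectClass", "inetOrgPerson"),
        ("uid", uid), ("cn", cn), ("sn", sn), ("userPassword", password),
    ])


def group(cn: str, member_dns) -> str:
    """groupOfUniqueNames entry under ou=groups; members are listed by DN in
    uniqueMember, the attribute Oak reads by default (group.memberAttribute)."""
    return ldif_entry(f"cn={cn},ou=groups,{BASE_DN}", [
        ("objectClass", "top"), ("objectClass", "groupOfUniqueNames"), ("cn", cn),
    ] + [("uniqueMember", dn) for dn in member_dns])


def build_sample_ldif() -> str:
    """Constructed sample: the organisation, two containers, two users, one group."""
    nelson = f"uid=hnelson,ou=people,{BASE_DN}"
    mueller = f"uid=jmueller,ou=people,{BASE_DN}"
    records = [
        ldif_entry(BASE_DN, [("objectClass", "top"), ("objectClass", "organization"),
                             ("o", "sevenSeas")]),
        ldif_entry(f"ou=people,{BASE_DN}", [("objectClass", "top"),
                                            ("objectClass", "organizationalUnit"), ("ou", "people")]),
        ldif_entry(f"ou=groups,{BASE_DN}", [("objectClass", "top"),
                                            ("objectClass", "organizationalUnit"), ("ou", "groups")]),
        person("hnelson", "Horatio Nelson", "Nelson", "pass"),
        # Non-ASCII names exercise the base64 path.
        person("jmueller", "Jürgen Müller", "Müller", "pass"),
        group("HMS Victory", [nelson, mueller]),
    ]
    return "\n".join(records)


def parse_ldif(text: str) -> dict:
    """Read LDIF back into {dn: {attribute: [values]}}: unfolds continuation
    lines (leading space), skips comments and decodes '::' base64 values."""
    entries = {}
    for block in text.strip().split("\n\n"):
        unfolded = []
        for line in block.splitlines():
            if line.startswith(" ") and unfolded:
                unfolded[-1] += line[1:]
            elif line and not line.startswith("#"):
                unfolded.append(line)
        dn, attrs = None, {}
        for line in unfolded:
            sep = line.index(":")
            name = line[:sep]
            if line.startswith("::", sep):
                value = base64.b64decode(line[sep + 2:].strip()).decode("utf-8")
            else:
                value = line[sep + 1:].strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries[dn] = attrs
    return entries


if __name__ == "__main__":
    print(build_sample_ldif())
```

Write the output of build_sample_ldif() to a file and import it into ApacheDS as you would the tutorial file. Keeping uid as the login attribute and uniqueMember as the membership attribute means the identity provider configured in the next section works with its default object classes.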
AEM Configuration

Now it is time to focus on AEM. Here we set up three OSGi configurations and then use a built-in JMX operation to run the synchronization.

2.1) Configure LDAP identity provider  

Configure the LDAP IDP. This is the component that connects to the LDAP server, so it holds the host, port and TLS settings, the bind DN and password, and the base DNs and object classes used to look up users and groups. Use a dedicated read-only bind account rather than the directory administrator, and enable SSL or StartTLS so that passwords do not cross the network in clear.
Go to: http://localhost:4502/system/console/configMgr and search for “LDAP identity provider”, then click on the plus + button.


2.2) Configure Default Sync Handler   

The sync handler is responsible for synchronizing the external users and groups with the local repository: it decides under which path the synced nodes are created, which LDAP attributes are copied, and how long a synced entry is trusted before it is read again from LDAP (its expiration time). The handler name you enter here is referenced by the login module.
Go to: http://localhost:4502/system/console/configMgr and search for “Default Sync Handler”, then click on the plus + button.

Enter the following information and save:


2.3) Configure Login Module  

The external login module is the bridge between the login, the IDP, and the Sync Handler: it passes the credentials to the IDP named in its configuration and, on success, hands the user to the named sync handler. The IDP name and sync handler name entered here must match the names given in the two previous configurations.
Go to: http://localhost:4502/system/console/configMgr and search for “External Login Module”, then click on the plus + button.



Verify in the JAAS console that the new external login module shows up: http://localhost:4502/system/console/jaas
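The three configurations from 2.1 to 2.3 as one worked example. This is added code, not from the original post and not part of Oak or AEM: it renders the configurations in the Apache Felix ".config" syntax (the same properties you would type into the console, in the form that ends up under /apps/system/config) and runs the checks a reviewer would apply before deploying them. The PIDs and property keys are Oak's; the host name "ldap.example.com", the bind credentials, the sevenSeas base DNs, the "contributor" auto-membership and the name "ldap_seven_seas" are assumed placeholders. Port 10389 and "uid=admin,ou=system" are the ApacheDS defaults. The audit() checks are mine; they are not something Oak performs.

```python
# Added example: Oak OSGi configurations in Felix .config syntax plus review checks.
# The PIDs and property keys are Oak's; the values marked "assumed" are placeholders.

LDAP_IDP_PID = "org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
SYNC_HANDLER_PID = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler"
LOGIN_MODULE_PID = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"

NAME = "ldap_seven_seas"  # assumed; one name ties IDP, sync handler and login module together

LDAP_IDP = {
    "provider.name": NAME,
    "host.name": "ldap.example.com",    # assumed host
    "host.port": 10389,                 # ApacheDS default LDAP port
    "host.ssl": False,                  # weak setting, flagged by audit()
    "host.tls": False,
    "host.noCertCheck": False,
    "bind.dn": "uid=admin,ou=system",   # ApacheDS default admin; use a read-only account in production
    "bind.password": "secret",          # assumed; keep real secrets out of source control
    "user.baseDN": "ou=people,o=sevenSeas",
    "user.objectclass": ["inetOrgPerson"],
    "user.idAttribute": "uid",
    "group.baseDN": "ou=groups,o=sevenSeas",
    "group.objectclass": ["groupOfUniqueNames"],
    "group.nameAttribute": "cn",
    "group.memberAttribute": "uniqueMember",
}

SYNC_HANDLER = {
    "handler.name": NAME,
    "user.pathPrefix": NAME,                 # users land under /home/users/ldap_seven_seas
    "user.expirationTime": "1h",             # re-read the LDAP entry at most once per hour
    "user.membershipExpTime": "1h",
    "user.membershipNestingDepth": 1,
    "user.propertyMapping": ["rep:fullname=cn", "profile/email=mail"],
    "user.autoMembership": ["contributor"],  # assumed AEM group every synced user joins
    "group.pathPrefix": NAME,
    "group.expirationTime": "1d",
}

LOGIN_MODULE = {
    "jaas.controlFlag": "SUFFICIENT",
    "jaas.ranking": 50,
    "jaas.realmName": "jackrabbit.oak",
    "idp.name": NAME,
    "sync.handlerName": NAME,
}


def felix_value(value) -> str:
    """Encode a value in Felix config syntax: B"true", I"42", "text" or [..]."""
    if isinstance(value, bool):
        return f'B"{str(value).lower()}"'
    if isinstance(value, int):
        return f'I"{value}"'
    if isinstance(value, (list, tuple)):
        return "[" + ",".join(felix_value(v) for v in value) + "]"
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def render_config(props: dict) -> str:
    """Body of one .config file; keys sorted so diffs between environments stay stable."""
    return "".join(f"{key}={felix_value(props[key])}\n" for key in sorted(props))


def config_filename(factory_pid: str, name: str) -> str:
    """Factory configurations are stored as <factoryPid>-<name>.config."""
    return f"{factory_pid}-{name}.config"


def audit(idp: dict, sync: dict, login: dict) -> list:
    """Review checks added for this example (not performed by Oak)."""
    findings = []
    if not idp.get("host.ssl") and not idp.get("host.tls"):
        findings.append("host.ssl and host.tls are both false: bind and user passwords cross the network in clear")
    if idp.get("host.noCertCheck"):
        findings.append("host.noCertCheck is true: the LDAP server certificate is not validated")
    if not idp.get("bind.password"):
        findings.append("bind.password is empty: AEM would bind anonymously")
    if login.get("idp.name") != idp.get("provider.name"):
        findings.append("idp.name does not match provider.name: the login module cannot find the IDP")
    if login.get("sync.handlerName") != sync.get("handler.name"):
        findings.append("sync.handlerName does not match handler.name: external logins fail")
    if login.get("jaas.controlFlag") != "SUFFICIENT":
        findings.append("jaas.controlFlag is not SUFFICIENT: every login, including the local admin, would depend on LDAP")
    if "administrators" in sync.get("user.autoMembership", []):
        findings.append("user.autoMembership contains administrators: every synced LDAP user becomes an admin")
    return findings


def hardened_idp() -> dict:
    """The same IDP config over LDAPS (10636 is the ApacheDS default LDAPS port)."""
    return {**LDAP_IDP, "host.port": 10636, "host.ssl": True}


if __name__ == "__main__":
    for pid, props in ((LDAP_IDP_PID, hardened_idp()), (SYNC_HANDLER_PID, SYNC_HANDLER), (LOGIN_MODULE_PID, LOGIN_MODULE)):
        print("#", config_filename(pid, NAME))
        print(render_config(props))
    for finding in audit(LDAP_IDP, SYNC_HANDLER, LOGIN_MODULE):
        print("FINDING:", finding)
```

Run as a script it prints the three files and one finding for the plaintext LDAP_IDP; the hardened variant produces none. The name consistency checks are the ones that save the most time in practice: a typo in idp.name or sync.handlerName does not show up in the configuration console, only as failed logins.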



2.4) Using the JMX console to sync all users  

Oak comes with a default JMX MBean that allows you to control the sync handler.
Go to: http://localhost:4502/system/console/jmx, search for “External Identity” and click on it.


Once it is open, click on “syncAllExternalUsers()” and then click on Invoke. This operation synchronizes every user the identity provider returns, not only those who have already logged in, so on a large directory it can take a while and it creates a node for every account.


Finally, if we go to http://localhost:4502/useradmin and search for “seven”, we can see all the users and groups that were created.

You can also update the user permissions here:

Then we can test it by logging out of the AEM instance and logging in with one of the newly created users.


2.5) CRX results

If we go to http://localhost:4502/crx/de/index.jsp we can see some changes.
New configuration nodes under “/apps/system/config/”:


New group nodes under “/home/groups/ldap_seven_seas”:

New user nodes under “/home/users/ldap_seven_seas”:


So now that we have all the user and group information from the LDAP server in our AEM instance, we can adjust the permissions of these users in AEM if we wish to, and we can log in to the system with them.
A last tip to conclude: the sync handler only re-reads an entry from LDAP after its expiration time has passed, so if you are developing and update data in the LDAP server but do not see it reflected in AEM, delete the corresponding user or group nodes under /home/users/… or /home/groups/… and run “syncAllExternalUsers()” from the JMX console again. For accounts that no longer exist in LDAP, the same MBean offers purgeOrphanedUsers(), which removes their repository nodes without touching the rest.

Thanks For Your Time...



