You can configure Adobe Experience Manager (AEM) 6 to synchronize user account information from a third-party LDAP service. Once AEM is configured to use the LDAP service, LDAP users can authenticate when logging in to AEM. This article describes how to set up Apache Directory Server (ApacheDS, a popular open source LDAP service), create a new user, configure AEM 6 to use ApacheDS, and finally log in to AEM with the new user entered in ApacheDS.
Note: Article tested in AEM 6.2
You'll need an AEM 6 or 6.1 installation to complete this walkthrough. If you do not have an AEM installation up and running, please contact SPPHELP@adobe.com.
- Install ApacheDS
- Create a new entry and user in ApacheDS
- Configure AEM with ApacheDS
- Validate AEM-ApacheDS integration
Install Apache Directory
Download the latest ApacheDS from http://directory.apache.org. Run the installer for your operating system, follow the installation instructions on the download page, and accept the default installation settings. Download Apache Directory Studio from the same URL and install it.
Configuring Apache DS/LDAP server
- From the Servers tab, click New.
- Create a server of type ApacheDS 2.0.0, as offered in the pop-up window.
- Once created, the server appears in the Servers tab.
- Right-click the server and click Run.
- When asked to confirm the ports, click OK.
Creating Connection in LDAP
- Click File, then New, then LDAP Connection.
- Click Next and enter the following network parameters:
- Connection name: ldap
- Hostname: localhost
- Port: 10389
- Encryption Method: No encryption
- Provider: Apache Directory LDAP Client API
- Click Check Network Parameter. You should see a success message.
- Click Next and enter the authentication parameters:
- Authentication method: Simple Authentication
- Bind DN or user: uid=admin,ou=system
- Password: secret
Note: uid=admin,ou=system with the password secret is the default ApacheDS administrator account. Change it on any instance that is not a throwaway lab. With Encryption Method set to No encryption this password (and later every user password) crosses the network in clear text, which is acceptable here only because the server runs on localhost.
Once you have entered the parameters, click Check Authentication. You should see a success message. Click Finish; the new connection opens in the LDAP Browser.
Create a new entry in LDAP
- Click dc=example,dc=com under DIT/Root DSE.
- Right-click the node dc=example,dc=com and select New Entry. The New Entry wizard appears.
- In the Entry Creation Method pane, select the Create entry from scratch radio button and click Next.
- Find the organizationalUnit object class, select it and click Add.
- Click Next. In the RDN field enter ou and in the value field enter Groups. The DN Preview shows ou=Groups,dc=example,dc=com and the Parent field shows dc=example,dc=com.
- Repeat the same steps with the value Users to create ou=Users,dc=example,dc=com.
- The user entries go under ou=Users. We will add a new user called prince using the inetOrgPerson object class, a general-purpose object class that holds attributes about people.
Creating new user
Right-click ou=Users, select New Entry, then Create entry from scratch, and click Next. Find the inetOrgPerson object class, select it and click Add. Click Next. In the RDN field enter cn with the value prince, which gives the DN cn=prince,ou=Users,dc=example,dc=com.
Click Next and under the mandatory sn attribute enter shivhare (sn stands for surname).
Also add a uid attribute with the value prince (right-click, New Attribute, attribute type uid). AEM looks users up by the attribute configured as User Id attribute, which is uid in this article, so an entry without uid cannot log in to AEM even though it exists in the directory.
Now add a password for this user. Right-click in the same window and select New Attribute. The Attribute Type window appears; enter userPassword as the attribute type. You are then asked to enter a password: this article uses 54321. Make sure the Select Hash Method field is set to SHA (or a salted variant such as SSHA if your Studio version offers it) rather than storing the password in clear text.
Now Add the Groups (Authorization Levels)
- As above, right-click ou=Groups, select New Entry and then Create entry from scratch.
- In the Object Classes window pick groupOfNames, select it and click Add.
- In the RDN field enter cn and in the value field enter admin.
- Because groupOfNames requires at least one member attribute, a member field appears; double-click its value.
- The DN editor opens; browse to the user entry cn=prince,ou=Users,dc=example,dc=com and click Finish. The user and the group now exist in LDAP.
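To make the directory layout above reproducible, and to show what a hashed userPassword actually contains, here is an added Python example (not part of the original article, ApacheDS or Studio) that renders the same entries as LDIF. It assumes the walkthrough's DN layout (ou=Users and ou=Groups under dc=example,dc=com, the user entry named by cn=prince) and adds the uid attribute that the AEM configuration later in this article searches on; the {SSHA} salted-SHA-1 encoding, the sample password and the group membership are constructed for the example. The output can be imported with Apache Directory Studio (File > Import > LDIF Import) or any LDAP client.

```python
import base64
import hashlib
import os

# DN layout from this walkthrough (ApacheDS default partition dc=example,dc=com).
BASE_DN = "dc=example,dc=com"
USERS_OU = "ou=Users," + BASE_DN
GROUPS_OU = "ou=Groups," + BASE_DN

# Constructed sample data, matching the entries created in Apache Directory Studio above.
SAMPLE_USERS = [{"uid": "prince", "cn": "prince", "sn": "shivhare", "password": "54321"}]
SAMPLE_GROUPS = {"admin": ["prince"]}  # group cn -> list of member cns


def ssha(password, salt=None):
    """Return a {SSHA} userPassword value: base64(sha1(password + salt) + salt).

    This is the salted form of the SHA hash method offered by Studio's password
    editor: the salt means two users with the same password get different stored
    values and precomputed SHA-1 tables are useless against the directory.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Check a candidate password against a stored {SSHA} value, as a simple bind does."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is the salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def build_ldif(users, groups):
    """Render the OUs, users and groups as LDIF.

    Assumes plain ASCII attribute values; values with leading spaces or non-ASCII
    characters would need LDIF's base64 '::' form.
    """
    lines = []
    for ou_dn, ou in ((USERS_OU, "Users"), (GROUPS_OU, "Groups")):
        lines += ["dn: " + ou_dn, "objectClass: top", "objectClass: organizationalUnit", "ou: " + ou, ""]
    for u in users:
        lines += [
            "dn: cn=%s,%s" % (u["cn"], USERS_OU),  # same RDN (cn) as chosen in Studio above
            "objectClass: top",
            "objectClass: person",
            "objectClass: organizationalPerson",
            "objectClass: inetOrgPerson",
            "cn: " + u["cn"],
            "sn: " + u["sn"],
            "uid: " + u["uid"],  # the attribute AEM's LDAP identity provider searches on
            "userPassword: " + ssha(u["password"]),
            "",
        ]
    for name, members in groups.items():
        lines += ["dn: cn=%s,%s" % (name, GROUPS_OU), "objectClass: top", "objectClass: groupOfNames", "cn: " + name]
        # groupOfNames stores its members in 'member' (groupOfUniqueNames would use 'uniqueMember')
        lines += ["member: cn=%s,%s" % (m, USERS_OU) for m in members]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_ldif(SAMPLE_USERS, SAMPLE_GROUPS))
```

Running the file prints the LDIF; verify_ssha shows why the server can check a bind password without ever storing it: it recomputes the salted digest from the candidate and compares.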
Configure AEM with ApacheDS
To configure AEM 6 to use LDAP, configure these three OSGi configurations:
- Apache Jackrabbit Oak LDAP Identity Provider – defines how users and groups are retrieved from the LDAP server.
- Apache Jackrabbit Oak Default Sync Handler – defines how the identity provider's users and groups are synchronized into the repository.
- Apache Jackrabbit Oak External Login Module – defines which identity provider and sync handler to use.
Apache Jackrabbit Oak LDAP Identity Provider
Open the Felix Web Console (http://localhost:4502/system/console/configMgr), search for the Apache Jackrabbit Oak LDAP Identity Provider configuration and click the plus '+' button. Enter the following values (based on the LDAP settings created in this article):
- LDAP Provider Name – the name of the provider; this article uses ldap. The External Login Module refers to the provider by this name.
- LDAP Server Hostname – the host name of the LDAP server. localhost is used in this example.
- LDAP Server Port – the port of the LDAP server. 10389 is used in this article.
- Bind DN – the DN AEM binds with to search the directory. uid=admin,ou=system is used. Outside a lab, use a dedicated service account with read access to the user and group subtrees rather than the directory administrator.
- Bind Pwd – the password of the Bind DN. The value secret is used.
- User base DN – the base DN for user searches. dc=example,dc=com is specified (the partition the entries were created in with Apache Directory Studio).
- User Id attribute – the attribute whose value is the login name. Specify uid (the attribute added to the user in Apache Directory Studio).
When done entering these values, ensure that you click Save. The following illustration shows the Apache Jackrabbit Oak LDAP Identity Provider values.
| Setting | Value | Description |
|---|---|---|
| LDAP Provider Name | ldap | Name of the LDAP provider configuration. |
| LDAP Server Hostname | localhost | Hostname of the LDAP server. |
| LDAP Server Port | 10389 | Port of the LDAP server. |
| Disable certificate checking | FALSE | Leave FALSE; TRUE makes an SSL/TLS connection accept any server certificate. |
| Bind DN | uid=admin,ou=system | DN of the user used for authentication (the bind user). |
| Bind Pwd | secret | Password of the bind user. |
| Admin pool max active | 8 | Max active size of the admin connection pool. |
| User pool max active | 8 | Max active size of the user connection pool. |
| User base DN | dc=example,dc=com | The base DN for user searches. |
| User object classes | person | Object class of users (inetOrgPerson entries match, since inetOrgPerson is a subclass of person). |
| User id attribute | uid | Attribute holding the user's login name. |
| User extra filter | (empty) | Extra LDAP filter to use when searching for users. |
| User DN paths | (default) | Leave at the default. |
| Group base DN | ou=Groups,dc=example,dc=com | Base DN for groups. This must be an absolute DN, not just ou=groups. |
| Group object classes | groupOfNames | Object class of groups. |
| Group name attribute | cn | Attribute name of the group name. |
| Group extra filter | (empty) | Extra LDAP filter to use when searching for groups. |
| Group DN paths | (default) | Leave at the default. |
| Group member attribute | member | Group attribute that contains the members of a group. |

The console defaults for the last two group fields are groupOfUniqueNames and uniquemember. The admin group created above is a groupOfNames entry, which stores its members in the member attribute, so both fields must be changed as shown in the table or group membership will not be synchronized.
Apache Jackrabbit Oak Default Sync Handler
In the Felix Web Console, search for the Apache Jackrabbit Oak Default Sync Handler configuration and click the plus '+' button. Specify the Sync Handler Name (the External Login Module refers to the handler by this name) and the User Property Mapping as shown in the illustration, then click Save. In this example the User Property Mapping values profile/nt:primaryType="nt:unstructured" and profile/givenName=cn are used: each entry maps a property path on the synchronized repository user (left of the equals sign) to an LDAP attribute name or, in double quotes, a constant value (right of the equals sign).
Apache Jackrabbit Oak External Login Module
In the Felix Web Console, search for the Apache Jackrabbit Oak External Login Module configuration and click the plus '+' button. Enter the Identity Provider Name (ldap) and the Sync Handler Name created before, spelled exactly as in those configurations, and click Save. The following illustration shows this configuration.
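The three configurations only work when their names and attribute choices agree with each other and with the directory. Here is an added Python example (not part of this article, AEM or Oak) that encodes the values from the identity provider table, the sync handler and the login module as dictionaries keyed by their console labels and checks them for the mistakes this walkthrough is prone to: a group object class or member attribute that does not match the groupOfNames entry created in Studio, a group base DN that is not absolute, a login module naming a provider or handler that does not exist, certificate checking switched off, and clear-text LDAP to a remote host. It also builds the user search filter in the shape the identity provider issues, with RFC 4515 escaping of the login name so that a crafted user name cannot change the filter. The "Use SSL" field, the sync handler name default and the wording of the findings are this example's own assumptions.

```python
# OSGi values keyed by their Felix Web Console labels, so they read like the forms above.
# "Use SSL" and the sync handler name "default" are assumptions of this example.
LDAP_IDP = {
    "LDAP Provider Name": "ldap",
    "LDAP Server Hostname": "localhost",
    "LDAP Server Port": 10389,
    "Use SSL": False,
    "Disable certificate checking": False,
    "Bind DN": "uid=admin,ou=system",
    "User base DN": "dc=example,dc=com",
    "User object classes": "person",
    "User id attribute": "uid",
    "User extra filter": "",
    "Group base DN": "ou=Groups,dc=example,dc=com",
    "Group object classes": "groupOfNames",
    "Group name attribute": "cn",
    "Group member attribute": "member",
}
SYNC_HANDLER = {"Sync Handler Name": "default"}
LOGIN_MODULE = {"Identity Provider Name": "ldap", "Sync Handler Name": "default"}
DIRECTORY_SUFFIX = "dc=example,dc=com"   # ApacheDS default partition
DIRECTORY_GROUP_CLASS = "groupOfNames"   # object class picked for cn=admin in Studio

# Attribute in which each standard group object class stores its members (RFC 4519 / RFC 2307).
MEMBER_ATTR_FOR_CLASS = {
    "groupofnames": "member",
    "groupofuniquenames": "uniquemember",
    "posixgroup": "memberuid",
}


def norm_dn(dn):
    """Lower-case a DN and drop spaces around RDN separators, for comparison only."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value: backslash, *, (, ) and NUL become \\xx."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def user_search_filter(idp, user_id):
    """Filter of the shape the identity provider uses to find a login name:
    (&(<id attr>=<id>)(objectclass=<user class>)<extra filter>)."""
    return "(&(%s=%s)(objectclass=%s)%s)" % (
        idp["User id attribute"],
        escape_filter_value(user_id),
        idp["User object classes"],
        idp.get("User extra filter", ""),
    )


def check_config(idp, sync, login, suffix, directory_group_class):
    """Return a list of findings; an empty list means the three configs and the directory agree."""
    findings = []
    gclass = idp["Group object classes"]
    if gclass.lower() != directory_group_class.lower():
        findings.append("groups in the directory are %s but the config searches for objectclass %s: "
                        "no groups will sync" % (directory_group_class, gclass))
    expected = MEMBER_ATTR_FOR_CLASS.get(gclass.lower())
    mattr = idp["Group member attribute"].lower()
    if expected and mattr != expected:
        findings.append("group class %s keeps members in '%s', not '%s': synced groups will be empty"
                        % (gclass, expected, mattr))
    for key in ("User base DN", "Group base DN"):
        if not norm_dn(idp[key]).endswith(norm_dn(suffix)):
            findings.append("%s '%s' is not an absolute DN under %s" % (key, idp[key], suffix))
    if login["Identity Provider Name"] != idp["LDAP Provider Name"]:
        findings.append("login module names identity provider '%s' but the provider is called '%s'"
                        % (login["Identity Provider Name"], idp["LDAP Provider Name"]))
    if login["Sync Handler Name"] != sync["Sync Handler Name"]:
        findings.append("login module names sync handler '%s' but the handler is called '%s'"
                        % (login["Sync Handler Name"], sync["Sync Handler Name"]))
    if idp.get("Disable certificate checking"):
        findings.append("certificate checking disabled: SSL/TLS no longer authenticates the LDAP server")
    if not idp.get("Use SSL") and idp["LDAP Server Hostname"] not in ("localhost", "127.0.0.1", "::1"):
        findings.append("plain LDAP to a remote host: the bind password and every login password "
                        "cross the network in clear text")
    return findings


if __name__ == "__main__":
    # The console defaults for the group fields, as they would be left by mistake.
    as_defaults = dict(LDAP_IDP, **{"Group base DN": "ou=groups",
                                    "Group object classes": "groupOfUniqueNames",
                                    "Group member attribute": "uniquemember"})
    for finding in check_config(as_defaults, SYNC_HANDLER, LOGIN_MODULE, DIRECTORY_SUFFIX, DIRECTORY_GROUP_CLASS):
        print("FINDING:", finding)
    print(user_search_filter(LDAP_IDP, "prince"))
```

The escaping matters because the login name typed into the AEM login form ends up inside this filter; Oak escapes it itself, but any script of your own that searches the directory by user input must do the same.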
Synchronize ApacheDS Users
Although you've configured AEM for use with ApacheDS, you will not yet be able to log in to AEM as an LDAP user. You first need to log in as administrator, import the LDAP users, and grant them appropriate permissions.
- Go to the JMX console (http://localhost:4502/system/console/jmx). Search for External Identity Synchronization Management and click the row.
- Click syncAllExternalUsers() to synchronize all the users manually.
- Click the Invoke button.
- Go to the Users view at http://localhost:4502/useradmin. You will see the LDAP users.
- Click the Permissions tab and give the user appropriate permissions. For this walkthrough, grant all permissions to the user; on a real system grant only the paths and rights the user's role needs (preferably through group membership), since granting everything turns a compromised directory account into full control of the repository.
- Log out of AEM.
- Log in to AEM as prince (the value of the user's uid attribute) with the password set in ApacheDS to validate the AEM LDAP integration. You are now logged in as an LDAP user.