AEM LDAP INTEGRATION

INTEGRATE AEM WITH LDAP

You can configure Adobe Experience Manager (AEM) 6 to synchronize user account information from a third-party LDAP service. Once AEM is configured to use the LDAP service, LDAP users can authenticate when logging in to AEM. This article describes how to set up Apache Directory (ApacheDS, a popular open source LDAP server), create a new user, configure AEM 6 to use ApacheDS, and finally log in to AEM with the new user entered into ApacheDS.

Note: Article tested in AEM 6.2

Prerequisites

You’ll need AEM 6 or 6.1 installed to complete this walkthrough. If you do not have an AEM installation up and running, please contact SPPHELP@adobe.com.

Overview

You’ll perform the following broad steps during the course of this walkthrough:
  1. Install ApacheDS
  2. Create a new entry and user in ApacheDS
  3. Configure AEM with ApacheDS
  4. Validate CQ-ApacheDS integration

Install Apache Directory

Download the latest ApacheDS from http://directory.apache.org. Run the installer for your operating system, follow the installation instructions on the download page, and proceed with the default installation settings. Download Apache Directory Studio from the same URL and install it.

Configuring Apache DS/LDAP server

  1. From the Servers tab, click New.
  2. Select ApacheDS 2.0.0 in the pop-up window to create the server.
  3. Once created, the server appears in the Servers tab.
  4. Right-click the server and click Run.
  5. When asked to confirm the ports, click OK.

[Image: server-connection]

Creating Connection in LDAP

  1. Click File, then New, then LDAP Connection.
  2. Click Next and enter the parameters below.
  • Connection name: ldap
  • Hostname: localhost
  • Port: 10389
  • Encryption Method: No encryption
  • Provider: Apache Directory LDAP Client API

3. Click Check Network Parameter. You should see a success message.

4. Click Next and enter the authentication parameters:

  • Authentication method: Simple Authentication
  • Bind DN or user: uid=admin,ou=system
  • Password: secret

Note: secret is the default admin password for ApacheDS; change it on any instance that is not a throwaway test server.

Once you have specified the parameters, click Check Authentication. You should see a success message. Click Finish; you will then see the screen below.

[Image: successfull-connection-create]

Create a new entry in LDAP

  1. Click dc=example,dc=com under DIT/Root DSE.
  2. Right-click the node dc=example,dc=com and select New Entry. The New Entry wizard appears.
  3. In the Entry Creation Method pane, select the Create entry from scratch radio button and click Next.

[Image: create-new-entry]

[Image: creation-method]

4. Find the organizationalUnit object class. Select it, then click Add.

[Image: finding-unit]

5. Click Next. In the RDN field enter ou, and in the value field enter ‘Groups’. The DN Preview (the Distinguished Name, dn) and the Parent field should look like the illustration below.

[Image: DN-compare]

6. Do the same for Users: create a second organizationalUnit entry.

7. Create the new entry following the same method, with Users as the value of the ou attribute.

8. We’ll place the users’ personal information under ou=users.

9. Let’s start with ou=users. We’ll add a new user called ‘prince’, a person entry using the inetOrgPerson object class.

10. The inetOrgPerson[1] object class is a general-purpose object class that holds attributes about people.

Creating new user

Select Create entry from scratch and click Next. Find the inetOrgPerson object class, select it, then click Add. Now fill in the RDN field:

[Image: create-new-user]

  • cn: prince

[Image: cn-prince]

Click Next, and under the sn attribute enter ‘shivhare’ (sn stands for surname).

We need to add a password for this user. Right-click in the same window and select New Attribute. The Attribute Type window appears.

In the Attribute type field, enter userPassword: 54321
You will be asked to enter a password. Enter pass as the new password, and make sure that Select Hash Method is set to SHA.

[Image: set-password]

Now add the Groups (authorization levels)

  • As in the steps above, select ‘New Entry’ and then ‘Create entry from scratch’.
  • In the ‘Object Classes’ window, pick ‘groupOfNames’: select it, then click Add.
  • In the RDN field enter cn, and in the value field enter ‘admin’.

[Image: RDN-field]

  • Because we picked ‘groupOfNames’, the entry has a member field; double-click its value to edit it.
  • The DN editor opens; browse for the user you need, then click Finish. Once you click Finish, the user has been created successfully in LDAP.
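An added example (not code from the article or from ApacheDS) that does in code what the Studio wizard does above: it emits the same DIT as LDIF, usable with ldapadd or Studio's LDIF import, and shows what the ‘SHA’ hash method actually stores (an unsalted {SHA} SHA-1 digest) together with the comparison a simple bind performs. It deliberately sets uid on the user, because the AEM identity provider configured later in the article searches on uid, and uses a groupOfNames group with a member attribute, which must match the group settings given to AEM; the placement of the user under ou=Users is an assumption.

```python
import base64
import hashlib
import hmac

# Constructed sample value mirroring the DIT built by hand in the article.
BASE_DN = "dc=example,dc=com"


def sha_userpassword(password: str) -> str:
    """Encode a password the way ApacheDS stores it when the wizard's hash method
    is SHA: "{SHA}" + base64(SHA-1(password)), unsalted. Prefer SSHA or stronger."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_userpassword(stored: str, candidate: str) -> bool:
    """Reproduce the comparison the directory server makes on a simple bind."""
    if not stored.startswith("{SHA}"):
        return False
    expected = base64.b64decode(stored[len("{SHA}"):])
    actual = hashlib.sha1(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)  # constant-time compare


def build_ldif(uid: str, cn: str, sn: str, password: str, group: str) -> str:
    """LDIF for ou=Groups, ou=Users, one inetOrgPerson and one groupOfNames.
    groupOfNames lists members in 'member' (groupOfUniqueNames uses 'uniqueMember')."""
    user_dn = f"uid={uid},ou=Users,{BASE_DN}"
    return f"""dn: ou=Groups,{BASE_DN}
objectClass: organizationalUnit
ou: Groups

dn: ou=Users,{BASE_DN}
objectClass: organizationalUnit
ou: Users

dn: {user_dn}
objectClass: inetOrgPerson
uid: {uid}
cn: {cn}
sn: {sn}
userPassword: {sha_userpassword(password)}

dn: cn={group},ou=Groups,{BASE_DN}
objectClass: groupOfNames
cn: {group}
member: {user_dn}
"""
```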

Configure in AEM

Configure AEM with ApacheDS

To configure AEM 6 to use LDAP, configure these OSGi configuration settings:

  • Apache Jackrabbit Oak LDAP Identity Provider – defines how users are retrieved from the LDAP server.
  • Apache Jackrabbit Default Sync Handler – defines how the Identity Provider’s users and groups are synchronized.
  • Apache Jackrabbit External Login Module – defines which Identity Provider and Sync Handler to use.

Apache Jackrabbit Oak LDAP Identity Provider

Open the Felix Web Console (http://localhost:4502/system/console/configMgr), search for the Apache Jackrabbit Oak LDAP Identity Provider configuration and click the plus ‘+’ button. Add the following values (based on the LDAP settings created in this article).

  • LDAP Provider Name – name of the provider. You can specify ldap.
  • LDAP Server Hostname – hostname of the LDAP server. localhost is used in this example.
  • LDAP Server Port – the port of the LDAP server. 10389 is used in this article.
  • Bind DN – DN used for user authentication. uid=admin,ou=system is used.
  • Bind Pwd – the corresponding DN password. The value secret is used.
  • User base DN – the base DN for user searches. In this example, dc=example,dc=com is specified (the value entered in Apache Directory Studio).
  • User Id attribute – name of the user ID attribute. Specify uid (as set in Apache Directory Studio).

When done entering these values, ensure that you click Save. The following illustration shows the Apache Jackrabbit Oak LDAP Identity Provider values.

[Image: jackrabbit-oak-LDAP]

NAME | VALUE | DESCRIPTION
LDAP Provider Name | ldap | Name of the LDAP provider configuration.
LDAP Server Hostname | localhost | Hostname of the LDAP server.
LDAP Server Port | 10389 | Port of the LDAP server.
Use SSL | FALSE | SSL
Use TLS | FALSE | TLS
Disable certificate checking | FALSE | Certificate validation.
Bind DN | uid=admin,ou=system | DN of the user used for authentication.
Bind Password | secret | Password of the user used for authentication (secret).
Search Timeout | 60s | Search timeout.
Admin pool max active | 8 | Max active size of the admin connection pool.
User pool max active | 8 | Max active size of the user connection pool.
User base DN | dc=example,dc=com | The base DN for user searches.
User object classes | person | User object class.
User id attribute | uid | User ID attribute.
User extra filter | (empty) | Extra LDAP filter to use when searching for users.
User DN paths | FALSE |
Group base DN | ou=groups | Base DN for groups.
Group object classes | groupOfUniqueNames | Object classes of groups.
Group name attribute | cn | Attribute name of the group name.
Group extra filter | (empty) |
Group DN paths | FALSE |
Group member attribute | uniquemember | Group attribute that contains the members of a group.

Apache Jackrabbit Oak Default Sync Handler

In the Felix Web Console, search for the Apache Jackrabbit Oak Default Sync Handler configuration and click the plus ‘+’ button. Specify the Sync Handler Name and the User Property Mapping as shown in the illustration, then click Save. In this example, profile/nt:primaryType=”nt:unstructured” and profile/givenName=cn are used as the User Property Mapping values.

[Image: oak-LDAP-sync-handler]

User property mapping: profile/nt:primaryType=”nt:unstructured” and profile/givenName=cn

Apache Jackrabbit Oak External Login Module

In the Felix Web Console, search for the Apache Jackrabbit Oak External Login Module configuration and click the plus ‘+’ button. Enter the Identity Provider Name and the Sync Handler Name created earlier, then click Save. The following illustration shows this configuration.

[Image: oak-login-module]
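As an added example (not from the article or from Adobe), the same three OSGi configurations rendered as Sling .config files, the repeatable alternative to typing values into the Felix console; the property keys are the Oak OSGi keys shown for each component in configMgr, and the group settings follow the groupOfNames/member entry created earlier rather than the groupOfUniqueNames/uniquemember shown in the table, so check which one your directory actually holds. Assumed here: the sync handler name default, the -ldap factory instance suffix, and the group base DN written as the full DN ou=Groups,dc=example,dc=com.

```python
# Constructed from the values used in this article; adjust for your server.
LDAP_IDP = {
    "provider.name": "ldap",
    "host.name": "localhost",
    "host.port": 10389,
    "host.ssl": False,
    "host.tls": False,
    "bind.dn": "uid=admin,ou=system",
    "bind.password": "secret",  # secret material: keep this file out of shared repos
    "user.baseDN": "dc=example,dc=com",
    "user.objectclass": ["person"],
    "user.idAttribute": "uid",
    "group.baseDN": "ou=Groups,dc=example,dc=com",  # assumed full DN
    "group.objectclass": ["groupOfNames"],
    "group.nameAttribute": "cn",
    "group.memberAttribute": "member",
}
SYNC_HANDLER = {
    "handler.name": "default",  # assumed name; must match sync.handlerName below
    "user.propertyMapping": ['profile/nt:primaryType="nt:unstructured"', "profile/givenName=cn"],
}
LOGIN_MODULE = {"idp.name": "ldap", "sync.handlerName": "default", "jaas.controlFlag": "SUFFICIENT"}

# File name = component PID + "-<instance>" for factory configurations.
CONFIG_FILES = {
    "org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider-ldap.config": LDAP_IDP,
    "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler-ldap.config": SYNC_HANDLER,
    "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory-ldap.config": LOGIN_MODULE,
}


def sling_value(value) -> str:
    """Encode one value in Sling .config syntax: typed scalars and string arrays."""
    if isinstance(value, bool):  # bool before int: bool is a subclass of int
        return 'B"%s"' % str(value).lower()
    if isinstance(value, int):
        return 'I"%d"' % value
    if isinstance(value, list):
        return "[" + ",".join('"%s"' % v.replace('"', '\\"') for v in value) + "]"
    return '"%s"' % value.replace('"', '\\"')


def render_config(props: dict) -> str:
    """Render one configuration as the text of a .config file."""
    return "".join(f"{key}={sling_value(value)}\n" for key, value in props.items())


def render_all() -> dict:
    """Map each file name to its rendered content, ready to write into a run-mode config folder."""
    return {name: render_config(props) for name, props in CONFIG_FILES.items()}
```

Write each rendered string to a file of the given name under the config folder of the run mode that needs it (for example config.author).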

Synchronize ApacheDS Users

Although you’ve configured AEM for use with ApacheDS, you’ll not yet be able to log in to AEM as an LDAP user. You’ll need to first log in as administrator, import the LDAP users, and grant them appropriate permissions.

  • Go to jmx console (http://localhost:4502/system/console/jmx). Search for External Identity Synchronization Management and click on the row.
  • Click on syncAllExternalUsers() to sync all the users manually.
  • Click the Invoke button.

[Image: sync-users]

  • Go to the Users view at http://localhost:4502/useradmin. You will see the LDAP users.
  • Click the Permissions tab and give the user appropriate permissions. For this walkthrough, grant all permissions to the user.
  • Log out of AEM.
  • Log in to AEM as prince (with the password specified using ApacheDS) to validate the AEM LDAP integration. You are now logged in as an LDAP user.

[Image: login]

You should now be able to log in successfully.

[Image: login-aem]

13 thoughts on “INTEGRATE AEM WITH LDAP”

  1. Hi Prince,
    This is really a very useful article.

    Let me point out a few areas of improvement:

    1. “Right-click on the node dc=example,dc=com and select New Entry. The New Entry wizard appears.”
    It should be New –> New Entry.

    2. Click on file, the new and the click on LDAP Connection.
    It should be File -> New -> LDAP Browser -> LDAP Connection.

    3. Click Next. On the RDN field enter ou. On the value field enter ‘Groups’. The DN Preview should like below (Distinguished Name (dn), The Parent field should same like below).
    The DN Preview is not available there to compare with.

    4. Do the same for Users.
    It should be Press the + sign to create a blank row below.
    On the RDN field enter ou. On the value field enter ‘Users’.

    5. Do the same for Users Create new entry following same method and users for ou attribute.
    Are these two steps the same and same as my point#4 above?

    I followed up this article up to this point and here are my observations.
    Once you clarify the above points, I will be able to progress.

    Highly appreciate all your work.

    Thanks,
    Rama.
    1. Hi Rama,

      Thank you for your kind appreciation.

      1. “Right-click on the node dc=example,dc=com and select New Entry. The New Entry wizard appears.”
      It should be New –> New Entry.

      -> Once you have created a connection successfully, you will see a structure.
      + DIT
      – Root DSE(5)
      – dc=example,dc=com

      click on dc=example,dc=com, then you need to create an entry.

      2. Click on file, the new and the click on LDAP Connection.
      It should be File -> New -> LDAP Browser -> LDAP Connection.

      -> you need to click on File -> New -> LDAP Connection. You will see a configuration pop-up window.

      3. Click Next. On the RDN field enter ou. On the value field enter ‘Groups’. The DN Preview should like below (Distinguished Name (dn), The Parent field should same like below).
      The DN Preview is not available there to compare with.

      -> I have added an image to compare. Thanks for highlighting.

      4. Do the same for Users.
      It should be Press the + sign to create a blank row below.
      On the RDN field enter ou. On the value field enter ‘Users’.

      -> The same process which you did for “Groups” needs to be done for Users. Please see points no. 7, 8, 9, 10.

      5. Do the same for Users Create new entry following same method and users for ou attribute.
      Are these two steps the same and same as my point#4 above?

      -> Please refer ans. 4.

      Regards,
      Prince
  2. Hi Prince,
    I continued to work on your exercise and got stuck up at creation of user prince:
    Here are some more observations/questions so far:

    1. “Install Apache Directory: There are many installables @ http://directory.apache.org/.”

    apacheds-2.0.0-M23, ApacheDirectoryStudio-2.0.0.v20161101-M12-win32.win32.x86_64, etc.

    Better to be specific: It should be ApacheDirectoryStudio-2.0.0.v20161101-M12-win32.win32.x86_64.

    2. “Configuring Apache DS/LDAP server: From the servers tab, click on new.”

    In the Left Nav, there is a button “LDAP Servers”. Click it.
    Right click. New -> New Server ctrl+E.
    Select Apache Software Foundation -> ApacheDS 2.0.0.
    Click Finish button.

    3. “Creating Connection in LDAP: Click on file, the new and the click on LDAP Connection.”

    File -> New -> LDAP Browser -> LDAP Connection.

    4. Qn: Bind DN or user: uid=admin,ou=system: Is this the account using which LDAP Server will be connected by AEM?

    5. DC = Domain Component

    6. “Right-click on the node dc=example,dc=com and select New Entry.”
    Right-click on the node dc=example,dc=com and select New -> New Entry.

    7. After “Distinguished Name” dialog box, hit Next and Finish buttons.

    8. Qn: ou=Groups; ou=Users? Does the case of g and u have to Upper or Lower?
    You mentioned Groups and users.

    9. For Users also After “Distinguished Name” dialog box, hit Next and Finish buttons.

    10. For creation of user “Prince”:
    Right click “ou=Users”, select New –> New Entry.
    Select “Create entry from scratch” radio button and hit Next button.
    Select “Organizational Unit” from the left pane and hit “Add” button to transfer it to the right pane.
    Hit the “Next” button.
    Enter “cn” in the RDN field and “Prince” in the text field after “=” sign.

    Here is where I am stuck. The message is
    “According to the schema attribute cn is not allowed. Attribute ou has an empty value, please insert a valid value. ”
    Not able to attach screen shot.

    11. cn = Common Name

    Appreciate your patience.
    My idea is that people not having any knowledge on LDAP and its terminology should be able to execute this exercise.

    Thanks,
    Rama.
    1. Hi Rama,

      For point no 10, I see that you have made a mistake in selecting the Object class when creating the new entry for the user.

      –> Whenever you want to create a user, the Object class must be “inetOrgPerson” -> Add, and you need to add the RDN as “ou”; the = value will be “Username”, and “cn” will not be used here.

      And in New Entry, DN Preview will be “ou=venky,ou=users,dc=example,dc=com”

      Please let me know if you are able to do it; else we will have a Connect session to resolve the issue. I have done it and it worked like a charm!!

      Hope this helps!

      Thanks,
      Ratna.
  3. Hi Prince,

    In the next few days I am going to demonstrate this integration to my co workers and so I want to complete it from my side today itself.
    So, kindly reply to my above latest set of questions ASAP.
    Please ignore points 5 and 11, as they are additional information that I thought would be useful to the readers.

    Thanks,
    Rama.
  4. Hi Ratna,

    I am not able to follow you.
    Kindly let me know when we could have the Connect session.
    I assure you that it would not be very long.

    Thanks,
    Rama.
    1. Hi Ratna,

      Please suggest your free slots for a Connect session.
      I will pick up one of them.
      Appreciate your support.

      Thanks,
      Rama.