Oak LDAP IdentityProvider fails to sync users and groups in AEMaaCS

The Oak LDAP IdentityProvider in Adobe Experience Manager as a Cloud Service (AEMaaCS) fails to synchronize users and groups from an external Lightweight Directory Access Protocol (LDAP) directory. This results in missing user and group entries, which block proper authorization and provisioning. To resolve the issue, update the LDAP configuration and re-trigger synchronization.

Description

Environment

Adobe Experience Manager as a Cloud Service (AEMaaCS)

Issue/Symptoms

  • The application fails to synchronize groups from the external LDAP directory.
  • Group entries are not resolved, resulting in missing authorization mappings.
  • User lookups return no matching entries, blocking provisioning and access.

Resolution

Follow these steps to resolve the issue:

  1. Set userConfig.baseDN to the correct LDAP path for user entries. For example: OU=EndUsers,OU=Corporate,OU=Accounts,DC=example,DC=com or DC=example,DC=com.

  2. Review and adjust the userConfig.extraFilter setting:

    • Remove extraFilter if it is not needed.
    • If a filter is needed, base it on group membership rather than on hard-coded usernames, for example: (|(memberOf=CN=Group1,...)(memberOf=CN=Group2,...)).

  3. Set groupConfig.baseDN to the correct LDAP path for group entries. For example: OU=Global,OU=Unmanaged,OU=Groups,DC=example,DC=com.

  4. Configure group settings:

    • Set groupConfig.objectClasses = [group].
    • Set groupMemberAttribute = member.

  5. Set user.membershipNestingDepth to 1 or higher to enable synchronization of nested group memberships.

  6. Re-run user synchronization through the JMX console or by logging in with a test account.

  7. Confirm that groups appear under /home/groups/<IDP name> and users are assigned correct memberships.
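The settings from steps 1 to 4 expressed as an AEMaaCS OSGi configuration file (for example ui.config/.../osgiconfig/config/org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider~example.cfg.json). This is an added example, not configuration from the article or from Adobe; the keys are the OSGi property names of Oak's LdapIdentityProvider (user.baseDN corresponds to the article's userConfig.baseDN, group.memberAttribute to groupMemberAttribute), and the host, DNs, group names and secret name are placeholders.

```json
{
  "provider.name": "example-ldap",
  "host.name": "ldap.example.com",
  "host.port": 636,
  "host.ssl": true,
  "host.noCertCheck": false,
  "bind.dn": "CN=aem-sync,OU=ServiceAccounts,DC=example,DC=com",
  "bind.password": "$[secret:LDAP_BIND_PASSWORD]",
  "searchTimeout": "60s",
  "user.baseDN": "OU=EndUsers,OU=Corporate,OU=Accounts,DC=example,DC=com",
  "user.objectclass": ["person"],
  "user.idAttribute": "sAMAccountName",
  "user.extraFilter": "(|(memberOf=CN=Group1,OU=Global,OU=Unmanaged,OU=Groups,DC=example,DC=com)(memberOf=CN=Group2,OU=Global,OU=Unmanaged,OU=Groups,DC=example,DC=com))",
  "user.makeDnPath": false,
  "group.baseDN": "OU=Global,OU=Unmanaged,OU=Groups,DC=example,DC=com",
  "group.objectclass": ["group"],
  "group.nameAttribute": "cn",
  "group.memberAttribute": "member",
  "group.makeDnPath": false,
  "useUidForExtId": false
}
```

The bind password is read from a Cloud Manager secret environment variable rather than committed to the repository, and LDAPS with certificate checking kept on is assumed. Step 5's user.membershipNestingDepth belongs in the separate sync handler configuration (org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler~example.cfg.json), not in this file.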

Additional notes:

  • In Active Directory environments:

    • Ensure attributes like sAMAccountName, objectClass, and membership attributes match your directory structure.
    • Groups may not persist under /home/groups/ldap in AEM as a Cloud Service, but still resolve correctly for authorization.
  • Adobe IMS is the supported identity provider for author authentication in AEM as a Cloud Service. Other providers may not stay reliable across updates.
