Configuring LDAP with AEM 6
LDAP (the Lightweight Directory Access Protocol) is used for accessing centralized directory services. This helps reduce the effort required to manage user accounts as they can be accessed by multiple applications. One such LDAP server is Active Directory. LDAP is often used to achieve Single Sign On, which allows a user to access multiple applications after logging in once.
User accounts can be synchronized between the LDAP server and the repository, with LDAP account details being saved in the repository. This allows the accounts to be assigned to repository groups for allocating the required permissions and privileges.
The repository uses LDAP authentication to authenticate such users, with credentials being passed to the LDAP server for validation, which is required before allowing access to the repository. To improve performance, successfully validated credentials can be cached by the repository, with an expiry timeout to ensure that revalidation does occur after an appropriate period.
When an account is removed from the LDAP server, validation is no longer granted and so access to the repository is denied. Details of LDAP accounts that are saved in the repository can also be purged.
Use of such accounts is transparent to your users: they see no difference between user and group accounts created from LDAP and those created solely in the repository.
In AEM 6, LDAP support comes with a new implementation that requires a different type of configuration than with previous versions.
All LDAP configurations are now available as OSGi configurations. They can be configured via the Web Management console at: https://serveraddress:4502/system/console/configMgr
In order to have LDAP working with AEM, you need to create three OSGi configurations:
- An LDAP Identity Provider (IDP).
- A Sync Handler.
- An External Login Module.
Configuring The LDAP Identity Provider
The LDAP Identity Provider is used to define how users are retrieved from the LDAP server.
It can be found in the management console under the Apache Jackrabbit Oak LDAP Identity Provider name.
The following configuration options are available for the LDAP Identity Provider:
| Option | Description |
|---|---|
| LDAP Provider Name | Name of this LDAP provider configuration. |
| LDAP Server Hostname | Hostname of the LDAP server. |
| LDAP Server Port | Port of the LDAP server. |
| Use SSL | Indicates if an SSL (LDAPS) connection should be used. |
| Use TLS | Indicates if TLS should be started on connections. |
| Disable certificate checking | Indicates if server certificate validation should be disabled. |
| Bind DN | DN of the user for authentication. If this is left empty, an anonymous bind will be performed. |
| Bind Password | Password of the user for authentication. |
| Search timeout | Time until a search times out. |
| Admin pool max active | The maximum active size of the admin connection pool. |
| User pool max active | The maximum active size of the user connection pool. |
| User base DN | The DN for user searches. |
| User object classes | The list of object classes a user entry must contain. |
| User id attribute | Name of the attribute that contains the user id. |
| User extra filter | Extra LDAP filter to use when searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)` (user.extraFilter) |
| User DN paths | Controls if the DN should be used for calculating a portion of the intermediate path. |
| Group base DN | The base DN for group searches. |
| Group object classes | The list of object classes a group entry must contain. |
| Group name attribute | Name of the attribute that contains the group name. |
| Group extra filter | Extra LDAP filter to use when searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)` |
| Group DN paths | Controls if the DN should be used for calculating a portion of the intermediate path. |
| Group member attribute | Group attribute that contains the member(s) of a group. |
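The two filter formats described in the table above, as an added example that is not Oak's or AEM's own code: it assembles the final search filter from the id/name attribute, the object classes and the extra filter, and escapes the supplied user id or group name per RFC 4515 so that a value containing filter metacharacters matches literally instead of changing the query. The default attribute and object class names are assumptions.

```python
# Added example (not Oak/AEM code): build LDAP search filters in the shape
# the Identity Provider uses and escape the looked-up value (RFC 4515).

RFC4515_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally inside a filter."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attr: str, value: str, object_classes, extra_filter: str = "") -> str:
    """Final filter: (&(<attr>=<value>)(objectclass=<oc>)...<extraFilter>).

    The page shows a single objectclass term; with several configured classes
    each one becomes its own term inside the AND (assumption for illustration).
    The extra filter must itself be a parenthesised expression, otherwise the
    concatenation produces a syntactically broken filter.
    """
    if extra_filter and not (extra_filter.startswith("(") and extra_filter.endswith(")")):
        raise ValueError("extra filter must be a parenthesised filter expression")
    terms = [f"({attr}={escape_filter_value(value)})"]
    terms += [f"(objectclass={oc})" for oc in object_classes]
    return "(&" + "".join(terms) + extra_filter + ")"


def user_filter(user_id, id_attr="uid", object_classes=("inetOrgPerson",), extra_filter=""):
    """User lookup filter; defaults are assumed values, not AEM's."""
    return build_filter(id_attr, user_id, object_classes, extra_filter)


def group_filter(group_name, name_attr="cn", object_classes=("groupOfUniqueNames",), extra_filter=""):
    """Group lookup filter; defaults are assumed values, not AEM's."""
    return build_filter(name_attr, group_name, object_classes, extra_filter)


if __name__ == "__main__":
    print(user_filter("jdoe", extra_filter="(!(accountDisabled=TRUE))"))
    print(user_filter("a*b(c)"))  # metacharacters are escaped, not interpreted
    print(group_filter("aem-authors"))
```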
Configuring The Synchronization Handler
The synchronization handler defines how the Identity Provider users and groups are synchronized with the repository.
It is located under the Apache Jackrabbit Oak Default Sync Handler name in the management console.
The following configuration options are available for the Synchronization Handler:
| Option | Description |
|---|---|
| Sync Handler Name | Name of the sync configuration. |
| User Expiration Time | Duration until a synced user expires. |
| User auto membership | List of groups that a synced user is added to automatically. |
| User property mapping | List mapping definition of local properties from external ones. |
| User Path Prefix | The path prefix used when creating new users. |
| User Membership Expiration | Time after which membership expires. |
| User membership nesting depth | The maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 adds only the direct groups of a user. This value has no effect when syncing individual groups; it only applies when syncing a user's membership ancestry. |
| Group Expiration Time | Duration until a synced group expires. |
| Group auto membership | List of groups that a synced group is added to automatically. |
| Group property mapping | List mapping definition of local properties from external ones. |
| Group path prefix | The path prefix used when creating new groups. |
The external login module
The external login module is located under the Apache Jackrabbit Oak External Login Module name in the management console.
Its job is to define which Identity Provider and Sync Handler to use, effectively binding the two modules.
The following configuration options are available:
| Option | Description |
|---|---|
| JAAS Ranking | Specifies the ranking (i.e. sort order) of this login module entry. The entries are sorted in descending order (i.e. higher-ranked configurations come first). |
| JAAS Control Flag | Property specifying whether a LoginModule is REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL. Refer to the JAAS configuration documentation for more details on the meaning of these flags. |
| JAAS Realm | The realm name (or application name) against which the LoginModule is registered. If no realm name is provided, the LoginModule is registered with the default realm as configured in the Felix JAAS configuration. |
| Identity Provider Name | Name of the identity provider. |
| Sync Handler Name | Name of the sync handler. |
Configure LDAP over SSL
AEM 6 can be configured to authenticate with LDAP over SSL by following the procedure below:
- Check the Use SSL or Use TLS checkbox when configuring the LDAP Identity Provider.
- Configure the Sync Handler and the External Login Module according to your setup.
- Install the SSL certificates in your Java VM if needed. This can be done by using keytool:

  ```
  keytool -import -alias localCA -file <certificate location> -keystore <keystore location>
  ```

- Test the connection to the LDAP server.
Creating SSL certificates
Self-signed certificates can be used when configuring AEM to authenticate with LDAP via SSL. Below is an example of a working procedure for generating certificates for use with AEM.
- Make sure you have an SSL library installed and working. This procedure uses OpenSSL as an example.
- Create a customized OpenSSL configuration (cnf) file. This can be done by copying the default **openssl.cnf** configuration file and customizing it. On UNIX systems, it is usually located at `/usr/lib/ssl/openssl.cnf`.
- Create the CA root key by running the command below in a terminal:

  ```
  openssl genpkey -algorithm [public key algorithm] -out certificatefile.key -pkeyopt [public key algorithm option]
  ```

- Next, create a new self-signed certificate:

  ```
  openssl req -new -x509 -days [number of days for certification] -key certificatefile.key -out root-ca.crt -config CA/openssl.cnf
  ```

- Inspect the newly generated certificate to make sure everything is in order:

  ```
  openssl x509 -noout -text -in root-ca.crt
  ```

- Make sure that all folders specified in the certificate configuration (.cnf) file exist. If not, create them.
- Create a random seed by running, for example:

  ```
  openssl rand -out private/.rand 8192
  ```

- Move the created .pem files to the locations configured in the .cnf file.
- Finally, add the certificate to the Java keystore.
Enabling debug logging
Debug logging can be enabled for both the LDAP Identity Provider and the External Login Module in order to troubleshoot connection issues.
In order to enable debug logging, you need to:
- Go to the Web Management Console.
- Find "Apache Sling Logging Logger Configuration" and create two loggers with the following options:
  - First logger:
    - Log level: Debug
    - Log File: logs/ldap.log
    - Message Pattern: `{0,date,dd.MM.yyyy HH:mm:ss.SSS} *{4}* {2}`
    - Logger: org.apache.jackrabbit.oak.security.authentication.ldap
  - Second logger:
    - Log level: Debug
    - Log File: logs/external.log
    - Message Pattern: `{0,date,dd.MM.yyyy HH:mm:ss.SSS} *{4}* {2}`
    - Logger: org.apache.jackrabbit.oak.spi.security.authentication.external
A Word on Group Affiliation
Users synchronized through LDAP can be part of different groups in AEM. These groups can be external LDAP groups that will be added to AEM as part of the synchronization process, but they can also be groups that are added separately and are not part of the original LDAP group affiliation scheme.
In most cases, these can be groups that are added by a local AEM administrator or by any other identity provider.
If a user is removed from a group on the LDAP server, the change will also be reflected on the AEM side upon synchronization. However, all the other group affiliations of the user that were not added by LDAP will remain in place.
AEM detects and handles the purging of users from external groups by making use of the rep:externalId property. This property is added automatically to any user or group that is synchronized by the Synchronization Handler and it contains information on the originating identity provider.
For more information, see Apache Oak documentation on User and Group Synchronization.
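A model of the two behaviours described above (the membership nesting depth setting of the Sync Handler, and the way a re-sync only touches memberships that carry the provider's rep:externalId while locally added groups stay in place), as an added example that is not Oak's implementation. The directory, group names, the provider name "ldap" and the `<dn>;<provider>` encoding of the external id are assumptions for illustration.

```python
# Added example (not Oak/AEM code): membership lookup with a nesting depth
# limit, and a re-sync that only removes memberships owned by the provider.
from collections import deque

# Constructed LDAP directory: group -> groups it is itself a member of.
LDAP_PARENTS = {
    "authors": ["content-team"],
    "content-team": ["all-staff"],
    "all-staff": [],
}


def ldap_membership(direct_groups, nesting_depth):
    """Groups synced for a user given its direct LDAP groups and the depth setting.

    0 disables group lookup, 1 adds only the direct groups, n also adds
    ancestors up to n-1 levels above them. Cycles in the directory are tolerated.
    """
    if nesting_depth <= 0:
        return set()
    seen = set()
    queue = deque((g, 1) for g in direct_groups)
    while queue:
        group, depth = queue.popleft()
        if group in seen or depth > nesting_depth:
            continue
        seen.add(group)
        for parent in LDAP_PARENTS.get(group, []):
            queue.append((parent, depth + 1))
    return seen


def resync_user(current_groups, direct_ldap_groups, nesting_depth, provider="ldap"):
    """Return the user's memberships after a sync.

    current_groups maps group name -> rep:externalId value (None for groups
    created locally in the repository). Memberships whose externalId belongs
    to this provider are replaced by the fresh LDAP result; all others stay.
    """
    external = ldap_membership(direct_ldap_groups, nesting_depth)
    updated = {g: ext for g, ext in current_groups.items()
               if ext is None or not ext.endswith(";" + provider)}
    for g in external:  # assumed encoding: "<dn>;<provider name>"
        updated[g] = f"cn={g},ou=groups,dc=example,dc=com;{provider}"
    return updated
```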
Known issues
If you plan on using LDAP over SSL, make sure the certificates you are using are created without the Netscape comment option. If this option is enabled, authentication will fail with an SSL handshake error.