Configuring LDAP with AEM 6 configuring-ldap-with-aem
LDAP (the L ightweight D irectory A ccess P rotocol) is used for accessing centralized directory services. It helps reduce the effort required to manage user accounts as they can be accessed by multiple applications. One such LDAP server is Active Directory. LDAP is often used to achieve Single Sign On which allows a user to access multiple applications after logging in once.
User accounts can be synchronized between the LDAP server and the repository, with LDAP account details being saved in the repository. This functionality allows the accounts to be assigned to repository groups for allocating the required permissions and privileges.
The repository uses LDAP authentication to authenticate such users, with credentials being passed to the LDAP server for validation, which is required before allowing access to the repository. To improve performance, successfully validated credentials can be cached by the repository, with an expiry timeout to ensure that revalidation does occur after an appropriate period.
When an account is removed from the LDAP server, validation is no longer granted and access to the repository is denied. Details of LDAP accounts that are saved in the repository can also be purged.
Use of such accounts is transparent to your users. That is, they see no difference between user and group accounts created from LDAP, and accounts created solely in the repository.
In AEM 6, LDAP support comes with a new implementation that requires a different type of configuration than with previous versions.
All LDAP configurations are now available as OSGi configurations. They can be configured via the Web Management console at:https://serveraddress:4502/system/console/configMgr
To have LDAP working with AEM, you must create three OSGi configurations:
- An LDAP Identity Provider (IDP).
- A Sync Handler.
- An External Login Module.
Configuring The LDAP Identity Provider configuring-the-ldap-identity-provider
The LDAP Identity Provider is used to define how users are retrieved from the LDAP server.
It can be found in the management console under the Apache Jackrabbit Oak LDAP Identity Provider name.
The following configuration options are available for the LDAP Identity Provider:
Configuring The Synchronization Handler configuring-the-synchronization-handler
The synchronization handler defines how the Identity Provider users and groups are synchronized with the repository.
It is located under the Apache Jackrabbit Oak Default Sync Handler name in the management console.
The following configurations options are available for the Synchronization Handler:
The external login module the-external-login-module
The external login module is located under the Apache Jackrabbit Oak External Login Module under the management console.
Its job is to define which Identity Provider and Sync Handler to use, effectively binding the two modules.
The following configuration options are available:
Configure LDAP over SSL configure-ldap-over-ssl
AEM 6 can be configured to authenticate with LDAP over SSL by following the below procedure:
-
Check the Use SSL or Use TLS checkboxes when configuring the LDAP Identity Provider.
-
Configure the Sync Handler and the External Login module according to your setup.
-
Install the SSL certificates in your Java™ VM, if needed. This installation can be done by using keytool:
keytool -import -alias localCA -file <certificate location> -keystore <keystore location>
-
Test the connection to the LDAP server.
Creating SSL certificates creating-ssl-certificates
Self-signed certificates can be used when configuring AEM to authenticate with LDAP via SSL. Below is an example of a working procedure for generating certificates for use with AEM.
-
Make sure you have an SSL library installed and working. This procedure uses OpenSSL as an example.
-
Create a customized OpenSSL configuration (cnf) file. This configuration can be done by copying the default **openssl.cnf **configuration file and customizing it. On UNIX® systems, it is at
/usr/lib/ssl/openssl.cnf
-
Proceed to creating the CA root key by running the below command in a terminal:
code language-none openssl genpkey -algorithm [public key algorithm] -out certificatefile.key -pkeyopt [public key algorithm option]
-
Next, create a self-signed certificate:
openssl req -new -x509 -days [number of days for certification] -key certificatefile.key -out root-ca.crt -config CA/openssl.cnf
-
To make sure that everything is in order, inspect the newly generated certificate:
openssl x509 -noout -text -in root-ca.crt
-
Make sure that all folders specified in the certificate configuration (.cnf) file exist. If not, create them.
-
Create a random seed, by running, for example:
openssl rand -out private/.rand 8192
-
Move the created .pem files to the locations configured in the .cnf file.
-
Finally, add the certificate to the Java™ keystore.
Enabling debug logging enabling-debug-logging
Debug logging can be enabled for both the LDAP Identity Provider and the External Login Module to troubleshoot connection issues.
To enable debug logging, you must do the following:
- Go to the Web Management Console.
- Find “Apache Sling Logging Logger Configuration” and create two loggers with the following options:
-
Log level: Debug
-
Log File logs/ldap.log
-
Message Pattern: {0,date,
dd.MM.yyyy
HH:mm:ss.SSS
} *{4}* {2} -
Logger: org.apache.jackrabbit.oak.security.authentication.ldap
-
Log level: Debug
-
Log File: logs/external.log
-
Message Pattern: {0,date,
dd.MM.yyyy
HH:mm:ss.SSS
} *{4}* {2} -
Logger: org.apache.jackrabbit.oak.spi.security.authentication.external
A Word on Group Affiliation a-word-on-group-affiliation
Users synchronized through LDAP can be part of different groups in AEM. These groups can be external LDAP groups that are added to AEM as part of the synchronization process. However, they can also be groups that are added separately and are not part of the original LDAP group affiliation scheme.
Usually, these groups are added by a local AEM administrator or by any other identity provider.
If a user is removed from a group on the LDAP server, the change is reflected on the AEM side on synchronization. However, all the other group affiliations of the user that were not added by LDAP remain in place.
AEM detects and handles the purging of users from external groups by using the rep:externalId
property. This property is added automatically to any user or group that is synchronized by the Synchronization Handler and it contains information on the originating identity provider.
See Apache Oak documentation on User and Group Synchronization.
Known issues known-issues
If you plan on using LDAP over SSL, make sure the certificates that you are using are created without the Netscape comment option. If this option is enabled, authentication fails with an SSL Handshake error.