LDAP GROUPS NOT AUTOCREATED IN AEM | Community
Skip to main content
Sunjeet_Gupta
Sunjeet_Gupta
New Participant
October 16, 2015
Solved

LDAP GROUPS NOT AUTOCREATED IN AEM

  • October 16, 2015
  • 3 replies
  • 1362 views

Hi.

Q1: I am using LDAP as a user repository and I have hooked it with an LDAP server. When I login to AEM using LDAP user , the user gets autocreated on AEM, but the groups are not created. Here are the details :

ldap_conf

com.day.crx{
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required 
       principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider" 
       host="127.0.0.1" 
       port="389" 
       secure="false" 
       authDn="cn=Manager,dc=maxcrc,dc=com" 
       authPw="secret" 
       userRoot="ou=Technology,o=xxxxxxxxx,dc=maxcrc,dc=com" 
       groupRoot="ou=Technology,o=xxxxxxxx,dc=maxcrc,dc=com" 
       groupMembershipAttribute="uniquemember" 
       autocreate="create" 
       autocreate.user.mail="profile/email"
           autocreate.user.givenname="profile/givenName"
           autocreate.user.sn="profile/familyName"
       autocreate.group.description="profile/aboutMe"
           autocreate.group.mail="profile/email"
           autocreate.path="direct"
       cache.expiration="600" 
       cache.maxsize="100"
       trust_credentials_attribute="TrustedInfo"
       anonymous_principal="anonymous";
};

AEM Version : 5.6.1

Hot Fixes Installed : 

cq-5.6.1-hotfix-3401

cq-5.6.1-hotfix-3491

cq-5.6.1-hotfix-3471

cq-5.6.1-hotfix-3591

cq-5.6.1-hotfix-3302

 

I want the groups and users created and associated as they are on LDAP( docs says that it is possible , but doesnt happen). 

Q2: I want to associate the LDAP users to the LDAP groups ( after both are auto created ) . There is an option "autocreate.user.membership" that allows to put some pre-existing groups. I dont want that. Possible ?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by chaotic

Hello Sunjeet

Q1) Yes this should be possible. There might be a problem with the configuration. I suggest you set the log-level of the LDAP module to DEBUG, then you get the complete filter which you could paste into a GUI client and see if you really get the groups you expect out of the LDAP server. (check the groupRoot, groupMembershipAttribute and the groupFilter if they match your directory).

 

Q2) There are two mechanisms to add a user to a group. One (your use-case AFAIU) is automatic - once you get the group-import to run, this should work as expected (group-memberships get synchronized from LDAP). The second (autocreate.user.membership) is used to add LDAP users to (pre-existing) CQ groups. 

3 replies

C
chaoticAccepted solution
Employee
October 16, 2015

Hello Sunjeet

Q1) Yes this should be possible. There might be a problem with the configuration. I suggest you set the log-level of the LDAP module to DEBUG, then you get the complete filter which you could paste into a GUI client and see if you really get the groups you expect out of the LDAP server. (check the groupRoot, groupMembershipAttribute and the groupFilter if they match your directory).

 

Q2) There are two mechanisms to add a user to a group. One (your use-case AFAIU) is automatic - once you get the group-import to run, this should work as expected (group-memberships get synchronized from LDAP). The second (autocreate.user.membership) is used to add LDAP users to (pre-existing) CQ groups. 

Sunjeet_Gupta
Sunjeet_GuptaAuthor
New Participant
October 16, 2015

Thanks. 

1. One issue that I could get past was to change the objectClass of the the LDAP groups from groupOfNames to groupOfUniqueNames. That triggered the LDAPEntryResolver to recognize the LDAP group. {  Why is that ??  }

2. After that when I login , strangely, the group is still not created , but if I open the user , I can see the group name under the Groups tab !!

Here are the detailed logs :{ user: kapil.shekhar.raina , group : portaladministrators }

14.01.2014 22:53:51.947 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync changed kapil.shekhar.raina setting lastModified to 20140110075300Z
14.01.2014 22:53:51.947 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync sync user kapil.shekhar.raina finished
14.01.2014 22:53:51.947 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync Syncing group membership of kapil.shekhar.raina for principal uid=kapil.shekhar.raina,ou=Technology,o=Accenture,dc=maxcrc,dc=com
14.01.2014 22:53:51.948 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (&(uniquemember=uid=kapil.shekhar.raina,ou=Technology,o=Accenture,dc=maxcrc,dc=com)(objectclass=groupOfUniqueNames))
14.01.2014 22:53:51.949 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync found group membership LDAP entry cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com
14.01.2014 22:53:51.949 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver read below ou=Technology,o=Accenture,dc=maxcrc,dc=com dn: cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (objectclass=person)
14.01.2014 22:53:51.950 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver read below ou=Technology,o=Accenture,dc=maxcrc,dc=com dn: cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (objectclass=groupOfUniqueNames)
14.01.2014 22:53:51.960 *WARN* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.principals.LDAPPrincipalProvider found principal at unexpected location
14.01.2014 22:53:51.961 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync fetching group cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com returned null
14.01.2014 22:53:51.961 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync .fetching group portaladministrators returned null
14.01.2014 22:53:51.968 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync Group portaladministrators for cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com created
14.01.2014 22:53:51.968 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync created authorizable group for cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com
14.01.2014 22:53:51.968 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync Adding group portaladministrators for DN cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com
14.01.2014 22:53:51.968 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync syncing cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com
14.01.2014 22:53:51.969 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync sync group portaladministrators finished
14.01.2014 22:53:51.969 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync Added membership of kapil.shekhar.raina to portaladministrators
14.01.2014 22:53:51.969 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync Syncing group membership of portaladministrators for principal cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com
14.01.2014 22:53:51.969 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (&(uniquemember=cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com)(objectclass=groupOfUniqueNames))
14.01.2014 22:53:51.988 *DEBUG* [0:0:0:0:0:0:0:1 [1389720231891] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPUserSync Synchronized uid=kapil.shekhar.raina,ou=Technology,o=Accenture,dc=maxcrc,dc=com in 71912us
14.01.2014 22:53:52.168 *DEBUG* [0:0:0:0:0:0:0:1 [1389720232122] GET / HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver read below ou=Technology,o=Accenture,dc=maxcrc,dc=com dn: uid=kapil.shekhar.raina,ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (objectclass=person)
14.01.2014 22:54:35.103 *DEBUG* [0:0:0:0:0:0:0:1 [1389720275076] GET /.cqactions.json HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (&(uniquemember=uid=kapil.shekhar.raina,ou=Technology,o=Accenture,dc=maxcrc,dc=com)(objectclass=groupOfUniqueNames))
14.01.2014 22:54:35.105 *DEBUG* [0:0:0:0:0:0:0:1 [1389720275076] GET /.cqactions.json HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below ou=Technology,o=Accenture,dc=maxcrc,dc=com with filter (&(\28|\28uniquemember=cn=portaladministrators,ou=Technology,o=Accenture,dc=maxcrc,dc=com\29\29)(objectclass=groupOfUniqueNames))

 

Thanks

C
chaotic
Employee
October 16, 2015

Hello Sunjeet

 

Q1) That's simply because the groups in your directory server seem to be stored with this special object class (which enforces further restrictions).

 

Q2) Hmm. The log actually looks quite ok to me - and since the group shows up in the groups tab, it must have been created and the user is a member of it (membership is stored on the group). Does it work as expected? How did you check that the group is not there? Maybe there is something wrong with the new UI. Try using the crx-explorer, maybe the group-home-path is different from what one would expect. You could also do a search for 'portaladministrators' there. 

 

Best greetings

Lars

Terms & ConditionsAccessibility statement

Loading footer...