Article summary

Summary

Discusses how to configure AEM 6.x to work with an LDAP service. In this article, Apache Directory Service is used.

A special thank you to Lokesh, a top AEM community member, for contributing towards this AEM community article.

If you are interested in learning how to configure LDAP with AEM 5.x, see Configuring Adobe CQ with Apache Directory Service.

Digital Marketing Solution(s) Adobe Experience Manager (Adobe CQ), Apache Directory Service
Audience
Administrator
Required Skills
LDAP,AEM
Tested On Adobe Experience Manager 6, 6.1

________________________________________________________________

For general information related to AEM-LDAP integration, refer to this documentation.
________________________________________________________________

Introduction

You can configure Adobe Experience Manager (AEM) 6 to  synchronize user account information from a third-party LDAP service. By configuring AEM to use a third-party LDAP service, you can authenticate LDAP users when logging into AEM. This article describes how to setup Apache Directory service (a popular open source LDAP service), create a new user, configure AEM 6 to use Apache Directory service, and finally login to AEM with the new user entered into Apache Directory service.

 

AEMLDAP
A user logging into AEM with ApacheDS user credentials

Prerequisites

You'll need to install AEM 6 or 6.1 to complete this walkthrough. If you do not have a AEM installation up and running, we recommend that you install the AEM QuickStart. Refer to this documentation page for more information.

If you're configuring AEM with your organization's existing ApacheDS infrastructure, you can skip directly to Interface CQ with ApacheDS. However, for the purpose of this walkthrough, we'll set up ApacheDS from scratch. 

Overview

You'll perform the following broad steps during the course of this walkthrough:

  1. Install ApacheDS
  2. Create a new user in ApacheDS
  3. Configure AEM with ApacheDS
  4. Validate CQ-ApacheDS integration

Install Apache Directory

  1. Download the latest ApacheDS from http://directory.apache.org.
  2. Run the installer for your operating system, follow the installation instructions on the download page, and proceed with the default installation settings.
  3. Download Apache Directory Studio from the same URL and install it. 

Create a new user in ApacheDS

Let's add some user data to ApacheDS that we can later use to authenticate with AEM. You can use different mechanisms, such as Java API, Eclipse plug-in, or LDAP client tools like Apache Directory Studio, to populate ApacheDS with data. In this walkthrough, we will use Apache Directory Studio to add LDAP user data.

Adding a user to ApacheDS

To follow along with this AEM article, create an LDAP user named bella. Place this user under dc=example, dc=com, as shown in the following illustration. 

LDAP_User
An LDAP user shown in Apache Directory Studio

Note:

uid is a manatory property in order to use LDAP users,

  1. Start Apache Directory Studio.
  2. Click LDAP> New Connection and enter the following values:
  • Connection Name: ldap
  • Host: localhost
  • Port: 10389
  • Encryption: no encryption
  • Authenticaion method: simple authentication
  • User DN: uid=admin,ou=system
  • Password: secret
  1. Click Finish.
  2. Under Root, create an entity dc=example,dc=com.
  3. From dc=example,dc=com, select New, New Entity.
  4. Select Create entity from scratch
  5. From the left pane, select person and uidObject
  6. Specify the following LDAP attributes.
userProps
Adding a new user

9. Add any other LDAP attributes you want and click Finish. 

Tip: For more information about using Apache Directory Studio, see http://directory.apache.org/studio/.

Note:

If you encounter an error while adding the new user, evaluate the exception message. For example, if you specify an invalid password value (for example, the value of cn), an exception occurs. 

Configure AEM with ApacheDS

To configure AEM 6 to use LDAP, configure these OSGi configuration settings:

  • Apache Jackrabbit Oak LDAP Identity Provider -  defines how users are retrieved from the LDAP server
  • Apache Jackrabbit Default Sync Handler - defines how the Indetity Provider users and groups will be synchronized
  • Apache Jackrabbit External Login Module - defines which Identity Provider and Sync Handler to use

Apache Jackrabbit Oak LDAP Identity Provider

Open the Felix Web Console (http://localhost:4502/system/console/configMgr) and search for the Apache Jackrabbit Oak LDAP Identity Provider config and click on the plus ‘+’ button. Add the following values (based on the LDAP settings created in this article).

  • LDAP Provider Name - name of the provider. You can specify ldap
  • LDAP Server Hostname - the name of the provider. Localhost is used in this example. 
  • LDAP Server Port - the port of the LDAP server. 10389 is used in this article. 
  • Bind DN - DN used for user authentication. uid=admin,ou=system is used.
  • Bind Pwd - the corresponding DN password. The value secret is used. 
  • User base DN - the base DN for user searches. In this example, dc=example,dc=example is specified. (the values entered specified using Apache Directory Studio). 
  • User Id attribute - name of the user attribute. Specify uid (this was specified in Apache Directory Studio). 

When done entering these values, ensure that you click Save. The following illustration shows the Apache Jackrabbit Oak LDAP Identity Provider values.

LDAP_Provider
Apache Jackrabbit Oak LDAP Identity Provider values

Note:

Group attributes are not used in this example. However, you can add group attributes is required. 

Apache Jackrabbit Oak Default Sync Handler

In the Felix Web console, search for the Apache Jackrabbit Oak Default Sync Handler config and click on the plus ‘+’ button. Specify the Sync Handle Name and User Property Mapping as shown in the illustration and Click Save.

In this example, profile/nt:primaryType="nt:unstructured" and profile/givenName=cn values are used for User Property Mapping values. 

 

Default Sync Handler
Default Sync Handler values

Apache Jackrabbit Oak External Login Module

In the Felix Web console, search for the Apache Jackrabbit Oak External Login Module config and click on the plus ‘+’ button. Enter the Identity Provider Name and Sync Handler Name which created before and Click Save.

The following illustration shows this configuration. 

loginMod
Apache Jackrabbit Oak External Login Module

Synchronize ApacheDS users

Although you've configured AEM for use with ApacheDS, you'll not yet be able to log in to AEM as an LDAP user. You'll need to first log in as administrator, import the LDAP users, and grant them appropriate permissions.

Note:

Before performing the steps in this section, log in to Experience Manager as the LDAP user. The log in attempt will result in an error; however, the LDAP user is imported into Experience Manager.

1. Log into AEM as an administrator.

2. Go to jmx console (http://localhost:4502/system/console/jmx). Search for External Identity Synchronization Management and click on the row.

3. Click on syncAllExternalUsers() to sync all the users manually.

4. Click the Invoke button. 

Invoke
syncAllExternalUsers operation

5. Go to the Users view at http://localhost:4502/useradmin. You will see the LDAP users, as shown in this illustration. 

Users
LDAP users shown in AEM

6. Click the Permissions tab and give the user appropriate permissions. For this walkthrough, grant all permissions to the user.

7. Log out of AEMdobe CQ.

8. Log into AEM as bella (and the password specified using ApacheDS) to validate the AEM LDAP integration. Now you are logged in as an LDAP user. 

UserLogin
LDAP user logged into AEM

Configuring Logging

When workgin with AEM and LDAP, it is always better to configure LDAP related logging.

  1. Open Config Manager (http://localhost:4502/system/console/configMgr) in the Felix console
  2. Search for Apache Sling Logging Logger Configuration. Add new logger.
  3. Aadd `org.apache.jackrabbit.oak.spi.security.authentication.external`, `org.apache.jackrabbit.oak.security.authentication.ldap`.
  4. Click Save.

logger
Apache Sling Logging Logger Configuration

See also

Congratulations, you have just configured AEM to use Apache Directory Service. Please refer to the AEM community page for other articles that discuss how to build AEM services/applications.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy