Article summary

Summary

Discusses how to configure AEM 6.4 to work with an LDAP service. In this article, Apache Directory Service is used.

To read this use case for AEM 6.0, see Configuring Adobe Experience Manager 6 to use Apache Directory Service.

If you are interested in learning how to configure LDAP with AEM 5.x, see Configuring Adobe CQ with Apache Directory Service.

Digital Marketing Solution(s) Adobe Experience Manager, Apache Directory Service
Audience
Administrator
Required Skills
LDAP,AEM
Version Adobe Experience Manager 6.4

Note:

For general information related to AEM-LDAP integration, refer to Configuring LDAP with AEM 6.

Introduction

You can configure Adobe Experience Manager 6.4 to  synchronize user account information from a third-party LDAP service. By configuring Experience Manager to use a third-party LDAP service, you can authenticate LDAP users when logging into Experience Manager. This article describes how to setup Apache Directory Server (ApacheDS, a popular open source LDAP service), create a new user, configure Experience Manager to use ApacheDS, and finally login to Experience Manager with the new user entered into Apache Directory service.

 

AEMLDAP
A user logging into Experience Manager with ApacheDS User Credentials

Prerequisites

You'll need to install Experience Manager 6.4 to complete this walkthrough. If you do not have an Experience Manager installation up and running, we recommend that you install the AEM QuickStart. Refer to this documentation page for more information.

Overview

You'll perform the following broad steps during the course of this walkthrough:

  1. Install ApacheDS
  2. Create a new user in ApacheDS
  3. Configure Experience Manager with ApacheDS
  4. ValidateExperience Manager/ApacheDS integration

Install Apache Directory

  1. Download the latest ApacheDS from http://directory.apache.org.
  2. Run the installer for your operating system, follow the installation instructions on the download page, and proceed with the default installation settings.
  3. Download Apache Directory Studio from the same URL and install it. 

Create a new user in ApacheDS

Add some user data to ApacheDS that you can later use to authenticate with Experience Manager. You can use different mechanisms, such as Java API, Eclipse plug-in, or LDAP client tools like Apache Directory Studio, to populate ApacheDS with data. In this walkthrough, Apache Directory Studio is used to add LDAP user data.

Create an ApacheDS user

To follow with this article, create an LDAP user named Lam. Place this user under dc=example, dc=com, as shown in the following illustration. 

LDAPUser1
An LDAP user shown in Apache Directory Studio

Note:

uid is a manatory property in order to use LDAP users,

  1. Start Apache Directory Studio.
  2. Click LDAP> New Connection and enter the following values:
  • Connection Name: ldap
  • Host: localhost
  • Port: 10389
  • Encryption: no encryption
  • Authenticaion method: simple authentication
  • User DN: uid=admin,ou=system
  • Password: secret
  1. Click Finish.
  2. Under Root, create an entity dc=example,dc=com.
  3. From dc=example,dc=com, select New, New Entity.
  4. Select Create entity from scratch
  5. From the left pane, select person and uidObject
  6. Specify the following LDAP attributes.
LDAPUser
Enter these values

9. Add any other LDAP attributes you want and click Finish. Once done, you see the following values shown in the illustration at the start of this section. 

Tip: For more information about using Apache Directory Studio, see Apache Directory Studio.

Note:

If you encounter an error while adding the new user, evaluate the exception message. For example, if you specify an invalid password value (for example, the value of cn), an exception occurs. 

Configure Experience Manager to use ApacheDS

To configure Experience Manager to use ApacheDS, configure these configuration settings:

  • Apache Jackrabbit Oak LDAP Identity Provider -  defines how users are retrieved from the LDAP server
  • Apache Jackrabbit Default Sync Handler - defines how the Indetity Provider users and groups will be synchronized
  • Apache Jackrabbit External Login Module - defines which Identity Provider and Sync Handler to use

Apache Jackrabbit Oak LDAP Identity Provider

Open the Felix Web Console (http://localhost:4502/system/console/configMgr) and search for the Apache Jackrabbit Oak LDAP Identity Provider config and click on the plus ‘+’ button. Add the following values (based on the LDAP settings created in this article).

  • LDAP Provider Name - name of the provider. You can specify ldap
  • LDAP Server Hostname - the name of the provider. Localhost is used in this example. 
  • LDAP Server Port - the port of the LDAP server. 10389 is used in this article. 
  • Bind DN - DN used for user authentication. uid=admin,ou=system is used.
  • Bind Pwd - the corresponding DN password. The value secret is used. 
  • User base DN - the base DN for user searches. In this example, dc=example,dc=com is specified. (the values entered specified using Apache Directory Studio). 
  • User Id attribute - name of the user attribute. Specify uid (this was specified in Apache Directory Studio). 

When done entering these values, ensure that you click Save. The following illustration shows the Apache Jackrabbit Oak LDAP Identity Provider values.

LDAP3
Apache Jackrabbit Oak LDAP Identity Provider values

Note:

Group attributes are not used in this example. However, you can add group attributes is required. 

Apache Jackrabbit Oak Default Sync Handler

In the Felix Web console, search for the Apache Jackrabbit Oak Default Sync Handler config and click on the plus ‘+’ button. Specify the Sync Handle Name and User Property Mapping as shown in the illustration and Click Save.

In this example, profile/nt:primaryType="nt:unstructured" and profile/givenName=cn values are used for User Property Mapping values. 

 

Default Sync Handler
Default Sync Handler values

Apache Jackrabbit Oak External Login Module

In the Felix Web console, search for the Apache Jackrabbit Oak External Login Module config and click on the plus ‘+’ button. Enter the Identity Provider Name and Sync Handler Name which created before and Click Save.

The following illustration shows this configuration. 

loginMod
Apache Jackrabbit Oak External Login Module

Synchronize ApacheDS users

Although you've configured Experience Manager for use with ApacheDS, you cannot  log in to it as an LDAP user. First log in as administrator, import the LDAP users, and grant them appropriate permissions.

Note:

Before performing the steps in this section, log in to Experience Manager as the LDAP user. The log in attempt will result in an error; however, the LDAP user is imported into Experience Manager.

1. Log into AEM as an administrator.

2. Go to jmx console (http://localhost:4502/system/console/jmx). Search for External Identity Synchronization Management and click on the row.

3. Click on syncAllExternalUsers() to sync all the users manually.

4. Click the Invoke button. 

LDAP4
syncAllExternalUsers operation

5. Go to the Users view at http://localhost:4502/useradmin. You will see the LDAP user named Lam, as shown in this illustration. 

Lam
LDAP users shown in Experience Manager

6. Click the Permissions tab and give the user appropriate permissions. For this walkthrough, grant all permissions to the user.

7. Log out of Experience Manager.

8. Log into AEM as Lam (and the password specified using ApacheDS) to validate the AEM LDAP integration. Now you are logged in as an LDAP user. 

LDAP5
LDAP user logged into AEM

See also

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy