How to Synchronize User with LDAP

Search
CQ User Guide

On this page

Applies to: CRX CRX 2.3

某些 Creative Cloud 应用程序、服务和功能在中国不可用。

Problem

When an individual user (not yet registered in CRX) attempts to login, CRX authenticates against LDAP and if authentication is successful then that user is synchronized with CRX. So, How to force synchronization of LDAP users with CRX so that rights can be assigned before the user first tries to login?

Resolution

From CQ 5.5 service pack update [1] onwards the CRX that provides the ldap functionality is an OSGi service. The LDAP is registered in the OSGi Service Registry as MBean service. This MBean is available in the JMX Console which exposes the ldap attributes and operations. The operation that can be performed are listed at [0]. Some of the ways to achieve synchronization of the user are

  • Manual synchronization of users using felix console
  • Using CURL
  • Creating JMX client that uses LDAP MBean

Manual synchronization of users using felix console

  • Open the felix jmx console and log in as admin at http://<host>:<port>/system/console/jmx
  • Click on domain com.adobe.granite.ldap and it displays list of attributes and operations that can be performed. 
  • Click on operations and pops up with small window to supply parameter (if required). Ex:- syncUser operation, supply the DN of the single user (cn=user001,ou=users,dc=day,dc=com) to be synchronized
  • Click Invoke to transfer appropriate details from the ldap directory server to CRX.

Using CURL

  • List Orphaned Users
    curl -u <UID>:<PASSWORD> -X POST http://<HOST>:<PORT>/system/console/jmx/com.adobe.granite.ldap:host=<ldaphost>,port=<ldapport>,type=Tools/op/listOrphanedUsers/
  • Sync All Users
    curl -u <UID>:<PASSWORD> -X POST http://<HOST>:<PORT>/system/console/jmx/com.adobe.granite.ldap:host=<ldaphost>,port=<ldapport>,type=Tools/op/syncAllUsers/
  • Sync User
    curl -u <UID>:<PASSWORD> -X POST --data user=<cn=user001,ou=users,dc=day,dc=com> http://<HOST>:<PORT>/system/console/jmx/com.adobe.granite.ldap:host=<ldaphost>,port=<ldapport>,type=Tools/op/syncUser/java.lang.String
  • Sync User List
    Ex:-  To sync 2 users user007 & user008 on my localhost
    curl -u <UID>:<PASSWORD> -X POST --data userlist=%5B%22cn%3Duser007%2Cou%3Dusers%2Cdc%3Dday%2Cdc%3Dcom%22%2C%22cn%3Duser008%2Cou%3Dusers%2Cdc%3Dday%2Cdc%3Dcom%22%5D http://localhost:4502/system/console/jmx/com.adobe.granite.ldap%3Ahost%3Dlocalhost%2Cport%3D389%2Ctype%3DTools/op/syncUserList/%5BLjava.lang.String%3B
  • Purge Users
    curl -u <UID>:<PASSWORD> -X POST http://<HOST>:<PORT>/system/console/jmx/com.adobe.granite.ldap:host=<ldaphost>,port=<ldapport>,type=Tools/op/purgeUsers/
  • Sync Users
    curl -u <UID>:<PASSWORD> -X POST http://<HOST>:<PORT>/system/console/jmx/com.adobe.granite.ldap:host=<ldaphost>,port=<ldapport>,type=Tools/op/syncUsers/

Create JMX client that uses LDAP MBean

Below is Sample jmx client code that prints list of Orphaned Users

import javax.management.DynamicMBean;
import java.util.Hashtable;

import javax.management.MBeanServerConnection;
import javax.management.MBeanServerInvocationHandler;
import javax.management.ObjectName;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public class LDAPSampleClient {

    public static void main(String[] args) throws Exception{
        String userid = "admin";
        String password = "admin";
        String serverUrl = "service:jmx:rmi:///jndi/rmi://localhost:9000/jmxrmi";
        String OBJECT_NAME = "com.adobe.granite.ldap:host=localhost,port=389,type=Tools";
        String[] buffer = new String[] { userid, password };
        Hashtable<String, String[]> attributes = new Hashtable<String, String[]>();
        attributes.put("jmx.remote.credentials", (String[]) buffer);        
        MBeanServerConnection server = (MBeanServerConnection) JMXConnectorFactory.connect(new JMXServiceURL(serverUrl), attributes).getMBeanServerConnection();
        ObjectName name = new ObjectName(OBJECT_NAME);
        LDAPUserMBean ldap = (LDAPUserMBean) MBeanServerInvocationHandler.newProxyInstance(server, name, LDAPUserMBean.class,false);
        for(String user : ldap.listOrphanedUsers()) {
            System.out.println(user);
        }
    }

    public static interface LDAPUserMBean extends DynamicMBean {
        public String[] listOrphanedUsers();
        public String[] syncUsers(String[] users);
        public void syncAllUsers();
        public void syncUser(String user);
        public void syncOrphanedUsers();
        public void purgeOrphanedUsers();
    }
    
}

[0]

  • List Orphaned Users :- Retrieves a list of users not present in the LDAP directory anymore.
  • Sync All Users :- Updates all local user informations based on the LDAP directory.
  • Sync User :- Updates the local user information for a specific LDAP entry.
  • Sync User List :- Updates the local user information for a list of LDAP entries.
  • Purge Users :- Removes the local user information for all users removed from the LDAP server.
  • Sync Users :- Updates the local user information for the list defined in the orphaned.users attribute.

[1]   http://dev.day.com/packageshare/packages/public/day/cq550/update/cq-update-pkg.html


Note:- If you have taken out LDAP config OR LDAP is not configured, Then Mbean will not be visible in the JMX console.

Applies to

CRX 2.3