Download the version of oak-run that matches your Oak version installed in AEM.

Download the attached setRepExternalId.groovy.

Upload both oak-run and the groovy script to your AEM server.

Stop AEM.

To open the oak-run console, run the following command . (Replace crx-quickstart/repository/segmentstore with the path to your AEM instance's repository/segmenstore).

Run the following commands in the console. (Replace the ldap parameter to match the name of your LDAP Identity Provider OSGi configuration. For example, if your IDP name is configured in the OSGi configuration as ldap, then change that name in the jsp also.  

As a result it runs a dry run with the output as all LDAP users and groups on AEM displaying the rep: externalId and rep: authorizableId are set.  

If you are satisfied with the output, then move to the next step.

Run the command from step 6 again, but this time, add the parameter false to the end. It applies the changes. (Once again ensure to change ldap to match your configuration name instead).

Go to http://aem-host:port/crx/de/index.jsp and log in as admin.

Browse to /oak: index.

Set property reindex=true on the following indexes if they exist:

• /oak:index/externalId
• /oak:index/authorizableId
• /oak:index/authorizables

Click Save All.

Indexing causes the system to hang until it is done. 

Monitor the logs until it is completed.
As a result, the users can log in to the system.