Configuring LDAP

Symptoms

LDAP authentication is required to authenticate users stored in a (central) LDAP directory such as Active Directory, but no corresponding configuration can be found in the Sling Management Console.

Cause

LDAP authentication is enabled and configured at the repository level, so it is handled directly by CRX rather than by CQ5 itself.

Resolution

CQ5.3 with CRX2.1 LDAP Configuration

For documentation on how to configure LDAP integration for CQ5.3, go here

CQ5.4 or CQ5.3 with CRX2.2 LDAP Configuration

For documentation on how to configure LDAP integration for CRX2.2, go here

CQ5.2.X LDAP Configuration

Please refer to the corresponding section [1] on our documentation site.

Note: when passing the JVM option, use an absolute path to the ldap_login.conf file:

java -Djava.security.auth.login.config=/opt/day/cq5/crx-quickstart/server/etc/ldap_login.conf -jar cq-quickstart.jar

If you start the server with the crx-quickstart/server/start script, you can instead set the following environment variables:

CQ_JVM_JAAS=1
CQ_JVM_JAAS_CONFIG=crx-quickstart/server/etc/ldap_login.conf

Sample ldap configurations

CQ5.2.X Configuration for use with Active Directory

This configuration uses CQ groups (i.e. groups are not synchronized from Active Directory):

com.day.crx {
    com.day.crx.security.authentication.CRXLoginModule sufficient;
    com.day.crx.security.ldap.LDAPLoginModule required
    principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
    principal_provider.name="ldap"
    host="ldapserverhostname" port="389"
    authDn="dc=testldap,dc=com"
    authPw="test"
    userRoot="ou=CQ,ou=Users,dc=testldap,dc=com"
    authentication.mode="user"
    userIdAttribute="sAMAccountName"
    deny_anonymous_access="true"
    autocreate="create"
    autocreate.syncdelay="1800"
    autocreate.lastmodified="lastmodified"
    autocreate.user.mail="rep:e-mail"
    autocreate.user.cn="rep:fullname"
    autocreate.path="splitdn"
    cacheMaxSize="10000"
    cache.expiration="600"
    cache.maxsize="100";
};

CQ5.3 with CRX 2.1 (and Hotfix 2.1.0.4 installed) for use with Active Directory

Active Directory setup with group and user synchronization for CQ5.3/CRX2.1 with CRX hotfix 2.1.0.4 installed. To disable group synchronization, set the groupRoot property to an empty but existing OU.

com.day.crx {
    com.day.crx.security.ldap.LDAPLoginModule required
    restore-login-identity="false"
    principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
    principal_provider.name="ldap"
    host="ldapserverhostname" port="389"
    userRoot="ou=CQ,ou=Users,dc=testldap,dc=com"
    authDn="CN=CQAdmin,OU=Users,dc=testldap,dc=com"
    authPw="test"
    bindDn="dc=testldap,dc=us"
    groupMembershipAttribute="member"
    groupRoot="ou=CQ,ou=Groups,dc=testldap,dc=com"
    groupFilter="(objectclass=group)"
    searchTimeout="100"
    userIdAttribute="sAMAccountName"
    deny_anonymous_access="true"
    autocreate="create"
    autocreate.lastmodified="whenChanged"
    autocreate.user.mail="email"
    autocreate.user.sn="cq:last-name"
    autocreate.user.givenName="cq:first-name"
    autocreate.user.description="aboutMe"
    autocreate.user.cn="rep:fullname"
    autocreate.group.cn="rep:fullname"
    autocreate.group.givenName="cq:first-name"
    autocreate.group.mail="email"
    autocreate.group.description="aboutMe"
    autocreate.group.localadmin="admin"
    autocreate.path="splitdn"
    autocreate.syncdelay="1800"
    cache.expiration="600"
    cache.maxsize="100";
    com.day.crx.core.CRXLoginModule required;
};

CQ5.4 and CQ5.5 for use with Active Directory

Active Directory setup with group and user synchronization for CQ5.4. To disable group synchronization, set the groupRoot property to an empty but existing OU.

com.day.crx {
  com.day.crx.core.CRXLoginModule sufficient
    trust_credentials_attribute="TrustedInfo";
  com.day.crx.security.ldap.LDAPLoginModule required
    principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
    principal_provider.name="ldapDirectory"
    trust_credentials_attribute="TrustedInfo"
    host="ldap-server-hostname"
    port="389"
    authDn="CN=Admin,OU=Users,DC=test,DC=com"
    authPw="xxxxxxxxx"
    userRoot="OU=Users,DC=test,DC=com"
    userIdAttribute="sAMAccountName"
    groupRoot="OU=Groups,DC=test,DC=com"
    groupMembershipAttribute="member"
    autocreate="create"
    autocreate.path="none"
    autocreate.user.cn="rep:fullname"
    autocreate.user.mail="profile/email"
    autocreate.user.sn="profile/familyName"
    autocreate.user.givenName="profile/givenName"
    autocreate.group.cn="rep:fullname"
    autocreate.group.mail="profile/email"
    cache.expiration="7200"
    cache.maxsize="1000"
    userFilter="(objectClass=person)"
    groupFilter="(objectClass=group)";
};
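
As an added example (not part of Adobe's documentation or the CRX code base), the following Python script parses the JAAS syntax used by the ldap_login.conf samples above and rejects the two slips that are easy to make when editing these files by hand: a quoted value whose closing quote is missing, and an option repeated within one login module entry. It only handles the `AppName { Module flag key="value" ...; };` form shown on this page, not JAAS `//` comments.

```python
import re

# Token kinds: a double-quoted value (no raw newlines inside), one of { } ; =, or a bare word.
_TOKEN = re.compile(r'\s*(?:("(?:[^"\\\n]|\\.)*")|([{};=])|([^\s{};="]+))')
_FLAGS = {"required", "requisite", "sufficient", "optional"}

def _tokenize(text):
    pos, out, text = 0, [], text.rstrip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:  # typically a value whose closing double quote is missing
            raise ValueError(f"unterminated or illegal token near {text[pos:pos + 30]!r}")
        quoted, punct, word = m.groups()
        out.append(("str", quoted[1:-1]) if quoted else ("punct", punct) if punct else ("word", word))
        pos = m.end()
    return out

def parse_jaas(text):
    """Parse login.conf syntax into {app: [(module class, control flag, options)]}."""
    toks, i, apps = _tokenize(text), 0, {}
    try:
        while i < len(toks):
            app = toks[i][1]
            if toks[i][0] != "word" or toks[i + 1] != ("punct", "{"):
                raise ValueError(f"expected 'AppName {{' but found {app!r}")
            i, entries = i + 2, []
            while toks[i] != ("punct", "}"):
                module, flag = toks[i][1], toks[i + 1][1].lower()
                if flag not in _FLAGS:
                    raise ValueError(f"{module}: unknown control flag {flag!r}")
                i, options = i + 2, {}
                while toks[i] != ("punct", ";"):
                    key, eq, (_, value) = toks[i][1], toks[i + 1], toks[i + 2]
                    if eq != ("punct", "=") or key in options:
                        raise ValueError(f"{module}: malformed or duplicate option {key!r}")
                    options[key] = value
                    i += 3
                entries.append((module, flag, options))
                i += 1  # skip the ';' that ends this module entry
            apps[app] = entries
            i += 2  # skip the closing '}' and ';'
    except IndexError:
        raise ValueError("configuration ends in the middle of an entry") from None
    return apps

def parse_error(text):
    """Message from a failed parse, or None when the config parses cleanly."""
    try:
        parse_jaas(text)
    except ValueError as exc:
        return str(exc)
```

Run parse_error() over your ldap_login.conf before pointing -Djava.security.auth.login.config at it; a None result means the file is at least syntactically what the JVM expects.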

Applies to

CQ 5.1, CQ 5.2.X

[1] LDAP configuration
