Symptoms
LDAP authentication is required to authenticate users stored in a (central) LDAP directory such as Active Directory. There is no configuration to be found in the Sling Management Console.
Cause
LDAP authentication needs to be enabled and configured at the repository level, so it is handled directly by CRX and not by CQ5 itself.
Resolution
CQ5.3 with CRX2.1 LDAP Configuration
For documentation on how to configure LDAP integration for CQ5.3, go here
CQ5.4 or CQ5.3 with CRX2.2 LDAP Configuration
For documentation on how to configure LDAP integration for CRX2.2, go here
CQ5.2.X LDAP Configuration
Please refer to the corresponding section [1] on our documentation site.
Please note: when passing the JVM option, configure an absolute path to the ldap_login.conf file:
java -Djava.security.auth.login.config=/opt/day/cq5/crx-quickstart/server/etc/ldap_login.conf -jar cq-quickstart.jar
If you are using the crx-quickstart/server/start script to start your server, you can set the following environment variables instead:
CQ_JVM_JAAS=1
CQ_JVM_JAAS_CONFIG=crx-quickstart/server/etc/ldap_login.conf
Sample ldap configurations
CQ5.2.X Configuration for use with Active Directory
This configuration uses CQ groups (i.e. groups are not synchronized from Active Directory):
com.day.crx {
    com.day.crx.security.authentication.CRXLoginModule sufficient;
    com.day.crx.security.ldap.LDAPLoginModule required
        principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
        principal_provider.name="ldap"
        host="ldapserverhostname" port="389"
        authDn="dc=testldap,dc=com"
        authPw="test"
        userRoot="ou=CQ,ou=Users,dc=testldap,dc=com"
        authentication.mode="user"
        userIdAttribute="sAMAccountName"
        deny_anonymous_access="true"
        autocreate="create"
        autocreate.syncdelay="1800"
        autocreate.lastmodified="lastmodified"
        autocreate.user.mail="rep:e-mail"
        autocreate.user.cn="rep:fullname"
        autocreate.path="splitdn"
        cacheMaxSize="10000"
        cache.expiration="600"
        cache.maxsize="100";
};
CQ5.3/CRX2.1 Configuration for use with Active Directory
Active Directory setup with group and user synchronization, for use with CQ5.3/CRX2.1 with CRX hotfix 2.1.0.4 installed. To disallow group synchronization, set the groupRoot property to an empty, existing OU.
com.day.crx {
    com.day.crx.security.ldap.LDAPLoginModule required
        restore-login-identity="false"
        principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
        principal_provider.name="ldap"
        host="ldapserverhostname" port="389"
        userRoot="ou=CQ,ou=Users,dc=testldap,dc=com"
        authDn="CN=CQAdmin,OU=Users,dc=testldap,dc=com"
        authPw="test"
        bindDn="dc=testldap,dc=us"
        groupMembershipAttribute="member"
        groupRoot="ou=CQ,ou=Groups,dc=testldap,dc=com"
        groupFilter="(objectclass=group)"
        searchTimeout="100"
        userIdAttribute="sAMAccountName"
        deny_anonymous_access="true"
        autocreate="create"
        autocreate.lastmodified="whenChanged"
        autocreate.user.mail="email"
        autocreate.user.sn="cq:last-name"
        autocreate.user.givenName="cq:first-name"
        autocreate.user.description="aboutMe"
        autocreate.user.cn="rep:fullname"
        autocreate.group.cn="rep:fullname"
        autocreate.group.givenName="cq:first-name"
        autocreate.group.mail="email"
        autocreate.group.description="aboutMe"
        autocreate.group.localadmin="admin"
        autocreate.path="splitdn"
        autocreate.syncdelay="1800"
        cache.expiration="600"
        cache.maxsize="100";
    com.day.crx.core.CRXLoginModule required;
};
CQ5.4 and CQ5.5 for use with Active Directory
Active Directory setup with group and user synchronization, for use with CQ5.4 and CQ5.5. To disallow group synchronization, set the groupRoot property to an empty, existing OU.
com.day.crx {
    com.day.crx.core.CRXLoginModule sufficient
        trust_credentials_attribute="TrustedInfo";
    com.day.crx.security.ldap.LDAPLoginModule required
        principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
        principal_provider.name="ldapDirectory"
        trust_credentials_attribute="TrustedInfo"
        host="ldap-server-hostname"
        port="389"
        authDn="CN=Admin,OU=Users,DC=test,DC=com"
        authPw="xxxxxxxxx"
        userRoot="OU=Users,DC=test,DC=com"
        userIdAttribute="sAMAccountName"
        groupRoot="OU=Groups,DC=test,DC=com"
        groupMembershipAttribute="member"
        autocreate="create"
        autocreate.path="none"
        autocreate.user.cn="rep:fullname"
        autocreate.user.mail="profile/email"
        autocreate.user.sn="profile/familyName"
        autocreate.user.givenName="profile/givenName"
        autocreate.group.cn="rep:fullname"
        autocreate.group.mail="profile/email"
        cache.expiration="7200"
        cache.maxsize="1000"
        userFilter="(objectClass=person)"
        groupFilter="(objectClass=group)";
};
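Added example, not part of this article and not CRX code: a small Python parser for the JAAS login-configuration syntax that ldap_login.conf uses, followed by a lint pass for the slips these samples invite when copied by hand (a value whose closing quote is missing, an option given twice, deny_anonymous_access not set to "true", plain LDAP on port 389, and the clear-text authPw). The sample entry is constructed in the shape of the CQ5.4 block; the option names are the article's, the checks are mine.

```python
import re
# Constructed sample in the shape of this article's CQ5.4 entry; the repeated
# authDn and the absent deny_anonymous_access are planted for lint() to find.
SAMPLE = '''com.day.crx {
  com.day.crx.core.CRXLoginModule sufficient trust_credentials_attribute="TrustedInfo";
  com.day.crx.security.ldap.LDAPLoginModule required host="ldap-server-hostname" port="389"
    authDn="dc=test,dc=com" authDn="CN=Admin,OU=Users,DC=test,DC=com" authPw="xxxxxxxxx"
    userRoot="OU=Users,DC=test,DC=com" userIdAttribute="sAMAccountName";
};'''
# JAAS login.config tokens: blanks/comments, "quoted value", punctuation, bare word;
# a lone '"' is a value whose closing quote never came on that line: reported, not guessed.
TOKEN = re.compile(r'\s+|//[^\n]*|/\*.*?\*/|"([^"\n]*)"|([{};=])|([^\s{};="]+)|(")', re.S)

def tokenize(text):
    toks = []
    for m in TOKEN.finditer(text):
        if m.group(4): raise ValueError('unterminated quote on line %d' % (text.count('\n', 0, m.start()) + 1))
        if m.group(1) is not None: toks.append(('str', m.group(1)))
        elif m.group(2): toks.append(('sym', m.group(2)))
        elif m.group(3): toks.append(('word', m.group(3)))
    return toks

def parse_jaas(text):
    # Returns {entry_name: [(module_class, flag, {option: value}, [keys given twice])]}
    toks, i, entries = tokenize(text), 0, {}
    def take(kind, val=None):
        nonlocal i
        t = toks[i]; i += 1
        assert t[0] == kind and val in (None, t[1]), 'unexpected token %r' % (t,)
        return t[1]
    while i < len(toks):
        name, modules = take('word'), []; take('sym', '{')
        while toks[i] != ('sym', '}'):
            cls, flag, opts, dups = take('word'), take('word'), {}, []
            while toks[i] != ('sym', ';'):
                key = take('word'); take('sym', '=')
                if key in opts: dups.append(key)
                opts[key] = toks[i][1]; i += 1
            take('sym', ';'); modules.append((cls, flag, opts, dups))
        take('sym', '}'); take('sym', ';'); entries[name] = modules
    return entries

def lint(entries):
    out = []
    for cls, flag, o, dups in sum(entries.values(), []):
        out += ['%s: option %s given twice, only one value survives' % (cls, d) for d in dups]
        if not cls.endswith('LDAPLoginModule'): continue
        out += [msg for bad, msg in (
            (o.get('deny_anonymous_access', '').lower() != 'true', 'deny_anonymous_access is not "true": a DN with an empty password is an anonymous bind, not a failure'),
            (o.get('port') == '389', 'port 389 is plain LDAP: bind and user passwords cross the wire unencrypted unless the link is protected'),
            ('authPw' in o, 'authPw is stored in clear text: restrict the file permissions of ldap_login.conf')) if bad]
    return out
```

Run lint(parse_jaas(open(path).read())) against your own ldap_login.conf; an empty list means none of the checks above fired, not that the directory binds succeed.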
Applies to
CQ 5.1, CQ 5.2.X
[1] LDAP configuration