Symptoms

LDAP authentication is required to authenticate users stored in a (central) LDAP directory such as Active Directory, but no corresponding configuration can be found in the Sling Management Console.

Cause

LDAP authentication is enabled and configured at the repository level, so it is handled directly by CRX rather than by CQ5 itself.

Resolution

CQ5.3 with CRX2.1 LDAP Configuration

For documentation on how to configure LDAP integration for CQ5.3, go here

CQ5.4 or CQ5.3 with CRX2.2 LDAP Configuration

For documentation on how to configure LDAP integration for CRX2.2, go here

CQ5.2.X LDAP Configuration

Please refer to the corresponding section [1] on our documentation site.

Note: when passing the JVM option, configure an absolute path to the ldap_login.conf file:

java -Djava.security.auth.login.config=/opt/day/cq5/crx-quickstart/server/etc/ldap_login.conf -jar cq-quickstart.jar

If you use the crx-quickstart/server/start script to start the server, you can set the following environment variables instead:

CQ_JVM_JAAS=1
CQ_JVM_JAAS_CONFIG=crx-quickstart/server/etc/ldap_login.conf

Sample ldap configurations

CQ5.2.X Configuration for use with Active Directory

This configuration uses CQ groups (i.e. groups are not synchronized from Active Directory):

com.day.crx {
    com.day.crx.security.authentication.CRXLoginModule sufficient;
    com.day.crx.security.ldap.LDAPLoginModule required
    principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
    principal_provider.name="ldap"
    host="ldapserverhostname" port="389"
    authDn="dc=testldap,dc=com"
    authPw="test"
    userRoot="ou=CQ,ou=Users,dc=testldap,dc=com"
    authentication.mode="user"
    userIdAttribute="sAMAccountName"
    deny_anonymous_access="true"
    autocreate="create"
    autocreate.syncdelay="1800"
    autocreate.lastmodified="lastmodified"
    autocreate.user.mail="rep:e-mail"
    autocreate.user.cn="rep:fullname"
    autocreate.path="splitdn"
    cacheMaxSize="10000"
    cache.expiration="600"
    cache.maxsize="100";
};

CQ5.3 with CRX 2.1 (and Hotfix 2.1.0.4 installed) for use with Active Directory

Active Directory setup with Group and User synchronization to use with CQ5.3/CRX2.1 with CRX hotfix 2.1.0.4 installed. To disallow group synchronization, set the groupRoot property to an empty, existing OU.

com.day.crx {
    com.day.crx.security.ldap.LDAPLoginModule required
    restore-login-identity="false"
    principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
    principal_provider.name="ldap"
    host="ldapserverhostname" port="389"
    userRoot="ou=CQ,ou=Users,dc=testldap,dc=com"
    authDn="CN=CQAdmin,OU=Users,dc=testldap,dc=com"
    authPw="test"
    bindDn="dc=testldap,dc=us"
    groupMembershipAttribute="member"
    groupRoot="ou=CQ,ou=Groups,dc=testldap,dc=com"
    groupFilter="(objectclass=group)"
    searchTimeout="100"
    userIdAttribute="sAMAccountname"
    deny_anonymous_access="true"
    autocreate="create"
    autocreate.lastmodified="whenChanged"
    autocreate.user.mail="email"
    autocreate.user.sn="cq:last-name"
    autocreate.user.givenName="cq:first-name"
    autocreate.user.description="aboutMe"
    autocreate.user.cn="rep:fullname"
    autocreate.group.cn="rep:fullname"
    autocreate.group.givenName="cq:first-name"
    autocreate.group.mail="email"
    autocreate.group.description="aboutMe"
    autocreate.group.localadmin="admin"
    autocreate.path="splitdn"
    autocreate.syncdelay="1800"
    cache.expiration="600"
    cache.maxsize="100";
    com.day.crx.core.CRXLoginModule required;
};

CQ5.4 and CQ5.5 for use with Active Directory

Active Directory setup with Group and User synchronization to use with CQ5.4. To disallow group synchronization, set the groupRoot property to an empty, existing OU.

com.day.crx {
  com.day.crx.core.CRXLoginModule sufficient
    trust_credentials_attribute="TrustedInfo";
  com.day.crx.security.ldap.LDAPLoginModule required
    principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
    principal_provider.name="ldapDirectory"
    trust_credentials_attribute="TrustedInfo"
    host="ldap-server-hostname"
    port="389"
    authDn="CN=Admin,OU=Users,DC=test,DC=com"
    authPw="xxxxxxxxx"
    userRoot="OU=Users,DC=test,DC=com"
    userIdAttribute="sAMAccountName"
    groupRoot="OU=Groups,DC=test,DC=com"
    groupMembershipAttribute="member"
    autocreate="create"
    autocreate.path="none"
    autocreate.user.cn="rep:fullname"
    autocreate.user.mail="profile/email"
    autocreate.user.sn="profile/familyName"
    autocreate.user.givenName="profile/givenName"
    autocreate.group.cn="rep:fullname"
    autocreate.group.mail="profile/email"
    cache.expiration="7200"
    cache.maxsize="1000"
    userFilter="(objectClass=person)"
    groupFilter="(objectClass=group)";
};
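As an added example (not Adobe's code and not part of the original article), the following Python script checks a file in the ldap_login.conf format of the samples above for three defects that are easy to introduce when editing by hand: a quoted value that is never closed, an option given twice within one login module entry, and an LDAPLoginModule entry that does not set deny_anonymous_access="true" as the CQ5.2 and CQ5.3 samples do. The embedded sample configuration, including its hostname and DNs, is constructed for the example and does not describe any real directory.

```python
import re

# Constructed minimal config in the ldap_login.conf format used above. It
# deliberately carries the defects a hand-edited file can pick up: an
# unterminated quoted value, a duplicated option, and no
# deny_anonymous_access on the LDAP module.
SAMPLE_BROKEN = '''com.day.crx {
    com.day.crx.security.authentication.CRXLoginModule sufficient;
    com.day.crx.security.ldap.LDAPLoginModule required
    host="ldapserverhostname" port="389"
    authDn="CN=CQAdmin,OU=Users,dc=example,dc=com"
    authPw="test"
    authPw="test"
    userRoot="ou=CQ,ou=Users,dc=example,dc=com
    userIdAttribute="sAMAccountName";
};
'''

BLOCK_RE = re.compile(r'([\w.]+)\s*\{(.*?)\}\s*;', re.S)   # name { ... };
MODULE_RE = re.compile(r'^\s*([\w.$]+)\s+(required|requisite|sufficient|optional)\b', re.I)
OPTION_RE = re.compile(r'([\w.\-]+)\s*=\s*"([^"\n]*)"')    # key="value" on one line

def check_jaas(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    # An odd number of double quotes on a line means a value was never closed.
    for no, line in enumerate(text.splitlines(), 1):
        if line.count('"') % 2:
            findings.append(f'line {no}: unterminated quoted value')
    for app, body in BLOCK_RE.findall(text):
        # Each login module entry inside the application block ends with ';'.
        for entry in filter(str.strip, body.split(';')):
            m = MODULE_RE.match(entry)
            if not m:
                findings.append(f'{app}: entry without class and flag: {entry.strip()[:40]!r}')
                continue
            cls = m.group(1)
            opts = {}
            for key, value in OPTION_RE.findall(entry):
                if key in opts:
                    findings.append(f'{app}/{cls}: option {key!r} set twice')
                opts[key] = value
            # The CQ5.2/5.3 samples rely on this option to refuse anonymous binds.
            if cls.endswith('LDAPLoginModule') and opts.get('deny_anonymous_access') != 'true':
                findings.append(f'{app}/{cls}: deny_anonymous_access is not "true"')
    return findings

if __name__ == '__main__':
    for finding in check_jaas(SAMPLE_BROKEN):
        print(finding)
```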

Applies to

CQ 5.1, CQ 5.2.X,
[1] LDAP configuration

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
