Download the version of oak-run that matches your Oak version installed in AEM.
After upgrading from CQ5.x or AEM 6.0 to AEM 6.0 SP3, 6.1, or 6.2, the existing LDAP users can no longer log in to AEM.
This is a known issue, caused by a change in the properties on the LDAP-connected user nodes.
Either delete the existing LDAP users and let them be re-synced automatically, or follow these instructions:
Download the attached setRepExternalId.groovy.
Upload both oak-run and the groovy script to your AEM server.
To open the oak-run console, run the following command. (Replace crx-quickstart/repository/segmentstore with the path to your AEM instance's repository/segmentstore.)
java -Xmx2048m -jar oak-run-*.jar console crx-quickstart/repository/segmentstore
Run the following commands in the console. (Replace the ldap parameter to match the name of your LDAP Identity Provider OSGi configuration. For example, if your IDP name is configured in the OSGi configuration as ldap, then change that name in the jsp also.)
:load setRepExternalId.groovy
new FixLDAPUsers().setRepUserProps(session, "/home", "ldap")
This performs a dry run. The output lists all LDAP users and groups on AEM and shows that rep:externalId and rep:authorizableId are set.
If you are satisfied with the output, then move to the next step.
Run the command from step 6 again, but this time add the parameter false to the end. This applies the changes. (Once again, be sure to change ldap to match your configuration name.)
:load setRepExternalId.groovy
new FixLDAPUsers().setRepUserProps(session, "/home", "ldap", false)
Go to http://aem-host:port/crx/de/index.jsp and log in as admin.
Browse to /oak:index.
Set property reindex=true on the following indexes if they exist:
Click Save All.
Reindexing causes the system to hang until it is done.
Monitor the logs until it is completed.
Once reindexing completes, the users can log in to the system.