LDAP in AEM 6.x

Starting in Adobe Experience Manager 6.0, there has been a significant change in the way LDAP Authentication is managed. Rather than using the jaas.conf file of earlier releases, AEM 6.0 comes with Jackrabbit Oak, which has its own LDAP integration. Although the Apache Jackrabbit developers have provided documentation for configuring the system, we felt that it would be helpful if we could provide an example of this configuration.

There are three things we need to configure in Adobe Experience Manager: the LdapIdentityProvider, a DefaultSyncHandler, and an ExternalLoginModule. While in these examples we will be using the Felix Console, we at Axis41 always recommend that all Production OSGi configurations be saved in your source code repository, and become a regular part of your deployment process.

You should take the time to understand all the options in each configuration; however, we will be focusing on the options that you most likely will need to configure.

Apache Jackrabbit Oak LDAP Identity Provider (LdapIdentityProvider)


provider.name The “idp.name” we will provide to the ExternalLoginModule
host.name The host where your LDAP server is running
bind.dn The Distinguished Name (DN) to bind to LDAP with
bind.password The password to bind to LDAP with
user.baseDN The LDAP DN that is the base for user accounts that will be allowed to authenticate with AEM
user.objectclass The LDAP objectclass for user objects that will be allowed to authenticate with AEM
user.idAttribute The LDAP attribute that will determine the AEM username
group.baseDN The LDAP DN that is the base for group objects that will be searched by AEM

Apache Jackrabbit Oak Default Sync Handler (DefaultSyncHandler)


handler.name The “sync.handlerName” we will provide to the ExternalLoginModule
user.expirationTime How long after synchronization a user object should be considered valid
user.autoMembership Synchronized users will automatically be added to this group.
user.propertyMapping A String[] of “key=value” pairs; keys will be the AEM property name, values the LDAP property which will be copied.
user.pathPrefix Location where synced users will be stored; the value will be appended to /home/users.
group.pathPrefix Location where synced groups will be stored; the value will be appended to /home/groups.

Apache Jackrabbit Oak External Login Module (ExternalLoginModule)


idp.name provider.name from the LdapIdentityProvider
sync.handlerName handler.name from the DefaultSyncHandler
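
The three configurations are tied together only by matching strings, so once they are saved in source control a deployment-time check like the one below can catch a broken link before it reaches an instance. This is an added example, not code from the original article or from the Oak project; the file names and sample values are constructed, it parses only the simple key="value" subset of the Felix .config format, and it assumes a bind.password wrapped in {...} has been protected with AEM's Crypto Support.

```python
import re

# PIDs of the three Oak factory configurations described above.
IDP = "org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
SYNC = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler"
LOGIN = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"
PROP = re.compile(r'^\s*([\w.]+)\s*=\s*"(.*)"\s*$')

def parse(text):
    """Parse key="value" lines (scalars only, escape sequences are not decoded)."""
    return dict(m.groups() for m in map(PROP.match, text.splitlines()) if m)

def lint(files):
    """files: {filename: content}. Returns a list of findings (empty means OK)."""
    by_pid = {IDP: [], SYNC: [], LOGIN: []}
    for name, text in files.items():
        for pid in by_pid:
            if name.startswith(pid):
                by_pid[pid].append((name, parse(text)))
    providers = {c.get("provider.name") for _, c in by_pid[IDP]} - {None}
    handlers = {c.get("handler.name") for _, c in by_pid[SYNC]} - {None}
    findings = []
    for name, c in by_pid[LOGIN]:
        if c.get("idp.name") not in providers:
            findings.append(f"{name}: idp.name={c.get('idp.name')!r} matches no provider.name")
        if c.get("sync.handlerName") not in handlers:
            findings.append(f"{name}: sync.handlerName={c.get('sync.handlerName')!r} matches no handler.name")
    for name, c in by_pid[IDP]:
        pw = c.get("bind.password", "")
        # Assumption: a value of the form {...} was encrypted before being committed.
        if pw and not (pw.startswith("{") and pw.endswith("}")):
            findings.append(f"{name}: bind.password is committed in clear text")
    return findings

SAMPLE = {  # constructed example files, not taken from the article
    IDP + "-corp.config": 'provider.name="corp_ldap"\nhost.name="ldap.example.com"\n'
                          'bind.dn="cn=aem-bind,dc=example,dc=com"\n'
                          'bind.password="Secret123"\n',
    SYNC + "-corp.config": 'handler.name="corp_sync"\nuser.pathPrefix="ldap"\n',
    LOGIN + "-corp.config": 'idp.name="corp_ldap"\nsync.handlerName="default"\n',
}

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
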

What it looks like after it syncs

One of the things we found to be a surprise was the name Adobe Experience Manager chooses for the node as it syncs the user from LDAP. Here’s a CRXDE Lite view of a set of objects created using the OSGi configs I shared above. You can see the machine-generated name of both the user and group nodes after the sync took place.