Starting in Adobe Experience Manager 6.0, there has been a significant change in the way LDAP Authentication is managed. Rather than using the jaas.conf file of earlier releases, AEM 6.0 comes with Jackrabbit Oak, which has its own LDAP integration. Although the Apache Jackrabbit developers have provided documentation for configuring the system, we felt that it would be helpful if we could provide an example of this configuration.
There are three things we need to configure in Adobe Experience Manager: the LdapIdentityProvider, a DefaultSyncHandler, and an ExternalLoginModule. While in these examples we will be using the Felix Console, we at Axis41 always recommend that all Production OSGi configurations be saved in your source code repository, and become a regular part of your deployment process.
You should take the time to understand all the options in each configuration; however, we will be focusing on the options that you most likely will need to configure.
Apache Jackrabbit Oak LDAP Identity Provider (LdapIdentityProvider)
| Property | Description |
| --- | --- |
| provider.name | The name of this identity provider; the "idp.name" we give the ExternalLoginModule must match it exactly |
| host.name | The host where your LDAP server is running (set host.port, and host.ssl or host.tls, to match; without SSL or StartTLS the bind credentials and every user's password cross the wire in clear) |
| bind.dn | The Distinguished Name (DN) of the service account AEM binds with to search for users and groups |
| bind.password | The password for that bind DN (not a username); keep it out of the source repository and inject it at deploy time |
| user.baseDN | The LDAP DN that is the base for user accounts that will be allowed to authenticate with AEM |
| user.objectclass | The LDAP objectclass for user objects that will be allowed to authenticate with AEM |
| user.idAttribute | The LDAP attribute whose value becomes the AEM user id |
| group.baseDN | The LDAP DN that is the base for group objects that will be searched by AEM |
Apache Jackrabbit Oak Default Sync Handler (DefaultSyncHandler)
| Property | Description |
| --- | --- |
| handler.name | The name of this sync handler; the "sync.handlerName" we give the ExternalLoginModule must match it exactly |
| user.expirationTime | How long a synced user is considered current before the next login re-syncs it from LDAP (for example "1h") |
| user.autoMembership | AEM groups that every synced user is automatically added to (a list of group ids) |
| user.propertyMapping | A list of "key=value" strings; each key is the property on the AEM user node (a relative path such as profile/email) and each value the LDAP attribute copied into it |
| user.pathPrefix | Location where synced users will be stored; the value is appended to /home/users |
| group.pathPrefix | Location where synced groups will be stored; the value is appended to /home/groups |
Apache Jackrabbit Oak External Login Module (ExternalLoginModule)
| Property | Description |
| --- | --- |
| idp.name | provider.name from the LdapIdentityProvider |
| sync.handlerName | handler.name from the DefaultSyncHandler |
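Because the three components are tied together only by matching names, the failure we see most often is a provider.name, handler.name, idp.name or sync.handlerName that does not line up, which leaves you with a login module that silently finds no identity provider. The following added example (ours for this article, not Axis41's deployment code and not part of Jackrabbit Oak) shows the three configs as files you would check into source control in Apache Felix .config syntax, and a small Python check that parses them and verifies the cross-references before deployment. The factory PIDs are the standard Oak ones for AEM 6.x (verify them against your version's Felix Console); the hostname, DNs, group names and the "corp" alias are assumptions for illustration.

```python
"""Checked-in OSGi configs for the three Oak LDAP components, plus a linkage check."""
import re
from typing import Dict, List, Union

Value = Union[str, int, bool, List[str]]

# Factory PIDs of the three components; a config file is named <PID>-<alias>.config.
LDAP_IDP_PID = "org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
SYNC_HANDLER_PID = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler"
LOGIN_MODULE_PID = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"

# Constructed sample in Felix .config syntax: I"..." is an Integer, B"..." a Boolean,
# [...] a String array. Host, DNs, group names and the "corp" alias are assumptions.
CONFIGS: Dict[str, str] = {
    f"{LDAP_IDP_PID}-corp.config": """
provider.name="corp-ldap"
host.name="ldap.example.com"
host.port=I"636"
host.ssl=B"true"
bind.dn="cn=aem-svc,ou=service,dc=example,dc=com"
bind.password="REPLACE-AT-DEPLOY-TIME"
user.baseDN="ou=people,dc=example,dc=com"
user.objectclass="inetOrgPerson"
user.idAttribute="uid"
group.baseDN="ou=groups,dc=example,dc=com"
group.objectclass="groupOfUniqueNames"
group.memberAttribute="uniqueMember"
""",
    f"{SYNC_HANDLER_PID}-corp.config": """
handler.name="corp-sync"
user.expirationTime="1h"
user.autoMembership=["contributor"]
user.propertyMapping=["profile/givenName=givenName","profile/familyName=sn","profile/email=mail"]
user.pathPrefix="ldap"
group.pathPrefix="ldap"
""",
    f"{LOGIN_MODULE_PID}-corp.config": """
jaas.ranking=I"50"
jaas.controlFlag="SUFFICIENT"
idp.name="corp-ldap"
sync.handlerName="corp-sync"
""",
}

# One entry per line: key, optional type code (I=Integer, B=Boolean), quoted value or array.
_ENTRY = re.compile(r'^([\w.\-]+)=([IB]?)(".*"|\[.*\])$')


def parse_felix_config(text: str) -> Dict[str, Value]:
    """Parse the one-entry-per-line subset of the Felix .config format these files use."""
    props: Dict[str, Value] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"unparseable entry: {line}")
        key, type_code, body = m.groups()
        if body.startswith("["):
            props[key] = re.findall(r'"([^"]*)"', body)  # String array
        elif type_code == "I":
            props[key] = int(body[1:-1])
        elif type_code == "B":
            props[key] = body[1:-1].lower() == "true"
        else:
            props[key] = body[1:-1]
    return props


def audit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """errors: the three configs do not reference each other; warnings: transport and secret hygiene."""
    parsed = {name: parse_felix_config(body) for name, body in files.items()}

    def of(pid: str) -> List[Dict[str, Value]]:
        return [p for name, p in parsed.items() if name.startswith(pid + "-")]

    idps, handlers, modules = of(LDAP_IDP_PID), of(SYNC_HANDLER_PID), of(LOGIN_MODULE_PID)
    errors: List[str] = []
    notes: List[str] = []
    provider_names = {p.get("provider.name") for p in idps}
    handler_names = {h.get("handler.name") for h in handlers}
    for m in modules:
        if m.get("idp.name") not in provider_names:
            errors.append(f"idp.name={m.get('idp.name')!r} matches no provider.name")
        if m.get("sync.handlerName") not in handler_names:
            errors.append(f"sync.handlerName={m.get('sync.handlerName')!r} matches no handler.name")
    for p in idps:
        if not (p.get("host.ssl") or p.get("host.tls")):
            notes.append(f"{p.get('host.name')}: neither host.ssl nor host.tls set; binds and user passwords go in clear")
        if p.get("bind.password"):
            notes.append("bind.password is present in a checked-in file; inject the real value at deploy time")
    return {"errors": errors, "warnings": notes}


if __name__ == "__main__":
    for kind, messages in audit(CONFIGS).items():
        for message in messages:
            print(f"{kind}: {message}")
```

Run the script against the directory of .config files in your deployment package (read each file into the dictionary keyed by its file name) as a pre-deploy gate: any entry under "errors" means the login module will not find its provider or sync handler at runtime, and the "warnings" flag a cleartext LDAP bind or a bind password that has leaked into the repository.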
What it looks like after it syncs
One of the things we found surprising was the name Adobe Experience Manager chooses for the node when it syncs a user from LDAP. Here is a CRXDE Lite view of a set of objects created with the OSGi configs shared above; you can see the machine-generated name of both the user and group nodes after the sync took place. Oak generates a random node name for each authorizable and stores the LDAP id in the rep:authorizableId property, so look users up by id through the UserManager (or by that property) rather than building a repository path from the username.