How to Integrate LDAP with AEM?

AEM - LDAP Integration

LDAP (the Lightweight Directory Access Protocol) is used for accessing centralised directory services.

LDAP integration gives you the following:

  1. User accounts can be synchronised between the LDAP server and the AEM repository.
  2. AEM uses LDAP authentication to authenticate users, with credentials being passed to the LDAP server for validation.
  3. To improve performance, successfully validated credentials can be cached by the repository, with an expiry timeout.
  4. This reduces the effort required to manage user accounts, as the same accounts can be used by multiple applications.
  5. When a user account is removed from the LDAP server, validation is no longer granted and access to AEM is denied.

The following are the steps for integrating LDAP with AEM and using it as the Single Sign-On (SSO) source of truth for authenticating AEM users.

To get LDAP working with AEM, you need to create three OSGi configurations:

  1. An LDAP Identity Provider (IDP).
  2. A Sync Handler.
  3. An External Login Module.

1- LDAP Identity Provider (IDP)

The LDAP Identity Provider defines how users are retrieved from the LDAP server.

  1. Open the system console Configuration Manager (/system/console/configMgr).
  2. Search for Apache Jackrabbit Oak LDAP Identity Provider.
  3. Create a new LDAP Identity Provider using the plus sign.
  4. Keep most of the out-of-the-box configuration, except for the following values:
    1. LDAP Provider Name - name of the LDAP provider.
    2. LDAP Server Hostname - hostname of the LDAP server.
    3. LDAP Server Port - port of the LDAP server; check with your LDAP admin if unsure.
    4. Bind DN - DN used for the bind, for example uid=admin,ou=system.
    5. Bind Password - password for that DN.
    6. User base DN - base DN for user searches; enter a value such as dc=example,dc=com.
    7. User id attribute - name of the user id attribute; enter a value such as uid.

2- AEM Sync Handler

The sync handler defines how the Identity Provider's users and groups are synchronised with the repository.

  1. It is found under Apache Jackrabbit Oak Default Sync Handler in the /system/console/configMgr console.
  2. Create the sync handler with the following OSGi configuration values:

    1. Sync Handler Name: name of the sync configuration.

    2. User auto membership: list of groups that a synced user is added to automatically.

    3. The remaining values are self-explanatory; leave the defaults or adjust them as needed.

3- Configure the external login module

The external login module is the bridge between the login, the IDP and the sync handler.

  • Open the Felix Configuration Manager, search for the "External Login Module" factory config and click the plus (+) button, then set:
    • JAAS Ranking: 50
    • JAAS Control Flag: SUFFICIENT
    • JAAS Realm
    • Identity Provider Name: ldap
    • Sync Handler Name: default
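As an added example (not code from this article, nor Adobe's or Oak's own tooling), the following Python check confirms that the three configurations from sections 1 to 3 reference each other consistently and carry the settings that matter most: an encrypted LDAP connection, a bind password kept out of the config file, a SUFFICIENT control flag, and an explicit cache expiry. The hostname, the $[env:...] placeholder, the auto-membership group and the expiry value are assumptions.

```python
# Added example for this article, not Adobe's or Oak's own tooling: a consistency
# and hardening check over the three OSGi configurations described above. Sample
# values are constructed; the keys are the ones the three Oak components read.
IDP_PID = "org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
SYNC_PID = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler"
LOGIN_PID = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"

SAMPLE = {  # constructed sample of the three factory configurations, keyed by factory PID
    IDP_PID: {
        "provider.name": "ldap",
        "host.name": "ldap.example.com",          # assumed hostname
        "host.port": 636,
        "host.ssl": True,                         # LDAPS: bind password never sent in clear
        "bind.dn": "uid=admin,ou=system",
        "bind.password": "$[env:LDAP_BIND_PWD]",  # assumes env placeholder support; keeps the secret out of the repo
        "user.baseDN": "dc=example,dc=com",
        "user.idAttribute": "uid",
    },
    SYNC_PID: {
        "handler.name": "default",
        "user.expirationTime": "1h",              # cached user data is re-validated after this
        "user.autoMembership": ["contributor"],
    },
    LOGIN_PID: {
        "jaas.ranking": 50,
        "jaas.controlFlag": "SUFFICIENT",
        "idp.name": "ldap",
        "sync.handlerName": "default",
    },
}


def check_ldap_config(configs):
    """Return a list of findings; an empty list means the three configs line up."""
    idp, sync, login = configs[IDP_PID], configs[SYNC_PID], configs[LOGIN_PID]
    findings = []
    if login.get("idp.name") != idp.get("provider.name"):
        findings.append("idp.name does not match the IDP's provider.name")
    if login.get("sync.handlerName") != sync.get("handler.name"):
        findings.append("sync.handlerName does not match the sync handler's handler.name")
    if str(login.get("jaas.controlFlag", "")).upper() != "SUFFICIENT":
        findings.append("jaas.controlFlag should be SUFFICIENT so the default login module still serves local accounts")
    if not (idp.get("host.ssl") or idp.get("host.tls")):
        findings.append("neither host.ssl nor host.tls is enabled; bind credentials travel in clear text")
    if idp.get("bind.dn") and not idp.get("bind.password"):
        findings.append("bind.dn is set without a bind.password")
    if not sync.get("user.expirationTime"):
        findings.append("user.expirationTime is not set; choose the re-validation interval explicitly")
    return findings
```

Run it against the config files you plan to deploy before creating them in the console; a non-empty list means the login module will not find its IDP or sync handler, or that a hardening setting is missing.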

4- Verify the JAAS console

The external login module should now appear in the JAAS console.

Debugging LDAP issues

Add the loggers below to the logger configuration with the log level set to debug.

1) logs/ldap.log : org.apache.jackrabbit.oak.security.authentication.ldap
2) logs/external.log : org.apache.jackrabbit.oak.spi.security.authentication.external

