Integrate AEM 6.5 with LDAP using JumpCloud ldap-as-a-service

Anand Killi
Published in Tech Touch
6 min read, May 12, 2020
Source: jumpcloud.com

Recently I had a requirement to evaluate something with LDAP in Adobe Experience Manager, aka AEM. I have AEM 6.5 running on my machine and I just needed an LDAP. Without a second thought, I started googling for top open source LDAP software and quickly decided to try OpenLDAP and ApacheDS to see if I could make one of them work on my Windows Home machine. As it turns out, OpenLDAP needs to be built from source; there is no ready-to-install solution. I turned towards ApacheDS and was able to install it but couldn’t make it work. You need to tweak the configs a bit before you can successfully start the server. I know they are great open source products, but I didn’t have the time to get past the learning curve.

While trying to solve the issues with ApacheDS, I stumbled upon JumpCloud, an LDAP in the cloud. Ah! Why didn’t I check sooner? Everything is in the cloud nowadays. JumpCloud’s free account offers pro and premium features for up to 10 users, and no credit card is needed for registration. Perfect! So, this is what I did.

Head over to jumpcloud.com and click on “Get started”. Just enter your email id (it says work email, but don’t worry, just use a personal one). In the next step, fill in your first and last name, select “Cloud-based LDAP or RADIUS Service” and “I need a cloud directory”. Hit next and enter some dummy details about the company. Provide a password and verify your email. That’s it; you will see something like this once you are in.

Click on the big plus icon at the top left and select “Manual user entry” to create your first user. We want to be able to connect to this LDAP from our AEM, or from any LDAP browser for that matter. To be able to do that we need a special service user with the right access. This is how we create him.

Enter anything in the Company Email field; we don’t need it. Scroll down and select “Specify initial password”. Make sure you select “Enable as LDAP Bind DN”. This is what makes him special.

Click “Save user”, then open the created user again to verify that JumpCloud LDAP is listed under the Directories section, as shown below.

Technically, at this point, you can use any LDAP browser client, such as Softerra LDAP Browser, to connect to your account. As we are trying to connect this to AEM and log in with some LDAP users, let’s create some more users. Keep clicking on the plus sign in the Users section and enter users. Assign a password to them and save. Make sure you are not selecting “Enable as LDAP Bind DN” for these users: AEM only needs the one service user to bind and search the directory, and the regular users should not carry that privilege.

I have created three more users and named them Alpha, Bravo and Charlie.

Now head over to Groups section and create a new group.

  • Specify a name like AEM Authors
  • Click on the Users tab and select all the users except the service user
  • Click on Directories tab and select the JumpCloud LDAP option
  • Click on “save group” to save the changes

We associated a group with the users so that we can see group sync in AEM, differentiate these users from users coming from other systems, and assign selective permissions. Before leaving the JumpCloud console and heading to AEM, capture your Organization ID from the console. We will need this in our configuration.

You can see your Organization ID by clicking on the Org settings option on the left rail.

Fire up your AEM author instance, log in as admin and open the Felix console at http://<host>:<port>/system/console/configMgr. Look for “Apache Jackrabbit Oak LDAP Identity Provider” and hit the + icon next to it to configure a new identity provider. This is how it looks.

Following is the text version of the configuration. It will be easy to copy-paste from here if you like.

The next configuration you need to create is “Apache Jackrabbit Oak Default Sync Handler”. Hit the plus icon and create the following configuration.

Here is the text version.

In the above configuration, we set both User Path Prefix and Group Path Prefix to jcldap, which means these users and groups will be created under a jcldap folder in CRX. This makes it easier to find and organize them. Also, Group auto membership is set to content-authors, which makes the synced group or groups automatically members of the content-authors group (which already exists in AEM). What we are essentially doing here is granting authoring permissions automatically to the users of this JumpCloud account.

The last configuration we need to make before we can test this is “Apache Jackrabbit Oak External Login Module”, which looks like this.
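To have the three configurations above in a form you can drop into a config folder, here is an added example in Felix .config format (not the post’s own screenshots or the author’s values): the LDAP Identity Provider, the Default Sync Handler with the jcldap prefix and content-authors auto-membership, and the External Login Module. The JumpCloud host, port and DN layout are assumed from JumpCloud’s LDAP documentation and should be confirmed in your console, and the <ORG_ID>, <BIND_USER> and <BIND_PASSWORD> placeholders must be replaced with your own values.

```properties
# Added example: three OSGi configs for AEM 6.5 in Felix .config format,
# e.g. under /apps/<project>/config.author/. Placeholders: <ORG_ID>,
# <BIND_USER>, <BIND_PASSWORD>. Host, port and DN layout are assumed from
# JumpCloud's LDAP docs; confirm them in your own JumpCloud console.

# --- org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider-jumpcloud.config
provider.name="jumpcloud"
host.name="ldap.jumpcloud.com"
host.port=I"636"
# LDAPS with certificate checking left on; the bind password travels over
# this connection, so do not set host.noCertCheck to true in a real setup.
host.ssl=B"true"
host.tls=B"false"
host.noCertCheck=B"false"
# The dedicated service user created with "Enable as LDAP Bind DN".
bind.dn="uid=<BIND_USER>,ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com"
# Stored in clear text by OSGi: keep this file out of source control.
bind.password="<BIND_PASSWORD>"
searchTimeout="60s"
user.baseDN="ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com"
user.objectclass=["inetOrgPerson"]
user.idAttribute="uid"
# JumpCloud exposes groups as groupOfNames under the same base (assumed).
group.baseDN="ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com"
group.objectclass=["groupOfNames"]
group.nameAttribute="cn"
# Only the group built in the post is synced; other groups are ignored.
group.extraFilter="(cn=AEM Authors)"
group.memberAttribute="member"

# --- org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler-jumpcloud.config
handler.name="jumpcloud"
user.expirationTime="1h"
user.pathPrefix="jcldap"
user.membershipExpTime="1h"
user.membershipNestingDepth=I"1"
user.propertyMapping=["profile/familyName=sn","profile/givenName=givenName","profile/email=mail"]
group.expirationTime="1d"
# Synced groups become members of the existing AEM content-authors group.
group.autoMembership=["content-authors"]
group.pathPrefix="jcldap"

# --- org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory-jumpcloud.config
jaas.controlFlag="SUFFICIENT"
jaas.ranking=I"50"
jaas.realmName="jackrabbit.oak"
idp.name="jumpcloud"
sync.handlerName="jumpcloud"
```

After a successful login the synced users appear under /home/users/jcldap and the group under /home/groups/jcldap in CRXDE, which is the quickest place to confirm that the sync handler ran.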

That’s it. All the ducks are in a row now. Let’s try to log in to AEM using one of the users we created before. Use an incognito window, as we are already logged in as admin in the current one from making all the above configurations.

The user got authenticated against our JumpCloud LDAP and was able to log in successfully. He was also able to open the Sites console, which means the group sync and association worked as well. Let’s check them.

That’s all for this post. Try it out and let me know how it worked for you. Please do leave a comment if you had any issues, have any questions, or want to see anything else in this post or in the upcoming ones.
