AEM 6.0+ LDAP Integration: The LDAP Approach to User Management
Every growing company needs to decide how to handle user data and permissions for the different applications that employees interact with. One of the best ways to keep that information consistent across all the systems on the network is to store it in a central LDAP (Lightweight Directory Access Protocol) directory. Beyond integrating it into as many systems as possible, the data held in the directory can be used to improve the user management process itself. AEM 6 changed the LDAP implementation, which added quite a few new configuration options and even more room for customization.
Changing the LDAP Settings
When upgrading from 5.6.1 or below, the first thing you will need to do is reconfigure the LDAP settings, because the integration process has changed. The most noticeable change is where the configuration lives. Before version 6 you needed an ldap_login.conf file under crx-quickstart/conf/ that held the JAAS configuration for your LDAP setup. In AEM 6 that file is no longer read; LDAP is instead configured through three OSGi configurations (the Apache Jackrabbit Oak LDAP Identity Provider, the Apache Jackrabbit Oak Default Sync Handler and the Apache Jackrabbit Oak External Login Module), which you can edit in the Web Console or deploy as .config files.
Each of these configuration sections contains a number of options; some existed in previous versions of AEM, and some are new. For example, in the LDAP identity provider configuration, one of the new options is support for TLS (STARTTLS on the standard port, the host.tls setting) in addition to the SSL/LDAPS support (host.ssl) from previous versions, so you can pick whichever transport your directory offers. Pick one of the two, and leave server certificate checking enabled: without an encrypted transport the bind account's password and every user's password cross the network in clear text, and disabling the certificate check lets anyone on the path impersonate the directory. Another new feature is an extra LDAP filter for both users and groups (user.extraFilter and group.extraFilter), so that only directory entries matching the filter, for instance members of one group, are eligible to log in or be synchronized. This gives the user manager much finer control over how the data from the directory is used within AEM.
Optimizing Synchronization in the LDAP
The synchronization handler also contains a few new choices that can be very useful for user and group management. One of the biggest additions is the expiration option that exists for both users and groups. When a user or group is imported from LDAP, AEM stores a copy in the repository; the expiration time defines how long that copy is trusted before it is refreshed from the directory on the next login or sync. It does not by itself remove access when the time runs out (the user still authenticates against LDAP on each login), but a short value bounds how long a change made in the directory, such as a removed group membership, can take to show up in AEM. Alongside the basic expiration option there is also a separate field for group membership, which defines how long a user's synced memberships are trusted before they are re-read from LDAP.
Modifying the Login Module
The final configuration, the external login module, is where the other two come together: it names the identity provider and the synchronization handler to use, so the names you gave them in their own configurations must match exactly, or LDAP logins will silently fail. It also contains options related to JAAS (Java Authentication and Authorization Service) that modify the behaviour of the login module, such as the control flag and the ranking. The control flag decides what happens when LDAP authentication fails or succeeds relative to the other login modules; the usual choice is SUFFICIENT, so that a successful LDAP login is enough while local repository accounts (including admin) still work when the directory cannot be reached. The ranking orders the module among the other JAAS login modules.
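To tie the three configurations together, here is an added example (not code from the original post, from Adobe or from Oak) that reads the three OSGi .config files described above and flags the weak choices discussed in the identity provider, synchronization handler and login module sections: a clear-text transport, a disabled certificate check, missing extra filters, over-long expiration times and mismatched names between the configurations. The PIDs and property names are the real Oak ones; the host name, DNs, bind account, file names and the one-day TTL policy are assumptions constructed for the example.

```python
"""Audit the three Oak OSGi configurations that wire LDAP into AEM 6.x.
Added example, not code from the original post, Adobe or Oak: PIDs and
keys are Oak's; host, DNs, bind account and TTL policy are assumptions."""
import re

# Felix .config scalars as AEM writes them: key="s", key=B"true", key=I"636".
_LINE = re.compile(r'^\s*([\w.]+)\s*=\s*([A-Za-z]?)"(.*)"\s*$')
_DUR = re.compile(r'(\d+)(ms|[dhms])')
_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}


def parse_config(text):
    """Parse scalar lines of a .config file ('#' lines are comments; no arrays)."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparsable .config line: %r" % line)
        key, typ, raw = m.groups()
        cfg[key] = {"B": lambda v: v == "true", "I": int, "L": int}.get(typ, str)(raw)
    return cfg


def duration_ms(value):
    """Oak duration string ('1h', '1d', '1h30m') to milliseconds."""
    return sum(int(n) * _MS[u] for n, u in _DUR.findall(value))


def audit(idp, sync, login, max_ttl="1d"):
    """Findings on transport, scoping and wiring; an empty list means nothing flagged."""
    out = []
    if not (idp.get("host.ssl") or idp.get("host.tls")):
        out.append("idp: no host.ssl/host.tls; bind and user passwords cross the wire in clear")
    if idp.get("host.noCertCheck"):
        out.append("idp: host.noCertCheck=true; the directory server can be impersonated")
    for k in ("user", "group"):
        if not idp.get(k + ".extraFilter"):
            out.append("idp: no %s.extraFilter; every %s object under the baseDN is admitted" % (k, k))
    for k in ("user.expirationTime", "user.membershipExpTime", "group.expirationTime"):
        if k not in sync:
            out.append("sync: %s unset; Oak's built-in default applies unreviewed" % k)
        elif duration_ms(sync[k]) > duration_ms(max_ttl):
            out.append("sync: %s=%s exceeds the assumed policy maximum %s" % (k, sync[k], max_ttl))
    if login.get("idp.name") != idp.get("provider.name"):
        out.append("login: idp.name does not match provider.name; LDAP logins silently fail")
    if login.get("sync.handlerName") != sync.get("handler.name"):
        out.append("login: sync.handlerName does not match handler.name; nothing is synced")
    return out


# Constructed sample files (names are assumptions; PIDs and keys are Oak's).
# org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider-corp.config
IDP_HARDENED = """\
provider.name="corp-ldap"
host.name="ldap.corp.example"
host.port=I"636"
host.ssl=B"true"
host.noCertCheck=B"false"
bind.dn="cn=aem-bind,ou=service,dc=corp,dc=example"
bind.password="replace-me"
user.baseDN="ou=people,dc=corp,dc=example"
user.objectclass="inetOrgPerson"
user.idAttribute="uid"
user.extraFilter="(memberOf=cn=aem-users,ou=groups,dc=corp,dc=example)"
group.baseDN="ou=groups,dc=corp,dc=example"
group.objectclass="groupOfUniqueNames"
group.nameAttribute="cn"
group.memberAttribute="uniqueMember"
group.extraFilter="(cn=aem-*)"
"""
# org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler-corp.config
SYNC = """\
handler.name="corp-sync"
user.expirationTime="1h"
user.membershipExpTime="1h"
group.expirationTime="1d"
"""
# org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory-corp.config
LOGIN = """\
jaas.ranking=I"50"
jaas.controlFlag="SUFFICIENT"
idp.name="corp-ldap"
sync.handlerName="corp-sync"
"""
# The same provider with the weak choices a quick first setup tends to leave behind.
IDP_WEAK = (IDP_HARDENED.replace('host.port=I"636"', 'host.port=I"389"')
            .replace('host.ssl=B"true"', 'host.ssl=B"false"')
            .replace('host.noCertCheck=B"false"', 'host.noCertCheck=B"true"')
            .replace('user.extraFilter="(memberOf=cn=aem-users,ou=groups,dc=corp,dc=example)"', ""))


def audit_files(idp_text, sync_text=SYNC, login_text=LOGIN):
    """Parse the three file bodies and audit them together."""
    return audit(parse_config(idp_text), parse_config(sync_text), parse_config(login_text))
```

Running audit_files(IDP_HARDENED) returns no findings, while audit_files(IDP_WEAK) reports the clear-text transport, the disabled certificate check and the missing user filter. Point the parser at the real files under crx-quickstart/install (or at what the Web Console exported) before promoting a configuration between environments; the name-matching checks catch the most common reason an LDAP setup "does nothing" after a copy.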
User management can be a difficult task at any company, especially when a number of different systems are in use. When utilized properly, LDAP can help ease that pain point, and Adobe has made it easier still in AEM 6.0+ with the reworked LDAP integration. Try out LDAP and see how it can improve the efficiency and security of your system, while making it easier to customize for your specific needs.
Need help implementing or optimizing your Adobe Experience Manager platform? We can help. Contact us today to speak with our team of experts.