The basic architecture representation of the authentication part is built around Oak (the diagram below does not include the External Login Module):
JCR Repository.login --> Oak ContentRepository.login --> LoginModule.login --> LoginModule.commit
Previously, with Jackrabbit, this used to be cumbersome; with Oak it becomes easy through OSGi configurations.
Oak LoginModule configuration is all OSGi: no more jaas.conf.
The different kinds of Oak login modules are as follows:
- AbstractLoginModule
- LoginModuleImpl (aka the default login module)
- GuestLoginModule
- TokenLoginModule
- ExternalLoginModule
With the External Login Module implementation, the architectural diagram should look like below:
In the Oak External Login Module the flow looks as below:
In the above diagram:
IDP: it is nothing but a proxy that authenticates against a third-party system (for example LDAP).
It provides profile information of external users and groups.
API highlights:
- ExternalIdentityProvider
- ExternalIdentity, ExternalGroup, ExternalUser
- ExternalIdentityRef: it contains the internal representation of the external system. It also contains userInfo.
- SyncHandler: it is used to sync users from the IDP. It has two main properties:
  - rep:externalId: string representation of the ExternalIdentityRef.
  - rep:lastSynced: used for expiration-time tracking.
The basic external login flow works as listed below:

With AEM 6 all LDAP configurations are done via the system console.
The three OSGi configs required for LDAP to work are as follows:
1. An LDAP Identity Provider (LIP)
- Defines how users are retrieved from the LDAP server.
- Its OSGi config is identified as "Apache Jackrabbit Oak LDAP Identity Provider".
2. A Sync Handler
- Defines how identity provider users and groups are synchronized with the repository.
- OSGi config: "Apache Jackrabbit Oak Default Sync Handler".
3. An External Login Module
- OSGi config: "Apache Jackrabbit Oak External Login Module".
- It holds the definition of which Identity Provider and Sync Handler to use.
We may have scenarios where we need to configure multiple LDAP configs for an AEM instance.
In AEM we can configure LDAP over SSL as well. If that is the case, we have to make sure that the SSL and TLS checkboxes are checked in the LIP.
We can even create OpenSSL certificates. For how to create and configure them, please refer to the citation links mentioned below.
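The three configs only work when they point at each other: the External Login Module names the identity provider and the sync handler it uses, so a typo in either name silently breaks external login. The following is an added example, not code from this post or from Apache Jackrabbit Oak itself: it assembles the three OSGi configurations as dictionaries, checks that the wiring between them is consistent and that the LDAP connection is not configured in the clear or with certificate validation disabled, and renders each one in the Felix typed `.config` file format. The PIDs and property names are the ones Oak documents for LdapIdentityProvider, DefaultSyncHandler and ExternalLoginModuleFactory; the host, DNs, provider and handler names are constructed sample values.

```python
"""Assemble and sanity-check the three Oak OSGi configs an LDAP setup needs.

Added example, not code from the post or from Apache Jackrabbit Oak.
PIDs and property keys follow the Oak documentation; all values are
constructed samples (the bind password is a placeholder).
"""

# Factory PIDs as documented by Oak; each instance is written to
# <PID>-<instance>.config under the launchpad config folder.
LIP_PID = "org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"
SYNC_PID = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler"
ELM_PID = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory"


def lip_config(name, host, port, ssl=True, tls=False, no_cert_check=False):
    """LDAP Identity Provider: how users and groups are read from the directory."""
    return {
        "provider.name": name,
        "host.name": host,
        "host.port": port,
        "host.ssl": ssl,                   # LDAPS: TLS from the first byte
        "host.tls": tls,                   # StartTLS upgrade of a plain connection
        "host.noCertCheck": no_cert_check, # must stay False outside a lab
        "bind.dn": "cn=aem-bind,ou=service,dc=example,dc=com",  # constructed
        "bind.password": "<bind-password-placeholder>",
        "user.baseDN": "ou=people,dc=example,dc=com",
        "user.objectclass": ["person"],
        "user.idAttribute": "uid",
        "group.baseDN": "ou=groups,dc=example,dc=com",
        "group.objectclass": ["groupOfUniqueNames"],
        "group.nameAttribute": "cn",
        "group.memberAttribute": "uniquemember",
    }


def sync_config(name):
    """Default Sync Handler: how external users/groups are copied into the repository."""
    return {
        "handler.name": name,
        "user.expirationTime": "1h",
        "user.membershipExpTime": "1h",
        "user.propertyMapping": ["profile/givenName=givenName", "profile/email=mail"],
        "group.expirationTime": "1d",
    }


def login_module_config(idp_name, handler_name):
    """External Login Module: which provider and which sync handler to use."""
    return {
        "jaas.ranking": 50,
        "jaas.controlFlag": "SUFFICIENT",
        "jaas.realmName": "jackrabbit.oak",
        "idp.name": idp_name,
        "sync.handlerName": handler_name,
    }


def check_wiring(lip, sync, elm):
    """Return a list of problems; an empty list means the three configs fit together."""
    problems = []
    if elm["idp.name"] != lip["provider.name"]:
        problems.append("idp.name %r does not match provider.name %r"
                        % (elm["idp.name"], lip["provider.name"]))
    if elm["sync.handlerName"] != sync["handler.name"]:
        problems.append("sync.handlerName %r does not match handler.name %r"
                        % (elm["sync.handlerName"], sync["handler.name"]))
    if not (lip["host.ssl"] or lip["host.tls"]):
        problems.append("neither host.ssl nor host.tls is enabled: "
                        "bind and user credentials travel in clear text")
    if lip["host.noCertCheck"]:
        problems.append("host.noCertCheck is true: the server certificate is not validated")
    return problems


def to_sling_config(props):
    """Render a property dict as Felix typed .config lines (B"..." booleans, I"..." ints)."""
    lines = []
    for key, value in props.items():
        if isinstance(value, bool):            # bool before int: bool is an int subclass
            lines.append('%s=B"%s"' % (key, "true" if value else "false"))
        elif isinstance(value, int):
            lines.append('%s=I"%d"' % (key, value))
        elif isinstance(value, list):
            lines.append('%s=[%s]' % (key, ",".join('"%s"' % v for v in value)))
        else:
            lines.append('%s="%s"' % (key, value))
    return "\n".join(lines)


if __name__ == "__main__":
    lip = lip_config("corp-ldap", "ldap.example.com", 636)
    sync = sync_config("corp-sync")
    elm = login_module_config("corp-ldap", "corp-sync")
    for pid, cfg in ((LIP_PID, lip), (SYNC_PID, sync), (ELM_PID, elm)):
        print("# %s-corp.config" % pid)
        print(to_sling_config(cfg))
    print("problems:", check_wiring(lip, sync, elm) or "none")
```

Running `check_wiring` against a second LIP instance is how the multiple-LDAP scenario mentioned above is kept straight: every External Login Module instance must name exactly one existing `provider.name` and one existing `handler.name`.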
Debugging is important when we run into issues, to understand them further, or to troubleshoot. To enable debugging:
- Go to the Web Management Console.
- Find "Apache Sling Logging Logger Configuration" and create two loggers with the following options:
  - First logger:
    - Log level: Debug
    - Log File: logs/ldap.log
    - Message Pattern: {0,date,dd.MM.yyyy HH:mm:ss.SSS} *{4}* [{2}] {3} {5}
    - Logger: org.apache.jackrabbit.oak.security.authentication.ldap
  - Second logger:
    - Log level: Debug
    - Log File: logs/external.log
    - Message Pattern: {0,date,dd.MM.yyyy HH:mm:ss.SSS} *{4}* [{2}] {3} {5}
    - Logger: org.apache.jackrabbit.oak.spi.security.authentication.external
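Both loggers share the same message pattern, so one parser reads either file, and because `{2}` is the request thread, entries from ldap.log and external.log can be correlated per login attempt. The following is an added example, not part of the original post: it parses lines written with that pattern into timestamp, level, thread, logger and message, filters by minimum level, and groups entries by thread. The log lines embedded below are constructed; only the package prefixes match the logger names configured above, the message texts are invented for illustration.

```python
"""Parse Sling log lines written with the pattern
   {0,date,dd.MM.yyyy HH:mm:ss.SSS} *{4}* [{2}] {3} {5}
Added example, not part of the original post; SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# {0}=timestamp  {4}=level  {2}=thread  {3}=logger name  {5}=message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\*(?P<level>[A-Z]+)\* "
    r"\[(?P<thread>[^\]]*)\] "
    r"(?P<logger>\S+) "
    r"(?P<msg>.*)$"
)

LEVELS = {"TRACE": 0, "DEBUG": 1, "INFO": 2, "WARN": 3, "ERROR": 4}

# Constructed sample: three lines from one request thread, one failure on
# another thread, and one line that does not match the pattern at all.
SAMPLE_LOG = """\
03.05.2018 10:15:42.123 *DEBUG* [qtp1234-56] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider connecting to ldaps://ldap.example.com:636
03.05.2018 10:15:42.301 *DEBUG* [qtp1234-56] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider authenticate: user jsmith authenticated
03.05.2018 10:15:42.410 *DEBUG* [qtp1234-56] org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler syncing user jsmith
03.05.2018 10:15:43.002 *ERROR* [qtp1234-57] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider authenticate: user rjones failed: invalid credentials
garbage line that does not match the pattern
"""


def parse_line(line):
    """Return a dict for one log line, or None when it does not match the pattern."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # %f accepts the three-digit millisecond field and stores it as microseconds
    entry["ts"] = datetime.strptime(entry["ts"], "%d.%m.%Y %H:%M:%S.%f")
    return entry


def parse_log(text):
    """Split a log file into (parsed entries, lines that did not match)."""
    entries, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        (entries if entry else unparsed).append(entry or line)
    return entries, unparsed


def filter_level(entries, minimum):
    """Keep entries whose level is at or above `minimum` (e.g. "WARN")."""
    floor = LEVELS[minimum]
    return [e for e in entries if LEVELS.get(e["level"], -1) >= floor]


def by_thread(entries):
    """Group entries by request thread so one login attempt can be followed end to end."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["thread"]].append(e)
    return dict(groups)


if __name__ == "__main__":
    entries, unparsed = parse_log(SAMPLE_LOG)
    print("parsed %d lines, %d unparsed" % (len(entries), len(unparsed)))
    for e in filter_level(entries, "WARN"):
        print("%s %s [%s] %s" % (e["ts"], e["level"], e["thread"], e["msg"]))
    for thread, group in by_thread(entries).items():
        print(thread, "->", [g["logger"].rsplit(".", 1)[-1] for g in group])
```

To follow a single login across both files, concatenate ldap.log and external.log, parse them together and sort each thread's group by `ts`; the ordering then shows whether the LDAP authentication succeeded before the sync handler ran.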
Citations:
https://docs.adobe.com/docs/en/aem/6-3/administer/security/ldap-config.html
http://jackrabbit.apache.org/oak/docs/security/authentication/usersync.html
http://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html
https://seminars.adobeconnect.com/p7th7m234c7/?launcher=false&fcsContent=true&pbMode=normal