如何在CQ 6中通过LDAP通过目录对用户进行身份验证

Question

The Problem: We have CQ integrated with the external portal, the portal sends user information ie username and authorization token (passsword) in the request headers, this request is for the CQ Publish instance AEM version 6.0. We have to validate the user against client provided LDAP. How we can achieve this ?

Things tried so far : Followed the AEM 6 Docs to configure and connect to LDAP. Next tried login with the directory provided user in CQ, CQ tries to connect and query the user via LDAP request (provided in the config) and fetches and creates the corresponding user in crx, so that the user details are cached and LDAP requests are not fired for the same user when he/she tries to login again. However this user created in CQ has no information for the password ie no password fetched in ldap request and updated in crx. So the authentication to CQ fails. In short after adding configuration CQ connects directories via LDAP, fetches user details, but doesn't fetches password of that user and this causes authentication to be failed.

Looking for best way to do this. Any alternative approaches are welcome. See below configurations added.

LdapIdentityProvider searchTimeout="60s"
host.name="***"
group.makeDnPath=B"false"
user.baseDN="ou\=people,dc\=***,dc\=com"
group.objectclass=["groupOfUniqueNames"]
user.objectclass=["person","**","**"]
host.noCertCheck=B"false"
user.makeDnPath=B"false"
bind.dn="uid\=***,ou\=***,ou\=***,dc\=***,dc\=com"
group.baseDN="ou\=groups,o\=example,dc\=com"
group.extraFilter=""
user.extraFilter=""
host.port=I"389"
bind.password="***"
group.nameAttribute="cn"
host.ssl=B"false"
provider.name="***"
host.tls=B"false"
user.idAttribute="uid"
group.memberAttribute="uniquemember"

ExternalLoginModuleFactory 
jaas.controlFlag="SUFFICIENT"
jaas.ranking=I"50"
sync.handlerName="***"
jaas.realmName=""
idp.name="***"

DefaultSyncHandler
group.pathPrefix=""
group.expirationTime="1d"
user.membershipExpTime="1h"
user.pathPrefix=""
user.propertyMapping=["rep:email\=mail","rep:fullName\=cn","profile/email\=mail","profile/familyName\=sn","profile/givenName\=gn"]
handler.name="qaldapsync"
user.autoMembership=[""]
user.expirationTime="1h"
group.propertyMapping=["description\=description","rep:email\=mail","rep:fullname\=cn"]
user.membershipNestingDepth=I"0"
group.autoMembership=[""]

Answer 1

The authentication always goes against the LDAP system and not to the AEM. So it is normal that the password is not synced.

If I get you right you did successfully connect the LDAP to AEM and did the synchronization but complain about not synchronizing the password? As mentioned above this is not how you normally do it and I recommend to leave the password and so the authentication to the LDAP server. But if you really need the password to be synced to you can try to add it to the user.propertyMapping: rep:password=userPassword.

The downside would be that a user deleted in LDAP or changed the password in LDAP could still use his old account and password to login in AEM. So this would be a big security issue.

Additional Hint: The groups will only be synced if you configure user.membershipNestingDepth at least with "1".