We have integrated AD with CQ for authentication purposes (JAAS config, LDAPLoginModule).
We are registering users from our website and storing them directly in AD (using the Day LDAP client APIs - day-commons-ldapclient-1.1.6.jar). Now the problem is that the created users are disabled by default; to overcome this we have set the attribute "userAccountControl" while registering.
This solved the disabled issue, but another issue is that the user cannot log in unless his/her password is reset from the AD admin interface.
The password is set in the "userPassword" attribute and AD is not treating this as a password, so it enables the flag for the reset-password mechanism.
There is another attribute which needs to be set for this, called "unicodePwd", but to set this the connection should be encrypted (at least 128-bit SSL/TLS) and LDAPS should be used and not LDAP.
Please refer to the MS article at http://msdn.microsoft.com/en-us/library/cc223248%28v=prot.10%29.aspx
So the question is whether it can be achieved with the LDAP protocol itself, and if not, how big is the effort to go via the LDAPS approach?
Has anybody achieved something similar and can throw some light on this?
Any pointer will be helpful.
Thanks in Advance,
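Added example (editor's code, not from the original poster and not using the Day LDAP client): the create-disabled, set-unicodePwd-over-LDAPS, then-enable sequence described above, written against plain JNDI so it runs in any CQ/Java environment. Host name, base DN, bind account and the user attributes are placeholders. It assumes the domain controller's certificate is trusted by the JVM's truststore (import it with keytool first), since JNDI will refuse the LDAPS handshake otherwise.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/** Provisions an AD user with a real password over LDAPS (editor's example, placeholders throughout). */
public class AdUserProvisioner {
    // userAccountControl bits as documented by Microsoft for the attribute
    static final int ACCOUNTDISABLE = 0x0002;
    static final int NORMAL_ACCOUNT = 0x0200;

    /** AD only accepts unicodePwd as the password wrapped in double quotes and encoded as UTF-16LE. */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Opens an LDAPS (port 636, SSL) connection; a plain ldap:// URL makes AD reject the unicodePwd write. */
    static DirContext connectLdaps(String host, String bindDn, String bindPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":636");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);      // account with rights to create users and reset passwords
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    static void createUser(DirContext ctx, String userDn, String samAccountName,
                           String upn, String password) throws NamingException {
        // Step 1: create the object disabled. AD refuses to create an enabled account
        // that has no policy-compliant password yet, so 514 (NORMAL_ACCOUNT | ACCOUNTDISABLE) is used.
        Attributes attrs = new BasicAttributes(true);
        BasicAttribute objectClass = new BasicAttribute("objectClass");
        objectClass.add("top");
        objectClass.add("person");
        objectClass.add("organizationalPerson");
        objectClass.add("user");
        attrs.put(objectClass);
        attrs.put("sAMAccountName", samAccountName);
        attrs.put("userPrincipalName", upn);
        attrs.put("userAccountControl", Integer.toString(NORMAL_ACCOUNT | ACCOUNTDISABLE));
        ctx.createSubcontext(userDn, attrs);

        // Step 2: set the real password. This is the write that needs the encrypted channel;
        // writing "userPassword" instead leaves the account without a usable password.
        ctx.modifyAttributes(userDn, new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(password)))
        });

        // Step 3: enable the account. pwdLastSet = -1 stamps "now" so AD does not
        // force a password change at first logon.
        ctx.modifyAttributes(userDn, new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("userAccountControl", Integer.toString(NORMAL_ACCOUNT))),
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("pwdLastSet", "-1"))
        });
    }

    public static void main(String[] args) throws NamingException {
        // All values below are placeholders for illustration.
        DirContext ctx = connectLdaps("dc01.example.local",
            "CN=svc-cq-provision,OU=Service Accounts,DC=example,DC=local", "<bind-password>");
        try {
            createUser(ctx, "CN=Jane Doe,OU=WebUsers,DC=example,DC=local",
                "jdoe", "jdoe@example.local", "<initial-password-meeting-policy>");
        } finally {
            ctx.close();
        }
    }
}
```

Two things to check when this fails: an "UNWILLING_TO_PERFORM" on the unicodePwd modify almost always means the session is not LDAPS (or the password violates the domain policy), and a handshake error on connect means the DC certificate chain is not in the JVM truststore. Over the encrypted channel AD also accepts the password-change form (delete old quoted value, add new quoted value) for self-service changes, but an administrative reset like the one above is a single REPLACE.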
From what I understand, you are attempting to synchronize your users from CQ into your Active Directory instance. To me, it sounds like you should really get LDAPS set up, as opposed to attempting to work around it.
Here is a link to the part of the document Day wrote on how to configure LDAP for CQ5:
Additionally, if you take a look at the forum topic I posted about this very problem, there is a nice list of resources for what you are trying to do: http://forums.adobe.com/thread/1068151?tstart=0
Hope that helps! Good luck!