12 Replies Latest reply: Jul 29, 2013 3:01 AM by shailesh08

CQ5 as Windows Service with LDAP Authentication

great98 Jul 23, 2013 9:10 AM

CQ5 as Windows Service with LDAP Authentication

1 Introduction

LDAP: Lightweight Directory Access Protocol
Used for accessing centralized directory services.
LDAP is often used to achieve Single Sign On which allows a user to access multiple applications after logging in once.

2 Steps

1. Install LDAP server,

1) Double click the file（Download from apache website first）

ApacheDirectoryStudio-win32-x86_<architecture>-<version>

2) After start the system, Create a new server (CQ5LDAP)

New-New Server

3) Add group and users and save them

Name: Adobe

Suffix: ou=groups, dc=adobe, dc=com)

Name: Adobe2

Suffix: ou=users, dc=adobe, dc=com)

4) Start the server

5) Create a new connection (CQ5LDAP)

Connection name: CQ5LDAP

Hostname: localhost

Port: 10389

6) Fill in the Authentication information

Bind DNor user: uid=admin, ou=system

Bind password: secret

7) Right click the connection name, Import users with LDIF Import

2. Configure repository.xml

Remove or comment the LoginModule element in the repository configuration (repository.xml). The configuration file can be found in the folder crx-quickstart/repository.
Ensure that the file ldap_login.conf is in a folder such as crx-quickstart/conf/ of your CRX installation folder.
Add the following bolded code to repository.xml so that users can login

<SecurityManager class="com.day.crx.core.CRXSecurityManager">

<WorkspaceAccessManager class="org.apache.jackrabbit.core.

security.simple.SimpleWorkspaceAccessManager"/>

<UserManager class="com.day.crx.core.CRXUserManagerImpl">

<param name="usersPath" value="/home/users"/>

<param name="groupsPath" value="/home/groups"/>

<param name="defaultDepth" value="1"/>

</UserManager>

</SecurityManager>

3. Change start.bat and Quickstart.bat

From the command line, start Quickstart with the option:

-Djava.security.auth.login.config=crx-quickstart/conf/ldap_login.conf

For example:

32-bit VM:

java -Djava.security.auth.login.config=crx-quickstart/conf/ldap_login.conf -Xmx384M -jar crx-quickstart-<version>.jar

64-bit VM:

java -Djava.security.auth.login.config=crx-quickstart/conf/ldap_login.conf -XX:MaxPermSize=128m -Xmx512M -jar crx-quickstart-<version>.jar

4. Starting CQ5 as Windows Service

We install CQ5 as a windows service with instsrv.bat located in C:\author\crx-quickstart\opt\helpers.Hence, if we want to use CQ5 service with LDAP. We need to change instsrv.bat and then run instsrv.bat to install CQ5 as a Windows Service.

Replace line 40: set jvm_options=-XX:MaxPermSize=256M

With: set jvm_options=-Djava.security.auth.login.config=C:/author2013/crx-quickstart/conf/ldap_logi n.conf";"-XX:MaxPermSize=256M

5. Start the CQ5 service with CMD or Service of Task Manager

c:>sc start CQ5 (or any service name you installed, say cq5author)

6. Now you can login by LDAP users

1. Re: CQ5 as Windows Service with LDAP Authentication

shailesh08 Jul 23, 2013 11:35 AM (in response to great98)

Hi,
I tried the steps mentioned, but the steps mentioned above are jumped may be because of the different LDAP server. I am using Apache Directory Studio.
And even i could not find any option "import users from LDIF". Can you please guide me what exactly i need to do.

Regards,
Shailesh
Like Show 0 Likes (0)

Actions
2. Re: CQ5 as Windows Service with LDAP Authentication

great98 Jul 23, 2013 12:06 PM (in response to shailesh08)

Please see the screenshot about how to import users.
Like Show 0 Likes (0)

Actions
3. Re: CQ5 as Windows Service with LDAP Authentication

shailesh08 Jul 23, 2013 11:22 PM (in response to great98)

Hi,
Sorry I was not clear about the problem in the msg. I am not able to get what LDIP needs to be entered in the dropdown over here in the screenshot.
Can you even verify the ldap_login.conf file whether is that there is something missing in it.

com.day.crx {
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
              principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
              host="10.242.135.12"
              port="10389"
     authDn="testuser"
              authPw="intel"
              secure="true"
              userRoot="ou=users,ou=system"
              groupRoot="ou=groups,ou=system"
              groupMembershipAttribute="uniquemember"
              autocreate="create"
              autocreate.user.mail="profile/email"
              autocreate.user.givenname="profile/givenName"
              autocreate.user.sn="profile/familyName"
              autocreate.group.description="profile/aboutMe"
              autocreate.group.mail="profile/email"
              autocreate.group.cn="profile/givenName"
              autocreate.path="direct"
              cache.expiration="600"
              cache.maxsize="100";
};

Thanks & Regards,
Shailesh
Like Show 0 Likes (0)

Actions
4. Re: CQ5 as Windows Service with LDAP Authentication

great98 Jul 24, 2013 8:05 AM (in response to shailesh08)

A file with the LDIF file extension is a LDAP Data Interchange Format file.

LDIF (Lightweight Directory Interchange Format) is an ASCII file format used to exchange data and enable the synchronization of that data between Lightweight Directory Access Protocol ( LDAP ) server s called Directory System Agents (DSAs). LDAP is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network. An LDAP directory can be distributed among many servers. LDIF is used to synchronize each LDAP directory.

The first step in synchronizing LDAP directories is extracting the full contents of or a portion of the original LDAP directory and formatting the contents into an LDIF file. The LDIF file is then mailed to a directory synchronization robot called DIRBOT. After several different steps, a final LDIF file is compared to the original LDIF file. The update instructions on what records to add, delete, or modify in the original directory are decided. These updates are then used to synchronize all LDAP directories.

If you don't have LDIF file to be imported, it does not matter. You can create entries by LDAP server directly. A .LDIF file is just a file prepared by LDIF editor.

LDIF file examples:
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-admin/html/LDAPConfig 7.html
Like Show 0 Likes (0)

Actions
5. Re: CQ5 as Windows Service with LDAP Authentication

great98 Jul 24, 2013 8:21 AM (in response to shailesh08)

The following is my sample ldap_login.conf, please refer to it. Please note the authPw (888888) must be the same as what you set in LDAP server:

com.day.crx {
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
              principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
              host="localhost"
                                        port="10389"
                                        authDn="uid=admin,ou=system"
                      authPw="888888"
                                        userRoot="ou=users,dc=adobe,dc=com"
                                        groupRoot="ou=groups,dc=adobe,dc=com"
                                        userFilter="(objectclass=person)"
                                        userIdAttribute="sn"
                                        groupFilter="(objectclass=groupOfUniqueNames)"
                                        groupMembershipAttribute="uniquemember"
                                        groupNameAttribute="cn"
                                        deny_anonymous_access="true"
              autocreate="create"
              autocreate.user.mail="rep:e-mail"
                                        autocreate.user.cn="rep:fullname"
                                        autocreate.group.mail="rep:e-mail"
                                        autocreate.group.cn="rep:fullName"
                                        autocreate.group.localadmin="admin"
                                        autocreate.group.uniquemember="uniquemember"
                                        autocreate.group.description="description"
                                        autocreate.syncdelay="1800"
                              autocreate.lastmodified ="lastmodified"
                              autocreate.path="direct"
              cache.expiration="600"
              cache.maxsize="100";
};
Like Show 0 Likes (0)

Actions
6. Re: CQ5 as Windows Service with LDAP Authentication

shailesh08 Jul 24, 2013 10:25 AM (in response to great98)

com.day.crx {
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
              principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
              host="192.168.1.8"
              port="10390"
     authDn="uid=testuser,ou=users,ou=system"
              authPw="abc11"
              secure="true"
              userRoot="ou=users,ou=system"
              groupRoot="ou=groups,ou=system"
              groupMembershipAttribute="uniquemember"
              autocreate="create"
              autocreate.user.mail="profile/email"
              autocreate.user.givenname="profile/givenName"
              autocreate.user.sn="profile/familyName"
              autocreate.group.description="profile/aboutMe"
              autocreate.group.mail="profile/email"
              autocreate.group.cn="profile/givenName"
              autocreate.path="direct"
              cache.expiration="600"
              cache.maxsize="100";
};

repository.xml
<?xml version="1.0" encoding="ISO-8859-1"?>













<!DOCTYPE Repository PUBLIC "-//Day Management AG//DTD CRX 2.4//EN"
                            "http://www.day.com/dtd/repository-2.4.dtd">
<Repository>
    
    
    <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
        <param name="path" value="${rep.home}/repository"/>
    </FileSystem>
    
    <DataStore class="com.day.crx.core.data.ClusterDataStore"/>
    
    <Security appName="com.day.crx">
        
        
        <SecurityManager class="com.day.crx.core.CRXSecurityManager">
            
            <UserManager class="org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager">
                <param name="usersPath" value="/home/users"/>
                <param name="groupsPath" value="/home/groups"/>
                <param name="defaultDepth" value="1"/>
                <param name="autoExpandTree" value="true"/>
                <AuthorizableAction class="org.apache.jackrabbit.core.security.user.action.AccessControlAction">
                  <param name="groupPrivilegeNames" value="jcr:read"/>
                  <param name="userPrivilegeNames" value="jcr:all"/>
                </AuthorizableAction>
                
            </UserManager>
            
        </SecurityManager>

        
        <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager"></AccessManager>
        
        <LoginModule class="com.day.crx.core.CRXLoginModule">
            <param name="anonymousId" value="anonymous"/>
            <param name="adminId" value="admin"/>
            <param name="disableNTLMAuth" value="true"/>
            <param name="tokenExpiration" value="43200000"/>
            
        </LoginModule>
    </Security>
    
    <Workspaces rootPath="${rep.home}/workspaces" defaultWorkspace="crx.default" maxIdleTime="5"/>
    
    <Workspace name="${wsp.name}" simpleLocking="true">
        
        <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
            <param name="path" value="${wsp.home}"/>
        </FileSystem>
        
        <PersistenceManager class="com.day.crx.persistence.tar.TarPersistenceManager"/>
        
        <SearchIndex class="com.day.crx.query.lucene.LuceneHandler">
            <param name="path" value="${wsp.home}/index"/>
            <param name="resultFetchSize" value="50"/>
        </SearchIndex>
        
        <WorkspaceSecurity>
            <AccessControlProvider class="org.apache.jackrabbit.core.security.authorization.acl.ACLProvider">
                <param name="omit-default-permission" value="true"/>
            </AccessControlProvider>
        </WorkspaceSecurity>
        
        <Import>
            <ProtectedItemImporter class="org.apache.jackrabbit.core.xml.AccessControlImporter"/>
            <ProtectedItemImporter class="org.apache.jackrabbit.core.security.user.UserImporter">
                <param name="importBehavior" value="besteffort"/>
            </ProtectedItemImporter>
        </Import>
    </Workspace>
    
    <Versioning rootPath="${rep.home}/version">
        
        <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
            <param name="path" value="${rep.home}/version"/>
        </FileSystem>
        
        <PersistenceManager class="com.day.crx.persistence.tar.TarPersistenceManager"/>
    </Versioning>
    
    <SearchIndex class="com.day.crx.query.lucene.LuceneHandler">
        <param name="path" value="${rep.home}/repository/index"/>
    </SearchIndex>
    
    <Cluster>
        <Journal class="com.day.crx.persistence.tar.TarJournal"/>
    </Cluster>
    
    <Modules>
        
    </Modules>
</Repository>

Hi,
I am still not able to login using the user i created in LDAP server. I have verified by using the jxplorer and the LDAP server is working fine as whatever user I am creating in jxplorer it is propagation and getting saved in the LDAP server.

By looking into the screenshot seeing above if you find anything that is missing, please do let me know.

Thanks & Regards,
Shailesh
Like Show 0 Likes (0)

Actions
7. Re: CQ5 as Windows Service with LDAP Authentication

great98 Jul 24, 2013 10:36 AM (in response to shailesh08)

1) comment out the following in your repository.xml:


2) Add the following bolded code to repository.xml so that users can login
    <SecurityManager class="com.day.crx.core.CRXSecurityManager">
        <WorkspaceAccessManager class="org.apache.jackrabbit.core.
               security.simple.SimpleWorkspaceAccessManager"/>
        <UserManager class="com.day.crx.core.CRXUserManagerImpl">
            <param name="usersPath" value="/home/users"/>
            <param name="groupsPath" value="/home/groups"/>
            <param name="defaultDepth" value="1"/>
        </UserManager>
    </SecurityManager>

yours:

     <SecurityManager class="com.day.crx.core.CRXSecurityManager">
            
        <WorkspaceAccessManager class="org.apache.jackrabbit.core.
               security.simple.SimpleWorkspaceAccessManager"/>

            <UserManager class="org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserM anager">
                <param name="usersPath" value="/home/users"/>
                <param name="groupsPath" value="/home/groups"/>
                <param name="defaultDepth" value="1"/>
                <param name="autoExpandTree" value="true"/>
                <AuthorizableAction class="org.apache.jackrabbit.core.security.user.action.AccessControlA ction">
                  <param name="groupPrivilegeNames" value="jcr:read"/>
                  <param name="userPrivilegeNames" value="jcr:all"/>
                </AuthorizableAction>
                
            </UserManager>
            
        </SecurityManager>
Like Show 0 Likes (0)

Actions
8. Re: CQ5 as Windows Service with LDAP Authentication

shailesh08 Jul 24, 2013 11:37 AM (in response to great98)

Hi,
Still not able to login.., "User Name and Password do not match".

Is there anything else that could be there
Regards,
Shailesh
Like Show 0 Likes (0)

Actions
9. Re: CQ5 as Windows Service with LDAP Authentication

great98 Jul 24, 2013 12:20 PM (in response to shailesh08)

If it is password problem, you can try to reset password for the user with Apache Directory Studio (LDAP server):
Like Show 0 Likes (0)

Actions
10. Re: CQ5 as Windows Service with LDAP Authentication

shailesh08 Jul 25, 2013 4:46 AM (in response to great98)

Hi,
My instance stopped working after I modified the repository.xml as threaded in the chain above. The two changes made were:-
1. added <SecurityManager class="com.day.crx.core.CRXSecurityManager">
        <WorkspaceAccessManager class="org.apache.jackrabbit.core.
               security.simple.SimpleWorkspaceAccessManager"/>
        <UserManager class="com.day.crx.core.CRXUserManagerImpl">
            <param name="usersPath" value="/home/users"/>
            <param name="groupsPath" value="/home/groups"/>
            <param name="defaultDepth" value="1"/>
        </UserManager>
    </SecurityManager>

2. commented <LoginModule class="com.day.crx.core.CRXLoginModule">
            <param name="anonymousId" value="anonymous"/>
            <param name="adminId" value="admin"/>
            <param name="disableNTLMAuth" value="true"/>
            <param name="tokenExpiration" value="43200000"/>

        </LoginModule>

As I commented the first one and uncommented the second one in repository.xml my instance started working., before that I was getting
Service Unavailable
AuthenticationSupport service missing. Cannot authenticate request.

Is there anything else that could be done for this authentication part.?
Thanks & Regards,
Shailesh
Like Show 0 Likes (0)

Actions
11. Re: CQ5 as Windows Service with LDAP Authentication

great98 Jul 25, 2013 7:23 AM (in response to shailesh08)

Please use this correct ldap_login.conf as main reference, your authDn is not right, should be authDn="uid=admin,ou=system":

com.day.crx {
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
              principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
              host="localhost"
                                        port="10389"
                                        authDn="uid=admin,ou=system"
                      authPw="888888"
                                        userRoot="ou=users,dc=adobe,dc=com"
                                        groupRoot="ou=groups,dc=adobe,dc=com"
                                        userFilter="(objectclass=person)"
                                        userIdAttribute="sn"
                                        groupFilter="(objectclass=groupOfUniqueNames)"
                                        groupMembershipAttribute="uniquemember"
                                        groupNameAttribute="cn"
                                        deny_anonymous_access="true"
              autocreate="create"
              autocreate.user.mail="rep:e-mail"
                                        autocreate.user.cn="rep:fullname"
                                        autocreate.group.mail="rep:e-mail"
                                        autocreate.group.cn="rep:fullName"
                                        autocreate.group.localadmin="admin"
                                        autocreate.group.uniquemember="uniquemember"
                                        autocreate.group.description="description"
                                        autocreate.syncdelay="1800"
                              autocreate.lastmodified ="lastmodified"
                              autocreate.path="direct"
              cache.expiration="600"
              cache.maxsize="100";
};

Other steps ,please refer to the following URL carefully:

http://helpx.adobe.com/cq/kb/LdapConfig.html
http://dev.day.com/docs/en/crx/current/administering/ldap_authentication.html
Like Show 0 Likes (0)

Actions
12. Re: CQ5 as Windows Service with LDAP Authentication

shailesh08 Jul 29, 2013 3:01 AM (in response to great98)

Hi,
The links shared tells us the same things as we were trying before.
I tried every combination possible in repository.xml
1. LoginModule removed with org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager present. -503 error
2. LoginModule present with with org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager present. - able to open instance
3. LoginModule removed with com.day.crx.core.CRXUserManagerImpl presnt. -503 error
4. LoginModule present with com.day.crx.core.CRXUserManagerImpl present. -503 error
5. LoginModule present with com.day.crx.core.CRXUserManagerImpl & org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager presnt. -503 error
6. LoginModule removed with com.day.crx.core.CRXUserManagerImpl & org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager present. -503 error

The ldap_login.confg used is
com.day.crx {
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
              principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
              host="10.242.135.208"
              port="10390"
   authDn="uid=admin,ou=system"
              authPw="admin"
   userFilter="(objectclass=person)"
              userIdAttribute="uid"
              groupFilter="(objectclass=groupOfUniqueNames)"
              groupMembershipAttribute="uniquemember"
              groupNameAttribute="cn"
              deny_anonymous_access="true"
              secure="true"
              userRoot="ou=users,ou=system"
              groupRoot="ou=groups,ou=system"
              groupMembershipAttribute="uniquemember"
              autocreate="create"
              autocreate.user.mail="profile/email"
              autocreate.user.givenname="profile/givenName"
              autocreate.user.sn="profile/familyName"
              autocreate.group.description="profile/aboutMe"
              autocreate.group.mail="profile/email"
              autocreate.group.cn="profile/givenName"
              autocreate.path="direct"
              cache.expiration="600"
              cache.maxsize="100";
};

Can you please verify if the authDn and the authPwd is correct or is there any mistake that I am commiting. Or there is something else which is causing the problem..

Thanks & Regards,
Shailesh
Like Show 0 Likes (0)

Actions