DocumentationAEM 6.4Administering Guide

User Synchronization user-synchronization

Last update: Wed May 03 2023 00:00:00 GMT+0000 (Coordinated Universal Time)

CREATED FOR:

  • Admin
CAUTION
AEM 6.4 has reached the end of extended support and this documentation is no longer updated. For further details, see our technical support periods. Find the supported versions here.

Introduction introduction

When the deployment is a publish farm, members need to be able to log in and see their data on any publish node.

Users and user groups (user data) created in the publish environment are not needed in the author environment.

Most user data created in the author environment is intended to remain in the author environment and not be copied to publish instances.

Registration and modifications made on one publish instance need to be synchronized with other publish instances in order for them to have access to the same user data.

As of AEM 6.1, when user synchronization is enabled, user data is automatically synchronized across the publish instances in the farm and are not created on author.

Sling Distribution sling-distribution

The user data, along with their ACLs, are stored in the Oak Core, the layer below Oak JCR, and are accessed using the Oak API. With infrequent updates, it is reasonable for user data to be synchronized with other publish instances using Sling Content Distribution (Sling distribution).

The benefits of user sync using Sling distribution, compared to traditional replication are :

  • users, user profiles and user groups created on publish are not created on author

  • Sling distribution sets properties in jcr events, making it possible to act within publish-side event listeners without concern for infinite replication loops

  • Sling distribution only sends user data to non-originating publish instances, eliminating unnecessary traffic

  • ACLs set in the user node are included in the sychronization

NOTE
If sessions are required, it is recommended to either use an SSO solution or use sticky session and have customers log in if they get switched to another publsher.
CAUTION
Synchronization of the *administrators *group is not supported, even when user sync is enabled. Instead, a failure to ‘import the diff’ will be logged in the error log.
Therefore, when the deployment is a publish farm, if a user is added to or removed from the *administrators *group, the modification must be manually made on each publish instance.

Enable User Sync enable-user-sync

NOTE
By default, user sync is disabled.
Enabling user sync involves modifying existing OSGi configurations.
No new configurations should be added as a result of enabling user sync.

User sync relies on the author environment to manage the user data distributions, even though the user data is not created on author. Much, but not all, of the configuration takes place in the author environment and each step clearly identifies whether it is to be performed on author or publish.

Following are the steps necessary to enable user synchronization, followed by a Troubleshooting section:

Prerequisites prerequisites

  1. If users and user groups have already been created on one publisher, it is recommended to manually sync the user data to all publishers prior to configuring and enabling user sync.

    Once user sync is enabled, only newly created users and groups are syncrhonized.

  2. Ensure the latest code has been installed:

1. Apache Sling Distribution Agent - Sync Agents Factory apache-sling-distribution-agent-sync-agents-factory

Enable user sync

  • on author

    • sign in with administrator privileges

    • access the Web Console

    • locate Apache Sling Distribution Agent - Sync Agents Factory

      • select the existing configuration to open for edit (pencil icon)

        Verify name: socialpubsync

      • select the Enabled checkbox

      • select Save

chlimage_1-387

2. Create Authorized User createauthuser

Configure permissions
This authorized user will be used in step 3 to configure Sling distribution on author.

CAUTION
A new user must be created.
  • The default user assigned is admin.
  • Do not use *communities-user-admin *user*.*

How to Add ACL addacls

  • access CRXDE Lite

  • select /home node

  • in right pane, select the Access Control tab

  • select the + button to add an ACL entry

    • Principal: search for user created for user sync
    • Type: Allow
    • Privileges: jcr:all
    • Restrictions rep */activities/*
    • select OK

  • select Save All

chlimage_1-388

See also

3. Adobe Granite Distribution - Encrypted Password Transport Secret Provider adobegraniteencpasswrd

Configure permissions

Once an authorized user, a member of the **administrators**user group, has been created on all publish instances, that authorized user must be identified on author as having permission to sync user data from author to publish.

  • on author

    • sign in with administrator privileges

    • access the Web Console

    • locate com.adobe.granite.distribution.core.impl.CryptoDistributionTransportSecretProvider.name

    • select the existing configuration to open for edit (pencil icon)

      Verify property name : socialpubsync-publishUser

    • set the username and password to the authorized user created on publish in step 2

      • for example, usersync-admin

chlimage_1-389

4. Apache Sling Distribution Agent - Queue Agents Factory apache-sling-distribution-agent-queue-agents-factory

Enable user sync

  • on publish :

    • sign in with administrator privileges

    • access the Web Console

    • locate Apache Sling Distribution Agent - Queue Agents Factory

      • select the existing configuration to open for edit (pencil icon)

        Verify Name : socialpubsync-reverse

      • select the Enabled checkbox

      • select Save

    • repeat for each publish instance

chlimage_1-390

5. Adobe Granite Distribution - Diff Observer Factory diffobserver

Enable group sync

  • on each publish instance :

    • sign in with administrator privileges

    • access the Web Console

    • locate Adobe Granite Distribution - Diff Observer Factory

      • select the existing configuration to open for edit (pencil icon)

        Verify agent name : socialpubsync-reverse

      • select the Enabled checkbox

      • select Save

chlimage_1-391

6. Apache Sling Distribution Trigger - Scheduled Triggers Factory apache-sling-distribution-trigger-scheduled-triggers-factory

(Optional) modify polling interval

By default, author will poll for changes every 30 seconds. To alter this interval :

  • on author

    • sign in with administrator privileges

    • access the Web Console

    • locate Apache Sling Distribution Trigger - Scheduled Triggers Factory

      • select the existing configuration to open for edit (pencil icon)

        • Verify Name : socialpubsync-scheduled-trigger

      • set the Interval in Seconds to the desired interval

      • select Save

chlimage_1-392

Configure for Multiple Publish Instances configure-for-multiple-publish-instances

The default configuration is for a single publish instance. As the reason for enabling user sync is to synchronize multiple publish instances, such as for a publish farm, the additional publish instances will need to be added to the Sync Agents Factory.

7. Apache Sling Distribution Agent - Sync Agents Factory apache-sling-distribution-agent-sync-agents-factory-1

Add Publish Instances :

  • on author

chlimage_1-393

  • Exporter Endpoints
    There should be an exporter endpoint for each publisher. For example, if there are 2 publishers, localhost:4503 and 4504, there should be 2 entries:

    • http://localhost:4503/libs/sling/distribution/services/exporters/socialpubsync-reverse
    • http://localhost:4504/libs/sling/distribution/services/exporters/socialpubsync-reverse

  • Importer Endpoints
    There should be an importer endpoint for each publisher. For example, if there are 2 publishers, localhost:4503 and 4504, there should be 2 entries:

    • http://localhost:4503/libs/sling/distribution/services/importers/socialpubsync
    • http://localhost:4504/libs/sling/distribution/services/importers/socialpubsync

  • select Save

8. AEM Communities User Sync Listener aem-communities-user-sync-listener

(Optional) Sync additional JCR nodes

If there is custom data that is desired to be synchronized across multiple publish instances, then:

  • on each publish instance:

chlimage_1-394

  • Node Types

    This is the list of node types that will synchronize. Any node type other than sling:Folder needs to be listed here (sling:folder is handled separately).

    Default list of node types to synchronize:

    • rep:User
    • nt:unstructured
    • nt:resource

  • Ignorable Properties

    This is the list of properties that will be ignored if any change is detected. Changes to these properties might get synchronized as a side effect of other changes (since synchronization is always at the node level), but changes to these properties will not by themselves trigger synchronization.

    Default property to ignore:

    • cq:lastModified

  • Ignorable Nodes

    Subpaths that will be entirely ignored during synchronization. Nothing under these subpaths will be synchronized at any time.

    Default nodes to ignore:

    • .tokens
    • system

  • Distributed Folders

    Most sling:Folders are ignored because synchronization is not necessary. The few exceptions are listed here.

    Default folders to synchronize

    • segments/scoring
    • social/relationships
    • activities

9. Unique Sling ID unique-sling-id

CAUTION
If the Sling ID matches between two or more publish instances then user group sync will fail.

If the Sling ID is the same for multiple publish instances in a publish farm, then user groups will not be synchronized.

To validate that all Sling ID values differ, on each publish instance :

  1. browse to http://<host>:<port>/system/console/status-slingsettings
  2. check the value of Sling ID

chlimage_1-395

If the Sling ID of a publish instance matches the Sling ID of any other publish instance, then:

  1. stop one of the publish instances that has a matching Sling ID

  2. in the crx-quickstart/launchpad/felix directory

    • search for and delete the file named sling.id.file

      • for example, on a Linux system:

        rm -i $(find . -type f -name sling.id.file)

      • for example, on a Windows system:

        use windows explorer and search for *sling.id.file*

  3. start the publish instance

    • on startup it will be assigned a new Sling ID

  4. validate that the Sling ID is now unique

Repeat these steps until all publish instances have an unique Sling ID.

Vault Package Builder Factory vault-package-builder-factory

In order for updates to sync properly, it is necessary to modify the vault package builder for user sync :

  • on each AEM publish instance

  • access the Web Console

  • locate the Apache Sling Distribution Packaging - Vault Package Builder Factor

    • Builder name: socialpubsync-vlt

  • select the edit icon

  • add two Package Filters :

    • /home/users|-.*/.tokens
    • /home/users|-.*/rep:cache

  • policy handling :

    • to overwrite existing rep:policy nodes with new ones, add a third Package Filter :

      • /home/users|+.*/rep:policy

    • to prevent policies from being distributed, set

      • Acl Handling : IGNORE

chlimage_1-396

What Happens When … what-happens-when

User Self-Registers or Edits Profile on Publish user-self-registers-or-edits-profile-on-publish

By design, users and profiles created in the publish environment (self-registration) do not appear in the author environment.

When the topology is a publish farm and user sync has been correctly configured, the *user *and user profile is synchronized across the publish farm using Sling distribution.

Users or User Groups are Created Using Security Console users-or-user-groups-are-created-using-security-console

By design, user data created in the publish environment does not appear in the author environment and vice versa.

When the User Administration and Security console is used to add new users in the publish environment, user sync will synchronize the new users and their group membership to other publish instances, if necessary. User sync will also synchronize user groups created through the security console.

Troubleshooting troubleshooting

How to Take User Sync Offline how-to-take-user-sync-offline

To take user sync offine, in order to remove a publisher or manually sync data, the distribution queue must be empty and quiet.

To check the state of the distribution queue:

  • on author:

    • using CRXDE Lite

      • look for entries in /var/sling/distribution/packages

        • folder nodes named with the pattern distrpackage_*

    • using Package Manager

      • look for pending packages (not yet installed)

        • named with the pattern socialpubsync-vlt*
        • created by communities-user-admin

When the distribution queue is empty, disable user sync :

Once tasks are completed, to re-enable user sync :

User Sync Diagnostics user-sync-diagnostics

User Sync Diagnostics is a tool that checks the configuration and attempts to identify any problems.

On author, simply navigate from the main console through Tools, Operations, Diagnosis, User Sync Diagnostics.

Simply entering the User Sync Diagnostics console will display the results.

This is what is displayed when User Synchronization has not been enabled :

chlimage_1-397

How To Run Diagnostics for Publishers how-to-run-diagnostics-for-publishers

When the diagnoistic is run from the author environment, the pass/fail results will include an [INFO] section displaying the list of configured publish instances for confirmation.

Included in the list is an URL for each publish instance that will run the diagnostics for that instance. The url param syncUser is appended to the diagnostics URL with its value set to the authorized sync user created in Step 2.

Note : before launching the URL, the authorized sync user must already be signed into that publish instance.

chlimage_1-398

Configuration Improperly Added improperconfig

When user sync fails to work, the most common problem is that additional configurations were added. Instead, the *existing *default configuration should have been edited.

Following are views of how the edited, default configurations should appear in the Web Console. If more than the one instance appears, the added configuration should be removed.

(author) One Apache Sling Distribution Agent - Sync Agents Factory author-one-apache-sling-distribution-agent-sync-agents-factory

chlimage_1-399

(author) One Adobe Granite Distribution - Encrypted Password Transport Secret Provider author-one-adobe-granite-distribution-encrypted-password-transport-secret-provider

chlimage_1-400

(publish) One Apache Sling Distribution Agent - Queue Agents Factory publish-one-apache-sling-distribution-agent-queue-agents-factory

chlimage_1-401

(publish) One Adobe Granite Distribution - Diff Observer Factory publish-one-adobe-granite-distribution-diff-observer-factory

chlimage_1-402

(author) One Apache Sling Distribution Trigger - Scheduled Triggers Factory author-one-apache-sling-distribution-trigger-scheduled-triggers-factory

chlimage_1-403

Modify Operation Exception During Response Processing modify-operation-exception-during-response-processing

If the following is visible in the log :

org.apache.sling.servlets.post.impl.operations.ModifyOperation Exception during response processing.

java.lang.IllegalStateException: This tree does not exist

Then verify that the section 2. Create Authorized User was properly followed.

This section describes creating an authorized user, who exists on all publish instances, and identifying them in the ‘Secret Provider’ OSGi config on author. By default, the user is admin.

The authorized user should be made a member of the administrators user group and permissions for that group should not be altered.

The authorized user should explicitly have the following privileges and restriction on all publish instances :

path
jcr:all
rep:glob
/home
X
*/activities/*
/home/users
X
*/activities/*
/home/groups
X
*/activities/*

As a member of the administrators group, the authorized user should have the following privileges on all publish instances :

path
jcr:all
jcr:read
rep:write
/etc/packages/sling/distribution
X
/libs/sling/distribution
X
/var
X
/var/eventing
X
X
/var/sling/distribution
X
X

User Group Sync Failed user-group-sync-failed

If the Sling ID matches between two or more publish instances then user group sync will fail.

See section 9. Unique Sling ID

Manually Syncing Users and User Groups manually-syncing-users-and-user-groups

To configure or enable user sync, go to step 1: Apache Sling Distribution Agent - Sync Agents Factory

When a Publisher Becomes Unavailable when-a-publisher-becomes-unavailable

When a publish instance becomes unavailable, it should not be removed if it will be back online in the future. Changes will queue up for the publisher, and once it is back online, the changes will be processed.

If the publish instance will never be back online, if it is offline permanently, then it must be removed because the queue buildup will result in noticeable disk space usage in the author environment.

When a publisher is down, the author log will have exceptions similar to :

28.01.2016 15:57:48.475 ERROR
 [pool-12-thread-34-org_apache_sling_distribution_queue_socialpubsync_endpoint1
 (org/apache/sling/distribution/queue/socialpubsync/endpoint1)]
 org.apache.sling.distribution.agent.impl.SimpleDistributionAgent [agent][socialpubsync] could not deliver package distrpackage_1454014575838_a2b45ec8-0400-42f3-bed8-ae09b66381cb
 org.apache.sling.distribution.packaging.DistributionPackageImportException: failed in importing package ...

How To Remove a Publisher how-to-remove-a-publisher

To remove a publisher from the Apache Sling Distribution Agent - Sync Agents Factory, the distribution queue must be empty and quiet.

recommendation-more-help
5ce3024a-cbea-458b-8b2f-f9b8dda516e8