LDAP (the Lightweight Directory Access Protocol) is used for accessing centralized directory services. This reduces the effort required to manage user accounts, as one account can be used by multiple applications. Active Directory is one such LDAP server. LDAP is often used to achieve Single Sign On (SSO), which allows a user to access multiple applications after logging in once.
User accounts can be synchronized between the LDAP server and CRX, with LDAP account details being saved in the CRX repository. This allows the accounts to be assigned to CRX groups for allocating the required permissions and privileges.
CRX uses LDAP authentication to authenticate such users: the credentials are passed to the LDAP server for validation, which must succeed before access to CRX is allowed. To improve performance, CRX can cache successfully validated credentials, with an expiry timeout to ensure that revalidation occurs after an appropriate period.
When an account is removed from the LDAP server, validation is no longer granted, so access to CRX is denied. Details of LDAP accounts that have been saved in CRX can also be purged from CRX.
Use of such accounts is transparent to your users: they see no difference between user and group accounts created from LDAP and those created solely in CRX.
In AEM 6, LDAP support comes with a new implementation that requires a different type of configuration than with previous versions.
All LDAP configurations are now available as OSGi configurations. They can be configured via the Web Management console at:
In order to have LDAP working with AEM, you need to create three OSGi configurations:
- An LDAP Identity Provider (IDP).
- A Sync Handler.
- An External Login Module.
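As an added illustration of what those three configurations look like together, the following is an example written for this page, not configuration from Adobe's documentation. The OSGi PIDs and property names are those of the Apache Jackrabbit Oak external-authentication module that provides the AEM 6 implementation; everything else (hostnames, base DNs, the `corp-ldap` and `corp-sync` names, the service account, the group names and the `ldap` path prefix) is a constructed placeholder to be replaced with your own values. It uses the Sling `.config` file format (typed values such as `I"636"` and `B"true"`, arrays in square brackets), one file per configuration, and picks the settings a security engineer would insist on: LDAPS with certificate validation left on, a read-only bind account, a narrowed user filter, a low-privilege auto-membership group, and expiry times so that cached account data is revalidated against the directory.

```properties
# Added example, not from the AEM documentation: the three OSGi configurations
# listed above in Sling ".config" format with hardened settings.
# Hostnames, DNs, names and the bind account are constructed placeholders.

# --- 1. LDAP Identity Provider (IDP) ---
# file: org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider-corp.config
provider.name="corp-ldap"
host.name="ldap.example.internal"
# Port 636 with host.ssl=true gives LDAPS; plain 389 without TLS would send the
# bind password and every user's password across the network in clear text.
host.port=I"636"
host.ssl=B"true"
host.tls=B"false"
# Leave certificate validation enabled; noCertCheck=true would accept any server.
host.noCertCheck=B"false"
# Read-only, least-privilege service account. Supply the password from a secret
# store or environment substitution rather than committing it with this file.
bind.dn="cn=aem-svc,ou=service-accounts,dc=example,dc=internal"
bind.password="REPLACE_ME_FROM_SECRET_STORE"
searchTimeout="30s"
user.baseDN="ou=people,dc=example,dc=internal"
user.objectclass=["inetOrgPerson"]
user.idAttribute="uid"
# Narrow the filter so only members of the intended group can authenticate at all
# (availability of the memberOf attribute depends on the directory in use).
user.extraFilter="(memberOf=cn=aem-users,ou=groups,dc=example,dc=internal)"
group.baseDN="ou=groups,dc=example,dc=internal"
group.objectclass=["groupOfNames"]
group.nameAttribute="cn"
group.memberAttribute="member"

# --- 2. Sync Handler ---
# file: org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler-corp.config
handler.name="corp-sync"
# Synced user data is revalidated against LDAP once this period has elapsed,
# so a removed or changed directory account is picked up within the hour.
user.expirationTime="1h"
user.membershipExpirationTime="1h"
user.membershipNestingDepth=I"1"
# Keep synced accounts under their own subtree so they are easy to audit and purge.
user.pathPrefix="ldap"
# Auto-membership is granted to every synced user: keep it to a low-privilege
# group, never to administrators.
user.autoMembership=["contributor"]
user.propertyMapping=["profile/givenName=givenName","profile/familyName=sn","profile/email=mail"]
group.expirationTime="1h"
group.pathPrefix="ldap"

# --- 3. External Login Module ---
# file: org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory-corp.config
# Ties the IDP and the sync handler together; the two names must match the files above.
jaas.ranking=I"50"
jaas.controlFlag="SUFFICIENT"
jaas.realmName="jackrabbit.oak"
idp.name="corp-ldap"
sync.handlerName="corp-sync"
```

The same values can be entered by hand in the Web Management console; the file form is shown because it can be reviewed and version-controlled, which is where the weak variants (port 389 without TLS, `host.noCertCheck=B"true"`, a privileged bind DN, or `administrators` in `user.autoMembership`) are easiest to catch before they reach production.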