During the Q&A session with Roy Fielding and product management at Ignite Chicago, nicely written-up by CMS Wire's Irina Guseva, I have received a couple of questions related to user/group/permission management in CQ5/CRX instances configured for LDAP authentication. While all the requested functionality is in the product, and the respective configuration and UI options are described in the LDAP documentation, I realized that we were missing a more generic overview of what the LDAP integration shipped with our products can actually do.
I asked our documentation team to have a look at this, and they quickly provided an extended introduction and overview of LDAP integration. Please have a look at LDAP Authentication on docs.day.com, and leave comments there if you are still missing some information.
Some of the questions hopefully answered by the new introduction include:
- Q: (How) can I synchronize users/groups sourced from LDAP / Active directory with my CQ5 / CRX instance? A: Users and their groups (including configurable filtering and metadata matching) are automatically synchronized to your repository upon user's login. Additionally, you have the ability to manually synchronize user profiles (without forcing users to authenticate).
- Q: How can I assign CMS permissions to the users coming from LDAP? A: We usually recommend assigning LDAP groups to CMS-managed groups (in CQ5), and then managing permissions for the CQ5 groups. LDAP groups usually reflect organizational structure, whereas CQ5 groups usually reflect CMS usage structure.
- Q: Is it possible to do group matching from an AD group to the same group in CQ? A: As explained above, LDAP-sourced groups in CQ5 usually reflect the orgchart, and the CQ5-managed groups (like author, contributor, etc) reflect the CMS usage. You can have LDAP-sourced users belong to CQ5 CMS groups by assigning their LDAP groups to be members of the CQ5 groups.
- Q: How can I assign permissions - the way you describe above - without forcing my users to log in to the system (what I call the "bootstraping problem"). A: use a few LDAP user names to manually synchronize their profiles. This will pull the necessary LDAP groups to CQ5, and will allow for assigning them to respective CQ5 "CMS" groups, which will give the LDAP users their CMS-side rights.
Thanks to Hal Danziger, (@halwebguy) CTO at New York Media for asking the questions. I also received a similar question from someone from University of Cincinnati, but could not find the person's name afterwards, sorry.