update

readme.md

@@ -1,26 +1,28 @@
-AEM 6.1 LDAP Authentication Tutorial
-===========================================
+AEM 6.1 External Authentication Tutorial
+========================================
 
-This tutorial goes through the steps to setup and configure a LDAP server and the configure AEM to use example data for authentication.
+This tutorial goes through the steps to setup and configure a LDAP server and the configure AEM to use example data for authentication. 
+
+As a bonus track, we show how to build and configure your own identity provider.
 
 Sections
 --------
 
-1 [Setup Apache Directory Server](tutorial-01-install-ldap.md)  
-2 [Configure LDAP Authentication in AEM](tutorial-02-configure-aem.md)  
-3 [Test LDAP Authentication in AEM](tutorial-03-test.md)
+1 [Setup Apache Directory Server](step-01/tutorial-01-install-ldap.md)  
+2 [Configure LDAP Authentication in AEM](step-02/tutorial-02-configure-aem.md)  
+3 [Test LDAP Authentication in AEM](step-03/tutorial-03-test.md)
 
 Bonus
 -----
 
-4 [Create your own IDP](tutorial-04-example-idp.md)
+4 [Create your own IDP](step-04/tutorial-04-example-idp.md)
 
 Resources
 ---------
-* Example ldiff file: [apache-ds-tutorial.ldif](apache-ds-tutorial.ldif)
+* Example ldif file: [apache-ds-tutorial.ldif](step-01/apache-ds-tutorial.ldif)
 * Package with AEM 6.1 LDAP example configurations: 
-    * First config: [ldap-first-config-pkg.zip](ldap-first-config-pkg.zip)
-    * Config with profile: [ldap-config-with-profile-pkg.zip](ldap-config-with-profile-pkg.zip)
+    * First config: [ldap-first-config-pkg.zip](step-02/ldap-first-config-pkg.zip)
+    * Config with profile: [ldap-config-with-profile-pkg.zip](step-03/ldap-config-with-profile-pkg.zip)
 
 Links
 -----

tutorial-01-install-ldap.md → step-01/tutorial-01-install-ldap.md

@@ -2,75 +2,71 @@ AEM 6.1 LDAP Authentication Tutorial
 ====================================
 
 Step 01 - Install Apache Directory Server
--------------------------------
+-----------------------------------------
 
-In this step we install Apache Directory Server and Studio, create and configure a new LDAP server and load it with example data.
+In this step we install _Apache Directory Server_ and _Apache Directory Studio_, create and configure a new LDAP server and load it with example data.
 
 ### Requirements
 1. Apache Directory Server
 2. Apache Directory Studio
 2. Example data: http://directory.apache.org/apacheds/basic-ug/resources/apache-ds-tutorial.ldif
 
 #### 1. install apache directory server
-folow: http://directory.apache.org/apacheds/basic-ug/1.3-installing-and-starting.html
+Folow: http://directory.apache.org/apacheds/basic-ug/1.3-installing-and-starting.html
 
 #### 2. install apache directory studio
-see: http://directory.apache.org/studio/
+See: http://directory.apache.org/studio/
 
 #### 3. create a new server
 - In directory studio, select the server tab and click the icon for create server.
 - choose some meaningful name and click finish
-![create server](ldap-00-create-server.png)
+![create ldap server](images/ldap-00-create-server.png)
 
 #### 4. configure server
 Doubleclick the newly created server to open its configuration.
 
 - disable anonymous access
 - enable access control
 
-![configure server](ldap-01-configure-server.png)
+![configure server](images/ldap-01-configure-server.png)
 
 - open _Advanced Partions Configuration_
 - delete the _example_ partition
 - create new partition:
     - for id enter: `SevenSeas`
     - for suffix enter: `o=SevenSeas`
 
-![configure server](ldap-02-create-partition.png)
+![create partition](images/ldap-02-create-partition.png)
 
 **Save the configuration !!**
 
 #### 5. start the server
 Click on the "Start" in the servers tab
 
-![configure server](ldap-03-start-server.png)
+![start server](images/ldap-03-start-server.png)
 
 #### 6. create connection
+Right click the server and select _Create a Connection_
 
-right click the server and select _Create a Connection_
+![create connection](images/ldap-04-create-connection.png)
 
-![configure server](ldap-04-create-connection.png)
-
-#### 7. open connection
-
-double click on the newly created connection in order to connect to the server.
+#### 7. connect to server
+Double click on the newly created connection in order to connect to the server.
 
 #### 8. import ldif
-
 Import the example data:
 
 - right click on the _o=SevenSeas_ node
-- select import -> ldiff
+- select: _Import_ -> _LDIF Import..._
 
-![configure server](ldap-05-import-ldiff.png)
+![import ldif](images/ldap-05-import-ldiff.png)
 
 - choose the `apache-ds-tutorial.ldif` file and click _Finish_
 
-![configure server](ldap-06-select-ldiff.png)
+![ldif import dialog](images/ldap-06-select-ldiff.png)
 
 #### 9. browse structure
+You can verify the newly imported entries by browsing the structure below the  _o=SevenSeas_ node.
 
-you can verify the newly imported entries
-
-![configure server](ldap-07-browse-structure.png)
+![browse seven seas](images/ldap-07-browse-structure.png)
 

tutorial-02-configure-aem.md → step-02/tutorial-02-configure-aem.md

@@ -6,6 +6,8 @@ Step 02 - Configure LDAP Authentication in AEM
 
 In this step we configure AEM 6.1 to use our newly created LDAP server for login.
 
+**!** If you want to fast forward, here's the [ldap-first-config-pkg.zip](ldap-first-config-pkg.zip) package with the resuling configuration of this step.
+
 ### Requirements
 1. LDAP Server with example data (preferably from previous step 01)
 2. Running vanilla AEM 6.1 installation
@@ -16,15 +18,16 @@ It is always advisable to configure LDAP related logging during initial setup.
 - open [Sling Log Support](http://localhost:4502/system/console/slinglog) in the Felix console
 - add `org.apache.jackrabbit.oak.spi.security.authentication.external` as category for controlling the logging of the external login module and sync handler
 - add `org.apache.jackrabbit.oak.security.authentication.ldap` as category for controlling the logging of the LDAP identity provider.
+- optionally, add `org.apache.directory` as a category for very lowlevel logging of the ldap client calls.
 
-![image](aem-00-setup-logging.png)
+![setup logging](images/aem-00-setup-logging.png)
 
 #### 2. configure LDAP identity provider
 Now we configure the LDAP idp. this is the piece that connects to the LDAP server.
 
 - open the [Felix Configuration Manager](http://localhost:4502/system/console/configMgr) and search for the _"ldap identity provider"_ factory config and click on the plus **+** button.
 
-![image](aem-01-find-ldap-idp.png)
+![create idp config](images/aem-01-find-ldap-idp.png)
 
 Enter the following information:
 
@@ -55,14 +58,14 @@ Enter the following information:
 
 And save the config.
 
-![image](aem-02-configure-ldap-idp.png)
+![configure ldap idp](images/aem-02-configure-ldap-idp.png)
 
 #### 3. configure Default Sync Handler
 The sync handler is responsible to synchronize the external users with the local repository.
 
 - open the [Felix Configuration Manager](http://localhost:4502/system/console/configMgr) and search for the _"Default Sync Handler"_ factory config and click on the plus **+** button.
 
-![image](aem-03-find-synchandler.png)
+![create sync config](images/aem-03-find-synchandler.png)
 
 Enter the following information:
 
@@ -82,14 +85,14 @@ Enter the following information:
 
 And save the config
 
-![image](aem-04-configure-synchandler.png)
+![sync config](images/aem-04-configure-synchandler.png)
 
 #### 4. configure the external login module
 The external login module is the bridge between the login, the idp and the sync handler.
 
 - open the [Felix Configuration Manager](http://localhost:4502/system/console/configMgr) and search for the _"External Login Module"_ factory config and click on the plus **+** button.
 
-![image](aem-05-find-loginmodule.png)
+![create login module](images/aem-05-find-loginmodule.png)
 
 Enter the following information:
 
@@ -103,14 +106,14 @@ Enter the following information:
 
 And save the config
 
-![image](aem-06-configure-loginmodule.png)
+![configure loginmodule](images/aem-06-configure-loginmodule.png)
 
 #### 5. verify the JAAS console
 The external login module should now show up in the JAAS console:
 
 - open the [Felix JAAS Console](http://localhost:4502/system/console/jaas)
 
-![image](aem-07-jaas-console.png)
+![jaas console](images/aem-07-jaas-console.png)
 
 
 

tutorial-03-test.md → step-03/tutorial-03-test.md

@@ -6,6 +6,9 @@ Step 03 - Test that it works!
 
 In this step we verify that the LDAP authentication works and if the users are synced properly.
 
+**!** If you want to fast forward, here's the [ldap-config-with-profile-pkg.zip](ldap-config-with-profile-pkg.zip) package with the resuling configuration of this step.
+
+
 ### Requirements
 1. LDAP Server with example data (from step 01)
 2. AEM 6.1 installation with configured LDAP authentication (from step 02)
@@ -24,14 +27,14 @@ Looking at the users and groups should show the user _William Bush_ and his grou
 - open the [AEM useradmin](http://localhost:4502/useradmin)
 - search for `seven`
 
-![image](test-01-useradmin.png)
+![useradmin](images/test-01-useradmin.png)
 
-If you look at the log files, you should see something like here: [log-snip-01.md](log-snip-01.md)
+If you look at the log files, you should see something like this here: [log-snip-01.md](log-snip-01.md)
 
 #### 2. add more config for first- and givenname
-as you can see in the AEM user admin, the fields for _First Name_ and _Last Name_ are empty, because the useradmin reads the `profile/givenName` and `profile/familyName`.
+As you can see in the AEM user admin, the fields for _First Name_ and _Last Name_ are empty, because the AEM useradmin uses the `profile/givenName` and `profile/familyName` properties.
 
-so let's alter the config so that this information is populated as well.
+So let's alter the config so that this information is populated as well.
 
 - open the [Felix Configuration Manager](http://localhost:4502/system/console/configMgr) and search for the _"Default Sync Handler"_ factory config and click on the first confg to edit it
 
@@ -46,31 +49,30 @@ Enter the following information:
 | User Expiration Time          | `10s`
 | User property mapping         | `rep:fullname=cn` <br> `profile/nt:primaryType="nt:unstructured"` <br> `profile/givenName=givenname` <br> `profile/familyName=sn` |
 
-![image](test-02-newconfig.png)
+![new config](images/test-02-newconfig.png)
 
 And save the config.
 
-Now if you logout and login again with `wbush` the user should be resynced.
+Now, if you logout and login again with `wbush` the user should be resynced.
 
-![image](test-03-useradmin-withprops.png)
+![useradmin](images/test-03-useradmin-withprops.png)
 
 #### 3. use JMX console to sync more users
-
 Oak comes with a default JMX mbean that allows you to control the sync handler. 
 
 - open the [Felix JMX Console](http://localhost:4502/system/console/jmx) and search for the _"External Identity"_ bean and select it
 
-![image](test-04-jmx-console.png)
+![jmx console](images/test-04-jmx-console.png)
 
-![image](test-05-jmx-synchandler.png)
+![jmx synchandler](images/test-05-jmx-synchandler.png)
 
-- click on `syncAllExternalUsers()` and then on `invoke`. this will collect all the users from the IDP and sync them with the repository. you will see an `add` op property for all newly added users, and an `upd` for the updated ones.
+- click on `syncAllExternalUsers()` and then on `invoke`. this will collect all the users from the IDP and sync them with the repository. you will see an `add` _op_ property for all newly added users, and an `upd` for the updated ones.
 
-![image](test-06-jmx-syncexternalusers.png)
+![sync users](images/test-06-jmx-syncexternalusers.png)
 
 checking back the user admin shows the newly imported users and groups
 
-![image](test-07-useradmin-more.png)
+![useradmin](images/test-07-useradmin-more.png)
 
 
 

step-04/authorizables.json

@@ -0,0 +1,65 @@
+{
+	"enterprise": {
+		"id": "enterprise",
+		"members": ["kirk", "spock", "mccoy"]
+	},
+	"kirk": {
+		"id": "kirk",
+		"fullname": "James T. Kirk",
+		"givenname": "James T.",
+		"familyname": "Kirk",
+		"email": "kirk@seven_skies.example.com",
+		"password": "pass",
+		"groups": ["enterprise"]
+	},
+	"spock": {
+		"id": "spock",
+		"fullname": "Spock",
+		"givenname": "Spock",
+		"familyname": "",
+		"email": "spock@seven_skies.example.com",
+		"password": "pass",
+		"groups": ["enterprise"]
+	},
+	"mccoy": {
+		"id": "mcccoy",
+		"fullname": "Leonard McCoy",
+		"givenname": "Leonard",
+		"familyname": "McCoy",
+		"email": "mccoy@seven_skies.example.com",
+		"password": "pass",
+		"groups": ["enterprise"]
+	},
+
+	"voyager": {
+		"id": "voyager",
+		"members": ["janeway", "chakotay", "tuvok"]
+	},
+	"janeway": {
+		"id": "janeway",
+		"fullname": "Kathryn Janeway",
+		"givenname": "Kathryn",
+		"familyname": "Janeway",
+		"email": "janeway@seven_skies.example.com",
+		"password": "pass",
+		"groups": ["voyager"]
+	},
+	"chakotay": {
+		"id": "chakotay",
+		"fullname": "Chakotay",
+		"givenname": "Chakotay",
+		"familyname": "",
+		"email": "chakotay@seven_skies.example.com",
+		"password": "pass",
+		"groups": ["voyager"]
+	},
+	"tuvok": {
+		"id": "tuvok",
+		"fullname": "Tuvok",
+		"givenname": "Tuvok",
+		"familyname": "",
+		"email": "tuvok@seven_skies.example.com",
+		"password": "pass",
+		"groups": ["voyager"]
+	}
+}