I found the issue. I’m not certain if it is a bug, or if it is working as intended.
The problem is that I was creating a ContentRepository (oak.createContentRepository()), and then creating a JCR Repository, which also calls oak.createContentRepository(). Nothing indicates that there are now 2 ContentRepository instances, but the second instance apparently causes duplicate indexing.

Jim

From: Jim Tully <jim.tu...@target.com>
Date: Thursday, October 16, 2014 at 9:06 PM
To: "oak-dev@jackrabbit.apache.org" <oak-dev@jackrabbit.apache.org>
Subject: Re: LDAP synchronization

Follow up: jaas configuration:

    jackrabbit.oak {
        org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient;
        org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule required
            sync.handlerName="default"
            idp.name="ldap";
    };

LDAP connection works, and LDAP user is returned. It looks to me like the user / group is being indexed twice.

I am trying to get user / group synchronization working in Oak without OSGI. So far I have limited my experiments to the Main class in Oak-Run.

I define and register the EIP and Synch managers (with real values):

    // Define IDP
    LdapProviderConfig cfg = new LdapProviderConfig()
        .setName("ldap")
        .setHostname("server.company.com")
        .setPort(636)
        .setBindDN("binddn")
        .setBindPassword("pwd")
        .setGroupMemberAttribute("member")
        .setSearchTimeout(10000)
        .setUseSSL(true);
    cfg.getUserConfig()
        .setIdAttribute("displayname")
        .setBaseDN("baseDN")
        .setObjectClasses("person");
    cfg.getGroupConfig()
        .setBaseDN("groupDN")
        .setObjectClasses("group");
    LdapIdentityProvider ldapIDP = new LdapIdentityProvider(cfg);

    // Register IDP
    Whiteboard whiteBoard = oak.getWhiteboard();
    whiteBoard.register(ExternalIdentityProvider.class, ldapIDP, Collections.<String, Object>emptyMap());

    // Define Sync properties
    DefaultSyncConfig syncConfig = new DefaultSyncConfig();
    Map<String, String> mapping = new HashMap<String, String>();
    mapping.put("rep:externalId", "displayname");
    mapping.put("profile/name", "msds-phoneticdisplayname");
    mapping.put("profile/email", "mail");
    syncConfig.user().setPropertyMapping(mapping);
    syncConfig.user().setMembershipNestingDepth(1);

    // Register sync handler, sync manager and IDP manager
    whiteBoard.register(SyncHandler.class, new DefaultSyncHandler(syncConfig), Collections.<String, Object>emptyMap());
    whiteBoard.register(SyncManager.class, new SyncManagerImpl(whiteBoard), Collections.emptyMap());
    whiteBoard.register(ExternalIdentityProviderManager.class, new ExternalIDPManagerImpl(whiteBoard), Collections.emptyMap());
    …
    Jcr = new Jcr(oak);
    ContentRepository repository = oak.createContentRepository();
    ContentSession session = repository.login(new SimpleCredentials("user", "pwd".toCharArray()), null);

This always fails with 50 error messages:

    19:36:37.491 [qtp636034979-27] WARN o.a.j.o.s.s.a.e.i.ExternalLoginModule - User synchronization failed during commit: org.apache.jackrabbit.oak.api.CommitFailedException: OakConstraint0030: Uniqueness constraint violated at path [/] for one of the property in [rep:principalName] having value CN%3D54645098%2COU%3DEmployees%2COU%3DPeople%2CDC%3Dcorp%2CDC%3Dtarget%2CDC%3Dcom. (attempt 1/50)

Thinking this was related to Oak, I tried to login to the JCR repository. This threw a null pointer exception in ExternalLoginModule at this line:

    if (!sId.getExternalIdRef().getProviderName().equals(idp.getName())) {

where getProviderName() returned null.

Any pointers would be appreciated.

Jim Tully