Question

Migration steps for moving from repository users to LFDS users

asked on April 27, 2017

One of our customers has all of their user accounts configured as repository named users. The reason is that they have Forms and WA on their DMZ, and thus Active Directory login is not an (easy) option. We wanted users to be able to log into LF both from outside the network (through the DMZ) and from inside using the same credentials, so we set them up as repository named users. This was back in version 9, with License Manager 8.3.

Fast-forward to today, Laserfiche Directory Server can now manage Laserfiche accounts (i.e. username/password accounts). If my understanding is correct, this pretty much eliminates the need for repository named users, right? So the logical thing to do would be to migrate those accounts from the LF server to LFDS.

The question is how. Here are the steps I came up with after reading some help files and clicking random buttons:

  1. Take away the ~70 user licenses we have allocated to the LF Server. This will free up 70 full licenses.
  2. Start creating the user accounts in LFDS, making sure the username matches the username in the LF repository.
  3. Go to LF Forms Configuration and change the authentication from LF Server to LFDS.
  4. Everything works?

 

EDIT: I just noticed the Admin Console has a (new?) "Laserfiche Directory Accounts" section, and this is its tie-in to accounts in LFDS. Does this mean that, after steps 1-3 above, we need to manually migrate the settings and attributes of the repository named users to their counterparts under Laserfiche Directory Accounts? Or can we just do an XML export from one section and import it to the other?

1 0

Replies

replied on July 28, 2017

Hi Ege,

That is correct – if all your users have AD accounts, then there is no need to have repository-named users. Your steps are also correct, but here’s some additional information to go along with them:

1. Generate a new server license from LFDS once you upgrade to LFDS. More details are located on this Help Files page. You’ll want to do this before getting into user configuration.

2. Some clarification is needed here. Let’s say you have a pre-existing repository user named John Gordon. If you create an LFDS user (“directory account”) named John Gordon and leave the pre-existing repository user, then when John tries to log in, Laserfiche will attempt to use the repository user account (even if you’ve removed its license). So, you shouldn’t have LFDS users with duplicate names in repository users once you’re ready to go live. Also, it effectively doesn’t matter what you name the LFDS users – those are new accounts.

As they are new accounts, they do need to be made from scratch – so passwords, attributes, etc. Yes, you can certainly export attributes from the repository user and import that XML to the new LFDS user. Another option is creating these LFDS users from a CSV script – more information here.

The good news is that you can retain your repository groups’ settings. In the Laserfiche Directory Accounts node in the Admin Console, you’d create an LFDS group there (with a different name) and then add that account to the corresponding repository group.

3. This KB article has the information you need. There’s a database change you need to perform in order to change authentication from the LF Server to LFDS. Also, in Forms, security is applied to the LFDS group; the bottom of the article addresses this.

1 0
replied on July 31, 2017

Thanks Tanya.

We actually don't have any AD users. While some employees have AD accounts, we ended up not being able to use it because the customer's primary Forms server is located on a DMZ, which has a completely separate domain, and Laserfiche doesn't provide (or, didn't at the time, back in License Manager days) an easy way to leverage Active Directory in those situations. That's why we set up all users with repository accounts, supplemented by Forms Participants managed by the primary Forms Server.

So we basically have ~50 repository accounts, plus 25 Forms Participant accounts that are tied to the DMZ Forms Server. Forms configuration is pointing to the Laserfiche Server and grabbing the repository account info from there.

The customer has since acquired some Employee Participant licenses. Their desire is to "upgrade" the Forms Participant users into Employee Participants so that they can log into the repository. Since the Forms Participants are currently defined at the Forms level, we first need to migrate those to LFDS by changing the User Authentication setting in Forms Config to point to LFDS - Miruna in another post said Forms handles that migration automatically. However, once we do this, Forms would stop looking at the Laserfiche repository for the repository accounts, so we need to migrate those to LFDS as well. And that will involve, based on what you said, doing a huge amount of manual work. You mention a CSV option, which is great – except you can't export user lists from the Admin Console as a CSV. The only option is XML.

The worst part is that it doesn't stop there. After migrating the users, my understanding is that we also need to manually reassign the Forms User Tasks that are currently assigned to the repository users, since their existing accounts (in Forms) will become invalid. That seems to be a manual process too, and has to be done on a process-by-process basis, as there is no place where you can view ALL user tasks associated with a particular user and reassign them en masse, as far as I can tell.

So we're in quite a bit of a mess here.

1 0
replied on August 1, 2017

To elaborate on the step involving exporting users as a CSV file, you can do so by right-clicking the appropriate users node > Export List:

This allows you to export your repository users with the following columns: User Name, Description, User Password, Feature Rights, Privileges, Account Status, Retrieval Only, Domain Authentication, Last Login, Last Logout, Named User

Regarding the Employee Participants, because these will be new users, what you outlined is correct.
 

0 0
replied on August 1, 2017

Regular text or unicode text?

0 0
replied on August 2, 2017

Both are options:

0 0
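
The duplicate-name rule from the July 28 reply can be checked against an exported user list before go-live. This is an added example, not code from the thread or from Laserfiche; it assumes the export is tab-delimited with a header row, and the function names and sample rows are made up for illustration.

```python
import csv
import io

NAME_COLUMN = "User Name"  # header from the column list quoted in the thread

# Constructed sample export: real column names from the thread, invented rows.
HEADER = ["User Name", "Description", "User Password", "Feature Rights",
          "Privileges", "Account Status", "Retrieval Only",
          "Domain Authentication", "Last Login", "Last Logout", "Named User"]
ROWS = [HEADER, ["John Gordon"] + [""] * 10, ["Jane Roe"] + [""] * 10]
SAMPLE_EXPORT = "".join("\t".join(r) + "\r\n" for r in ROWS)


def decode_export(raw):
    """Decode a list saved as either regular or Unicode text."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")       # BOM selects the byte order
    if raw[:3] == b"\xef\xbb\xbf":
        return raw.decode("utf-8-sig")
    return raw.decode("cp1252")           # assumption: regular text is ANSI


def repository_user_names(raw, delimiter="\t"):
    """Return the non-empty User Name values (tab delimiter is an assumption)."""
    reader = csv.DictReader(io.StringIO(decode_export(raw), newline=""),
                            delimiter=delimiter)
    if not reader.fieldnames or NAME_COLUMN not in reader.fieldnames:
        raise ValueError(f"export has no {NAME_COLUMN!r} column")
    names = ((row.get(NAME_COLUMN) or "").strip() for row in reader)
    return [n for n in names if n]


def name_collisions(repo_names, planned_lfds_names):
    """Pairs (repository user, planned LFDS account) whose names match.

    Matching ignores case and surrounding spaces: a conservative assumption,
    since the thread does not say how Laserfiche compares names.
    """
    existing = {n.strip().casefold(): n for n in repo_names}
    planned = (p.strip() for p in planned_lfds_names)
    return sorted((existing[p.casefold()], p) for p in planned
                  if p.casefold() in existing)


if __name__ == "__main__":
    repo = repository_user_names(SAMPLE_EXPORT.encode("utf-16"))
    for old, new in name_collisions(repo, ["john gordon", "Alex Poe"]):
        print(f"collision: repository user {old!r} / LFDS account {new!r}")
```
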
replied on April 25, 2019

Good Day,

Is there any other resolution to this yet? 
Importing the CSV file from LF Repo into AD does not work.

 

0 0
replied on July 29, 2019

Ruan,

 

CSV import of users into Active Directory is an entirely different thing. This post is describing CSV import into Laserfiche Directory Server.
For AD manipulation you should look at this:
https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx

0 0