Question

LFDS behavior change request - when sync rule contains more users than available licenses

asked on January 9, 2017

Hi,

One of my customers has a synchronization rule set up to automatically add users and assign licenses to them. Everything has been working fine up to now, but they just added 15 new users in the AD group and only 14 licenses remained available in LFDS.

The actual LFDS V10.1 behavior that happened is this way...

- All automatic syncs are failing. An event is logged in the Event Viewer.

- None of the users are added to the Users list in LFDS.

- When I manually sync, I get the message "Synchronization failed".

 

It was not very easy to determine the cause of this failure because the event log was not very clear.

 

Can Laserfiche modify this behavior by creating all users anyway in LFDS (even if it creates more users than it is licensed for), assigning all available licenses to users up to the point where none is available, and leaving some users with no licenses assigned?

This new behavior would at least show the number of unassigned licenses to be at "0".

Can Laserfiche implement an email notification to predetermined administrators if this situation ever happens? This would help the customer to know when this is happening.

4 0

Replies

replied on January 9, 2017

We're definitely working to improve error handling for synchronization. We have one bug targeted for the next major release that includes more user-friendly information in the errors (SCR 145728 for reference). We're also considering how we can make specific sync issues more prominent.

However, the behavior where sync completely stops is necessary due to the complex options available for synchronization.

For example, let's say you have rules to grant Sales full licenses, sales interns (a sub-group of Sales in AD) Participants, and IT full licenses. You have two new interns, so you're short 2 participant licenses.

In this case, if we assigned licenses without checking if you could fulfill all the rules, two interns get full licenses that aren't replaced by their Participant licenses, and suddenly two members of IT have no license. We can't guess at intentions, only parse rules.

As such, the goal of the "only assign if there are sufficient licenses" behavior is to prevent strange partial rule fulfillment that would be equally difficult to troubleshoot, with the added potential to cause major issues for existing users.

As a general rule, if synchronization was succeeding and now is failing, unless you are having system outages, the most likely cause by far is insufficient licenses.

2 0
replied on January 9, 2017

I had the same problem and it was difficult to troubleshoot.  I think this is a great suggestion.

1 0
replied on July 25, 2019

I agree with the posters above.  You have done a good job of explaining the complexity of the licensing options, and state that you cannot parse intentions, just rules.  However, in all of these examples, one of the rules failed.  It would be helpful to state which rule failed.  Likewise, we see error messages in Event Viewer to the effect that a user could not be found in Active Directory.  But the user it is looking for is not identified.  Can you add that information?  Again, it failed at some point, so knowing where to look seems like a logical piece of information to add.

1 0
replied on January 10, 2017

Thanks Brianna for this added description. I have not yet had to set up such complex license attribution like you are describing, so it's good to know. I do understand your point.

Nice to know Laserfiche will be improving in this area.

0 0
replied on June 15, 2018

Hi Brianna,

 

I have a large RIO customer using 3 AD groups to assign their Full licenses.

The group assignments are done by their helpdesk, which has no knowledge of the effect on LF if the numbers are exceeded.

An error is generated in the Event log. At the same time, an email notification could be sent to alert them to revise the group membership.

Many thanks

 

0 0
replied on June 18, 2018

I've used this workaround, using Event Viewer to create a notification:

In Windows Event Viewer, display the "licenses block 00000000 fail" error and choose Attach Task to this Event.

Open Notepad and create the PowerShell script below, saved with a PS1 extension (modify with your own message, SMTP server, sender and receiver).

Script begin>>
# Email sent by the task attached to the event; the quoted -Body string spans several lines.
Send-MailMessage -To x@x.com -Subject "Laserfiche Full licenses exceeded" -Body "The following AD groups have more than xxx users

ADGroup1
ADGroup2
ADGroup3" -SmtpServer smtp.x.com -From LFNotify@x.com
<<Script end

 

The Task Action is configured as follows

Run Program: Powershell.exe
Parameters:  -ExecutionPolicy Bypass C:\myscript.ps1

The script can be modified to notify for any Laserfiche event.
Hope this helps others with the same issue.

1 0
replied on July 26, 2018

Adding another vote. I had the same problem and it was difficult to troubleshoot.  I think this is a great suggestion.  The Default behavior of failing all rules when one fails is a big problem.  The error should clearly identify the identity provider and rule that is failing.

0 0
replied on February 22, 2019

Where does LFDS read the information (Table, log, ?) to display the success or Failure of the identity Provider Synchronization?

0 0
replied on February 22, 2019

The following information applies to LFDS 10.2+

There are two ways that the UI shows that synchronization failed.

If you manually attempt to synchronize, there should be two notifications at the top. If it fails, it looks like this:

 

You can also view the status of the last sync:

 

You can also go to the event viewer for more information. That's what Warren's email script looks at.

The specific log:
Application and Service Logs -> Laserfiche -> Directory Server -> Server -> Operational logs

 

There are two events:

The failure event ID should be 2, and the type is "Laserfiche.LicenseManager.InsufficientLicensesException"

The more informative event has ID 22, and will look something like this:

The request for the resource 'Full license (9bba0d89-9a13-455f-ada9-83cf071d46b9)' could not be fulfilled. (Requested: '145'; Available: '25')

In that case, it means that I have AD sync rules that try to assign 145 Full licenses, but I only have 25 Full licenses available.

Note: the "25 available" refers to either (1) the total number of user licenses in your master license or (2) if using the "Organizations" feature, the number allocated to that organization. It does not take into account licenses already assigned to users, devices, or applications.

1 0
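
The event ID 22 message format described in the reply above can feed the Event Viewer email workaround posted earlier in the thread, so the alert states the resource and the actual numbers. This is an added example, not code from any poster or from Laserfiche; the function names and the log-name placeholder are assumptions, and the sample input is the message text quoted in the reply.

```powershell
# Added example: parse the event ID 22 text quoted above and build an alert body.
# Function names and the log-name placeholder are assumptions, not Laserfiche's.

function ConvertFrom-LfdsLicenseMessage {
    param([Parameter(Mandatory)][string]$Message)
    $pattern = "The request for the resource '(?<Name>.+?) \((?<Guid>[0-9a-f-]{36})\)' " +
               "could not be fulfilled\. \(Requested: '(?<Req>\d+)'; Available: '(?<Avail>\d+)'\)"
    if ($Message -notmatch $pattern) { return }   # some other event text: emit nothing
    $requested = [int]$Matches['Req']
    $available = [int]$Matches['Avail']
    [pscustomobject]@{
        Resource   = $Matches['Name']
        ResourceId = $Matches['Guid']
        Requested  = $requested     # licenses the sync rules try to assign
        Available  = $available     # total in the master license or organization,
                                    # not what is left after existing assignments
        Shortfall  = $requested - $available
    }
}

function Get-LfdsLicenseShortfall {
    # Find the real channel name with: Get-WinEvent -ListLog *Laserfiche*
    param([Parameter(Mandatory)][string]$LogName, [int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 22 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LfdsLicenseMessage -Message $_.Message } |
        Where-Object { $_ }
}

function New-LfdsAlertBody {
    param([Parameter(Mandatory)]$Info)
    "LFDS synchronization failed: rules request {0} x '{1}' but only {2} are licensed ({3} short)." -f $Info.Requested, $Info.Resource, $Info.Available, $Info.Shortfall
}

# Constructed sample input: the event 22 message from the reply above.
$sample = "The request for the resource 'Full license (9bba0d89-9a13-455f-ada9-83cf071d46b9)' " +
          "could not be fulfilled. (Requested: '145'; Available: '25')"
$parsed = ConvertFrom-LfdsLicenseMessage -Message $sample
New-LfdsAlertBody -Info $parsed

# In the script run by the attached task, read the live log instead of the sample
# and pass the result to Send-MailMessage as -Body:
#   $body = Get-LfdsLicenseShortfall -LogName '<LFDS operational log name>' |
#           Select-Object -First 1 | ForEach-Object { New-LfdsAlertBody -Info $_ }
```
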
replied on March 8, 2019

Right, but where does the application read the last sync status from? Is it stored in the LFDS database? What table can I read the value from?

0 0