
Question

How to add and remove license from an AD account using LF Directory Server 10

asked on April 3, 2017

Hi,

Our LF environment for users is exclusively AD-group based. We are trying to keep our licenses in check, but we are struggling.

When users leave, we remove them from AD groups; however, this does not automatically revoke the license, it only restricts LF repository access. Likewise, if we add new users to an AD group, when they log in for the first time, if a license is available it is not allocated until admins add the user as a named user on Directory Server and allocate a license.

We migrated from LF License Manager 8.3; we were under the impression that a move to Directory Server would resolve our license management based on AD, but it seems that is not the case ... or are we doing something wrong?

Thanks.


Answer

SELECTED ANSWER
replied on April 4, 2017

The way AD sync works is that it gets the list of members of all the groups listed in the rules, calculates what type of license they should have by processing the rules (top down, in case multiple rules apply to the same user), then applies the calculated license changes. If you have more users than licenses, the sync fails, as Directory Server has no way of guessing which users it should skip.

One way you can do this, if you have groups where you don't want all users to get licenses, is, instead of syncing those groups, to create an "LF licenses" group and add the domain users to that one. Then set the synchronization rule on just that one group.


Replies

replied on April 3, 2017

Have you looked into Active Directory synchronization? This feature was available in License Manager 8.3 as well.

replied on April 3, 2017

Yes, the sync switch is on for all the named domains. Is there a time lag?

replied on April 3, 2017

Do you have enough user licenses to cover all the users in your domain?


replied on April 3, 2017

To add to what Miruna said: if your synchronization results in insufficient licenses, the entire sync will be cancelled, including removing licenses from users. This is the most common reason for synchronization to fail.

I recommend checking your event viewer for failure events regarding the synchronization.

Finally, you said the sync switch is on, but I want to double-check: (1) have you set up rules for each AD group on the same page where you turned on the sync switch, and (2) were these users added via synchronization initially?

By default, AD sync does not affect users that are added manually. You need to toggle the switch "Exempt from AD sync rules" to off for manually added users if you switch from manual add to AD sync.

replied on April 3, 2017

Ok, when you say enough licenses to cover the domain, I assume you mean those groups listed in the rules? If this is the case, then no, I don't think we have, as we have more users in those groups than licenses; some are managers who never log in but are in that group. If this is the issue, it looks like we need to clear AD first. I assume we can keep licenses in place and clear down the groups below the license limit, then sync? Thanks.

replied on April 5, 2017

Thank you ... I see that working. Although, a query I have is: if the repository uses AD groups that are not listed in Directory Server, will access still be available?

replied on April 5, 2017

Granting repository access to an AD group and using an AD group for license synchronization are separate, but a user needs both access and a license to log in.

That said, it doesn't matter whether the AD group that grants the user access is the same as the AD group used to assign the license.

Example:

  • AD Group DepartmentA has User1, User2, and User3.
  • AD Group LFLicensed has User1, User2, and User4.


In LFDS, you use AD sync with the group LFLicensed to grant Full Named User licenses to the whole group.

In the admin console, you trust the group DepartmentA for login.

End results:

  • User1 and User2 can log in because they have both a license and repository login access
  • User3 cannot log in because they have no license in LFDS
  • User4 cannot log in because they are not allowed repository login in the admin console
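To make the behaviour described in the selected answer (rules evaluated top down, the whole sync cancelled when licenses run short, manually added users left alone while "Exempt from AD sync rules" is on) and in the DepartmentA/LFLicensed example above concrete, here is an added Python model. It is not Laserfiche code and does not talk to LFDS or AD; it only reproduces the decision logic the replies describe. Group memberships, rule order, seat counts and user names are constructed for the example, and the LFRetrieval group and the exempt "Admin" user are assumptions that do not appear in the thread.

```python
"""Model of the LFDS Active Directory license sync as described in the thread.

Constructed example, not Laserfiche code. Group memberships, rule order and
seat counts below are made up to exercise: top-down rule evaluation, whole-sync
cancellation when licenses run short, exemption of manually added users, and
login requiring both a license and repository access.
"""
from collections import Counter

# Constructed AD group memberships (sAMAccountNames). LFRetrieval is an
# assumption added to show a second license type; it is not in the thread.
AD_GROUPS = {
    "DepartmentA": {"User1", "User2", "User3"},
    "LFLicensed": {"User1", "User2", "User4"},
    "LFRetrieval": {"User4", "User5"},
}

# Sync rules in the order LFDS would evaluate them: first matching rule wins.
RULES = [("LFLicensed", "Full"), ("LFRetrieval", "Retrieval")]


def calculate_licenses(groups, rules):
    """Return {user: license_type} by walking the rules top down.

    A user who is in several rule groups gets the type from the first rule
    that matches (User4 here gets Full, not Retrieval), so rule order matters.
    """
    wanted = {}
    for group, license_type in rules:
        for user in sorted(groups.get(group, ())):
            wanted.setdefault(user, license_type)
    return wanted


def sync(current, wanted, available, exempt=frozenset()):
    """Apply one sync the way the thread describes it.

    current   -> {user: license_type} already held in LFDS
    wanted    -> output of calculate_licenses()
    available -> {license_type: total_seats}
    exempt    -> manually added users still flagged "Exempt from AD sync rules"

    Returns (ok, new_state, reason). If any license type is oversubscribed the
    whole sync is cancelled, so pending removals are NOT applied either; this
    is how a departed user (User3 below) can keep a license after leaving.
    """
    # Exempt users keep whatever they hold and are ignored by the rules.
    proposed = {u: t for u, t in current.items() if u in exempt}
    for user, license_type in wanted.items():
        if user not in exempt:
            proposed[user] = license_type
    needed = Counter(proposed.values())
    for license_type, count in sorted(needed.items()):
        seats = available.get(license_type, 0)
        if count > seats:
            reason = (f"{license_type}: {count} users in rule groups, "
                      f"{seats} seats; sync cancelled, nothing changed")
            return False, dict(current), reason
    return True, proposed, "sync applied"


def can_log_in(user, licenses, trusted_groups, groups):
    """Login needs both a license in LFDS and membership of a trusted group."""
    has_license = user in licenses
    has_access = any(user in groups.get(g, ()) for g in trusted_groups)
    return has_license and has_access


if __name__ == "__main__":
    wanted = calculate_licenses(AD_GROUPS, RULES)
    # Stale state: User3 left DepartmentA/LFLicensed but still holds a license.
    ok, state, reason = sync({"User3": "Full"}, wanted,
                             {"Full": 2, "Retrieval": 1})
    print(reason, state)          # oversubscribed: User3 keeps the license
    ok, state, reason = sync({"User3": "Full"}, wanted,
                             {"Full": 3, "Retrieval": 1})
    print(reason, state)          # enough seats: User3 is removed
    for user in sorted(AD_GROUPS["DepartmentA"] | AD_GROUPS["LFLicensed"]):
        print(user, can_log_in(user, state, ["DepartmentA"], AD_GROUPS))
```

The pre-check a practitioner actually wants before enabling sync is the middle step: count the distinct members of the union of all rule groups per license type and compare with the seats you own. If the count is over, trim the groups (or move to a dedicated license group as the answer suggests) before the sync runs, because a failed sync also leaves every departed user's license in place.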
replied on April 6, 2017

Thanks for this. I discussed the options with the Infrastructure guys and they are saying that although this would work, it does mean that they would have to maintain two sets of groups. We have a total of 9 AD groups for the repository. This way we would have 11 (we need two, as we have full and retrieval licenses). Bottom line is that they have asked me to clean up the users in the current groups and let sync work on them.

Nonetheless, thank you for your assistance - at least we know what we have to do!
