
Question

LDAP Group Synchronization - Participant Users

asked on August 16, 2017

Hello

My client has created an AD group for participant users. We would like users from this participant group to be allocated participant licenses. We have 98 participant licenses available for allocation. I have created an LDAP Server Profile with the DN of this AD group and can see the group in the Participant list. Currently we only have this group showing in the list of participants. I have also allocated a license to this group (I am shown a message stating that users from this group will be assigned a license). I have clicked on the Synchronization button; however, I do not see any participant users from this group showing (imported) in the participant list. In the participant license allocation stat, I get 0/98 allocated. At this point I assumed that perhaps Forms would allocate a license when users from this group log in for the first time. However, this does not seem to be the case at present: when a user from this group tries to log in, a message stating "invalid username/password" is shown. Surprised, I added this user as a named user (imported as a Windows account) in the repo, and then tried to log in using the same username and password I had entered previously, and was able to log in successfully. This confirms to me that the username/password combination is definitely correct. So the question then is why, when a user from this AD group tries to log in, they are denied access to Forms as a participant? For the record, we have tried logging in as a few users from this group and none of our attempts have been successful so far.

We are using Forms v10.2. In the Forms config page, I have set the domain and Active Directory server details as well.

From all I have read so far, it seems like allowing access (as a participant user) from an AD group started from v10 of Forms? In which case I am wondering why this may not be working for me. Any hints/suggestions will be much appreciated.

Thanks!


0 0

Answer

SELECTED ANSWER
replied on August 17, 2017

Thanks Jason. We are not using LFDS, and users have been trying to log in with their email address and domain password.

I have found the solution. Syncing directly with an LDAP group (so the group is the only object available in the Forms participant list) does not bring in (import) the users automatically. The "assign license to an LDAP group" function only works if the users from that group are already available as participants in Forms (but not necessarily allocated a participant license, of course). So for example, if we sync to an OU (which imports all users and groups from this OU) and then assign a license to one of the groups, at this point Forms finds all members of this group who are in the participant list and automatically assigns a license to them.

In contrast, in the Laserfiche repository, if we import a Windows (or LDAP) group and nominate to assign a named user license to members of this group, then Laserfiche automatically creates the user and assigns a license when they log in for the first time.

I wish the Forms participant LDAP function worked the same way as the Laserfiche repository group. Our client is using multiple OUs with over 15k objects all up. Their LF users are spread across these OUs and amount to only a total of 100. They cannot create a separate OU just for Laserfiche for security reasons (which I can understand; why the need to create a separate OU just for LF participants to work anyway?). It would have been great if LF Forms could import users from a group; it makes management easier and it's a cleaner approach.


0 0
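To make the behaviour in the accepted answer concrete, here is an added example that is not from the thread or from Laserfiche: a small offline model of "sync scope decides who becomes a participant; assigning a license to a group only reaches members who are already participants". It also reports group members that fall outside the synced OU, which is the situation the client faces with users spread across several OUs. The directory data, DNs and the 98-license cap handling are constructed assumptions, not Laserfiche's implementation.

```python
# Added example (not Laserfiche code): models how a sync scope (group DN vs
# OU subtree) affects which group members can receive a participant license.
# Directory contents below are constructed sample data.

def split_dn(dn):
    """Normalise a DN into lower-cased RDN parts. Assumes no escaped commas."""
    return [part.strip().lower() for part in dn.split(",")]

def dn_under(dn, base):
    """True if dn equals base or lies anywhere beneath base in the tree."""
    parts, base_parts = split_dn(dn), split_dn(base)
    return len(parts) >= len(base_parts) and parts[-len(base_parts):] == base_parts

def sync_participants(directory, sync_dn):
    """User objects a profile rooted at sync_dn would import as participants.
    Syncing a group DN imports only the group object, so no users appear."""
    return {dn for dn, attrs in directory.items()
            if dn_under(dn, sync_dn) and "user" in attrs["objectClass"]}

def plan_group_licenses(directory, group_dn, sync_dn, available):
    """Return (licensed, unreachable): members that get a participant license
    (capped at the licenses available) and members outside the synced scope."""
    participants = sync_participants(directory, sync_dn)
    members = directory[group_dn]["member"]
    in_scope = [m for m in members if m in participants]
    unreachable = [m for m in members if m not in participants]
    return in_scope[:available], unreachable

# Constructed directory: one group whose members live in two different OUs.
GROUP = "CN=Forms Participants,OU=Groups,DC=example,DC=local"
DIRECTORY = {
    GROUP: {"objectClass": ["group"],
            "member": ["CN=alice,OU=Sales,DC=example,DC=local",
                       "CN=bob,OU=Sales,DC=example,DC=local",
                       "CN=carol,OU=Finance,DC=example,DC=local"]},
    "CN=alice,OU=Sales,DC=example,DC=local": {"objectClass": ["user"]},
    "CN=bob,OU=Sales,DC=example,DC=local": {"objectClass": ["user"]},
    "CN=carol,OU=Finance,DC=example,DC=local": {"objectClass": ["user"]},
}

if __name__ == "__main__":
    # Profile pointed at the group DN: nothing licensed, 0/98 as in the question.
    print(plan_group_licenses(DIRECTORY, GROUP, GROUP, 98))
    # Profile pointed at OU=Sales: alice and bob licensed, carol left out.
    print(plan_group_licenses(DIRECTORY, GROUP, "OU=Sales,DC=example,DC=local", 98))
```

The `unreachable` list is the check to run before choosing a sync OU: any member it names will silently stay unlicensed.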

Replies

replied on August 16, 2017

A few questions.

  1. Are you using Repository Authentication or LFDS Authentication in Forms?
  2. If you are using Repository Authentication, do any users appear in the list of participants in Forms?
  3. Are the Participant Users attempting to log in using their AD credentials?


If you are using Repository Authentication, Participant users must log in with their UPN (usually matches email address) and Windows password, not their Windows username, and it will use LDAP groups, not AD groups.

The AD group/Participant user related changes in newer versions of Forms relate to LFDS Authentication only, and not Repository Authentication.

0 0
replied on August 17, 2017

Glad you found your issue.

If you have the option, I would highly recommend you look into the possibility of switching over to LFDS Authentication (once on the most recent version of LFDS and Forms).

LFDS Authentication allows participant license assignment via AD groups, inherently prevents double licensing for AD users, and allows every user to log in with AD credentials regardless of the license type.

Additionally, the latest LFDS version includes "auto sign on" for Windows users.

We switched to LFDS authentication relatively recently and it is infinitely easier to manage than repository authentication.

1 0