
Question

Active Directory user groups in LFDS groups - LFDS 10.2.0.210

asked on February 20, 2018

My interpretation of the Rio 10.2 Deployment Guide was that if we had AD groups populated with our Laserfiche users and a rule in LFDS to synchronize from AD and assign a license, then I could create an LFDS group and add the AD group as a member, and all the users would belong to that LFDS group.

I'm finding that I'm having to assign LFDS group membership to the individual users in order to grant access to forms.

Do I have something set up wrong or is my interpretation incorrect?

Replies

replied on February 20, 2018

Hi Craig,

Your interpretation is correct. I would suggest the following steps.

1. Make sure that the Windows group you used for AD sync is added to an LFDS group.

2. Check the group type in your AD. It's possible that the group you used is a distribution group.

AD sync allows you to use a distribution group to pull users in. But during login, only security groups will be used for the security check.

We've made an improvement in LFDS 10.3 so that you can only add security groups to an LFDS group. 

 

If it still doesn't work, please open a support case.

 

Thanks,

Rufei

replied on February 21, 2018

I've had the system administrator check the AD groups and they are Domain Local Security Groups.  Should they be Global or Universal instead?

replied on February 23, 2018

Domain local groups should be ok if everything is in the same domain. If you're working with multiple domains, universal groups are recommended. 

replied on February 26, 2018

Here is the reply from the customer's System Administrator:

The problem is that we have users in two separate trusted domains.  You can only place/include users from “trusted” domains into Domain local groups.  I have even tried to nest the groups accordingly: Global -> Universal -> Domain (the Microsoft standard).  I still can’t add users from other trusted domains into the universal group.

 

Microsoft definition:

A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. 

 

Note: The yyyy.org and zzzz.local are separate domains, yes, but in different forests.  The domain local is the only one that can cross-forest, not universal security group.

 

Is there another option you want to explore?

 

 

  1. One way we might be able to get this to work is if we could authenticate to O365/Azure, since both accounts are present in our tenant.  Warning, though, the account suffixes are yyyy.com and zzzz.net. 

 

  2. Still another option, and I think the easiest to implement, is to utilize Azure Active Directory Services.  Laserfiche would need to be joined to yyyy.net domain in Azure.  Not a problem since Laserfiche is already built there.  Groups could be created there and authentication would be a snap.
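
The group-type check suggested in the replies above, as an added example that is not part of the original thread and not Laserfiche code: it reads an LDIF export of the AD groups, decodes each `groupType` value into category and scope, and counts members that are foreign security principals (accounts from another forest). The sample export, group names and SID are constructed, and the parser assumes unfolded `attribute: value` lines with no base64-encoded values.

```python
# Constructed sample: LDIF-style export of three groups (all names and SIDs are made up).
SAMPLE_LDIF = """\
dn: CN=LF-Forms-Users,OU=Groups,DC=example,DC=org
groupType: -2147483644
member: CN=Alice Smith,OU=Staff,DC=example,DC=org
member: CN=S-1-5-21-1111111111-2222222222-3333333333-1105,CN=ForeignSecurityPrincipals,DC=example,DC=org

dn: CN=LF-Mail-List,OU=Groups,DC=example,DC=org
groupType: 8
member: CN=Bob Jones,OU=Staff,DC=example,DC=org

dn: CN=LF-Admins,OU=Groups,DC=example,DC=org
groupType: -2147483640
"""

SECURITY_ENABLED = 0x80000000  # groupType bit that is set on security groups only
SCOPES = {0x2: "Global", 0x4: "DomainLocal", 0x8: "Universal"}

def parse_ldif(text):
    """Split the export into records mapping attribute name -> list of values."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep:
                rec.setdefault(attr, []).append(value)
        records.append(rec)
    return records

def audit_group(rec):
    """Report category, scope and cross-forest member count for one group record."""
    # groupType is exported as a signed 32-bit integer; mask it to read the flag bits.
    flags = int(rec["groupType"][0]) & 0xFFFFFFFF
    members = rec.get("member", [])
    return {
        "dn": rec["dn"][0],
        "category": "Security" if flags & SECURITY_ENABLED else "Distribution",
        "scope": next((n for bit, n in SCOPES.items() if flags & bit), "Unknown"),
        # Accounts from a trusted external forest appear as foreign security principals.
        "foreign_members": sum(",CN=ForeignSecurityPrincipals," in m for m in members),
    }

if __name__ == "__main__":
    for row in map(audit_group, parse_ldif(SAMPLE_LDIF)):
        note = "" if row["category"] == "Security" else "  <- not used for the login security check"
        print(f'{row["dn"]}: {row["category"]}/{row["scope"]}, '
              f'{row["foreign_members"]} cross-forest member(s){note}')
```
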
replied on August 24, 2018

Hi:

Even though the Windows groups I used for the Active Directory sync have been added to the LFDS groups of the same name, I seem to be having problems with getting any groups to be imported, and therefore seen, within my Forms test environment.  I also had a look at the group type for one of the AD groups I set up, and I changed it from a Global to Universal security group (synchronizing my changes first to Directory Server, and then to my Forms test environment), but the one specified group I had modified still did not show up as a group under Named Users within System Security.

Might there be anything else I could check, with respect to this group, to ensure the group can be seen and used within my Forms test environment?

Thanks to anyone who has any suggestions on this!

Marty Gaffney - Network Technician
Town of Okotoks
