
Question

Migrating windows users to directory server authentication (STS)

asked on August 7, 2021

The migration tool says it does not migrate Windows users, and to simply re-license them.

"Users from identity providers include Windows or LDAP or SAML accounts. The tool does not migrate these users. The administrator will have to re-license these users in Directory Server."

I can give them licenses in Directory Server so that they can authenticate again, but how do I copy their account so that when they log in to Forms/web client through Directory Server authentication they don't lose their original account?

0 0

Replies

replied on August 9, 2021

Windows users are identified in the Laserfiche system by their Active Directory SID, which remains the same. There is no migration of users needed: you simply add the users in LFDS and license them. Their repository settings including rights and group membership, Forms in progress*, audit history, etc. will remain properly associated with them because their unique ID has not changed.

*The white paper describes the steps you should take to handle corner cases involving Forms, since older versions of Forms do not use the AD SID by default. Starting in 10.4, Forms provides a simple UI option to convert users to use their Active Directory SID within the Forms UI.

0 0
replied on August 9, 2021

I am logged into their Named Users page but cannot find this UI option to convert to using SIDs. They were not originally a 10.4 system but are now running 10.4.4444.

0 0
replied on August 17, 2021

Hi Chad,

They may already be using AD SIDs. I believe you can confirm by looking at Forms' cf_users table for S-1-5-... SIDs. You can then export your LFDS user list to see all the AD SIDs present in LFDS and check everything is there.

1 0
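One way to do the SID check described in the reply above, as an added example that is not code from the thread or from Laserfiche: it reconciles the domain SIDs found in a Forms cf_users export against an LFDS user export, reports SIDs present on only one side, and flags LFDS usernames that look like LDAP distinguished names. The sample rows and the column names (`user_name`, `username`, `sid`) are constructed assumptions; the real export layouts are not given on this page.

```python
import re

# Constructed sample rows (not real data). Column names are assumptions: the
# actual cf_users / LFDS export layouts are not given on this page.
FORMS_CF_USERS = [
    {"user_name": "jdoe",      "sid": "S-1-5-21-1004336348-1177238915-682003330-1104"},
    {"user_name": "asmith",    "sid": "S-1-5-21-1004336348-1177238915-682003330-1105"},
    {"user_name": "svc_forms", "sid": ""},   # service account, no AD SID
]
LFDS_EXPORT = [
    {"username": "jdoe", "sid": "S-1-5-21-1004336348-1177238915-682003330-1104"},
    # username field wrongly populated with the LDAP distinguished name
    {"username": "CN=asmith,OU=Users,DC=example,DC=com",
     "sid": "S-1-5-21-1004336348-1177238915-682003330-1105"},
    {"username": "bjones", "sid": "S-1-5-21-1004336348-1177238915-682003330-1106"},
]

# A domain account SID has the form S-1-5-21-<three domain subauthorities>-<RID>.
# Well-known SIDs such as S-1-5-18 (LocalSystem) are valid SIDs but not AD users.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")
DN_RE = re.compile(r"^\s*(?:CN|OU|DC)=", re.IGNORECASE)


def is_domain_sid(value):
    return bool(DOMAIN_SID_RE.match(value or ""))


def looks_like_dn(value):
    return bool(DN_RE.match(value or ""))


def reconcile(forms_rows, lfds_rows):
    """Compare the domain-SID sets from Forms and LFDS and flag suspicious rows."""
    forms = {r["sid"]: r["user_name"] for r in forms_rows if is_domain_sid(r["sid"])}
    lfds = {r["sid"]: r["username"] for r in lfds_rows if is_domain_sid(r["sid"])}
    return {
        "matched": sorted(set(forms) & set(lfds)),
        "only_in_forms": sorted(set(forms) - set(lfds)),  # Forms user with no LFDS entry
        "only_in_lfds": sorted(set(lfds) - set(forms)),
        "no_domain_sid": sorted(r["user_name"] for r in forms_rows
                                if not is_domain_sid(r["sid"])),
        "dn_usernames": sorted(n for n in lfds.values() if looks_like_dn(n)),
    }


if __name__ == "__main__":
    for key, val in reconcile(FORMS_CF_USERS, LFDS_EXPORT).items():
        print(f"{key}: {val}")
```

Any SID listed under `only_in_forms` is a Forms user who would not be able to authenticate through LFDS, and any entry under `dn_usernames` is a candidate for the distinguished-name problem reported later in this thread.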
replied on August 24, 2021

Still stuck trying to get LDAP connected with LFDS right now.

0 0
replied on August 26, 2021

We are hooked up now and I confirmed the SIDs in the Forms database match the export from DS.

Once I switch over to DS auth, do I delete the existing LDAP server profile in Admin Console?

We still have to add user accounts in Admin Console all the same even with DS Auth (You basically have to add users in 2 different places), so I am wondering if I still need it in both places.

0 0
replied on August 27, 2021

You will need users in both LFDS and LFS when using AD or LDAP accounts.

Before going further, I have some clarifying questions about the system.

  1. Were all of the AD users added directly into Forms, or were they doing all of their authentication via LFS?
    1. If they used LFS auth for all of these users, were they stored as LDAP users in LFS or as Active Directory users?
  2. What types of users are present in LFS that are not explicitly added to Forms? Some AD, some LDAP, both, neither?
0 0
replied on August 28, 2021

All users were added to LFS via LDAP only, since the server is hosted off site.

No users were added directly to Forms (the only way I know to do this is using participant licenses).

LFS only has LDAP users and service accounts (i.e. Admin, Workflow, Forms).

So I will not remove the LDAP server configuration in Administration Console.

0 0
replied on August 28, 2021

Just tried it and the users cannot log in. Forms shows their account but they cannot log in.

In DS the username field is showing the syntax for their Distinguished Name. This is not good, it should be showing their proper username which is displayed correctly in the Administration Console.

At the top of this screenshot is their username and distinguished name from Administration console, however in DS the distinguished name syntax was pulled into the username field.

Both Admin console and DS are hooked up to the exact same server, why would one pull a corrupted username and the other not?

I backed up the RDS server before running this, but still baffled as to why I can not switch back? I must recover the entire RDS server now because of this and the customer will not be able to use these new licenses.

0 0