
Question

Rio with LFDS on 2 domains without a trust

asked on September 14, 2021

Ok gang. Here is the scenario.

These are separate branches of the same company. They have separate domains, DCs and users.

Let's call them BranchA and BranchB.

DomainA, DomainB...no trust in place.  They are not subdomains of a common primary domain, they are DomainA.local and DomainB.local with totally separate DCs.

The envisioned scenario is:

They want one LFDS so certain employees could have access to either repository and only tie up 1 license.  I believe I can only achieve this, since there is no domain trust, by using all Laserfiche Users in LFDS, with the understanding that passwords would be different from AD Users.

All other respective LFDS users would only have access to their repository.  We can handle that with rights and privileges in Admin Console for each repo.

So, let's say:

     BranchA\User1 is allowed to access both repos.

     BranchB\User1 is only allowed to access the BranchB repo.


In LFDS:

Create BranchA Organization

     Create BranchA groups and users

Create BranchB Organization

     Create BranchB groups and users

In Admin Console:

BranchA has a repo server on LFS.BranchA.local.

     Under Laserfiche Directory Accounts, we add \BranchA\User1 and set rights and privileges

BranchB has a repo server on LFS.BranchB.local.

     Under Laserfiche Directory Accounts, we add \BranchA\User1 and set rights and privileges

     Under Laserfiche Directory Accounts, we add \BranchB\User1 and set rights and privileges

This is all with the understanding that the LFS.BranchA.local and LFS.BranchB.local servers will both be able to access the LFDS server.

We would use either DNS redirects or HOSTS entries on the LFS servers and the LFDS server so they can resolve the FQDN/IP of the servers on the other domain.


In theory, all of this should work as expected (I think), which brings me to a few questions.

1. Can domain locked licensing work here? These are VMs that we would want to use domain locked licenses on typically, but can LFDS handle 2 different primary domains for authenticating and licensing?

2. Would it matter which domain the Windows LFDS server was bound to?

3. Are there any ports other than TCP 5048, 5049 between each of the LFS servers (and Forms, etc) and the LFDS server that would need to be opened?


Thanks,
Jason

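As an added example that is not part of the original post (and not Laserfiche's own tooling): a PowerShell check run from each LFS server that confirms the cross-domain FQDN resolves through the HOSTS entries or DNS described above and that the two ports named in the question, TCP 5048 and 5049, are reachable on the LFDS server. The host name LFDS.BranchA.local is an assumed placeholder for the scenario, and the port list is only what the question names.

```powershell
# Added example, not from the original post. Run on each LFS server.
# Assumed placeholder: the LFDS server's FQDN in this scenario.
$lfdsHost = 'LFDS.BranchA.local'
# Ports named in the question; the Laserfiche ports whitepaper may list more.
$ports = 5048, 5049

function Test-LfdsReachability {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [int[]]  $Ports
    )

    # Resolve through the OS resolver so that HOSTS entries are honoured,
    # matching the HOSTS-file approach described in the question.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        return [pscustomobject]@{
            HostName    = $HostName
            Resolved    = $false
            Addresses   = @()
            PortResults = @()
        }
    }

    # TCP reachability per port; TcpTestSucceeded is false if a firewall
    # or missing route blocks the connection.
    $portResults = foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $HostName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Open = $r.TcpTestSucceeded }
    }

    [pscustomobject]@{
        HostName    = $HostName
        Resolved    = $true
        Addresses   = $addresses
        PortResults = $portResults
    }
}

$result = Test-LfdsReachability -HostName $lfdsHost -Ports $ports
$result | Format-List HostName, Resolved, Addresses
$result.PortResults | Format-Table -AutoSize
```

A green result here only shows that name resolution and the listed TCP ports work across the two domains; it says nothing about whether LFS can authenticate to LFDS, which depends on the Windows authentication and domain trust discussed in the reply below.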

Replies

replied on September 15, 2021

Hi Jason,

Firstly, I must point out that LFS needs to be on a domain with trust to the LFDS domain. This is because LFS uses Windows authentication in order to communicate with LFDS. So the plan of having a repo on an untrusted domain (with relation to LFDS) will not work.

Second, if the above issue is addressed, there are more options than just using Laserfiche Users for user authentication such as SAML authentication or adding the untrusted domain as an LDAP identity provider.

With regards to your questions:

  1. Domain locked licensing can be used (if the licensing team is willing to issue a license including both domains) but this is not needed for authentication on two domains. It would simply allow you to license LFDS and/or end applications on either domain without having to use the machines' hardware fingerprints.
  2. Considering both domains have no trust, the system seems symmetrical and it wouldn't matter where LFDS was as long as it can communicate with LFS.
  3. You can refer to our ports whitepaper here: https://support.laserfiche.com/resources/3490/default-network-ports-for-laserfiche-products