It would be great to be able to test the connection with an Identity Provider in LFDS. If a simple Test button could be added to the Identity Provider-> General tab that would be great.
Question
Feature Request: Ability to Test Identity Provider Connection
Replies
There is a test button on the Rules tab
The Test button on the Rules tab is what I use. Not sure offhand if you have to have at least one sync Rule configured for it to actually check the IdP connection.
Yeah, we are not using AD Sync for any of our 10 identity providers.
Looks like the Test button requires "Enable Active Directory synchronization" = "Yes" but you don't actually need any Rules configured. You can toggle it on, select "Test", and toggle it right back off.
That is good to know, thank you for checking on that. Could the Test button be copied over to the General tab so turning on Sync isn't necessary? I wouldn't have thought to go to the Rules tab to test the connection to my IDP.
The "Test" button specifically tests running the group sync rules. This coincidentally involves connecting to the IDP as Step 1. It just doesn't commit the results of the group sync test. That makes it not quite as simple as "copying the button over".
LFDS won't let you add an IDP it can't establish a connection to in the first place though. Try adding a new AD provider with host "example.com" and it'll fail. Is there some specific case you're trying to troubleshoot where an IDP connection test button is more useful than event logs with messages like "LDAP query to $DomainController timed out"?
[Side note: LFDS group sync essentially works by rebuilding the licensing state of all in-scope users in a temp table and after it finishes running through all the rules with no errors, overwrites the current active user table with the contents of the temp table.]
We have Laserfiche users all around the world in various domains. Because of how large we are there are times when we don't know about a merging of a domain or a decommissioning of a domain controller that Directory Server was already configured to use. When we have issues being able to add a new account from one of these IDPs it would be helpful to test if LFDS is able to communicate with it before contacting IT for help. There is also no guarantee that we won't continue to add additional domains from different business acquisitions, etc.
If that's your scenario, I think you might be better off writing a small custom (near-)continuous monitoring utility that proactively alerts you when, say, a DC the server was previously connected to disappears. Having it be continuous and proactive seems useful because if a DC goes offline or an entire domain disappears, that's likely going to affect more than your ability to add a user.
There are definitely third party infrastructure monitoring tools you can configure for specific connectivity checks.
A very simple version could be a PowerShell script running every X minutes as a Windows Scheduled Task. Something like (pseudocode):
$domainHostsAndDCs = "example.com","dc1.example.com","dc2.example.com"
$ldapPort  = 389
$ldapsPort = 636
foreach ($idpEndpoint in $domainHostsAndDCs) {
    # TCP reachability only: success means the port answers, not that an LDAP bind would work
    $ldapTest  = Test-NetConnection -ComputerName $idpEndpoint -Port $ldapPort
    $ldapsTest = Test-NetConnection -ComputerName $idpEndpoint -Port $ldapsPort
    if ($ldapTest.TcpTestSucceeded -ne $true) {
        Write-Host "TCP connection to $idpEndpoint on LDAP port $ldapPort failed"
    }
    if ($ldapsTest.TcpTestSucceeded -ne $true) {
        Write-Host "TCP connection to $idpEndpoint on LDAPS port $ldapsPort failed"
    }
}
Have it send an email alert with any failed results.
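A fuller version of the monitoring idea from the reply above, written here as an added example and not code from the original poster or from Laserfiche. It goes one step past a TCP probe: an open port 389 or 636 only proves something is listening, so the script also performs an anonymous RootDSE read with System.DirectoryServices.Protocols (the .NET LDAP client available in Windows PowerShell), which any working domain controller answers. Hostnames, SMTP server, mailbox addresses and the event source name are placeholders to replace with your own.

```powershell
# Added example: probe each LFDS identity provider endpoint over LDAP and LDAPS,
# then e-mail and event-log any failures. Run it as a Windows Scheduled Task.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$endpoints  = @('dc1.example.com', 'dc2.example.com')   # placeholder DC hostnames
$ports      = @{ LDAP = 389; LDAPS = 636 }
$smtpServer = 'smtp.example.com'                        # placeholder
$mailTo     = 'lfds-admins@example.com'                 # placeholder
$mailFrom   = 'lfds-monitor@example.com'                # placeholder
$eventSrc   = 'LFDS IdP Monitor'                        # placeholder event source

function Test-LdapRootDse {
    param([string]$Server, [int]$Port, [bool]$UseSsl)
    # Base-scope search on the empty DN returns the RootDSE. Every LDAP directory
    # serves it anonymously, so success means the directory service itself is up.
    # Over LDAPS an untrusted or expired certificate also shows up as a failure,
    # which is the behaviour we want for a health check.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.SessionOptions.SecureSocketLayer = $UseSsl
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $conn.Timeout  = [TimeSpan]::FromSeconds(10)
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $null, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            'defaultNamingContext')
        $response = $conn.SendRequest($request)
        return ($response.Entries.Count -gt 0)
    } catch {
        return $false
    } finally {
        $conn.Dispose()
    }
}

function Get-IdpConnectivityFailures {
    param([string[]]$Servers, [hashtable]$PortMap)
    $failures = @()
    foreach ($server in $Servers) {
        foreach ($name in $PortMap.Keys) {
            $port = $PortMap[$name]
            # Step 1: TCP reachability, same check as the original pseudocode
            $tcp = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
            if (-not $tcp.TcpTestSucceeded) {
                $failures += "TCP connection to ${server}:${port} ($name) failed"
                continue   # an LDAP read cannot succeed if the port is closed
            }
            # Step 2: the directory actually answers an LDAP request on that port
            if (-not (Test-LdapRootDse -Server $server -Port $port -UseSsl ($name -eq 'LDAPS'))) {
                $failures += "$name RootDSE read from ${server}:${port} failed"
            }
        }
    }
    return $failures
}

$failures = Get-IdpConnectivityFailures -Servers $endpoints -PortMap $ports
if ($failures.Count -gt 0) {
    $body = "LFDS identity provider connectivity check found problems:`n`n" + ($failures -join "`n")
    Send-MailMessage -SmtpServer $smtpServer -To $mailTo -From $mailFrom `
        -Subject 'LFDS IdP connectivity alert' -Body $body
    # Also record it in the Application log so event collection / SIEM picks it up.
    # Registering the source is a one-time, admin-only step.
    if (-not [System.Diagnostics.EventLog]::SourceExists($eventSrc)) {
        New-EventLog -LogName Application -Source $eventSrc
    }
    Write-EventLog -LogName Application -Source $eventSrc -EventId 1001 -EntryType Warning -Message $body
}
```

Schedule it with Task Scheduler every few minutes under an account that can reach the DCs. Because the check runs from the LFDS server itself, a failure here reflects exactly what Directory Server would see when it tries to add a user, rather than what a monitoring host elsewhere on the network sees.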