
Question


Forms DS Authentication does not sync all users unless manually added to a group

asked on January 23, 2023

When you switch to DS Authentication in the forms config it has an extra required step to create a group which permits users to access forms. In the past it would simply sync all full licensed users.

So you must create a DS group with some name, for example Forms Users.

But when you add your AD group to the DS group you must create, like so

It just acts as if they are not a member and full licensed users never have any access to forms. The only way to fix this is for an administrator to manually go to the account generated in DS after AD sync and add them to this DS group.

They forget to do this, open a support ticket stating it is broken, and we need to troubleshoot the entire thing again just to find this configuration is broken.

I think we have had 10 repeat instances now where we get a ticket like this, only to find the same issue every time.

Anyone who has a full license in Laserfiche should have access to Forms, based on the defined access rights for the AD group in the forms administration page. This all works properly before switching to AD Auth where we must create an AD group and AD membership is not accounting for members of a group of that group.


Answer

SELECTED ANSWER
replied on January 23, 2023

Hi Chad,

Depending on your version, this may be the expected behavior. There have been improvements released in the past year or so.

Specifically:

  1. The Forms side may not properly display their licensed status, but users are correctly granted their license on login. Can the users still log in?
  2. Directory Server only provides AD group membership as users log in, not during group sync. This means that you must either use the new Forms features (below) to handle Windows group security that you want to apply in advance, or you must manually add the Windows AD members to a Directory Server group as you described.

As of Forms 11 update 2, there are two enhancements that alleviate security management for Windows users:

  1. Option to allow all users to log in to Forms (on the Forms Configuration Page)
  2. Ability to add Windows groups to Teams in Forms for security management within Forms:

If you have use cases that are not addressed by the recent Forms updates, I'd like to hear about it: this was a pain point for many customers until the changes were released, so I want to make sure we address the majority of scenarios.

replied on January 23, 2023

Regarding #1.

It is very possible that before any new employee ever needs to log in to Forms they are assigned to a task or team beforehand. It is always the administrator reporting that their account is missing as they go to do this step, so I bet the new employee never does log in and allow the account to be created. I didn't realize having them log in would fix this; however, it does not work like this in DS: you can see the account right away after sync, so that is a disjointed experience.

#2. This option to allow everyone might solve the problem as it turns off the need to create a DS group which started the whole issue in the first place. I don't yet have this option as they are on 10.4.5, but I can look into updating them to 11.

As for the access control feature existing at all: if a user does not have a "Basic User" role assigned under Forms Administration, they would not have any access to forms even with a full license. This means you must define access by group within the Forms Administration window regardless, so the idea of requiring access by group in the configurator appears to be a complete duplicate of what is already existing in the administration page. The difference is that the administration page does not have the requirement that they log in first; it shows their account as soon as the sync happens.

Replies

replied on October 19, 2023

Just the idea that it is required that all users log in to Forms prior to team creation and form task assignments has to be one of the silliest things I've heard in recent memory. Literally no other software I use that syncs with AD does things this way, with good reason.
