
Discussion


Possible Bug: LFDS AD Synchronization Rules

posted on November 3

I have been using the same AD groups for all of my LFDS synchronization rules for years. Some of these AD groups contain groups as members, and the LFDS rules used to work for assigning licenses to these sub-group members.

After the most recent update to LFDS, the rules no longer picked up these sub-group members. I was able to work around it by converting the AD group to a dynamic group and adding membership rules to "include group members" for each group instead of just adding the group as a member.

Has anyone else experienced this? Is it a known bug?

replied on November 4

I can reproduce that only if the specified account (specified in the Identity Provider configuration tab) doesn't have permission to access some of the groups.

With an account with proper permissions, LFDS can import nested groups at least 5 levels deep.

Check the log file under "C:\ProgramData\Laserfiche\LFDS\Logs\LFDS.log"

searching for "callerMethod": "GetAllMembers2", identify the problematic groups, and check the permission settings.


And I tested login with the following account:

testaccount -> grouplevel3 -> grouplevel2 -> grouplevel1,

added grouplevel1 to an LFDS group "Forms group",

and on the /LFDSSTS/ClaimsTest page,

it shows all the groups: grouplevel1, grouplevel2, grouplevel3, Forms group, as expected.

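A small triage script for the log check described in the reply above, added here as an example and not part of the original thread or of Laserfiche's tooling. It assumes LFDS.log holds one JSON object per line carrying "callerMethod" plus "level", "group" and "message" fields; that field layout and the sample lines are constructed assumptions, only the "callerMethod": "GetAllMembers2" marker comes from the reply.

```python
import json
import sys
from collections import Counter

MARKER = '"callerMethod": "GetAllMembers2"'
DEFAULT_LOG = r"C:\ProgramData\Laserfiche\LFDS\Logs\LFDS.log"

# Constructed sample log text (not real LFDS output). Field names other
# than callerMethod are assumptions about the log format.
SAMPLE_LOG = """\
{"timestamp": "2023-11-03T08:00:01", "level": "Info", "callerMethod": "GetAllMembers2", "group": "CN=grouplevel1,OU=Groups,DC=example,DC=local", "message": "Enumerated 12 members"}
{"timestamp": "2023-11-03T08:00:02", "level": "Error", "callerMethod": "GetAllMembers2", "group": "CN=grouplevel2,OU=Groups,DC=example,DC=local", "message": "Access is denied"}
{"timestamp": "2023-11-03T08:00:02", "level": "Info", "callerMethod": "ApplySyncRule", "group": "CN=grouplevel2,OU=Groups,DC=example,DC=local", "message": "rule evaluated"}
{"timestamp": "2023-11-03T08:00:03", "level": "Error", "callerMethod": "GetAllMembers2", "group": "CN=grouplevel2,OU=Groups,DC=example,DC=local", "message": "Access is denied"}
garbled line with "callerMethod": "GetAllMembers2" but no valid JSON
"""


def problem_groups(log_text):
    """Count GetAllMembers2 entries at Error/Warning level, keyed by group.

    Lines that mention the marker but fail to parse as JSON are kept under
    "<unparsed>" so a truncated or multi-line entry is not silently dropped.
    """
    hits = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if MARKER not in line:
            continue  # fast path: skip entries from other caller methods
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            hits["<unparsed>"] += 1
            continue
        if entry.get("callerMethod") != "GetAllMembers2":
            continue
        if str(entry.get("level", "")).lower() not in ("error", "warning"):
            continue  # successful enumerations are not interesting here
        hits[entry.get("group", "<unknown>")] += 1
    return dict(hits)


if __name__ == "__main__":
    # Pass a path to scan a real log; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for group, count in sorted(problem_groups(text).items(), key=lambda kv: -kv[1]):
        print(f"{count:4d}  {group}")
```

Groups that surface here are the ones to check for read access by the Identity Provider account; a high count for "<unparsed>" means the log format differs from the assumed one-object-per-line layout.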
replied on November 6

I have doubts that it is a permissions issue as I'm using a service account that hasn't been changed.

I don't recall having issues with adding nested groups to LFDS groups. I was specifically talking about nested groups in synchronization rules — assigning licensing only. My error logs don't go back far enough for me to review any errors that might've occurred since I've already resolved the error state.

replied on November 4

This might be related. We had Forms configured to allow users who are a member of the LFDS group "Forms Users", and the member of that group was an AD group. Suddenly everyone could no longer access Forms, and only if we directly added them to the LFDS group could they access it. Since this caused a major interruption and we did not understand what caused it, we changed Forms to allow everyone access at all times.
