
Question


Directory Server failing to assign licenses on Rules

asked on November 26

I updated LFDS to 12.0.2510.26 last night and I was still able to log in via my AD credentials. Today, I have users who are unable to log in and I found that they don't have licenses assigned and there are an extra 30 available licenses. The AD groups are nested with only the main Full or Participant groups used in the rules. It's inconsistent - there are nested groups where some work and some don't.

  • If I manually assign a license to a user, the license is removed on the next sync.
  • Removing the group assignment, Sync, add the group, and Sync again doesn't help.

Answer

SELECTED ANSWER
replied on December 5

Nested AD security groups seem to have stopped working in LFDS sync rules. I moved all users from the nested groups into the parent groups to repair the licensing issue and reduce the number of rules needed.


Replies

replied on November 26

I'm not sure if you are being affected by the new Active Directory Group Sync option in the latest version of LFDS, but here is an explanation of it from the changelog:

New Active Directory Group Sync option

An alternate AD GS is now available for certain scenarios. Specifically, the new module supports (1) pushes changes from AD GS to the Forms server rather than waiting for the full Forms sync and (2) a different approach to failed user/group sync. This new approach will skip users that fail to sync, which may result in unexpected license assignments or missing licenses but ensures that sync will complete if other users are able to sync without issue, rather than rolling back to the last known good state.

replied on December 1

I'd also recommend checking the Directory Server event logs. The original/default AD GS method is all-or-nothing so if it fails for any reason (e.g., there are 31 users to license and only 30 licenses), there are no changes to license allocation.

replied on December 2

Maybe I need to dig some more, but I haven't seen LFDS additions push to Forms yet. EDIT: I just found the setting to enable the new ADGS. I'll take a look at that.

It looks like this is somehow a nested group issue. I added all the child security groups directly in the listing of rules in LFDS, synced, and every user received their appropriate license. When I disable the child group rules and leave only the parent ones active, the licenses are removed. Some users in the nested groups are licensed, but the vast majority no longer have a license. Before adding the child groups under Rules I removed the parent ones, then placed them at the end of their respective groupings (Child Participants, Parent Participant, Child Full, Parent Full).

With every user properly licensed I still have 9 Full and 5 Participant licenses available, so it shouldn't be a lack of available licenses causing the issue. We've been using the nested group structure for months without any issue until now.

replied on December 9

I checked with our Dev team and they said:

  1. The original AD GS method should not have changed
  2. The new AD GS was tested with nested groups to a depth of 5

Do you experience the issue with the new AD GS?

replied on December 10

I actually think I've been unable to use the new method, unless I misunderstand how it works. When I enable it and perform a sync it keeps running for 10+ minutes, compared to under 30 seconds with it disabled. Restart the service, disable that setting, and sync is back to normal.

I thought the main change was that as a user is changed in LFDS, it's also changed in Forms instead of requiring a separate sync. Does it also do a constant poll of AD looking for changes instead of on the selected time interval?