
Question

I am trying to set up Active Directory Sync but it's not working.

asked on June 7, 2016

I am using Laserfiche 10 with Directory Server and I have set up a server for Identity Provider and I have added an AD group to get all the users licensed.  I set the Active Directory Sync Poll Interval to 1 hour.  We have made changes to the group (more than an hour ago) and I am not seeing the changes to the group.  Is there something else I need to do/change?  I also noticed if I look at the individual users they are set to be "Exempt from the sync rules" - which seems to be the default - is that right?

 

Thanks for your help.

Sandy

0 0

Replies

replied on June 7, 2016

Any users manually added to LFDS will default to "Exempt" on the principle that if you added them by hand they're somehow special (because if they weren't you'd let the AD Sync deal with adding them and their licenses).

You can uncheck the box and the next sync will process them according to the rules. You can also test the sync by triggering it manually from the Identity Providers page.

0 0
replied on June 7, 2016

Thanks, Miruna - I will try the manual sync tomorrow.  There is one AD group that contains all of the users for LF.  I added this group which created all the individual users which had the Exempt checked - I didn't add any of the users manually.  Unless I did something else wrong.  Is there an easy way to delete all the users and start again?  Otherwise I'll have to edit 85 users to un-check the exempt.

Thanks,
Sandy

0 0
replied on June 8, 2016

Good morning Miruna,  I did figure out how to affect multiple users at a time and was able to turn off Exempt from all users.  I manually ran the sync but didn't see a change.  Customer is verifying now if the changes to the group were actually made.  As long as you think I did everything correctly with regard to adding the group.  I think I should be set.  As always thanks for your help.

Sandy

0 0
replied on June 8, 2016

No problem. One thing to keep in mind is that the rules are cumulative and processed from the top to the bottom.

0 0
replied on June 8, 2016

I ended up deleting all the users then registering the AD group.  The user list was different - not sure why manually running the sync didn't work.  Just to confirm if someone is removed from the AD group they will be removed from Laserfiche at the next sync, correct?

Thanks

Sandy

0 0
replied on June 8, 2016

At this time, users deleted from AD are not removed from LFDS, though their license is unassigned.

1 0
replied on June 9, 2016

Got it thanks!

0 0
replied on October 18, 2019

Hi, Miruna

Does the "users deleted from AD are not removed from LFDS, though their license is unassigned" situation you outline above still exist or has it been addressed with a more recent version of LFDS?

Thank you!

Rob

1 0
replied on October 22, 2019

I would also like to know if this is still the case.

0 0
replied on October 22, 2019

As of 10.3.1, there is an option under the settings page to change the behavior for deleted users:

When this setting is "Yes", users deleted in Active Directory will be removed from LFDS on the next sync.

 

A note about the setting below that:

This controls whether or not users in the AD Tombstone (sort of like the AD recycle bin) are counted as "deleted" for the purposes of removing users from LFDS. 

  • When the tombstone setting is off, user deletion in LFDS is delayed by the AD tombstone lifetime (60 or 180 days by default).
  • When the tombstone setting is on, users deleted in AD are deleted in LFDS the next time sync occurs.

 

Finally, note that this setting only applies to deleting users in LFDS --- this means that licenses are freed up upon user deletion in AD regardless of whether you want to take the cautionary step of waiting for the user to be fully deleted from AD.

1 0
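The tombstone timing described in the reply above can be checked from the AD side. The following is an added example, not part of the original thread and not Laserfiche code: it estimates, for each deleted AD user, the earliest date the tombstone is purged, which is when LFDS would delete the user if the tombstone setting is off. The function names and sample accounts are hypothetical, and the estimate assumes the AD Recycle Bin is not enabled.

```powershell
# Added example (not Laserfiche code). The ActiveDirectory module (RSAT) is only
# needed for the live query; the calculation itself runs offline on sample data.

function Get-TombstoneExpiry {
    # Estimate when each deleted user's tombstone is purged, i.e. the earliest
    # point at which LFDS would delete the user with the tombstone setting off.
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()]
        [object[]] $DeletedUsers,            # objects with sAMAccountName, whenChanged
        [int] $TombstoneLifetimeDays = 60    # value AD uses when the attribute is unset
    )
    foreach ($u in $DeletedUsers) {
        # whenChanged on a tombstone approximates the deletion time.
        $deleted = [datetime]$u.whenChanged
        $purge   = $deleted.AddDays($TombstoneLifetimeDays)
        [pscustomobject]@{
            Account       = $u.sAMAccountName
            DeletedOn     = $deleted
            PurgedAfter   = $purge
            DaysRemaining = [math]::Max(0, [math]::Ceiling(($purge - (Get-Date)).TotalDays))
        }
    }
}

function Get-DeletedAdUsers {
    # Live query: read tombstoneLifetime from the configuration partition, then
    # list deleted user objects (computers also carry objectClass=user).
    Import-Module ActiveDirectory
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $ds   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                -Properties tombstoneLifetime
    $days = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    $users = Get-ADObject -IncludeDeletedObjects -Properties sAMAccountName, whenChanged `
                -Filter 'isDeleted -eq $true -and objectClass -eq "user" -and objectClass -ne "computer"'
    Get-TombstoneExpiry -DeletedUsers @($users) -TombstoneLifetimeDays $days
}

# Constructed sample records so the calculation can be checked without a domain.
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe';   whenChanged = (Get-Date).AddDays(-10) }
    [pscustomobject]@{ sAMAccountName = 'asmith'; whenChanged = (Get-Date).AddDays(-200) }
)
Get-TombstoneExpiry -DeletedUsers $sample -TombstoneLifetimeDays 180 | Format-Table -AutoSize
# On a domain-joined admin host, run instead:  Get-DeletedAdUsers | Format-Table -AutoSize
```

Accounts with a large DaysRemaining are the ones that linger in LFDS when the tombstone setting is off, even though their license has already been freed.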
replied on October 23, 2019

Would you please update the help files to reflect this information?

1 0
replied on October 29, 2019

Hi, Brianna

Thank you for the detailed reply! I have sent an update to the customer who asked about this.

Rob

0 0
replied on October 29, 2019

Glad it was helpful!

Drew, I have filed a change request (reference #203532) to get the help files on AD group sync updated with this information.

0 0
replied on July 18, 2016

Miruna,  I have had a similar issue where adding users in Active Directory doesn't sync them over in the expected interval.  I did try manually syncing them and I got a synchronization failed after the initial synchronization started message.  Thoughts?

What is the current version of Directory Server?  We are on 10.0.0.222

0 0
replied on July 18, 2016

Please have your reseller open a support case and attach the event logs.

0 0