Note: This applies to customers that move to a new Domain. DocuShare users that previously authenticated to the old Domain or AD server are no longer able to authenticate because all the users on the network were moved to the new domain.
Note: This solution does not transfer/move the LDAP Groups to the new Domain.
Note: See How To Move All Groups to A New Domain in the Knowledge Base for moving the groups.
Solution
To move all users to a new domain:
1. Backup DocuShare documents and database.
Note: Search for How To Backup DocuShare in the Knowledge Base for detailed information on how to back up DocuShare.
2. Add the new Domain.
To add the new domain:
a. From Admin Home, click the [+] symbol next to Account Management.
b. Click the Domains link. The Domains page displays.
c. In the Domain Name field of the Add column, enter the name of the external domain as it exists on the LDAP server.
d. In the Authentication and Directory Services field, select LDAP, LDAP.
e. In the Relative Authentication Locator field, enter one or more attribute pairs to define the path to the LDAP directory that contains the user and group accounts. Example: cn=users, dc=marketing, dc=california, dc=acme, dc=com
f. In the Relative Directory Service Locator field, enter the same values as in the Relative Authentication Locator field.
Note: If users are scattered across several containers, use the most common parent, for example dc=california, dc=acme, dc=com, and enable the subtree search functionality.
Note: The LDAP Server Info box is used only when a separate LDAP server that is not part of the current LDAP configuration is to be used.
Note: DocuShare supports only LDAP for authentication and directory services, therefore the values of the two fields are the same.
g. Click Add to add this external domain to your local login menu.
Note: If you were to run List Users or List Groups on this domain, the domain would be empty. You will need to populate the new external domain with the user and group accounts. These accounts must already exist on the LDAP Server; you cannot use DocuShare to create new accounts on the LDAP server.
3. Make any changes necessary in the LDAP Configuration Page.
To verify the settings or make changes to the LDAP Configuration Page:
a. Log into DocuShare as admin.
b. Click the Admin Home link on the navigation bar.
c. Click the [+] symbol next to Account Management.
d. Click the [+] symbol next to LDAP Accounts.
e. Click the Configuration link. The Configuration page displays.
f. In the Host(s) field, enter either the Host Name, IP Address or the DNS name of your LDAP/Active Directory Server.
Note: A Fully Qualified Domain Name (FQDN) is preferred, but an IP address will do if an FQDN is not available.
Note: If applicable, separate multiple LDAP server entries with a space. Defining multiple host names is for redundancy only; every LDAP host listed must have an identical DIT.
g. In the Port field, enter the port number that is used by the LDAP server, if the number is not the default port 389.
h. If applicable, select Use SSL and, in the SSL field, enter the port number you want to use for the SSL connection if it is not the default port 636.
Note: If SSL is to be used, the server certificate must be added to the dstruststore using keytool.
i. In the DIT Root field, enter the Directory Information Tree (DIT) root for the namespace that you created on your LDAP server. Example: dc=California, dc=acme, dc=com
j. From the Server Type menu, select Active Directory or SunOne/iPlanet/NDS Directory.
k. The User RDN Key field will be automatically pre-filled with cn or uid depending on the Server Type selected in the previous step.
Note: If you require cn as the User RDN Key when SunOne/iPlanet/NDS Directory is selected, you must manually enter cn= in the field. If the = sign is missing, the setting will not stick.
l. In the System Agent field, select Agent.
Note: Most Active Directory servers require either an Agent or a Service account login.
m. In the DN field, enter the distinguished name of the agent account. Example: cn=dsagent, cn=users, dc=marketing, dc=california, dc=acme, dc=com
n. In the Password field, enter the password for the agent account that you entered in the DN field.
o. Click the Apply button to save the information you entered in the LDAP Configuration page.
Note: If you proceed to the next step (testing the LDAP connection) without applying the changes, and you have SunOne/iPlanet/NDS Directory selected with cn= as the RDN key, the selection will not be saved properly; it will revert to uid.
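Before the old Domain is deleted in step 5, it is worth confirming that the values typed into the Domains page (step 2) and the LDAP Configuration page (step 3) agree with each other, since a mistyped locator or a User RDN Key without its = sign only shows up when users can no longer log in. The script below is an added example, not DocuShare code. It uses the locator, DIT Root, User RDN Key and agent DN values from this article; the host name is a constructed placeholder. It checks that every locator is a list of attribute=value pairs, that the two relative locators match, that the locators and the agent DN sit under the DIT Root (compared case-insensitively, as LDAP does for dc and cn values), and that the User RDN Key is cn= or uid=.

```python
"""Pre-flight consistency checks for a DocuShare LDAP domain configuration.

Added example, not DocuShare code. Validates the field values from the
Domains and LDAP Configuration pages before the old domain is deleted.
"""
import re

# One RDN: attribute type, '=', non-empty value (no escaped commas handled here)
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")


def parse_dn(dn):
    """Split 'cn=users, dc=acme, dc=com' into [(type, value), ...].

    Types and values are lower-cased so that the article's
    'dc=California' and 'dc=california' compare equal.
    """
    rdns = []
    for part in dn.split(","):
        if not part.strip():
            raise ValueError("empty RDN in %r" % dn)
        m = _RDN.match(part)
        if not m:
            raise ValueError("RDN %r is not attribute=value" % part.strip())
        rdns.append((m.group(1).lower(), m.group(2).lower()))
    return rdns


def is_under(dn, root):
    """True if dn lies in root's subtree, i.e. its trailing RDNs equal root."""
    d, r = parse_dn(dn), parse_dn(root)
    return len(d) >= len(r) and d[-len(r):] == r


def check_rdn_key(key):
    """The User RDN Key must be 'cn=' or 'uid='; the '=' is required."""
    return key.strip().lower() in ("cn=", "uid=")


def check_domain_config(cfg):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for field in ("auth_locator", "dir_locator", "agent_dn", "dit_root"):
        try:
            parse_dn(cfg[field])
        except ValueError as e:
            problems.append("%s: %s" % (field, e))
    if problems:
        return problems  # no point comparing DNs that do not parse
    if parse_dn(cfg["auth_locator"]) != parse_dn(cfg["dir_locator"]):
        problems.append("Relative Authentication and Directory Service Locators differ")
    for field in ("auth_locator", "agent_dn"):
        if not is_under(cfg[field], cfg["dit_root"]):
            problems.append("%s is outside DIT Root %s" % (field, cfg["dit_root"]))
    if not check_rdn_key(cfg["user_rdn_key"]):
        problems.append("User RDN Key %r must be cn= or uid=" % cfg["user_rdn_key"])
    if not cfg["hosts"].split():
        problems.append("Host(s) field is empty")
    if not cfg["use_ssl"]:
        # The agent bind sends the agent password; without SSL it crosses the network in clear text.
        problems.append("SSL is not enabled; the agent password is sent unencrypted")
    return problems


# Values from the article; the host name is a constructed placeholder.
NEW_DOMAIN = {
    "hosts": "ldap.california.acme.example",
    "port": 389,
    "use_ssl": True,
    "ssl_port": 636,
    "dit_root": "dc=California, dc=acme, dc=com",
    "auth_locator": "cn=users, dc=marketing, dc=california, dc=acme, dc=com",
    "dir_locator": "cn=users, dc=marketing, dc=california, dc=acme, dc=com",
    "user_rdn_key": "cn=",
    "agent_dn": "cn=dsagent, cn=users, dc=marketing, dc=california, dc=acme, dc=com",
}

if __name__ == "__main__":
    for line in check_domain_config(NEW_DOMAIN) or ["configuration is consistent"]:
        print(line)
```

Run it with the values you are about to enter; an empty result means the locators, DIT Root and agent DN describe one consistent tree, so the List Users test in step 4 can fail only for reasons on the server side (bind credentials, certificate, firewall), not because of a typo in the pages.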
4. TEST ONLY - this does not add the user if you cancel. Test the new Domain by adding an LDAP user: click the GO button to see whether the new user appears in the list of users to add, then click the Cancel button.
Note: Do not add the user.
5. Once tested, go back to Domains and select Delete on the old Domain. The admin is prompted to transfer users and groups to the other Domain(s).
6. Select the new Domain. All users from the deleted Domain will be moved to the selected Domain.
7. Test logging in with an LDAP user.
Note: If LDAP Groups are used to assign permissions to an object, users who are members of that group lose access to the object after the migration. To transfer/move the LDAP Groups to the new Domain, contact DocuShare Support.
Solution Updated: November 26th, 2012
Solution ID: 797