
When using multiple domains, how do we get users into the necessary groups?

Chris_Bennett
Confirmed Champ

We are adding a domain to our Perceptive Content environment as we are adding documents from a different campus that has its own active directory.  After much trial and error, I have finally gotten users from both domains to be able to authenticate and have a second replication agent set up that will work for the second domain.

Apparently, the only way multiple domains will work is if you have a group designated for users from each domain (we are going to call these groups our global groups).  This makes more sense than listing out in the inow.ini all of the groups from each domain.  The problem we have now is how to get all of the existing users into the global group we have created for the current domain, and how to add new users to the correct group as they are added to the system.

 

My thoughts are to:

1. Do a one time query to the database to add all existing users to the first global group.

2. Have an iScript that runs on a schedule that will add new users to one of the global groups based upon their other group memberships as they are added by the two replication agents.

 

My questions for the hive mind are:

1. Does this sound reasonable?

2. Are either or both of these steps possible?

3. Are there existing queries or iScripts that do what we want to do?

4. Is anyone already doing this, either this way or a different way, that could share how they are accomplishing this?

5. If not, does this seem like something that can be done by someone with very basic iScript understanding, or would it definitely need paid services from either Hyland or a third party?

 

Thanks!  I hope I explained things in a way that is understandable.  I look forward to seeing what others have or can come up with.

8 REPLIES

BrandonCrespino
Employee

Hi @Chris Bennett - I have a couple of questions. You mention that the only way multiple domains will work is if you have a group designated for users from each domain. Can you explain what you mean by this? When authenticating users we check with the domain (or domains if more than one is specified) and validate that the user can authenticate, and then we check that the username is a valid Perceptive Content user and authorize them for login.

 

Chris_Bennett
Confirmed Champ

I went through quite a few calls with support trying to get the multiple-LDAP setup working, and they kept concentrating on the lack of certs in the cert folder specified in inow, even though we have never had to have a cert in that folder for Perceptive to work.  They eventually told me that they couldn't help because we had a non-standard setup, which I still don't believe.

I read back through the documentation and found the instructions that told me I needed a group for each domain.  Once I set them up and added both to the inow.ini, I was able to authenticate users from either domain.  If I only had one group specified, Perceptive would only try to authenticate users to LDAP, and not even look at LDAP2.

LDAP.ImageNow.Groups=

LDAP2.ImageNow.Groups=

It is like Perceptive looks to see if there are entries on these lines before even considering that the second LDAP setup exists.

I am referencing step 4 in this article: https://community.hyland.com/tskb/000011680-imagenow-how-to-configure-perceptive-content-to-authenti...

BrandonCrespino
Employee

Ah, that makes sense. @Chris Bennett - I was thinking you were referring to Windows domains and using domain authentication. For LDAP auth with multiple directories we can map a user to the directory in two ways. We can use a Perceptive Content group and map users to the different directories based on group membership. We can also map users directly to the directory to use by specifying the users in LDAP.ImageNow.Users with a delimiter separating them.

 

It sounds like you are using User Replication agent. You could leverage User Rep to put users into groups used by LDAP auth. You would have to have a group defined in the LDAP directory that could be used, but that group could then be used to sync with Content via User Rep.

 

We do have scripting methods that could be used to add users to groups too but you would have to be able to identify the users in some way. If you had a list of which users need to be in the certain groups a script could be used to do that.

 

I would recommend looking into User Rep though since it would be close to real time and automatic so that you don't have to run a script against some data that you would have manually create.

Chris_Bennett
Confirmed Champ

We have an odd setup here where group membership is controlled by the owners of the documents.  There are 60 different departments who have groups in PeopleSoft that they add users to; PeopleSoft then replicates that group membership to AD, and replication agent pushes that group membership to PC.  Nobody has access to each other's groups, or to any global groups that we would add.  This keeps us from having to give permissions in AD and Perceptive management consoles to end users.  With this distributed group management, we don't have a way to know when a user is added in order to add them to an AD group and have replication agent handle it.

 

My idea for a workaround for this would be to have a script that somehow identified new users (maybe look for users that aren't in one of the global groups) and then add them to one of the groups based on their other group membership as assigned by the departments.  So, if they are in a group from one of the LDAP2 departments (since they will have a lot fewer groups) add them to that global group.  If they are not in one of those groups, add them to the LDAP group. Then, have that script run on a schedule, like replication agent.

 

We thought about just listing all of the groups on the LDAP.ImageNow.Groups= line, but we have hundreds of groups and thousands of users on the LDAP side.  Currently, there are only several groups on the LDAP2 side, but that list will grow, and every time the department that manages Perceptive added a new group to either, we would have to also add it to the groups list.  That didn't seem efficient. 

 

Can iScripts run queries against the database to identify users and group memberships?  I guess my problem is I don't know what I don't know.
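The classification rule sketched two posts up (users in any LDAP2 department group go to the LDAP2 global group, everyone else goes to the LDAP global group, run on a schedule against users who are not yet in either) can be worked out as a plain JavaScript function before it is wired to anything. The block below is an added example, not code from the thread or from Hyland: it deliberately uses no Perceptive Content iScript API (no INUser/INGroup calls) and no database tables, because the names of those vary by version; it takes a snapshot of user-to-group membership as an object, which you would fill from whatever query or API your environment exposes. The global group names, the LDAP2 department group names and all user data are constructed for the example. It also goes slightly beyond the post's rule: instead of mutating anything, it returns a plan, and it flags two cases the rule alone would hide, a user who is in department groups from both directories, and a user who already sits in the wrong global group. Moving a user between global groups changes which directory authenticates them, so those get reported for review rather than applied automatically.

```javascript
// Added example, plain JavaScript. Hypothetical names for the two global groups
// listed on the LDAP.ImageNow.Groups / LDAP2.ImageNow.Groups lines of inow.ini.
const GLOBAL_GROUPS = { LDAP: "GLOBAL_LDAP", LDAP2: "GLOBAL_LDAP2" };

// Constructed: department groups that belong to the second campus (LDAP2).
// This short list is the only thing that has to be maintained by hand.
const LDAP2_DEPT_GROUPS = new Set(["CampusB_Registrar", "CampusB_FinAid"]);

// Constructed snapshot of membership, user -> Perceptive Content groups, as two
// replication agent runs might leave it. Replace with a real query/API result.
const SAMPLE_MEMBERSHIP = {
  alice: ["HR_Docs", "Finance_AP"],             // LDAP department groups only
  bob:   ["CampusB_Registrar"],                 // LDAP2 department group only
  carol: ["HR_Docs", "GLOBAL_LDAP"],            // already placed correctly
  dave:  ["HR_Docs", "CampusB_FinAid"],         // groups from both directories
  erin:  [],                                    // no department group yet
  frank: ["CampusB_Registrar", "GLOBAL_LDAP"],  // placed in the wrong global group
};

// Apply the rule from the post: any LDAP2 department group wins, everything
// else (including a user with no department group at all) falls through to LDAP.
// Global groups themselves are ignored when deciding, only department groups count.
function classify(groups, ldap2Groups) {
  const globals = new Set(Object.values(GLOBAL_GROUPS));
  const dept = groups.filter((g) => !globals.has(g));
  const fromLdap2 = dept.filter((g) => ldap2Groups.has(g));
  const fromLdap = dept.filter((g) => !ldap2Groups.has(g));
  return {
    target: fromLdap2.length > 0 ? GLOBAL_GROUPS.LDAP2 : GLOBAL_GROUPS.LDAP,
    conflict: fromLdap2.length > 0 && fromLdap.length > 0,
  };
}

// Build a plan instead of changing membership directly. A scheduled job can
// apply `add` and log `review`; nothing in `review` is touched, because moving a
// user between global groups changes which directory authenticates them.
function buildPlan(membership, ldap2Groups) {
  const globals = new Set(Object.values(GLOBAL_GROUPS));
  const plan = { add: [], review: [], unchanged: [] };
  for (const [user, groups] of Object.entries(membership)) {
    const { target, conflict } = classify(groups, ldap2Groups);
    const current = groups.filter((g) => globals.has(g));
    if (current.length === 0) {
      // New user: not yet in any global group, so add them per the rule.
      plan.add.push({ user, group: target });
      if (conflict) {
        plan.review.push({ user, reason: "member of department groups from both directories" });
      }
    } else if (current.length === 1 && current[0] === target && !conflict) {
      plan.unchanged.push(user);
    } else {
      // Already placed, but placement disagrees with the rule (or is ambiguous).
      const reason = conflict
        ? "member of department groups from both directories"
        : `in ${current.join(",")} but department groups point to ${target}`;
      plan.review.push({ user, reason });
    }
  }
  return plan;
}

// Stand-alone run: print the plan for the constructed snapshot.
console.log(JSON.stringify(buildPlan(SAMPLE_MEMBERSHIP, LDAP2_DEPT_GROUPS), null, 2));
```

Whatever reads the snapshot (an iScript over the user and group objects, or a SQL query against the Perceptive Content database) only has to produce the user-to-groups object; the `add` list is then the set of membership changes to apply on each scheduled run, and the `review` list is what to surface to the department that owns the user, since the script has no way to decide those cases on its own.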