LDAP to ADFS migration

If you are upgrading from a server version older than 10.24, you will need to reconfigure and migrate your Active Directory configuration from the old setup, which used LDAP, to the new one, which uses Active Directory Federation Services (ADFS) and OpenID Connect (OIDC).

Migration overview

  1. Configure for Active Directory authentication using the instructions in AD Setup, but skip configuring any AdfsGroupClaims on sites, user profiles or groups.
  2. Use the provided Ldap2Adfs utility to quickly configure the AdfsGroupClaims based on the existing LDAP Name configurations. It must be executed by a user who has access to your Active Directory.

Using the Ldap2Adfs utility

warning

Running Ldap2Adfs will modify your database. Only proceed if you know what you are doing and want to update the adfsGroupClaim values based on previously configured LDAP names.

  1. Open a command prompt on your Smartsign server

  2. Change directory to the tools folder inside the Smartsign Server 10 folder. The default location is C:\Program Files\Smartsign Server 10\tools.

  3. Run Ldap2Adfs. Optional parameters are:

    • -ADBaseDN="dc=example,dc=com": Specify a base DN if you used one in your existing LDAP configuration.
    • -useSID: Use the AD group SID instead of the name to identify groups.
  4. Ldap2Adfs will perform the following:

    • Open the database
    • Find all sites, user profiles and groups with configured LDAP Names
    • Look up the group in Active Directory using the LDAP Name. If it is not found using the full path (LDAP Name + ADBaseDN), it will try to find it with just the name (CN).
    • If the LDAP Name is found, configure the corresponding AdfsGroupClaim for each resource.

tip
  • You can run Ldap2Adfs more than once. It will overwrite the configured AdfsGroupClaim each time.
  • It will only modify the AdfsGroupClaim for resources with a configured LDAP Name
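Because Ldap2Adfs writes to the database, it helps to check beforehand that every configured LDAP Name actually resolves. The following PowerShell function is an added example, not part of the Smartsign documentation or the Ldap2Adfs tool: it mirrors the lookup order described above (full path first, then CN only) and reports the name or SID that would become the claim value, without touching anything. It assumes the RSAT ActiveDirectory module is installed and that LDAP Names have the form "CN=...,OU=..." relative to the base DN; the group names and base DN in the sample call are constructed.

```powershell
# Added example (not from the Smartsign documentation): dry-run preview of how
# each Smartsign "LDAP Name" would resolve in Active Directory. Read-only.
Import-Module ActiveDirectory

function Resolve-LdapNameToClaim {
    param(
        [Parameter(Mandatory)][string]$LdapName,   # e.g. "CN=Signage Editors,OU=Groups" (assumed format)
        [string]$ADBaseDN = "",                    # same value you would pass as -ADBaseDN
        [switch]$UseSID                            # same meaning as Ldap2Adfs -useSID
    )
    $group = $null

    # 1) Full path: LDAP Name + base DN
    if ($ADBaseDN) {
        $dn = "$LdapName,$ADBaseDN"
        try { $group = Get-ADGroup -Identity $dn -ErrorAction Stop } catch { $group = $null }
    }

    # 2) Fallback: the CN alone. Single quotes are doubled so a name cannot break the filter.
    if (-not $group) {
        $cn = (($LdapName -split ',')[0] -replace '^CN=', '') -replace "'", "''"
        $group = Get-ADGroup -Filter "Name -eq '$cn'" -ErrorAction SilentlyContinue |
                 Select-Object -First 1
    }

    if (-not $group) {
        return [pscustomobject]@{ LdapName = $LdapName; Claim = $null; Status = 'NOT FOUND' }
    }

    # A SID stays stable if the group is later renamed; a name does not.
    $claim = if ($UseSID) { $group.SID.Value } else { $group.Name }
    [pscustomobject]@{ LdapName = $LdapName; Claim = $claim; Status = 'OK' }
}

# Constructed sample values; replace with the LDAP Names from your Smartsign configuration.
'CN=Signage Editors,OU=Groups', 'CN=Site Admins,OU=Groups' |
    ForEach-Object { Resolve-LdapNameToClaim -LdapName $_ -ADBaseDN 'dc=example,dc=com' -UseSID } |
    Format-Table -AutoSize
```

Any row reporting NOT FOUND will be left unchanged by Ldap2Adfs, so fix those LDAP Names (or the base DN) before running the real migration.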