Windows and LDAP Authentication
Note: LDAP accounts are supported for Laserfiche Rio and Laserfiche Avante installations only. Windows accounts may be used with any Laserfiche edition.
First, you will need to add the Windows domain or LDAP directory group to Laserfiche, as described in the Windows Accounts and LDAP Accounts topics. Once the group has been added, it can be opened and modified like any other Laserfiche user or group. You can set rights on the group, grant security tags, and configure auditing in the group's Properties dialog, just as you would for a Laserfiche user or group. Additionally, you can add a Windows domain or LDAP directory group to a Laserfiche group, and the domain or directory group will inherit security from the Laserfiche group to which it belongs.
Tip: Keep in mind that when properly configured, Laserfiche security will rarely need to be modified to account for personnel changes in your organization.
Windows and LDAP users and groups' authentication statuses
When you add Windows or LDAP users and groups to Laserfiche, you can specify their authentication status: Trusted, Denied, or Inherited. You can also change a user's authentication status later by opening the user's properties in the desktop Administration Console or the web client management page. To allow the users in a Windows or LDAP group access to the repository, make sure the group is added as a Trusted account or inherits Trusted status from another group of which it is a member. This allows all users in that group to log in to the repository. Note that a user's own Trusted or Denied status always takes precedence over the status of the groups to which the user belongs: a user who has been given the Denied status will not be able to log in even if his or her group is given the Trusted status. You can use this to deny access to one or more members of a group while allowing the rest of the group to log in.
- Trusted authentication means that the user will be able to log in to the repository. This does not imply any access to the contents of the repository: if the user has no other rights, they will be able to open the repository, but will see no entries or information. Note that, if the user belongs to a group that has been denied authentication, they will not be able to log in regardless of this setting.
- Denied authentication means that the user will not be able to log in to the repository. Even if the user belongs to a group that has been granted trusted authentication, they will be prevented from logging in.
- Inherited authentication means that the user will inherit authentication status from the Windows or LDAP group or groups to which they belong. If at least one group that the user belongs to has been granted Trusted authentication, and no groups have been denied authentication, the user will be able to log in. If one or more groups that the user belongs to have been denied authentication, the user will also be denied. If the user does not belong to any groups that have been trusted or denied, they will not be allowed to log in; at least one trusted authentication is necessary.
You can also configure authentication on the Everyone group. These settings will be inherited by every Windows or LDAP user or group added to the repository. The Everyone group's default authentication status is Not Set, which means that no authentication status will be inherited from Everyone by Windows and LDAP users and groups in the repository. If you set authentication for Everyone to Trusted, all Windows or LDAP accounts on the domain or directory server will be able to log in, unless they or their parent groups are explicitly denied authentication. If you set authentication for Everyone to Denied, no Windows accounts will be able to log in, even if they have been specifically granted trusted access.
Tip: To quickly allow all Windows users on your domain to log in to your repository, you can set the Everyone group to trusted authentication. You can still prevent specific users and groups from logging in by adding those users and groups to Laserfiche and then setting their authentication to denied.
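The status rules described above (Trusted, Denied, Inherited, and the Everyone group) as a small Python resolver, added here as an illustration and not part of Laserfiche or this documentation. It follows the deny-wins reading the topic gives for Denied groups and for Everyone set to Denied; the Account and Repository classes, the sample directory, and its user and group names are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

TRUSTED, DENIED, INHERITED, NOT_SET = "Trusted", "Denied", "Inherited", "Not Set"


@dataclass
class Account:  # a Windows or LDAP user or group that has been added to Laserfiche
    name: str
    status: str = INHERITED                          # Trusted, Denied or Inherited
    groups: List[str] = field(default_factory=list)  # directory groups it belongs to


@dataclass
class Repository:
    everyone: str = NOT_SET  # the Everyone group: Not Set, Trusted or Denied
    accounts: Dict[str, Account] = field(default_factory=dict)

    def _explicit_statuses(self, name: str, seen: Set[str]) -> List[str]:
        """Trusted/Denied settings on `name` and on every group above it."""
        if name in seen or name not in self.accounts:
            return []  # never added to Laserfiche, or a membership cycle: nothing to inherit
        seen.add(name)
        acct = self.accounts[name]
        found = [] if acct.status == INHERITED else [acct.status]
        for group in acct.groups:
            found += self._explicit_statuses(group, seen)
        return found

    def can_log_in(self, name: str) -> bool:
        """Deny wins at any level, Everyone included; otherwise one Trusted is required."""
        statuses = self._explicit_statuses(name, set()) + [self.everyone]
        return DENIED not in statuses and TRUSTED in statuses


def demo(everyone: str = NOT_SET) -> Dict[str, bool]:
    """Constructed sample directory (not from the page) exercising each rule."""
    accounts = [
        Account("Staff", status=TRUSTED),
        Account("Contractors", status=DENIED),
        Account("Finance", groups=["Staff"]),                     # group inheriting Trusted
        Account("alice", groups=["Finance"]),                     # Inherited -> Trusted via Staff
        Account("bob", status=DENIED, groups=["Staff"]),          # explicit Denied beats Trusted group
        Account("carol", groups=["Staff", "Contractors"]),        # one Denied group blocks login
        Account("dave", status=TRUSTED, groups=["Contractors"]),  # Denied group still blocks
        Account("erin"),                                          # no Trusted or Denied anywhere
    ]
    repo = Repository(everyone, {a.name: a for a in accounts})
    return {n: repo.can_log_in(n) for n in ("alice", "bob", "carol", "dave", "erin")}
```

Calling demo() with the Everyone group left at Not Set, then with TRUSTED and DENIED, shows how the same directory resolves under each of the three Everyone settings from the text.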