AD-auth when moving to a new domain

Hi,

This might have been answered in a previous thread already, but I was not able to find one when searching.

We are currently in the test-phase of migrating our installation (we only use Service) to a new domain internally with new domain users (although they will retain their current usernames).

Because of this the link between our SO and AD-users will break and need to be reestablished, but it doesn't seem to be any quick or easy way to do this other than manually go through each user in Admin and link it to its new AD-user.

If so, this will be extremely cumbersome for us to accomplish as we have around 400 users.

 

I came across this FAQ which explains how the linking is done in the DB:

https://community.superoffice.com/en/search/#/faq/112944

And I am wondering if we simply can update the SID for each SO-user directly in the DB by following step 4 and 5 at the bottom?

Will SO/Service "understand" this?

If so, are there any other fields or values in the DB we need to update at the same time? For example in the Credentials-table?

 

Any help is greatly appreciated!

Thanks!

RE: AD-auth when moving to a new domain

Any input here?

We would really like to avoid manually remapping each user.

Av: Markus Moripen 3. nov 2020

RE: AD-auth when moving to a new domain

Hi Markus,

Dont think you are able to update this in database as you have some encryptedChecks you cannot reproduce.

But if you are onsite you should be able to use API to remap users, you can find some inspiration on this topic. For online access to UserAgent is restricted. 

Av: Michel Krohn-Dale 6. nov 2020

RE: AD-auth when moving to a new domain

Hello,

Note that you can use the UserAgent in CRMScript, Both Online and OnSite. I would suggest you export from AD a file containing the email address and AD SID. Then load this into CRMScript and remap the users.

Example script:

NSUserAgent userAgent;

// get active directory credential mapping by getting all credential types and finding the ActiveDirectory one
NSCredentialType[] credentialTypes = userAgent.GetCredentialTypes();

NSCredentialType activeDirectoryCredentialType;

for (Integer i; i < credentialTypes.length(); i++)
{
		NSCredentialType credentialType = credentialTypes[i];

		// if not AD credential type, add back to credentials array
		if (credentialType.GetType().equalsIgnoreCase("ActiveDirectory") == true)
		{
				activeDirectoryCredentialType = credentialType;
				break;
		}
}

// mapping for user - AD Sid, using email address as key
Struct NewUserMapping 
{
	String email;
   	String ADSid;
};

// all mappings
NewUserMapping[] userMappings;

// read mappings from some file, like csv


// manual mappings to demonstrate
NewUserMapping userMapping;

userMapping.email = "dummy@dummy.nl";
userMapping.ADSid = "1-2-3-4";

userMappings.pushBack(userMapping);


// get SID based on email
String getSidForEmail(String email)
{
    for (Integer i; i < userMappings.length(); i++)
    {
        NewUserMapping userMapping = userMappings[i];

      	if (userMapping.email.equalsIgnoreCase(email) == true)
        {
             return userMapping.ADSid;
        }
    }	
  
    return "";
}

// get all non retired associates
SearchEngine seAssociates;
seAssociates.addField("associate.associate_id");

// not retired
seAssociates.addCriteria("associate.deleted", "OperatorEquals", "0");

// employee
seAssociates.addCriteria("associate.type", "OperatorEquals", "0");

seAssociates.addCriteria("associate.person_id", "OperatorGt", "0");

for (seAssociates.execute(); !seAssociates.eof(); seAssociates.next())
{	
    Integer associateId = seAssociates.getField("associate.associate_id").toInteger();
  
    NSUser user = userAgent.GetUser(associateId);
	
    printLine("Processing user '" + user.GetUserName() + "'");
  
    // new credentials array, empty, so will remove the existing ones
    NSCredential[] newCredentials;
  
  
    NSPerson userPerson = user.GetPerson();
    String userEmail = userPerson.GetEmail();
  
    if (userEmail.isEmpty() == true || userEmail.isNull() == true)
    {
      	printLine("User does not have an email address, skip");
      	continue;
    }
  
    String userADSid = getSidForEmail(userEmail);
  
    if (userADSid.isEmpty() == true || userADSid.isNull() == true)
    {
      	printLine("Could not find SID for user with email '" + userEmail + "'");
        continue;
    }
  
    NSCredential newADCredential;
  
    newADCredential.SetType(activeDirectoryCredentialType);
    newADCredential.SetValue(userADSid);
    newADCredential.SetDisplayValue(userEmail);
  
    newCredentials.pushBack(newADCredential);

    user.SetCredentials(newCredentials);
    
    // NOTE: CREATE A BACKUP BEFORE YOU RUN THIS!!!
    //user = userAgent.SaveUser(user);

    printLine("Set new AD credential for user '" + user.GetUserName() + "'");
}
Av: David Hollegien 6. nov 2020

RE: AD-auth when moving to a new domain

Thank you, both!

I was able to sort this out using UserAgent and the script above helped a lot.

Av: Markus Moripen 27. nov 2020