1. User needs and problems
The customer already runs Microsoft Active Directory (AD) as its unified user management platform. AD holds authentication and basic user information for several applications: adding, renaming, deleting and modifying users, and maintaining user groups.
IBM Lotus Domino is a widely used office automation (OA) platform on which enterprises quickly build OA systems that fit their own requirements and management style. Domino also ships its own standards-compliant user directory, which provides enterprise-level directory and authentication services.
So AD is the existing unified user directory and Domino is the OA development platform to be deployed. How can the two be integrated well? How can user management be unified? And how does the OA system meet requirements for user information and permission management that go beyond what AD manages?
2. Solution
We propose two solutions. Each has its own advantages and disadvantages and suits different situations.
2.1. Solution 1
The first solution uses Lotus Domino Active Directory Synchronization (ADSync) to manage the Domino Directory and keep it synchronized with AD.
ADSync lets administrators synchronize users and groups between the Domino Directory and Active Directory. Administrators can register users, synchronize attributes and passwords, and have renames and deletions of users and groups performed in Active Directory mirrored in the Domino Directory, and vice versa. Its features include container mapping and attribute mapping between the two directories, and the policies applied when registering users.
2.1.1. Working principle and applicability
ADSync is a component of the Lotus Notes Administrator that integrates with the Windows console: it is a snap-in for the Microsoft Management Console (MMC). It provides an integrated environment in which an administrator registers a user in the Domino Directory at the same time as creating the AD user. At registration time the administrator supplies the certifier, the organizational unit and the user password, and ADSync completes the user's registration in Domino. Because ADSync is an MMC snap-in and not a Windows background service, user information that is not modified through the MMC (passwords changed by the user, personnel data edited elsewhere) is not synchronized to the Domino Directory automatically; it must be synchronized manually.
The hardest part of using ADSync is understanding which side can perform which operation, that is, which operations can be initiated from Active Directory and which from the Domino Administrator client. Table 1 makes this clear. The first column lists the task; the other two columns state whether the task can be performed from that platform.
Operation | From Active Directory | From Lotus Domino
--- | --- | ---
Register a user | Yes | Yes
Rename a user created in Active Directory | Only Active Directory users can be renamed | Only Active Directory users can be renamed
Rename a user created in Lotus Domino | Yes | Yes
Synchronize user data | Yes | No
Delete a user | Yes | Yes
Create a group | Yes | No
Rename a group | Yes | No
Synchronize group data | The membership defined in Active Directory overwrites the Members field in the Domino Directory | No
Delete a group | No | Yes
Batch import existing user passwords | No | No

Table 1. ADSync operations that can be initiated from Active Directory and from Lotus Domino. As the table shows, users can be created and deleted from either side, but renaming depends on where the user was created. User data is easily synchronized from Active Directory, but not from Lotus Domino. Creating a group is an Active Directory-only task, and existing passwords cannot be bulk-imported in either direction. Be familiar with this table before using ADSync in your environment.
ADSync password synchronization is triggered with the "Synchronize with Domino" button in the Active Directory Users and Computers tool. A password change the user initiates with CTRL+ALT+DEL does not trigger synchronization, so until an administrator synchronizes, the Notes HTTP (Internet) password stored in the Domino Directory is still the old one and still works against Domino. To synchronize the Active Directory and Notes HTTP passwords, highlight the user in Active Directory Users and Computers and click Synchronize with Domino.
ADSync is an MMC snap-in designed to simplify the administrator's work. It offers no programming interface for automating the creation or synchronization of users and groups.
2.2. Solution 2
The second solution uses AD as an external LDAP directory: Domino treats it as an additional authentication source, while the user directory in Domino handles authorization and stores the additional user information.
2.2.1. Working principle and applicability
Domino can be configured with Directory Assistance, an external directory service that connects to an external LDAP directory to authenticate and look up users who are not in the Domino Directory. Directory Assistance is a server feature for finding information in directories other than the local server's own Domino Directory. With this internal-plus-external scheme, a user who fails Domino authentication is automatically checked against AD. In other words, for the same user name either the AD password or the Domino password passes authentication. However, if the user's name is expressed differently in AD and in Domino, the name Domino ends up holding will not match the names in the database ACLs, and access checks fail.
The overall idea is illustrated below.
Assume a user test1 exists in both AD and Domino. The user's distinguished name in AD is CN=test1,CN=Users,DC=IBM,DC=com; in Domino it is CN=test1/O=IBM (Notes canonical form; abbreviated test1/IBM).
First, the user logs on to Domino with test1 and a password. If the user name and password match the entry in the Domino Directory, authentication succeeds and Domino returns CN=test1/O=IBM (test1/IBM). If they do not match, Domino verifies the password against AD through Directory Assistance. If the name and password match the entry in AD, authentication succeeds, but the name that comes back is the AD name CN=test1,CN=Users,DC=IBM,DC=com. Because that differs from the user's Notes name, ACL evaluation in Domino fails. Directory Assistance is therefore configured with an "attribute to be used as Notes distinguished name": an attribute of the AD user test1 that stores the Domino name CN=test1/O=IBM, which Directory Assistance substitutes for CN=test1,CN=Users,DC=IBM,DC=com. The final result is CN=test1/O=IBM (test1/IBM), which is what Domino's ACLs expect.
The advantage of this solution is that authentication in AD and Domino takes care of itself, and for Domino applications user information and organizational structure can be controlled flexibly in Domino, while synchronization with AD is done through standard LDAP operations and stays fully under our control. The cost is that an AD attribute must be populated with the Domino user name for every user, and an LDAP synchronization program is needed to maintain it.
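The logon flow just described, written out as an added example (it is not Domino code and not from the original article). The two directories, the password hashes, the database ACL and the choice of the AD attribute description for the Notes name are all constructed here; the ordering, Domino Directory first and AD second, follows the text. The example also shows the failure mode the text warns about: when the mapping attribute is missing, the raw AD distinguished name reaches the ACL check and the user gets the default access level.

```python
"""Model of Domino logon with Directory Assistance falling back to AD.

Added example, not Domino code. Directories, password hashes and ACLs are
constructed inline; the attribute name 'description' is the assumed AD
attribute that stores the Notes distinguished name.
"""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_entry(password: str, **attrs):
    """Build a directory entry with a salted password hash plus extra attributes."""
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash(password, salt), **attrs}


def check_password(entry, password: str) -> bool:
    return hmac.compare_digest(_hash(password, entry["salt"]), entry["pw"])


# Constructed Domino Directory: keys are Notes canonical names, the password is
# the Internet (HTTP) password of the Person document.
DOMINO_DIRECTORY = {
    "CN=test1/O=IBM": make_entry("notes-http-pw"),
}

# Constructed Active Directory: keys are LDAP DNs. test1 carries the Notes name
# in 'description' (assumption from the text); test2 has no mapping attribute.
ACTIVE_DIRECTORY = {
    "CN=test1,CN=Users,DC=IBM,DC=com": make_entry("ad-pw", description="CN=test1/O=IBM"),
    "CN=test2,CN=Users,DC=IBM,DC=com": make_entry("ad-pw2"),
}


def _find_by_cn(directory, user: str):
    """Locate an entry whose first RDN is CN=<user>, in either DN syntax."""
    wanted = f"cn={user.lower()}"
    for dn, entry in directory.items():
        first_rdn = dn.split(",")[0].split("/")[0].lower()
        if first_rdn == wanted:
            return dn, entry
    return None, None


def authenticate(user: str, password: str, notes_dn_attr):
    """Return the name Domino carries into ACL checks, or None on failure.

    Domino Directory is consulted first; only on failure is AD consulted
    through Directory Assistance. notes_dn_attr names the AD attribute that
    holds the Notes distinguished name (None models an unmapped configuration).
    """
    dn, entry = _find_by_cn(DOMINO_DIRECTORY, user)
    if entry and check_password(entry, password):
        return dn
    dn, entry = _find_by_cn(ACTIVE_DIRECTORY, user)
    if entry and check_password(entry, password):
        if notes_dn_attr and notes_dn_attr in entry:
            return entry[notes_dn_attr]      # substituted Notes name
        return dn                             # unmapped: the raw AD DN comes back
    return None


# Constructed database ACL: only the Notes name is listed.
ACL = {"CN=test1/O=IBM": "Editor", "-Default-": "No Access"}


def access_level(name: str) -> str:
    return ACL.get(name, ACL["-Default-"])


def logon(user: str, password: str, mapped: bool = True):
    """Authenticate and resolve the ACL level; mapped=False drops the attribute mapping."""
    name = authenticate(user, password, "description" if mapped else None)
    return name, (access_level(name) if name else None)


if __name__ == "__main__":
    for args in (("test1", "notes-http-pw"), ("test1", "ad-pw"), ("test1", "ad-pw", False)):
        print(args, "->", logon(*args))
```

Note what the model makes explicit: test1 can log on with either of two passwords, and an AD account whose mapping attribute is empty authenticates successfully yet lands on the ACL's default entry, which is exactly the "ACL error" the text describes.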
2.2.2. Installation and setup
Before configuring the Domino server, the users in Active Directory must be registered in the Domino Directory. This can be done with ADSync or batch user registration in Domino Administrator (solution 1), or with LDAP operations. Here we register the AD user CN=test1,CN=Users,DC=Hongyi,DC=com,DC=cn manually in Domino as CN=test1/O=Hongyi (test1/Hongyi). The Domino user name is then written back into AD; in this example we use the AD "Description" field to store it. The user now has a unified name in AD and Domino. Because this attribute decides which Notes identity an AD logon is mapped to, write access to it should be limited to the synchronization account and directory administrators. Next, Domino must be made to obtain this user name automatically and return it to our application. Two steps are needed: create the Directory Assistance configuration, and configure the Domino server document to enable the Directory Assistance database.
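The "LDAP synchronization program" the previous section calls for, reduced to its core as an added example (not part of Domino, Windows or the original article): derive each user's Domino name from the CN of the AD entry and emit an LDIF change file that sets the description attribute. The Domino organization Hongyi, the constructed user list and the canonical CN=user/O=Org format of the stored name are assumptions; check the format Domino expects in that attribute against the Directory Assistance documentation for your release.

```python
"""Populate the AD 'description' attribute with each user's Domino name.

Added example, not from the article. It emits an LDIF change file that a
domain administrator applies with ldifde. The Domino organization, the sample
user list and the 'CN=user/O=Org' name format are assumptions.
"""
import base64
import re

# Constructed sample of AD user DNs, as exported from the domain.
AD_USERS = [
    "CN=test1,CN=Users,DC=Hongyi,DC=com,DC=cn",
    "CN=test2,CN=Users,DC=Hongyi,DC=com,DC=cn",
    r"CN=Doe\, John,OU=Staff,DC=Hongyi,DC=com,DC=cn",  # escaped comma in the CN
]


def split_rdns(dn: str) -> list:
    """Split a DN on commas that are not escaped with a backslash."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def ad_dn_to_notes_dn(ad_dn: str, org: str) -> str:
    """Build the Notes canonical name from the CN of the AD entry."""
    first = split_rdns(ad_dn)[0]
    if not first.lower().startswith("cn="):
        raise ValueError(f"first RDN is not a CN: {ad_dn}")
    cn = first[3:].replace("\\,", ",")      # unescape for the Notes name
    return f"CN={cn}/O={org}"


def ldif_value(attr: str, value: str) -> str:
    """Emit 'attr: value', or base64 'attr:: ...' when the value is not LDIF-safe."""
    safe = (
        value.isascii()
        and value == value.strip()
        and not value.startswith((":", "<"))
        and "\n" not in value
        and "\r" not in value
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def ldif_modify_description(ad_dn: str, notes_dn: str) -> str:
    """One LDIF change record replacing 'description' on the given entry."""
    return "\n".join([
        ldif_value("dn", ad_dn),
        "changetype: modify",
        "replace: description",
        ldif_value("description", notes_dn),
        "-",
        "",
    ])


def build_ldif(ad_dns, org: str) -> str:
    return "\n".join(ldif_modify_description(dn, ad_dn_to_notes_dn(dn, org)) for dn in ad_dns)


if __name__ == "__main__":
    print(build_ldif(AD_USERS, "Hongyi"))
```

Write the output to a file and import it on a domain controller with `ldifde -i -f notes-names.ldif`, running as an account that may write description on those users. Non-ASCII names (Chinese user names, for instance) are base64-encoded with the `::` form, which ldifde requires for such values.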
Create the Directory Assistance configuration
Open the Notes client and create the Directory Assistance database.
1. Click "File" -> "Database" -> "New".
2. Enter the file name "da.nsf", select a server such as "server/Hongyi", and select the database template "Directory Assistance (7)". Then open the newly created Directory Assistance database and create the configuration document.
1. In Domino Administrator select "File" -> "Open Server", choose the server that has been set up to use the Directory Assistance database, and click "OK".
2. Click the "Configuration" tab and click "Add Directory Assistance".
3. On the "Basics" tab, fill in the following fields:
Domain type: select LDAP.
Domain name: the name of the domain, for example hongyi.com.cn.
Company name: optional.
Search order: optional.
Make this domain available to: select one or both of the following.
• "Notes Clients & Internet Authentication/Authorization": the directory is used for Notes mail addressing, for Internet client authentication (including LDAP client authentication) and for group member lookups during database authorization.
• "LDAP Clients": a server running the LDAP service lets LDAP clients search this LDAP directory when a search fails in all Domino directories.
Group authorization: select one of the following.
• "Yes": group members may be looked up in the LDAP directory during database authorization.
• "No" (default): group members are not looked up in this directory during database authorization.
Select "Yes" for only one directory (Notes or LDAP) configured in the Directory Assistance database. A "Trusted for credentials" rule is not required for group lookups. If "Yes" is selected, also choose whether nested groups are searched: "Yes" (default) searches the members of groups listed in the database ACL and of the groups nested in them; "No" searches only the group members listed directly in the database ACL.
Enabled: select "Yes" to enable Directory Assistance for this LDAP directory.
Attribute to be used for SSO token name (maps to ltpa_usernm): the name of the directory attribute returned when the ltpa_usernm field is requested; its value is used as the user name in any SSO token Domino generates.
4. Click the "Naming Contexts (Rules)" tab and fill in the following fields for each rule to define for this directory. By default a rule of all asterisks (*/*/*/*/*/*), which matches every name, is enabled with "Trusted for credentials" set to "No".
Naming context #: describes the naming context (rule) that user names in the LDAP directory must match.
Enabled: select one of the following.
• "Yes": the rule is active.
• "No" (default): the rule is disabled.
Trusted for credentials: select one of the following.
• "Yes": the server may use credentials in the LDAP directory to authenticate Internet clients whose distinguished names match this rule.
• "No" (default): the server does not use this directory to authenticate Internet clients whose names match this rule.
For the AD fallback described in 2.2.1, "Trusted for credentials" must be "Yes" on the rule that matches the AD users. Keep that rule as narrow as possible: every name matching a trusted rule can log on to Domino with its AD password.
5. On the "LDAP" tab, enter the following fields:
Hostname: the host name of the remote LDAP directory server, for example ldap.acme.com. The Domino server connects to this host, or refers LDAP clients to it.
Base DN for search: the search base, if the LDAP directory server requires one.
Channel encryption: select one of the following.
• "SSL" (default): SSL is used when the Domino server connects to the remote LDAP directory server.
• "None": SSL is disabled.
If the remote LDAP directory is used for client authentication or for group lookups during database authorization, keep "SSL": with "None", user names and passwords travel to AD in clear text. If "SSL" is selected, also set "Accept expired SSL certificates", "SSL protocol version" and "Verify server name with remote server's certificate"; keep the last one enabled so that Domino rejects a certificate issued for some other host.
Port: the port the Domino server uses to connect to the remote LDAP directory server. The default is 636 with "SSL" and 389 with "None"; if the LDAP server listens on a different port, enter it.
Timeout: the maximum time, in seconds, a search of the remote LDAP directory may take. The default is 60 seconds. If the remote LDAP directory server has its own timeout, the lower value applies.
Maximum number of entries returned: the most entries the LDAP directory server returns for a name the Domino server searches for. If the LDAP server has its own maximum, the smaller value applies; if the search times out, the names found up to that point are returned. The default is 100.
Dereference alias on search: select one of the following to control how aliases are dereferenced when searching the remote LDAP directory: "Never", "Only for subordinate entries", "Only for search base entry", "Always" (default). If the LDAP directory uses no aliases, "Never" improves search performance.
Preferred mail format: if Directory Assistance allows Notes users to address mail to users in the LDAP directory, this specifies the address format used in Notes mail. Select one of the following.
• "Notes mail address", for example John Doe/Acme@Acme; normally used only when the LDAP directory is itself a Domino Directory.
• "Internet mail address" (default), for example jdoe@acme.com.
Attribute to be used as Notes distinguished name: when the Domino server uses the remote LDAP directory for client authentication or database authorization, this maps each user's LDAP distinguished name to the corresponding Notes distinguished name. Enter the name of the AD attribute that stores the Domino user name; in this example it is description, whose value for test1 is CN=test1/O=Hongyi.
Type of search filter to use: select the LDAP search filter used when searching the directory ("Standard LDAP" fits most cases).
• "Standard LDAP" (default)
• "Active Directory"
• "Custom"
6. Click "Save and Close".
Configure the Domino server document
1. Open the Domino server document in Notes.
2. On the "Basics" tab, enter the "da.nsf" created above in "Directory assistance database name".
3. Save the document.
4. Restart the server.
Configuration is now complete and has been verified against Active Directory. From this point on, either the Active Directory password or the Domino Internet password logs the user on to Domino through the browser (B/S), and Domino always obtains a user name in the format database authorization requires. Keep the consequence in mind: each user now has two valid passwords, and disabling the account or changing the password in AD does not block a logon with the Domino Internet password, so when an account is retired in AD the Internet password in the Domino Person document must be cleared as well.