This document provides an overview of using Active Directory Integration (ADI) with IBM Lotus Domino. It begins by clarifying common misconceptions about ADI and examining the ADSync and Directory Assistance tools. ADSync allows for some limited synchronization between Domino and Active Directory objects but is not a full synchronization tool. Directory Assistance enables using secondary directories like Active Directory for user authentication and authorization for Notes and web clients. The document reviews setting up and testing Directory Assistance by configuring the DA.nsf database and verifying the LDAP connection and startup. It also provides background on how user authorization works between the directories.
2. Agenda and Goals
Clarify and correct common misconceptions
Clarify and correct common mistakes
Clarify relevant deployment scenarios
Examine ADSync and Directory Assistance
for integrating IBM Lotus Domino directory
services and Microsoft Active Directory
3. ADSync & Domino
Why this presentation section?
There have been many questions in the IBM Notes and Domino forums
about the Domino administration feature, ADSync
There is a lot of confusion about what ADSync is capable of, and what it isn’t
What I hope to give you:
A high-level overview of what ADSync is and is not
What ADSync is capable of doing for you
Things to think about when deploying ADSync
4. Terminology
A couple of terms I’ll use throughout this section:
Object-Level
For the scope of this presentation, “object” refers to Domino records (e.g.,
the Josh Burchard person document) or LDAP entries of type person or
group
Field-Level
The Domino fields (e.g., HTTPPassword) / LDAP attributes that comprise
person and group objects
6. So What is it Then?
It’s a Microsoft Management Console (MMC) Snap-In that
extends and expands on our Notes NT User Manager Add-In
It’s A Domino Administrator client install option
It’s a tool that allows for some synchronization by linking Domino
and Active Directory objects.
It’s a way to do general Domino field-level administration from the
MMC
It’s a way to do basic Domino object-level administration from the
MMC
It’s more useful than simply migrating entries back and forth
between a Domino Directory and Active Directory
7. So What is it? (cont.)
It’s only part of the Active Directory administration picture:
ADSync, along with the Domino Administrator client, can work together to
perform limited, manual, synchronization of objects
[Figure: Domino and Active Directory linked by two tools. The Domino Administrator
client works on objects only; ADSync works on objects and fields.]
8. Where does ADSync Live?
[Screenshot: the MMC “Users and Computers” dialog, with the ADSync toolbar buttons
and the container for the ADSync popup menu highlighted]
ADSync is a Snap-In to the Microsoft Management Console’s
“Users and Computers” dialog that provides embedded Domino
functionality
9. What can you do with these tools?
Adds people to Active Directory or NT via the “Person
Registration Advanced Pane” and links them to their respective
Domino object
Imports people and groups from Active Directory or NT via
“Person Registration Migrate” (Domino Upgrade Service) and
links them to their respective Domino object
You can add, delete, rename people in NT or Active Directory via
the Domino Administrator client
You can migrate people and groups to Domino from NT or Active
Directory via the Domino Administrator client
10. What can you do with these tools?
You can create new people and groups in Active Directory and at
the same time (or later, if you wish) register the people, or add the
groups to Domino via ADSync
You can link people and groups that already exist in Active
Directory and Domino via ADSync
You can delete groups in NT or Active Directory via the Domino
Administrator client
You can synchronize changes made to an Active Directory object
with the object it’s linked to in Domino
11. Be Aware! (Prereqs and Planning Needed)
Prerequisites:
Install the Domino Administrator client with the W2000 Sync Services option
The preferred way of running ADSync is from Windows 2000 Professional or
Windows XP Professional with the Microsoft AdminPak
Planning:
You can perform ADSync operations on more than one Domino server, but it
is not recommended
Domino registration operations are limited to the primary Domino Directory,
no secondary directories
To perform Active Directory object level operations (like delete and rename)
from the Domino Admin client, the objects must have been previously linked
You must have created a Domino policy when adding people in Active
Directory and then registering them in Domino. This provides a way for
Domino to specify default values for the fields that aren’t mapped from AD
(e.g. Roaming user)
12. Some Common Misconceptions
We never do field-level manipulation from Domino to Active
Directory, only from Active Directory to Domino
During Domino person registration, ADSync can set a common
password for Active Directory, Domino HTTP and the Notes ID
If you reset the common password via ADSync, the AD and
Domino HTTP password will be made the same but the Notes ID
password will not be modified. Even using Notes Single Logon
will require a manual Notes ID password change
Since Domino field values never get applied to AD fields, the AD
e-mail address needs to be manually set to the Domino e-mail
address
ADSync configuration settings are not shared across
Administrator client machines
13. Some Common Misconceptions (cont.)
ADSync only synchronizes Active Directory changes made via the
MMC. In general, these are manual changes made by
administrators. Programmatic changes are not recognized
Changing a field in Active Directory prompts an automatic
synchronization to occur which overwrites the corresponding
Domino field
No scheduling of synchronizations
Synchronizing an Active Directory group will not register its
members as people in Domino. It is only a field-level
synchronization operation that translates the group member names
Renaming a group via ADSync does not create all of the
necessary Administration Process requests, e.g. replacing the old
name with the new in Domino database ACLs
14. Points to Take Away
ADSync requires careful planning beforehand, and careful
management once in use because:
It can’t provide a perfect password-sync solution, even when used with Notes
Single Logon
Only manual MMC changes (not programmatic ones) kick off an auto-sync,
which may leave orphaned objects or other directory anomalies
There exists only one-way field-level synchronization: from Active Directory to
Domino
AdminP will not propagate Active Directory name changes to ACLs
There are other alternatives that IBM provides!
15. Directory Assistance
What is it?
How is it used by Notes and Web clients?
How is it set up?
What additional background information is useful?
What are the common problems and solutions?
16. What is Directory Assistance?
Directory of secondary directories
Domino server feature enabling customers to use secondary
Domino or LDAP (e.g., Active Directory) directories for:
Internet Authentication
Notes and Internet Group Membership Lookups for Database
Authorization
Notes Mail Address Resolution
Type ahead (type/pause/complete)
Select Addresses dialog
F9 / Comma Address completion
Lookup User Attributes
Email address
MailFile
Etc.
17. Notes Client Database Access
Function                  Name in secondary Domino directory   Name in LDAP secondary (e.g., AD)
NAMELookup                Yes                                  Yes
F9 name completion        Yes                                  Yes
Select Addresses dialog   Yes                                  No
Type ahead                Yes                                  No
Authorization             Yes                                  Not applicable
Authentication            Yes                                  Not applicable
18. Web Client Database Access (non-DWA)
Function                  Name in secondary Domino directory   Name in LDAP secondary (e.g., AD)
NAMELookup                Yes                                  Yes
F9 name completion        Not applicable                       Not applicable
Select Addresses dialog   Yes                                  No
Type ahead                No                                   No
Authorization             Yes                                  Yes
Authentication            Yes                                  Yes
19. DA Backgrounder: Directory Interfaces
[Figure: directory data flow. Applications reach directory data through three interfaces:
NSF/NIF API (e.g., NSFDbOpen, NIFFindByName), used by NSF applications over NRPC
NAME API (e.g., NAMELookup), used by NAMELookup applications over NRPC
LDAP, used by LDAP applications against the Domino LDAP server
On the Domino server (klin0), Directory Services reads Names.nsf and Names2.nsf through
NSF/NIF/FT and reaches Active Directory (bk2000) through the LDAP gateway. A chased
LDAP referral (LDAP Ref XOR Referral) is an alternative path not used in our examples.]
20. DA Setup: Modify Server Document
1. Enter the name of the DA database that we will create next
21. DA Setup: Create DA.nsf Database
1. Use the Directory Assistance template, da50.ntf (Show advanced templates)
2. The file name da.nsf matches the Server document setting
22. DA Setup: Basics Tab
1. Change Domain type from Notes (default) to LDAP
2. Domain name: any unique admin-friendly name
3. Select the types of directory applications
4. Change Group Authorization from No (default) to Yes to allow Active Directory
groups to be used in database ACLs
5. Leave nested group expansion set to Yes to recognize nested Active Directory groups
6. Leave Enabled set to Yes
Remaining settings not covered - see
23. Backgrounder: Database Authorization
DA permits only one secondary directory where Group Authorization is
set to Yes
If you have both a secondary Active Directory and other Domino secondaries, make
the primary an Extended Directory Catalog
Use fully qualified Notes names (slashes) in database ACLs – not
abbreviated names – not LDAP names! An AD entry appears in the ACL in
slash form, e.g.:
cn=MDN Admin/cn=Users/dc=bk/dc=notesdev/dc=ibm/dc=com
cn=Administrators/cn=Builtin/dc=bk/dc=notesdev/dc=ibm/dc=com
Review the setting File / Database / Access Control / Advanced /
Maximum Internet name and password: it caps the access any Internet
(name-and-password) user gets to the database, whatever their ACL entry grants
24. Backgrounder: Notes & AD Directory Organization
[Figure: the two directory trees side by side; legend marks person, group and container entries]
Active Directory:
dc=bk,dc=notesdev,dc=ibm,dc=com
  cn=Builtin
    cn=Administrators
  cn=Computers
  cn=Users
    cn=Users
    cn=Beth Keach
    cn=MDN Admin
    cn=Enterprise Admins
(Note the possible use of DCs, i.e. dc= components, in the names)
Notes/Domino:
(root)
  LocalDomainAdmins
  o=IBM LDAP Server Dev
    ou=Westford
      cn=Josh Burchard
      cn=Ken Lin
25. DA Setup: Naming Contexts Tab
Leave Naming Context 1 (N.C. 1) with all asterisks (because
Change Trusted for Credentials to Yes
26. DA Setup: LDAP Tab
Fields on the LDAP tab (each is covered on the following slides):
Hostname(s)
LDAP bind DN for searches
Password
LDAP base DN for search
Change the type of search filter to Active Directory
SSL is not covered in this presentation
27. DA Setup: Hostname
DNS name or IP address (v6 also) of one or more replicated Active
Directory servers
Obtain by asking your AD administrator
Alternate discovery methods:
Query DNS SRV for _ldap._tcp.domainname using nslookup.exe (registered by
Windows 2003-based domain controllers)
Run an auto-discovery tool on your subnet
28. DA Setup: Optional Authentication Credential
Use the LDAP “Bind” distinguished name of a single AD user who can
search the desired AD entries (a dedicated account with read access is
enough; it does not need to be an administrator)
Use LDAP naming (attribute = value, separated by commas)
Optionally protect the clear-text password using the normal “Encrypting
documents using secret keys” procedure
29. DA Setup: Base DN for Search
LDAP searches require a filter, a base, and a scope
Locate the top of the desired tree (e.g., the root DSE’s defaultNamingContext)
[Figure: the AD tree again: dc=bk,dc=notesdev,dc=ibm,dc=com with containers cn=Builtin,
cn=Computers and cn=Users (holding cn=Administrators, cn=Users, cn=Beth Keach,
cn=MDN Admin, cn=Enterprise Admins). The domain root is probably what you want as the base.]
30. DA Setup: Authentication Filter
[Figure: Beth authenticates while opening http://klin0/mail/klin.nsf using her Windows
username, bkeach. The Domino LDAP gateway talks to AD in two steps:]
Name resolution (search):
  Base: dc=bk,dc=notesdev,dc=ibm,dc=com
  Filter: (|(cn=bkeach) ...
  Result DN: cn=Beth Keach,cn=Users, . . .
Authentication (bind):
  bindDN: cn=Beth Keach,cn=Users, . . .
  Password: the one Beth typed
  Result: success
[The figure shows the filter for 6.5.6 and for 7.0.1; more name variations in the
filter mean more ways for a typed name to match an entry, i.e. lower security]
31. Backgrounder: NamesList
NamesList (Effective Access) is composed of
Names and aliases
Groups
Example: Beth’s NamesList
cn=Beth Keach,cn=Users, …
and the groups she is a member of:
cn=Enterprise Admins,cn=Users, …
cn=Administrators,cn=Builtin, …
cn=Domain Administrators,cn=Builtin, …
Use this to grant AD admins (including Beth) access to
http://klin0/mail/
34. Test DA: LDAP Connection
Test the DA LDAP configuration settings using the ldapsearch tool shipped in the
Notes program directory. Each option maps to a field on the DA LDAP tab:
[C:\Notes] ldapsearch.exe
  -h bk2000.notesdev.ibm.com                                    hostname
  -p 389                                                        port
  -D "cn=mdn admin,cn=users,dc=bk,dc=notesdev,dc=ibm,dc=com"    LDAP bind DN
  -w "rosebud"                                                  password
  -b "dc=bk,dc=notesdev,dc=ibm,dc=com"                          LDAP base DN for search
  -s subtree
  "(cn=Administrators)"                                         find an entry
If the entry comes back, the hostname, port, bind credential and base DN you are
about to enter in da.nsf all work. A password given with -w is visible in the
command history and process list, so use a test account or clear the history afterwards.
35. Test DA: Verify Startup
Success: both directories are listed
> SHOW XDIR
   DomainName   DirectoryType    ClientProtocol   Replica/LDAP Server
   ----------   --------------   --------------   -------------------
1  KLIN0        Primary-Notes    Notes & LDAP     names.nsf
2  BK2000       Secondary-LDAP   Notes & LDAP     [bk2000.notesdev.ibm.com]:389

Port or Bind DN / Password failure: an error is logged and the secondary directory is missing
01/05/2006 07:12:54 PM Error attempting to access the Directory
*[bk2000.notesdev.ibm.com]:389 (no available alternatives), error is
LDAP Server is NOT available.
> SHOW XDIR
   DomainName   DirectoryType    ClientProtocol   Replica/LDAP Server
   ----------   --------------   --------------   -------------------
1  KLIN0        Primary-Notes    Notes & LDAP     names.nsf
36. Monitor DA: WebAuth_Verbose_Trace=1
Successful name resolution:
WebAuth> LOOKUP in view $Users (user='bkeach' org='')
NAMELookup::<LDAP GW> Searching for name='bkeach' in LDAP
server='[bk2000.notesdev.ibm.com]'
NAMELookup::<LDAP GW> Base: dc=bk,dc=notesdev,dc=ibm,dc=com
NAMELookup::<LDAP GW> Scope: 2                (2 = subtree)
NAMELookup::<LDAP GW> Filter: (|(cn=bkeach)
(sAMAccountName=bkeach)(uid=bkeach)(mail=bkeach))
. . .
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Beth Keach
/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
Successful authentication:
NAMELookup::<NAMEVerifyLDAPPassword>>
BIND LDAP host='[bk2000.notesdev.ibm.com]:389' w/ user='CN=Beth Keach
/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
WebAuth> VERIFY password
37. Monitor DA: WebAuth_Verbose_Trace=1 (cont.)
Successful 6.5.5 NamesList generation:
NAMELookup::<LDAP GW> Searching for name='CN=Beth Keach/CN=Users
/DC=bk/DC=notesdev/DC=ibm/DC=com' in LDAP server=
'[bk2000.notesdev.ibm.com]'
NAMELookup::<LDAP GW> Base: CN=Beth Keach,CN=Users,
DC=bk,DC=notesdev,DC=ibm,DC=com
NAMELookup::<LDAP GW> Scope: 0                (0 = base object only)
NAMELookup::<LDAP GW> Filter: (objectClass=*)
NAMELookup::<LDAP GW> Attrs: memberOf
. . .
NAMELookup::<LDAP GW> SEARCH returned '2' match(es).
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Enterprise
Admins/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Domain
Administrators/CN=Builtin/DC=bk/DC=notesdev/DC=ibm/DC=com'
Etc.
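The trace above shows the whole DA web-login path in three LDAP operations: a subtree search that turns the typed name into a DN, a bind as that DN, and a base-scope read of the user's memberOf to build the NamesList that is then matched against the slash-form names in the database ACL. Added here as a worked example (it is not code from the presentation, from IBM or from Domino), the Python below models that path against a constructed in-memory stand-in for the AD entries named in the trace. All passwords, mail addresses and the two extra accounts (sAMAccountName "admin" and cn "Admin") are made up, and the rule that an ambiguous name is refused is this example's choice, not documented DA behaviour.

```python
# Added example, not code from the presentation, IBM or Domino: an in-memory
# model of the DA web-login path that the WebAuth_Verbose_Trace output shows.
# AD_ENTRIES is a constructed stand-in for the entries named in the trace;
# passwords, mail values and the two extra accounts are made up.
import hmac
from typing import Dict, List, Optional

AD_ENTRIES: Dict[str, Dict[str, object]] = {
    "CN=Beth Keach,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com": {
        "cn": "Beth Keach", "sAMAccountName": "bkeach",
        "mail": "bkeach@bk.notesdev.ibm.com",   # constructed
        "password": "beth-pw",                  # constructed; a real DC never returns this
        "memberOf": [  # direct memberships only, which is what AD's memberOf holds
            "CN=Enterprise Admins,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com",
            "CN=Domain Administrators,CN=Builtin,DC=bk,DC=notesdev,DC=ibm,DC=com",
        ],
    },
    "CN=MDN Admin,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com": {
        "cn": "MDN Admin", "sAMAccountName": "admin",   # login name constructed
        "mail": "mdn@bk.notesdev.ibm.com", "password": "rosebud",
        "memberOf": ["CN=Administrators,CN=Builtin,DC=bk,DC=notesdev,DC=ibm,DC=com"],
    },
    "CN=Admin,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com": {   # constructed: its cn
        "cn": "Admin", "sAMAccountName": "kadmin",           # collides with "admin" above
        "mail": "kadmin@bk.notesdev.ibm.com", "password": "kadmin-pw", "memberOf": [],
    },
}

LOOKUP_ATTRS = ("cn", "sAMAccountName", "uid", "mail")  # attributes in the traced filter


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a typed login name cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_auth_filter(name: str) -> str:
    """The OR filter the trace shows DA sending when the filter type is Active Directory."""
    v = escape_filter_value(name)
    return "(|" + "".join("(%s=%s)" % (a, v) for a in LOOKUP_ATTRS) + ")"


def resolve_dn(name: str) -> Optional[str]:
    """Scope 2 (subtree) search from the base DN. Returning a DN only for exactly one
    match is this example's choice: an ambiguous name must not log in as anybody."""
    probe = name.lower()  # AD matches these attributes case-insensitively
    hits = [dn for dn, e in AD_ENTRIES.items()
            if any(str(e.get(a, "")).lower() == probe for a in LOOKUP_ATTRS)]
    return hits[0] if len(hits) == 1 else None


def bind(dn: str, password: str) -> bool:
    """Simple bind as the resolved DN (the NAMEVerifyLDAPPassword step in the trace)."""
    e = AD_ENTRIES.get(dn)
    return e is not None and hmac.compare_digest(str(e["password"]).encode(), password.encode())


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas; an escaped '\\,' inside a value is kept."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts


def ldap_dn_to_notes_name(dn: str) -> str:
    """Render an LDAP DN the way the trace and database ACLs show it: RDNs joined by '/'."""
    return "/".join(split_dn(dn))


def is_ldap_name(s: str) -> bool:
    """Heuristic check for the Bind DN and Base DN fields, which must hold LDAP names
    (attr=value, comma separated), not the slash form used in ACLs."""
    return "/" not in s and all("=" in r and r.split("=", 1)[0].strip() != "" for r in split_dn(s))


def names_list(dn: str) -> List[str]:
    """Scope 0 search of the user's own entry for memberOf, rendered as Notes names."""
    groups = AD_ENTRIES[dn]["memberOf"]
    return [ldap_dn_to_notes_name(dn)] + [ldap_dn_to_notes_name(g) for g in groups]


def web_authenticate(name: str, password: str) -> Optional[List[str]]:
    """Whole path: resolve, bind, build NamesList. None on unknown/ambiguous name or bad password."""
    dn = resolve_dn(name)
    if dn is None or not bind(dn, password):
        return None
    return names_list(dn)


def acl_allows(effective_names: List[str], acl_entries: List[str]) -> bool:
    """ACL entries are fully qualified Notes names; AD-derived names compare case-insensitively."""
    wanted = {a.lower() for a in acl_entries}
    return any(n.lower() in wanted for n in effective_names)
```

Calling web_authenticate("bkeach", "beth-pw") returns the three slash-form names from slide 37, and acl_allows() on that list accepts the ACL entry cn=Enterprise Admins/cn=Users/dc=bk/dc=notesdev/dc=ibm/dc=com from slide 31. Two things the trace alone does not show: the typed login name is interpolated into an LDAP filter, so it must be escaped before it reaches the directory; and a user entry's memberOf lists direct memberships only, which is why this list does not contain the Administrators group that slide 31 gives Beth through nesting, and why the Basics tab has a nested group expansion setting. is_ldap_name() is the check for the slide 38 rule that the Bind DN and Base DN fields take LDAP names, not Notes slash names.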
38. DA: Points to Take Away
Allows AD users to access Domino databases with web clients
Setup:
Specify AD users or groups in Domino database ACLs as Notes names
Group Authorization – Yes
Trusted for Credentials – Yes
Optional Authentication Credential – Must supply an LDAP name
Base DN for Search – Must supply an LDAP name
Type of Search Filter to use – Active Directory
Testing and Monitoring:
ldapsearch command line tool
Show XDIR server console command
WebAuth_Verbose_Trace=1 Notes.ini setting
39. IBM Tivoli Directory Integrator
General purpose data synchronization toolkit / engine
Change Propagation
Built-in connectors perform I/O with popular data sources (e.g., LDAP, NSF)
Built-in event handlers wait for and react to specific event (e.g., AD change,
LDAP changelog detection)
Administrators code assembly lines using connectors and/or event handlers to
transform and propagate information
Password Change Propagation
Separately installable plug-in entities capture AD password and Domino HTTP
password changes, updates other directories with new password
ITDI Compared with ADSync
ITDI change-triggered or batch execution vs. ADSync is manual only
ITDI is flexible (you provide programming) vs. ADSync is limited
ITDI assembly lines coded using JavaScript or Java
40. Summary
Use ADSync when
You want to allow Active Directory users to access Domino databases using
the Notes or Web clients
You want Active Directory administrators to handle most people and group
administration for your Domino domain
You don’t mind not having the most up-to-date directory entries
Use Directory Assistance when
You want to allow Active Directory users to access Domino databases using
Web clients
You do not want to continually maintain and sync directory content
Consider IBM Tivoli Directory Integrator when
Your synchronization requirements are more advanced
41. References
IBM Redbooks | Using LDAP for Directory Integration
ADSync
IBM Redbooks | Active Directory Synchronization with Lotus ADSync
http://www.redbooks.ibm.com
Administering the Domino System – Using Domino with Windows
Synchronization Tools
Directory Assistance
Administering the Domino System – Setting Up Directory Assistance
Single sign-on in a Multi-directory World
http://www-128.ibm.com/developerworks/lotus/library/sso1/
Google “Domino Directory FAQ”
Editor's Notes
Assume some audience has heard of DA. Balance of presentation is based upon our monitoring of ND and BP forums – more DA than ADSync questions
If half the functionality is in the Domino Admin client then…………….. (Ask question on title.)
They’ll see it later on, but explicitly point out that Domino registration can only create PEOPLE in AD, but AD can create people or groups in Domino.
Target audience: Somewhat familiar with DA and LDAP My value: common problems / inner workings
Not interesting for the Active Directory deployment scenario. Not applicable because running a Notes client requires an ID, and therefore a Domino directory infrastructure. Not to be confused with (mention) LDAP connection docs
Star = Points to pay attention to DA-AD used mainly for Web authentication/authorization
Magic Hat = Details for geeks
(Don’t attempt to explain on this slide) Mention next 2 slides are Side notes
http://www.awprofessional.com/articles/article.asp?p=26918&rl=1 Investigate migration hierarchies vs. brand new hierarchies
Need a sentence defining Name Rule. “Just use all asterisks”
Go through these quickly (will be covered in depth later) SSL Warning – see lab (red lotus security handbook)