Lotusphere 2006: ID107 - Getting Started with Active Directory Integration



Bridging the worlds of IBM Lotus Domino and the Active Directory (AD) can be a challenging task. This introductory session examines naming, authentication, authorization, field mapping, performance and other functional considerations when Lotus Domino administrators deploy Directory Assistance and ADSync solutions. In this session we intend to myth-bust ADSync and provide a clearer picture of what it can and, most importantly, cannot do for you. We'll also explore what other synchronization possibilities exist between Lotus Domino and Active Directory, as well as how to leverage the Lotus Domino Directory Assistance feature to bring you that much closer to Lotus Domino and Active Directory harmony.


Published in: Technology, Business
Speaker notes:
  • Assume some audience has heard of DA. Balance of presentation is based upon our monitoring of ND and BP forums – more DA than ADSync questions
  • If half the functionality is in the Domino Admin client then… (Ask question on title.)
  • They’ll see it later on, but explicitly point out that Domino registration can only create PEOPLE in AD, but AD can create people or groups in Domino.
  • Target audience: somewhat familiar with DA and LDAP. My value: common problems / inner workings.
  • Not interesting for the Active Directory deployment scenario. Not applicable because running a Notes client requires an ID, and therefore a Domino directory infrastructure. Not to be confused with (mention) LDAP connection docs.
  • Star = points to pay attention to. DA-AD used mainly for Web authentication/authorization.
  • Magic Hat = Details for geeks
  • (Don't attempt to explain on this slide.) Mention the next 2 slides are side notes.
  • http://www.awprofessional.com/articles/article.asp?p=26918&rl=1 Investigate migration hierarchies vs. brand new hierarchies
  • Need a sentence defining Name Rule. "Just use all asterisks."
  • Go through these quickly (will be covered in depth later). SSL warning: see lab (red Lotus security handbook).
  • http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/f4b82fbb75e942a6852566ac0037f284/fe24903970b82d3585256c1d00394173?OpenDocument
  • sAMAccountName is a new feature in 6.5.6 and 7.0.1 (NOT in 7.0)
  • This slide illustrates how groups (in this case from AD) are used in NamesLists.
  • In subsequent releases, we’ll consider embedding configuration validation/wizards
  • XOR


  • 1. ID107: Getting Started With Active Directory Integration
    Josh Burchard, Ken Lin (Lotus Software, IBM Software Group)
  • 2. Agenda and Goals
     Clarify and correct common misconceptions
     Clarify and correct common mistakes
     Clarify relevant deployment scenarios
    Examine ADSync and Directory Assistance for integrating IBM Lotus Domino directory services and Microsoft Active Directory
  • 3. ADSync & Domino
     Why this presentation section?
       There have been many questions in the IBM Notes and Domino forums about the Domino administration feature, ADSync
       There is a lot of confusion about what ADSync is capable of, and what it isn't
     What I hope to give you:
       A high-level overview of what ADSync is and is not
       What ADSync is capable of doing for you
       Things to think about when deploying ADSync
  • 4. Terminology
     A couple of terms I'll use throughout this section:
     Object-level: for the scope of this presentation, "object" refers to Domino records (e.g., the Josh Burchard person document) or LDAP entries of type person or group
     Field-level: the Domino fields (e.g., HTTPPassword) / LDAP attributes that comprise person and group objects
  • 5. What ADSync Isn't
    Surprise! Despite the name, it's not a full synchronization tool
  • 6. So What is it Then?
     It's a Microsoft Management Console (MMC) snap-in that extends and expands on our Notes NT User Manager add-in
     It's a Domino Administrator client install option
     It's a tool that allows for some synchronization by linking Domino and Active Directory objects
     It's a way to do general Domino field-level administration from the MMC
     It's a way to do basic Domino object-level administration from the MMC
     It's more useful than simply migrating entries back and forth between a Domino Directory and Active Directory
  • 7. So What is it? (cont.)
     It's only part of the Active Directory administration picture:
       ADSync, along with the Domino Administrator client, can work together to perform limited, manual synchronization of objects
    (Diagram: from Active Directory to Domino, ADSync carries objects and fields; from Domino to Active Directory, the Admin client carries objects only.)
  • 8. Where does ADSync Live?
     ADSync is a snap-in to the Microsoft Management Console's "Users and Computers" dialog that provides embedded Domino functionality
    (Screenshot callouts: ADSync buttons on the toolbar; the container for the ADSync popup menu.)
  • 9. What can you do with these tools?
     Adds people to Active Directory or NT via the "Person Registration Advanced Pane" and links them to their respective Domino object
     Imports people and groups from Active Directory or NT via "Person Registration Migrate" (Domino Upgrade Service) and links them to their respective Domino object
     You can add, delete and rename people in NT or Active Directory via the Domino Administrator client
     You can migrate people and groups to Domino from NT or Active Directory via the Domino Administrator client
  • 10. What can you do with these tools? (cont.)
     You can create new people and groups in Active Directory and at the same time (or later, if you wish) register the people, or add the groups, to Domino via ADSync
     You can link people and groups that already exist in Active Directory and Domino via ADSync
     You can delete groups in NT or Active Directory via the Domino Administrator client
     You can synchronize changes made to an Active Directory object with the object it's linked to in Domino
  • 11. Be Aware! (Prereqs and Planning Needed)
     Prerequisites:
       Install the Domino Administrator client with the W2000 Sync Services option
       The preferred way of running ADSync is from Windows 2000 Professional or Windows XP Professional with the Microsoft AdminPak
     Planning:
       You can perform ADSync operations on more than one Domino server, but it is not recommended
       Domino registration operations are limited to the primary Domino Directory, no secondary directories
       To perform Active Directory object-level operations (like delete and rename) from the Domino Admin client, the objects must have been previously linked
       You must have created a Domino policy when adding people in Active Directory and then registering them in Domino. This provides a way for Domino to specify default values for the fields that aren't mapped from AD (e.g., roaming user)
  • 12. Some Common Misconceptions
     We never do field-level manipulation from Domino to Active Directory, only from Active Directory to Domino
     During Domino person registration, ADSync can set a common password for Active Directory, Domino HTTP and the Notes ID
     If you reset the common password via ADSync, the AD and Domino HTTP passwords will be made the same but the Notes ID password will not be modified. Even using Notes Single Logon will require a manual Notes ID password change
     Since Domino field values never get applied to AD fields, the AD e-mail address needs to be manually set to the Domino e-mail address
     ADSync configuration settings are not shared across Administrator client machines
  • 13. Some Common Misconceptions (cont.)
     ADSync only synchronizes Active Directory changes made via the MMC. In general, these are manual changes made by administrators. Programmatic changes are not recognized
     Changing a field in Active Directory prompts an automatic synchronization to occur which overwrites the corresponding Domino field
     No scheduling of synchronizations
     Synchronizing an Active Directory group will not register its members as people in Domino. It is only a field-level synchronization operation that translates group member names
     Renaming a group via ADSync does not create all of the necessary Administration Process requests, e.g., replacing the old name with the new in Domino database ACLs
  • 14. Points to Take Away
     ADSync requires careful planning beforehand, and careful management once in use, because:
       It can't provide a perfect password-sync solution, even when used with Notes Single Logon
       Only manual MMC changes (not programmatic ones) kick off an auto-sync, which may leave orphaned objects or other directory anomalies
       There exists only one-way field-level synchronization: from Active Directory to Domino
       AdminP will not propagate Active Directory name changes to ACLs
     There are other alternatives that IBM provides!
  • 15. Directory Assistance
     What is it?
     How is it used by Notes and Web clients?
     How is it set up?
     What additional background information is useful?
     What are the common problems and solutions?
  • 16. What is Directory Assistance?
    Directory of secondary directories: a Domino server feature enabling customers to use secondary Domino or LDAP (e.g., Active Directory) directories for:
     Internet authentication
     Notes and Internet group membership lookups for database authorization
     Notes mail address resolution
       Type ahead (type/pause/complete)
       Select Addresses dialog
       F9 / comma address completion
     Lookup of user attributes
       E-mail address
       MailFile
       Etc.
  • 17. Notes Client Database Access
                               Name in secondary Domino directory   Name in LDAP secondary (e.g., AD)
    Authentication             Yes                                  Not applicable
    Authorization              Yes                                  Not applicable
    Type ahead                 Yes                                  No
    Select Addresses dialog    Yes                                  No
    F9 name completion         Yes                                  Yes
    NAMELookup                 Yes                                  Yes
  • 18. Web Client Database Access (non-DWA)
                               Name in secondary Domino directory   Name in LDAP secondary (e.g., AD)
    Authentication             Yes                                  Yes
    Authorization              Yes                                  Yes
    Type ahead                 No                                   No
    Select Addresses dialog    Yes                                  No
    F9 name completion         Not applicable                       Not applicable
    NAMELookup                 Yes                                  Yes
  • 19. DA Backgrounder: Directory Interfaces
    (Diagram, recovered in outline.) Three interfaces reach directory data through the Domino server (klin0):
     NSF/NIF API, e.g., NSFDbOpen, NIFFindByName (NSF applications; NRPC, NSF/NIF/FT)
     NAME API, e.g., NAMELookup (NAMELookup applications)
     LDAP server (LDAP applications)
    Directory data flows from the primary names.nsf, a secondary Domino directory names2.nsf, and Active Directory (bk2000) via the LDAP gateway. A chased LDAP referral XOR Referral Directory Services: not used in our examples.
  • 20. DA Setup: Modify Server Document
    1. Enter the name of the DA database that we will create next
  • 21. DA Setup: Create DA.nsf Database
    1. Use the Directory Assistance template da50.ntf (show advanced templates)
    2. The file name da.nsf matches the Server document setting
  • 22. DA Setup: Basics Tab
    1. Change Domain type from Notes (default) to LDAP
    2. Domain name: any unique admin-friendly name
    3. Select the types of directory applications
    4. Change Group Authorization from No (default) to Yes to allow Active Directory groups in database ACLs
    5. Leave nested group expansion at Yes to recognize nested groups
    6. Leave Enabled set to Yes
  • 23. Backgrounder: Database Authorization
     DA permits only one secondary directory where Group Authorization is set to Yes
     If you have both a secondary Active Directory and other Domino secondaries, make the primary an Extended Directory Catalog
     Use fully qualified Notes names (slashes) in database ACLs, not abbreviated names and not LDAP names (commas):
       cn=MDN Admin/cn=Users/dc=bk/dc=notesdev/dc=ibm/dc=com
       cn=Administrators/cn=Builtin/dc=bk/dc=notesdev/dc=ibm/dc=com
     Review the setting under File / Database / Access Control / Advanced / Maximum Internet name and password
  • 24. Backgrounder: Notes & AD Directory Organization
    (Diagram, recovered in outline; legend: person, group, container.)
    Active Directory tree (note the possible use of DCs at the root):
     dc=bk,dc=notesdev,dc=ibm,dc=com
       cn=Builtin: cn=Administrators (group)
       cn=Computers
       cn=Users: cn=Beth Keach, cn=MDN Admin (persons); cn=Enterprise Admins (group)
    Notes/Domino tree (Domino LDAP server, labelled Dev in the diagram):
     o=IBM
       ou=Westford: cn=Josh Burchard, cn=Ken Lin (persons)
       LocalDomainAdmins (group)
  • 25. DA Setup: Naming Contexts Tab
    1. Leave Naming Context 1 (the name rule) with all asterisks
    2. Change Trusted for Credentials to Yes
  • 26. DA Setup: LDAP Tab
    1. Hostname(s) of the LDAP server
    2. Optional authentication credential: the LDAP bind DN for searches and its password
    3. LDAP base DN for search
    4. Change Type of search filter to use to Active Directory
    (SSL is not covered here; each field is discussed on the following slides.)
  • 27. DA Setup: Hostname
     DNS name or IP address (v6 also) of one or more replicated Active Directory servers
     Obtain by asking your AD administrator
     Alternate discovery methods:
       Query the DNS SRV record _ldap._tcp.domainname using nslookup.exe (nslookup -type=SRV _ldap._tcp.domainname), registered by Windows 2003-based domain controllers
       Run an auto-discovery tool on your subnet
  • 28. DA Setup: Optional Authentication Credential
     Use the LDAP "bind" distinguished name of a single AD user who can search the desired AD entries (search rights are all it needs)
     Use LDAP naming (attribute=value pairs separated by commas)
     Optionally protect the clear-text password stored in the DA document using the normal "Encrypting documents using secret keys" procedure
  • 29. DA Setup: Base DN for Search
     LDAP searches require a filter, a base, and a scope
     Locate the top of the desired tree (e.g., the root DSE's defaultNamingContext); in the lab that is dc=bk,dc=notesdev,dc=ibm,dc=com, which is probably what you want, rather than one container such as cn=Users
    (Diagram: dc=bk,dc=notesdev,dc=ibm,dc=com containing cn=Builtin (cn=Administrators), cn=Computers and cn=Users (cn=Beth Keach, cn=MDN Admin, cn=Enterprise Admins).)
  • 30. DA Setup: Authentication
    (Diagram, recovered as a sequence.) Beth authenticates while opening http://klin0/mail/klin.nsf using her Windows username; the Domino LDAP gateway talks to AD:
    1. Name resolution: Base dc=bk,dc=notesdev,dc=ibm,dc=com; Filter (|(cn=bkeach) . . .); the search returns DN cn=Beth Keach,cn=Users, . . .
    2. Authentication: LDAP bind with bindDN cn=Beth Keach,cn=Users, . . . and Beth's password; success
    Note: 6.5.6 and 7.0.1 match more name variations (e.g., sAMAccountName); more name variations means lower security, since more attributes that can match a typed name means more entries a single name can resolve to
  • 31. Backgrounder: NamesList
    NamesList (effective access) is composed of:
     Names and aliases
     Groups
    Example: cn=Beth Keach,cn=Users, . . . is a member (directly or through nesting) of cn=Enterprise Admins,cn=Users, . . ., cn=Administrators,cn=Builtin, . . . and cn=Domain Administrators,cn=Builtin, . . .; granting any of these AD admin groups access to http://klin0/mail/ grants Beth access
  • 32. DA Setup: 6.5.4 Authorization Filter
    (Diagram, recovered as the sequence of LDAP gateway searches against AD.)
    1. Base: dc=bk,dc=notesdev,dc=ibm,dc=com; Filter: (&(objectclass=group)(member=cn=Beth Keach,cn=Users, . . .)); returns DN cn=Domain Administrators,cn=Builtin, . . . and DN cn=Enterprise Admins,cn=Users, . . .
    2. Base: dc=bk,dc=notesdev,dc=ibm,dc=com; Filter: (&(objectclass=group)(member=cn=Domain Administrators,cn=Builtin, . . .)); returns nothing (no such object)
    3. Base: dc=bk,dc=notesdev,dc=ibm,dc=com; Filter: (&(objectclass=group)(member=cn=Enterprise Admins,cn=Users, . . .)); returns DN cn=Administrators,cn=Builtin, . . .
    Every DN discovered costs another subtree search over the whole base
  • 33. DA Setup: 6.5.5 Authorization Filter
    (Diagram, recovered as the sequence.) Base-scope reads of the memberOf attribute replace the subtree searches:
    1. Base: cn=Beth Keach,cn=Users, . . .; Filter: (objectClass=*); Scope: Base; Attr: memberOf; returns memberOf: cn=Domain Administrators,cn=Builtin, . . . and memberOf: cn=Enterprise Admins,cn=Users, . . .
    2. Base: cn=Domain Administrators,cn=Builtin, . . .; same filter, scope and attribute; returns the DN with no memberOf
    3. Base: cn=Enterprise Admins,cn=Users, . . .; same; returns memberOf: cn=Administrators,cn=Builtin, . . .
    4. Base: cn=Administrators,cn=Builtin, . . .; same
    Big performance improvement
  • 34. Test DA: LDAP Connection
     Test the DA LDAP configuration settings using the ldapsearch tool:
    [C:\Notes] ldapsearch.exe -h bk2000.notesdev.ibm.com -p 389 -D "cn=mdn admin,cn=users,dc=bk,dc=notesdev,dc=ibm,dc=com" -w "rosebud" -b "dc=bk,dc=notesdev,dc=ibm,dc=com" -s subtree "(cn=Administrators)"
    (Callouts: -h hostname, -p port, -D LDAP bind DN, -w password, -b LDAP base DN for search, -s scope; the filter finds an entry. Note that -w puts the bind password on the command line, where command history and process listings can expose it.)
  • 35. Test DA: Verify Startup
    Success:
    > SHOW XDIR
      DomainName  DirectoryType   ClientProtocol  Replica/LDAP Server
      ----------  --------------  --------------  -------------------
    1 KLIN0       Primary-Notes   Notes & LDAP    names.nsf
    2 BK2000      Secondary-LDAP  Notes & LDAP    [bk2000.notesdev.ibm.com]:389
    Port or bind DN / password failure (the secondary is missing from the list):
    01/05/2006 07:12:54 PM  Error attempting to access the Directory *[bk2000.notesdev.ibm.com]:389 (no available alternatives), error is LDAP Server is NOT available.
    > SHOW XDIR
      DomainName  DirectoryType   ClientProtocol  Replica/LDAP Server
      ----------  --------------  --------------  -------------------
    1 KLIN0       Primary-Notes   Notes & LDAP    names.nsf
  • 36. Monitor DA: WebAuth_Verbose_Trace=1
    Successful name resolution:
    WebAuth> LOOKUP in view $Users (user='bkeach' org='')
    NAMELookup::<LDAP GW> Searching for name='bkeach' in LDAP server='[bk2000.notesdev.ibm.com]'
    NAMELookup::<LDAP GW> Base: dc=bk,dc=notesdev,dc=ibm,dc=com
    NAMELookup::<LDAP GW> Scope: 2
    NAMELookup::<LDAP GW> Filter: (|(cn=bkeach)(sAMAccountName=bkeach)(uid=bkeach)(mail=bkeach))
    . . .
    NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
    Successful authentication:
    NAMELookup::<NAMEVerifyLDAPPassword>> BIND LDAP host='[bk2000.notesdev.ibm.com]:389' w/ user='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
    WebAuth> VERIFY password
  • 37. Monitor DA: WebAuth_Verbose_Trace=1 (cont.)
    Successful 6.5.5 NamesList generation:
    NAMELookup::<LDAP GW> Searching for name='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com' in LDAP server='[bk2000.notesdev.ibm.com]'
    NAMELookup::<LDAP GW> Base: CN=Beth Keach,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com
    NAMELookup::<LDAP GW> Scope: 0
    NAMELookup::<LDAP GW> Filter: (objectClass=*)
    NAMELookup::<LDAP GW> Attrs: memberOf
    . . .
    NAMELookup::<LDAP GW> SEARCH returned '2' match(es).
    NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Enterprise Admins/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
    NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Domain Administrators/CN=Builtin/DC=bk/DC=notesdev/DC=ibm/DC=com'
    Etc.
  • 38. DA: Points to Take Away
     Allows AD users to access Domino databases with web clients
     Setup:
       Specify AD users or groups in Domino database ACLs as Notes names
       Group Authorization: Yes
       Trusted for Credentials: Yes
       Optional Authentication Credential: must supply an LDAP name
       Base DN for Search: must supply an LDAP name
       Type of Search Filter to use: Active Directory
     Testing and monitoring:
       ldapsearch command-line tool
       SHOW XDIR server console command
       WebAuth_Verbose_Trace=1 notes.ini setting
  • 39. IBM Tivoli Directory Integrator
     General-purpose data synchronization toolkit / engine
     Change propagation
       Built-in connectors perform I/O with popular data sources (e.g., LDAP, NSF)
       Built-in event handlers wait for and react to specific events (e.g., AD change, LDAP changelog detection)
       Administrators code assembly lines using connectors and/or event handlers to transform and propagate information
     Password change propagation
       Separately installable plug-ins capture AD password and Domino HTTP password changes and update other directories with the new password
     ITDI compared with ADSync
       ITDI: change-triggered or batch execution; ADSync: manual only
       ITDI is flexible (you provide the programming); ADSync is limited
       ITDI assembly lines are coded using JavaScript or Java
  • 40. Summary
     Use ADSync when
       You want to allow Active Directory users to access Domino databases using the Notes or Web clients
       You want Active Directory administrators to handle most people and group administration for your Domino domain
       You don't mind not having the most up-to-date directory entries
     Use Directory Assistance when
       You want to allow Active Directory users to access Domino databases using Web clients
       You do not want to continually maintain and sync directory content
     Consider IBM Tivoli Directory Integrator when
       Your synchronization requirements are more advanced
  • 41. References
     IBM Redbooks | Using LDAP for Directory Integration
     ADSync
       IBM Redbooks | Active Directory Synchronization with Lotus ADSync, http://www.redbooks.ibm.com
       Administering the Domino System: Using Domino with Windows Synchronization Tools
     Directory Assistance
       Administering the Domino System: Setting Up Directory Assistance
       Single sign-on in a Multi-directory World, http://www-128.ibm.com/developerworks/lotus/library/sso1/
     Google "Domino Directory FAQ"
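The web-login path that slides 23 and 30 through 37 describe (resolve the typed name to one AD entry, bind as it, expand nested groups into a NamesList, and match the resulting names against ACL entries written in Notes form), worked through in Python as an added example. This is not code from the presentation, from Domino or from IBM. DIRECTORY is a constructed snapshot modelled on the lab tree on slides 24 and 29 (dc=bk,dc=notesdev,dc=ibm,dc=com) with the group nesting from slide 33; the passwords, the second "Josh Burchard" contractor account, and the membership lists are assumptions, and the in-memory compare stands in for the LDAP bind. It adds two checks a practitioner wants that the slides only hint at: RFC 4515 escaping of the typed name before it goes into the OR filter on slide 36, and refusing a name that resolves to more than one entry (the "more name variations, lower security" point on slide 30).

```python
"""Model of what the Directory Assistance LDAP gateway does for one web login.
Added example, not presentation or Domino code. DIRECTORY is a CONSTRUCTED snapshot
of the slide 24/29 lab tree; passwords, contractor account and nesting are assumed."""
import re

BASE = "dc=bk,dc=notesdev,dc=ibm,dc=com"
USERS, BUILTIN = f"cn=Users,{BASE}", f"cn=Builtin,{BASE}"
BETH = f"cn=Beth Keach,{USERS}"
DEFAULT_ATTRS = ("cn", "sAMAccountName", "uid", "mail")  # filter on slide 36

# DN -> attributes. Beth is a direct member of two groups; Enterprise Admins is
# nested in Administrators (slide 33). Two entries share the cn "Josh Burchard".
DIRECTORY = {
    BETH: {"objectClass": ["user"], "cn": ["Beth Keach"], "sAMAccountName": ["bkeach"],
           "mail": ["bkeach@bk.notesdev.ibm.com"], "password": "rosebud",
           "memberOf": [f"cn=Domain Administrators,{BUILTIN}", f"cn=Enterprise Admins,{USERS}"]},
    f"cn=Josh Burchard,{USERS}": {"objectClass": ["user"], "cn": ["Josh Burchard"],
           "sAMAccountName": ["jburchard"], "password": "lotus", "memberOf": []},
    f"cn=Josh Burchard,ou=Contractors,{BASE}": {"objectClass": ["user"], "cn": ["Josh Burchard"],
           "sAMAccountName": ["jburchard2"], "password": "temp", "memberOf": []},
    f"cn=Domain Administrators,{BUILTIN}": {"objectClass": ["group"], "member": [BETH], "memberOf": []},
    f"cn=Enterprise Admins,{USERS}": {"objectClass": ["group"], "member": [BETH],
           "memberOf": [f"cn=Administrators,{BUILTIN}"]},
    f"cn=Administrators,{BUILTIN}": {"objectClass": ["group"],
           "member": [f"cn=Enterprise Admins,{USERS}"], "memberOf": []},
}

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed login name cannot rewrite the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))

def name_filter(login, attrs=DEFAULT_ATTRS):
    """The OR filter the gateway sends for name resolution (slide 36)."""
    value = escape_filter_value(login)
    return "(|" + "".join(f"({attr}={value})" for attr in attrs) + ")"

def _has(entry, attr, value):
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def search_subtree(base, predicate):
    """Subtree search (scope 2): DNs at or below base that satisfy predicate."""
    base = base.lower()
    return [dn for dn, e in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and predicate(dn, e)]

def resolve_name(login, attrs=DEFAULT_ATTRS):
    """Name resolution: every entry where one of attrs equals the typed name
    (more attrs, as in 6.5.6/7.0.1, means more entries a single name can hit)."""
    return search_subtree(BASE, lambda _dn, e: any(_has(e, a, login) for a in attrs))

def authenticate(login, password, attrs=DEFAULT_ATTRS):
    """Slide 30: resolve, then bind as the resolved DN (a compare stands in for
    the bind). An ambiguous name is refused rather than taking the first hit."""
    matches = resolve_name(login, attrs)
    if len(matches) != 1:
        return None
    return matches[0] if DIRECTORY[matches[0]].get("password") == password else None

def groups_via_member(dn):
    """6.5.4 (slide 32): a subtree search (&(objectclass=group)(member=<dn>)) per
    DN discovered. Returns (nested groups, operations issued)."""
    groups, todo, ops = [], [dn], []
    while todo:
        current = todo.pop(0)
        ops.append(f"subtree search (&(objectclass=group)(member={current}))")
        for g in search_subtree(BASE, lambda _dn, e: _has(e, "objectClass", "group")
                                and _has(e, "member", current)):
            if g not in groups:
                groups.append(g)
                todo.append(g)
    return groups, ops

def groups_via_memberof(dn):
    """6.5.5 (slide 33): a base-scope read of memberOf per DN discovered; the
    'already seen' check also stops nested-group loops. Returns (groups, ops)."""
    groups, todo, ops = [], [dn], []
    while todo:
        current = todo.pop(0)
        ops.append(f"base read memberOf of {current}")
        for g in DIRECTORY[current].get("memberOf", []):
            if g not in groups:
                groups.append(g)
                todo.append(g)
    return groups, ops

_RDN_SEP = re.compile(r"(?<!\\),")  # a comma that is not escaped inside a value

def to_notes_name(dn):
    """LDAP DN -> the slash form Domino shows in ACLs and traces (slides 23, 36)."""
    parts = [rdn.strip().partition("=") for rdn in _RDN_SEP.split(dn)]
    return "/".join(f"{t.upper()}={v.replace(chr(92) + ',', ',')}" for t, _, v in parts)

def names_list(login, password):
    """Slide 31: Notes-form user name plus every nested group, or None on failure."""
    dn = authenticate(login, password)
    if dn is None:
        return None
    return [to_notes_name(dn)] + [to_notes_name(g) for g in groups_via_memberof(dn)[0]]

def acl_allows(names, acl_entries):
    """ACL entries match as Notes names, case-insensitively (slide 23)."""
    return any(e.lower() in {n.lower() for n in names} for e in acl_entries)
```

Calling `names_list("bkeach", "rosebud")` yields Beth's Notes-form name followed by the three admin groups, and `acl_allows` on that list succeeds only for entries written with slashes, which is the slide 23 rule in executable form. `groups_via_member` and `groups_via_memberof` return the same groups for the same number of round trips; the difference the slides call a big performance improvement is that each 6.5.4 operation is a subtree search over the whole base while each 6.5.5 operation is a base-scope read of one entry. `resolve_name("Josh Burchard")` returns two DNs, so `authenticate` refuses the login instead of guessing.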