Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory


1. 1900 – Configuring Domino to Be an LDAP Directory and to Use an LDAP Directory
   Rob Fox, Paul Godby, & Moacyr Mallemont
2. Copyright IBM Corporation 2006. All Rights Reserved.
   - This presentation is intended to assist IBM SWG Sales and their business partners in understanding IBM Software marketing tactics, sales tactics, and our direction during 2006.
   - This presentation can be used in sales situations except for individual charts labeled VENDOR CONFIDENTIAL or IBM CONFIDENTIAL, in which case they should be considered confidential under the practices in place in your firm and under any existing agreements with IBM regarding disclosure of confidential information.
   - For questions or to request permission for any other use of the information or distribution of the presentation, please contact any member of the IBM software sales team.
3. 1900 – Part I – Configuring Domino for LDAP
   By Rob Fox & Paul Godby, January 20th, 2006 – 10:15 am
4. The Agenda
   - What is LDAP?
   - The Anatomy of LDAP
   - Identifying the LDAP server and its attributes
   - Deciphering the LDAP schema
   - Information and Configuration of LDAP for Domino servers
   - Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal
   - Troubleshooting and Diagnostics
   - Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
5. Objective
   - The objective of this presentation is to provide you with the following:
     - Basic understanding of LDAP
     - Understanding of proper usage of LDAP
     - How LDAP relates to Lotus Domino
7. What is LDAP?
   - LDAP stands for Lightweight Directory Access Protocol
   - Comes from the need for a smaller, less complex version of X.500, another Directory Access Protocol (DAP) for directory assistance
   - LDAP is much simpler to implement and develop for, and runs on top of TCP/IP, unlike X.500
   - The de facto standard for client name lookups to a server, used by millions of corporations and billions of users*
   - *Statistic is made up. Did you know 56% of statistics are made up?
8. Who made LDAP? (hint – me)
   - A bright young IBM engineer named Rob Fox. Okay, I lied.
   - Open standard defined by the Internet Engineering Task Force (IETF)
   - The original implementation of LDAP as a server was at the University of Michigan
   - Architecture designed to the LDAP v3 specification
   - Replication and access control are not yet standardized in the LDAP v3 specification
     - LDUP – Lightweight Directory Update Protocol draft
     - Access Control – working standard (no acronym)
9. What do we use LDAP for?
   - Corporations need an “address book” of all names and groups within the company.
   - All of these names and groups can be stored on a dedicated server called a “Directory Server”
   - LDAP is the standard protocol for name & group lookup on a directory server
   - A centralized LDAP Directory Server means all applications have access to one consistent name & address book.
11. Anatomy of LDAP
   (Diagram: a user goes through an LDAP connector to “My LDAP Directory Server”, a database full of names and addresses; the sample entries shown are Joe Mama, Angie Daddy, Terd Ferguson, Art Major, Rob Fox, Travis Womack, …)
12. Anatomy of LDAP
   - LDAP consists of attributes, objects and values arranged in a hierarchy.
   - Getting access to these objects is generally done by binding to the server and using search filters to find specific information.
   - The LDAP structure can be created or modified by hand, or imported via a file called an ‘LDIF file’.
13. Anatomy of LDAP
   - Objects are generally the people or groups stored in the LDAP directory.
   - These are arranged in a hierarchical tree
   - Example: cn=us -> o=IBM -> ou=Lexington -> cn=Users -> uid=rfox would tell us that user rfox is in the Lexington group, which is part of the IBM organization in the US.
14. Anatomy of LDAP
15. Anatomy of LDAP
   - An attribute is a specific item defined in an entry, and a value is what it is.
   - Example:
     - givenname=Rob
     - sn=Fox
     - mail=rob_fox@us.ibm.com
     - phonenumber=888-555-1212
16. Anatomy of LDAP
17. Anatomy of LDAP
   - An LDIF is a file that has these objects and attributes already defined in a text format that can be imported into a directory server
   - Importing an LDIF is the easiest (and recommended) way to set up your own LDAP server
   - For Domino, use the LDIF Domino Upgrade Service in the Administration client to import users
     - The final location of the LDIF users in the LDAP tree is determined by the cert ID used while importing
     - The service will not process LDIF group entries
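As an added example (not code from the deck), the following Python reads a small constructed LDIF file, handling folded lines and base64 values, and sorts its entries into person and group entries, which is the distinction the Domino LDIF Upgrade Service draws when it imports users and skips groups. The sample entries, mail domain and group object classes are assumptions.

```python
"""Minimal LDIF reader (added example; not code from the deck).

Handles blank-line separated entries, 'attr: value' lines, continuation
lines starting with a space, and 'attr:: base64' values, then sorts entries
into persons and groups by objectClass: the Domino LDIF Upgrade Service
imports the person entries and skips the group entries.
"""
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample; names echo the deck, the mail domain is made up.
SAMPLE_LDIF = """\
dn: uid=rfox,cn=users,ou=lexington,o=ibm
objectClass: inetOrgPerson
uid: rfox
givenName: Rob
sn: Fox
mail: rob_fox@example.com
description:: TGV4aW5ndG9uIGxhYg==

dn: uid=pgodby,cn=users,ou=lexington,o=ibm
objectClass: inetOrgPerson
uid: pgodby
sn: Godby
description: a long value that was folded
  across two lines by the exporter

dn: cn=wpsadmins,cn=groups,ou=lexington,o=ibm
objectClass: groupOfUniqueNames
cn: wpsadmins
uniqueMember: uid=rfox,cn=users,ou=lexington,o=ibm
uniqueMember: uid=pgodby,cn=users,ou=lexington,o=ibm
"""

# Group object classes the deck names; anything else is treated as a person.
GROUP_CLASSES = {"groupofuniquenames", "groupofnames"}


def _unfold(text: str) -> List[str]:
    """Join continuation lines (leading space) onto the line before them."""
    lines: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Return one dict per entry; attribute names become lower-case keys."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text) + [""]:  # the extra "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def split_persons_and_groups(entries: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Entries the upgrade service would import vs. the group entries it skips."""
    persons: List[Entry] = []
    groups: List[Entry] = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        (groups if classes & GROUP_CLASSES else persons).append(entry)
    return persons, groups


if __name__ == "__main__":
    persons, groups = split_persons_and_groups(parse_ldif(SAMPLE_LDIF))
    print("would import:", [e["dn"][0] for e in persons])
    print("skipped groups:", [e["dn"][0] for e in groups])
```

The group entries reported as skipped are the ones that have to be created in Domino by another means after the import.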
18. Anatomy of LDAP
20. Talking to an Existing LDAP
   - There are only 3 things you need to consume data from an existing LDAP server:
     - Fully qualified DNS name or IP address (and port, if it’s not the default of 389)
     - Base DN for searching
     - Credentials
   - Typically customers want to deploy applications and web servers using the existing LDAP in their infrastructure – so let’s see how to do that…
21. Get proper LDAP connection information
   - Get the fully qualified DNS name and port: the name and location of the server, and the port the LDAP service is listening on
   - Get the base DN: the first place in the LDAP hierarchy tree to begin looking for names
   - Get a sample user name to bind with if necessary: determine if anonymous binding is allowed, and if the attributes needed are returned when bound anonymously. If a user is needed, determine the format of the name and password to connect to the LDAP server
   - Note: Active Directory typically will not list any users or groups if bound to anonymously
23. The Pieces of an LDAP DN…
   - Here is a standard user full distinguished name:
   - uid=wpsadmin,ou=users,dc=lexington,o=ibm
24. The Pieces of an LDAP DN…
   uid=wpsadmin,cn=users,ou=lexington,o=ibm
   The slide labels the pieces of this DN: “user prefix” over uid=wpsadmin, “user suffix” under cn=users, “org unit” over ou=lexington, and “base DN” under the trailing o=ibm.
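To make the DN anatomy above concrete, here is an added Python example (not from the deck) that parses a DN into its RDNs, honouring backslash escapes, and then names the user prefix, user suffix and base DN the way the slide does; the base DN passed in is an assumption, as is the escaped sample name. It also checks whether an entry sits under a given base DN RDN by RDN, which a plain string suffix comparison gets wrong.

```python
r"""Parse an LDAP DN into its pieces (added example; not code from the deck).

Handles backslash escapes per RFC 4514 so that a comma inside a value,
e.g. cn=Simpson\, Homer or cn=Simpson\2c Homer, is not mistaken for an
RDN separator. Multi-valued RDNs joined with '+' are not handled.
"""
from typing import Dict, List, Tuple

Rdn = Tuple[str, str]  # (attribute type, attribute value)
_HEX = "0123456789abcdefABCDEF"


def parse_dn(dn: str) -> List[Rdn]:
    """Split a DN string into (type, value) pairs, leftmost RDN first."""
    rdns: List[Rdn] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in _HEX for c in nxt):
                buf.append(chr(int(nxt, 16)))  # \2c style single-byte hex escape
                i += 3
            else:
                buf.append(dn[i + 1])  # \, style escape: keep the char literally
                i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(_split_rdn("".join(buf)))
    return rdns


def _split_rdn(rdn: str) -> Rdn:
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().lower(), value.strip()


def is_under(dn: str, base_dn: str) -> bool:
    """True when dn is base_dn itself or an entry below it.

    Compared RDN by RDN, case-insensitively (as the usual case-ignore
    matching rules do), so 'cn=x,o=bigibm' is not treated as being under
    'o=ibm' the way a plain str.endswith() check would.
    """
    d = [(t, v.lower()) for t, v in parse_dn(dn)]
    b = [(t, v.lower()) for t, v in parse_dn(base_dn)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def describe_user_dn(dn: str, base_dn: str) -> Dict[str, str]:
    """Name the pieces of a user DN the way the slide does.

    user_prefix: attribute of the leftmost RDN (the login attribute)
    login:       that RDN's value
    user_suffix: the RDNs between the login RDN and the base DN
    base_dn:     the part the application is configured to search from
    """
    rdns = parse_dn(dn)
    depth = len(parse_dn(base_dn))
    if not is_under(dn, base_dn) or len(rdns) <= depth:
        raise ValueError(f"{dn} is not an entry below {base_dn}")
    prefix, login = rdns[0]
    middle = rdns[1:len(rdns) - depth]
    return {
        "user_prefix": prefix,
        "login": login,
        "user_suffix": ",".join(f"{t}={v}" for t, v in middle),
        "base_dn": base_dn,
    }


if __name__ == "__main__":
    # DN from the slide; treating ou=lexington,o=ibm as the base DN is an assumption.
    print(describe_user_dn("uid=wpsadmin,cn=users,ou=lexington,o=ibm", "ou=lexington,o=ibm"))
```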
25. Acquire the proper tools…
   - LDAPSearch utility
     - Command-line utility shipped with Domino and Notes
   - Softerra LDAP Browser or…
   - Softerra LDAP Administrator or…
   - Java-based LDAP Browser (can import LDIF files)
     - Found on Google
26. Using ldapsearch
   - Can be used to search entries in any LDAP directory
   - Connects to a directory server and returns the results you specify
   - Located in the Domino or Notes program directory
27. Using ldapsearch
   - Syntax for ldapsearch:
   - ldapsearch parameters searchfilter attributes
     - -b  base DN for your search
     - -D  username to bind with
     - -w  password to bind with
     - -h  LDAP server name
     - -p  port to query on the LDAP server
28. Using ldapsearch
   - Sample usage of ldapsearch:
     - Use an authenticated bind to search under the base DN cn=users,ou=lexington,o=databeam for a user with the common name of Homer Simpson:
     - ldapsearch -h ldapserver.databeam.com -p 389 -D "cn=wpsbind,cn=users,ou=lexington,o=databeam" -w password -b "cn=users,ou=lexington,o=databeam" "cn=Homer Simpson"
29. Configuring Softerra…
   - Add a profile name
   - Add the FQDN of the LDAP server
   - Add the base DN desired (or fetch them)
   - Add a binding name to verify the correct format of a user
   - Note: If you can bind with a long LDAP name, then the application (Sametime, Workplace, etc.) can find the user when configuration is complete – bind with users to verify they exist and are in the correct format!
30. Configuring Softerra…
31. Configuring Softerra…
32. Gather information about the LDAP user…
   - Determine if you want to log in with ‘cn’ or ‘uid’ or another attribute.
   - Make sure an objectclass such as ‘inetOrgPerson’ exists.
   - Determine the email attribute – typically ‘mail’.
   - Look for a unique identifier – IDS 5.1 user: ‘ibm-appuuid’; Domino 6.5.4+ user: ‘dominoUNID’
   - Most importantly – right-click on the name to get the long LDAP name, for example:
   - uid=wpsadmin,cn=users,dc=ibm,dc=com
33. Gather information about the LDAP user…
34. Gather information about the LDAP group…
   - Determine what attribute designates the name of the group – typically ‘cn’
   - Determine the objectclass of the group – typically ‘groupOfUniqueNames’ or ‘groupOfNames’
   - Determine the member attribute name – typically ‘uniquemember’ or ‘member’
   - Make sure a unique identifier exists, like ‘ibm-appuuid’
   - Again, importantly: right-click on the name to get the long LDAP name (full DN):
   - cn=wpsadmins,cn=group,dc=ibm,dc=com
35. Gather information about the LDAP user…
37. Configure Domino to use a remote LDAP directory
   - Directory Assistance allows you to look up information in a directory other than the local primary Domino directory
     - Domino Directory, Extended Directory Catalog, LDAP
   - Create a Directory Assistance document in the Directory Assistance database (often named da.nsf)
   - The Active Directory Domino Upgrade Service (AD DUS) can be used in conjunction with Active Directory Synchronization (AdSync) to maintain the same set of users in AD and Domino
38. Directory Assistance example
39. Domino 7 LDAP service improvements
   - Improved performance
     - LDAP server thread pooling
     - DA LDAP miss caching
   - DDM LDAP server health monitoring
   - Addition of aliases
   - Support of universal Notes IDs (UNID)
     - New “dominoUNID” operational attribute
   - Enhanced LDAP search
     - Now works with IBM Workplace products that use the WebSphere Member Manager (WMM) service to access user/group objects.
40. Starting the Domino LDAP service
   - The LDAP task runs automatically on the admin server for the primary Domino directory
   - To start automatically:
     - Edit the “ServerTasks” setting in Notes.ini to include LDAP
   - To start manually:
     - Enter “Load LDAP” on the Domino console
41. Enable/Disable write access to the directory
   - By default, the LDAP service does not allow write access
   - To enable write access:
     - Open the directory using the Domino Admin Client
     - Select the Servers -> Configuration view
     - Open the Configuration Settings document for the domain
       - Create this document if it does not exist
     - On the LDAP tab, set “Allow LDAP users write access” to Yes
     - Restart each server in the domain running the LDAP service
43. Using Domino as your LDAP server for Lotus Workplace…
   - Add a ‘wpsadmin/domain’ user and ‘wpsadmins/domain’ group with Manager access to the Domino directory – make sure the username and groupname fields include the ‘/domain’ or they will NOT show up in Domino.
   - Configure the wpconfig.properties file as before, except do NOT fill out the LDAPSuffix (base DN) – rather, use the user and group suffix fields. If there is an ou, put that in front, like ‘ou=lexington,o=databeam’.
44. Using Domino as your LDAP server for Lotus Workplace…
   - Domino servers below 6.5.4 MUST do the following:
     - Create a field called ‘dominoUNID’ in the Person, Group and Certifier forms with the computed text value of:
   - @Text(@DocumentUniqueID)
     - Create an agent to open/close/save all documents in the Domino Directory so the new field is computed and populated – verify the field shows up in LDAP by reloading the schema.
45. Using Domino as your LDAP server for Lotus Workplace…
   - Edit <WP_root>\shared\app\wmm\wmm.xml and <WP_root>\wmm\wmmLDAPServerAttributes.xml to use Domino attributes (including the one you just created) so WebSphere Member Manager will recognize users.
   - Change the WAS Admin user search filter and user ID map:
   - User search filter: (&(|(cn=%v)(mail=%v)(uid=%v))(objectclass=inetOrgPerson))
   - User ID map: *:uid
   - Restart all services and servers. It should work! (heh, yeah right)
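Added Python example, not from the deck, showing how the user search filter above should be filled in: WebSphere replaces each %v with the name the user typed, so that value has to be escaped per RFC 4515 before substitution, otherwise a name containing *, ( or ) changes the filter’s structure instead of matching a literal string. The helper names and the sample typed names are assumptions.

```python
r"""Safe %v substitution for the WebSphere user search filter (added example;
not code from the deck).

WebSphere drops the name the user typed into every %v of the search filter.
RFC 4515 reserves backslash, *, (, ) and NUL inside filter values, so the
value must be escaped as \XX hex sequences first; otherwise a typed name can
change the structure of the filter instead of matching a literal string.
"""
import re
from typing import List

# Filter from the slide: match by cn, mail or uid, restricted to inetOrgPerson.
USER_SEARCH_FILTER = "(&(|(cn=%v)(mail=%v)(uid=%v))(objectclass=inetOrgPerson))"

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_LEAF = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")  # one (attr=value) leaf


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside (attr=value)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(typed_name: str, template: str = USER_SEARCH_FILTER) -> str:
    """Hardened substitution: the typed name stays a literal equality value."""
    return template.replace("%v", escape_filter_value(typed_name))


def build_user_filter_unescaped(typed_name: str, template: str = USER_SEARCH_FILTER) -> str:
    """Weak substitution without escaping; kept only to show the difference."""
    return template.replace("%v", typed_name)


def wildcard_leaves(ldap_filter: str) -> List[str]:
    r"""Attributes whose leaf value contains an unescaped '*', i.e. leaves
    that match many entries instead of one literal name. Escaped values
    contain \2a rather than *, so they never show up here."""
    return [attr for attr, value in _LEAF.findall(ldap_filter) if "*" in value]


if __name__ == "__main__":
    for name in ("wpsadmin", "Simpson (Homer)", "*"):
        hardened = build_user_filter(name)
        print(name, "->", hardened, "| wildcard leaves:", wildcard_leaves(hardened))
```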
47. Troubleshooting…
   - Q.) It doesn’t work.
   - A.) Sorry, works for me.
   - Q.) No, seriously… I followed all the steps for setting up Directory Assistance to an external LDAP directory, but user authentication still fails.
   - A.) Domino will check the local directory for a username BEFORE using Directory Assistance to check the external directory. Make sure the name you are trying to authenticate with does not exist in the local Domino Directory.
48. Troubleshooting…
   - Q.) Help! When using Domino as my LDAP server the searches are very slow!
   - A.) Create a full-text index for the directory. If it’s still slow, limit the number of entries returned or create a timeout.
   - Q.) My searches against my Domino LDAP server do not return a CN value. My “co-workers” configured that part… not me. What did they do wrong?
   - A.) They likely added users to the directory without using Notes registration. You will have to add the common name as a second value in the FullName field of the Person documents.
50. Bonus Level - Applying Our LDAP Experience in the Real World
   - In the “real world” companies take their many applications and point them to their LDAP server
   - Having a centralized LDAP reduces the management of multiple directories for things such as new passwords, name changes, department updates, etc.
   - Many IBM products can hook into an existing LDAP directory for authentication, user information, etc.
51. Bonus Level - Applying Our LDAP Experience in the Real World
   - IBM Lotus Web Conferencing and Instant Messaging (Sametime)
   - IBM Lotus Team Spaces (QuickPlace)
   - IBM WebSphere Portal
   - IBM Lotus Workplace
   - These products use LDAP for user authentication, authorization and mapping of names to specific application needs
52. Bonus Level - Applying Our LDAP Experience in the Real World
   - To get some hands-on experience, we are going to configure IBM WebSphere Portal to use an existing LDAP server.
   - This procedure is exactly the same for configuring IBM Lotus Workplace.
   - These same principles apply to other applications such as Sametime and QuickPlace.
53. Bonus Level - Configure wpconfig.properties file…
   - Located in C:\WebSphere\PortalServer\config
   - The LDAP section is at the bottom – we simply map the attributes and data we discovered with Softerra to the fields in the file
   - Once wpconfig.properties is verified (twice) to be correct, in that same directory we run this script:
   - WPSconfig enable-ldap-security > enablesecurity.log
   - ‘server1’ is the only server that should be running – stop ‘WebSphere_Portal’ and ‘LotusWorkplace_Server’ before running the script – run this to see what is up:
   - serverStatus -all -username wpsadmin -password password
   - Activity is logged to this file (tail -f to see it) – do a search to make sure no ‘FAILED’ messages appeared
54. Bonus Level - Configure wpconfig.properties file…
55. Bonus Level - Configure wpconfig.properties file…
   - The ‘cn=root’ user is the administrator of the LDAP server with read/write access.
   - The ‘wpsadmin’ user that was added should have read/write access as well – it can be used as the Wps.LDAPAdminUId instead.
   - Notice which entries use a short name and which use a long name.
   - The ‘wpsadmins’ group is not checked when the script is run – VERIFY with Softerra that it exists!
   - If you see any BUILD FAILED messages in the enablesecurity.log file, examine the fields in the previous slide again and rerun the script – there should be NO ‘BUILD FAILED’ messages.
   - If you see SQL errors you may need to delete the rows and re-add them with the DB2 Command Center, if the tables with errors have primary keys in them.
56. Bonus Level - Verify ‘wpsadmin’ and ‘wpsadmins’ exist properly…
   - Now is a good time to make sure the ‘wpsadmin’ user exists, the ‘wpsadmins’ group exists, and ‘wpsadmin’ is in the ‘wpsadmins’ group. If your LDAP browser doesn’t show these two entries properly, DON’T PROCEED until it does!
57. Bonus Level - Hoping it works…
   - The script shouldn’t take that long to run. Either ‘tail -f’ the enablesecurity.log or entertain yourself in other productive ways:
58. Bonus Level - It works! (Da Da Da Dah!)
   - Stop all servers (including IBM HTTP) and restart all servers. Log into Portal:
     - http://nameofserver.domain.com/wps/portal
   - or log into Workplace:
     - http://nameofserver.domain.com/lwp/workplace
   - Verify the Web Conferences and Team Spaces places work properly
59. What you (should have) learned
   - You now have the following information at your disposal thanks to this presentation:
     - Basic understanding of LDAP, how it works, how it is put together and how to configure it
     - Understanding of proper usage of LDAP, including where and how to find names, and how to read an LDAP schema
     - How LDAP relates to our product suite, how to map attributes from an existing LDAP for client consumption, and how to customize Domino into an LDAP server for the IBM product suite
60. Thanks a million.
61. 1900 – Part II – Linux Desktop Authentication Using Domino LDAP
   Moacyr Mallemont – IT Specialist, Lotus/IBM Software Group
62. Session Objectives
   - Provide an overview (step by step) of how to configure the Domino LDAP service to allow Linux desktop authentication.
   - Show how easy it is to integrate Domino and Linux and have an end-to-end Domino solution running on Linux
63. Agenda
   - Requirements
   - PAM configuration
   - Extending the Domino LDAP Schema
   - Enabling the Domino LDAP service as the default Linux directory
   - Authenticating
   - Setting up Domino to allow password changes from the Linux prompt
   - Troubleshooting
64. Requirements
   - Default Domino installation on a Linux system (we used Domino 6.5.4 and Red Hat AS 2.1)
   - Domino Administrator and Designer
   - Download and compile pam_ldap and nss_ldap on the Linux desktop client
   - Knowledge of how to compile Linux applications (it is really easy :)
65. PAM Configuration – What are PAM and NSS?
66. PAM Configuration – Compiling
67. PAM Configuration – Making an LDAP search
68. PAM Configuration – Making an LDAP search
69. PAM Configuration – Setting up the ldap.conf file
70. PAM Configuration – Setting up the ldap.secrets file
71. Extending the Domino LDAP Schema – “LDAP POSIX Account” subform
72. Extending the Domino LDAP Schema – Creating the fields
73. Extending the Domino LDAP Schema – Insert the subform in the form “$PersonExtensibleSchema”
74. Extending the Domino LDAP Schema – Reload the LDAP Schema
75. Extending the Domino LDAP Schema – Verify the new fields in the LDAP Schema
76. Extending the Domino LDAP Schema – Verify the new fields in the LDAP Schema
77. Enabling the Domino LDAP service as the default Linux Directory – User Information Config
78. Enabling the Domino LDAP service as the default Linux Directory – Authentication Config
79. Enabling the Domino LDAP service as the default Linux Directory – Authenticating a Domino user!
80. Enabling the Domino LDAP service as the default Linux Directory – Creating home directories
81. Enabling the Domino LDAP service as the default Linux Directory – the “id” command
82. Setting up Lotus Domino to allow password change for LDAP users – Configuration Document and rights in the NAB ACL
83. Setting up Lotus Domino to allow password change for LDAP users – “Allow LDAP users write=yes”
84. Setting up Lotus Domino to allow password change for LDAP users – Advanced ACL
85. Setting up Lotus Domino to allow password change for LDAP users – Changing a user password from the Linux prompt
86. Troubleshooting
   - ldapsearch
     - If you can’t run the suggested searches in this presentation, don’t go ahead to the next step. Try to understand what is going on!
   - Password change from Linux desktop
     - If the password change does not work, verify the user’s rights in the NAB ACL, and the ldap.conf & ldap.secrets files.
   - User root cannot log in anymore!
     - Use single-user mode (in rescue) and clean every entry in /etc/nsswitch.conf that has ldap references.
     - While configuring and testing you can leave “some” root sessions open that will allow you to fix your system.
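For the “root cannot log in anymore” case, here is an added Python helper (not from the deck) that reads nsswitch.conf text, lists the databases still sourced from ldap and returns a copy with ldap removed so that local files lookups work again; the file content is a constructed sample and the /etc/nsswitch.conf path is an assumption.

```python
"""Recovery helper for the "root cannot log in anymore" case (added example;
not code from the deck).

When nss_ldap is in nsswitch.conf and the Domino LDAP server is unreachable,
local logins can hang or fail. These functions report which databases still
consult ldap and return the file content with the ldap source removed so the
local 'files' lookups work again. SAMPLE_NSSWITCH is a constructed sample and
the /etc/nsswitch.conf path is an assumption.
"""
import shutil
from typing import List, Optional, Tuple

SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
netgroup:   ldap
automount:  files ldap [NOTFOUND=return]
"""


def _split(line: str) -> Optional[Tuple[str, List[str]]]:
    """(database, [source tokens]) for a config line; None for comments/blanks."""
    body = line.split("#", 1)[0].strip()
    if not body or ":" not in body:
        return None
    db, _, sources = body.partition(":")
    return db.strip(), sources.split()


def _without_ldap(sources: List[str]) -> List[str]:
    """Drop 'ldap' and any [STATUS=action] token that immediately follows it
    (the action belongs to the source before it); fall back to 'files'."""
    kept: List[str] = []
    drop_action = False
    for tok in sources:
        if tok == "ldap":
            drop_action = True
            continue
        if drop_action and tok.startswith("["):
            drop_action = False
            continue
        drop_action = False
        kept.append(tok)
    return kept or ["files"]


def ldap_databases(text: str) -> List[str]:
    """Databases whose source list still includes ldap."""
    found: List[str] = []
    for line in text.splitlines():
        parsed = _split(line)
        if parsed and "ldap" in parsed[1]:
            found.append(parsed[0])
    return found


def strip_ldap(text: str) -> str:
    """Return the file with ldap removed; other lines are kept verbatim."""
    out: List[str] = []
    for line in text.splitlines():
        parsed = _split(line)
        if not parsed or "ldap" not in parsed[1]:
            out.append(line)
            continue
        db, sources = parsed
        out.append(f"{db}:".ljust(12) + " ".join(_without_ldap(sources)))
    return "\n".join(out) + "\n"


def repair_file(path: str = "/etc/nsswitch.conf") -> List[str]:
    """Back the file up as <path>.bak, rewrite it without ldap and return the
    databases that changed. Intended for the rescue/single-user shell."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    changed = ldap_databases(original)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(strip_ldap(original))
    return changed


if __name__ == "__main__":
    print("still using ldap:", ldap_databases(SAMPLE_NSSWITCH))
    print(strip_ldap(SAMPLE_NSSWITCH))
```

Once the directory is reachable again, restore the .bak copy rather than re-typing the ldap entries by hand.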
87. Summary
   - It can be very easy to integrate Domino with other systems
   - Domino uses and makes use of open standards and protocols; that’s why it is so flexible!
   - This is just another example of how Domino can be used to reduce the TCO of IT solutions
   - There are more complete solutions that should be evaluated, such as the Tivoli solutions, which can do much more
   - If you already have Domino, your investments are preserved and extended – start integrating today!
88. Resources
   - http://www.padl.com/Contents/OpenSourceSoftware.html
   - http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-ldap-extrafunctionality.html
   - http://www.ibm.com/dominolinux
   - http://www-306.ibm.com/software/tivoli/solutions/security/
89. Questions?
