
External Users Accessing Connections



From IBM Connected 2015

Connections 5 introduces a new model of access: the external user. Designed to have limited rights within your Connections environment, the security surrounding external user access is deliberately very restrictive. To give external users appropriate access, we must tell Connections how to identify an external user, by flagging either an LDAP attribute or a new LDAP source. In this session we'll discuss the options for external user configuration, how to manage registration and passwords, and how everyone in your Connections world can work together.



  1. BTE201: Working With External Users in IBM Connections – Gabriella Davis, Technical Director, The Turtle Partnership
  2. Let's talk about me for a minute ▪ Admin of all things and especially quite complicated things where the fun is – working with security, healthchecks, single sign-on, design and deployment of Domino, ST, Connections and things that they talk to ▪ Stubborn and relentless problem solver ▪ Lives in London about half of the time ▪ twitter: gabturtle
  3. Notices and Disclaimers Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. 
All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. 
IBM, the IBM logo, BrassRing®, Connections™, Domino®, Global Business Services®, Global Technology Services®, SmartCloud®, Social Business®, Kenexa®, Notes®, PartnerWorld®, Prove It!®, PureSystems®, Sametime®, Verse™, Watson™, WebSphere®, Worklight®, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at:
  4. Why do external users need to be configured differently?
  5. How Does It Work – The Brief Version
  6. What Can An External Person Do? ▪ Be a full member of a Community that allows external users ▪ Share files with others, and download files shared with them ▪ See Activity Streams they are invited into ▪ Edit their profile ▪ View the business cards of anyone who has shared content with them
  7. What Can't An External Person Do? ▪ See any public content ▪ Create a community ▪ Follow people ▪ See or search the company directory ▪ Use type-ahead to find people ▪ See recommended content or people ▪ Access the Profiles menu ▪ Access other users' profiles ▪ See @Mentions for them
  8. ▪ An existing Community can't become a Community that allows external users ▪ Once created as either internal or allowing external user access, a Community cannot be changed ▪ Only internal users with a specific role can invite and share with external users ▪ Communities with external users must be restricted
  9. This isn't a bad thing. In general an external user is limited to participating in a restricted community they have been invited into.
  10. Let's set things up or … here comes the technical bit
  11. Internal vs External User Directories ▪ Who am I talking to? Who am I sharing with? ▪ There needs to be a simple way of identifying internal vs external users ▪ We need to tell Connections how to identify an internal and an external user ▪ There are three ways to do this – they all involve the TDI scripts
  12. A Quick Catch Up On TDI ▪ To enable external users, the Profiles DB must be used as a directory ▪ TDISOL is found in the Connections install directory – updated versions are published on Fix Central ▪ Files we change for external users – map_dbrepos_from_source.properties – profiles_functions.js – the TDI properties file – sync_all_dns
  13. Separate LDAP Branch or Server ▪ In map_dbrepos_from_source.properties – mode={func_mode_visitor_branch} – displayName={func_decorate_displayName_if_visitor} – displayNameLdapAttr=cn – decorateVisitorDisplayName= - External User ▪ In the TDI properties file – source_ldap_url_visitor_confirm – source_ldap_search_base_visitor_confirm* – source_ldap_search_filter_visitor_confirm
  15. Separate LDAP Steps ▪ Ensure the external directory is also configured as a federated repository in WAS – otherwise your external users can't authenticate ▪ source_ldap_search_base_visitor_confirm must not be empty ▪ In map_dbrepos_from_source.properties add sync_source_url_enforce=true so that a sync against one directory doesn't remove the entries that came from the other
  16. LDAP Attribute ▪ This is a bit easier but needs careful managing: the attribute value alone decides who is a visitor, and a user without it is treated as internal ▪ In map_dbrepos_from_source.properties map mode= to an LDAP attribute whose value is "external" for external users – displayName={func_decorate_displayName_if_visitor} – displayNameLdapAttr=cn – decorateVisitorDisplayName= - External User
  17. LDAP Attribute As A Function ▪ Instead of mapping an LDAP attribute containing "external" to the mode= entry, you can use a JavaScript function – The function must evaluate to the word "external" for external users – It must be placed in the profiles_functions.js file
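As an added example (not from the slides, and not IBM's shipped profiles_functions.js), here is the shape of the two hooks slides 16 and 17 point at: a function whose result is the literal "external" for visitors, and a display-name decorator that appends the marker configured in decorateVisitorDisplayName. Inside TDI these hooks take no arguments and read the entry being synced from the global work Entry (work.getString("attr") for one value, work.getAttribute("attr").getValues() for all of them); here the entry is passed in as a plain object so the logic can be run and checked outside TDI. The flag attribute name employeeType, the accepted flag values and the sample entries are assumptions, not values from the deck.

```javascript
// Added example, not IBM code. Models the profiles_functions.js hooks on a plain
// JavaScript object instead of TDI's global `work` Entry so it runs stand-alone.

var MODE_EXTERNAL = "external";   // the only mode value Connections treats as a visitor
var MODE_INTERNAL = "internal";   // anything else becomes a full internal user

var FLAG_ATTRIBUTE = "employeeType";           // assumed LDAP attribute carrying the flag
var EXTERNAL_VALUES = ["external", "visitor"]; // assumed values that mean "not an employee"
var VISITOR_SUFFIX = " - External User";       // the decorateVisitorDisplayName value on the slides

// All values of a possibly multi-valued attribute, trimmed, with empty values dropped.
function attributeValues(entry, name) {
  if (!entry || entry[name] === undefined || entry[name] === null) return [];
  var raw = Array.isArray(entry[name]) ? entry[name] : [entry[name]];
  return raw
    .filter(function (v) { return v !== null && v !== undefined; })
    .map(function (v) { return String(v).trim(); })
    .filter(function (v) { return v.length > 0; });
}

// The function slide 17 describes: it must compute to the word "external" for visitors.
// Matching is exact after trim and lower-casing, so "External " qualifies but
// "external-contractor" does not; a substring match would let a typo in the directory
// decide who sees internal content. An entry with no flag at all is internal: that is
// the fail-open side of this method and why the slides say it needs careful managing.
function func_mode_from_attribute(entry) {
  var values = attributeValues(entry, FLAG_ATTRIBUTE);
  for (var i = 0; i < values.length; i++) {
    if (EXTERNAL_VALUES.indexOf(values[i].toLowerCase()) !== -1) return MODE_EXTERNAL;
  }
  return MODE_INTERNAL;
}

// Counterpart of displayName={func_decorate_displayName_if_visitor} with
// displayNameLdapAttr=cn: visitors get the marker appended so an internal user can see
// who they are about to share with. Idempotent, so a re-sync does not stack the suffix.
function func_decorate_displayName(entry) {
  var names = attributeValues(entry, "cn");
  var displayName = names.length > 0 ? names[0] : "";
  if (func_mode_from_attribute(entry) !== MODE_EXTERNAL) return displayName;
  var alreadyMarked = displayName.length >= VISITOR_SUFFIX.length &&
    displayName.slice(-VISITOR_SUFFIX.length) === VISITOR_SUFFIX;
  return alreadyMarked ? displayName : displayName + VISITOR_SUFFIX;
}

// Dry run over a batch of entries before sync_all_dns: returns the DNs that would land
// in each mode so the split can be compared with what the directory team believes.
// Anyone external who shows up under "internal" gets full internal rights after the sync.
function classifyEntries(entries) {
  var result = { external: [], internal: [] };
  entries.forEach(function (entry) {
    result[func_mode_from_attribute(entry)].push(entry.dn);
  });
  return result;
}

// Constructed sample entries (not real directory data).
var SAMPLE_ENTRIES = [
  { dn: "cn=Ann Lee,ou=people,dc=example,dc=com", cn: "Ann Lee", employeeType: "Employee" },
  { dn: "cn=Bob Ray,ou=partners,dc=example,dc=com", cn: "Bob Ray", employeeType: "External " },
  { dn: "cn=Cy Diaz,ou=partners,dc=example,dc=com", cn: "Cy Diaz", employeeType: ["contractor", "visitor"] },
  { dn: "cn=Di Fox,ou=partners,dc=example,dc=com", cn: "Di Fox" } // flag missing: becomes internal
];

console.log(JSON.stringify(classifyEntries(SAMPLE_ENTRIES), null, 2));
```

To use it for real, drop the entry parameter and read work instead, copy the functions into profiles_functions.js, reference them as mode={func_mode_from_attribute} and displayName={func_decorate_displayName} in map_dbrepos_from_source.properties, run sync_all_dns and then check SyncUpdates.log for the mode each profile received. The fourth sample entry is the case worth auditing for: a partner account created without the flag is silently a full internal user.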
  18. Whatever Method You Choose ▪ Run sync_all_dns.bat (or .sh) when done ▪ On failure, check the logs ibmdi.log and SyncUpdates.log
  19. Employee-Extended Role ▪ Not all internal users / employees can invite external users – they must have the special Connections role "Employee-Extended" ▪ The only way to get this role is to be assigned it via wsadmin
  20. Assigning Roles ▪ From the /profiles/dmgr01/bin directory ▪ wsadmin.bat/sh -lang jython -username <wasadmin> -password <password> ▪ execfile("") ▪ ProfilesService.setRole("<user email>", EMPLOYEE_EXTENDED) ▪ Leave out -password and wsadmin will prompt for it, so the admin password does not end up in shell history or the process list
  21. Securing the Perimeter
  22. Directory Decisions ▪ How will external users register? ▪ Who will have rights to invite external users? ▪ Password quality
  23. Anonymous Access ▪ Disable anonymous access for all applications ▪ Edit each application's "security role to user/group mapping" – ensure the "reader" role is not mapped to "Everyone"
  24. Public Files ▪ External users can't see public files – or can they? ▪ If you use a caching proxy, the public cache will contain information external users shouldn't see – disable public caching in LotusConnections-config.xml using
 <genericProperty name="publicCacheEnabled">false</genericProperty>
  25. Working with Libraries ▪ With CCM installed, the URL /dm can provide access to any public libraries – external users shouldn't see public anything ▪ Ensure the /dm URL is blocked from public interfaces
  26. Desktop Plugin ▪ When using Connections in the browser, the interface constantly warns you if you are about to share with external users ▪ The desktop plugin doesn't do that ▪ This quote from the documentation says it all – "In addition, some operations might result in unexpected errors"!
  27. Internal and External (Visitor) Views or … Spot What's Missing
  28. Internal – Homepage
  29. Visitor – Homepage
  30. Internal – Community Page
  31. Visitor – Community Page
  32. Internal – My Profile
  33. Visitor – My Profile
  34. You can do this but not that ▪ As a visitor… – You can add tags but not see existing tag lists – You can view partial business cards but not full profiles – You can search for content, but that only finds things that are shared with you – You can share files, but only with the Communities you are part of, not with people directly
  35. ▪ All of this is good – it keeps your environment secure ▪ It protects your users from accidentally sharing something unintended ▪ It doesn't give up any information the external user doesn't already know ▪ Some things are a bit buggy but hopefully being fixed
  36. Questions? ▪ Gab Davis – Technical Director ▪ The Turtle Partnership ▪ GabriellaDavis on Skype ▪ gabturtle on twitter
  37. Engage Online ▪ SocialBiz User Group – Join the epicenter of Notes and Collaboration user groups ▪ Social Business Insights blog – Read and engage with our bloggers ▪ Follow us on Twitter – @IBMConnect and @IBMSocialBiz ▪ LinkedIn – Participate in the IBM Social Business group on LinkedIn ▪ Facebook – Like IBM Social Business on Facebook