This document provides an overview of using Active Directory Integration (ADI) with IBM Lotus Domino. It begins by clarifying common misconceptions about ADI and examining the ADSync and Directory Assistance tools. ADSync allows for some limited synchronization between Domino and Active Directory objects but is not a full synchronization tool. Directory Assistance enables using secondary directories like Active Directory for user authentication and authorization for Notes and web clients. The document reviews setting up and testing Directory Assistance by configuring the DA.nsf database and verifying the LDAP connection and startup. It also provides background on how user authorization works between the directories.
2. Agenda and Goals
Clarify and correct common misconceptions
Clarify and correct common mistakes
Clarify relevant deployment scenarios
Examine ADSync and Directory Assistance
for integrating IBM Lotus Domino directory
services and Microsoft Active Directory
3. ADSync & Domino
Why this presentation section?
There have been many questions in the IBM Notes and Domino forums
about the Domino administration feature, ADSync
There is a lot of confusion about what ADSync is capable of, and what it isn’t
What I hope to give you:
A high-level overview of what ADSync is and is not
What ADSync is capable of doing for you
Things to think on when deploying ADSync
4. Terminology
A couple of terms I’ll use throughout this section:
Object-Level
For the scope of this presentation, “object” refers to Domino records (e.g.,
the Josh Burchard person document) or LDAP entries of type person or
group
Field-Level
The Domino fields (e.g., HTTPPassword) / LDAP attributes that comprise
person and group objects
6. So What is it Then?
It’s a Microsoft Management Console (MMC) Snap-In that
extends and expands on our Notes NT User Manager Add-In
It’s a Domino Administrator client install option
It’s a tool that allows for some synchronization by linking Domino
and Active Directory objects.
It’s a way to do general Domino field-level administration from the
MMC
It’s a way to do basic Domino object-level administration from the
MMC
It’s more useful than simply migrating entries back and forth
between a Domino Directory and Active Directory
7. So What is it? (cont.)
It’s only part of the Active Directory administration picture:
ADSync, along with the Domino Administrator client, can work together to
perform limited, manual, synchronization of objects
[Diagram: Domino and Active Directory linked by two paths. The Domino Administrator client (AdminClient) handles objects only; ADSync handles objects and fields.]
8. Where does ADSync Live?
[Screenshot: the MMC “Users and Computers” dialog, with callouts for the ADSync buttons and for the container that carries the ADSync popup menu]
ADSync is a Snap-In to the Microsoft Management Console’s “Users and Computers” dialog that provides embedded Domino functionality
9. What can you do with these tools?
Adds people to Active Directory or NT via the “Person
Registration Advanced Pane” and links them to their respective
Domino object
Imports people and groups from Active Directory or NT via
“Person Registration Migrate” (Domino Upgrade Service) and
links them to their respective Domino object
You can add, delete, rename people in NT or Active Directory via
the Domino Administrator client
You can migrate people and groups to Domino from NT or Active
Directory via the Domino Administrator client
10. What can you do with these tools?
You can create new people and groups in Active Directory and at
the same time (or later, if you wish) register the people, or add the
groups to Domino via ADSync
You can link people and groups that already exist in Active
Directory and Domino via ADSync
You can delete groups in NT or Active Directory via the Domino
Administrator client
You can synchronize changes made to an Active Directory object
with the object it’s linked to in Domino
11. Be Aware! (Prereqs and Planning Needed)
Prerequisites:
Install the Domino Administrator client with the W2000 Sync Services option
The preferred way of running ADSync is from Windows 2000 Professional or
Windows XP Professional with the Microsoft AdminPak
Planning:
You can perform ADSync operations on more than one Domino server, but it
is not recommended
Domino registration operations are limited to the primary Domino Directory,
no secondary directories
To perform Active Directory object level operations (like delete and rename)
from the Domino Admin client, the objects must have been previously linked
You must have created a Domino policy when adding people in Active
Directory and then registering them in Domino. This provides a way for
Domino to specify default values for the fields that aren’t mapped from AD
(e.g. Roaming user)
12. Some Common Misconceptions
We never do field-level manipulation from Domino to Active
Directory, only from Active Directory to Domino
During Domino person registration, ADSync can set a common
password for Active Directory, Domino HTTP and the Notes ID
If you reset the common password via ADSync, the AD and
Domino HTTP password will be made the same but the Notes ID
password will not be modified. Even using Notes Single Logon
will require a manual Notes ID password change
Since Domino field values never get applied to AD fields, the AD
e-mail address needs to be manually set to the Domino e-mail
address
ADSync configuration settings are not shared across
Administrator client machines
13. Some Common Misconceptions (cont.)
ADSync only synchronizes Active Directory changes made via the
MMC. In general, these are manual changes made by
administrators. Programmatic changes are not recognized
Changing a field in Active Directory prompts an automatic
synchronization to occur which overwrites the corresponding
Domino field
No scheduling of synchronizations
Synchronizing an Active Directory group will not register its
members as people in Domino. It is only a field level
synchronization operation that translates group members names
Renaming a group via ADSync does not create all of the
necessary Administration Process requests, e.g. replacing the old
name with the new in Domino database ACLs
14. Points to Take Away
ADSync requires careful planning beforehand, and careful
management once in use because:
It can’t provide a perfect password-sync solution, even when used with Notes
Single Logon
Only manual MMC changes (not programmatic ones) kick off an auto-sync,
which may leave orphaned objects or other directory anomalies
There exists only one-way field-level synchronization: from Active Directory to
Domino
AdminP will not propagate Active Directory name changes to ACLs
There are other alternatives that IBM provides!
15. Directory Assistance
What is it?
How is it used by Notes and Web clients?
How is it set up?
What additional background information is useful?
What are the common problems and solutions?
16. What is Directory Assistance?
Directory of secondary directories
Domino server feature enabling customers to use secondary
Domino or LDAP (e.g., Active Directory) directories for:
Internet Authentication
Notes and Internet Group Membership Lookups for Database
Authorization
Notes Mail Address Resolution
Type ahead (type/pause/complete)
Select Addresses dialog
F9 / Comma Address completion
Lookup User Attributes
Email address
MailFile
Etc.
17. Notes Client Database Access
Function                  Name in secondary Domino directory   Name in LDAP secondary (e.g., AD)
------------------------  -----------------------------------  ---------------------------------
Authentication            Yes                                  Not applicable
Authorization             Yes                                  Not applicable
Type ahead                Yes                                  No
Select Addresses dialog   Yes                                  No
F9 name completion        Yes                                  Yes
NAMELookup                Yes                                  Yes
18. Web Client Database Access (non-DWA)
Function                  Name in secondary Domino directory   Name in LDAP secondary (e.g., AD)
------------------------  -----------------------------------  ---------------------------------
Authentication            Yes                                  Yes
Authorization             Yes                                  Yes
Type ahead                No                                   No
Select Addresses dialog   Yes                                  No
F9 name completion        Not applicable                       Not applicable
NAMELookup                Yes                                  Yes
19. DA Backgrounder: Directory Interfaces
[Diagram: directory data flow on the Domino server (klin0). Three application interfaces: the NSF/NIF API (e.g., NSFDbOpen, NIFFindByName) used by an NSF app; the NAME API (e.g., NAMELookup) used by a NAMELookup app; and the LDAP server used by an LDAP app. Directory Services on the server reach Names.nsf and Names2.nsf over NSF/NIF/FT and NRPC, and reach Active Directory (bk2000) over LDAP through the LDAP Gwy. A chased LDAP referral (LDAP Ref) is shown as an alternative (XOR) path to the LDAP Gwy; referrals are not used in our examples.]
20. DA Setup: Modify Server Document
1. Enter name of DA database that we will create next -
21. DA Setup: Create DA.nsf Database
1. Use Directory Assistance (da50.ntf) (Show advanced ...)
2. da.nsf matches Server doc setting
22. DA Setup: Basics Tab
1. Change Domain type from Notes (default) to LDAP
2. Any unique admin-friendly name
3. Select types of directory applications
4. Change Group Authorization from No (default) to Yes to allow Active Directory ...
5. Leave nested group expansion Yes to recognize ...
6. Leave Enabled set to Yes
Not covered - see ...
23. Backgrounder: Database Authorization
DA permits only one secondary directory where Group Authorization is
set to Yes
If you have both a secondary Active Directory and other Domino secondaries, make
the primary an Extended Directory Catalog
Use fully qualified Notes names (slashes) in database ACLs – not
abbreviated names – not LDAP names!
cn=MDN Admin/cn=Users/dc=bk/dc=notesdev/dc=ibm/dc=com
cn=Administrators/cn=Builtin/dc=bk/dc=notesdev/dc=ibm/dc=com
Review setting for File / Database / Access Control / Advanced /
Maximum Internet name and password
24. Backgrounder: Notes & AD Directory Organization
[Diagram comparing the two trees; legend: person, group, container. Note possible use of DCs.]
Active Directory:
  dc=bk,dc=notesdev,dc=ibm,dc=com
    cn=Builtin: cn=Administrators, cn=Users (groups)
    cn=Computers
    cn=Users: cn=Beth Keach, cn=MDN Admin (persons); cn=Enterprise Admins (group)
Notes/Domino:
  (root): LocalDomainAdmins (group); o=IBM LDAP Server Dev
    ou=Westford: cn=Josh Burchard, cn=Ken Lin (persons)
25. DA Setup: Naming Contexts Tab
Leave N.C.1 with all asterisks (because ...
Change Trusted for Credentials (to Yes, as listed under Points to Take Away)
26. DA Setup: LDAP Tab
[Screenshot callouts: hostnames; LDAP bind DN for searches; password; LDAP base DN for search; SSL (not covered in ...); Change to ...]
27. DA Setup: Hostname
DNS name or IP address (v6 also) of one or more replicated Active
Directory servers
Obtain by asking your AD administrator
Alternate discovery methods:
Query DNS SRV for _ldap._tcp.domainname using nslookup.exe (registered by
Windows 2003-based domain controllers)
Run an auto-discovery tool on your subnet
28. DA Setup: Optional Authentication Credential
Use LDAP “Bind” distinguished name of a single AD user who can
search desired AD entries
Use LDAP naming (attribute = value and commas)
Optionally protect clear text Passwords using normal “Encrypting
documents using secret keys” procedure
29. DA Setup: Base DN for Search
LDAP searches require filter, base, and scope
Locate top of desired tree (e.g., root DSE’s defaultNamingContext)
[Diagram: dc=bk,dc=notesdev,dc=ibm,dc=com with containers cn=Builtin, cn=Computers, cn=Users and entries cn=Administrators, cn=Users, cn=Beth Keach, cn=MDN Admin, cn=Enterprise Admins; callout “Probably what you ...” on the tree]
30. DA Setup: Authentication Filter
[Diagram: Beth authenticates while opening http://klin0/mail/klin.nsf using her Windows username. Name resolution: the LDAP Gwy searches AD with Base: dc=bk,dc=notesdev,dc=ibm,dc=com and Filter: (|(cn=bkeach) ...; the search returns DN: cn=Beth Keach,cn=Users, . . . Authentication: the LDAP Gwy binds to AD with bindDN: cn=Beth Keach,cn=Users, . . . and the supplied Password; success.]
6.5.6 / 7.0.1: more name variations, lower security
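The filter and name-resolution step shown on this slide, as an added example (not code from the original deck): it builds the same OR filter that the WebAuth trace shows, escapes the login value per RFC 4515 so that characters such as "*" or ")" are matched literally instead of widening the search, and runs the lookup against a small constructed set of AD-like entries to show how a wider attribute list can return more than one candidate for the same login name. The entries (including the contact object) are constructed; the attribute set is the one in the trace, and the example does not assert which Domino release uses which set.

```python
"""Build the DA authentication filter and resolve a login name against AD-like entries.

Added example, not code from the original deck. The attribute list mirrors the filter
in the WebAuth_Verbose_Trace output; the directory entries below are constructed.
"""

# RFC 4515: characters with structural meaning inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Attributes the LDAP gateway tries, in the order the trace shows them.
DEFAULT_ATTRS = ("cn", "sAMAccountName", "uid", "mail")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def auth_search_filter(login: str, attrs=DEFAULT_ATTRS) -> str:
    """Return the OR filter DA sends to AD to turn a login name into an entry DN."""
    safe = escape_filter_value(login)
    return "(|" + "".join(f"({attr}={safe})" for attr in attrs) + ")"


# Constructed entries (not from the slides). The last one is a contact whose cn
# happens to equal Beth's sAMAccountName.
SAMPLE_AD_ENTRIES = [
    {"dn": "CN=Beth Keach,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com",
     "cn": "Beth Keach", "sAMAccountName": "bkeach", "mail": "bkeach@bk.notesdev.ibm.com"},
    {"dn": "CN=MDN Admin,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com",
     "cn": "MDN Admin", "sAMAccountName": "mdnadmin"},
    {"dn": "CN=bkeach,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com",
     "cn": "bkeach", "mail": "beth.keach@example.invalid"},
]


def resolve_login(entries, login: str, attrs=DEFAULT_ATTRS):
    """Simulate the directory's evaluation of auth_search_filter(): an entry matches
    when any listed attribute equals the login (LDAP string matching is
    case-insensitive). Returns every matching DN; DA needs exactly one."""
    wanted = login.casefold()
    return [e["dn"] for e in entries
            if any(e.get(attr, "").casefold() == wanted for attr in attrs)]


if __name__ == "__main__":
    print(auth_search_filter("bkeach"))
    print(resolve_login(SAMPLE_AD_ENTRIES, "bkeach", ("sAMAccountName",)))
    print(resolve_login(SAMPLE_AD_ENTRIES, "bkeach"))
```

With only sAMAccountName in the filter the lookup returns one DN; with the four-attribute filter the contact entry also matches, so the login name no longer identifies a single entry. That is the "more name variations, lower security" trade-off in concrete form. The escaping matters because an unescaped login of "*" would turn (cn=*) into a presence test that every entry with a cn satisfies; the in-memory matcher here compares exact strings, so it shows the escaped filter text rather than that behaviour.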
31. Backgrounder: NamesList
NamesList (Effective Access) is composed of:
Names and aliases
Groups
[Diagram: cn=Beth Keach,cn=Users, … is a member of cn=Enterprise Admins,cn=Users, …; cn=Administrators,cn=Builtin, …; cn=Domain Administrators,cn=Builtin, …]
Grant AD admins (including Beth) access to http://klin0/mail/
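Slide 23 says ACL entries for AD users must be fully qualified Notes names with slashes, and this slide shows the NamesList those entries are compared against. The following added example (not code from the original deck) converts LDAP DNs into the slash form seen in the trace, builds Beth's NamesList from her DN and memberOf groups, and reports which entries of a constructed ACL actually match and which are written in a form that can never match. The user DN and groups are the ones on the slides; the ACL, the helper names and the escape handling are this example's own.

```python
"""Check Domino database ACL entries against the NamesList DA builds for an AD user.

Added example, not code from the original deck. It applies two rules the slides state:
DA presents LDAP names to Domino in slash-separated form, and ACL entries must use that
fully qualified form (not abbreviated names, not comma-separated LDAP names). The user
DN and group list come from the slides; the ACL is constructed.
"""


def ldap_dn_to_notes_name(dn: str) -> str:
    """Rewrite an LDAP DN into the slash-separated form seen in the WebAuth trace.

    Splits only on unescaped commas (RFC 4514 permits '\\,' inside a value) and
    drops any space after a separator. Attribute types are kept as given.
    """
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:                     # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return "/".join(parts)


def abbreviate(notes_name: str) -> str:
    """Strip the 'type=' prefixes: CN=Beth Keach/CN=Users/... -> Beth Keach/Users/..."""
    return "/".join(p.split("=", 1)[1] if "=" in p else p for p in notes_name.split("/"))


def names_list(user_dn: str, member_of):
    """NamesList (effective access identity) for a web user resolved through DA:
    the user's own name followed by each group from memberOf, all in Notes form."""
    return [ldap_dn_to_notes_name(user_dn)] + [ldap_dn_to_notes_name(g) for g in member_of]


def effective_acl_matches(acl: dict, nlist) -> dict:
    """ACL entries that match a NamesList name (Domino compares names case-insensitively)."""
    wanted = {n.casefold() for n in nlist}
    return {entry: level for entry, level in acl.items() if entry.casefold() in wanted}


def acl_problems(acl: dict, user_dn: str, member_of) -> dict:
    """ACL entries written in a form that can never match this user's NamesList:
    the raw LDAP DN (commas) or the abbreviated Notes form (no 'type=' prefixes)."""
    problems = {}
    for dn in [user_dn, *member_of]:
        notes = ldap_dn_to_notes_name(dn)
        forms = {dn.casefold(): "LDAP comma form",
                 abbreviate(notes).casefold(): "abbreviated form"}
        for entry in acl:
            reason = forms.get(entry.casefold())
            if reason:
                problems[entry] = f"{reason} of {notes}"
    return problems


# From the slides: Beth's DN and the groups her memberOf attribute returns.
USER_DN = "CN=Beth Keach,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com"
MEMBER_OF = [
    "CN=Enterprise Admins,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com",
    "CN=Administrators,CN=Builtin,DC=bk,DC=notesdev,DC=ibm,DC=com",
]

# Constructed ACL: one correct entry, two that look right but never match, one plain group.
SAMPLE_ACL = {
    "cn=Enterprise Admins/cn=Users/dc=bk/dc=notesdev/dc=ibm/dc=com": "Manager",
    "CN=Administrators,CN=Builtin,DC=bk,DC=notesdev,DC=ibm,DC=com": "Editor",
    "Beth Keach/Users/bk/notesdev/ibm/com": "Author",
    "LocalDomainAdmins": "Manager",
}

if __name__ == "__main__":
    nl = names_list(USER_DN, MEMBER_OF)
    print(effective_acl_matches(SAMPLE_ACL, nl))
    print(acl_problems(SAMPLE_ACL, USER_DN, MEMBER_OF))
```

The useful output is the second dictionary: an entry in LDAP comma form or in abbreviated form grants nothing to the AD user, and an administrator who sees "no access" is then tempted to widen the ACL rather than fix the spelling. Running this against an exported ACL before opening a database to AD users catches both forms.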
34. Test DA: LDAP Connection
Test DA LDAP configuration settings using the ldapsearch tool. Each option corresponds to a field on the DA LDAP tab: hostname (-h), port (-p), LDAP bind DN (-D), password (-w), LDAP base DN for search (-b); the filter at the end finds an entry:
[C:\Notes] ldapsearch.exe -h bk2000.notesdev.ibm.com -p 389 -D "cn=mdn admin,cn=users,dc=bk,dc=notesdev,dc=ibm,dc=com" -w "rosebud" -b "dc=bk,dc=notesdev,dc=ibm,dc=com" -s subtree "(cn=Administrators)"
35. Test DA: Verify Startup
Success:
> SHOW XDIR
DomainName DirectoryType ClientProtocol Replica/LDAP Server
---------- -------------- -------------- -------------------
1 KLIN0 Primary-Notes Notes & LDAP names.nsf
2 BK2000 Secondary-LDAP Notes & LDAP [bk2000.notesdev.ibm.com]:389
Port or Bind DN / Password Failure:
01/05/2006 07:12:54 PM Error attempting to access the Directory *[bk2000.notesdev.ibm.com]:389 (no available alternatives), error is LDAP Server is NOT available.
> SHOW XDIR
DomainName DirectoryType ClientProtocol Replica/LDAP Server
---------- ------------- -------------- -------------------
1 KLIN0 Primary-Notes Notes & LDAP names.nsf
36. Monitor DA: WebAuth_Verbose_Trace=1
Successful Name Resolution:
WebAuth> LOOKUP in view $Users (user='bkeach' org='')
NAMELookup::<LDAP GW> Searching for name='bkeach' in LDAP server='[bk2000.notesdev.ibm.com]'
NAMELookup::<LDAP GW> Base: dc=bk,dc=notesdev,dc=ibm,dc=com
NAMELookup::<LDAP GW> Scope: 2
NAMELookup::<LDAP GW> Filter: (|(cn=bkeach)(sAMAccountName=bkeach)(uid=bkeach)(mail=bkeach))
. . .
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
Successful Authentication:
NAMELookup::<NAMEVerifyLDAPPassword>>
BIND LDAP host='[bk2000.notesdev.ibm.com]:389' w/ user='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
WebAuth> VERIFY password
37. Monitor DA: WebAuth_Verbose_Trace=1
Successful 6.5.5 NamesList Generation:
NAMELookup::<LDAP GW> Searching for name='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com' in LDAP server='[bk2000.notesdev.ibm.com]'
NAMELookup::<LDAP GW> Base: CN=Beth Keach,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com
NAMELookup::<LDAP GW> Scope: 0
NAMELookup::<LDAP GW> Filter: (objectClass=*)
NAMELookup::<LDAP GW> Attrs: memberOf
. . .
NAMELookup::<LDAP GW> SEARCH returned '2' match(es).
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Enterprise Admins/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Domain Administrators/CN=Builtin/DC=bk/DC=notesdev/DC=ibm/DC=com'
Etc.
38. DA: Points to Take Away
Allows AD users to access Domino databases with web clients
Setup:
Specify AD users or groups in Domino database ACLs as Notes names
Group Authorization – Yes
Trusted for Credentials – Yes
Optional Authentication Credential – Must supply an LDAP name
Base DN for Search – Must supply an LDAP name
Type of Search Filter to use – Active Directory
Testing and Monitoring:
ldapsearch command line tool
Show XDIR server console command
WebAuth_Verbose_Trace=1 Notes.ini setting
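The lookup flow shown in the trace on slides 36 and 37, and the ACL naming rule from the points above, as an added example that is not part of the presentation: a pure-Python model of the Active Directory search filter, the LDAP-DN-to-Notes-name conversion, NamesList generation from memberOf, and the database ACL match. SAMPLE_AD and BASE_DN are constructed stand-ins for the AD server built from the DNs in the trace; treating an ambiguous match as a failure is this example's assumption, as the slides only show the single-match case.

```python
# Added example, not code from the presentation: models the name-resolution
# steps that WebAuth_Verbose_Trace=1 shows Domino DA performing against AD.
BASE_DN = "DC=bk,DC=notesdev,DC=ibm,DC=com"
SAMPLE_AD = {  # constructed entries keyed by LDAP DN (stand-in for the server)
    "CN=Beth Keach,CN=Users," + BASE_DN: {
        "cn": "Beth Keach", "sAMAccountName": "bkeach",
        "memberOf": ["CN=Enterprise Admins,CN=Users," + BASE_DN,
                     "CN=Domain Administrators,CN=Builtin," + BASE_DN]},
    "CN=Svc Account,CN=Users," + BASE_DN: {"cn": "Svc Account",
                                           "sAMAccountName": "svc", "memberOf": []},
}

def ad_search_filter(name):
    """Filter DA builds for 'Type of Search Filter: Active Directory' (from the trace)."""
    return f"(|(cn={name})(sAMAccountName={name})(uid={name})(mail={name}))"

def split_dn(dn):
    """Split an LDAP DN into RDNs, keeping backslash-escaped commas inside an RDN."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: copy both
            cur += dn[i:i + 2]; i += 2; continue
        if dn[i] == ",":
            rdns.append(cur); cur = ""
        else:
            cur += dn[i]
        i += 1
    return rdns + [cur]

def ldap_dn_to_notes_name(dn):
    """LDAP DN -> the slash-separated form the trace shows and database ACLs expect."""
    return "/".join(split_dn(dn))

def resolve_user(directory, base_dn, name):
    """Trace step 1: subtree search below base_dn with the AD filter. Returns the
    matched DN; zero or several hits return None (assumption: ambiguity fails)."""
    hits = [dn for dn, e in directory.items() if dn.endswith(base_dn)
            and name in (e.get("cn"), e.get("sAMAccountName"), e.get("uid"), e.get("mail"))]
    return hits[0] if len(hits) == 1 else None

def names_list(directory, user_dn):
    """Trace step 2: base-scope read of memberOf on the matched DN, giving the
    NamesList (user plus groups, Notes form) that Group Authorization relies on."""
    groups = directory[user_dn].get("memberOf", [])
    return [ldap_dn_to_notes_name(user_dn)] + [ldap_dn_to_notes_name(g) for g in groups]

def acl_allows(acl_names, user_names):
    """A database ACL entry matches when any name in the NamesList appears in it."""
    return any(n in acl_names for n in user_names)
```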
39. IBM Tivoli Directory Integrator
General purpose data synchronization toolkit / engine
Change Propagation
Built-in connectors perform I/O with popular data sources (e.g., LDAP, NSF)
Built-in event handlers wait for and react to specific events (e.g., AD change,
LDAP changelog detection)
Administrators code assembly lines using connectors and/or event handlers to
transform and propagate information
Password Change Propagation
Separately installable plug-in entities capture AD password and Domino HTTP
password changes and update other directories with the new password
ITDI Compared with ADSync
ITDI change-triggered or batch execution vs. ADSync is manual only
ITDI is flexible (you provide programming) vs. ADSync is limited
ITDI assembly lines coded using JavaScript or Java
40. Summary
Use ADSync when
You want to allow Active Directory users to access Domino databases using
the Notes or Web clients
You want Active Directory administrators to handle most people and group
administration for your Domino domain
You don’t mind not having the most up-to-date directory entries
Use Directory Assistance when
You want to allow Active Directory users to access Domino databases using
Web clients
You do not want to continually maintain and sync directory content
Consider IBM Tivoli Directory Integrator when
Your synchronization requirements are more advanced
41. References
IBM Redbooks | Using LDAP for Directory Integration
ADSync
IBM Redbooks | Active Directory Synchronization with Lotus ADSync
http://www.redbooks.ibm.com
Administering the Domino System – Using Domino with Windows
Synchronization Tools
Directory Assistance
Administering the Domino System – Setting Up Directory Assistance
Single sign-on in a Multi-directory World
http://www-128.ibm.com/developerworks/lotus/library/sso1/
Google “Domino Directory FAQ”
Editor's Notes
Assume some audience has heard of DA. Balance of presentation is based upon our monitoring of ND and BP forums – more DA than ADSync questions
If half the functionality is in the Domino Admin client then... (Ask question on title.)
They’ll see it later on, but explicitly point out that Domino registration can only create PEOPLE in AD, but AD can create people or groups in Domino.
Target audience: Somewhat familiar with DA and LDAP
My value: common problems / inner workings
Not interesting for Active Directory deployment scenario
Not applicable because running a Notes client requires an ID, and therefore a Domino directory infrastructure
Not to be confused with (mention) LDAP connection docs
Star = Points to pay attention to
DA-AD used mainly for Web authentication/authorization
Magic Hat = Details for geeks
(Don’t attempt to explain on this slide) Mention next 2 slides are Side notes
http://www.awprofessional.com/articles/article.asp?p=26918&rl=1
Investigate migration hierarchies vs. brand new hierarchies
Need a sentence defining Name Rule. "Just use all asterisks"
Go through these quickly (will be covered in depth later)
SSL Warning – see lab (red lotus security handbook)