Lotusphere 2006: ID107 - Getting Started with Active Directory Integration
DESCRIPTION
Bridging the worlds of IBM Lotus Domino and Active Directory (AD) can be a challenging task. This introductory session examines naming, authentication, authorization, field mapping, performance and other functional considerations when Lotus Domino administrators deploy Directory Assistance and ADSync solutions. In this session we intend to myth-bust ADSync and provide a clearer picture of what it can and, most importantly, cannot do for you. We'll also explore what other synchronization possibilities exist between Lotus Domino and Active Directory, as well as how to leverage the Lotus Domino Directory Assistance feature to bring you that much closer to Lotus Domino and Active Directory harmony.
http://kenlin.com
TRANSCRIPT
![Page 1: Lotusphere 2006: ID107 - Getting Started with Active Directory Integration](https://reader033.vdocuments.us/reader033/viewer/2022061223/54c6af234a795907748b4599/html5/thumbnails/1.jpg)
ID107: Getting Started With Active Directory Integration
Josh Burchard, Ken Lin
Lotus Software, IBM Software Group
Agenda and Goals
- Clarify and correct common misconceptions
- Clarify and correct common mistakes
- Clarify relevant deployment scenarios
- Examine ADSync and Directory Assistance for integrating IBM Lotus Domino directory services and Microsoft Active Directory
ADSync & Domino: Why This Presentation Section?
- There have been many questions in the IBM Notes and Domino forums about the Domino administration feature ADSync
- There is a lot of confusion about what ADSync is capable of, and what it isn't
- What I hope to give you:
  - A high-level overview of what ADSync is and is not
  - What ADSync is capable of doing for you
  - Things to think about when deploying ADSync
Terminology
A couple of terms I'll use throughout this section:
- Object-level: for the scope of this presentation, "object" refers to Domino records (e.g., the Josh Burchard person document) or LDAP entries of type person or group
- Field-level: the Domino fields (e.g., HTTPPassword) / LDAP attributes that comprise person and group objects
What ADSync Isn’t
Surprise! Despite the name, it’s not a full synchronization tool
So What is it Then?
- It's a Microsoft Management Console (MMC) Snap-In that extends and expands on our Notes NT User Manager Add-In
- It's a Domino Administrator client install option
- It's a tool that allows for some synchronization by linking Domino and Active Directory objects
- It's a way to do general Domino field-level administration from the MMC
- It's a way to do basic Domino object-level administration from the MMC
- It's more useful than simply migrating entries back and forth between a Domino Directory and Active Directory
So What is it? (cont.)
It's only part of the Active Directory administration picture: ADSync, along with the Domino Administrator client, can work together to perform limited, manual synchronization of objects.
[Diagram: Domino and Active Directory linked by two paths: the Domino Administrator client (objects only) and ADSync (objects & fields)]
Where does ADSync Live?
[Screenshot callouts: ADSync buttons; container for ADSync configuration; ADSync popup menu items]
ADSync is a Snap-In to the Microsoft Management Console's "Users and Computers" dialog that provides embedded Domino functionality.
What can you do with these tools?
- Add people to Active Directory or NT via the "Person Registration Advanced" pane and link them to their respective Domino object
- Import people and groups from Active Directory or NT via "Person Registration Migrate" (Domino Upgrade Service) and link them to their respective Domino object
- You can add, delete and rename people in NT or Active Directory via the Domino Administrator client
- You can migrate people and groups to Domino from NT or Active Directory via the Domino Administrator client
What can you do with these tools? (cont.)
- You can create new people and groups in Active Directory and at the same time (or later, if you wish) register the people, or add the groups, to Domino via ADSync
- You can link people and groups that already exist in Active Directory and Domino via ADSync
- You can delete groups in NT or Active Directory via the Domino Administrator client
- You can synchronize changes made to an Active Directory object with the object it's linked to in Domino
Be Aware! (Prerequisites and Planning Needed)
Prerequisites:
- Install the Domino Administrator client with the W2000 Sync Services option
- The preferred way of running ADSync is from Windows 2000 Professional or Windows XP Professional with the Microsoft AdminPak
Planning:
- You can perform ADSync operations on more than one Domino server, but it is not recommended
- Domino registration operations are limited to the primary Domino Directory, no secondary directories
- To perform Active Directory object-level operations (like delete and rename) from the Domino Admin client, the objects must have been previously linked
- You must have created a Domino policy when adding people in Active Directory and then registering them in Domino. This provides a way for Domino to specify default values for the fields that aren't mapped from AD (e.g., Roaming user)
Some Common Misconceptions
- We never do field-level manipulation from Domino to Active Directory, only from Active Directory to Domino
- During Domino person registration, ADSync can set a common password for Active Directory, Domino HTTP and the Notes ID
- If you reset the common password via ADSync, the AD and Domino HTTP passwords will be made the same, but the Notes ID password will not be modified. Even using Notes Single Logon will require a manual Notes ID password change
- Since Domino field values never get applied to AD fields, the AD e-mail address needs to be set manually to the Domino e-mail address
- ADSync configuration settings are not shared across Administrator client machines
Some Common Misconceptions (cont.)
- ADSync only synchronizes Active Directory changes made via the MMC. In general, these are manual changes made by administrators; programmatic changes are not recognized
- Changing a field in Active Directory prompts an automatic synchronization, which overwrites the corresponding Domino field
- There is no scheduling of synchronizations
- Synchronizing an Active Directory group will not register its members as people in Domino; it is only a field-level operation that translates the group members' names
- Renaming a group via ADSync does not create all of the necessary Administration Process requests, e.g., replacing the old name with the new one in Domino database ACLs
Points to Take Away
ADSync requires careful planning beforehand, and careful management once in use, because:
- It can't provide a perfect password-sync solution, even when used with Notes Single Logon
- Only manual MMC changes (not programmatic ones) kick off an auto-sync, which may leave orphaned objects or other directory anomalies
- There exists only one-way field-level synchronization: from Active Directory to Domino
- AdminP will not propagate Active Directory name changes to ACLs
- There are other alternatives that IBM provides!
Directory Assistance
- What is it?
- How is it used by Notes and Web clients?
- How is it set up?
- What additional background information is useful?
- What are the common problems and solutions?
What is Directory Assistance?
A directory of secondary directories: a Domino server feature enabling customers to use secondary Domino or LDAP (e.g., Active Directory) directories for:
- Internet authentication
- Notes and Internet group membership lookups for database authorization
- Notes mail address resolution
  - Type ahead (type/pause/complete)
  - Select Addresses dialog
  - F9 / comma address completion
- Lookup of user attributes
  - Email address
  - MailFile
  - Etc.
Notes Client Database Access

| Feature | Name in LDAP secondary (e.g., AD) | Name in secondary Domino directory |
|---|---|---|
| NAMELookup | Yes | Yes |
| F9 name completion | Yes | Yes |
| Select Addresses dialog | No | Yes |
| Type ahead | No | Yes |
| Authorization | Not applicable | Yes |
| Authentication | Not applicable | Yes |
Web Client Database Access (non-DWA)

| Feature | Name in LDAP secondary (e.g., AD) | Name in secondary Domino directory |
|---|---|---|
| NAMELookup | Yes | Yes |
| F9 name completion | Not applicable | Not applicable |
| Select Addresses dialog | No | Yes |
| Type ahead | No | No |
| Authorization | Yes | Yes |
| Authentication | Yes | Yes |
DA Backgrounder: Directory Interfaces
[Diagram: directory data flow. Applications reach directory data through one of three interfaces: the NSF/NIF API (e.g., NSFDbOpen, NIFFindByName) for NSF applications, the NAME API (e.g., NAMELookup) for NAMELookup applications, and the LDAP server for LDAP applications. On the Domino server (klin0), Directory Services answers NAMELookup requests from names.nsf and names2.nsf over NSF/NIF/FT and, through the LDAP gateway (LDAP Gwy), from Active Directory (bk2000) over LDAP; NRPC carries the Notes client requests. LDAP referrals (either chased or returned) are not used in our examples.]
DA Setup: Modify Server Document
1. Enter the name of the DA database that we will create next: da.nsf
2. Save & Close
DA Setup: Create da.nsf Database
1. Use the Directory Assistance template, da50.ntf (select Show advanced templates)
2. Name the database da.nsf, matching the Server document setting
DA Setup: Basics Tab
1. Change Domain type from Notes (default) to LDAP
2. Domain name: any unique admin-friendly name
3. Select the types of directory applications
4. Change Group Authorization from No (default) to Yes to allow Active Directory groups to be used for database access
5. Leave nested group expansion set to Yes to recognize nested Active Directory groups
6. Leave Enabled set to Yes
The SSO-related settings are not covered here; see ID407 SSO Strategies.
Backgrounder: Database Authorization
- DA permits only one secondary directory where Group Authorization is set to Yes
- If you have both a secondary Active Directory and other Domino secondaries, make the primary an Extended Directory Catalog
- Use fully qualified Notes names (slashes) in database ACLs, not abbreviated names and not LDAP names, for example:
  cn=MDN Admin/cn=Users/dc=bk/dc=notesdev/dc=ibm/dc=com
  cn=Administrators/cn=Builtin/dc=bk/dc=notesdev/dc=ibm/dc=com
- Review the setting under File / Database / Access Control / Advanced / Maximum Internet name and password; it caps the access an Internet (name-and-password) user can obtain regardless of the ACL entries that match
Backgrounder: Notes & AD Directory Organization
[Diagram: the two trees, with persons, groups and containers marked]
Active Directory:
dc=bk,dc=notesdev,dc=ibm,dc=com
  cn=Builtin
    cn=Administrators
  cn=Computers
  cn=Users
    cn=Users
    cn=Beth Keach
    cn=MDN Admin
    cn=Enterprise Admins
Notes/Domino:
(root)
  LocalDomainAdmins
  LDAP Server Dev
  o=IBM
    ou=Westford
      cn=Josh Burchard
      cn=Ken Lin
Note the possible use of DCs (domain components) in Active Directory names.
DA Setup: Naming Contexts Tab
- Leave naming context 1 with all asterisks (because DCs are not specifiable)
- Change Trusted for Credentials from No (default) to Yes to allow Internet authentication of Active Directory users
DA Setup: LDAP Tab
[Screenshot callouts: Hostnames; LDAP bind DN for searches; password; LDAP base DN for search; SSL settings (not covered in this presentation); Type of search filter to use: change to Active Directory]
DA Setup: Hostname
- DNS name or IP address (IPv6 also) of one or more replicated Active Directory servers
- Obtain it by asking your AD administrator
- Alternate discovery methods:
  - Query the DNS SRV record _ldap._tcp.<domainname> using nslookup.exe (registered by Windows 2003-based domain controllers)
  - Run an auto-discovery tool on your subnet
DA Setup: Optional Authentication Credential
- Use the LDAP "bind" distinguished name of a single AD user who can search the desired AD entries; an ordinary account with read access to those entries is enough, so do not use a privileged one
- Use LDAP naming (attribute=value pairs separated by commas)
- Optionally protect the clear-text password using the normal "Encrypting documents using secret keys" procedure; otherwise anyone who can read the DA document can read the bind password
DA Setup: Base DN for Search
LDAP searches require a filter, a base, and a scope. Locate the top of the desired tree (e.g., the root DSE's defaultNamingContext). In the example tree, dc=bk,dc=notesdev,dc=ibm,dc=com, the parent of cn=Builtin (holding cn=Administrators), cn=Computers and cn=Users (holding cn=Users, cn=Beth Keach, cn=MDN Admin and cn=Enterprise Admins), is probably what you want.
DA Setup: Authentication Filter
Beth authenticates while opening http://klin0/mail/klin.nsf using her Windows username. The LDAP gateway performs two operations against AD:
1. Name resolution: a subtree search
   Base: dc=bk,dc=notesdev,dc=ibm,dc=com
   Filter: (|(cn=bkeach)(sAMAccountName=bkeach)(uid=bkeach)(mail=bkeach))
   The slide marks two further terms, (sn=bkeach) and (givenname=bkeach), as 6.5.6 / 7.0.1 additions: more name variations, lower security
   Search result: DN: cn=Beth Keach,cn=Users, . . . (success)
2. Authentication: an LDAP bind as the resolved DN
   bindDN: cn=Beth Keach,cn=Users, . . . Password: lotus (success)
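The name-resolution step above, rebuilt as an added example over a constructed in-memory set of entries (this is not Domino's code and it contacts no LDAP server). It shows two things the slide only hints at: the login name is embedded in a search filter, so it must be escaped per RFC 4515 before it goes into the filter, and the wider 6.5.6 / 7.0.1 filter can match more than one entry, which the resolver treats as a failure rather than picking one. The second user with the surname Keach is an assumption made to produce the collision.

```python
"""Name resolution as Directory Assistance performs it, over a constructed
in-memory set of AD entries. Added illustration, not Domino's code."""
import re

# The four-term filter seen in the 6.5.5 trace, and the six-term one the
# slide marks as 6.5.6 / 7.0.1 ("more name variations, lower security").
NARROW_ATTRS = ("cn", "sAMAccountName", "uid", "mail")
WIDE_ATTRS = NARROW_ATTRS + ("sn", "givenName")

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter. Without it
    a login such as '*' or 'x)(objectClass=*' rewrites the filter instead of
    being matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(login, attrs=NARROW_ATTRS):
    """The OR filter the LDAP gateway issues for the Windows username."""
    v = escape_filter_value(login)
    return "(|" + "".join("(%s=%s)" % (a, v) for a in attrs) + ")"


# Constructed entries; the second Keach is an assumption made to show a
# surname collision. Only the attributes the filters look at are kept.
ENTRIES = {
    "cn=Beth Keach,cn=Users,dc=bk,dc=notesdev,dc=ibm,dc=com": {
        "cn": "Beth Keach", "sAMAccountName": "bkeach", "sn": "Keach",
        "givenName": "Beth", "mail": "bkeach@bk.notesdev.ibm.com"},
    "cn=Tom Keach,cn=Users,dc=bk,dc=notesdev,dc=ibm,dc=com": {
        "cn": "Tom Keach", "sAMAccountName": "tkeach", "sn": "Keach",
        "givenName": "Tom", "mail": "tkeach@bk.notesdev.ibm.com"},
    "cn=MDN Admin,cn=Users,dc=bk,dc=notesdev,dc=ibm,dc=com": {
        "cn": "MDN Admin", "sAMAccountName": "mdnadmin"},
}


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def evaluate_or_filter(flt, entries=ENTRIES):
    """Evaluate an OR-of-equality filter (the only shape built above) against
    the in-memory entries. Attribute names and values are compared
    case-insensitively, as AD does. Returns the matching DNs."""
    terms = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", flt)
    hits = []
    for dn, attrs in entries.items():
        lower = {k.lower(): v.lower() for k, v in attrs.items()}
        if any(lower.get(a.lower()) == _unescape(v).lower() for a, v in terms):
            hits.append(dn)
    return hits


def resolve(login, attrs=NARROW_ATTRS):
    """DN to bind as, or None when the login matched zero or several entries:
    an ambiguous name must not be authenticated against any of them."""
    hits = evaluate_or_filter(build_auth_filter(login, attrs))
    return hits[0] if len(hits) == 1 else None
```

With the narrow filter, "keach" resolves to nothing; with the wide filter it resolves to two entries and is likewise refused. Only an exact login such as "bkeach" yields the single DN the bind step needs.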
Backgrounder: NamesList
NamesList (effective access) is composed of:
- Names and aliases
- Groups
cn=Beth Keach,cn=Users, … is a member of:
- cn=Enterprise Admins,cn=Users, …
- cn=Administrators,cn=Builtin, …
- cn=Domain Administrators,cn=Builtin, …
Goal: grant AD admins (including Beth) access to http://klin0/mail/klin.nsf
DA Setup: 6.5.4 Authorization Filter
The LDAP gateway finds Beth's groups by searching for groups that list her as a member, then repeats the search for each group found:
Base: dc=bk,dc=notesdev,dc=ibm,dc=com
Filter: (&(objectclass=group)(member=cn=Beth Keach,cn=Users, . . .))
  -> DN: cn=Domain Administrators,cn=Builtin, . . .
  -> DN: cn=Enterprise Admins,cn=Users, . . .
Base: dc=bk,dc=notesdev,dc=ibm,dc=com
Filter: (&(objectclass=group)(member=cn=Domain Administrators,cn=Builtin, . . .))
  -> (no such object)
Base: dc=bk,dc=notesdev,dc=ibm,dc=com
Filter: (&(objectclass=group)(member=cn=Enterprise Admins,cn=Users, . . .))
  -> DN: cn=Administrators,cn=Builtin, . . .
Etc.
DA Setup: 6.5.5 Authorization Filter
Instead of subtree searches, the gateway reads the memberOf attribute of each entry with a base-scope search, starting at Beth's own entry:
Base: cn=Beth Keach,cn=Users, . . .  Filter: (objectClass=*)  Scope: Base  Attr: memberOf
  -> DN: cn=Beth Keach,cn=Users, . . .
     memberOf: cn=Domain Administrators,cn=Builtin, . . .
     memberOf: cn=Enterprise Admins,cn=Users, . . .
Base: cn=Domain Administrators,cn=Builtin, . . .  Filter: (objectClass=*)  Scope: Base  Attr: memberOf
  -> DN: cn=Domain Administrators,cn=Builtin, . . .
Base: cn=Enterprise Admins,cn=Users, . . .  Filter: (objectClass=*)  Scope: Base  Attr: memberOf
  -> DN: cn=Enterprise Admins,cn=Users, . . .
     memberOf: cn=Administrators,cn=Builtin, . . .
Base: cn=Administrators,cn=Builtin, . . .  Etc.
Big performance improvement
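The two expansion strategies on the 6.5.4 and 6.5.5 slides, run side by side over a constructed in-memory copy of the slide's AD tree (added example; not Domino or IBM code, and no LDAP traffic is generated). Both produce the same NamesList; the cost counters model how many entries the server has to evaluate, subtree searches touching every group on each hop while memberOf reads touch one entry, and are an approximation. The extra group cn=All Admins and the membership cycle it creates are assumptions added to show that expansion terminates. The DN-to-slash conversion is the one the trace output and the ACL slide show; treating escaped commas inside a value is an added assumption.

```python
"""Nested-group authorization the two slides describe, run over a constructed
in-memory copy of the slide's AD tree. Added illustration, not Domino code;
no LDAP traffic is generated."""
import re

BASE = "dc=bk,dc=notesdev,dc=ibm,dc=com"
BETH = "cn=Beth Keach,cn=Users," + BASE
DOMAIN_ADMINS = "cn=Domain Administrators,cn=Builtin," + BASE
ENTERPRISE_ADMINS = "cn=Enterprise Admins,cn=Users," + BASE
ADMINISTRATORS = "cn=Administrators,cn=Builtin," + BASE
# Assumption: one extra group that closes a membership cycle.
ALL_ADMINS = "cn=All Admins,cn=Users," + BASE

# 'member' as AD stores it on the group; 'memberOf' is the back-link AD
# maintains on the member entry.
GROUPS = {
    DOMAIN_ADMINS: [BETH],
    ENTERPRISE_ADMINS: [BETH, ALL_ADMINS],
    ADMINISTRATORS: [ENTERPRISE_ADMINS],
    ALL_ADMINS: [ADMINISTRATORS],
}
MEMBER_OF = {}
for _g, _members in GROUPS.items():
    for _m in _members:
        MEMBER_OF.setdefault(_m, []).append(_g)


def groups_via_member_search(dn, cost):
    """6.5.4 strategy: subtree search (&(objectclass=group)(member=<dn>))
    under the base, repeated for every group found. Each search makes the
    server test every group entry, so cost[0] grows with groups * hops."""
    found, todo = [], [dn]
    while todo:
        cur = todo.pop(0)
        cost[0] += len(GROUPS)  # entries evaluated by one subtree search
        for g, members in GROUPS.items():
            if cur in members and g not in found:
                found.append(g)
                todo.append(g)
    return found


def groups_via_member_of(dn, cost):
    """6.5.5 strategy: base-scope read of memberOf on the entry, then on each
    group it names. One entry read per hop, whatever the group count."""
    found, todo = [], [dn]
    while todo:
        cur = todo.pop(0)
        cost[0] += 1  # one base-scope read
        for g in MEMBER_OF.get(cur, []):
            if g not in found:
                found.append(g)
                todo.append(g)
    return found


def ldap_dn_to_notes(dn):
    """Slash form Domino writes to the NamesList and expects in ACLs: same
    RDN order, ',' becomes '/'. Splitting only on unescaped commas (so a
    value written 'Smith\\, John' survives) is an assumption."""
    rdns = re.split(r"(?<!\\),\s*", dn)
    return "/".join(r.replace("\\,", ",") for r in rdns)


def names_list(dn, strategy=groups_via_member_of):
    """Effective names for ACL evaluation, in Notes format, plus the cost
    counter of the chosen strategy."""
    cost = [0]
    groups = strategy(dn, cost)
    return [ldap_dn_to_notes(n) for n in [dn] + groups], cost[0]


def acl_allows(acl, dn, strategy=groups_via_member_of):
    """True when any NamesList entry appears in the ACL (case-insensitive)."""
    names, _ = names_list(dn, strategy)
    wanted = set(a.lower() for a in acl)
    return any(n.lower() in wanted for n in names)
```

acl_allows also reproduces the ACL slide's warning: an ACL entry written as an LDAP name (commas) never matches the slash-form names in the NamesList, so the AD group grants nothing until it is entered as a Notes name.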
Test DA: LDAP Connection
Test the DA LDAP configuration settings using the ldapsearch tool. Each argument corresponds to a DA field: -h hostname, -p port, -D LDAP bind DN, -w password, -b LDAP base DN for search; the filter should find an entry that is known to exist.

```shell
[C:\Notes] ldapsearch.exe -h bk2000.notesdev.ibm.com -p 389 -D "cn=mdn admin,cn=users,dc=bk,dc=notesdev,dc=ibm,dc=com" -w "rosebud" -b "dc=bk,dc=notesdev,dc=ibm,dc=com" -s subtree "(cn=Administrators)"
```

Note that a password passed with -w is visible in the command history and in the process list while the command runs.
Test DA: Verify Startup
Success: both directories are listed.

```text
> SHOW XDIR
DomainName DirectoryType  ClientProtocol Replica/LDAP Server
---------- -------------- -------------- -------------------
1 KLIN0    Primary-Notes  Notes & LDAP   names.nsf
2 BK2000   Secondary-LDAP Notes & LDAP   [bk2000.notesdev.ibm.com]:389
```

Hostname / port or bind DN / password failure: the console logs an error and the secondary directory is missing from SHOW XDIR.

```text
01/05/2006 07:12:54 PM Error attempting to access the Directory *[bk2000.notesdev.ibm.com]:389 (no available alternatives), error is LDAP Server is NOT available.
> SHOW XDIR
DomainName DirectoryType ClientProtocol Replica/LDAP Server
---------- ------------- -------------- -------------------
1 KLIN0    Primary-Notes Notes & LDAP   names.nsf
```
Monitor DA: WebAuth_Verbose_Trace=1
1. Successful name resolution

```text
WebAuth> LOOKUP in view $Users (user='bkeach' org='')
NAMELookup::<LDAP GW> Searching for name='bkeach' in LDAP server='[bk2000.notesdev.ibm.com]'
NAMELookup::<LDAP GW> Base: dc=bk,dc=notesdev,dc=ibm,dc=com
NAMELookup::<LDAP GW> Scope: 2
NAMELookup::<LDAP GW> Filter: (|(cn=bkeach)(sAMAccountName=bkeach)(uid=bkeach)(mail=bkeach))
. . .
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
```

2. Successful authentication

```text
NAMELookup::<NAMEVerifyLDAPPassword>> BIND LDAP host='[bk2000.notesdev.ibm.com]:389' w/ user='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
WebAuth> VERIFY password
```

3. Successful 6.5.5 NamesList generation

```text
NAMELookup::<LDAP GW> Searching for name='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com' in LDAP server='[bk2000.notesdev.ibm.com]'
NAMELookup::<LDAP GW> Base: CN=Beth Keach,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com
NAMELookup::<LDAP GW> Scope: 0
NAMELookup::<LDAP GW> Filter: (objectClass=*)
NAMELookup::<LDAP GW> Attrs: memberOf
. . .
NAMELookup::<LDAP GW> SEARCH returned '2' match(es).
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Enterprise Admins/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Domain Administrators/CN=Builtin/DC=bk/DC=notesdev/DC=ibm/DC=com'
Etc.
```
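The trace above is what you read by hand while testing; the following added example (not IBM code) parses it into the three phases and flags what a reviewer of a DA setup checks: that name resolution returned exactly one entry, that the bind used the DN that was resolved, that the wider sn/givenname filter is not in use, and that group lookups returned something. The sample trace is constructed after the line formats on the slides, one record per line; the "SEARCH returned '1' match(es)" line in the name-resolution phase is assumed, since the slide elides that part, and a real console log may wrap lines or interleave other sessions.

```python
"""Parse WebAuth_Verbose_Trace=1 output into the three phases the slides
number and flag what a practitioner checks. Added illustration, not IBM code.
SAMPLE_TRACE is constructed after the slide's line formats."""
import re

SAMPLE_TRACE = """\
WebAuth> LOOKUP in view $Users (user='bkeach' org='')
NAMELookup::<LDAP GW> Searching for name='bkeach' in LDAP server='[bk2000.notesdev.ibm.com]'
NAMELookup::<LDAP GW> Base: dc=bk,dc=notesdev,dc=ibm,dc=com
NAMELookup::<LDAP GW> Scope: 2
NAMELookup::<LDAP GW> Filter: (|(cn=bkeach)(sAMAccountName=bkeach)(uid=bkeach)(mail=bkeach))
NAMELookup::<LDAP GW> SEARCH returned '1' match(es).
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
NAMELookup::<NAMEVerifyLDAPPassword>> BIND LDAP host='[bk2000.notesdev.ibm.com]:389' w/ user='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
WebAuth> VERIFY password
NAMELookup::<LDAP GW> Searching for name='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com' in LDAP server='[bk2000.notesdev.ibm.com]'
NAMELookup::<LDAP GW> Base: CN=Beth Keach,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com
NAMELookup::<LDAP GW> Scope: 0
NAMELookup::<LDAP GW> Filter: (objectClass=*)
NAMELookup::<LDAP GW> Attrs: memberOf
NAMELookup::<LDAP GW> SEARCH returned '2' match(es).
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Enterprise Admins/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Domain Administrators/CN=Builtin/DC=bk/DC=notesdev/DC=ibm/DC=com'
"""

_KV = re.compile(r"<LDAP GW> (Base|Scope|Filter|Attrs): (.*)$")
_DN = re.compile(r"matched DN='([^']*)'")
_COUNT = re.compile(r"SEARCH returned '(\d+)' match")
_BIND = re.compile(r"BIND LDAP host='([^']*)' w/ user='([^']*)'")


def parse_searches(text):
    """One record per 'Searching for name=' block: base, scope, filter,
    attrs, the match count and the DNs returned."""
    searches, cur = [], None
    for line in text.splitlines():
        if "Searching for name=" in line:
            cur = {"dns": [], "count": None}
            searches.append(cur)
            continue
        if cur is None:
            continue
        m = _KV.search(line)
        if m:
            cur[m.group(1).lower()] = m.group(2).strip()
        m = _DN.search(line)
        if m:
            cur["dns"].append(m.group(1))
        m = _COUNT.search(line)
        if m:
            cur["count"] = int(m.group(1))
    return searches


def summarize(text):
    """Map the records onto the slides' phases: the subtree search (scope 2)
    is name resolution, the BIND line is authentication, and base-scope
    (scope 0) reads of memberOf are NamesList generation."""
    searches = parse_searches(text)
    resolution = next((s for s in searches if s.get("scope") == "2"), None)
    groups = [s for s in searches
              if s.get("scope") == "0" and s.get("attrs") == "memberOf"]
    bind = _BIND.search(text)
    return {
        "resolution_matches": resolution["count"] if resolution else 0,
        "resolved_dn": resolution["dns"][0] if resolution and resolution["dns"] else None,
        "filter": resolution.get("filter") if resolution else None,
        "bind_host": bind.group(1) if bind else None,
        "bind_user": bind.group(2) if bind else None,
        "groups": [dn for s in groups for dn in s["dns"]],
    }


def audit(summary):
    """Findings to resolve before trusting the DA configuration."""
    findings = []
    if summary["resolution_matches"] != 1:
        findings.append("name resolution did not return exactly one entry")
    if summary["bind_user"] and summary["bind_user"] != summary["resolved_dn"]:
        findings.append("bind DN differs from the resolved DN")
    f = (summary["filter"] or "").lower()
    if "(sn=" in f or "(givenname=" in f:
        findings.append("wide filter in use (sn/givenname): more name variations, lower security")
    if not summary["groups"]:
        findings.append("no groups returned; ACL entries naming AD groups will not apply")
    return findings
```

Run it over a captured console log after setting WebAuth_Verbose_Trace=1; an empty list from audit means the three phases look as they do on the slides.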
DA: Points to Take Away
- Allows AD users to access Domino databases with web clients
- Setup:
  - Specify AD users or groups in Domino database ACLs as Notes names
  - Group Authorization: Yes
  - Trusted for Credentials: Yes
  - Optional Authentication Credential: must supply an LDAP name
  - Base DN for Search: must supply an LDAP name
  - Type of Search Filter to use: Active Directory
- Testing and monitoring:
  - ldapsearch command line tool
  - SHOW XDIR server console command
  - WebAuth_Verbose_Trace=1 Notes.ini setting
IBM Tivoli Directory Integrator
- General purpose data synchronization toolkit / engine
- Change propagation
  - Built-in connectors perform I/O with popular data sources (e.g., LDAP, NSF)
  - Built-in event handlers wait for and react to specific events (e.g., AD change, LDAP changelog detection)
  - Administrators code assembly lines using connectors and/or event handlers to transform and propagate information
- Password change propagation
  - Separately installable plug-ins capture AD password and Domino HTTP password changes and update other directories with the new password
- ITDI compared with ADSync
  - ITDI: change-triggered or batch execution; ADSync: manual only
  - ITDI is flexible (you provide the programming); ADSync is limited
  - ITDI assembly lines are coded using JavaScript or Java
Summary
- Use ADSync when
  - You want to allow Active Directory users to access Domino databases using the Notes or Web clients
  - You want Active Directory administrators to handle most people and group administration for your Domino domain
  - You don't mind not having the most up-to-date directory entries
- Use Directory Assistance when
  - You want to allow Active Directory users to access Domino databases using Web clients
  - You do not want to continually maintain and sync directory content
- Consider IBM Tivoli Directory Integrator when
  - Your synchronization requirements are more advanced
References
- IBM Redbooks | Using LDAP for Directory Integration, http://www.redbooks.ibm.com
- ADSync: IBM Redbooks | Active Directory Synchronization with Lotus ADSync, http://www.redbooks.ibm.com
- ADSync: Administering the Domino System – Using Domino with Windows Synchronization Tools
- Directory Assistance: Administering the Domino System – Setting Up Directory Assistance
- Directory Assistance: Single sign-on in a Multi-directory World, http://www-128.ibm.com/developerworks/lotus/library/sso1/
- Google "Domino Directory FAQ"