Active Directory / Domino Authentication – easy but not easy enough

I have been working on a scheme to use Active Directory LDAP authentication for an XPages App. I posted about my early experiences with it here – everything seemed very promising but actually putting it into production has proved quite difficult. The scheme is based on dual entries in the AD Directory and the Domino Directory which are kept in sync by an agent. This is running on an XPages appliance with no day to day local IT involvement.

The difficulty comes from mapping user names from AD to Domino in a useful way.

A typical AD distinguished name looks like this (shown the way Domino renders it, with slashes; in LDAP itself the components are comma-separated, CN=Sean Cull,OU=Users,OU=SiteA,...): CN=Sean Cull/OU=Users/OU=SiteA/OU=Resources/DC=acme-uk/DC=acme/DC=local

The directory assistance document lets you choose which AD attribute is used as the Notes distinguished name, but you can only pick an existing AD attribute; you cannot construct a mapping scheme such as name & “/OU=some OU”….. Effectively this means choosing one of the following:

CN=Sean Cull/OU=Users/OU=SiteA/OU=Resources/DC=acme-uk/DC=acme/DC=local (the full DN)
Sean Cull (the common name, typically the cn or displayName attribute)
CullS (the short login name, typically sAMAccountName)

Only the first option is acceptable. The other two are not guaranteed to be unique: you can easily get two people with the same name in different OUs, and since Domino checks ACLs and reader/author fields against the Notes name, a collision would make two distinct AD accounts resolve to the same Notes identity.

Because Notes does not seem to treat CN=xxx…../DC=acme as a fully hierarchical name (because of the DC elements?), the abbreviated-name function does not work, although the common-name function does. In many of our applications we display names in the format Sean Cull/FoCul to give some protection against people from different OUs having the same name; with Domino authentication we could do this by computing a display name from the full name.

To achieve the same thing with AD authentication we have to maintain a document that maps each real user name to a display name, plus a set of parallel fields on the forms for the real names and the display names.
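The two points above (only the full DN is a safe Notes name, and a display name has to be derived and kept in a mapping document) can be made concrete in code. The following is an added example, not code from the original post or from Domino: it parses a DN in either the LDAP comma form or the slash form Domino shows, builds the canonical key an agent could use to match AD and Domino entries, shows why keying on the common name alone collides, and produces the real-name/display-name pairs for a mapping document. The sample DNs, the OU names SiteB and Contractors, the list of "generic" OUs to skip, and the "CN/first meaningful OU" display convention are all assumptions for the example.

```javascript
// Added example (not from the original post). Parse AD distinguished names and
// derive a collision-safe display name for an XPages mapping document.
// All DNs below are constructed sample data; "SiteB", "Contractors" and the
// GENERIC_OUS list are assumptions, as is the display-name convention.

// Parse a DN in comma form (CN=Sean Cull,OU=Users,...) or in the slash form
// Domino renders (CN=Sean Cull/OU=Users/...). Returns [{type, value}] leaf-first.
// Heuristic: a DN with no comma is assumed to be in slash form, so a slash-form
// DN whose CN itself contains a comma would be misparsed; backslash escapes
// (RFC 4514 style, e.g. "Smith\, Jane") are honoured in both forms.
function parseDN(dn) {
  const sep = dn.indexOf(',') >= 0 ? ',' : '/';
  const parts = [];
  let cur = '';
  for (let i = 0; i < dn.length; i++) {
    const c = dn[i];
    if (c === '\\' && i + 1 < dn.length) { cur += dn[++i]; continue; } // escaped char
    if (c === sep) { parts.push(cur); cur = ''; continue; }
    cur += c;
  }
  parts.push(cur);
  return parts.map(p => {
    const eq = p.indexOf('=');
    if (eq < 0) throw new Error('malformed RDN: ' + p);
    return { type: p.slice(0, eq).trim().toUpperCase(), value: p.slice(eq + 1).trim() };
  });
}

// Canonical key: the whole DN, types upper-cased and values case-folded
// (DN matching is case-insensitive). The same AD account yields the same key
// whether it arrives in LDAP comma form or Domino slash form.
function canonicalKey(dn) {
  return parseDN(dn).map(r => r.type + '=' + r.value.toLowerCase()).join('/');
}

// Key on the common name only: this is the "Sean Cull" mapping option.
function cnOnlyKey(dn) {
  const cn = parseDN(dn).find(r => r.type === 'CN');
  if (!cn) throw new Error('DN has no CN: ' + dn);
  return cn.value.toLowerCase();
}

// Return every key produced by keyFn that is hit more than once.
function collisionsByKey(dns, keyFn) {
  const seen = new Set();
  const collisions = [];
  for (const dn of dns) {
    const k = keyFn(dn);
    if (seen.has(k)) collisions.push(k); else seen.add(k);
  }
  return collisions;
}

// OUs that carry no identifying information for display purposes (assumption).
const GENERIC_OUS = ['Users', 'Resources'];

// Display name in the spirit of "Sean Cull/FoCul": CN plus the nearest OU that
// is not a generic container, e.g. "Sean Cull/SiteA".
function displayName(dn) {
  const rdns = parseDN(dn);
  const cn = rdns.find(r => r.type === 'CN');
  if (!cn) throw new Error('DN has no CN: ' + dn);
  const ou = rdns.find(r => r.type === 'OU' &&
    !GENERIC_OUS.some(g => g.toLowerCase() === r.value.toLowerCase()));
  return ou ? cn.value + '/' + ou.value : cn.value;
}

// Build the mapping document entries: real (canonical) name -> display name.
// Real names must be unique; display names that would still be ambiguous
// fall back to the CN plus the full OU path so two accounts never look alike.
function buildMappingDocument(dns) {
  const entries = dns.map(dn => ({ dn, realName: canonicalKey(dn), displayName: displayName(dn) }));
  if (new Set(entries.map(e => e.realName)).size !== entries.length) {
    throw new Error('duplicate account in input');
  }
  const counts = new Map();
  for (const e of entries) counts.set(e.displayName, (counts.get(e.displayName) || 0) + 1);
  for (const e of entries) {
    if (counts.get(e.displayName) > 1) {
      const rdns = parseDN(e.dn);
      const ous = rdns.filter(r => r.type === 'OU').map(r => r.value).join('/');
      e.displayName = rdns.find(r => r.type === 'CN').value + '/' + ous;
    }
  }
  return entries.map(e => ({ realName: e.realName, displayName: e.displayName }));
}

// Constructed sample directory: three "Sean Cull" accounts, one with an escaped comma.
const SAMPLE_DNS = [
  'CN=Sean Cull,OU=Users,OU=SiteA,OU=Resources,DC=acme-uk,DC=acme,DC=local',
  'CN=Sean Cull,OU=Users,OU=SiteB,OU=Resources,DC=acme-uk,DC=acme,DC=local',
  'CN=Smith\\, Jane,OU=Users,OU=SiteA,OU=Resources,DC=acme-uk,DC=acme,DC=local',
  'CN=Sean Cull,OU=Users,OU=SiteA,OU=Contractors,DC=acme-uk,DC=acme,DC=local',
];

console.log('collisions by CN:', collisionsByKey(SAMPLE_DNS, cnOnlyKey));
console.log('collisions by full DN:', collisionsByKey(SAMPLE_DNS, canonicalKey));
console.log(buildMappingDocument(SAMPLE_DNS));
```

Keying on the common name reports two collisions for the sample set while the canonical full-DN key reports none, which is the reason only the first mapping option is usable. The fallback in buildMappingDocument matters because the short display form can itself collide (two Sean Culls under SiteA), and a display name that is ambiguous defeats the purpose of showing it.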

This solution is manageable, but it would be much nicer to be able to map the AD name to a different name structure in the Domino NAB.

From the users' perspective it is great, though: they just log into the application with their usual name and password.

IT love it too because it is one less thing to worry about.

As solution providers we love it because it is one less barrier to getting appliance-based XPages applications into non-Domino shops or ex-Domino shops.
