This article describes how you can use Active Directory via LDAP and Directory Assistance to authenticate your web users. This is particularly useful in our case, where we have an XPages-based application running on a black-boxed appliance in a Microsoft shop.
The example uses Windows Server 2008 R2 for AD and Domino 8.5.2 running on Linux. The scheme is simple enough, but I struggled to piece the bits together, so I thought a write-up would be useful.
I found Apache Directory Studio really useful: it lets you explore the Active Directory LDAP tree and get a feel for its structure before you configure Domino.
Useful debugging parameters
I found the following two parameters very useful because you can see the structure of the names and groups in AD as Domino queries them. These settings are for temporary use only: they create overhead and also print users' passwords to the console in plain text (somewhat disconcerting).
Setting up an AD test environment
This was very straightforward. I installed a 2008 R2 server as a VM and used the Server Roles Manager wizard to install Active Directory, accepting the defaults and dependencies.
I then created a new user (joe bloggs) and used that account to authenticate against the LDAP feed.
Exploring the LDAP Feed with Apache Directory Studio
Use File > New and then choose LDAP Connection.
Press the Check Authentication button and all should be well.
Next you can browse the LDAP tree and see information on the users and groups
The equivalent “Notes name” as used in an ACL would be
Configuring Domino to use the Active Directory LDAP
You need to create a Directory Assistance database and then list it in the server record.
The Directory Assistance template is an advanced template called Directory Assistance (da.ntf).
The server document entry looks like this
In the Directory Assistance Database create a record as follows.
Note that Gabriella Davis and Marie Scott, on page 20 of their very useful presentation One Directory To Rule Them All, Yes, suggest encrypting the LDAP configuration document – not sure how to do that just yet.
Note that the Suggest and Verify buttons are very useful, particularly for the Base DN for search.
Start with the most basic example you can.
With a test database, set Anonymous access to No Access and Default access to Reader or higher.
Open the URL and attempt to log in – in my case as Joe Bloggs. In the console you will see something similar to this:
Your authentication is working.
You can now test it with a specific name. You can see the shape of the name from the console output.
The AD name CN=joe bloggs,CN=Users,DC=ad,DC=focul,DC=net gets mapped to CN=joe bloggs/CN=Users/DC=ad/DC=focul/DC=net for use in the ACL.
Groups also work, but note that if you create a group in AD as a peer of “Users” the group name includes “Builtin”, as in CN=testgroup/CN=Builtin/DC=ad/DC=focul/DC=net, so it is better to put the groups within the Users branch.
In our case the group name is CN=testgroup4/CN=Users/DC=ad/DC=focul/DC=net
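The name mapping above is easy to get wrong when you type ACL entries by hand, especially for AD objects whose CN contains a comma (AD commonly stores people as "Last, First", which it escapes as CN=Last\, First). The following is an added example, not code from this post or from IBM Domino: it reproduces the mapping observed on the console (RDN separators become "/") using an RFC 4514-aware split, and flags the two things this post warns about, groups that landed under CN=Builtin and DNs with escapes whose exact Domino name should be confirmed on the console first. It assumes the same "," to "/" rule holds for OU= RDNs and for escaped values, which the post only shows for plain CN= and DC= names; the sample DNs are constructed around the ad.focul.net test domain.

```python
"""Map Active Directory LDAP distinguished names to the slash-separated
"Notes name" form that Directory Assistance exposes to Domino ACLs.

Added example, not code from the post or from IBM Domino. It mirrors the
mapping the post observed on the console (RDN separators ',' become '/')
and follows RFC 4514 for backslash escapes. All sample DNs are constructed
around the post's ad.focul.net test domain.
"""
from typing import Dict, List, Optional

# Constructed sample DNs: a user, a group in the Users branch, a group
# created as a peer of Users (which AD places under Builtin), and a CN
# containing an escaped comma, as AD often produces for "Last, First".
SAMPLE_DNS = [
    "CN=joe bloggs,CN=Users,DC=ad,DC=focul,DC=net",
    "CN=testgroup4,CN=Users,DC=ad,DC=focul,DC=net",
    "CN=testgroup,CN=Builtin,DC=ad,DC=focul,DC=net",
    "CN=Bloggs\\, Joe,OU=Staff,DC=ad,DC=focul,DC=net",
]


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its RDN strings on unescaped commas.

    A backslash escapes the following character (RFC 4514), so
    'CN=Bloggs\\, Joe' stays one RDN instead of being cut in two.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def to_notes_name(dn: str) -> str:
    """Join the RDNs with '/' instead of ',' (the form seen in the post's
    console output and used in the ACL). Values are left exactly as AD
    presents them, escapes included (assumption: Domino keeps them too)."""
    return "/".join(split_rdns(dn))


def container_of(dn: str) -> Optional[str]:
    """Value of the RDN directly above the leaf, e.g. 'Users' or 'Builtin'."""
    rdns = split_rdns(dn)
    if len(rdns) < 2:
        return None
    return rdns[1].partition("=")[2].strip()


def acl_entry_check(dn: str) -> Dict[str, object]:
    """Return the mapped ACL name plus any caveats an administrator should
    resolve before trusting the entry."""
    caveats: List[str] = []
    container = container_of(dn)
    if container is not None and container.lower() == "builtin":
        caveats.append("object sits under CN=Builtin; the post recommends "
                       "keeping groups inside the Users branch")
    if "\\" in dn:
        caveats.append("DN contains RFC 4514 escapes; confirm the exact "
                       "name on the Domino console before adding it")
    return {"dn": dn, "notes_name": to_notes_name(dn), "caveats": caveats}


if __name__ == "__main__":
    for sample in SAMPLE_DNS:
        result = acl_entry_check(sample)
        print(result["notes_name"])
        for note in result["caveats"]:
            print("   !", note)
```

Running the script prints the ACL-ready name for each sample and a caveat line for the Builtin group and the escaped CN. A plain string replace of "," with "/" would have split "CN=Bloggs\, Joe" into two bogus components, which is why the split walks the DN character by character.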
Other useful presentations
As mentioned above, I found Gabriella Davis and Marie Scott’s presentation very useful – One Directory To Rule Them All, Yes
A mild rant
In pulling this material together I have come to the conclusion that it is a real shame that IBM has not published the slide decks from Lotusphere 2011.
It would make it a lot easier for developers to make the IBM products more popular if IBM as an organisation were a good citizen of the community in that respect.
I have huge admiration for many individuals within IBM that do their best despite IBM in this regard. I also think it is unfair to expect the community to contribute to the IBM Wikis when they are sitting on hundreds of excellent presentations by the world experts in this area – experts who gave up thousands of hours to prepare those slide decks.
It's hardly what I would describe as a good example of a Social Business.