Lotusphere 2006: ID107 - Getting Started with Active Directory Integration
DESCRIPTION
Bridging the worlds of IBM Lotus Domino and the Active Directory (AD) can be a challenging task. This introductory session examines naming, authentication, authorization, field mapping, performance and other functional considerations when Lotus Domino administrators deploy Directory Assistance and ADSync solutions. In this session we intend to myth-bust ADSync and provide a clearer picture of what it can and, most importantly, cannot do for you. We'll also explore what other synchronization possibilities exist between Lotus Domino and Active Directory, as well as how to leverage the Lotus Domino Directory Assistance feature to bring you that much closer to Lotus Domino and Active Directory harmony. http://kenlin.com
TRANSCRIPT
ID107: Getting Started With Active Directory Integration
Josh Burchard, Ken Lin, Lotus Software, IBM Software Group
Agenda and Goals
Clarify and correct common misconceptions
Clarify and correct common mistakes
Clarify relevant deployment scenarios
Examine ADSync and Directory Assistance for integrating IBM Lotus Domino directory services and Microsoft Active Directory
ADSync & Domino: Why this presentation section?
There have been many questions in the IBM Notes and Domino forums about the Domino administration feature, ADSync
There is a lot of confusion about what ADSync is capable of, and what it isn’t
What I hope to give you: A high-level overview of what ADSync is and is not
What ADSync is capable of doing for you
Things to think on when deploying ADSync
Terminology
A couple of terms I’ll use throughout this section:
Object-Level: For the scope of this presentation, “object” refers to Domino records (e.g., the Josh Burchard person document) or LDAP entries of type person or group
Field-Level: The Domino fields (e.g., HTTPPassword) / LDAP attributes that comprise person and group objects
What ADSync Isn’t
Surprise! Despite the name, it’s not a full synchronization tool
So What is it Then?
It’s a Microsoft Management Console (MMC) Snap-In that extends and expands on our Notes NT User Manager Add-In
It’s A Domino Administrator client install option
It’s a tool that allows for some synchronization by linking Domino and Active Directory objects.
It’s a way to do general Domino field-level administration from the MMC
It’s a way to do basic Domino object-level administration from the MMC
It’s more useful than simply migrating entries back and forth between a Domino Directory and Active Directory
So What is it? (cont.)
It’s only part of the Active Directory administration picture:
ADSync, along with the Domino Administrator client, can work together to perform limited, manual synchronization of objects
[Diagram: the Domino Admin client and ADSync sit between Domino and Active Directory; one path is labelled “objects & fields”, the other “objects only”]
Where does ADSync Live?
[Screenshot: the MMC “Users and Computers” dialog with callouts for the ADSync buttons, the container for ADSync configuration, and the ADSync popup menu items]
ADSync is a Snap-In to the Microsoft Management Console’s “Users and Computers” dialog that provides embedded Domino functionality
What can you do with these tools?
Add people to Active Directory or NT via the “Person Registration Advanced Pane” and link them to their respective Domino object
Import people and groups from Active Directory or NT via “Person Registration Migrate” (Domino Upgrade Service) and link them to their respective Domino object
You can add, delete, rename people in NT or Active Directory via the Domino Administrator client
You can migrate people and groups to Domino from NT or Active Directory via the Domino Administrator client
What can you do with these tools? (cont.)
You can create new people and groups in Active Directory and at the same time (or later, if you wish) register the people, or add the groups to Domino via ADSync
You can link people and groups that already exist in Active Directory and Domino via ADSync
You can delete groups in NT or Active Directory via the Domino Administrator client
You can synchronize changes made to an Active Directory object with the object it’s linked to in Domino
Be Aware! (Prereqs and Planning Needed)
Prerequisites: Install the Domino Administrator client with the W2000 Sync Services option
The preferred way of running ADSync is from Windows 2000 Professional or Windows XP Professional with the Microsoft AdminPak
Planning: You can perform ADSync operations on more than one Domino server, but it is not recommended
Domino registration operations are limited to the primary Domino Directory, no secondary directories
To perform Active Directory object level operations (like delete and rename) from the Domino Admin client, the objects must have been previously linked
You must have created a Domino policy when adding people in Active Directory and then registering them in Domino. This provides a way for Domino to specify default values for the fields that aren’t mapped from AD (e.g. Roaming user)
Some Common Misconceptions
We never do field-level manipulation from Domino to Active Directory, only from Active Directory to Domino
During Domino person registration, ADSync can set a common password for Active Directory, Domino HTTP and the Notes ID
If you reset the common password via ADSync, the AD and Domino HTTP password will be made the same but the Notes ID password will not be modified. Even using Notes Single Logon will require a manual Notes ID password change
Since Domino field values never get applied to AD fields, the AD e-mail address needs to be manually set to the Domino e-mail address
ADSync configuration settings are not shared across Administrator client machines
Some Common Misconceptions (cont.)
ADSync only synchronizes Active Directory changes made via the MMC. In general, these are manual changes made by administrators. Programmatic changes are not recognized
Changing a field in Active Directory prompts an automatic synchronization to occur which overwrites the corresponding Domino field
No scheduling of synchronizations
Synchronizing an Active Directory group will not register its members as people in Domino. It is only a field-level synchronization operation that translates the group members’ names
Renaming a group via ADSync does not create all of the necessary Administration Process requests, e.g. replacing the old name with the new in Domino database ACLs
Points to Take Away
ADSync requires careful planning beforehand, and careful management once in use, because:
It can’t provide a perfect password-sync solution, even when used with Notes Single Logon
Only manual MMC changes (not programmatic ones) kick off an auto-sync, which may leave orphaned objects or other directory anomalies
There exists only one-way field-level synchronization: from Active Directory to Domino
AdminP will not propagate Active Directory name changes to ACLs
There are other alternatives that IBM provides!
Directory Assistance
What is it?
How is it used by Notes and Web clients?
How is it set up?
What additional background information is useful?
What are the common problems and solutions?
What is Directory Assistance?
Directory of secondary directories
Domino server feature enabling customers to use secondary Domino or LDAP (e.g., Active Directory) directories for:
Internet Authentication
Notes and Internet Group Membership Lookups for Database Authorization
Notes Mail Address Resolution: Type ahead (type/pause/complete), Select Addresses dialog, F9 / Comma Address completion
Lookup User Attributes: Email address, MailFile, etc.

Notes Client Database Access
Feature                   Name in secondary Domino directory   Name in LDAP secondary (e.g., AD)
Authentication            Yes                                  Not applicable
Authorization             Yes                                  Not applicable
Type ahead                Yes                                  No
Select Addresses dialog   Yes                                  No
F9 name completion        Yes                                  Yes
NAMELookup                Yes                                  Yes

Web Client Database Access (non-DWA)
Feature                   Name in secondary Domino directory   Name in LDAP secondary (e.g., AD)
Authentication            Yes                                  Yes
Authorization             Yes                                  Yes
Type ahead                No                                   No
Select Addresses dialog   Yes                                  No
F9 name completion        Not applicable                       Not applicable
NAMELookup                Yes                                  Yes
DA Backgrounder: Directory Interfaces
[Diagram: directory data flow. Three application types reach the Domino server (klin0): an NSF app through the NSF/NIF API (e.g., NSFDbOpen, NIFFindByName), a NAMELookup app through the NAME API (e.g., NAMELookup), and an LDAP app through LDAP. The Domino server reads names.nsf and names2.nsf through NSF/NIF and reaches the Active Directory LDAP server (bk2000) either through its LDAP gateway (Directory Services) or, exclusively (XOR), through an LDAP referral chased by the LDAP app; the referral path is marked “Not used in our examples”. Transports shown: NRPC, NSF/NIF/FT, LDAP]
DA Setup: Modify Server Document
1. Enter the name of the DA database that we will create next - da.nsf
2. Save & Close
DA Setup: Create DA.nsf Database
1. Use the Directory Assistance template da50.ntf (Show advanced templates)
2. da.nsf matches the Server document setting
DA Setup: Basics Tab
1. Change Domain type from Notes (default) to LDAP
2. Any unique admin-friendly name
3. Select types of directory applications
4. Change Group Authorization from No (default) to Yes to allow Active Directory groups to be used for db access
5. Leave nested group expansion Yes to recognize nested Active Directory groups
6. Leave Enabled set to Yes
Not covered - see ID407 SSO Strategies
Backgrounder: Database Authorization
DA permits only one secondary directory where Group Authorization is set to Yes
If you have both a secondary Active Directory and other Domino secondaries, make the primary an Extended Directory Catalog
Use fully qualified Notes names (slashes) in database ACLs – not abbreviated names – not LDAP names! For example:
cn=MDN Admin/cn=Users/dc=bk/dc=notesdev/dc=ibm/dc=com
cn=Administrators/cn=Builtin/dc=bk/dc=notesdev/dc=ibm/dc=com
Review setting for File / Database / Access Control / Advanced / Maximum Internet name and password
Backgrounder: Notes & AD Directory Organization
[Diagram: Active Directory tree rooted at dc=bk,dc=notesdev,dc=ibm,dc=com with cn=Builtin (cn=Administrators, cn=Users), cn=Computers and cn=Users (cn=Beth Keach, cn=MDN Admin, cn=Enterprise Admins); note the possible use of DCs. Notes/Domino tree: (root) with LocalDomainAdmins and o=IBM LDAP Server Dev, which contains ou=Westford with cn=Josh Burchard and cn=Ken Lin. Legend: person, group, container]
DA Setup: Naming Contexts Tab
Leave N.C. 1 with all asterisks (because DCs are not specifiable)
Change Trusted for Credentials from No (default) to Yes to allow Internet authentication of Active Directory users
DA Setup: LDAP Tab
[Screenshot callouts: hostnames; LDAP bind DN for searches; password; LDAP base DN for search; SSL not covered in this presentation; change the type of search filter to Active Directory]
DA Setup: Hostname
DNS name or IP address (v6 also) of one or more replicated Active Directory servers
Obtain by asking your AD administrator
Alternate discovery methods: Query DNS SRV for _ldap._tcp.domainname using nslookup.exe (registered by Windows 2003-based domain controllers)
Run an auto-discovery tool on your subnet
DA Setup: Optional Authentication Credential
Use LDAP “Bind” distinguished name of a single AD user who can search desired AD entries
Use LDAP naming (attribute = value and commas)
Optionally protect the clear-text password using the normal “Encrypting documents using secret keys” procedure
DA Setup: Base DN for Search
[Diagram: Active Directory tree rooted at dc=bk,dc=notesdev,dc=ibm,dc=com with cn=Builtin (cn=Administrators, cn=Users), cn=Computers and cn=Users (cn=Beth Keach, cn=MDN Admin, cn=Enterprise Admins); the root dc=bk,dc=notesdev,dc=ibm,dc=com is marked “Probably what you want”]
LDAP searches require filter, base, and scope
Locate the top of the desired tree (e.g., the root DSE’s defaultNamingContext)
DA Setup: Authentication Filter
[Diagram: Beth authenticates while opening http://klin0/mail/klin.nsf using her Windows username; the Domino LDAP gateway talks to AD in two steps]
1. Name resolution (search)
Base: dc=bk,dc=notesdev,dc=ibm,dc=com
Filter: (|(cn=bkeach)(sAMAccountName=bkeach)(uid=bkeach)(sn=bkeach)(givenname=bkeach)(mail=bkeach))
Result: DN: cn=Beth Keach,cn=Users, . . . (success)
(6.5.6 / 7.0.1 filter: more name variations, lower security)
2. Authentication (bind)
bindDN: cn=Beth Keach,cn=Users, . . . Password: lotus
Backgrounder: NamesList
NamesList (Effective Access) is composed of:
Names and aliases
Groups
[Diagram: cn=Beth Keach,cn=Users, … is a member of cn=Enterprise Admins,cn=Users, … and cn=Domain Administrators,cn=Builtin, …; cn=Enterprise Admins,cn=Users, … is in turn a member of cn=Administrators,cn=Builtin, …]
Scenario: Grant AD admins (including Beth) access to http://klin0/mail/klin.nsf
DA Setup: 6.5.4 Authorization Filter
(exchange between the Domino LDAP gateway and AD)
Search 1: Base: dc=bk,dc=notesdev,dc=ibm,dc=com  Filter: (&(objectclass=group)(member=cn=Beth Keach,cn=Users, . . .))
Returns: DN: cn=Domain Administrators,cn=Builtin, . . .  DN: cn=Enterprise Admins,cn=Users, . . .
Search 2: Base: dc=bk,dc=notesdev,dc=ibm,dc=com  Filter: (&(objectclass=group)(member=cn=Domain Administrators,cn=Builtin, . . .))
Returns: (no such object)
Search 3: Base: dc=bk,dc=notesdev,dc=ibm,dc=com  Filter: (&(objectclass=group)(member=cn=Enterprise Admins,cn=Users, . . .))
Returns: DN: cn=Administrators,cn=Builtin, . . .
Etc.
DA Setup: 6.5.5 Authorization Filter
(exchange between the Domino LDAP gateway and AD)
Read 1: Base: cn=Beth Keach,cn=Users, . . .  Filter: (objectClass=*)  Scope: Base  Attr: memberOf
Returns: DN: cn=Beth Keach,cn=Users, . . .  memberOf: cn=Domain Administrators,cn=Builtin, . . .  memberOf: cn=Enterprise Admins,cn=Users, . . .
Read 2: Base: cn=Domain Administrators,cn=Builtin, . . .  Filter: (objectClass=*)  Scope: Base  Attr: memberOf
Returns: DN: cn=Domain Administrators,cn=Builtin, . . .
Read 3: Base: cn=Enterprise Admins,cn=Users, . . .  Filter: (objectClass=*)  Scope: Base  Attr: memberOf
Returns: DN: cn=Enterprise Admins,cn=Users, . . .  memberOf: cn=Administrators,cn=Builtin, . . .
Read 4: Base: cn=Administrators,cn=Builtin, . . .  Filter: (objectClass=*)  Scope: Base  Attr: memberOf
Etc.
Big Performance Improvement: each step is a base-scope read of one entry’s memberOf attribute instead of a subtree search of the whole domain
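The name-resolution and NamesList steps above, as an added example that is not part of the slides: a Python model of what the Directory Assistance LDAP gateway asks AD, run against a constructed AD-like directory (the entries, the extra user Bob Keach and all group memberships are assumptions mirroring the demo domain). It also converts the resolved DNs into the slash form the ACL backgrounder calls for, checks effective access, and counts how many entries each NamesList strategy touches.

```python
BASE = "dc=bk,dc=notesdev,dc=ibm,dc=com"
BETH = "cn=Beth Keach,cn=Users," + BASE
BOB = "cn=Bob Keach,cn=Users," + BASE            # constructed: shares Beth's surname
ENT_ADMINS = "cn=Enterprise Admins,cn=Users," + BASE
DOM_ADMINS = "cn=Domain Administrators,cn=Builtin," + BASE
ADMINS = "cn=Administrators,cn=Builtin," + BASE

# Constructed AD-like directory, DN -> attributes, standing in for the bk2000 server
DIRECTORY = {
    BETH: {"objectClass": ["person"], "cn": ["Beth Keach"], "sAMAccountName": ["bkeach"],
           "sn": ["Keach"], "givenName": ["Beth"], "mail": ["bkeach@bk.notesdev.ibm.com"],
           "memberOf": [ENT_ADMINS, DOM_ADMINS]},
    BOB: {"objectClass": ["person"], "cn": ["Bob Keach"], "sAMAccountName": ["rkeach"],
          "sn": ["Keach"], "givenName": ["Bob"], "mail": ["rkeach@bk.notesdev.ibm.com"]},
    ENT_ADMINS: {"objectClass": ["group"], "member": [BETH], "memberOf": [ADMINS]},
    DOM_ADMINS: {"objectClass": ["group"], "member": [BETH]},
    ADMINS: {"objectClass": ["group"], "member": [ENT_ADMINS]},
}

def resolve_name(name, extended=False):
    """Step 1, the authentication filter: DNs whose cn/sAMAccountName/uid/mail equal the name.
    extended=True adds sn and givenName, the wider filter the slide flags as lower security."""
    attrs = ["cn", "sAMAccountName", "uid", "mail"] + (["sn", "givenName"] if extended else [])
    return [dn for dn, e in DIRECTORY.items()
            if any(name.lower() == v.lower() for a in attrs for v in e.get(a, []))]

def nameslist_654(user_dn):
    """6.5.4 style: per name found, a subtree search (&(objectclass=group)(member=<dn>)) under BASE.
    Returns (groups found, entries the server had to examine)."""
    found, i, examined = [user_dn], 0, 0
    while i < len(found):
        dn, i = found[i], i + 1
        for gdn, e in DIRECTORY.items():           # a subtree search tests every entry
            examined += 1
            if "group" in e["objectClass"] and dn in e.get("member", []) and gdn not in found:
                found.append(gdn)
    return found[1:], examined

def nameslist_655(user_dn):
    """6.5.5 style: a base-scope read of memberOf per name found; each read touches one entry."""
    found, i = [user_dn], 0
    while i < len(found):
        dn, i = found[i], i + 1
        found += [g for g in DIRECTORY.get(dn, {}).get("memberOf", []) if g not in found]
    return found[1:], len(found)

def to_notes_name(dn):
    """The slash form Domino expects in an ACL (these DNs contain no escaped commas)."""
    return "/".join(dn.split(","))

def has_access(acl_entries, user_dn):
    """Effective access: the user's own Notes-form name plus every NamesList group."""
    names = {to_notes_name(user_dn)} | {to_notes_name(g) for g in nameslist_655(user_dn)[0]}
    return any(entry in names for entry in acl_entries)
```

With the wider filter, the surname “keach” resolves to two users, which is the ambiguity behind the slide’s “lower security” note; both NamesList strategies find the same three groups, but the 6.5.4 style examines every entry per search.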
Test DA: LDAP Connection
Test the DA LDAP configuration settings using the ldapsearch tool; search for an entry that is known to exist:
[C:\Notes] ldapsearch.exe -h bk2000.notesdev.ibm.com -p 389 -D "cn=mdn admin,cn=users,dc=bk,dc=notesdev,dc=ibm,dc=com" -w "rosebud" -b "dc=bk,dc=notesdev,dc=ibm,dc=com" -s subtree "(cn=Administrators)"
Arguments as they map to the DA LDAP tab: -h hostname, -p port, -D LDAP bind DN, -w password, -b LDAP base DN for search
Test DA: Verify Startup
Success:
> SHOW XDIR
DomainName  DirectoryType   ClientProtocol  Replica/LDAP Server
----------  --------------  --------------  -------------------
1 KLIN0     Primary-Notes   Notes & LDAP    names.nsf
2 BK2000    Secondary-LDAP  Notes & LDAP    [bk2000.notesdev.ibm.com]:389

Hostname / Port or Bind DN / Password Failure:
01/05/2006 07:12:54 PM Error attempting to access the Directory *[bk2000.notesdev.ibm.com]:389 (no available alternatives), error is LDAP Server is NOT available.
> SHOW XDIR
DomainName  DirectoryType   ClientProtocol  Replica/LDAP Server
----------  --------------  --------------  -------------------
1 KLIN0     Primary-Notes   Notes & LDAP    names.nsf
Monitor DA: WebAuth_Verbose_Trace=1
1. Successful Name Resolution
WebAuth> LOOKUP in view $Users (user='bkeach' org='')
NAMELookup::<LDAP GW> Searching for name='bkeach' in LDAP server='[bk2000.notesdev.ibm.com]'
NAMELookup::<LDAP GW> Base: dc=bk,dc=notesdev,dc=ibm,dc=com
NAMELookup::<LDAP GW> Scope: 2
NAMELookup::<LDAP GW> Filter: (|(cn=bkeach)(sAMAccountName=bkeach)(uid=bkeach)(mail=bkeach))
. . .
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
2. Successful Authentication
NAMELookup::<NAMEVerifyLDAPPassword>> BIND LDAP host='[bk2000.notesdev.ibm.com]:389' w/ user='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
WebAuth> VERIFY password
3. Successful 6.5.5 NamesList Generation
NAMELookup::<LDAP GW> Searching for name='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com' in LDAP server='[bk2000.notesdev.ibm.com]'
NAMELookup::<LDAP GW> Base: CN=Beth Keach,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com
NAMELookup::<LDAP GW> Scope: 0
NAMELookup::<LDAP GW> Filter: (objectClass=*)
NAMELookup::<LDAP GW> Attrs: memberOf
. . .
NAMELookup::<LDAP GW> SEARCH returned '2' match(es).
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Enterprise Admins/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Domain Administrators/CN=Builtin/DC=bk/DC=notesdev/DC=ibm/DC=com'
Etc.
DA: Points to Take Away
Allows AD users to access Domino databases with web clients
Setup:
Specify AD users or groups in Domino database ACLs as Notes names
Group Authorization – Yes
Trusted for Credentials – Yes
Optional Authentication Credential – Must supply an LDAP name
Base DN for Search – Must supply an LDAP name
Type of Search Filter to use – Active Directory
Testing and Monitoring:
ldapsearch command line tool
Show XDIR server console command
WebAuth_Verbose_Trace=1 Notes.ini setting
IBM Tivoli Directory Integrator
General purpose data synchronization toolkit / engine
Change Propagation: Built-in connectors perform I/O with popular data sources (e.g., LDAP, NSF). Built-in event handlers wait for and react to specific events (e.g., AD change, LDAP changelog detection). Administrators code assembly lines using connectors and/or event handlers to transform and propagate information
Password Change Propagation: Separately installable plug-in entities capture AD password and Domino HTTP password changes and update other directories with the new password
ITDI Compared with ADSync
ITDI change-triggered or batch execution vs. ADSync is manual only
ITDI is flexible (you provide programming) vs. ADSync is limited
ITDI assembly lines are coded using JavaScript or Java
Summary
Use ADSync when:
You want to allow Active Directory users to access Domino databases using the Notes or Web clients
You want Active Directory administrators to handle most people and group administration for your Domino domain
You don’t mind not having the most up-to-date directory entries
Use Directory Assistance when:
You want to allow Active Directory users to access Domino databases using Web clients
You do not want to continually maintain and sync directory content
Consider IBM Tivoli Directory Integrator when:
Your synchronization requirements are more advanced
References
IBM Redbooks | Using LDAP for Directory Integration
ADSync: IBM Redbooks | Active Directory Synchronization with Lotus ADSync, http://www.redbooks.ibm.com
Administering the Domino System – Using Domino with Windows Synchronization Tools
Directory Assistance: Administering the Domino System – Setting Up Directory Assistance
Single sign-on in a Multi-directory World, http://www-128.ibm.com/developerworks/lotus/library/sso1/
Google “Domino Directory FAQ”