SECURITY


Configuring user name mapping when you manage Domino users through Active Directory
Follow the steps in this topic to configure user name mapping for a Windows single sign-on environment if you manage Lotus® Domino® user information primarily through Active Directory. This configuration requires you to add users' Notes distinguished names to Active Directory user accounts.

1. In a directory assistance database, create an LDAP directory assistance document to use to connect to the Active Directory server. The following table describes the most important fields to configure in the document.
Tab: Basics
Field: Make this domain available to
Value: Notes Clients and Internet Authentication/Authorization
Comment:
  • Required
  • LDAP Clients is optional

Tab: Basics
Field: Group Authorization
Value: Yes or No
Comment:
  • Select Yes if you want to use Active Directory groups in database ACLs.

Tab: Basics
Field: Attribute to be used as name in an SSO token
Value: $DN
Comment:
  • Required only if there is an IBM® WebSphere® SSO server authenticating users against Active Directory so that users' LTPA tokens contain their Active Directory names.
  • Requires "Map names in LTPA token" to be enabled in the Web SSO Configuration document.
  • Ensures proper SSO operation for servers that authenticate users against Active Directory.

Tab: Basics - SSO configuration
Field: Windows single sign-on for Web clients
Value: Enabled
Comment:
  • Enables efficient name lookups based on users' Active Directory logon (Kerberos) names. In combination with "Attribute to be used as Notes Distinguished Name", allows the user's Kerberos identity to be associated with the Domino name.

Tab: Basics - SSO configuration
Field: Kerberos realm
Value: Active Directory domain
Comment:
  • Specify in upper case characters, for example, AD.ACME.COM.

Tab: Naming Contexts (Rules)
Field: Trusted for Credentials
Value: Yes
Comment: --

Tab: LDAP
Field: Attribute to be used as Notes Distinguished Name
Value: <attribute>
Comment:
  • Attribute in Active Directory that stores users' Notes distinguished names.
  • A directory administrator may need to extend the Active Directory schema to add an attribute for this name if there is no existing attribute that already contains the Notes distinguished name. Alternatively it may be feasible to use the altSecurityIdentities attribute, if not already in use for another purpose.
  • A directory synchronization tool such as IBM® Tivoli® Directory Integrator can be used to populate the attribute with the Notes names.
  • The value stored in the attribute must adhere to valid distinguished name syntax. In Active Directory use LDAP comma (,) separators in the Notes names rather than the Notes forward slash (/) separators; for example:
      cn=Betty Zechman,ou=Marketing,o=Renovations
    rather than
      cn=Betty Zechman/ou=Marketing/o=Renovations
  • Used to link this Active Directory record to a Notes distinguished name for determining user access to Domino resources.

Tab: LDAP
Field: Type of search filter to use
Value: Active Directory
Comment: --
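The separator rule above is easy to get wrong when an attribute is populated by a synchronization script, and a Notes name that itself contains a comma needs LDAP escaping. As an added example (not from this topic and not IBM tooling), the following Python converts a Notes hierarchical name to the comma-separated LDAP form the attribute must hold and checks a stored value before it is relied on; the function names and the positional cn/ou/o treatment of abbreviated Notes names are assumptions.

```python
import re

# Characters RFC 4514 requires to be escaped inside an LDAP RDN value.
_LDAP_SPECIAL = set(',+"\\<>;')
# An unescaped comma is the RDN separator in LDAP DN syntax.
_RDN_SPLIT = re.compile(r'(?<!\\),')
# Notes '/' separator followed by a component label ("/ou="): the form AD must not receive.
_NOTES_SEPARATOR = re.compile(r'/(cn|ou|o|c)=', re.IGNORECASE)


def escape_ldap_value(value: str) -> str:
    """Escape one RDN value per RFC 4514 so a name like 'Zechman, Betty' stays parseable."""
    out = []
    for i, ch in enumerate(value):
        if ch in _LDAP_SPECIAL or (ch == '#' and i == 0) \
                or (ch == ' ' and i in (0, len(value) - 1)):
            out.append('\\')
        out.append(ch)
    return ''.join(out)


def notes_to_ldap_dn(notes_name: str) -> str:
    """Convert a Notes hierarchical name to the comma-separated LDAP DN form.
    Accepts the canonical form (cn=Betty Zechman/ou=Marketing/o=Renovations) and, as an
    assumption about abbreviated Notes names, "Betty Zechman/Marketing/Renovations"
    (first component cn, last component o, anything between ou)."""
    parts = [p.strip() for p in notes_name.split('/') if p.strip()]
    if len(parts) < 2:
        raise ValueError(f"not a hierarchical Notes name: {notes_name!r}")
    rdns = []
    for idx, part in enumerate(parts):
        if '=' in part:
            label, value = part.split('=', 1)
            label = label.strip().lower()
            if label not in ('cn', 'ou', 'o', 'c'):
                raise ValueError(f"unknown Notes component label: {label!r}")
        else:
            label = 'cn' if idx == 0 else 'o' if idx == len(parts) - 1 else 'ou'
            value = part
        rdns.append(f"{label}={escape_ldap_value(value.strip())}")
    return ','.join(rdns)


def is_valid_ldap_notes_dn(stored: str) -> bool:
    """Check a stored attribute value: two or more comma-separated label=value RDNs
    using Notes labels only, with no Notes '/' separators left in."""
    if _NOTES_SEPARATOR.search(stored):
        return False
    rdns = _RDN_SPLIT.split(stored)
    return len(rdns) >= 2 and all(
        re.fullmatch(r'(cn|ou|o|c)=.+', rdn.strip(), re.IGNORECASE) for rdn in rdns)
```

Running the check over every populated value before enabling the directory assistance document catches entries that were copied in Notes slash form and would never match a Domino name.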
2. If users have Person documents in the Domino Directory, make the following edits to them. Person documents are optional for Web users who are not Lotus® iNotes® users.
Tab: Basics
Field: Internet Address
Value: Value of the mail attribute in the user's Active Directory account
Comment:
  • Used to link the Web user's Person document to the Active Directory user account.

Tab: Basics
Field: Internet Password (HTTPPassword)
Value: None (recommended) or <password-hash>
Comment:
  • If desired, remove the password so that users' Active Directory passwords are used for Internet access that requires password verification.
  • When the password is removed, set directory access to prevent users from adding passwords themselves.
  • When the password is removed, Domino verifies user passwords in Active Directory in situations when Windows single sign-on is not available.
3. If users have Domino Person documents but you do not include their Domino Internet passwords in them, disable the following Internet password settings in users' effective Security Settings policy document:
Tab: Password Management Basics
Field: Allow Users to Change Internet Password over HTTP
Value: No
Comment:
  • The default behavior is Yes. If there is no Security Settings policy document specified for users, create one in order to change the default behavior.

Tab: Password Management Basics
Field: Update Internet Password When Notes client Password Changes
Value: No
Comment: --

Tab: Password Management Basics
Field: Enforce Password Expiration
Value: Disabled or Notes Only
Comment: --
4. Specify the following setting in the Server documents of participating Domino servers:
Tab: Security - Internet Access
Field: Internet authentication
Value: Fewer name variations with higher security
Comment: --
5. If some SSO servers are authenticating users against Active Directory, specify the following setting in the Web SSO Configuration document:
Tab: Basics - Token Configuration
Field: Map names in LTPA tokens
Value: Enabled
Comment:
  • Used to map Active Directory distinguished names in SSO LTPA tokens to Notes distinguished names for determining user access to Domino resources.
  • Used to ensure functioning SSO at servers that authenticate the user against Active Directory.