Lotus Domino Administrator 8.5 Help - Configuring user name mapping when you manage Domino users through Active Directory

SECURITY

Configuring user name mapping when you manage Domino users through Active Directory
Follow the steps in this topic to configure user name mapping for a Windows single sign-on environment if you manage Lotus® Domino® user information primarily through Active Directory. This configuration requires you to add users' Notes distinguished names to Active Directory user accounts.

1. In a directory assistance database, create an LDAP directory assistance document to use to connect to the Active Directory server. The following table describes the most important fields to configure in the document.

Tab Field Value Comment

Basics Make this domain available to Notes Clients and Internet Authentication/Authorization

Required
LDAP Clients is optional

Basics Group Authorization Yes or No

Select Yes if you want to use Active Directory groups in database ACLs.

Basics Attribute to be used as name in an SSO token $DN

Required only if there is an IBM® WebSphere® SSO server authenticating users against Active Directory so that users' LTPA tokens contain their Active Directory names.
Requires "Map names in LTPA token" to be enabled in the Web SSO Configuration document.
Ensures proper SSO operation for servers that authenticate users against Active Directory.

Basics - SSO configuration Windows single sign-on for Web clients Enabled

Enables efficient name lookups based on users' Active Directory logon (Kerberos) names. In combination with "Attribute to be used as Notes Distinguished Name", allows the user's Kerberos identity to be associated with the Domino name.

Basics - SSO configuration Kerberos realm Active Directory domain

Specify in upper case characters, for example, AD.ACME.COM.

Naming Contexts (Rules) Trusted for Credentials Yes --

LDAP Attribute to be used as Notes Distinguished Name <attribute>

Attribute in Active Directory that stores users' Notes distinguished names.
A directory administrator may need to extend the Active Directory schema to add an attribute for this name if there is no existing attribute that already contains the Notes distinguished name. Alternatively it may be feasible to use the altSecurityIdentities attribute, if not already in use for another purpose.
A directory synchronization tool such as IBM® Tivoli® Directory Integrator can be used to populate the attribute with the Notes names.
The value stored in the attribute must adhere to valid distinguished name syntax. In Active Directory use LDAP comma (,) separators in the Notes names rather than the Notes forward slash (/) separators; for example:
cn=Betty Zechman,ou=Marketing,o=Renovations
rather than
cn=Betty Zechman/ou=Marketing/o=Renovations

Used to link this Active Directory record to a Notes distinguished name for determining user access to Domino resources.

LDAP Type of search filter to use Active Directory --

2. If users have Person documents in the Domino Directory, make the following edits to them. Person documents are optional for Web users who are not Lotus® iNotes® users.

Tab Field Value Comment

Basics Internet Address Value of the mail attribute in the user' Active Directory account

Used to link Web user Person document to the Active Directory user account.

Basics Internet Password
(HTTPPassword)
None (recommended)
Or
<password-hash>

If desired, remove the password to use user's Active Directory passwords for Internet access that requires user password verification.
When password removed, set directory access to prevent users from adding passwords themselves.
When password removed, Domino verifies user passwords in Active Directory in situations when Windows single sign-on is not available.

3. If users have Domino Person documents but you do not include their Domino Internet passwords in them, disable the following Internet password settings in users' effective Security Settings policy document:

Tab Field Value Comment

Password Management Basics Allow Users to Change Internet Password over HTTP No

The default behavior is Yes. If there is no Security Settings policy document specified for users, create one in order to change the default behavior.

Password Management Basics Update Internet Password When Notes client Password Changes No --

Password Management Basics Enforce Password Expiration Disabled
or
Notes Only
--

4. Specify the following setting in the Server documents of participating Domino servers:

Tab Field Value Comment

Security - Internet Access Internet authentication Fewer name variations with higher security --

5. If some SSO servers are authenticating users against Active Directory, specify the following setting in the Web SSO Configuration document:

Tab Field Value Comment

Basics - Token Configuration Map names in LTPA tokens Enabled

Used to map Active Directory distinguished names in SSO LTPA tokens to Notes distinguished names for determining user access to Domino resources.
Used to ensure functioning SSO at servers that authenticate the user against Active Directory.

Related topics

Creating a Directory Assistance document for a remote LDAP directory

Creating a security policy settings document

Creating a Web SSO configuration document

Configuring user name mapping in a Windows single sign-on for Web clients environment

Access levels in the ACL

Troubleshooting Windows single sign-on for Web clients

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Tab	Field	Value	Comment
Basics	Make this domain available to	Notes Clients and Internet Authentication/Authorization	Required LDAP Clients is optional
Basics	Group Authorization	Yes or No	Select Yes if you want to use Active Directory groups in database ACLs.
Basics	Attribute to be used as name in an SSO token	$DN	Required only if there is an IBM® WebSphere® SSO server authenticating users against Active Directory so that users' LTPA tokens contain their Active Directory names. Requires "Map names in LTPA token" to be enabled in the Web SSO Configuration document. Ensures proper SSO operation for servers that authenticate users against Active Directory.
Basics - SSO configuration	Windows single sign-on for Web clients	Enabled	Enables efficient name lookups based on users' Active Directory logon (Kerberos) names. In combination with "Attribute to be used as Notes Distinguished Name", allows the user's Kerberos identity to be associated with the Domino name.
Basics - SSO configuration	Kerberos realm	Active Directory domain	Specify in upper case characters, for example, AD.ACME.COM.
Naming Contexts (Rules)	Trusted for Credentials	Yes	--
LDAP	Attribute to be used as Notes Distinguished Name	<attribute>	Attribute in Active Directory that stores users' Notes distinguished names. A directory administrator may need to extend the Active Directory schema to add an attribute for this name if there is no existing attribute that already contains the Notes distinguished name. Alternatively it may be feasible to use the altSecurityIdentities attribute, if not already in use for another purpose. A directory synchronization tool such as IBM® Tivoli® Directory Integrator can be used to populate the attribute with the Notes names. The value stored in the attribute must adhere to valid distinguished name syntax. In Active Directory use LDAP comma (,) separators in the Notes names rather than the Notes forward slash (/) separators; for example: cn=Betty Zechman,ou=Marketing,o=Renovations rather than cn=Betty Zechman/ou=Marketing/o=Renovations Used to link this Active Directory record to a Notes distinguished name for determining user access to Domino resources.
LDAP	Type of search filter to use	Active Directory	--