Lotus Domino Administrator 8.5 Help - Creating a Directory Assistance document for a remote LDAP directory

DIRECTORY SERVICES

Creating a Directory Assistance document for a remote LDAP directory
To set up directory assistance for a remote LDAP directory, create a Directory Assistance document for the directory in a directory assistance database as follows. Make sure you have read about directory assistance services and concepts.

1. Make sure you have created and replicated a directory assistance database and have set up servers to use it.

2. If you are using the remote LDAP directory for any purpose other than LDAP service referrals, use the TCP/IP ping utility to test that the IBM® Lotus® Domino® servers that will use the LDAP directory can connect to the remote LDAP directory server.

3. From the Domino Administrator, choose File - Open Server, select a server that you have set up to use the directory assistance database, and click OK.

4. Click the Configuration tab.

5. In the left pane, expand Directory - Directory Assistance. If you see "Server Error: File does not exist," the server you selected in step 4 is not set up to use the directory assistance database.

6. Click Add Directory Assistance.

7. On the Basics tab, complete these fields:

Field Enter

Domain type Choose LDAP.

Domain name A domain name of your choice that is different from the domain name specified for any other Directory Assistance document - Notes or LDAP - in the directory assistance database. For more information, see the topic "Directory assistance and domain names."

Company name (Optional) The name of the company associated with this directory. Multiple Directory Assistance documents can use the same company name.

Search order (Optional) A number affecting the order in which servers search or refer LDAP clients to this directory relative to other directories configured in the directory assistance database. For more information, see the topic "How naming rules relate to directory search orders."

Make this domain available to Choose one or both:

"Notes clients and Internet Authentication/Authorization" to use this LDAP directory for Notes mail addressing, Internet client authentication (including LDAP client authentication), or to look up the members of groups for database authorization. For group authorization, you must also enable "Group Authorization" (see below).
"LDAP Clients" to enable a server running the LDAP service to refer LDAP clients to this LDAP directory when an LDAP search is not succesful in any Domino Directory.

Group Authorization Choose one:

Yes to search the members of groups in this LDAP directory when authorizing database access.
No (default) to prevent searching the member of groups in the directory when authorizing database access.
Choose Yes for only one directory, Notes or LDAP, configured in the directory assistance database.
You do not have to enable a rule that is "Trusted for Credentials."
If you select Yes, in the "Nested group expansion" field that appears choose one:

Yes (default) to search nested groups -- groups that are members of groups listed in database ACLs.
No to search only the members of groups listed in database ACLs, and not the members of groups nested within those groups.
For more information on group authorization, see the topic "Directory assistance and group lookups for database authorization."

Use exclusively for Group Authorization or Credential Authentication Note This item is only visible if Group Authorization has been enabled for this directory, or if at least one rule has "Trusted" enabled.
Choose Yes to allow directory assistance to use this directory exclusively for Group Authorization or Credential Authentication. Enabling this will minimize the number of non-authentication and non-authorization lookups to this directory.
For more information, see the topic "Limiting directories to authentication-only lookups."

Enabled Choose Yes to enable directory assistance for this LDAP directory.
Note You can also enable and disable directory assistance for this directory from the main view of the Directory Assistance database. Select the directory assistance record for the directory and, on the toolbar, click Enable/Disable.

Attribute to be used as name in an SSO token (map to Notes LTPA_UserNm) Enter the name of the directory attribute that should be returned when the LTPA_UserNm field is requested. This value is used as the user name in any SSO token generated by Domino.
For more information about name mapping in the LTPA token used for single sign-on, see the topic "Configuring user name mappings in the SSO LTPA token."

8. On the Naming Contexts (Rules) tab, for each rule you want to define for the directory, complete the following fields. By default, an all-asterisk rule is enabled with "Trusted for Credentials" set to No.

Field Enter

N.C. # Enter a naming context (rule) that describes the user names in the LDAP directory. For more information, see the topic "Directory assistance and naming rules.

Enabled Choose one:

Yes to enable a rule
No (default) to disable a rule

Trusted for Credentials Choose one:

Yes to allow servers to use credentials in the LDAP directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule.
No (default) to prevent servers from using this directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule.
For more information, see the topic "Trusted naming rules."

9. On the LDAP tab, complete the fields in the table below.

LDAP configuration wizard

It can be challenging to configure Directory Assistance to both successfully and efficiently communicate with foreign LDAP servers, as administrators must be familiar with LDAP and the schema and design of the foreign LDAP server. This tab features wizard functionality to help guide administrators in creating directory assistance LDAP configuration documents. Several fields on this tab have been set up to help adminstrators find and verify the required information for the field.

Clicking Suggest or Verify causes one or more agents to run on the Domino server and in many cases communicate with an LDAP server. It is assumed that the Directory Assistance database being configured is running on the server and is not a local replica.

Clicking Suggest opens a dialog box in which administrators can ask for suggested values by clicking Start. The suggested values are then populated in a list box. The administrator can either select the values and click OK, or simply cancel. Selected values are automatically copied into the Directory Assistance document. This is useful when configuring the Directory Assistance record for the first time.

Clicking Verify opens a dialog box that allows the administrator to verify that the current setting works correctly. This is useful both when verifying first-time Directory Assistance configurations, and for verifying that existing configurations continue to operate correctly.

Field Enter

Hostname The host name for the remote LDAP directory server -- for example, ldap.acme.com. A Domino server uses this host name to connect to the remote LDAP directory server, or to refer LDAP clients to the LDAP directory.
Click Suggest to open a dialog box that will enable you to look up the hostnames of any LDAP servers listed in your DNS.
Click Verify to open a dialog box that verifies that each hostname is an active LDAP server.
Or
Enter an additional host name or host names so that a Domino server can use an alternate LDAP directory server if the directory server represented by the first host name specified is unavailable. Separate host names with commas, semicolons, or by entering each host name on a new line.
If you specify more than one directory server and each listens on a different port, specify the ports after the host names. For example:
ldap1.acme.com:390, ldap2.acme.com:391
Port values entered in this field override those specified in the Port field. If no port is specified in this field, then the value specified in the Port field will be used.
Note IPv6 addresses are also supported for use in this field. However, it is important to note that if an IPv6 address is specified in this field, than the Directory Assistance database should not be used by a pre-7.0 servers, as they do not support IPv6.

Optional Authentication Credential (Optional) Below "Optional Authentication Credential," enter a user name and a password for a Domino server to present when it connects to the remote LDAP directory server. The LDAP directory server uses the name and password to authenticate the Domino server. If you don't specify a name and password, a Domino server attempts to connect anonymously.
Click Verify to open a dialog box that verifies that the user name and password you entered is valid on each hostname.
For more information, see the topic "Specifying a name and password for Domino servers in a Directory Assistance document for a remote LDAP directory."
This setting may affect change detection for LDAP servers. For more information, see the topic "Special considerations for change detection."

Base DN for search A search base, if the LDAP directory server requires one. For example:
o=Ace Industry
o=Ace Industry,c=US
Click Suggest to open a dialog box that enables you to search each hostname for likely search bases.
Click Verify to open a dialog box that enables you to verify that the search base is accessible on each hostname using the configured credentials.
This setting may affect change detection for LDAP servers. For more information, see the topic "Special considerations for change detection.

Channel encryption Choose one:

SSL (the default) to use SSL when a Domino server connects to the remote LDAP directory server
None to prevent SSL from being used.
Keep SSL selected in the "Channel encryption" field if you use the remote LDAP directory for client authentication or to look up the members of groups for database authorization.
If you choose SSL, make selections in these associated fields:

"Accept expired SSL certificates"
"SSL protocol version"
"Verify server name with remote server's certificate"
For more information, see the next topic "Configuring SSL in a Directory Assistance document for a remote LDAP directory."

Port The port number Domino servers use to connect to the remote LDAP directory server.

If you choose SSL in the "Channel encryption" field, the default port is 636.
If you choose None in the "Channel encryption" field, the default port is 389.
If the LDAP directory server doesn't use one of these default ports, enter a different port number manually.

Timeout The maximum number of seconds allowed for a search of the remote LDAP directory; default is 60 seconds.
If the remote LDAP directory server also has a timeout setting, the lower setting takes precedence.

Maximum number of entries returned The maximum number of entries the LDAP directory server can return for a name for which a Domino server searches. If the LDAP directory server also has a maximum setting, the lower setting takes precedence. If the LDAP directory server times out, it returns the number of names found up to that point.
Default is 100.

Dereference alias on search Choose one to control the extent to which alias dereferencing occurs during searches of the remote LDAP directory:

"Never"
"Only for subordinate entries"
"Only for search base entries"
"Always" (default)
If aliases are not used in the LDAP directory, selecting "Never" can improve search performance.
For more information, see the topic "Configuring alias dereferencing in a Directory Assistance document for a remote LDAP directory."

Preferred mail format If directory assistance is set up to allow Notes users to address mail to users in an LDAP directory, use this option to specify the format of addresses from the directory to be used in Notes mail. Choose one:

"Notes Mail Address" - for example, John Doe/Acme@Acme. Typically, this option is used only when the LDAP directory is a Domino Directory.
"Internet Mail Address" (default) - for example, jdoe@acme.com.
For more information, see the earlier topic "Notes mail addressing using a remote LDAP directory."

Attribute to be used as Notes Distinguished Name (Optional) If a Domino server uses the remote LDAP directory for client authentication or for database authorization, optionally map users' LDAP directory distinguished names to corresponding Notes distinguished names.
Click Verify to open a dialog box that enables you to verify that there is at least one object containing the Notes DN attribute on each hostname, using the configured credentials under the specified base.
For information, see the topic "Using Notes distinguished names in a remote LDAP directory."

Type of search filter to use Choose one to control which LDAP search filters are used to search the directory:

Standard LDAP (default)
Active Directory
Domino LDAP
IBM Directory Server
Custom
"Standard LDAP" works in most situations.
Click Suggest to open a dialog box that searches each hostname for the most likely type of search filter to use.
Click Verify to open a dialog box that verifies that the chosen search filter type is appropriate for each hostname.
Note The options "Domino LDAP" and "IBM Directory Server" allow the LDAP Gateway to take advantage of any special capabilities belonging to a given LDAP server. Once these capabilities are determined, LDAP clients can then decide whether to take advantage of them. For example, the LDAP server can now serve up new attributes in its root directory server entries (DSE) to directly support LDAP client detection of dominoAccessGroups capabilities.
For more information, see the topic "Configuring search filters in a Directory Assistance document for a remote LDAP directory."

1. Click Save & Close.

2. If you changed the Group Authorization field:

Wait for the change to replicate to all the servers that use the directory assistance database, or force the replication.
Use the Restart Server console command to stop and restart each server that uses directory assistance for group authorization, so each server detects the change.

Related topics

Directory assistance services

Directory assistance concepts

Creating and replicating a directory assistance database

Directory assistance and domain names

Directory assistance and naming rules

Directory assistance and group lookups for database authorization

Limiting directories to authentication-only lookups

Configuring user name mapping in the SSO LTPA token

Directory assistance and failover for a remote LDAP directory

Specifying a name and password for Domino servers in a Directory Assistance document for a remote LDAP directory

Special considerations for change detection

Configuring SSL in a Directory Assistance document for a remote LDAP directory

Configuring alias dereferencing in a Directory Assistance document for a remote LDAP directory

Directory assistance and Notes mail addressing

Setting up directory assistance

Using Notes distinguished names in a remote LDAP directory

Configuring search filters in a Directory Assistance document for a remote LDAP directory

Directory assistance

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Field	Enter
Domain type	Choose LDAP.
Domain name	A domain name of your choice that is different from the domain name specified for any other Directory Assistance document - Notes or LDAP - in the directory assistance database. For more information, see the topic "Directory assistance and domain names."
Company name	(Optional) The name of the company associated with this directory. Multiple Directory Assistance documents can use the same company name.
Search order	(Optional) A number affecting the order in which servers search or refer LDAP clients to this directory relative to other directories configured in the directory assistance database. For more information, see the topic "How naming rules relate to directory search orders."
Make this domain available to	Choose one or both: "Notes clients and Internet Authentication/Authorization" to use this LDAP directory for Notes mail addressing, Internet client authentication (including LDAP client authentication), or to look up the members of groups for database authorization. For group authorization, you must also enable "Group Authorization" (see below). "LDAP Clients" to enable a server running the LDAP service to refer LDAP clients to this LDAP directory when an LDAP search is not succesful in any Domino Directory.
Group Authorization	Choose one: Yes to search the members of groups in this LDAP directory when authorizing database access. No (default) to prevent searching the member of groups in the directory when authorizing database access. Choose Yes for only one directory, Notes or LDAP, configured in the directory assistance database. You do not have to enable a rule that is "Trusted for Credentials." If you select Yes, in the "Nested group expansion" field that appears choose one: Yes (default) to search nested groups -- groups that are members of groups listed in database ACLs. No to search only the members of groups listed in database ACLs, and not the members of groups nested within those groups. For more information on group authorization, see the topic "Directory assistance and group lookups for database authorization."
Use exclusively for Group Authorization or Credential Authentication	Note This item is only visible if Group Authorization has been enabled for this directory, or if at least one rule has "Trusted" enabled. Choose Yes to allow directory assistance to use this directory exclusively for Group Authorization or Credential Authentication. Enabling this will minimize the number of non-authentication and non-authorization lookups to this directory. For more information, see the topic "Limiting directories to authentication-only lookups."
Enabled	Choose Yes to enable directory assistance for this LDAP directory. Note You can also enable and disable directory assistance for this directory from the main view of the Directory Assistance database. Select the directory assistance record for the directory and, on the toolbar, click Enable/Disable.
Attribute to be used as name in an SSO token (map to Notes LTPA_UserNm)	Enter the name of the directory attribute that should be returned when the LTPA_UserNm field is requested. This value is used as the user name in any SSO token generated by Domino. For more information about name mapping in the LTPA token used for single sign-on, see the topic "Configuring user name mappings in the SSO LTPA token."

Field	Enter
N.C. #	Enter a naming context (rule) that describes the user names in the LDAP directory. For more information, see the topic "Directory assistance and naming rules.
Enabled	Choose one: Yes to enable a rule No (default) to disable a rule
Trusted for Credentials	Choose one: Yes to allow servers to use credentials in the LDAP directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule. No (default) to prevent servers from using this directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule. For more information, see the topic "Trusted naming rules."

Field	Enter
Hostname	The host name for the remote LDAP directory server -- for example, ldap.acme.com. A Domino server uses this host name to connect to the remote LDAP directory server, or to refer LDAP clients to the LDAP directory. Click Suggest to open a dialog box that will enable you to look up the hostnames of any LDAP servers listed in your DNS. Click Verify to open a dialog box that verifies that each hostname is an active LDAP server. Or Enter an additional host name or host names so that a Domino server can use an alternate LDAP directory server if the directory server represented by the first host name specified is unavailable. Separate host names with commas, semicolons, or by entering each host name on a new line. If you specify more than one directory server and each listens on a different port, specify the ports after the host names. For example: `ldap1.acme.com:390, ldap2.acme.com:391` Port values entered in this field override those specified in the Port field. If no port is specified in this field, then the value specified in the Port field will be used. Note IPv6 addresses are also supported for use in this field. However, it is important to note that if an IPv6 address is specified in this field, than the Directory Assistance database should not be used by a pre-7.0 servers, as they do not support IPv6.
Optional Authentication Credential	(Optional) Below "Optional Authentication Credential," enter a user name and a password for a Domino server to present when it connects to the remote LDAP directory server. The LDAP directory server uses the name and password to authenticate the Domino server. If you don't specify a name and password, a Domino server attempts to connect anonymously. Click Verify to open a dialog box that verifies that the user name and password you entered is valid on each hostname. For more information, see the topic "Specifying a name and password for Domino servers in a Directory Assistance document for a remote LDAP directory." This setting may affect change detection for LDAP servers. For more information, see the topic "Special considerations for change detection."
Base DN for search	A search base, if the LDAP directory server requires one. For example: o=Ace Industry o=Ace Industry,c=US Click Suggest to open a dialog box that enables you to search each hostname for likely search bases. Click Verify to open a dialog box that enables you to verify that the search base is accessible on each hostname using the configured credentials. This setting may affect change detection for LDAP servers. For more information, see the topic "Special considerations for change detection.
Channel encryption	Choose one: SSL (the default) to use SSL when a Domino server connects to the remote LDAP directory server None to prevent SSL from being used. Keep SSL selected in the "Channel encryption" field if you use the remote LDAP directory for client authentication or to look up the members of groups for database authorization. If you choose SSL, make selections in these associated fields: "Accept expired SSL certificates" "SSL protocol version" "Verify server name with remote server's certificate" For more information, see the next topic "Configuring SSL in a Directory Assistance document for a remote LDAP directory."
Port	The port number Domino servers use to connect to the remote LDAP directory server. If you choose SSL in the "Channel encryption" field, the default port is 636. If you choose None in the "Channel encryption" field, the default port is 389. If the LDAP directory server doesn't use one of these default ports, enter a different port number manually.
Timeout	The maximum number of seconds allowed for a search of the remote LDAP directory; default is 60 seconds. If the remote LDAP directory server also has a timeout setting, the lower setting takes precedence.
Maximum number of entries returned	The maximum number of entries the LDAP directory server can return for a name for which a Domino server searches. If the LDAP directory server also has a maximum setting, the lower setting takes precedence. If the LDAP directory server times out, it returns the number of names found up to that point. Default is 100.
Dereference alias on search	Choose one to control the extent to which alias dereferencing occurs during searches of the remote LDAP directory: "Never" "Only for subordinate entries" "Only for search base entries" "Always" (default) If aliases are not used in the LDAP directory, selecting "Never" can improve search performance. For more information, see the topic "Configuring alias dereferencing in a Directory Assistance document for a remote LDAP directory."
Preferred mail format	If directory assistance is set up to allow Notes users to address mail to users in an LDAP directory, use this option to specify the format of addresses from the directory to be used in Notes mail. Choose one: "Notes Mail Address" - for example, John Doe/Acme@Acme. Typically, this option is used only when the LDAP directory is a Domino Directory. "Internet Mail Address" (default) - for example, jdoe@acme.com. For more information, see the earlier topic "Notes mail addressing using a remote LDAP directory."
Attribute to be used as Notes Distinguished Name	(Optional) If a Domino server uses the remote LDAP directory for client authentication or for database authorization, optionally map users' LDAP directory distinguished names to corresponding Notes distinguished names. Click Verify to open a dialog box that enables you to verify that there is at least one object containing the Notes DN attribute on each hostname, using the configured credentials under the specified base. For information, see the topic "Using Notes distinguished names in a remote LDAP directory."
Type of search filter to use	Choose one to control which LDAP search filters are used to search the directory: Standard LDAP (default) Active Directory Domino LDAP IBM Directory Server Custom "Standard LDAP" works in most situations. Click Suggest to open a dialog box that searches each hostname for the most likely type of search filter to use. Click Verify to open a dialog box that verifies that the chosen search filter type is appropriate for each hostname. Note The options "Domino LDAP" and "IBM Directory Server" allow the LDAP Gateway to take advantage of any special capabilities belonging to a given LDAP server. Once these capabilities are determined, LDAP clients can then decide whether to take advantage of them. For example, the LDAP server can now serve up new attributes in its root directory server entries (DSE) to directly support LDAP client detection of dominoAccessGroups capabilities. For more information, see the topic "Configuring search filters in a Directory Assistance document for a remote LDAP directory."