Configuring user name mapping when you manage Domino users through Domino Directory
Follow the steps in this topic to configure user name mapping for a Windows® single sign-on environment if you manage Lotus® Domino® user information primarily through Domino Directory. You might want to use a directory synchronization tool such as IBM® Tivoli® Directory Integrator to populate required Active Directory information into Domino.

Perform the following steps:

1. Make the following edits to participating Web users' Person documents in the Domino Directory.

Tab: Basics
Field: User name (FullName)
Value: Two-part Active Directory logon name
Comment:
  • Specify the logon name shown in the user's Active Directory account user interface.
  • Specify it as the third or subsequent name in this field.
  • Use the exact case shown in Active Directory for the first name part. Use upper case for the second name part, regardless of the case shown in Active Directory. For example: bzechman@AD1.SUBNET2.RENOVATIONS.COM
  • You can optionally add the name to the krbPrincipalName field too (see below).
  • Used to link this Person record to the Active Directory Kerberos identity.

Tab: Basics
Field: User name (FullName)
Value: User's distinguished name in Active Directory
Comment:
  • Required only if there is an IBM® WebSphere® SSO server authenticating users against Active Directory, so that users' LTPA tokens contain their Active Directory names.
  • Add this name after the other names that already exist in the field.
  • Use the exact character case that is used in Active Directory.
  • Use Notes forward slash (/) separators in the Active Directory name rather than LDAP comma (,) separators; for example:
    uid=bzechman/ou=marketing/dc=renovations/dc=com
    rather than
    uid=bzechman,ou=marketing,dc=renovations,dc=com
  • Used to map Active Directory distinguished names in SSO LTPA tokens to Notes distinguished names for determining user access to Domino resources.

Tab: Basics
Field: Internet Password (HTTPPassword)
Value: <password-hash>
Comment:
  • If Domino uses directory assistance to connect to the Active Directory server, this user password must be different from the user password in Active Directory.
  • Enables Domino to verify user passwords in the Domino Directory in situations when Windows single sign-on is not available.

Tab: Administration (Client Information section)
Field: Active Directory (Kerberos) logon name (krbPrincipalName)
Value: Two-part Active Directory logon name
Comment:
  • Optional for this field.
  • Specify the logon name shown in the user's Active Directory account user interface.
  • See the first row in this table for more information on this name.
  • If specified in this field, add the following setting to the server NOTES.INI file to enable the value to be found in this field in the Domino Directory or in any secondary directory accessed through directory assistance:
    WIDE_SEARCH_FOR_KERBEROS_NAMES=1
  • If specified in this field, create a full-text index for the Domino Directory to optimize searches of this field.

Tab: Administration (Client Information section)
Field: LTPA user name
Value: User's distinguished name in Active Directory
Comment:
  • Required only if there is an IBM WebSphere SSO server authenticating users against Active Directory, so that users' LTPA tokens contain their Active Directory names.
  • Used to map Active Directory distinguished names in SSO LTPA tokens to Notes distinguished names for determining user access to Domino resources.
2. If some SSO servers are authenticating users against Active Directory, specify the following setting in the Web SSO Configuration document:

Tab: Basics - Token Configuration
Field: Map names in LTPA tokens
Value: Enabled
Comment:
  • Ensures proper SSO operation for servers that authenticate users against Active Directory.
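The name-formatting rules in step 1 (logon name with an upper-case realm placed third or later in the User name field, Active Directory distinguished name rewritten with Notes slash separators and unchanged character case) are easy to get subtly wrong when a synchronization tool populates many Person documents at once. The following helpers are an added example, not IBM's code and not part of Domino or Tivoli Directory Integrator; they build the User name (FullName) entries from an Active Directory account and check an existing field for the mistakes the table warns about. The Person record and Active Directory values are constructed for illustration, and the function names are the example's own. The DN converter goes slightly beyond the page's example by honouring RFC 4514 backslash-escaped commas inside a value.

```python
"""Prepare and check the User name (FullName) entries that a Domino
Person document needs for Windows single sign-on, following the rules
in the table above.

Added example; this is not IBM's code and not part of Domino or Tivoli
Directory Integrator.  The Person record and Active Directory account
used below are constructed for illustration."""
from typing import List, Optional


def normalize_kerberos_logon_name(logon_name: str) -> str:
    """Return the two-part AD logon name as Domino expects it: the user
    part keeps the exact case shown in AD, the realm part is upper-cased
    regardless of how AD displays it."""
    user, sep, realm = logon_name.partition("@")
    if not sep or not user or not realm or "@" in realm:
        raise ValueError(f"expected user@REALM, got {logon_name!r}")
    return f"{user}@{realm.upper()}"


def split_ldap_dn(dn: str) -> List[str]:
    """Split an LDAP DN into RDNs on unescaped commas (RFC 4514), so a
    backslash-escaped comma inside a value stays with its RDN."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def ldap_dn_to_notes_form(dn: str) -> str:
    """Rewrite an LDAP comma-separated DN with Notes forward-slash
    separators, preserving character case exactly as AD shows it."""
    rdns = split_ldap_dn(dn)
    for rdn in rdns:
        # Notes would read a slash inside a value as another separator,
        # so refuse to produce an ambiguous name rather than guess.
        if "/" in rdn:
            raise ValueError(f"RDN {rdn!r} contains '/', cannot convert safely")
    return "/".join(rdns)


def build_fullname_field(existing_names: List[str], ad_logon_name: str,
                         ad_dn: Optional[str] = None) -> List[str]:
    """Append the AD names after the Notes names already in the field.
    The AD logon name must land in position three or later, so the
    field must already hold at least two Notes names."""
    if len(existing_names) < 2:
        raise ValueError("FullName must already hold the Notes hierarchical and common names")
    names = list(existing_names)
    krb = normalize_kerberos_logon_name(ad_logon_name)
    if krb not in names:
        names.append(krb)
    if ad_dn is not None:            # only needed with a WebSphere SSO server
        notes_dn = ldap_dn_to_notes_form(ad_dn)
        if notes_dn not in names:
            names.append(notes_dn)
    return names


def check_fullname_field(names: List[str]) -> List[str]:
    """Report entries that break the table's rules.  Returns one
    finding per problem, empty if the field looks correct."""
    findings = []
    for pos, name in enumerate(names, start=1):
        if "@" in name:
            realm = name.partition("@")[2]
            if pos < 3:
                findings.append(f"entry {pos}: AD logon name must be the third or later name")
            if realm != realm.upper():
                findings.append(f"entry {pos}: realm part of {name!r} must be upper case")
        elif "=" in name and "," in name and "/" not in name:
            findings.append(f"entry {pos}: {name!r} uses LDAP commas; use Notes '/' separators")
    return findings


if __name__ == "__main__":
    # Constructed Person record: Notes hierarchical name and common name,
    # plus the AD account values a sync tool such as TDI would supply.
    person = ["CN=Bob Zechman/O=Renovations", "Bob Zechman"]
    field = build_fullname_field(person, "bzechman@ad1.subnet2.renovations.com",
                                 "uid=bzechman,ou=marketing,dc=renovations,dc=com")
    for entry in field:
        print(entry)
    print("findings:", check_fullname_field(field))
```

Running the module prints the four entries the field should hold for the constructed user and an empty findings list; feeding check_fullname_field a record in which the logon name sits in position two with a lower-case realm, or in which the DN still uses commas, returns one finding per defect, which is a convenient post-sync sanity check before relying on Windows single sign-on.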
Note: If you use a separate IBM® application to manage Internet access to Domino, for example IBM® Tivoli® Access Manager WebSEAL reverse proxy or IBM® WebSphere® DataPower security gateway, the application can be set up to authenticate the Internet user against the user's Active Directory record rather than the Domino Person document. In this case: