Lotus Domino Administrator 8.5 Help - Configuring user name mapping when you manage Domino users through Domino Directory

SECURITY

Configuring user name mapping when you manage Domino users through Domino Directory
Follow the steps in this topic to configure user name mapping for a Windows® single sign-on environment if you manage Lotus® Domino® user information primarily through Domino Directory. You might want to use a directory synchronization tool such as IBM® Tivoli® Directory Integrator to populate required Active Directory information into Domino.

Perform the following steps:

1. Make the following edits to participating Web users' Person documents in the Domino Directory.

Tab Field Value Comment

Basics User name
(FullName)
Two-part Active Directory logon name

Specify the logon name shown in the user's Active Directory account user interface.
Specify as the third or subsequent name in this field.
Use exact case shown in Active Directory for the first name part. Use upper case for the second name part, regardless of case shown in Active Directory.
For example: bzechman@AD1.SUBNET2.RENOVATIONS.COM

Can optionally add name to krbPrincipalName field too (see below).
Used to link this Person record to the Active Directory Kerberos identity.

Basics User name (FullName) User's distinguished name in Active Directory

Required only if there is an IBM® WebSphere® SSO server authenticating users against Active Directory so that users' LTPA tokens contain their Active Directory names.
Add this name after the other names that already exist in the field.
Use the exact character case that is used in Active Directory.
Use Notes forward slash (/) separators in the Active Directory name rather than LDAP comma (,) separators; for example:
uid=bzechman/ou=marketing/dc=renovations/dc=com
rather than
uid=bzechman,ou=marketing,dc=renovations,dc=com

Used to map Active Directory distinguished names in SSO LTPA tokens to Notes distinguished names for determining user access to Domino resources.

Basics Internet Password (HTTPPassword) <password-hash>

If Domino uses directory assistance to connect to the Active Directory server, this user password must be different than the user password in Active Directory.
Enables Domino to verify user passwords in the Domino Directory in situations when Windows single sign-on is not available.

Administration (Client Information section) Active Directory (Kerberos) logon name
(krbPrincipalName)
Two-part Active Directory logon name

Optional for this field.
Specify the logon name shown in the user's Active Directory account user interface.
See the first row in this table for more information on this name.
If specified in this field, add the following setting to the server NOTES.INI file to enable the value to be found in this field in Domino Directory or in any secondary directory accessed through directory assistance:
WIDE_SEARCH_FOR_KERBEROS_NAMES=1

If specified in this field, create a full-text index for the Domino Directory to optimize searches of this field.

Administration (Client Information section) LTPA user name User's distinguished name in Active Directory

Required only if there is an IBM WebSphere SSO server authenticating users against Active Directory so that users' LTPA tokens contain their Active Directory names.
Used to map Active Directory distinguished names in SSO LTPA tokens to Notes distinguished names for determining user access to Domino resources.

2. If some SSO servers are authenticating users against Active Directory, specify the following setting in the Web SSO Configuration document:

Tab Field Value Comment

Basics - Token Configuration Map names in LTPA tokens Enabled

Ensures proper SSO operation for servers that authenticate users against Active Directory.

Note If you use a separate IBM® application to manage Internet access to Domino, for example IBM® Tivoli® Access Manager WebSEAL reverse proxy or IBM® WebSphere® DataPower security gateway, the application can be set up to authenticate the Internet user against the user's Active Directory record rather than the Domino Person document. In this case:

Specifying a password in the Internet Password (HTTPPassword) field in the Domino Person document is optional in Step 1. Neither Windows single sign-on for Web clients nor Internet authentication managed by the IBM application use this field.
If the IBM application always creates the LTPA token on behalf of the user, completing the "LTPA user name" field in Step 1 and Step 2 is optional.

Configuring user name mapping in a Windows single sign-on for Web clients environment

Troubleshooting Windows single sign-on for Web clients

Setting up Windows single sign-on for Web clients

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Tab	Field	Value	Comment
Basics	User name (FullName)	Two-part Active Directory logon name	Specify the logon name shown in the user's Active Directory account user interface. Specify as the third or subsequent name in this field. Use exact case shown in Active Directory for the first name part. Use upper case for the second name part, regardless of case shown in Active Directory. For example: bzechman@AD1.SUBNET2.RENOVATIONS.COM Can optionally add name to krbPrincipalName field too (see below). Used to link this Person record to the Active Directory Kerberos identity.
Basics	User name (FullName)	User's distinguished name in Active Directory	Required only if there is an IBM® WebSphere® SSO server authenticating users against Active Directory so that users' LTPA tokens contain their Active Directory names. Add this name after the other names that already exist in the field. Use the exact character case that is used in Active Directory. Use Notes forward slash (/) separators in the Active Directory name rather than LDAP comma (,) separators; for example: uid=bzechman/ou=marketing/dc=renovations/dc=com rather than uid=bzechman,ou=marketing,dc=renovations,dc=com Used to map Active Directory distinguished names in SSO LTPA tokens to Notes distinguished names for determining user access to Domino resources.
Basics	Internet Password (HTTPPassword)	<password-hash>	If Domino uses directory assistance to connect to the Active Directory server, this user password must be different than the user password in Active Directory. Enables Domino to verify user passwords in the Domino Directory in situations when Windows single sign-on is not available.
Administration (Client Information section)	Active Directory (Kerberos) logon name (krbPrincipalName)	Two-part Active Directory logon name	Optional for this field. Specify the logon name shown in the user's Active Directory account user interface. See the first row in this table for more information on this name. If specified in this field, add the following setting to the server NOTES.INI file to enable the value to be found in this field in Domino Directory or in any secondary directory accessed through directory assistance: WIDE_SEARCH_FOR_KERBEROS_NAMES=1 If specified in this field, create a full-text index for the Domino Directory to optimize searches of this field.
Administration (Client Information section)	LTPA user name	User's distinguished name in Active Directory	Required only if there is an IBM WebSphere SSO server authenticating users against Active Directory so that users' LTPA tokens contain their Active Directory names. Used to map Active Directory distinguished names in SSO LTPA tokens to Notes distinguished names for determining user access to Domino resources.