With IBM Domino and IBM XWork Server you can set up web authentication against an external LDAP such as Microsoft Active Directory. This is useful if you are deploying a web application and your users are already in an external directory. In this blog post I will show you how to set this up.
- Create a Directory Assistance application on the server based on the Directory Assistance application template
- Edit the server document in the Domino Directory and add the path to the Directory Assistance application from step 1 to the Directory Assistance database name field on the Basics tab
- Create a new Directory Assistance document in the Directory Assistance application and fill out the following:
  - Domain type: LDAP
  - Domain name: Company domain (notice: the domain name in the Directory Assistance document MUST NOT be the same as the Domino domain!)
  - Company name: Company name
  - Naming Contexts (Rules) - Trusted for Credentials: Yes (this is the setting that lets Domino verify web users' names and passwords against this directory; without it the directory is only used for lookups)
  - Hostname: host name of the Microsoft Active Directory server (tip: use the Verify button to check access to the host)
  - Optional authentication credential for search: If Active Directory does not allow anonymous LDAP searches, add the username and password of an account that can read the directory. A dedicated, read-only account is enough; do not use a privileged administrator account here, since the credential is stored on the Domino server.
  - LDAP vendor: Active Directory
  - Base DN for search: DC=company,DC=com (use the Suggest button to find the correct format)
  - Channel encryption: SSL or none. Use SSL whenever possible: with "none", every web user's Active Directory password is sent in cleartext in the LDAP bind between the Domino server and the domain controller. (Notice: if changing from SSL to none, make sure that Naming Contexts (Rules) - Trusted for Credentials is not changed from Yes to No.)
- Restart your server
It's now time to test your LDAP configuration. Start by creating a new application with access control set to Reader for Default and No Access for Anonymous. Try to access the application from a browser and you will be prompted for credentials. Now log on using a valid Active Directory username and password. If your Directory Assistance setup is working, you will be able to access the application. Congratulations - you can now deploy your web application and have users authenticate using Microsoft Active Directory, without having any user details stored on the IBM Domino/IBM XWork server! Note that the browser sends the Active Directory password to the Domino server with every request, so serve the application over HTTPS.
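The browser test above can be scripted, which is handy when checking several servers or repeating the test after each configuration change. The script below is an added example and is not part of the original post or of Domino itself. It assumes the Domino HTTP task is using its default basic name-and-password authentication (an anonymous request to the protected application returns HTTP 401 with a `WWW-Authenticate: Basic` header); with session (form-based) authentication enabled, the anonymous request returns a login page instead and this check does not apply. The URL, user name and password are placeholders.

```python
"""Scripted version of the browser test for Domino web authentication via
Directory Assistance: request the application anonymously, expect an HTTP 401
Basic challenge, then retry with an Active Directory credential.

Added example, not code from the original post. Assumes basic authentication
on the Domino HTTP task; URL and credentials are placeholders."""
from __future__ import annotations

import base64
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value a browser sends after the login prompt."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def fetch(url: str, headers: dict | None = None) -> tuple[int, dict]:
    """GET url and return (status, lower-cased response headers) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def diagnose(anon_status: int, anon_www_auth: str | None, auth_status: int) -> str:
    """Interpret the anonymous and authenticated probes.

    Pure function so the decision logic can be tested without a server:
      anonymous-allowed     -> the ACL did not deny Anonymous (or session auth is on)
      no-basic-challenge    -> no 401/Basic challenge, so the test does not apply
      credentials-rejected  -> challenge worked but Domino rejected the AD user:
                               Directory Assistance lookup or bind is failing
      ok                    -> Active Directory credentials were accepted
    """
    if anon_status == 200:
        return "anonymous-allowed"
    if anon_status != 401 or not anon_www_auth or not anon_www_auth.lower().startswith("basic"):
        return "no-basic-challenge"
    if auth_status == 200:
        return "ok"
    if auth_status == 401:
        return "credentials-rejected"
    return f"unexpected-{auth_status}"


def check_app(url: str, username: str, password: str) -> str:
    """Run both probes against a live server and return the diagnosis string."""
    if urlparse(url).scheme != "https":
        # Basic auth only base64-encodes the password; over plain HTTP it is readable on the wire.
        print("WARNING: plain HTTP in use, the Active Directory password is sent unencrypted")
    anon_status, anon_headers = fetch(url)
    www_auth = anon_headers.get("www-authenticate")
    auth_status, _ = fetch(url, {"Authorization": basic_auth_header(username, password)})
    return diagnose(anon_status, www_auth, auth_status)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_domino_auth.py https://domino.company.com/test.nsf AD_USER AD_PASSWORD")
    print(check_app(sys.argv[1], sys.argv[2], sys.argv[3]))
```

A result of `credentials-rejected` is the case the troubleshooting steps that follow are for: the ACL and HTTP challenge are fine, but Domino could not validate the user against Active Directory. `anonymous-allowed` means the test application's ACL, not Directory Assistance, needs attention first.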
If authentication fails, start by issuing the "show xdir" command on the server console. You should see two entries in the list: the first one pointing to the Domino Directory (names.nsf) and the second one pointing to your LDAP configuration. If the LDAP entry is missing, the Directory Assistance database name in the server document or the Directory Assistance document itself is the problem, not Active Directory.
You can also enable debug messages for web authentication on the server console by issuing "set conf webauth_verbose_trace=1". The trace shows which directory each name lookup went to and why it failed. Turn it off again with "set conf webauth_verbose_trace=0" once you are done troubleshooting, since it is noisy and logs details of every web logon attempt.