Authenticating your IBM Domino and IBM XWork Server web apps against Active Directory (LDAP)

August 28th, 2014

With IBM Domino and IBM XWork Server you can set up web authentication against an external LDAP such as Microsoft Active Directory. This is useful if you are deploying a web application and your users are already in an external directory. In this blog post I will show you how to set this up.

  1. Create a Directory Assistance application on the server based on the Directory Assistance application template
  2. Edit the server document in the Domino Directory and add the path to the Directory Assistance application from step 1 to the Directory Assistance database name field on the Basics tab
  3. Create a new Directory Assistance document in the Directory Assistance application and fill out the following:
    1. Domain type: LDAP
    2. Domain name: Company domain (notice: the domain name in the Directory Assistance document MUST not be equal to the Domino domain!)
    3. Company name: Company name
    4. Naming Contexts (Rules) - Trusted for Credentials: Yes
    5. Hostname: host name of Microsoft Active Directory (tip: use the Verify button to check access to the host)
    6. Optional authentication credential for search: If the Active Directory does not allow anonymous LDAP searches, then add username and password for a user with access to Active Directory
    7. LDAP vendor: Active Directory
    8. Base DN for search: DC=company,DC=com (use the Suggest button to find the correct format)
    9. Channel encryption: SSL or none (notice: if changing from SSL to none make sure that Naming Contexts (Rules) - Trusted for Credentials is not changed from Yes to No)
  4. Restart your server

It's now time to test your your LDAP configuration. Start by creating a new application with access control set to Readers for Default and No Access for Anonymous. Try to access the application from a browser and you will be prompted for credentials. Now logon using a valid username and password. You will be able to access the application if your Directory Assistance setup is working. Congratulations - you can now deploy your web application and have users authenticate using Microsoft Active Directory - without having any user details stored on the IBM Domino/IBM XWork server!

If authentication fails, you should start with issuing the "show xdir" command on the server console. You should see two entries in the list - the first one pointing to the Domino directory (names.nsf) and the second one pointing to your LDAP configuration.

You can also use the webauth_verbose_trace=1 option to enable debug messages on the server console by issuing "set conf webauth_verbose_trace=1" on the server console.

Tags: , ,

6 Responses to “Authenticating your IBM Domino and IBM XWork Server web apps against Active Directory (LDAP)”

  1. Thierry Says:

    Thanks for sharing this.
    What about licensing ?
    As I know, for "per users" licensing, IBM uses a tool that count the number of entries in names.nsf with a certificate or an http password

  2. Per Henrik Lausten Says:

    Thierry, good point.

    The license to IBM XWork Server gives you unlimited authenticated users.

    For IBM Domino you need a proper license - either through client access licenses for each user or through a server license.

  3. Sean Cull Says:

    Hi Per,

    have you managed to get name pickers working from AD via LDAP ?
    I struggled with this and for this and other reasons use a process to create names in the nab from AD but use LDAP for the actual authentication

    Thanks, Sean

  4. Per Henrik Lausten Says:

    Hi Sean, yes I have a working solution that fetches names from LDAP and presents in the name picker. Perhaps I should blog about it? 🙂

  5. Sean Cull Says:

    that would be good, is it just using dirassist or is it coded ?

    thanks, Sean

  6. Per Henrik Lausten Says:

    It is coded using Java as a bean name picker and connects to AD to get a list of names.