Authenticating your IBM Domino and IBM XWork Server web apps against Active Directory (LDAP)
August 28th, 2014
With IBM Domino and IBM XWork Server you can set up web authentication against an external LDAP directory such as Microsoft Active Directory. This is useful if you are deploying a web application and your users already exist in an external directory: the web server asks Active Directory to verify the username and password instead of keeping its own copy of the users. In this blog post I will show you how to set this up.
1. Create a Directory Assistance application on the server based on the Directory Assistance application template (da.ntf).
2. Edit the server document in the Domino Directory and enter the path to the Directory Assistance application from step 1 in the Directory Assistance database name field on the Basics tab.
3. Create a new Directory Assistance document in the Directory Assistance application and fill out the following:
   - Domain type: LDAP
   - Domain name: company domain (notice: the domain name in the Directory Assistance document must NOT be the same as the Domino domain!)
   - Company name: company name
   - Naming Contexts (Rules) - Trusted for Credentials: Yes (without this the LDAP directory is used for lookups only and never for authenticating web users)
   - Hostname: host name of the Active Directory domain controller (tip: use the Verify button to check that the host can be reached)
   - Optional authentication credential for search: if Active Directory does not allow anonymous LDAP searches (which is the default), enter the username and password of an account that can read the directory. Use a dedicated, read-only account with no other rights; its password is stored in the Directory Assistance document, so treat that database as sensitive.
   - LDAP vendor: Active Directory
   - Base DN for search: DC=company,DC=com (use the Suggest button to find the correct format)
   - Channel encryption: SSL or none. With none, both the search credential and every web user's password travel to Active Directory in cleartext, so use SSL (LDAPS) unless the link between the two servers is protected some other way; the Domino server must trust the certificate the domain controller presents. (notice: if changing from SSL to none, make sure that Naming Contexts (Rules) - Trusted for Credentials is not changed from Yes to No)
4. Restart your server.
It's now time to test your LDAP configuration. Start by creating a new application with its ACL set to Reader for -Default- and No Access for Anonymous. Try to access the application from a browser and you will be prompted for credentials. Now log on using a valid Active Directory username and password. If your Directory Assistance setup is working, you will be granted access to the application. Congratulations - you can now deploy your web application and have users authenticate against Microsoft Active Directory, without storing any Person documents for them on the IBM Domino/IBM XWork server!
If authentication fails, start by issuing the "show xdir" command on the server console. You should see two entries in the list: the first one pointing to the Domino Directory (names.nsf) and the second one pointing to your LDAP configuration. If the LDAP entry is missing, the server is not reading the Directory Assistance database named in the server document.
You can also enable debug messages for web authentication on the server console by issuing "set config webauth_verbose_trace=1". The trace logs every web login attempt and which directory answered it, so it gets noisy on a busy server; set it back to 0 when you are done.
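The Directory Assistance document fields above and the login test are easier to reason about if you see the LDAP exchange they drive: bind with the optional search credential, search the Base DN for exactly one entry matching the login name, then simple-bind as that entry with the web user's password. The following is an added example (not code from the original post and not Domino's own implementation) that models that sequence in outline against an in-memory stand-in for Active Directory, constructed here so it runs without a server. The attribute names it matches the login name against (sAMAccountName, userPrincipalName, mail, cn), the sample DNs, accounts and passwords are all assumptions for the example.

```python
import re

# ---- LDAP filter construction (RFC 4515 escaping) ---------------------------
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_filter(login_name):
    """Match the login name against the attributes chosen for this example.
    Escaping stops a name such as '*' or '*)(objectClass=*' from widening the search."""
    v = escape_filter_value(login_name)
    return f"(|(sAMAccountName={v})(userPrincipalName={v})(mail={v})(cn={v}))"

def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

_EQ = re.compile(r"\((\w+)=([^()]*)\)")

# ---- In-memory stand-in for an Active Directory LDAP server (constructed) ----
class FakeAD:
    def __init__(self, entries, allow_anonymous_search=False):
        # entries: DN -> attributes; each entry also carries "password" for simple bind
        self.entries = {dn: {k.lower(): v for k, v in a.items()} for dn, a in entries.items()}
        self.allow_anonymous_search = allow_anonymous_search

    def _entry(self, dn):
        return next((a for d, a in self.entries.items() if d.lower() == dn.lower()), None)

    def bind(self, dn, password):
        """Simple bind. Models AD behaviour: a DN with an EMPTY password is an
        unauthenticated bind that succeeds as anonymous (RFC 4513 5.1.2),
        so a client must never forward an empty password."""
        if dn is None or password == "":
            return True
        entry = self._entry(dn)
        return entry is not None and entry["password"] == password

    def search(self, bound_as, base, flt):
        """Return DNs under `base` matching an OR-of-equality filter."""
        if bound_as is None and not self.allow_anonymous_search:
            raise PermissionError("anonymous search refused (Active Directory default)")
        # a bare '*' is a wildcard; an escaped '\2a' is a literal asterisk
        terms = [(a.lower(), v == "*", _unescape(v)) for a, v in _EQ.findall(flt)]
        hits = []
        for dn, attrs in self.entries.items():
            if not dn.lower().endswith(base.lower()):
                continue
            if any(attr in attrs and (wild or attrs[attr].lower() == want.lower())
                   for attr, wild, want in terms):
                hits.append(dn)
        return hits

# ---- The login sequence Directory Assistance performs on the server's behalf -
def authenticate(ad, base_dn, login_name, password, search_dn=None, search_pw=None):
    """Returns the user's DN on success, None when the name or password is wrong.
    Raises if the search credential itself is rejected (a configuration error)."""
    if not password:
        return None  # never forward an empty password: it would bind anonymously
    if search_dn is not None and not ad.bind(search_dn, search_pw):
        raise RuntimeError("search credential rejected: check the DA document")
    matches = ad.search(search_dn, base_dn, user_filter(login_name))
    if len(matches) != 1:
        return None  # unknown name, or ambiguous: never pick one of several
    user_dn = matches[0]
    return user_dn if ad.bind(user_dn, password) else None

# ---- Constructed sample directory: one read-only search account, two users ---
BASE_DN = "DC=company,DC=com"
SEARCH_DN, SEARCH_PW = "CN=svc-domino,OU=Service,DC=company,DC=com", "S3rv1ce-0nly"
DIRECTORY = FakeAD({
    SEARCH_DN: {"sAMAccountName": "svc-domino", "password": SEARCH_PW},
    "CN=Jane Doe,OU=Users,DC=company,DC=com": {
        "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@company.com",
        "mail": "jane.doe@company.com", "cn": "Jane Doe", "password": "Pa55w0rd!"},
    "CN=John Roe,OU=Users,DC=company,DC=com": {
        "sAMAccountName": "jroe", "userPrincipalName": "jroe@company.com",
        "mail": "john.roe@company.com", "cn": "John Roe", "password": "Hunter2!"},
})

def login(login_name, password, anonymous_search=False):
    """anonymous_search=True leaves out the search credential, as when the
    'Optional authentication credential for search' field is empty."""
    if anonymous_search:
        return authenticate(DIRECTORY, BASE_DN, login_name, password)
    return authenticate(DIRECTORY, BASE_DN, login_name, password, SEARCH_DN, SEARCH_PW)

if __name__ == "__main__":
    print(login("jdoe", "Pa55w0rd!"))                 # Jane's DN
    print(login("jane.doe@company.com", "Pa55w0rd!"))  # same user, by mail
    print(login("jdoe", "wrong"))                     # None
    print(login("jdoe", ""))                          # None: empty password refused
    print(login("*", "Pa55w0rd!"))                    # None: wildcard is escaped
    try:
        login("jdoe", "Pa55w0rd!", anonymous_search=True)
    except PermissionError as e:
        print("anonymous search:", e)                 # what you hit without a search credential
```

The three outcomes worth mapping back to the configuration are: a PermissionError from the search step corresponds to an empty "Optional authentication credential for search" field against an Active Directory that refuses anonymous searches; a RuntimeError corresponds to a wrong search username or password in the Directory Assistance document; a plain None is a wrong login name or password for the web user. Against a real domain controller the same steps can be reproduced by hand with `ldapsearch -H ldaps://<host> -D '<search account>' -W -b 'DC=company,DC=com' '(sAMAccountName=jdoe)'` followed by a bind as the DN returned.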