Authenticating your IBM Domino and IBM XWork Server web apps against Active Directory (LDAP)

With IBM Domino and IBM XWork Server you can set up web authentication against an external LDAP such as Microsoft Active Directory. This is useful if you are deploying a web application and your users are already in an external directory. In this blog post I will show you how to set this up.

  1. Create a Directory Assistance application on the server based on the Directory Assistance application template
  2. Edit the server document in the Domino Directory and add the path to the Directory Assistance application from step 1 to the Directory Assistance database name field on the Basics tab
  3. Create a new Directory Assistance document in the Directory Assistance application and fill out the following:
    1. Domain type: LDAP
    2. Domain name: Company domain (notice: the domain name in the Directory Assistance document MUST not be equal to the Domino domain!)
    3. Company name: Company name
    4. Naming Contexts (Rules) – Trusted for Credentials: Yes
    5. Hostname: host name of Microsoft Active Directory (tip: use the Verify button to check access to the host)
    6. Optional authentication credential for search: If the Active Directory does not allow anonymous LDAP searches, then add username and password for a user with access to Active Directory
    7. LDAP vendor: Active Directory
    8. Base DN for search: DC=company,DC=com (use the Suggest button to find the correct format)
    9. Channel encryption: SSL or none (notice: if changing from SSL to none make sure that Naming Contexts (Rules) – Trusted for Credentials is not changed from Yes to No)
  4. Restart your server
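Why the Channel encryption choice in step 3.9 matters, as an added example that is not part of the original post: it BER-encodes an LDAPv3 simple BindRequest (RFC 4511) and then runs a small detector of the kind you could apply to payloads captured on TCP 389. It assumes the bind to Active Directory is an LDAP simple bind; the service account DN, password and function names are constructed for illustration.

```python
# Constructed sample values; the base DN follows the post's DC=company,DC=com.
SAMPLE_DN = "CN=svc-domino,OU=Service,DC=company,DC=com"
SAMPLE_PW = "Constructed-Pw-1"

def tlv(tag, value):
    """BER tag-length-value, definite length (short form, or long form >= 128)."""
    n = len(value)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value

def ber_int(n):
    """BER INTEGER for a non-negative value."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def simple_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }."""
    op = ber_int(3) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, op))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def cleartext_simple_bind(payload):
    """Bind DN if payload is a simple BindRequest carrying a password, else None."""
    try:
        tag, msg, _ = read_tlv(payload, 0)
        _, _, pos = read_tlv(msg, 0)            # skip messageID
        op_tag, op, _ = read_tlv(msg, pos)
        if (tag, op_tag) != (0x30, 0x60):
            return None
        _, _, pos = read_tlv(op, 0)             # skip version
        _, dn, pos = read_tlv(op, pos)
        auth_tag, secret, _ = read_tlv(op, pos)
    except IndexError:
        return None                             # truncated or not BER at all
    return dn.decode(errors="replace") if auth_tag == 0x80 and secret else None

if __name__ == "__main__":
    packet = simple_bind_request(1, SAMPLE_DN, SAMPLE_PW)
    print(SAMPLE_PW.encode() in packet, cleartext_simple_bind(packet))
```

With Channel encryption set to none the password bytes sit unmodified inside the packet, so the detector returns the bind DN; with SSL the same port-389 check sees nothing because the bind travels inside the TLS session.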

It’s now time to test your LDAP configuration. Start by creating a new application with access control set to Readers for Default and No Access for Anonymous. Try to access the application from a browser and you will be prompted for credentials. Now log on using a valid username and password. You will be able to access the application if your Directory Assistance setup is working. Congratulations – you can now deploy your web application and have users authenticate using Microsoft Active Directory – without having any user details stored on the IBM Domino/IBM XWork server!

If authentication fails, start by issuing the “show xdir” command on the server console. You should see two entries in the list – the first one pointing to the Domino directory (names.nsf) and the second one pointing to your LDAP configuration.

You can also use the webauth_verbose_trace=1 option to enable debug messages on the server console by issuing “set conf webauth_verbose_trace=1” on the server console.

XPages and Domino 9.0.1 FP2: upgrades to CKEditor and Dojo

IBM released fix pack 2 for Domino and XWork Server 9.0.1 this week. Among many fixes it includes the following fix:

SPR# TMGN9KJTEB – Adds Internet Explorer 11 support for xPages

I asked Brian Gleeson from the IBM Dublin team what exactly this means, and he responded that it covers an upgrade of CKEditor from 3.6.x to 4.3.2 and an upgrade of Dojo from 1.8.3 to 1.9.2.

One issue I have seen so far with CKEditor 4.3.2 is that the “Insert image” button called ‘Image’ in a custom toolbar is different from the standard “Insert image” button used if you use the default toolbar. Instead, you need to use ‘IbmImage’ as the name of the image button.

The latest CKEditor adds a spell check option – either through the default toolbar or by adding ‘IbmSpellChecker’ to your custom toolbar. It’s great that the CKEditor in XPages finally adds that facility. Here it is in action:

[Image: CKEditor spell checker]

With the new CKEditor the ‘toolbarType’ Dojo attribute no longer works. Instead use ‘toolbar’ as Dojo attribute with Slim, Medium, Large and Full as possible values.

Submit your session abstracts for the DanNotes 52nd conference

The 52nd DanNotes conference takes place on November 19-20, 2014. I am part of the organizers team and we are hard at work planning the conference and have opened for session abstract submissions. If you are interested in speaking at the conference, please register and submit your session abstract.

We are looking for business related sessions, technical sessions, case stories and more – and we are looking for speakers from all over the world.

One important point: DanNotes will take care of your travel and accommodation expenses! So what are you waiting for? 🙂