With IBM Domino and IBM XWork Server you can set up web authentication against an external LDAP such as Microsoft Active Directory. This is useful if you are deploying a web application and your users are already in an external directory. In this blog post I will show you how to set this up.
- Create a Directory Assistance application on the server based on the Directory Assistance application template
- Edit the server document in the Domino Directory and add the path to the Directory Assistance application from step 1 to the Directory Assistance database name field on the Basics tab
- Create a new Directory Assistance document in the Directory Assistance application and fill out the following:
  - Domain type: LDAP
  - Domain name: Company domain (notice: the domain name in the Directory Assistance document MUST not be equal to the Domino domain!)
  - Company name: Company name
  - Naming Contexts (Rules) – Trusted for Credentials: Yes
  - Hostname: host name of Microsoft Active Directory (tip: use the Verify button to check access to the host)
  - Optional authentication credential for search: If the Active Directory does not allow anonymous LDAP searches, then add the username and password of a user with access to Active Directory
  - LDAP vendor: Active Directory
  - Base DN for search: DC=company,DC=com (use the Suggest button to find the correct format)
  - Channel encryption: SSL or none (notice: if changing from SSL to none, make sure that Naming Contexts (Rules) – Trusted for Credentials is not changed from Yes to No)
- Restart your server
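As an added example (not code from the original post, from IBM Domino, or from any Directory Assistance template), here is a small Python script that turns the constraints listed in the steps above into pre-flight checks you can run over the values you intend to put in the Directory Assistance document before restarting the server. The dataclass, the function names and the sample values are assumptions; the check that the host name lies inside the DNS domain implied by the Base DN is a heuristic added here, not a Domino rule, and is reported only as a warning.

```python
"""
Pre-flight checks for an IBM Domino Directory Assistance (LDAP) document.

Added example, not from the original post: encodes the constraints the post
lists for the Directory Assistance document so they can be checked before the
server is restarted. Field names mirror the document fields; the dataclass,
the function names and the sample values are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DirectoryAssistanceDoc:
    domain_type: str                 # "LDAP"
    domain_name: str                 # must differ from the Domino domain
    company_name: str
    trusted_for_credentials: bool    # Naming Contexts (Rules) - Trusted for Credentials
    hostname: str                    # Active Directory host
    base_dn: str                     # e.g. "DC=company,DC=com"
    ldap_vendor: str = "Active Directory"
    channel_encryption: str = "SSL"  # "SSL" or "none"
    search_user: str = ""            # optional credential for search
    search_password: str = ""


# One relative distinguished name: attribute=value (simple form, no escaping).
_RDN = re.compile(r"^(DC|OU|CN|O)=([^,=]+)$", re.IGNORECASE)


def parse_base_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'DC=company,DC=com' into [('DC', 'company'), ('DC', 'com')].

    Raises ValueError on anything that is not a plain comma-separated list
    of attribute=value pairs (escaped commas are deliberately not handled).
    """
    parts = []
    for rdn in dn.split(","):
        m = _RDN.match(rdn.strip())
        if not m:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((m.group(1).upper(), m.group(2).strip()))
    return parts


def dns_domain_from_dn(dn: str) -> str:
    """Join the DC components of a base DN into a DNS name, e.g. company.com."""
    return ".".join(value for attr, value in parse_base_dn(dn) if attr == "DC")


def check_da_document(doc: DirectoryAssistanceDoc, domino_domain: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; severity is 'error' or 'warning'."""
    findings = []
    if doc.domain_type.strip().upper() != "LDAP":
        findings.append(("error", "Domain type must be LDAP"))
    if doc.domain_name.strip().lower() == domino_domain.strip().lower():
        findings.append(("error", "Domain name must not be equal to the Domino domain"))
    if not doc.trusted_for_credentials:
        findings.append(("error", "Trusted for Credentials must be Yes, or web logons are not accepted"))
    if not doc.hostname.strip():
        findings.append(("error", "Hostname is empty"))
    try:
        dns_domain = dns_domain_from_dn(doc.base_dn)
        if not dns_domain:
            findings.append(("error", "Base DN has no DC= components"))
        elif not doc.hostname.lower().endswith(dns_domain.lower()):
            # Heuristic (an assumption of this example): the AD host usually
            # lives in the DNS domain that the DC= components spell out.
            findings.append(("warning", f"Hostname is not inside {dns_domain}, the domain implied by the Base DN"))
    except ValueError as exc:
        findings.append(("error", f"Base DN is malformed: {exc}"))
    encryption = doc.channel_encryption.strip().lower()
    if encryption not in ("ssl", "none"):
        findings.append(("error", "Channel encryption must be SSL or none"))
    elif encryption == "none":
        # Permitted by Domino, but every web logon and the search credential
        # then cross the network to the LDAP host unencrypted.
        findings.append(("warning", "Channel encryption is none: passwords travel in clear text"))
    if bool(doc.search_user) != bool(doc.search_password):
        findings.append(("error", "Search credential needs both a username and a password"))
    return findings


def is_deployable(doc: DirectoryAssistanceDoc, domino_domain: str) -> bool:
    """True when the document has no 'error' findings (warnings are allowed)."""
    return not any(sev == "error" for sev, _ in check_da_document(doc, domino_domain))


if __name__ == "__main__":
    # Constructed sample values, not a real directory.
    sample = DirectoryAssistanceDoc("LDAP", "company.com", "Company", True,
                                    "dc01.company.com", "DC=company,DC=com")
    for severity, message in check_da_document(sample, "DominoDomain") or [("ok", "no findings")]:
        print(f"{severity}: {message}")
```

Run it with your own values before the restart; an empty result means the document satisfies every rule the steps above state, and a warning about channel encryption is the one to read twice on a production server.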
It’s now time to test your LDAP configuration. Start by creating a new application with access control set to Readers for Default and No Access for Anonymous. Try to access the application from a browser and you will be prompted for credentials. Now log on using a valid username and password. You will be able to access the application if your Directory Assistance setup is working. Congratulations – you can now deploy your web application and have users authenticate using Microsoft Active Directory – without having any user details stored on the IBM Domino/IBM XWork server!
If authentication fails, you should start with issuing the “show xdir” command on the server console. You should see two entries in the list – the first one pointing to the Domino directory (names.nsf) and the second one pointing to your LDAP configuration.
You can also enable debug messages for web authentication on the server console by issuing “set conf webauth_verbose_trace=1” on the server console.
Thanks for sharing this.
What about licensing ?
As far as I know, for “per user” licensing, IBM uses a tool that counts the number of entries in names.nsf with a certificate or an HTTP password.
Thierry, good point.
The license to IBM XWork Server gives you unlimited authenticated users.
For IBM Domino you need a proper license – either through client access licenses for each user or through a server license.
Hi Per,
have you managed to get name pickers working from AD via LDAP?
I struggled with this, and for this and other reasons I use a process to create names in the NAB from AD but use LDAP for the actual authentication.
Thanks, Sean
Hi Sean, yes I have a working solution that fetches names from LDAP and presents in the name picker. Perhaps I should blog about it? 🙂
That would be good. Is it just using dirassist or is it coded?
thanks, Sean
It is coded using Java as a bean name picker and connects to AD to get a list of names.