1900 – Configuring Domino to Be an LDAP Directory and to Use an LDAP Directory Rob Fox, Paul Godby, & Moacyr Mallemont
Copyright IBM Corporation 2006. All Rights Reserved. This presentation is intended to assist IBM SWG Sales and their business partners in understanding IBM Software marketing tactics, sales tactics, and our direction during 2006. This presentation can be used in sales situations except individual charts labeled VENDOR CONFIDENTIAL or IBM CONFIDENTIAL, in which case they should be considered confidential under the practices in place in your firm and under any existing agreements with IBM regarding disclosure of confidential information. For questions or to request permission for any other use of the information or distribution of the presentation, please contact any member of the IBM software sales team.
1900 – part I - Configuring Domino for LDAP By Rob Fox & Paul Godby January 20 th , 2006 – 10:15 am
The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino servers Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
Objective The objective of this presentation is to provide you with the following: Basic understanding of LDAP Understanding of proper usage of LDAP How LDAP relates to Lotus Domino
The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
What is LDAP? LDAP stands for Lightweight Directory Assistance Protocol. It comes from the need for a smaller, less complex version of X.500, another Directory Access Protocol (DAP) for directory assistance. LDAP is much simpler to implement and develop for, and unlike X.500 it runs on top of TCP/IP. It is the de facto standard for client name lookups to a server, used by millions of corporations and billions of users*. *Statistic is made up. Did you know 56% of statistics are made up?
Who made LDAP? (hint – me) A bright young IBM engineer named Rob Fox. Okay, I lied. LDAP is an open standard defined by the Internet Engineering Task Force (IETF); the original LDAP server implementation came from the University of Michigan. The architecture is designed to the LDAP v3 specification. Replication and access control are not yet standardized in the LDAP v3 specification: LDUP (Lightweight Directory Update Protocol) is a draft, and access control is a working standard (no acronym).
What do we use LDAP for? Corporations need an “address book” of all names and groups within the company. All of these names and groups can be stored on a dedicated server called a “Directory Server” LDAP is the standard protocol for name & group lookup on a directory server A centralized LDAP Directory Server means all applications have access to one consistent name & address book.
The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
Anatomy of LDAP Connector Database full of Names and Addresses Magic Happy User My LDAP Directory Server Joe Mama Angie Daddy Terd Ferguson Art Major Rob Fox Travis Womack … .
Anatomy of LDAP LDAP consists of attributes, objects and values arranged in a hierarchy. Getting access to these objects is generally done by binding to the server and using search filters to find specific information. The LDAP structure can be created or modified by hand, or imported via a file called an ‘LDIF file’.
Anatomy of LDAP Objects are generally the people or groups stored in the LDAP directory. These are arranged in a hierarchical tree. Example: cn=us -> o=IBM -> ou=Lexington -> cn=Users -> uid=rfox would tell us that user rfox is in the Lexington group, which is part of the IBM organization in the US.
Anatomy of LDAP
Anatomy of LDAP An attribute is a specific item defined in an entry, and a value is the data that attribute holds. Example: givenname=Rob sn=Fox mail=rob_fox@us.ibm.com phonenumber=888-555-1212
Anatomy of LDAP
Anatomy of LDAP An LDIF is a file that has these objects and attributes already defined in a text format that can be imported into a directory server. Importing an LDIF is the easiest (and recommended) way to set up your own LDAP server. For Domino, use the LDIF Domino Upgrade Service in the Administration client to import users. The final location of the LDIF users in the LDAP tree is determined by the certifier ID used while importing. The service will not process LDIF group entries.
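The slide says the LDIF Domino Upgrade Service imports person entries but skips group entries, so it is worth knowing what is in an export before running it. The parser below is an added example, not code from the presentation or from Domino: it reads LDIF (comments, folded lines and base64 values), sorts entries into persons, groups and other by objectClass, and lists group members that do not resolve to a person in the same file. The LDIF text is constructed for the example; the objectClass names are the standard ones the deck mentions (inetOrgPerson, groupOfUniqueNames, groupOfNames).

```python
"""Parse an LDIF export and separate person entries from group entries.
Added example (not the presentation's or Domino's code); SAMPLE_LDIF is
a constructed export with one person, one group, a folded line and a
base64 ("::") value."""

import base64

SAMPLE_LDIF = """\
# constructed sample directory export
version: 1

dn: uid=rfox,cn=users,ou=lexington,o=ibm
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: rfox
cn: Rob Fox
sn: Fox
mail: rob_fox@us.ibm.com
description: Lexington lab,
 second line of a folded value
givenName:: Um9i

dn: cn=wpsadmins,cn=groups,ou=lexington,o=ibm
objectClass: top
objectClass: groupOfUniqueNames
cn: wpsadmins
uniqueMember: uid=rfox,cn=users,ou=lexington,o=ibm
"""

PERSON_CLASSES = {"person", "organizationalperson", "inetorgperson"}
GROUP_CLASSES = {"groupofuniquenames", "groupofnames"}


def parse_ldif(text: str) -> list[dict]:
    """Return one dict per entry: {"dn": str, "attrs": {name: [values]}}.

    Attribute names are lower-cased so lookups do not depend on the
    exporter's capitalisation.  A line starting with a single space
    continues the previous line (LDIF folding); "name:: value" is base64.
    """
    logical: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold: drop exactly one space
        else:
            logical.append(raw)

    entries: list[dict] = []
    current: dict | None = None
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():                # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        name = name.strip().lower()
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "version":
            continue
        if name == "dn":
            if current is not None:
                entries.append(current)
            current = {"dn": value, "attrs": {}}
            continue
        if current is None:
            raise ValueError(f"attribute before any dn: line: {line!r}")
        current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def classify(entries: list[dict]) -> dict[str, list[dict]]:
    """Bucket entries by objectClass: persons (importable), groups, other."""
    out: dict[str, list[dict]] = {"persons": [], "groups": [], "other": []}
    for entry in entries:
        classes = {c.lower() for c in entry["attrs"].get("objectclass", [])}
        if classes & GROUP_CLASSES:
            out["groups"].append(entry)
        elif classes & PERSON_CLASSES:
            out["persons"].append(entry)
        else:
            out["other"].append(entry)
    return out


def dangling_members(persons: list[dict], groups: list[dict]) -> list[tuple[str, str]]:
    """(group DN, member DN) pairs whose member is not a person in this file."""
    known = {p["dn"].lower() for p in persons}
    missing = []
    for group in groups:
        for attr in ("uniquemember", "member"):
            for member in group["attrs"].get(attr, []):
                if member.lower() not in known:
                    missing.append((group["dn"], member))
    return missing


if __name__ == "__main__":
    buckets = classify(parse_ldif(SAMPLE_LDIF))
    for kind, items in buckets.items():
        print(kind, [e["dn"] for e in items])
    print("dangling:", dangling_members(buckets["persons"], buckets["groups"]))
```

Run it against a real export before the import: the "groups" bucket is what you will have to recreate in the Domino Directory by hand, and any dangling member DN points at a person the export does not contain.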
Anatomy of LDAP
The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
Talking to an Existing LDAP There are only 3 things you need to consume data from an existing LDAP server: Fully qualified DNS name or IP address (and port if it’s not the default of 389) Base DN for searching Credentials Typically customers want to deploy applications and web servers using their existing LDAP in their infrastructure – so let’s see how to do that…
Get proper LDAP connection information Get the fully qualified DNS name and port:  The name and location of the server, and the port the LDAP service is listening on Get the base DN:  The first place in the LDAP hierarchy tree to begin looking for names Get a sample user name to bind to if necessary:  Determine if anonymous binding is allowed, and if the attributes needed are returned when bound anonymously.  If a user is needed, determine the format of the name and password to connect to the LDAP server Note: Active Directory typically will not list any users or groups if bound to anonymously
The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
The Pieces of an LDAP DN… Here is a standard user full distinguished name: uid=wpsadmin,ou=users,dc=lexington,o=ibm
The Pieces of an LDAP DN… uid=wpsadmin,cn=users,ou=lexington,o=ibm – reading left to right: user prefix, user suffix, org unit, base DN
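To work with the pieces the slides name (prefix attribute, user suffix, base DN) you need to split a DN correctly rather than on every comma, because an escaped comma inside a value is part of that value. The code below is an added example, not the presentation's or Domino's code: it splits a DN into RDNs honouring RFC 4514 backslash escapes, compares DNs case-insensitively, checks whether an entry sits under a given base DN, and names the pieces of the slide's DN relative to a base DN. The DNs are the slide's plus constructed variants.

```python
"""Split an LDAP DN into its pieces and locate the base DN inside it.
Added example, not code from the presentation.  Multi-valued RDNs ('+')
are not handled because none of the deck's DNs use them."""


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) pairs, honouring backslash escapes.

    "cn=Simpson\\, Homer,o=ibm" has two RDNs, not three: the escaped
    comma stays inside the cn value.  Types are lower-cased; values keep
    their case so they can be shown back to the user unchanged.
    """
    rdns: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i : i + 2])    # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def normalize(dn: str) -> str:
    """Canonical form for comparing DNs: lower-case, no spaces after commas."""
    return ",".join(f"{a}={v.lower()}" for a, v in split_dn(dn))


def is_under(dn: str, base_dn: str) -> bool:
    """True when base_dn is a proper suffix of dn, i.e. dn is in its subtree."""
    entry = split_dn(dn)
    base = split_dn(base_dn)
    if len(base) >= len(entry):
        return False
    tail = entry[len(entry) - len(base):]
    return [(a, v.lower()) for a, v in tail] == [(a, v.lower()) for a, v in base]


def pieces(dn: str, base_dn: str) -> dict[str, str]:
    """Name the parts the slide labels: prefix attribute, leaf value,
    user suffix (everything between the leaf and the base) and base DN."""
    if not is_under(dn, base_dn):
        raise ValueError(f"{dn} is not under {base_dn}")
    parts = split_dn(dn)
    n_base = len(split_dn(base_dn))
    prefix_attr, leaf_value = parts[0]
    suffix = parts[1 : len(parts) - n_base]
    return {
        "prefix": prefix_attr,
        "leaf": leaf_value,
        "user_suffix": ",".join(f"{a}={v}" for a, v in suffix),
        "base_dn": base_dn,
    }


if __name__ == "__main__":
    print(pieces("uid=wpsadmin,cn=users,ou=lexington,o=ibm", "ou=lexington,o=ibm"))
    print(is_under("cn=Simpson\\, Homer,cn=users,o=ibm", "O=IBM"))
```

The same split tells you what to put in an application's user suffix field: with base DN ou=lexington,o=ibm the suffix is cn=users, with base DN o=ibm it becomes cn=users,ou=lexington, which is exactly the "put the ou in front" situation the Workplace slides describe later.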
Acquire the proper tools… LDAPSearch utility Command-line utility shipped with Domino and Notes Softerra LDAP Browser or… Softerra LDAP Administrator or… Java based LDAP Browser (can import LDIF files) Found on Google
Using ldapsearch Can be used to search entries in any LDAP directory Connects to a directory server and returns results you specify Located in the Domino or Notes program directory
Using ldapsearch Syntax for ldapsearch: ldapsearch [parameters] searchfilter [attributes] – where -b is the base DN for your search, -D the user name to bind with, -w the password to bind with, -h the LDAP server name, and -p the port to query on the LDAP server
Using ldapsearch Sample usage of ldapsearch: Use an authenticated bind to search under the baseDN cn=users,ou=lexington,o=databeam for a user with the common name of Homer Simpson: ldapsearch -h ldapserver.databeam.com -p 389 -D "cn=wpsbind,cn=users,ou=lexington,o=databeam" -w password -b "cn=users,ou=lexington,o=databeam" "cn=Homer Simpson"
Configuring Softerra… Add a profile name Add the FQDN of the LDAP server Add the base DN desired (or fetch them) Add a binding name to verify the correct format of a user Note: If you can bind with a long LDAP name, then the application (Sametime, Workplace, etc) can find the user when configuration is complete – bind with users to verify they exist and are in the correct format!
Configuring Softerra…
Configuring Softerra…
Gather information about the LDAP user… Determine if you want to log in with ‘cn’ or ‘uid’ or another attribute. Make sure an objectclass such as ‘inetOrgPerson’ exists. Determine the email attribute – typically ‘mail’. Look for a unique identifier – IDS 5.1 uses ‘ibm-appuuid’, Domino 6.5.4+ uses ‘dominoUNID’. Most importantly – right click on the name to get the long LDAP name, for example: uid=wpsadmin,cn=users,dc=ibm,dc=com
Gather information about the LDAP user…
Gather information about the LDAP group… Determine what attribute designates the name of the group – typically ‘cn’. Determine the objectclass of the group – typically ‘groupOfUniqueNames’ or ‘groupOfNames’. Determine the member attribute name – typically ‘uniquemember’ or ‘member’. Make sure a unique identifier exists like ‘ibm-appuuid’. Again importantly: right click on the name to get the long LDAP name (full DN): cn=wpsadmins,cn=group,dc=ibm,dc=com
Gather information about the LDAP user…
The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
Configure Domino to use a remote LDAP directory Directory Assistance allows you to lookup information in a directory other than the local primary Domino directory Domino Directory, Extended Directory Catalog, LDAP Create a Directory Assistance document in the Directory Assistance database (often named da.nsf) The Active Directory Domino Upgrade Service (AD DUS) can be used in conjunction with the Active Directory Synchronization (AdSync) to maintain the same set of users in AD and Domino
Directory Assistance example
Domino 7 LDAP service improvements Improved performance LDAP server thread pooling DA LDAP miss caching DDM LDAP server health monitoring Addition of aliases Support of universal Notes Ids (UNID) New “dominoUNID” operational attribute Enhanced LDAP search Now work with IBM Workplace products that use the WebSphere Member Manager (WMM) service to access user/group objects.
Starting the Domino LDAP service The LDAP task runs automatically on the admin server for the primary Domino directory To start automatically: Edit the “ServerTasks” setting in Notes.ini to include LDAP To start manually: Enter “Load LDAP” on the Domino console
Enable/Disable write access to the directory By default, the LDAP service does not allow write access. To enable write access: open the directory using the Domino Admin Client, select the Servers > Configuration view, open the Configuration Settings document for the domain (create this document if it does not exist), on the LDAP tab set “Allow LDAP users write access” to Yes, then restart each server in the domain running the LDAP service.
The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
Using Domino as your LDAP server for Lotus Workplace… Add a ‘wpsadmin/domain’ user and ‘wpsadmins/domain’ group with Manager access to the Domino directory – make sure the username and groupname fields include the ‘/domain’ or they will NOT show up in Domino. Configure the wpconfig.properties file as before except do NOT fill out the LDAPSuffix (base DN) – rather, use the user and group suffix fields. If there is an ou, put that in front like ‘ou=lexington,o=databeam’.
Using Domino as your LDAP server for Lotus Workplace… Domino servers below 6.5.4 MUST do the following: Create a field called ‘dominoUNID’ in the Person, Group and Certifier forms with the computed text value of: @Text(@DocumentUniqueID) Create an agent to open/close/save all documents in the Domino Directory so the new field is computed and populated – verify the field shows up in LDAP by reloading the schema.
Using Domino as your LDAP server for Lotus Workplace… Edit <WP_root>\shared\app\wmm\wmm.xml and <WP_root>\wmm\wmmLDAPServerAttributes.xml  to use Domino attributes (including the one you just created) so WebSphere Member Manager will recognize users. Change the WAS Admin user search filter and user id map: User search filter:  (&(|(cn=%v)(mail=%v)(uid=%v))(objectclass=inetOrgPerson)) User ID map:  *:uid Restart all services and servers.. It should work!  (heh, yeah right)
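The WAS user search filter on this slide substitutes the login name for %v in three places. Whatever code does that substitution has to escape the value per RFC 4515, otherwise a login name containing "*" or parentheses changes the shape of the filter instead of being matched literally. The example below is added here and is not WebSphere's or Domino's code: it builds the slide's filter from a value with escaping, counts the assertions in the result to show the shape is unchanged, and does the post-lookup check that the returned entry really carries the requested value. Input values are constructed.

```python
"""Build the WAS user search filter from a login value with RFC 4515
escaping.  Added example, not WebSphere's or Domino's own code; the
template is the one on the slide, the input values are constructed."""

import re

USER_SEARCH_FILTER = "(&(|(cn=%v)(mail=%v)(uid=%v))(objectclass=inetOrgPerson))"


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value
    ('*', '(', ')', '\\' and NUL) as backslash + two hex digits."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(template: str, value: str) -> str:
    """Substitute the escaped value for every %v in the template."""
    return template.replace("%v", escape_filter_value(value))


def assertion_count(filter_str: str) -> int:
    """Number of '(attr=' assertions in a filter; a well-formed
    substitution never changes this number, whatever the input was."""
    return len(re.findall(r"\([A-Za-z][A-Za-z0-9-]*=", filter_str))


def matches_exactly(entry: dict[str, list[str]], value: str) -> bool:
    """Post-check on the returned entry: one of the searched attributes
    must equal the requested value (case-insensitively, as these
    attributes are compared in LDAP), so a wildcard or substring can
    never map a login to a different person."""
    wanted = value.lower()
    for attr in ("cn", "mail", "uid"):
        if any(v.lower() == wanted for v in entry.get(attr, [])):
            return True
    return False


if __name__ == "__main__":
    for login in ("wpsadmin", "Homer Simpson", "*"):
        built = build_filter(USER_SEARCH_FILTER, login)
        print(assertion_count(built), built)
```

Keep the user ID map (*:uid) in mind when reading the post-check: the filter may match on cn or mail, but the identity WAS records is the uid value of the entry returned, so the entry, not the login string, is what the rest of the system trusts.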
The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
Troubleshooting… Q.)  It doesn’t work. A.)  Sorry, works for me. Q.)  No Seriously… I followed all the steps for setting up Directory Assistance to an external LDAP directory, but user authentication still fails. A.)  Domino will check the local directory for a username BEFORE using Directory Assistance to check the external directory.  Make sure the name you are trying to authenticate with does not exist in the local Domino Directory.
Troubleshooting… Q.)  Help!  When using Domino as my LDAP server the searches are very slow! A.)  Create a full-text index for the directory.  If it’s still slow, limit the number of entries returned or create a timeout. Q.)  My searches against my Domino LDAP server do not return a CN value.  My “co-workers” configured that part…not me.  What did they do wrong? A.)  They likely added users to the directory without using Notes registration.  You will have to add the common name as a second value in the FullName field of the Person documents.
The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
Bonus Level - Applying Our LDAP Experience in the Real World In the “real world” companies point their many applications at their LDAP server. Having a centralized LDAP reduces the management of multiple directories: new passwords, name changes, department updates, etc. Many IBM products can hook into an existing LDAP directory for authentication, user information, etc.
Bonus Level - Applying Our LDAP Experience in the Real World IBM Lotus Web Conferencing and Instant Messaging (Sametime) IBM Lotus Team Spaces (QuickPlace) IBM WebSphere Portal IBM Lotus Workplace These products use LDAP for user authentication, authorization and mapping of names to specific application needs
Bonus Level - Applying Our LDAP Experience in the Real World To get some hands on experience, we are going to configure IBM WebSphere Portal to use an existing LDAP server. This procedure is exactly the same for configuring IBM Lotus Workplace. These same principles apply to other applications such as Sametime and QuickPlace.
Bonus Level - Configure wpconfig.properties file… Located in C:\WebSphere\PortalServer\config. The LDAP section is at the bottom – we simply map the attributes and data we discovered with Softerra to the fields in the file. Once wpconfig.properties is verified (twice) to be correct, in that same directory we run this script: WPSconfig enable-ldap-security > enablesecurity.log ‘server1’ is the only server that should be running – stop ‘WebSphere_Portal’ and ‘LotusWorkplace_Server’ before running the script – run this to see what is up: serverStatus -all -username wpsadmin -password password Activity is logged to this file (tail -f to see it) – do a search to make sure no ‘FAILED’ messages appeared
Bonus Level -  Configure wpconfig.properties file…
Bonus Level - Configure wpconfig.properties file… The ‘cn=root’ user is the administrator of the LDAP server with read/write access. The ‘wpsadmin’ user that was added should have read/write access as well – it can be used as the Wps.LDAPAdminUId instead. Notice which entries use a short name and a long name. The ‘wpsadmins’ group is not checked when the script is run – VERIFY with Softerra that it exists! If you see any BUILD FAILED messages in the enablesecurity.log file, examine the fields in the previous slide again and rerun the script – there should be NO ‘BUILD FAILED’ messages. If you see SQL errors you may need to delete rows and re-add them with the DB2 Command Center if the tables with errors have primary keys in them.
Bonus Level -  Verify ‘wpsadmin’ and ‘wpsadmins’ exist properly… Now is a good time to make sure the ‘wpsadmin’ user exists, the ‘wpsadmins’ group exists, and ‘wpsadmin’ exists in the ‘wpsadmins’ group.  If your LDAP browser doesn’t show these two entries properly, DON’T PROCEED until they do!
Bonus Level - Hoping it works… The script shouldn’t take that long to run. Either ‘tail -f’ the enablesecurity.log or entertain yourself in other productive ways:
Bonus Level - It works! (Da Da Da Dah!) Stop all servers (including IBM HTTP) and restart all servers.  Log into Portal:   http://nameofserver.domain.com/wps/portal or log into Workplace: http://nameofserver.domain.com/lwp/workplace verify the Web Conferences and Team Spaces places work properly
What you (should have) learned You now have the following information at your disposal thanks to this presentation: Basic understanding of LDAP, how it works, how it is put together and how to configure it Understanding of proper usage of LDAP including where and how to find names, and understand an LDAP schema How LDAP relates to our product suite and how to map attributes from an existing LDAP for client consumption and how to customize Domino into an LDAP server for the IBM product suite
Thanks a million.
1900 – part II – Linux Desktop Authentication Using Domino LDAP Moacyr Mallemont – IT Specialist Lotus/IBM Software Group
Session Objectives Provide an overview (step-by-step) on how to configure the Domino LDAP service to allow Linux desktop authentication. Show how easy it is to integrate Domino and Linux and have an end-to-end Domino solution running on Linux.
Agenda Requirements PAM configuration Extending the Domino LDAP Schema Enabling the Domino LDAP service as the default Linux directory Authenticating Setting up Domino to allow password changes from Linux prompt Troubleshooting
Requirements Default Domino installation on a Linux system (we used Domino 6.5.4 and RedHat AS 2.1) Domino Administrator and Designer Download and compile pam_ldap and nss_ldap on the Linux desktop client Knowledge of how to compile Linux applications (it is really easy :)
PAM Configuration – What is pam and nss?
PAM Configuration - Compiling
PAM Configuration – Making a ldap search
PAM Configuration – Making a ldap search
PAM Configuration – setting up ldap.conf file
PAM Configuration – Setting up ldap.secrets file
Extending the Domino LDAP Schema – “LDAP POSIX Account” subform
Extending the Domino LDAP Schema – Creating the fields
Extending the Domino LDAP Schema – Insert the subform in the form “$PersonExtensibleSchema”
Extending the Domino LDAP Schema – Reload the LDAP Schema
Extending the Domino LDAP Schema -  Verify the  new fields in the LDAP Schema
Extending the Domino LDAP Schema -  Verify the  new fields in the LDAP Schema
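Once the POSIX account subform has been added and the schema reloaded, the values nss_ldap and pam_ldap will read from each Person document deserve a check before the desktop is switched over: the RFC 2307 posixAccount class requires uid, cn, uidNumber, gidNumber and homeDirectory, and a uidNumber that is 0, reused, or in the system range silently hands the desktop the wrong Unix identity. The validator below is an added example, not the presentation's or Domino's code. The entries are constructed; the 1000 boundary for user UIDs and the allowed shell list are assumptions to align with the desktop's own settings.

```python
"""Validate posixAccount attributes on directory person entries before a
Linux desktop is pointed at the directory.  Added example, not code from
the presentation.  Entries are constructed; MIN_USER_UID and
ALLOWED_SHELLS are assumptions to match the desktop's configuration."""

REQUIRED = ("uid", "cn", "uidnumber", "gidnumber", "homedirectory")
MIN_USER_UID = 1000                         # assumption: desktop's UID_MIN
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/sbin/nologin", "/bin/false"}

# Constructed sample: one good entry, one broken entry, one UID collision.
SAMPLE_ENTRIES = {
    "uid=mmallemont,o=ibm": {
        "objectClass": ["top", "person", "inetOrgPerson", "posixAccount"],
        "uid": ["mmallemont"], "cn": ["Moacyr Mallemont"],
        "uidNumber": ["1001"], "gidNumber": ["100"],
        "homeDirectory": ["/home/mmallemont"], "loginShell": ["/bin/bash"],
    },
    "uid=rfox,o=ibm": {
        "objectClass": ["top", "person", "inetOrgPerson"],
        "uid": ["rfox"], "cn": ["Rob Fox"],
        "uidNumber": ["0"], "gidNumber": ["100"],
        "loginShell": ["/bin/zsh"],
    },
    "uid=pgodby,o=ibm": {
        "objectClass": ["top", "person", "inetOrgPerson", "posixAccount"],
        "uid": ["pgodby"], "cn": ["Paul Godby"],
        "uidNumber": ["1001"], "gidNumber": ["100"],
        "homeDirectory": ["/home/pgodby"], "loginShell": ["/bin/bash"],
    },
}


def validate_posix_account(attrs: dict[str, list[str]]) -> list[str]:
    """Return a list of problems (empty when the entry is usable by nss_ldap)."""
    problems: list[str] = []
    a = {k.lower(): list(v) for k, v in attrs.items()}   # case-insensitive names
    classes = {c.lower() for c in a.get("objectclass", [])}
    if "posixaccount" not in classes:
        problems.append("objectClass posixAccount missing")
    for name in REQUIRED:
        if not a.get(name):
            problems.append(f"{name} missing")
    for name in ("uidnumber", "gidnumber"):
        vals = a.get(name, [])
        if len(vals) > 1:
            problems.append(f"{name} must be single-valued")
        for v in vals:
            if not v.isdigit():
                problems.append(f"{name} is not an integer: {v!r}")
            elif name == "uidnumber" and int(v) < MIN_USER_UID:
                problems.append(f"uidnumber {v} is below MIN_USER_UID ({MIN_USER_UID})")
    for home in a.get("homedirectory", []):
        if not home.startswith("/"):
            problems.append(f"homedirectory is not absolute: {home!r}")
    for shell in a.get("loginshell", []):
        if shell not in ALLOWED_SHELLS:
            problems.append(f"loginshell not allowed: {shell!r}")
    return problems


def find_uid_collisions(entries: dict[str, dict]) -> dict[str, list[str]]:
    """Map each uidNumber shared by more than one entry to the uids using it."""
    by_number: dict[str, list[str]] = {}
    for attrs in entries.values():
        a = {k.lower(): v for k, v in attrs.items()}
        for num in a.get("uidnumber", []):
            by_number.setdefault(num, []).extend(a.get("uid", []))
    return {num: sorted(uids) for num, uids in by_number.items() if len(uids) > 1}


def report(entries: dict[str, dict]) -> dict[str, list[str]]:
    """Problems per DN, only for entries that have any."""
    out = {dn: validate_posix_account(attrs) for dn, attrs in entries.items()}
    return {dn: probs for dn, probs in out.items() if probs}


if __name__ == "__main__":
    for dn, probs in report(SAMPLE_ENTRIES).items():
        print(dn, probs)
    print("uidNumber collisions:", find_uid_collisions(SAMPLE_ENTRIES))
```

Feed it the attribute dictionaries an ldapsearch of the person entries returns and fix every reported entry in the Domino Directory before touching /etc/nsswitch.conf; the collision check is the one that matters most, since two persons with the same uidNumber are the same user as far as Linux file permissions are concerned.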
Enabling the Domino LDAP service as the default Linux Directory – User Information Config
Enabling the Domino LDAP service as the default Linux Directory – Authentication Config
Enabling the Domino LDAP service as the default Linux Directory – Authenticating a Domino user!
Enabling the Domino LDAP service as the default Linux Directory – Creating home directories
Enabling the Domino LDAP service as the default Linux Directory – the “id” command
Setting up Lotus Domino to allow password change for LDAP users – Configuration Document and rights in the NAB ACL
Setting up Lotus Domino to allow password change for LDAP users – “Allow LDAP users write=yes”
Setting up Lotus Domino to allow password change for LDAP users - Advanced ACL
Setting up Lotus Domino to allow password change for LDAP users – Changing an user password from the Linux prompt
Troubleshooting Ldapsearch If you can’t run the suggested searches in this presentation, don’t go ahead to the next step. Try to understand what is going on! Password change from Linux Desktop If password change does not work, verify user rights in the NAB ACL, and the ldap.conf & ldap.secrets files. User root cannot log in anymore! Use single user mode (in rescue) and clean every entry in /etc/nsswitch.conf that has ldap references. While configuring and testing you can leave “some” root sessions open that will allow you to fix your system.
Summary It can be very easy to integrate Domino with other systems. Domino uses and builds on open standards and protocols; that’s why it is so flexible! This is just another example of how Domino can be used to reduce the TCO of IT solutions. There are more complete solutions that should be evaluated, such as the Tivoli solutions, which can do much more. If you already have Domino, your investments are preserved and extended – start integrating today!
Resources http://www.padl.com/Contents/OpenSourceSoftware.html http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-ldap-extrafunctionality.html http://www.ibm.com/dominolinux http://www-306.ibm.com/software/tivoli/solutions/security/
Questions?

More Related Content

PPTX
HCL Domino V12 Key Security Features Overview
PDF
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
PDF
The Ultimate Administrator’s Guide to HCL Nomad Web
PDF
RNUG - HCL Notes V11 Performance Boost
PDF
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
POTX
IBM Domino / IBM Notes Performance Tuning
PPT
PDF
From frustration to fascination: dissecting Replication
HCL Domino V12 Key Security Features Overview
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
The Ultimate Administrator’s Guide to HCL Nomad Web
RNUG - HCL Notes V11 Performance Boost
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
IBM Domino / IBM Notes Performance Tuning
From frustration to fascination: dissecting Replication

What's hot (20)

PDF
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
PDF
Important tips on Router and SMTP mail routing
PDF
RNUG - Virtual, Faster, Better! How to deploy HCL Notes 11.0.1 FP2 for Citrix...
PDF
RESTful services on IBM Domino/XWork
PDF
IBM Notes Performance Boost - Reloaded (DEV-1185)
PDF
Self Healing Capabilities of Domino 10
PDF
Domino policies deep dive
PDF
Understanding domino memory 2017
PDF
DNUG HCL Domino 11 First Look
PDF
Auto Update(AUT) - HCL Notes
PDF
HCL Domino V12 - TOTP
PDF
Engage2022 - Domino Admin Tips
PDF
HCL Sametime 12.0 on Docker - Step-By-Step.pdf
PPTX
INF107 - Integrating HCL Domino and Microsoft 365
PDF
RNUG - Dirty Secrets of the Notes Client
PDF
June OpenNTF Webinar - Domino V12 Certification Manager
PPTX
dominocamp2022.t1s1.dde.pptx
PDF
From A to Z-itrix: Setting up the most stable and fastest HCL Notes client on...
PDF
HTTP - The Other Face Of Domino
PDF
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
Important tips on Router and SMTP mail routing
RNUG - Virtual, Faster, Better! How to deploy HCL Notes 11.0.1 FP2 for Citrix...
RESTful services on IBM Domino/XWork
IBM Notes Performance Boost - Reloaded (DEV-1185)
Self Healing Capabilities of Domino 10
Domino policies deep dive
Understanding domino memory 2017
DNUG HCL Domino 11 First Look
Auto Update(AUT) - HCL Notes
HCL Domino V12 - TOTP
Engage2022 - Domino Admin Tips
HCL Sametime 12.0 on Docker - Step-By-Step.pdf
INF107 - Integrating HCL Domino and Microsoft 365
RNUG - Dirty Secrets of the Notes Client
June OpenNTF Webinar - Domino V12 Certification Manager
dominocamp2022.t1s1.dde.pptx
From A to Z-itrix: Setting up the most stable and fastest HCL Notes client on...
HTTP - The Other Face Of Domino
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
Ad

Viewers also liked (20)

ODP
How to Create a Perfect Profile: A Hitchiker's Guide to A Smarter Workforce
PDF
Securing Lotus Domino for the Web - Email Relay
PDF
Migrate your Sametime Server to LDAP Authentication (Admincamp 2013)
PPT
Netcore Solutions - Corporate Presentation
PPTX
Ubuntu SSL VPN
PDF
Site to Site VPN CISCO ASA
PDF
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718
PPTX
Network Service in OpenStack Cloud, by Yaohui Jin
PPT
Cyberoam SSL VPN
PPT
my presentation on vpn
PPTX
Active Directory & LDAP Authentication Without Triggers
PDF
Spring Ldap
PPT
SSL VPN from your android phone
PDF
Fortigate Hand Book
PPTX
Open LDAP vs. Active Directory
PPT
PPTX
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
PPTX
Implementing a Secure and Effective PKI on Windows Server 2012 R2
PPTX
IPSec VPN & IPSec Protocols
How to Create a Perfect Profile: A Hitchiker's Guide to A Smarter Workforce
Securing Lotus Domino for the Web - Email Relay
Migrate your Sametime Server to LDAP Authentication (Admincamp 2013)
Netcore Solutions - Corporate Presentation
Ubuntu SSL VPN
Site to Site VPN CISCO ASA
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718
Network Service in OpenStack Cloud, by Yaohui Jin
Cyberoam SSL VPN
my presentation on vpn
Active Directory & LDAP Authentication Without Triggers
Spring Ldap
SSL VPN from your android phone
Fortigate Hand Book
Open LDAP vs. Active Directory
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
Implementing a Secure and Effective PKI on Windows Server 2012 R2
IPSec VPN & IPSec Protocols
Ad

Similar to Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory (20)

PPT
Open Ldap Integration and Configuration with Lifray 6.2
ODP
Ldapsession 1217528612650451-9
ODP
Ldapsession
PPT
Ldap system administration
PPTX
Directory Introduction
PPT
The Ldap Protocol
ODP
Ldap2010
 
ODP
LDAP Storage for Archetypes
PDF
LDAP Applied (EuroOSCON 2005)
PPTX
LDAP(In_Linux).pptx
PPTX
User administration without you - integrating LDAP
PPTX
LDAP - Lightweight Directory Access Protocol
PPTX
Integrate with ldap
PPTX
Mule MMC Integration with LDAP
PPT
Name services
PDF
Ldap 121020013604-phpapp01
PDF
Ldap introduction (eng)
PPTX
MMC Integration with LDAP and LDAP PS(SSL)
Open Ldap Integration and Configuration with Lifray 6.2
Ldapsession 1217528612650451-9
Ldapsession
Ldap system administration
Directory Introduction
The Ldap Protocol
Ldap2010
 
LDAP Storage for Archetypes
LDAP Applied (EuroOSCON 2005)
LDAP(In_Linux).pptx
User administration without you - integrating LDAP
LDAP - Lightweight Directory Access Protocol
Integrate with ldap
Mule MMC Integration with LDAP
Name services
Ldap 121020013604-phpapp01
Ldap introduction (eng)
MMC Integration with LDAP and LDAP PS(SSL)

Recently uploaded (20)

PDF
01-Introduction-to-Information-Management.pdf
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
PDF
O7-L3 Supply Chain Operations - ICLT Program
PPTX
PPH.pptx obstetrics and gynecology in nursing
PPTX
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
PDF
Insiders guide to clinical Medicine.pdf
PPTX
Microbial diseases, their pathogenesis and prophylaxis
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
PPTX
master seminar digital applications in india
PDF
TR - Agricultural Crops Production NC III.pdf
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
PPTX
Cell Types and Its function , kingdom of life
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
PDF
VCE English Exam - Section C Student Revision Booklet
PDF
Anesthesia in Laparoscopic Surgery in India
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
01-Introduction-to-Information-Management.pdf
Pharmacology of Heart Failure /Pharmacotherapy of CHF
O7-L3 Supply Chain Operations - ICLT Program
PPH.pptx obstetrics and gynecology in nursing
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
Abdominal Access Techniques with Prof. Dr. R K Mishra
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
Insiders guide to clinical Medicine.pdf
Microbial diseases, their pathogenesis and prophylaxis
Week 4 Term 3 Study Techniques revisited.pptx
master seminar digital applications in india
TR - Agricultural Crops Production NC III.pdf
2.FourierTransform-ShortQuestionswithAnswers.pdf
Cell Types and Its function , kingdom of life
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
VCE English Exam - Section C Student Revision Booklet
Anesthesia in Laparoscopic Surgery in India
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf

Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory

  • 1. 1900 – Configuring Domino to Be an LDAP Directory and to Use an LDAP Directory Rob Fox, Paul Godby, & Moacyr Mallemont
  • 2. Copyright IBM Corporation 2006. All Rights Reserved. This presentation is intended to assist IBM SWG Sales and their business partners in understanding IBM Software marketing tactics, sales tactics, and our direction during 2006. This presentation can be used in sales situations except individual charts labeled VENDOR CONFIDENTIAL or IBM CONFIDENTIAL, in which case they should be considered confidential under the practices in place in your firm and under any existing agreements with IBM regarding disclosure of confidential information. For questions or to request permission for any other use of the information or distribution of the presentation, please contact any member of the IBM software sales team.
  • 3. 1900 – part I - Configuring Domino for LDAP By Rob Fox & Paul Godby January 20 th , 2006 – 10:15 am
  • 4. The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino servers Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
  • 5. Objective The objective of this presentation is to provide you with the following: Basic understanding of LDAP Understanding of proper usage of LDAP How LDAP relates to Lotus Domino
  • 6. The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
  • 7. What is LDAP? LDAP stands for Lightweight Directory Assistance Protocol Comes from the need of a smaller, less complex version of X.500, another Directory Access protocol (DAP) for directory assistance LDAP is much simpler to implement and develop for, and runs on top of TCP/IP unlike X.500 The defacto standard for client name lookups to a server used by millions of corporations and billions of users*.. *Statistic is made up. Did you know 56% of statistics are made up?
  • 8. Who made LDAP? (hint – me) A bright young IBM engineer named Rob Fox. Okay, I lied. Open standard defined by the Internet Engineering Task Force (IETF) The original LDAP server implementation was written at the University of Michigan Architecture designed to the LDAP v3 specification Replication and Access Control are not yet standardized in the LDAP v3 specification LDUP - Lightweight Directory Update Protocol draft Access Control - working standard (no acronym)
  • 9. What do we use LDAP for? Corporations need an “address book” of all names and groups within the company. All of these names and groups can be stored on a dedicated server called a “Directory Server” LDAP is the standard protocol for name & group lookup on a directory server A centralized LDAP Directory Server means all applications have access to one consistent name & address book.
  • 10. The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
  • 11. Anatomy of LDAP (diagram) A happy user talks through an LDAP connector (labelled “Magic” on the slide) to “My LDAP Directory Server”, a database full of names and addresses: Joe Mama, Angie Daddy, Terd Ferguson, Art Major, Rob Fox, Travis Womack, …
  • 12. Anatomy of LDAP LDAP consists of attributes, objects and values arranged in a hierarchy. Getting access to these objects is generally done by binding to the server and using search filters to find specific information. The LDAP structure can be created or modified by hand, or imported via a file called an ‘LDIF file’.
  • 13. Anatomy of LDAP Objects are generally the people or groups stored in the LDAP directory. These are arranged in a hierarchical tree Example: cn=us -> o=IBM -> ou=Lexington -> cn=Users -> uid=rfox would tell us that user rfox is in the Lexington group, which is part of the IBM organization in the US.
  • 15. Anatomy of LDAP An attribute is a specific item defined in an entry, and a value is the data stored in that attribute. Example: givenname=Rob sn=Fox mail=rob_fox@us.ibm.com phonenumber=888-555-1212
  • 17. Anatomy of LDAP An LDIF is a file that has these objects and attributes already defined in a text format that can be imported into a directory server Importing an LDIF is the easiest (and recommended) way to set up your own LDAP server For Domino, use the LDIF Domino Upgrade Service in the Administration client to import users The final location of the LDIF users in the LDAP tree is determined by the cert ID used while importing The service will not process LDIF group entries
  • 19. The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
  • 20. Talking to an Existing LDAP There are only 3 things you need to consume data from an existing LDAP server: Fully qualified DNS name or IP address (and port if it’s not the default of 389) Base DN for searching Credentials Typically customers want to deploy applications and web servers using the existing LDAP in their infrastructure – so let’s see how to do that…
  • 21. Get proper LDAP connection information Get the fully qualified DNS name and port: The name and location of the server, and the port the LDAP service is listening on Get the base DN: The first place in the LDAP hierarchy tree to begin looking for names Get a sample user name to bind to if necessary: Determine if anonymous binding is allowed, and if the attributes needed are returned when bound anonymously. If a user is needed, determine the format of the name and password to connect to the LDAP server Note: Active Directory typically will not list any users or groups if bound to anonymously
  • 22. The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
  • 23. The Pieces of an LDAP DN… Here is a standard user full distinguished name: uid=wpsadmin,ou=users,dc=lexington,o=ibm
  • 24. The Pieces of an LDAP DN… The slide labels the pieces of uid=wpsadmin,cn=users,ou=lexington,o=ibm as follows: user prefix (uid=wpsadmin), user suffix (cn=users), org unit (ou=lexington), base DN (o=ibm)
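An added example (not from the deck) that takes a DN apart the way the slide does, in Python; the piece names follow the slide's labels, the splitting rules are RFC 4514's, and the sample DNs are constructed:

```python
"""Added example, not from the deck: split an LDAP DN into its RDNs and derive
the user prefix / user suffix / base DN pieces the slide labels.  Splitting
follows RFC 4514 (a backslash escapes the next character, so "\," inside a
value is not a separator).  The DNs used below are constructed samples.
"""
from typing import Dict, List, Tuple

# RFC 4514 section 2.4: these must be escaped when they appear inside a value.
MUST_ESCAPE = ',+"\\<>;'


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute, value), ...] from the most specific RDN outwards.

    Attribute names are lower-cased, values keep their case, and surrounding
    whitespace is dropped.  Multi-valued RDNs ("cn=a+sn=b") are not split,
    since the deck never uses them.
    """
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # escaped character: keep it literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))

    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def escape_value(value: str) -> str:
    """Re-escape a value so it can be put back into a DN string."""
    return "".join("\\" + ch if ch in MUST_ESCAPE else ch for ch in value)


def join_dn(pairs: List[Tuple[str, str]]) -> str:
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in pairs)


def decompose_user_dn(dn: str, base_dn: str) -> Dict[str, str]:
    """Map a full user DN onto the pieces named on the slide.

    For uid=wpsadmin,cn=users,ou=lexington,o=ibm with base DN o=ibm the result
    is user prefix "uid", user id "wpsadmin", user suffix "cn=users,ou=lexington"
    and base DN "o=ibm".  Matching the base DN ignores case, as LDAP does for
    these attributes.
    """
    parts = split_dn(dn)
    base = split_dn(base_dn)

    def folded(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
        return [(attr, value.lower()) for attr, value in pairs]

    if len(parts) <= len(base) or folded(parts[-len(base):]) != folded(base):
        raise ValueError(f"{dn!r} is not below base DN {base_dn!r}")
    prefix_attr, user_id = parts[0]
    middle = parts[1:len(parts) - len(base)]
    return {
        "user_prefix": prefix_attr,
        "user_id": user_id,
        "user_suffix": join_dn(middle),
        "base_dn": join_dn(base),
    }


if __name__ == "__main__":
    for sample_dn, sample_base in [
        ("uid=wpsadmin,cn=users,ou=lexington,o=ibm", "o=ibm"),
        ("uid=wpsadmin,cn=users,ou=lexington,o=ibm", "ou=lexington,o=ibm"),
        (r"cn=Simpson\, Homer,cn=users,ou=lexington,o=databeam", "o=databeam"),
    ]:
        print(sample_dn, "->", decompose_user_dn(sample_dn, sample_base))
```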
  • 25. Acquire the proper tools… LDAPSearch utility Command-line utility shipped with Domino and Notes Softerra LDAP Browser or… Softerra LDAP Administrator or… Java based LDAP Browser (can import LDIF files) Found on Google
  • 26. Using ldapsearch Can be used to search entries in any LDAP directory Connects to a directory server and returns results you specify Located in the Domino or Notes program directory
  • 27. Using ldapsearch Syntax for ldapsearch:
    ldapsearch parameters searchfilter attributes
  Parameters:
    -b baseDN for your search
    -D username to bind with
    -w password to bind with
    -h ldap server name
    -p port to query on the ldap server
  • 28. Using ldapsearch Sample usage of ldapsearch: Use an authenticated bind to search under the baseDN cn=users,ou=lexington,o=databeam for a user with the common name of Homer Simpson:
    ldapsearch -h ldapserver.databeam.com -p 389 -D "cn=wpsbind,cn=users,ou=lexington,o=databeam" -w password -b "cn=users,ou=lexington,o=databeam" "cn=Homer Simpson"
  • 29. Configuring Softerra… Add a profile name Add the FQDN of the LDAP server Add the base DN desired (or fetch them) Add a binding name to verify the correct format of a user Note: If you can bind with a long LDAP name, then the application (Sametime, Workplace, etc) can find the user when configuration is complete – bind with users to verify they exist and are in the correct format!
  • 32. Gather information about the LDAP user… Determine if you want to log in with ‘cn’ or ‘uid’ or another attribute. Make sure an objectclass such as ‘inetOrgPerson’ exists. Determine the email attribute – typically ‘mail’. Look for a unique identifier – IDS5.1 user ‘ibm-appuuid’, Domino 6.5.4+ user ‘dominoUNID’ Most importantly – right click on the name to get the long LDAP name, for example: uid=wpsadmin,cn=users,dc=ibm,dc=com
  • 33. Gather information about the LDAP user…
  • 34. Gather information about the LDAP group… Determine what attribute designates the name of the group – typically ‘cn’ Determine the objectclass of the group – typically ‘groupOfUniqueNames’ or ‘groupOfNames’ Determine the member attribute name – typically ‘uniquemember’ or ‘member’ Make sure a unique identifier exists like ‘ibm-appuuid’ Again importantly: Right click on the name to get the long LDAP name (full DN): cn=wpsadmins,cn=group,dc=ibm,dc=com
  • 35. Gather information about the LDAP user…
  • 36. The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
  • 37. Configure Domino to use a remote LDAP directory Directory Assistance allows you to lookup information in a directory other than the local primary Domino directory Domino Directory, Extended Directory Catalog, LDAP Create a Directory Assistance document in the Directory Assistance database (often named da.nsf) The Active Directory Domino Upgrade Service (AD DUS) can be used in conjunction with the Active Directory Synchronization (AdSync) to maintain the same set of users in AD and Domino
  • 39. Domino 7 LDAP service improvements Improved performance LDAP server thread pooling DA LDAP miss caching DDM LDAP server health monitoring Addition of aliases Support of universal Notes IDs (UNID) New “dominoUNID” operational attribute Enhanced LDAP search Now works with IBM Workplace products that use the WebSphere Member Manager (WMM) service to access user/group objects.
  • 40. Starting the Domino LDAP service The LDAP task runs automatically on the admin server for the primary Domino directory To start automatically: Edit the “ServerTasks” setting in Notes.ini to include LDAP To start manually: Enter “Load LDAP” on the Domino console
  • 41. Enable/Disable write access to the directory By default, the LDAP service does not allow write access To enable write access: Open the directory using the Domino Admin Client Select the Servers -> Configuration view Open the Configuration Settings document for the domain Create this document if it does not exist On the LDAP tab, set “Allow LDAP users write access” to Yes Restart each server in the domain running the LDAP service
  • 42. The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
  • 43. Using Domino as your LDAP server for Lotus Workplace… Add a ‘wpsadmin/domain’ user and ‘wpsadmins/domain’ group with Manager access to the Domino directory – make sure the user name and group name fields include the ‘/domain’ or they will NOT show up in Domino. Configure the wpconfig.properties file as before except do NOT fill out the LDAPSuffix (base DN) – rather, use the user and group suffix fields. If there is an ou, put that in front, like ‘ou=lexington,o=databeam’.
  • 44. Using Domino as your LDAP server for Lotus Workplace… Domino servers below 6.5.4 MUST do the following: Create a field called ‘dominoUNID’ in the Person, Group and Certifier forms with the computed text value of: @Text(@DocumentUniqueID) Create an agent to open/close/save all documents in the Domino Directory so the new field is computed and populated – verify the field shows up in LDAP by reloading the schema.
  • 45. Using Domino as your LDAP server for Lotus Workplace… Edit <WP_root>\shared\app\wmm\wmm.xml and <WP_root>\wmm\wmmLDAPServerAttributes.xml to use Domino attributes (including the one you just created) so WebSphere Member Manager will recognize users. Change the WAS Admin user search filter and user ID map: User search filter: (&(|(cn=%v)(mail=%v)(uid=%v))(objectclass=inetOrgPerson)) User ID map: *:uid Restart all services and servers. It should work! (heh, yeah right)
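As an added example that is not part of the deck, here the %v substitution in the user search filter above is done in Python, naive and escaped side by side; the escaping rules are RFC 4515's, the helper names are my own, and the logins are constructed:

```python
"""Added example, not from the deck: render the WebSphere user search filter
from the slide by substituting the login name for "%v".  The naive and the
escaped substitution sit side by side to show why the value must be escaped
as RFC 4515 requires before it goes into the filter.  Inputs are constructed.
"""
USER_SEARCH_FILTER = "(&(|(cn=%v)(mail=%v)(uid=%v))(objectclass=inetOrgPerson))"

# RFC 4515 section 3: inside an assertion value these must be written as \XX.
FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value; the result can only ever match literally."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_naive(template: str, login: str) -> str:
    """Plain text substitution: whatever the user typed becomes filter syntax."""
    return template.replace("%v", login)


def render_escaped(template: str, login: str) -> str:
    """Substitution after escaping: the filter structure stays the template's."""
    return template.replace("%v", escape_filter_value(login))


def count_wildcards(ldap_filter: str) -> int:
    """'*' characters left in a rendered filter (the escaped form never has one)."""
    return ldap_filter.count("*")


def structure_preserved(template: str, rendered: str) -> bool:
    """True when the rendered filter has exactly the template's sub-filters."""
    return (rendered.count("(") == template.count("(")
            and rendered.count(")") == template.count(")"))


if __name__ == "__main__":
    for login in ["wpsadmin", "rob_fox@us.ibm.com", "*", "x)(y"]:
        naive = render_naive(USER_SEARCH_FILTER, login)
        safe = render_escaped(USER_SEARCH_FILTER, login)
        print(f"login {login!r}")
        print("  naive  :", naive, "| wildcards:", count_wildcards(naive),
              "| structure ok:", structure_preserved(USER_SEARCH_FILTER, naive))
        print("  escaped:", safe, "| wildcards:", count_wildcards(safe),
              "| structure ok:", structure_preserved(USER_SEARCH_FILTER, safe))
```

For an ordinary login name the two renderings are identical; they only differ when the login contains filter metacharacters.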
  • 46. The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
  • 47. Troubleshooting… Q.) It doesn’t work. A.) Sorry, works for me. Q.) No Seriously… I followed all the steps for setting up Directory Assistance to an external LDAP directory, but user authentication still fails. A.) Domino will check the local directory for a username BEFORE using Directory Assistance to check the external directory. Make sure the name you are trying to authenticate with does not exist in the local Domino Directory.
  • 48. Troubleshooting… Q.) Help! When using Domino as my LDAP server the searches are very slow! A.) Create a full-text index for the directory. If it’s still slow, limit the number of entries returned or create a timeout. Q.) My searches against my Domino LDAP server do not return a CN value. My “co-workers” configured that part…not me. What did they do wrong? A.) They likely added users to the directory without using Notes registration. You will have to add the common name as a second value in the FullName field of the Person documents.
  • 49. The Agenda What is LDAP? The Anatomy of LDAP Identifying the LDAP server and its attributes Deciphering the LDAP schema Information and Configuration of LDAP for Domino server Making Lotus Domino an LDAP server to be used by IBM WebSphere Portal Troubleshooting and Diagnostics Extra -- Mapping the LDAP attributes to a client application: WebSphere Portal and Lotus Workplace
  • 50. Bonus Level - Applying Our LDAP Experience in the Real World In the “real world” companies take their many applications and point to their LDAP server Having a centralized LDAP reduces management of multiple directories such as new passwords, name changes, department updates, etc Many IBM products can hook into an existing LDAP directory for authentication, user information, etc..
  • 51. Bonus Level - Applying Our LDAP Experience in the Real World IBM Lotus Web Conferencing and Instant Messaging (Sametime) IBM Lotus Team Spaces (QuickPlace) IBM WebSphere Portal IBM Lotus Workplace These products use LDAP for user authentication, authorization and mapping of names to specific application needs
  • 52. Bonus Level - Applying Our LDAP Experience in the Real World To get some hands on experience, we are going to configure IBM WebSphere Portal to use an existing LDAP server. This procedure is exactly the same for configuring IBM Lotus Workplace. These same principles apply to other applications such as Sametime and QuickPlace.
  • 53. Bonus Level - Configure wpconfig.properties file… Located in C:\WebSphere\PortalServer\config The LDAP section is at the bottom – we simply map the attributes and data we discovered with Softerra to the fields in the file Once wpconfig.properties is verified (twice) to be correct, in that same directory we run this script:
    WPSconfig enable-ldap-security > enablesecurity.log
  ‘server1’ is the only server that should be running – stop ‘WebSphere_Portal’ and ‘LotusWorkplace_Server’ before running the script – run this to see what is up:
    serverStatus -all -username wpsadmin -password password
  Activity is logged to enablesecurity.log (tail -f to see it) – do a search to make sure no ‘FAILED’ messages appeared
  • 54. Bonus Level - Configure wpconfig.properties file…
  • 55. Bonus Level - Configure wpconfig.properties file… The ‘cn=root’ user is the administrator of the LDAP server with read/write access. The ‘wpsadmin’ user that was added should have read/write access as well – it can be used as the Wps.LDAPAdminUId instead. Notice which entries use a short name and which use a long name. The ‘wpsadmins’ group is not checked when the script is run – VERIFY with Softerra that it exists! If you see any BUILD FAILED messages in the enablesecurity.log file, examine the fields in the previous slide again and rerun the script – there should be NO ‘BUILD FAILED’ messages. If you see SQL errors you may need to delete rows and re-add them with the DB2 Command Center if the tables with errors have primary keys in them.
  • 56. Bonus Level - Verify ‘wpsadmin’ and ‘wpsadmins’ exist properly… Now is a good time to make sure the ‘wpsadmin’ user exists, the ‘wpsadmins’ group exists, and ‘wpsadmin’ exists in the ‘wpsadmins’ group. If your LDAP browser doesn’t show these two entries properly, DON’T PROCEED until they do!
  • 57. Bonus Level - Hoping it works… The script shouldn’t take that long to run. Either ‘tail -f’ the enablesecurity.log or entertain yourself in other productive ways:
  • 58. Bonus Level - It works! (Da Da Da Dah!) Stop all servers (including IBM HTTP) and restart all servers. Log into Portal: http://nameofserver.domain.com/wps/portal or log into Workplace: http://nameofserver.domain.com/lwp/workplace and verify that the Web Conferences and Team Spaces places work properly
  • 59. What you (should have) learned You now have the following information at your disposal thanks to this presentation: Basic understanding of LDAP, how it works, how it is put together and how to configure it Understanding of proper usage of LDAP including where and how to find names, and understand an LDAP schema How LDAP relates to our product suite and how to map attributes from an existing LDAP for client consumption and how to customize Domino into an LDAP server for the IBM product suite
  • 61. 1900 – part II – Linux Desktop Authentication Using Domino LDAP Moacyr Mallemont – IT Specialist Lotus/IBM Software Group
  • 62. Session Objectives Provide an overview (step-by-step) of how to configure the Domino LDAP service to allow Linux desktop authentication. Show how easy it is to integrate Domino and Linux and have an end-to-end Domino solution running on Linux
  • 63. Agenda Requirements PAM configuration Extending the Domino LDAP Schema Enabling the Domino LDAP service as the default Linux directory Authenticating Setting up Domino to allow password changes from Linux prompt Troubleshooting
  • 64. Requirements Default Domino installation on a Linux system (we used Domino 6.5.4 and RedHat AS 2.1) Domino Administrator and Designer Download and compile pam_ldap and nss_ldap on the Linux desktop client Knowledge of how to compile Linux applications (it is really easy :)
  • 65. PAM Configuration – What is pam and nss?
  • 66. PAM Configuration - Compiling
  • 67. PAM Configuration – Making a ldap search
  • 68. PAM Configuration – Making a ldap search
  • 69. PAM Configuration – setting up ldap.conf file
  • 70. PAM Configuration – Setting up ldap.secrets file
  • 71. Extending the Domino LDAP Schema – “LDAP POSIX Account” subform
  • 72. Extending the Domino LDAP Schema – Creating the fields
  • 73. Extending the Domino LDAP Schema – Insert the subform in the form “$PersonExtensibleSchema”
  • 74. Extending the Domino LDAP Schema – Reload the LDAP Schema
  • 75. Extending the Domino LDAP Schema - Verify the new fields in the LDAP Schema
  • 76. Extending the Domino LDAP Schema - Verify the new fields in the LDAP Schema
  • 77. Enabling the Domino LDAP service as the default Linux Directory – User Information Config
  • 78. Enabling the Domino LDAP service as the default Linux Directory – Authentication Config
  • 79. Enabling the Domino LDAP service as the default Linux Directory – Authenticating a Domino user!
  • 80. Enabling the Domino LDAP service as the default Linux Directory – Creating home directories
  • 81. Enabling the Domino LDAP service as the default Linux Directory – the “id” command
  • 82. Setting up Lotus Domino to allow password change for LDAP users – Configuration Document and rights in the NAB ACL
  • 83. Setting up Lotus Domino to allow password change for LDAP users – “Allow LDAP users write=yes”
  • 84. Setting up Lotus Domino to allow password change for LDAP users - Advanced ACL
  • 85. Setting up Lotus Domino to allow password change for LDAP users – Changing a user password from the Linux prompt
  • 86. Troubleshooting Ldapsearch: If you can’t run the suggested searches in this presentation, don’t go ahead to the next step. Try to understand what is going on! Password change from Linux desktop: If password change does not work, verify the user’s rights in the NAB ACL, and the ldap.conf & ldap.secret files. User root cannot log in anymore! Use single user mode (in rescue) and clean every entry in /etc/nsswitch.conf that has ldap references. While configuring and testing you can leave “some” root sessions open that will allow you to fix your system.
  • 87. Summary It can be very easy to integrate Domino with other systems Domino uses and makes use of open standards and protocols; that’s why it is so flexible! This is just another example of how Domino can be used to reduce the TCO of IT solutions There are more complete solutions that should be evaluated, such as Tivoli solutions, which can do much more If you already have Domino, your investment is preserved and extended - start integrating today!

Editor's Notes

  • #63: The knowledge you will receive from this document/session was actually used in a real technical environment running on virtual machines under VMware Workstation. All the screens have been captured so that you can have a complete understanding of what to do to have your Linux workstations authenticating against an IBM Lotus Domino LDAP service.
  • #66: What is nss_ldap and pam_ldap? nss_ldap is an LDAP module for the “Solaris Nameservice Switch” (NSS). NSS is a set of C libraries with extensions needed to access information in an LDAP directory service, used instead of the “Network Information Service” (NIS) or flat files (the Linux default); nss_ldap is what lets the Linux desktop use an LDAP service natively. pam_ldap integrates LDAP authentication into the PAM API; with pam_ldap, users can authenticate and change their password using an LDAP service. Both modules are part of the nss_ldap package.
The nss_ldap and pam_ldap installation: To set up Linux authentication against the Lotus Domino LDAP server, it is necessary to download two PAM modules, nss_ldap and pam_ldap. Later in the process they are compiled and installed on the Linux workstation that will authenticate against the Lotus Domino LDAP service.
Compiling nss_ldap and pam_ldap: After copying the two modules to the Linux desktop, unzip, compile and install them with the following commands (the slide does not name the tarballs, so they appear as placeholders here):
    gunzip *tgz
    tar -xvf <nss_ldap tarball>.tar
    tar -xvf <pam_ldap tarball>.tar
    cd nss_ldap
    ./configure
    make
    make install
    cd ..
    cd pam_ldap
    ./configure
    make
    make install
Making an LDAP search: Now that PAM has the new modules installed, validate access from the Linux desktop to the Lotus Domino LDAP service with the following command:
    ldapsearch -v -x -D cn=ldapbind,o=ibm -w passw0rd -H ldap://domino.br.ibm.com -b o=ibm uid=mcosta
The results can span more than one screen, so pipe the output through “| more” to page it. It should show the LDAP schema objects that the user “mcosta” has in the Lotus Domino server directory.
Setting up the ldap.conf file: Now it is possible to set up the “/etc/ldap.conf” file so that the Linux desktop can use the Lotus Domino LDAP server for authentication and user information.
The following lines should be used (leave all the other lines commented out):
    host domino.br.ibm.com
    base o=ibm
    uri ldap://domino.br.ibm.com
    binddn cn=ldapbind,o=ibm
    bindpw passw0rd
    rootbinddn cn=ldapbind,o=ibm
    pam_password clear
    ssl no
Setting up the ldap.secret file (completing the PAM configuration): You now need to create the “/etc/ldap.secret” file that holds the password for the rootbinddn user (specified in /etc/ldap.conf). This user is used whenever the Linux root user makes an LDAP search. To do this, run the following commands:
    echo passw0rd >/etc/ldap.secret
    chmod go-rw /etc/ldap.secret
The chmod removes read and write from group and others, so “/etc/ldap.secret” is accessible only by the root user.
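As an added check that is not part of the deck, the following Python reviews the ldap.conf settings from the notes and works out what a symbolic chmod actually leaves as the mode of /etc/ldap.secret; the audit rules, the mode check and the function names are my own, and the config text is embedded as a constructed sample:

```python
"""Added example, not from the deck: review the /etc/ldap.conf and
/etc/ldap.secret settings shown in the notes.  It flags the settings that
send or store the bind password in the clear, and computes what a symbolic
chmod argument leaves as the mode of ldap.secret (go-rw versus the easy
mistake ou-rw).  The config text is a constructed sample copied from the notes.
"""
import re
from typing import Dict, List

LDAP_CONF_SAMPLE = """\
host domino.br.ibm.com
base o=ibm
uri ldap://domino.br.ibm.com
binddn cn=ldapbind,o=ibm
bindpw passw0rd
rootbinddn cn=ldapbind,o=ibm
pam_password clear
ssl no
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Keyword/value pairs of an nss_ldap style ldap.conf; comments and blanks skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def audit_ldap_conf(settings: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise about the settings from the notes."""
    findings: List[str] = []
    uri = settings.get("uri", "")
    if settings.get("ssl", "no").lower() == "no" and not uri.startswith("ldaps://"):
        findings.append("ssl no: the bind and every password check cross the network in clear text")
    if settings.get("pam_password", "").lower() == "clear":
        findings.append("pam_password clear: password changes are sent as plain text (only acceptable over TLS)")
    if "bindpw" in settings:
        findings.append("bindpw in ldap.conf: this file is normally world-readable so NSS lookups work for every process, so the bind password is too")
    if "rootbinddn" in settings:
        findings.append("rootbinddn set: /etc/ldap.secret must exist and be readable by root only (mode 0600)")
    return findings


def apply_symbolic_chmod(mode: int, spec: str) -> int:
    """Apply one symbolic chmod spec such as 'go-rw' or 'u=rw' to a numeric mode.

    Only [ugoa]+[-+=][rwx]* is supported, which is enough for the notes.
    """
    m = re.fullmatch(r"([ugoa]+)([-+=])([rwx]*)", spec)
    if not m:
        raise ValueError(f"unsupported chmod spec {spec!r}")
    who, op, perms = m.groups()
    shifts = {"u": 6, "g": 3, "o": 0}
    classes = "ugo" if "a" in who else "".join(dict.fromkeys(who))
    bits = sum({"r": 4, "w": 2, "x": 1}[p] for p in perms)
    for cls in classes:
        shift = shifts[cls]
        if op == "-":
            mode &= ~(bits << shift)
        elif op == "+":
            mode |= bits << shift
        else:
            mode = (mode & ~(7 << shift)) | (bits << shift)
    return mode


def secret_file_mode_ok(mode: int) -> bool:
    """ldap.secret is fine only when the owner can read it and nobody else can."""
    return (mode & 0o077) == 0 and (mode & 0o400) != 0


if __name__ == "__main__":
    for finding in audit_ldap_conf(parse_ldap_conf(LDAP_CONF_SAMPLE)):
        print("finding:", finding)
    for spec in ("go-rw", "ou-rw"):
        result = apply_symbolic_chmod(0o644, spec)  # 0644 is the mode echo leaves
        print(f"chmod {spec}: mode {result:04o}, acceptable: {secret_file_mode_ok(result)}")
```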
  • #67: What is nss_ldap and pam_ldap? The nss_ldap is a LDAP module for the “Solaris Nameservice Switch” (NSS). NSS is a set of C libraries with extensions needed to access information in a LDAP directory service that will be used instead of the “Network Information Service” (NIS) or flat files (that is the Linux default); the nss_ldap is necessary so that the Linux desktop can use their native LDAP service. The pam_ldap is used to integrate the LDAP authentication into the PAM API. Using the pam_ldap enables users to authenticate and change password using a LDAP service. Both modules are part of the nss_ldap package. The nss_ldap and pam_ldap installation To setup the Linux authentication with the Lotus Domino LDAP server it is necessary to download two PAM modules, the nss_ldap and the pam_ldap. Those modules will latter in the process be compiled and installed in the Linux workstation that will authenticate in the Lotus Domino LDAP service: Compiling nss_ldap e pam_ldap After copying the two modules to the Linux desktop, you have to unzip, compile and setup them. To do that, use the following commands: gunzip *tgz tar -xvf cd nss_ldap ./configure make make install cd .. cd pam_ldap ./configure make make install Making a ldap search using PAM Now that PAM has the new modules installed, you can validate access from the Linux desktop to the Lotus Domino LDAP service using the following command: Ldapsearch –v –x –D cn=ldapbind,o=ibm –w passw0rd –H ldap://domino.br.ibm.com –b o=ibm uid=mcosta The results can span more than one screen, so you can use “| more” to page the output. It should show the ldap schema objects that the user “mcosta” has in the Lotus Domino server directory . Setting up the ldap.conf file Now it is possible to setup the “/etc/ldap.conf” file, so that the Linux desktop will be able to use the Lotus Domino LDAP server for authentication and user information. 
The following lines should be used (let all the other lines as comments): host domino.br.ibm.com base o=ibm uri ldap://domino.br.ibm.com binddn cn=ldapbind,o=ibm bindpw pawws0rd rootbinddn cn=ldapbind,o=ibm pam_password clear ssl no Setting up the ldap.secrets file Completing the PAM configuration (ldap.secret) You will now need to create the “/etc/ldap.secret” file that holds the password for the rootdn user (specified in /etc/ldap.conf). This user will be used whenever the Linux root user makes a ldap search. To do this you should run the following commands: creating ldap.secret echo passw0rd &gt;/etc/ldap.secret chmod ou-rw /etc/ldap.secret Please note that the “/etc/ldap.secret” file will be only accessible by the root user.
  • #68: What is nss_ldap and pam_ldap? The nss_ldap is a LDAP module for the “Solaris Nameservice Switch” (NSS). NSS is a set of C libraries with extensions needed to access information in a LDAP directory service that will be used instead of the “Network Information Service” (NIS) or flat files (that is the Linux default); the nss_ldap is necessary so that the Linux desktop can use their native LDAP service. The pam_ldap is used to integrate the LDAP authentication into the PAM API. Using the pam_ldap enables users to authenticate and change password using a LDAP service. Both modules are part of the nss_ldap package. The nss_ldap and pam_ldap installation To setup the Linux authentication with the Lotus Domino LDAP server it is necessary to download two PAM modules, the nss_ldap and the pam_ldap. Those modules will latter in the process be compiled and installed in the Linux workstation that will authenticate in the Lotus Domino LDAP service: Compiling nss_ldap e pam_ldap After copying the two modules to the Linux desktop, you have to unzip, compile and setup them. To do that, use the following commands: gunzip *tgz tar -xvf cd nss_ldap ./configure make make install cd .. cd pam_ldap ./configure make make install Making a ldap search using PAM Now that PAM has the new modules installed, you can validate access from the Linux desktop to the Lotus Domino LDAP service using the following command: Ldapsearch –v –x –D cn=ldapbind,o=ibm –w passw0rd –H ldap://domino.br.ibm.com –b o=ibm uid=mcosta The results can span more than one screen, so you can use “| more” to page the output. It should show the ldap schema objects that the user “mcosta” has in the Lotus Domino server directory . Setting up the ldap.conf file Now it is possible to setup the “/etc/ldap.conf” file, so that the Linux desktop will be able to use the Lotus Domino LDAP server for authentication and user information. 
The following lines should be used (let all the other lines as comments): host domino.br.ibm.com base o=ibm uri ldap://domino.br.ibm.com binddn cn=ldapbind,o=ibm bindpw pawws0rd rootbinddn cn=ldapbind,o=ibm pam_password clear ssl no Setting up the ldap.secrets file Completing the PAM configuration (ldap.secret) You will now need to create the “/etc/ldap.secret” file that holds the password for the rootdn user (specified in /etc/ldap.conf). This user will be used whenever the Linux root user makes a ldap search. To do this you should run the following commands: creating ldap.secret echo passw0rd &gt;/etc/ldap.secret chmod ou-rw /etc/ldap.secret Please note that the “/etc/ldap.secret” file will be only accessible by the root user.
  • #69: What is nss_ldap and pam_ldap? The nss_ldap is a LDAP module for the “Solaris Nameservice Switch” (NSS). NSS is a set of C libraries with extensions needed to access information in a LDAP directory service that will be used instead of the “Network Information Service” (NIS) or flat files (that is the Linux default); the nss_ldap is necessary so that the Linux desktop can use their native LDAP service. The pam_ldap is used to integrate the LDAP authentication into the PAM API. Using the pam_ldap enables users to authenticate and change password using a LDAP service. Both modules are part of the nss_ldap package. The nss_ldap and pam_ldap installation To setup the Linux authentication with the Lotus Domino LDAP server it is necessary to download two PAM modules, the nss_ldap and the pam_ldap. Those modules will latter in the process be compiled and installed in the Linux workstation that will authenticate in the Lotus Domino LDAP service: Compiling nss_ldap e pam_ldap After copying the two modules to the Linux desktop, you have to unzip, compile and setup them. To do that, use the following commands: gunzip *tgz tar -xvf cd nss_ldap ./configure make make install cd .. cd pam_ldap ./configure make make install Making a ldap search using PAM Now that PAM has the new modules installed, you can validate access from the Linux desktop to the Lotus Domino LDAP service using the following command: Ldapsearch –v –x –D cn=ldapbind,o=ibm –w passw0rd –H ldap://domino.br.ibm.com –b o=ibm uid=mcosta The results can span more than one screen, so you can use “| more” to page the output. It should show the ldap schema objects that the user “mcosta” has in the Lotus Domino server directory . Setting up the ldap.conf file Now it is possible to setup the “/etc/ldap.conf” file, so that the Linux desktop will be able to use the Lotus Domino LDAP server for authentication and user information. 
The following lines should be used (let all the other lines as comments): host domino.br.ibm.com base o=ibm uri ldap://domino.br.ibm.com binddn cn=ldapbind,o=ibm bindpw pawws0rd rootbinddn cn=ldapbind,o=ibm pam_password clear ssl no Setting up the ldap.secrets file Completing the PAM configuration (ldap.secret) You will now need to create the “/etc/ldap.secret” file that holds the password for the rootdn user (specified in /etc/ldap.conf). This user will be used whenever the Linux root user makes a ldap search. To do this you should run the following commands: creating ldap.secret echo passw0rd &gt;/etc/ldap.secret chmod ou-rw /etc/ldap.secret Please note that the “/etc/ldap.secret” file will be only accessible by the root user.
  • #70: What is nss_ldap and pam_ldap? The nss_ldap is a LDAP module for the “Solaris Nameservice Switch” (NSS). NSS is a set of C libraries with extensions needed to access information in a LDAP directory service that will be used instead of the “Network Information Service” (NIS) or flat files (that is the Linux default); the nss_ldap is necessary so that the Linux desktop can use their native LDAP service. The pam_ldap is used to integrate the LDAP authentication into the PAM API. Using the pam_ldap enables users to authenticate and change password using a LDAP service. Both modules are part of the nss_ldap package. The nss_ldap and pam_ldap installation To setup the Linux authentication with the Lotus Domino LDAP server it is necessary to download two PAM modules, the nss_ldap and the pam_ldap. Those modules will latter in the process be compiled and installed in the Linux workstation that will authenticate in the Lotus Domino LDAP service: Compiling nss_ldap e pam_ldap After copying the two modules to the Linux desktop, you have to unzip, compile and setup them. To do that, use the following commands: gunzip *tgz tar -xvf cd nss_ldap ./configure make make install cd .. cd pam_ldap ./configure make make install Making a ldap search using PAM Now that PAM has the new modules installed, you can validate access from the Linux desktop to the Lotus Domino LDAP service using the following command: Ldapsearch –v –x –D cn=ldapbind,o=ibm –w passw0rd –H ldap://domino.br.ibm.com –b o=ibm uid=mcosta The results can span more than one screen, so you can use “| more” to page the output. It should show the ldap schema objects that the user “mcosta” has in the Lotus Domino server directory . Setting up the ldap.conf file Now it is possible to setup the “/etc/ldap.conf” file, so that the Linux desktop will be able to use the Lotus Domino LDAP server for authentication and user information. 
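As an added example (not part of the original presentation), a small Python audit of the /etc/ldap.conf directives used above and of the /etc/ldap.secret permissions, written from the defender's side: it flags `ssl no` together with `pam_password clear` (binds and new passwords cross the network unencrypted) and reminds that `bindpw` in /etc/ldap.conf is readable by every local user, so the ldapbind account should hold only the rights it needs. The configuration text is constructed from the lines above; the permission check uses a throwaway temporary file.

```python
"""Audit nss_ldap/pam_ldap settings: /etc/ldap.conf directives and /etc/ldap.secret permissions.

Added example, not part of the original presentation. It reads the directive
names used by nss_ldap (host, uri, base, binddn, bindpw, rootbinddn, ssl,
pam_password) and reports weak or missing settings.
"""
import os
import stat
import tempfile

# Constructed sample: the /etc/ldap.conf lines from the procedure, plus one
# comment line to show that commented directives are ignored.
SAMPLE_LDAP_CONF = """\
# Your LDAP server. Must be resolvable without using LDAP.
host domino.br.ibm.com
base o=ibm
uri ldap://domino.br.ibm.com
binddn cn=ldapbind,o=ibm
bindpw passw0rd
rootbinddn cn=ldapbind,o=ibm
pam_password clear
ssl no
"""

REQUIRED_KEYS = ("base", "binddn", "rootbinddn")


def parse_ldap_conf(text):
    """Return {directive: value} for active lines; a later repeat overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit_ldap_conf(conf):
    """Return a list of finding codes for a parsed ldap.conf; [] means nothing to report."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in conf:
            findings.append("missing:" + key)
    if "host" not in conf and "uri" not in conf:
        findings.append("missing:host-or-uri")
    # Transport: with "ssl no" and a plain ldap:// URI, binds (and, with
    # pam_password clear, the new passwords) travel unencrypted to the server.
    uri = conf.get("uri", "")
    if conf.get("ssl", "no").lower() == "no" and not uri.lower().startswith("ldaps://"):
        findings.append("cleartext-transport")
    if conf.get("pam_password", "").lower() == "clear":
        findings.append("pam_password-clear")
    # /etc/ldap.conf is world-readable by default, so any local user can read bindpw.
    if "bindpw" in conf:
        findings.append("bindpw-in-ldap.conf")
    return findings


def audit_secret_file(path):
    """/etc/ldap.secret (the rootbinddn password) must exist and be mode 0600."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["secret-missing"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other permission bit set
        return ["secret-mode-%04o" % mode]
    return []


def audit_temp_secret(mode):
    """Demonstration helper: create a throwaway secret file with `mode` and audit it."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"passw0rd\n")
        os.close(fd)
        os.chmod(path, mode)
        return audit_secret_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print("ldap.conf findings:", audit_ldap_conf(conf))
    print("ldap.secret 0600:", audit_temp_secret(0o600))  # []
    print("ldap.secret 0644:", audit_temp_secret(0o644))  # ['secret-mode-0644']
```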
  • #72: Extending the Domino LDAP Schema

Creating a subform “LDAP posixAccount Schema”
Now it is necessary to extend the Domino LDAP schema to allow the Linux desktop to authenticate in the Domino LDAP server. This is needed because the standard Domino LDAP schema does not have all the fields required by the posixAccount schema that Linux uses. Open the Domino Directory (names.nsf) with IBM Lotus Domino Designer, create a new subform named “LDAP posixAccount Schema” and add the following fields:

    Field: UIDNumber
    Datatype: Text
    Field Type: Editable
    Default Value Formula: @Text(@Integer(1000 + (@Random * 1000)));

    Field: GIDNumber
    Datatype: Text
    Field Type: Computed
    Formula: UIDNumber

    Field: homedirectory
    Datatype: Text
    Field Type: Computed
    Formula: "/home/" + @LowerCase(shortname);

    Field: loginshell
    Datatype: Text
    Field Type: Computed
    Formula: "/bin/bash"

    Field: $objectclass
    Datatype: Text
    Input Multi-Value Separator(s): Comma, Semicolon
    Display Multi-Value Separator: Semicolon
    Field Type: Computed
    Formula: "posixAccount" : "posixGroup";

It is very important to observe that using a random function to define the user id and group id is only for demonstration purposes and proofs of concept. In a production environment, Domino agents should set these values according to the naming standards in use.

Save the “LDAP posixAccount Schema” subform. Insert the new subform into the existing “$PersonExtensibleSchema” subform and then refresh (edit and save) the Person documents of the users that will authenticate in the Linux desktop.

Note: for larger address books with many users you can set up an agent in the name and address book to refresh all the users.

Reloading the LDAP Schema
In order to publish your changes, you must reload the Domino LDAP schema. In the IBM Lotus Domino server console run the following command:

    tell ldap reloadschema

The new LDAP schema will then be in use by the LDAP service.

Verifying the new fields in the Domino LDAP Schema
Let’s make a simple test running ldapsearch to validate that the new fields are retrieved by LDAP clients and that the LDAP schema was correctly extended:

    ldapsearch -v -x -D cn=ldapbind,o=ibm -w passw0rd -H ldap://domino.br.ibm.com -b o=ibm uid=mcosta

You should have more than one output screen.
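Added example, not part of the presentation: a Python checker for the ldapsearch output of the verification step above. It parses the LDIF, confirms that each Person entry carries posixAccount with uidNumber, gidNumber, homeDirectory and loginShell consistent with the subform formulas above, and reports uidNumber collisions, the failure mode that the @Random formula invites once more than a handful of users are refreshed. The LDIF text is constructed sample output (names and uid values are made up; attribute names are the standard posixAccount ones).

```python
"""Check ldapsearch LDIF output for consistent posixAccount attributes.

Added example, not part of the original presentation. The entries below are
constructed sample output; the attribute names are the standard posixAccount
ones that the Domino subform fields above are published as.
"""
import base64
from collections import defaultdict

# Constructed sample: three Person entries as ldapsearch would print them.
# Two users received the same random uidNumber; the third was never refreshed.
SAMPLE_LDIF = """\
# extended LDIF
#
# filter: uid=*
# requesting: ALL
#

dn: CN=Marcos Costa,O=ibm
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: dominoPerson
objectClass: posixAccount
objectClass: posixGroup
uid: mcosta
uidNumber: 1472
gidNumber: 1472
homeDirectory: /home/mcosta
loginShell: /bin/bash

dn: CN=Joao Silva,O=ibm
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: dominoPerson
objectClass: posixAccount
objectClass: posixGroup
uid: jsilva
uidNumber: 1472
gidNumber: 1472
homeDirectory: /home/jsilva
loginShell: /bin/bash

dn: CN=Ana Santos,
 O=ibm
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: dominoPerson
uid: asantos

search: 2
result: 0 Success
"""

REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_ldif(text):
    """Return a list of entries, each a dict {attribute_lowercase: [values]}."""
    # Unfold: a line beginning with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():            # a blank line terminates an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):       # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = defaultdict(list)
        if current is not None:         # ldapsearch status lines outside entries are ignored
            current[attr.lower()].append(value)
    if current is not None:
        entries.append(current)
    return entries


def check_posix_entries(entries):
    """Return human-readable findings; an empty list means every entry is usable by nss_ldap."""
    findings = []
    owners = defaultdict(list)          # uidNumber -> [uid, ...], to detect collisions
    for e in entries:
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" not in classes:
            findings.append(f"{dn}: objectClass lacks posixAccount "
                            "(schema not extended or Person document not refreshed)")
            continue
        missing = [a for a in REQUIRED if a.lower() not in e]
        if missing:
            findings.append(f"{dn}: missing " + ", ".join(missing))
            continue
        uid = e["uid"][0]
        uidn, gidn = e["uidnumber"][0], e["gidnumber"][0]
        if not uidn.isdigit() or int(uidn) < 1000:
            findings.append(f"{dn}: uidNumber {uidn!r} is not a valid non-system UID")
        elif gidn != uidn:              # the GIDNumber field above is computed from UIDNumber
            findings.append(f"{dn}: gidNumber {gidn} differs from uidNumber {uidn}")
        else:
            owners[uidn].append(uid)
        if e["homedirectory"][0] != "/home/" + uid.lower():
            findings.append(f"{dn}: homeDirectory {e['homedirectory'][0]} "
                            f"does not match /home/{uid.lower()}")
        if not e["loginshell"][0].startswith("/"):
            findings.append(f"{dn}: loginShell {e['loginshell'][0]!r} is not an absolute path")
    for uidn, uids in owners.items():
        if len(uids) > 1:
            findings.append(f"uidNumber {uidn} is shared by {', '.join(uids)} "
                            "(random UID assignment collided; these users are one Unix identity)")
    return findings


if __name__ == "__main__":
    for finding in check_posix_entries(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```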
  • #78: Enabling the Domino LDAP server as the default Linux directory

The authconfig command
Now, with the authconfig command, it is finally possible to enable the Domino LDAP server as the default directory for authentication and user information. As the root user, run the following command:

    authconfig

User Information Configuration
In the “User Information Configuration” screen you define where Linux will search for user information (point it to our Domino LDAP service).

Authentication Configuration
In the “Authentication Configuration” screen you choose where the Linux desktop will authenticate the users (again, our Domino LDAP service).

Authenticating a Domino user in Linux
After all the configuration has been finished and the authconfig changes are committed, it should be possible to log in to the Linux workstation with the Domino LDAP users, as shown in the next picture.

Creating home directories for the Domino users
Note that the user does not yet have a home directory (the one specified in the Domino LDAP “homedirectory” attribute). The root user can create the directory for the user and change its ownership so that the Domino user behaves as a native Linux user, as follows:

Verifying user information (the id command)
As you can see, when the user “mcosta” runs the “id” command, the user information is retrieved from the Domino Directory and displayed in the output:
  • #83: Setting up Lotus Domino to allow password change for LDAP users

Configuration Document and user rights in the ACL
To allow password change via the Domino LDAP server, the following changes have to be made. Edit the server “Configuration Document” and, in the Basics section, check the field “Use these settings as the default settings for all servers”. Then, in the “LDAP” tab, verify that the field “Allow LDAP users write access:” is set to “Yes” to allow password change via LDAP access. Finally, make sure that “ldapbind/ibm” has permission to edit users (it can be Manager) in the name and address book ACL and that, in the ACL advanced properties, the “Maximum Internet name and password” access is at least “Editor”.

Changing a user password
After you have saved the Configuration Document and set up the name and address book ACL rights, restart the IBM Lotus Domino server and then test the password change from your Linux prompt as a regular Linux user:
  • #87: Troubleshooting

ldapsearch
The ldapsearch command is the best way to validate that the Linux desktop can reach and access the Domino LDAP service. If you can’t run the ldapsearch searches that this document asks you to do, don’t go ahead with the next step, because you can lose access to the Linux workstation.

Password change from the Linux desktop
If password change does not work, verify the rights of the ldapbind user in the name and address book access control list. You should also verify that in the advanced access control list settings the maximum Internet access is at least Editor.

User root cannot log in anymore!
If you made a mistake and cannot log in to the Linux desktop as root anymore, don’t get desperate! You still have a way out. Press Ctrl+Alt+Del on the Linux desktop and restart the system in single-user mode by typing “Linux 1” at the LILO prompt (Grub offers an equivalent option). Then, once you are at the root prompt, edit the file /etc/nsswitch.conf (make a backup copy of the file first) and remove all the ldap references from it. Now that you have seen the hard work needed to recover the system, here is a trick: while configuring the system, leave some root sessions open; they will let you recover the login configuration without having to restart the system in recovery mode.
  • #88: The IBM Lotus Domino server shows every day that it is the most flexible and easiest to set up messaging and collaboration solution in the market, because it is based on open standards and protocols. This document is just another example of how Domino can be used to reduce the total cost of ownership of your IT environment and solutions. Note that it is very important to remember that the solution described here is not the most complete solution from IBM for integrating Linux authentication with an LDAP service. IBM Tivoli software has solutions in this area that can do much more, such as user management, access control, system management and security control. You can find more information about those capabilities at http://www.tivoli.com or http://www-306.ibm.com/software/tivoli/solutions/security/.