Configuring user name mapping when you manage Domino® users through Active Directory
Follow the steps in this topic to configure user name mapping for a Windows™ single sign-on environment if you manage IBM® Domino® user information primarily through Active Directory. This configuration requires you to add users' IBM® Notes® distinguished names to Active Directory user accounts.
Procedure
- In a directory assistance database, create an LDAP directory assistance document to use to connect to the Active Directory server.

Table 1. Important Fields in an LDAP Directory Assistance Document

| Tab | Field | Value | Comment |
| --- | --- | --- | --- |
| Basics | Make this domain available to | Notes® clients and Internet Authentication/Authorization | Required. LDAP Clients is optional. |
| Basics | Group Authorization | Yes or No | Select Yes if you want to use Active Directory groups in database ACLs. |
| Basics | Attribute to be used as name in an SSO token | $DN | Required only if there is an IBM® WebSphere® SSO server authenticating users against Active Directory, so that users' LTPA tokens contain their Active Directory names. Requires Map names in LTPA token to be enabled in the Web SSO Configuration document. Ensures proper SSO operation for servers that authenticate users against Active Directory. |
| Basics - SSO configuration | Windows™ single sign-on for Web clients | Enabled | Enables efficient name lookups based on users' Active Directory logon (Kerberos) names. In combination with Attribute to be used as Notes Distinguished Name, allows the user's Kerberos identity to be associated with the Domino® name. |
| Basics - SSO configuration | Kerberos realm | Active Directory domain | Specify in uppercase characters, for example, AD.RENOVATIONS.COM. |
| Naming Contexts (Rules) | Trusted for Credentials | Yes | |
| LDAP | Attribute to be used as Notes® Distinguished Name | attribute - the attribute in Active Directory that stores users' Notes® distinguished names | A directory administrator may need to extend the Active Directory schema to add an attribute for this name if no existing attribute already contains the Notes® distinguished name. Alternatively, it may be feasible to use the altSecurityIdentities attribute, if it is not already in use for another purpose. A directory synchronization tool such as IBM® Tivoli® Directory Integrator can be used to populate the attribute with the Notes® names. The value stored in the attribute must adhere to valid distinguished name syntax: in Active Directory, use LDAP comma (,) separators in the Notes® names rather than the Notes® forward slash (/) separators, for example `cn=Betty Zechman,ou=Marketing,o=Renovations` rather than `cn=Betty Zechman/ou=Marketing/o=Renovations`. Used to link this Active Directory record to a Notes® distinguished name for determining user access to Domino® resources. |
| LDAP | Type of search filter to use | Active Directory | |
- If users have Person documents in the Domino® Directory, make the following edits to them. Person documents are optional for Web users who are not IBM® iNotes® users.

Table 2. Edits Needed in Person Documents

| Tab | Field | Value | Comment |
| --- | --- | --- | --- |
| Basics | Internet Password (HTTPPassword) | None (recommended) or password-hash | If desired, remove the password so that users' Active Directory passwords are used for Internet access that requires user password verification. When the password is removed, set directory access to prevent users from adding passwords themselves. When the password is removed, Domino® verifies user passwords in Active Directory in situations when Windows™ single sign-on is not available. |
- If users have Domino® Person documents but you do not include their Domino® Internet passwords in them, disable the following Internet password settings in users' effective Security Settings policy document:

Table 3. Settings to Disable in Users' Effective Security Settings Policy Document

| Tab | Field | Value | Comment |
| --- | --- | --- | --- |
| Password Management Basics | Allow Users to Change Internet Password over HTTP | No | The default behavior is Yes. If there is no Security Settings policy document specified for users, create one in order to change the default behavior. |
| Password Management Basics | Update Internet Password When Notes® client Password Changes | No | |
| Password Management Basics | Enforce Password Expiration | Disabled or Notes® Only | |
- In the Server documents of the participating Domino® servers, for Internet authentication, select Fewer name variations with higher security.
- If some SSO servers are authenticating users against Active Directory, specify the following setting in the Web SSO Configuration document:

Table 4. Web SSO Configuration Settings

| Tab | Field | Value | Comment |
| --- | --- | --- | --- |
| Basics - Token Configuration | Map names in LTPA tokens | Enabled | Used to map Active Directory distinguished names in SSO LTPA tokens to Notes® distinguished names for determining user access to Domino® resources. Used to ensure functioning SSO at servers that authenticate the user against Active Directory. |
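The value written to the attribute named in "Attribute to be used as Notes® Distinguished Name" (step 1) is what links an Active Directory account to a Domino® identity, so a malformed value (Notes slash separators, an unescaped comma in a common name, a missing cn= component) silently breaks the mapping for that user. The following added example, which is not part of the IBM documentation, converts Notes hierarchical names to the comma-separated LDAP form with RFC 4514 escaping, checks a candidate attribute value before it is written, and emits a standard LDIF modify record for review. The user names, the Active Directory account DN and the use of altSecurityIdentities as the target attribute are constructed sample data and assumptions, not values from the page.

```python
"""Prepare and check values for the Active Directory attribute that Domino reads
through "Attribute to be used as Notes Distinguished Name".

Added example, not from the IBM documentation. The user names, the target
attribute name (altSecurityIdentities is one option the documentation mentions)
and the Active Directory account DNs below are constructed sample data.
"""
import re

# Characters that RFC 4514 requires escaping inside an attribute value.
_SPECIAL = set(',+"\\<>;')
_ALLOWED_TYPES = ('cn', 'ou', 'o', 'c')

# One or more type=value components separated by commas; backslash-escaped
# characters are allowed inside a value, unescaped commas are not.
_DN_RE = re.compile(
    r'^(?:cn|ou|o|c)=(?:[^,\\]|\\.)+(?:,(?:cn|ou|o|c)=(?:[^,\\]|\\.)+)*$',
    re.IGNORECASE,
)


def escape_rdn_value(value: str) -> str:
    """Escape a single RDN value per RFC 4514 so that a comma or other special
    character inside a name cannot be misread as a component separator."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in _SPECIAL
            or (ch == '#' and i == 0)
            or (ch == ' ' and i in (0, last))
        )
        out.append('\\' + ch if needs_escape else ch)
    return ''.join(out)


def notes_to_ldap_dn(notes_name: str) -> str:
    """Convert a Notes hierarchical name to the comma-separated LDAP form.

    Accepts the typed form 'CN=Betty Zechman/OU=Marketing/O=Renovations' and
    the abbreviated form 'Betty Zechman/Marketing/Renovations'. In the
    abbreviated form the first component is taken as cn, the last as o and any
    in between as ou; abbreviated names ending in a country code are not
    handled and should be supplied in the typed form.
    """
    parts = [p.strip() for p in notes_name.split('/') if p.strip()]
    if not parts:
        raise ValueError("empty Notes name")
    rdns = []
    for idx, part in enumerate(parts):
        if '=' in part:
            attr, _, val = part.partition('=')
            attr = attr.strip().lower()
            val = val.strip()
        else:
            val = part
            if idx == 0:
                attr = 'cn'
            elif idx == len(parts) - 1:
                attr = 'o'
            else:
                attr = 'ou'
        if attr not in _ALLOWED_TYPES:
            raise ValueError(f"unexpected component type {attr!r} in {notes_name!r}")
        rdns.append(f"{attr}={escape_rdn_value(val)}")
    return ','.join(rdns)


def check_attribute_value(value: str) -> list:
    """Return the problems found in a value destined for the mapping attribute.
    An empty list means the value is acceptable."""
    problems = []
    if '/' in value and ',' not in value:
        problems.append("uses Notes '/' separators; Active Directory needs LDAP ',' separators")
    if not value.lower().startswith('cn='):
        problems.append("does not start with a cn= component")
    if not _DN_RE.match(value):
        problems.append("not valid LDAP distinguished name syntax")
    return problems


def ldif_modify(ad_user_dn: str, notes_name: str,
                attribute: str = 'altSecurityIdentities') -> str:
    """Build an LDIF modify/replace record that sets the mapping attribute on one
    Active Directory account. The value is converted and checked first, so a bad
    name raises instead of producing a record that would break the mapping."""
    value = notes_to_ldap_dn(notes_name)
    problems = check_attribute_value(value)
    if problems:
        raise ValueError(f"{notes_name!r}: " + '; '.join(problems))
    return (
        f"dn: {ad_user_dn}\n"
        "changetype: modify\n"
        f"replace: {attribute}\n"
        f"{attribute}: {value}\n"
        "-\n"
    )


if __name__ == '__main__':
    # Constructed sample account DN; the Notes name is the one used on the page.
    print(ldif_modify("CN=Betty Zechman,OU=Staff,DC=ad,DC=renovations,DC=com",
                      "CN=Betty Zechman/OU=Marketing/O=Renovations"))
    print(check_attribute_value("cn=Betty Zechman/ou=Marketing/o=Renovations"))
```

The LDIF record uses `replace`, which overwrites any existing values of the attribute; this is why the documentation's caveat about using altSecurityIdentities only when it is not already in use for another purpose matters before a bulk import.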