Configuring user name mapping when you manage Domino® users through Domino® Directory
Follow the steps in this topic to configure user name mapping for a Windows™ single sign-on environment if you manage IBM® Domino® user information primarily through Domino® Directory. You might want to use a directory synchronization tool such as IBM® Tivoli® Directory Integrator to populate the required Active Directory information into Domino®.
About this task
- Specifying a password in the Internet Password (HTTP Password) field in the Domino® Person document is optional in Step 1. Neither Windows™ single sign-on for Web clients nor Internet authentication managed by the IBM® application uses this field.
- If the IBM® application always creates the LTPA token on behalf of the user, completing the LTPA user name field in Step 1 and Step 2 is optional.
Procedure
- Make the following edits to participating Web users' Person documents in the Domino® Directory.
Table 1. Edits to Person Document for Web Users

Row 1
Tab: Basics
Field: User name (FullName)
Value: Two-part Active Directory logon name
Comments:
- Specify the logon name shown in the user's Active Directory account user interface.
- Specify it as the third or subsequent name in this field, after the user's Notes® hierarchical and common names.
- Use the exact case shown in Active Directory for the first name part (the user name). Use uppercase for the second name part (the domain, which is the Kerberos realm), regardless of the case shown in Active Directory.
For example: bzechman@AD1.SUBNET2.RENOVATIONS.COM
- You can optionally add the same name to the krbPrincipalName field (see Row 4).
- Used to link this Person record to the Active Directory Kerberos identity.

Row 2
Tab: Basics
Field: User name (FullName)
Value: User's distinguished name in Active Directory
Comments:
- Required only if there is an IBM® WebSphere® SSO server authenticating users against Active Directory, so that users' LTPA tokens contain their Active Directory names.
- Add this name after the other names that already exist in the field.
- Use the exact character case that is used in Active Directory.
- Use IBM® Notes® forward slash (/) separators in the Active Directory name rather than LDAP comma (,) separators; for example:
uid=bzechman/ou=marketing/dc=renovations/dc=com
rather than
uid=bzechman,ou=marketing,dc=renovations,dc=com
- Used to map Active Directory distinguished names in SSO LTPA tokens to Notes® distinguished names for determining user access to Domino® resources.

Row 3
Tab: Basics
Field: Internet Password (HTTPPassword)
Value: password-hash
Comments:
- If Domino® uses directory assistance to connect to the Active Directory server, this user password must be different from the user password in Active Directory.
- Enables Domino® to verify user passwords in the Domino® Directory in situations when Windows™ single sign-on is not available.

Row 4
Tab: Administration (Client Information section)
Field: Active Directory (Kerberos) logon name (krbPrincipalName)
Value: Two-part Active Directory logon name
Comments:
- Optional for this field.
- Specify the logon name shown in the user's Active Directory account user interface.
- See Row 1 of this table for more information on the format of this name.
- If specified in this field, add the following setting to the server NOTES.INI file so that the value can be found in this field in Domino® Directory or in any secondary directory accessed through directory assistance:
WIDE_SEARCH_FOR_KERBEROS_NAMES=1
- If specified in this field, create a full-text index for the Domino® Directory to optimize searches of this field.

Row 5
Tab: Administration (Client Information section)
Field: LTPA user name
Value: User's distinguished name in Active Directory
Comments:
- Required only if there is an IBM® WebSphere® SSO server authenticating users against Active Directory, so that users' LTPA tokens contain their Active Directory names.
- Used to map Active Directory distinguished names in SSO LTPA tokens to Notes® distinguished names for determining user access to Domino® resources.
- If some SSO servers are authenticating users against Active Directory, specify the following setting in the Web SSO Configuration document:
Table 2. Web SSO Configuration Settings

Tab: Basics - Token Configuration
Field: Map names in LTPA tokens
Value: Enabled
Comment:
- Ensures proper SSO operation for servers that authenticate users against Active Directory.
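The naming rules in Table 1 are easy to get wrong by hand (realm left in mixed case, LDAP commas left in the distinguished name, the Active Directory name placed before the Notes® names), and a synchronization tool has to apply them to every user. The following Python script is an added example, not IBM® code and not part of the original topic. It derives the Person document values from a user's Active Directory userPrincipalName and distinguishedName, and checks existing FullName entries for the two formatting mistakes the table warns about. The sample attributes are constructed; the dictionary key used for the LTPA user name field is the page's label for it, since the topic does not give that field's item name.

```python
"""Derive Domino Person-document name values from Active Directory attributes.

Added example (not IBM code). Implements the rules in Table 1:
  - two-part logon name: user part keeps AD case, realm is uppercased;
  - AD distinguished name: LDAP ',' separators become Notes '/' separators,
    character case is preserved;
  - both names are appended after the existing Notes names in FullName.
"""
import re

# Split on commas that are not escaped with a backslash (RFC 4514 escaping).
_UNESCAPED_COMMA = re.compile(r'(?<!\\),')


def kerberos_logon_name(upn: str) -> str:
    """'bzechman@ad1.subnet2.renovations.com' -> 'bzechman@AD1.SUBNET2.RENOVATIONS.COM'."""
    if upn.count('@') != 1:
        raise ValueError(f'expected user@domain, got {upn!r}')
    user, realm = upn.split('@')
    return f'{user}@{realm.upper()}'


def ldap_dn_to_notes(dn: str) -> str:
    """Convert an LDAP DN to the slash-separated form Domino expects in FullName.

    Backslash escapes inside an RDN value are left as they are (the topic does
    not say how Domino treats them). A literal '/' inside a value is rejected,
    because it would be read as a Notes component separator.
    """
    rdns = [r.strip() for r in _UNESCAPED_COMMA.split(dn)]
    for rdn in rdns:
        if '/' in rdn or '=' not in rdn:
            raise ValueError(f'cannot represent RDN {rdn!r} in Notes slash form')
    return '/'.join(rdns)


def person_document_fields(existing_fullnames: list[str], upn: str, ad_dn: str,
                           websphere_sso: bool = False) -> dict:
    """Return the Person document values from Table 1 for one user.

    existing_fullnames: the FullName entries already present (Notes hierarchical
    and common names). The AD logon name must become the third or later entry.
    """
    names = list(existing_fullnames)
    if len(names) < 2:
        raise ValueError('FullName should already hold the Notes hierarchical and common names')
    krb = kerberos_logon_name(upn)
    if krb not in names:
        names.append(krb)
    fields = {'FullName': names, 'krbPrincipalName': krb}
    if websphere_sso:
        # Only needed when a WebSphere SSO server puts AD names in LTPA tokens.
        notes_dn = ldap_dn_to_notes(ad_dn)
        if notes_dn not in names:
            names.append(notes_dn)
        fields['LTPA user name'] = notes_dn  # page label; item name not given
    return fields


def check_fullname_entry(entry: str) -> list[str]:
    """Flag the formatting mistakes Table 1 warns about in one FullName entry."""
    problems = []
    if '@' in entry:
        _, realm = entry.rsplit('@', 1)
        if realm != realm.upper():
            problems.append('Kerberos realm must be uppercase')
    elif '=' in entry and _UNESCAPED_COMMA.search(entry):
        problems.append('AD distinguished name must use / not , separators')
    return problems


if __name__ == '__main__':
    # Constructed sample: attributes as read from one AD account.
    ad_user = {
        'userPrincipalName': 'bzechman@ad1.subnet2.renovations.com',
        'distinguishedName': 'uid=bzechman,ou=marketing,dc=renovations,dc=com',
    }
    existing = ['CN=Bob Zechman/O=Renovations', 'Bob Zechman']
    fields = person_document_fields(existing, ad_user['userPrincipalName'],
                                    ad_user['distinguishedName'], websphere_sso=True)
    for field, value in fields.items():
        print(f'{field}: {value}')
    for name in fields['FullName']:
        print(name, check_fullname_entry(name) or 'ok')
```

Run the script as-is to see the derived values for the sample user, or feed check_fullname_entry the FullName entries of existing Person documents to find records that were edited with the wrong realm case or with comma separators before enabling Map names in LTPA tokens.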