Configuring user name mapping when you manage Domino® users through Domino® Directory

Follow the steps in this topic to configure user name mapping for a Windows single sign-on environment if you manage IBM® Domino® user information primarily through Domino® Directory. You might want to use a directory synchronization tool such as IBM® Tivoli® Directory Integratorto populate required Active Directory information into Domino®.

About this task

If you use a separate IBM® application to manage Internet access to Domino®, for example IBM® Tivoli® Access Manager WebSEAL reverse proxy or IBM® WebSphere® DataPower® security gateway, the application can be set up to authenticate the Internet user against the user's Active Directory record rather than the Domino® Person document. In this case:
  • Specifying a password in the Internet Password (HTTP Password) field in the Domino® Person document is optional in Step 1. Neither Windows single sign-on for Web clients nor Internet authentication managed by the IBM® application use this field.
  • If the IBM® application always creates the LTPA token on behalf of the user, completing the LTPA user name field in Step 1 and Step 2 is optional.

Procedure

  1. Make the following edits to participating Web users' Person documents in the Domino® Directory.
    Table 1. Edits to Person Document for Web Users

    Tab

    Field

    Value

    Comment

    Basics

    User name

    (FullName)

    Two-part Active Directory logon name

    • Specify the logon name shown in the user's Active Directory account user interface.
    • Specify as the third or subsequent name in this field.
    • Use exact case shown in Active Directory for the first name part. Use uppercase for the second name part, regardless of case shown in Active Directory.

    For example: bzechman@AD1.SUBNET2.RENOVATIONS.COM

    • Can optionally add name to krbPrincipalName field too.
    • Used to link this Person record to the Active Directory Kerberos identity.

    Basics

    User name (FullName)

    User's distinguished name in Active Directory

    • Required only if there is an IBM® WebSphere® SSO server authenticating users against Active Directory so that users' LTPA tokens contain their Active Directory names.
    • Add this name after the other names that already exist in the field.
    • Use the exact character case that is used in Active Directory.
    • Use IBM® Notes® forward slash (/) separators in the Active Directory name rather than LDAP comma (,) separators; for example:
    uid=bzechman/ou=marketing/dc=renovations/dc=com

    rather than

    uid=bzechman,ou=marketing,dc=renovations,dc=com
    • Used to map Active Directory distinguished names in SSO LTPA tokens to Notes® distinguished names for determining user access to Domino® resources.

    Basics

    Internet Password (HTTPPassword)

    password-hash
    • If Domino® uses directory assistance to connect to the Active Directory server, this user password must be different than the user password in Active Directory.
    • Enables Domino® to verify user passwords in the Domino® Directory in situations when Windows single sign-on is not available.

    Administration (Client Information section)

    Active Directory (Kerberos) logon name

    (krbPrincipalName)

    Two-part Active Directory logon name

    • Optional for this field.
    • Specify the logon name shown in the user's Active Directory account user interface.
    • See the first row in this table for more information on this name.
    • If specified in this field, add the following setting to the server NOTES.INI file to enable the value to be found in this field in Domino® Directory or in any secondary directory accessed through directory assistance:
    WIDE_SEARCH_FOR_KERBEROS_NAMES=1
    • If specified in this field, create a full-text index for the Domino® Directory to optimize searches of this field.

    Administration (Client Information section)

    LTPA user name

    User's distinguished name in Active Directory

    • Required only if there is an IBM® WebSphere® SSO server authenticating users against Active Directory so that users' LTPA tokens contain their Active Directory names.
    • Used to map Active Directory distinguished names in SSO LTPA tokens to Notes® distinguished names for determining user access to Domino® resources.
  2. If some SSO servers are authenticating users against Active Directory, specify the following setting in the Web SSO Configuration document:
    Table 2. Web SSO Configuration Settings

    Tab

    Field

    Value

    Comment

    Basics - Token Configuration

    Map names in LTPA tokens

    Enabled

    • Ensures proper SSO operation for servers that authenticate users against Active Directory.