Example of directory assistance for an extended directory catalog and a remote LDAP directory

Company Z uses three domains, Domain A, Domain B, and Domain C. The company builds an extended directory catalog that aggregates the Domino® Directories of all three domains. Network connections between domains are slow, so Company Z replicates the extended directory catalog to strategic servers in each domain. In Domain A, the directory catalog is replicated to two servers that are members of a cluster.

About this task

Domino® servers in Domain A register Internet users in a remote Active Directory server which they use to authenticate the users. Domain A creates its own directory assistance database because only Domain A servers use the remote Active Directory.

The following tables show the settings in the Directory Assistance documents for the extended directory catalog and for the remote Active Directory server in the directory assistance database that Domain A servers use.

Table 1. Directory Assistance document for the extended directory catalog

| Basics tab | Contents | Comments |
|---|---|---|
| Domain type | Notes® | |
| Domain name | EDC | Made-up name that does not correspond to an actual domain name in Domino®. |
| Company name | Company Z | |
| Search order | 1 | Causes Domain A servers to search the extended directory catalog before the remote Active Directory. |
| Make this domain available to | Notes® Clients & Internet Authentication/Authorization; LDAP Clients | |
| Group Authorization | Yes | Allows servers to use groups from any of the directories aggregated into the directory catalog for database authorization. |
| Enabled | Yes | |

| Naming contexts (rules) tab | Contents | Comments |
|---|---|---|
| N.C.1 | Rule: */ */ */ */ */ *; Enabled: Yes; Trusted for Credentials: No | Allows servers to search all entries in the directory. Trusted for Credentials is set to No to prevent the extended directory catalog from being used for Internet client authentication, so that only the remote Active Directory is used for this purpose. |

| Replicas tab | Contents | Comments |
|---|---|---|
| N.C.1 | Server Name: Server1/DomainA; Directory Filename: EDC.NSF | Server1/DomainA is a member of a cluster. Only one replica of the extended directory catalog in the cluster is specified so that cluster failover is used to find an available replica. |

Table 2. Directory Assistance document for the remote LDAP Directory

| Basics tab | Contents | Comments |
|---|---|---|
| Domain type | LDAP | |
| Domain name | ActiveDir | Made-up name that does not correspond to an actual domain name in Domino®. |
| Company name | Company Z | |
| Search order | 2 | Causes Domain A servers to search the remote Active Directory after the extended directory catalog. |
| Make this domain available to | Notes® Clients & Internet Authentication/Authorization | Domain A does not want its LDAP service to refer LDAP clients to the Active Directory, so it does not select the "LDAP Clients" option. |
| Group Authorization | No | Since Domain A servers look up groups used for database authorization in the extended directory catalog, they cannot use the remote Active Directory for this purpose too. All groups used for database authorization are stored in the Domain A primary Domino® Directory and in the domain directories that are aggregated into the extended directory catalog. |
| Enabled | Yes | |

| Naming contexts (rules) tab | Contents | Comments |
|---|---|---|
| N.C.1 | Rule: */ */ */ */ */ *; Enabled: Yes; Trusted for Credentials: Yes | The distinguished names of the users registered in the Active Directory do not correspond to the Notes® naming convention of organizational unit (ou), organization (o), and country (c), so Company Z must use an all-asterisk rule to represent the distinguished names of these users. Trusted for Credentials is enabled for the naming context (rule) so that Domain A can use the user entries in Active Directory for Internet client authentication. |

| LDAP tab | Contents | Comments |
|---|---|---|
| Hostname | ldap1.companyz.com, ldap2.companyz.com | To provide failover, two Active Directory servers are specified, each with replicas of the directory and with the same LDAP configuration. |
| Optional Authentication Credential | Username: cn=john doe, cn=recipients, dc=east, dc=renovations, dc=com; Password: adminspass | |
| Base DN for search | cn=recipients, dc=east, dc=renovations, dc=com | |
| Channel encryption | Yes | Since Domain A servers use the Active Directory for client authentication, Company Z selects the "Channel Encryption" option so that Domino® servers can use a Transport Layer Security (TLS) certificate to verify the Active Directory server's identity. |
| Port | 636 | Necessary for TLS connections. |
| Accept expired TLS certificates | Yes | |
| TLS protocol version | Negotiated | |
| Verify server name with remote server's certificate | Yes | |
| Timeout | 60 | |
| Maximum number of entries returned | 100 | |
| Dereference alias on search | Never | The Active Directory server does not use alias dereferencing, so Company Z selects Never to improve search performance. |
| Preferred mail format | Internet Mail Address | |
| Attribute to be used as Notes® Distinguished Name | notesname | Company Z uses Notes-style distinguished names, rather than the original LDAP names of the users in the Active Directory, for client authentication and in Notes® database ACLs. The specified attribute, notesname, is defined in Active Directory as the attribute that stores the Notes® name. Company Z uses its own tool to add Notes-style distinguished names as values of the notesname attribute in user entries. |
| Type of search filter to use | Active Directory | Ensures that the Domain A servers use LDAP search filters that are customized for Active Directory searches. |
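The two tables above set four controls that decide where a Domain A server may look for credentials and for groups: Search order, Enabled, Group Authorization, and the naming rule's Trusted for Credentials flag. The following Python model is an added example (not HCL code and not part of this page) that encodes both Directory Assistance documents with the settings shown and works out which directory may authenticate an Internet client and which may supply groups for ACL authorization. It assumes the six rule positions are OU1/OU2/OU3/OU4/O/C and that "*" matches any value, including an absent component.

```python
from dataclasses import dataclass

@dataclass
class NamingRule:
    pattern: str                     # six positions, assumed OU1/OU2/OU3/OU4/O/C; "*" matches anything
    enabled: bool = True
    trusted_for_credentials: bool = False

@dataclass
class DADocument:
    domain_name: str
    search_order: int
    group_authorization: bool
    enabled: bool
    rules: list

def notes_name_parts(notes_dn):
    """Map 'CN=x/OU=y/O=z/C=w' onto the six rule positions OU1..OU4, O, C; missing parts are ''."""
    comps = [c.partition("=") for c in notes_dn.split("/")]
    ous = [v.strip() for k, _, v in comps if k.strip().upper() == "OU"]
    org = next((v.strip() for k, _, v in comps if k.strip().upper() == "O"), "")
    country = next((v.strip() for k, _, v in comps if k.strip().upper() == "C"), "")
    return (ous + [""] * 4)[:4] + [org, country]

def rule_matches(rule, notes_dn):
    """A disabled rule never matches; '*' in a position accepts any value, including none."""
    if not rule.enabled:
        return False
    pattern = rule.pattern.replace(" ", "").split("/")
    return all(p == "*" or p.lower() == v.lower()
               for p, v in zip(pattern, notes_name_parts(notes_dn)))

def trusted_directories(docs, notes_dn):
    """Directories allowed to authenticate an Internet client with this name, in search order."""
    return [d.domain_name for d in sorted(docs, key=lambda d: d.search_order)
            if d.enabled and any(r.trusted_for_credentials and rule_matches(r, notes_dn)
                                 for r in d.rules)]

def group_directories(docs):
    """Directories whose groups may be used for database (ACL) authorization."""
    return [d.domain_name for d in sorted(docs, key=lambda d: d.search_order)
            if d.enabled and d.group_authorization]

# The two documents from Table 1 and Table 2 (constructed from the settings shown on the page)
EDC = DADocument("EDC", 1, True, True, [NamingRule("*/ */ */ */ */ *", True, False)])
ACTIVEDIR = DADocument("ActiveDir", 2, False, True, [NamingRule("*/ */ */ */ */ *", True, True)])
DOCS = [EDC, ACTIVEDIR]
```

With these settings, `trusted_directories(DOCS, "CN=John Doe/OU=East/O=Renovations")` yields only ActiveDir, while `group_directories(DOCS)` yields only EDC, which is the separation the two documents are designed to enforce.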