Configuring user name mapping when you manage Domino users through Active Directory

Follow the steps in this topic to configure user name mapping for a Windows™ single sign-on environment if you manage IBM® Domino® user information primarily through Active Directory. This configuration requires you to add users' IBM Notes® distinguished names to Active Directory user accounts.

Procedure

  1. In a directory assistance database, create an LDAP directory assistance document to use to connect to the Active Directory server.
    Table 1. Important Fields in an LDAP Directory Assistance Document

    Tab: Basics
    Field: Make this domain available to
    Value: Notes clients and Internet Authentication/Authorization
    Comment:
      • Required
      • LDAP Clients is optional

    Tab: Basics
    Field: Group Authorization
    Value: Yes or No
    Comment: Select Yes if you want to use Active Directory groups in database ACLs.

    Tab: Basics
    Field: Attribute to be used as name in an SSO token
    Value: $DN
    Comment:
      • Required only if there is an IBM WebSphere® SSO server authenticating users against Active Directory, so that users' LTPA tokens contain their Active Directory names.
      • Requires Map names in LTPA token to be enabled in the Web SSO Configuration document.
      • Ensures proper SSO operation for servers that authenticate users against Active Directory.

    Tab: Basics - SSO configuration
    Field: Windows single sign-on for Web clients
    Value: Enabled
    Comment: Enables efficient name lookups based on users' Active Directory logon (Kerberos) names. In combination with Attribute to be used as Notes Distinguished Name, allows the user's Kerberos identity to be associated with the Domino name.

    Tab: Basics - SSO configuration
    Field: Kerberos realm
    Value: Active Directory domain
    Comment: Specify in uppercase characters, for example, AD.RENOVATIONS.COM.

    Tab: Naming Contexts (Rules)
    Field: Trusted for Credentials
    Value: Yes

    Tab: LDAP
    Field: Attribute to be used as Notes Distinguished Name
    Value: attribute
    Comment:
      • Attribute in Active Directory that stores users' Notes distinguished names.
      • A directory administrator may need to extend the Active Directory schema to add an attribute for this name if there is no existing attribute that already contains the Notes distinguished name. Alternatively, it may be feasible to use the altSecurityIdentities attribute, if it is not already in use for another purpose.
      • A directory synchronization tool such as IBM Tivoli® Directory Integrator can be used to populate the attribute with the Notes names.
      • The value stored in the attribute must adhere to valid distinguished name syntax. In Active Directory, use LDAP comma (,) separators in the Notes names rather than the Notes forward slash (/) separators; for example:
          cn=Betty Zechman,ou=Marketing,o=Renovations
        rather than
          cn=Betty Zechman/ou=Marketing/o=Renovations
      • Used to link this Active Directory record to a Notes distinguished name for determining user access to Domino resources.

    Tab: LDAP
    Field: Type of search filter to use
    Value: Active Directory

  2. If users have Person documents in the Domino Directory, make the following edits to them. Person documents are optional for Web users who are not IBM iNotes® users.
    Table 2. Edits Needed in Person Documents

    Tab: Basics
    Field: Internet Password (HTTPPassword)
    Value: None (recommended) or password-hash
    Comment:
      • If desired, remove the password so that users' Active Directory passwords are used for Internet access that requires user password verification.
      • When the password is removed, set directory access to prevent users from adding passwords themselves.
      • When the password is removed, Domino verifies user passwords in Active Directory in situations where Windows single sign-on is not available.
  3. If users have Domino Person documents but you do not include their Domino Internet passwords in them, disable the following Internet password settings in users' effective Security Settings policy document:
    Table 3. Settings to Disable in Users' Effective Security Settings Policy Document

    Tab: Password Management Basics
    Field: Allow Users to Change Internet Password over HTTP
    Value: No
    Comment: The default behavior is Yes. If there is no Security Settings policy document specified for users, create one in order to change the default behavior.

    Tab: Password Management Basics
    Field: Update Internet Password When Notes client Password Changes
    Value: No

    Tab: Password Management Basics
    Field: Enforce Password Expiration
    Value: Disabled or Notes Only

  4. On the Security > Internet Access tab of the Server documents of participating Domino servers, for Internet authentication, select Fewer name variations with higher security.
  5. If some SSO servers are authenticating users against Active Directory, specify the following setting in the Web SSO Configuration document:
    Table 4. Web SSO Configuration Settings

    Tab: Basics - Token Configuration
    Field: Map names in LTPA tokens
    Value: Enabled
    Comment:
      • Used to map Active Directory distinguished names in SSO LTPA tokens to Notes distinguished names for determining user access to Domino resources.
      • Used to ensure functioning SSO at servers that authenticate the user against Active Directory.
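The Notes-to-LDAP name conversion that step 1 requires, as an added example that is not IBM's code and not part of Domino or Tivoli Directory Integrator: it turns a Notes name into the comma-separated LDAP DN syntax the Active Directory attribute must hold, escapes the RFC 4514 special characters, and checks whether a stored value is still in Notes slash syntax. The expansion of an abbreviated Notes name as CN / OU... / O is an assumption of this example; names with a country component must be given in canonical form.

```python
"""Convert Notes distinguished names to the LDAP DN syntax Active Directory needs.

Added example, not part of the IBM documentation and not a Domino or Tivoli
Directory Integrator component. Escaping follows RFC 4514; abbreviated Notes
names are expanded with the assumed rule first=CN, last=O, between=OU (a
country component must be given in canonical form, e.g. CN=.../O=.../C=US).
"""
import re

_SPECIAL = set(',+"\\<>;')   # must be backslash-escaped inside an RDN value

def _escape_rdn_value(value):
    out = []
    for i, ch in enumerate(value):
        lead = i == 0 and ch in ' #'               # leading space or '#'
        trail = i == len(value) - 1 and ch == ' '  # trailing space
        out.append('\\' + ch if ch in _SPECIAL or lead or trail else ch)
    return ''.join(out)

def notes_to_ldap_dn(notes_name):
    """'CN=Betty Zechman/OU=Marketing/O=Renovations' -> 'cn=Betty Zechman,ou=Marketing,o=Renovations'"""
    parts = [p.strip() for p in notes_name.strip('/').split('/') if p.strip()]
    labelled = [p for p in parts if '=' in p]
    if not parts or (labelled and len(labelled) != len(parts)):
        raise ValueError('not a Notes name: %r' % notes_name)
    if labelled:   # canonical form: every component carries its type label
        rdns = [(p.partition('=')[0].strip().lower(), p.partition('=')[2].strip()) for p in parts]
    else:          # abbreviated form (assumed rule): CN / OU... / O
        if len(parts) < 2:
            raise ValueError('abbreviated name needs at least CN and O: %r' % notes_name)
        rdns = [('cn', parts[0])] + [('ou', p) for p in parts[1:-1]] + [('o', parts[-1])]
    return ','.join('%s=%s' % (t, _escape_rdn_value(v)) for t, v in rdns)

_RDN = r'[A-Za-z][A-Za-z0-9-]*=(?:[^,+"\\<>;]|\\.)*'
_DN_RE = re.compile(r'^%s(?:,%s)*$' % (_RDN, _RDN))

def is_valid_ldap_dn(value):
    """True if an AD attribute value is an LDAP DN with at least CN and O.

    A value still in Notes '/' syntax parses as one RDN whose value contains
    slashes, so an unescaped '/' is treated as a sign of the wrong syntax."""
    if not _DN_RE.match(value) or re.search(r'(?<!\\)/', value):
        return False
    types = {rdn.split('=', 1)[0].lower() for rdn in re.split(r'(?<!\\),', value)}
    return {'cn', 'o'} <= types

if __name__ == '__main__':
    for name in ('CN=Betty Zechman/OU=Marketing/O=Renovations', 'Zechman, Betty/Marketing/Renovations'):
        dn = notes_to_ldap_dn(name)
        print(name, '->', dn, '| valid:', is_valid_ldap_dn(dn))
    print('Notes syntax accepted as DN?', is_valid_ldap_dn('cn=Betty Zechman/ou=Marketing/o=Renovations'))
```

Run `is_valid_ldap_dn` over the values already stored in the chosen attribute before enabling the directory assistance document, since a value left in slash syntax silently fails to link the Active Directory record to the Notes name.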