Configuring user name mapping when you manage Domino users through Domino Directory

Follow the steps in this topic to configure user name mapping for a Windows™ single sign-on environment if you manage IBM® Domino® user information primarily through Domino Directory. You might want to use a directory synchronization tool such as IBM Tivoli® Directory Integrator to populate the required Active Directory information into Domino.

About this task

If you use a separate IBM application to manage Internet access to Domino, for example IBM Tivoli Access Manager WebSEAL reverse proxy or IBM WebSphere® DataPower® security gateway, the application can be set up to authenticate the Internet user against the user's Active Directory record rather than the Domino Person document. In this case:
  • Specifying a password in the Internet Password (HTTP Password) field in the Domino Person document is optional in Step 1. Neither Windows single sign-on for Web clients nor Internet authentication managed by the IBM application uses this field.
  • If the IBM application always creates the LTPA token on behalf of the user, completing the LTPA user name field in Step 1 and Step 2 is optional.

Procedure

  1. Make the following edits to participating Web users' Person documents in the Domino Directory.
    Table 1. Edits to Person Document for Web Users

    Tab: Basics
    Field: User name (FullName)
    Value: Two-part Active Directory logon name
    Comment:
      • Specify the logon name shown in the user's Active Directory account user interface.
      • Specify it as the third or subsequent name in this field.
      • Use the exact case shown in Active Directory for the first name part. Use uppercase for the second name part (the realm), regardless of the case shown in Active Directory.
        For example: bzechman@AD1.SUBNET2.RENOVATIONS.COM
      • You can optionally add the name to the krbPrincipalName field too.
      • Used to link this Person record to the Active Directory Kerberos identity.

    Tab: Basics
    Field: User name (FullName)
    Value: User's distinguished name in Active Directory
    Comment:
      • Required only if an IBM WebSphere® SSO server authenticates users against Active Directory, so that users' LTPA tokens contain their Active Directory names.
      • Add this name after the other names that already exist in the field.
      • Use the exact character case that is used in Active Directory.
      • Use IBM Notes® forward slash (/) separators in the Active Directory name rather than LDAP comma (,) separators; for example:
        uid=bzechman/ou=marketing/dc=renovations/dc=com
        rather than
        uid=bzechman,ou=marketing,dc=renovations,dc=com
      • Used to map Active Directory distinguished names in SSO LTPA tokens to Notes distinguished names when determining user access to Domino resources.

    Tab: Basics
    Field: Internet Password (HTTPPassword)
    Value: password-hash
    Comment:
      • If Domino uses directory assistance to connect to the Active Directory server, this password must be different from the user's password in Active Directory.
      • Enables Domino to verify user passwords in the Domino Directory in situations when Windows single sign-on is not available.

    Tab: Administration (Client Information section)
    Field: Active Directory (Kerberos) logon name (krbPrincipalName)
    Value: Two-part Active Directory logon name
    Comment:
      • Optional for this field.
      • Specify the logon name shown in the user's Active Directory account user interface.
      • See the first row in this table for more information on this name.
      • If specified in this field, add the following setting to the server NOTES.INI file so that the value can be found in this field in the Domino Directory or in any secondary directory accessed through directory assistance:
        WIDE_SEARCH_FOR_KERBEROS_NAMES=1
      • If specified in this field, create a full-text index for the Domino Directory to optimize searches of this field.

    Tab: Administration (Client Information section)
    Field: LTPA user name
    Value: User's distinguished name in Active Directory
    Comment:
      • Required only if an IBM WebSphere SSO server authenticates users against Active Directory, so that users' LTPA tokens contain their Active Directory names.
      • Used to map Active Directory distinguished names in SSO LTPA tokens to Notes distinguished names when determining user access to Domino resources.
  2. If some SSO servers authenticate users against Active Directory, specify the following setting in the Web SSO Configuration document:
    Table 2. Web SSO Configuration Settings

    Tab: Basics - Token Configuration
    Field: Map names in LTPA tokens
    Value: Enabled
    Comment:
      • Ensures proper SSO operation for servers that authenticate users against Active Directory.
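The following is an added worked example for Steps 1 and 2 above; it is illustrative code written for this page, not IBM Domino code or an IBM-supplied tool. It derives the Person document values from a user's Active Directory attributes (realm uppercased, DN rewritten with slash separators while preserving AD's character case, escaped commas in RDN values handled) and models, in simplified form, the lookup that "Map names in LTPA tokens" enables. The function names, the case-sensitive matching in `map_ltpa_name`, the rejection of RDN values that contain a slash, and all user names and distinguished names are assumptions made for the example, not behaviour the page states.

```python
# Added example: derive Step 1 Person document values from AD attributes and
# model the Step 2 LTPA name mapping. Not IBM Domino code; sample data is
# constructed, and the mapping model is an assumption, not Domino's internals.
from typing import Any, Dict, List, Optional


def split_dn(dn: str) -> List[str]:
    """Split an LDAP distinguished name into its RDNs on unescaped commas.

    A backslash-escaped comma inside a value (RFC 4514, e.g. "CN=Zechman\\, Bob")
    belongs to the value; a naive dn.split(",") would produce a wrong
    Notes-format name for such a user.
    """
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def ad_dn_to_notes_format(dn: str) -> str:
    """Rewrite an AD DN with Notes '/' separators instead of LDAP ',' separators,
    preserving the exact character case used in AD.

    Assumption (not stated on the page): an RDN value containing '/' cannot be
    expressed unambiguously in slash-separated form, so it is rejected.
    """
    rdns = split_dn(dn)
    for rdn in rdns:
        if "/" in rdn:
            raise ValueError(f"RDN contains '/', cannot convert unambiguously: {rdn!r}")
    return "/".join(rdns)


def ad_logon_to_krb_principal(upn: str) -> str:
    """Two-part AD logon name for FullName / krbPrincipalName: user part in the
    exact case shown in AD, realm (after '@') uppercased regardless of AD."""
    user, sep, realm = upn.partition("@")
    if not sep or not user or not realm:
        raise ValueError(f"expected user@realm, got {upn!r}")
    return f"{user}@{realm.upper()}"


def person_document_fields(existing_names: List[str], upn: str, ad_dn: str,
                           sso_via_websphere: bool) -> Dict[str, Any]:
    """Return the Step 1 field values for one Person document.

    existing_names: FullName entries already present (hierarchical name first,
    then common name) so the AD logon name lands third or later.
    sso_via_websphere: True when an IBM WebSphere SSO server authenticates
    users against AD, so LTPA tokens carry AD names.
    """
    if len(existing_names) < 2:
        raise ValueError("FullName must already hold the hierarchical and common "
                         "names; the AD logon name goes third or later")
    krb = ad_logon_to_krb_principal(upn)
    fullname = list(existing_names) + [krb]
    ltpa_name: Optional[str] = None
    if sso_via_websphere:
        ltpa_name = ad_dn_to_notes_format(ad_dn)
        fullname.append(ltpa_name)  # second Basics row of Table 1
    return {"FullName": fullname, "krbPrincipalName": krb, "LTPAUserName": ltpa_name}


def required_server_settings(directory: List[Dict[str, Any]]) -> List[str]:
    """Server-side settings the page requires once the Person documents are
    populated: the NOTES.INI line (Step 1) and the Web SSO setting (Step 2)."""
    settings = []
    if any(doc.get("krbPrincipalName") for doc in directory):
        settings.append("NOTES.INI: WIDE_SEARCH_FOR_KERBEROS_NAMES=1")
    if any(doc.get("LTPAUserName") for doc in directory):
        settings.append("Web SSO Configuration: Map names in LTPA tokens = Enabled")
    return settings


def map_ltpa_name(token_name: str, directory: List[Dict[str, Any]]) -> Optional[str]:
    """Simplified model (assumption, not Domino's implementation) of the Step 2
    mapping: the AD DN in an LTPA token is converted to Notes form and matched,
    case-sensitively, against FullName entries and the LTPA user name. Returns
    the Notes hierarchical name (first FullName entry), or None if unmapped."""
    candidate = ad_dn_to_notes_format(token_name) if "," in token_name else token_name
    for doc in directory:
        names = list(doc["FullName"])
        if doc.get("LTPAUserName"):
            names.append(doc["LTPAUserName"])
        if candidate in names:
            return doc["FullName"][0]
    return None


# Constructed sample user; every name here is illustrative only.
SAMPLE_PERSON = person_document_fields(
    existing_names=["CN=Bob Zechman/OU=Marketing/O=Renovations", "Bob Zechman"],
    upn="bzechman@ad1.subnet2.renovations.com",
    ad_dn="uid=bzechman,ou=marketing,dc=renovations,dc=com",
    sso_via_websphere=True,
)

if __name__ == "__main__":
    for field, value in SAMPLE_PERSON.items():
        print(f"{field}: {value}")
    print(required_server_settings([SAMPLE_PERSON]))
    print(map_ltpa_name("uid=bzechman,ou=marketing,dc=renovations,dc=com", [SAMPLE_PERSON]))
```

The case-sensitive match in `map_ltpa_name` is why the page insists on the exact Active Directory character case for the distinguished name: a token name that differs only in case from the stored value (for example `uid=BZECHMAN,...`) maps to no Domino user in this model, so the user falls through to anonymous or a login prompt rather than to the wrong identity.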