Example of directory assistance for an extended directory catalog and a remote LDAP directory
Company Z uses three domains, Domain A, Domain B, and Domain C. The company builds an extended directory catalog that aggregates all three domain Domino® Directories. Network connections between domains are slow, so Company Z replicates the extended directory catalog to strategic servers in each domain. In Domain A, the directory catalog is replicated to two servers that are members of a cluster.
About this task
Domino® servers in Domain A register Internet users in a remote Active Directory server which they use to authenticate the users. Domain A creates its own directory assistance database because only Domain A servers use the remote Active Directory.
The following tables show the settings in the Directory Assistance documents for the extended directory catalog and for the remote Active Directory server in the directory assistance database that Domain A servers use.
| Basics tab | Contents | Comments |
|---|---|---|
| Domain type | Notes® | |
| Domain name | EDC | Made-up name that does not correspond to an actual domain name in Domino®. |
| Company name | Company Z | |
| Search order | 1 | Causes Domain A servers to search the extended directory catalog before the remote Active Directory. |
| Make this domain available to |
|
|
| Group Authorization | Yes | Allows servers to use groups from any of the directories aggregated into the directory catalog for database authorization. |
| Enabled | Yes | |
| Naming contexts (rules) tab | ||
| N.C.1: |
|
Allows servers to search all entries in the directory. Trusted for Credentials set to No to prevent the extended directory catalog from being used for Internet client authentication, and allow only the remote Active Directory to be used for this purpose. |
| Replicas tab | ||
| N.C.1: |
|
Server1/DomainA is a member of a cluster. Only one replica of the extended directory catalog in the cluster is specified so that cluster failover is used to find an available replica. |
| Basics tab | Contents | Comments |
|---|---|---|
| Domain type | LDAP | |
| Domain name | ActiveDir | Made-up name that does not correspond to an actual domain name in Domino®. |
| Company name | Company Z | |
| Search order | 2 | Causes Domain A servers to search the remote Active Directory after the extended directory catalog. |
| Make this domain available to | Notes® Clients & Internet Authentication/Authorization | Domain A does not want its LDAP service to refer LDAP clients to the Active Directory, so it does not select the "LDAP Clients" option. |
| Group Authorization | No | Since Domain A servers look up groups used for database authorization in the extended directory catalog, they cannot use the remote Active Directory for this purpose too. All groups used for database authorization are stored in the Domain A primary Domino® Directory and in the domain directories that are aggregated into the extended directory catalog. |
| Enabled | Yes | |
| Naming contexts (rules) tab | ||
| N.C.1: |
|
The distinguished names of the users registered
in the Active Directory do not correspond to the Notes® naming convention of organizational unit
(ou), organization (o), and country (c). So Company Z must use an
all-asterisk rule to represent the distinguished names of these users. Trusted for Credentials is enabled for the naming context (rule) so that Domain A can use the user entries in Active Directory for Internet client authentication. |
| LDAP tab | ||
| Hostname | ldap1.companyz.com, ldap2.companyz.com | To provide failover, two Active Directory servers are specified, each with replicas of the directory and with the same LDAP configurations. |
| Optional Authentication Credential | Username: cn=john doe, cn=recipients, dc=east,
dc=renovations, dc=com Password: adminspass |
|
| Base DN for search | cn=recipients, dc=east, dc=renovations, dc=com | |
| Channel encryption | Yes | Since DomainA servers use the Active Directory for client authentication, Company Z selects the "Channel Encryption" so that Domino® servers can use a Transport Layer Security (TLS) certificate to verify the Active Directory server's identity. |
| Port | 636 | Necessary for TLS connections. |
| Accept expired TLS certificates | Yes | |
| TLS protocol version | Negotiated | |
| Verify server name with remote server's certificate | Yes | |
| Timeout | 60 | |
| Maximum number of entries returned | 100 | |
| Dereference alias on search | Never | The Active Directory server does not use alias dereferencing so Company Z selects Never to improve search performance. |
| Preferred mail format | Internet Mail Address | |
| Attribute to be used as Notes® Distinguished Name | notesname | Company Z uses Notes-style distinguished names, rather than the original LDAP names of the users in the Active Directory, for client authentication and in Notes® database ACLs. The specified attribute, notesname, is defined in Active Directory as the attribute to store the Notes® name. Company Z uses its own tool to add Notes-style distinguished names as values for the notesname attribute in user entries. |
| Type of search filter to use | Active Directory | Ensures that the Domain A servers use LDAP search filters that are customized for Active Directory searches. |