Using Notes® distinguished names in a remote LDAP directory

This feature allows organizations that migrate users from a Domino® Directory to a remote LDAP directory to continue to use the original Notes® distinguished names for users. This feature is also useful as a way to hide complex LDAP distinguished names from users.

About this task

You can set up directory assistance for a remote LDAP directory so that a Domino® server:

  • Uses a Notes® distinguished name rather than an LDAP distinguished name for Internet client authentication
  • Accepts the Notes® distinguished name in database ACLs, and in groups used in database ACLs, for database access authorization.

To set up this feature, you add an attribute for storing Notes® name values to the user entries in the LDAP directory, and then add the Notes® distinguished names as values for the attributes. Then you specify the attribute you use for the Notes® names in a Directory Assistance document for the LDAP directory.

Once you have set up this feature, clients can authenticate using either their Notes® distinguished names or their original LDAP distinguished names. Database ACLs, Server document access control fields, access control groups, and Web server File Protection documents can use only the Notes® distinguished names.

Procedure

  1. To add the Notes® distinguished names to the LDAP directory, in the remote LDAP directory, choose an attribute for storing the values of the Notes® names in the LDAP directory user entries. The syntax for the attribute must be DN. You can create a new attribute, or use an existing one already defined in the schema.
  2. Add Notes® names as values for the selected attribute to the remote LDAP directory user entries.
    • Domino® does not provide a tool to add the names -- use a tool that is available to you.
    • Use the LDAP format for the Notes® name value. For example, use cn=John Doe,o=Renovations and not John Doe/Renovations or cn=John Doe/o=Renovations.
    • You can use any distinguished name value, although a distinguished name with multiple parts is recommended because it provides better security.
  3. Set up directory assistance to use the Notes® distinguished names:
    1. If you haven't created a Directory Assistance document for the LDAP directory, create one.
    2. On the LDAP tab of the Directory Assistance document, in the Attribute to be used as Notes distinguished name field, add the name of the attribute used in the LDAP directory to store the Notes® names.
    3. On the Naming contexts (rules) tab of the Directory Assistance document, make sure there are rules that are Trusted for Credentials that match the Notes® distinguished names and the LDAP distinguished names. If you do not use an all-asterisk trusted rule and the Notes® and LDAP names use different name hierarchies, configure a trusted rule to represent each hierarchy.
    4. Save the Directory Assistance document.
  4. Add the Notes® distinguished names as necessary to database ACLs, Server document access control fields, access control groups, and Web server File Protection documents. Use the Notes® format for the name, for example John Doe/Renovations or cn=John Doe/o=Renovations and not the LDAP format cn=John Doe, o=Renovations.
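The following is an added example, not code from the HCL documentation or from Domino®: it converts a Notes® name (abbreviated or canonical form) into the LDAP DN syntax that step 2 requires and emits an LDIF modify record you can feed to a tool such as ldapmodify to populate the chosen attribute. The attribute name notesname and the entry DN are taken from the example later on this page; the converter assumes Notes® names without a country component.

```python
import base64


def _escape_rdn_value(value):
    # RFC 4514 escaping: backslash first, then the other special characters,
    # then a leading '#'. Values are stripped before this, so leading/trailing
    # spaces do not occur.
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    return "\\" + out if out.startswith("#") else out


def notes_to_ldap_dn(notes_name):
    """Return the LDAP DN form the directory attribute needs (syntax DN).

    Accepts the abbreviated form (Jack Johnson/Boston/Renovations) or the
    canonical form (cn=Jack Johnson/ou=Boston/o=Renovations).
    Assumption: no trailing country (c=) component.
    """
    parts = [p.strip() for p in notes_name.split("/") if p.strip()]
    if len(parts) < 2:
        raise ValueError("need at least cn and o components: %r" % notes_name)
    if all("=" in p for p in parts):            # canonical, already typed
        rdns = [p.split("=", 1) for p in parts]
    else:                                        # abbreviated: cn, ou..., o
        rdns = zip(["cn"] + ["ou"] * (len(parts) - 2) + ["o"], parts)
    return ",".join("%s=%s" % (t.strip().lower(), _escape_rdn_value(v.strip()))
                    for t, v in rdns)


def _ldif_line(attr, value):
    # RFC 2849: base64-encode values that are not "safe" (non-ASCII, control
    # characters, or a leading space/colon/'<'). Line folding is not done here.
    raw = value.encode("utf-8")
    safe = (all(b < 128 and b not in (0, 10, 13) for b in raw)
            and value[:1] not in (" ", ":", "<"))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(raw).decode("ascii"))


def ldif_add_notes_name(entry_dn, attribute, notes_name):
    """LDIF changetype:modify record adding the Notes DN to `attribute`."""
    value = notes_to_ldap_dn(notes_name)
    return "\n".join(["dn: " + entry_dn, "changetype: modify",
                      "add: " + attribute, _ldif_line(attribute, value), "-", ""])


if __name__ == "__main__":
    # Constructed sample entry, using the DN and attribute from this page's example.
    print(ldif_add_notes_name("uid=675894,ou=boston,o=airius",
                              "notesname", "Jack Johnson/Boston/Renovations"))
```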

Results

Note: If you enable this feature and some user entries in the LDAP directory do not have a value for the Notes® distinguished name attribute, then the users must specify their LDAP distinguished names to authenticate, and Domino® database ACLs and other access control lists must use the LDAP distinguished names.

Example of using Notes® distinguished names in a remote LDAP directory

About this task

Renovations corporation uses the LDAP distinguished name uid=675894,ou=boston,o=airius.com for a particular user in a remote LDAP directory. For the same user Renovations uses the name Jack Johnson/Boston/Renovations in Notes® database ACLs and in groups used in database ACLs. The Domino® server uses directory assistance to look up user credentials for client authentication in the remote LDAP directory.

A Renovations administrator does the following to configure the use of the Notes® distinguished name for client authentication and for database access control:

Procedure

  1. In the remote LDAP directory, the administrator adds an attribute called notesname to the user entry for uid=675894,ou=boston,o=airius, and gives the attribute the value cn=Jack Johnson,ou=Boston,o=Renovations.
  2. On the LDAP tab of the Directory Assistance document for the LDAP directory, the administrator adds the attribute notesname to the field Attribute to be used as Notes distinguished name.
  3. On the Naming contexts (rules) tab of the Directory Assistance document, the administrator specifies an all-asterisk trusted rule.

Results

The user can then use any of the following names as the client logon name for authentication:

  • cn=Jack Johnson/ou=Boston/o=Renovations
  • cn=Jack Johnson,ou=Boston,o=Renovations
  • Jack Johnson/Boston/Renovations
  • uid=675894,ou=boston,o=airius
  • 675894

The Notes® name Jack Johnson/Boston/Renovations is used in database ACLs and groups.