Lotus Domino Administrator 8 Help - Using Notes distinguished names in a remote LDAP directory

DIRECTORY SERVICES

Using Notes distinguished names in a remote LDAP directory
You can set up directory assistance for a remote LDAP directory so that an IBM® Lotus® Domino™ server:

Uses an IBM® Lotus® Notes® distinguished name rather than an LDAP distinguished name for Internet client authentication
Accepts the Notes distinguished name in database ACLs, and in groups used in database ACLs, for database access authorization.

This feature allows organizations that migrate users from a Domino Directory to a remote LDAP directory to continue to use the original Notes distinguished names for users. This feature is also useful as a way to hide complex LDAP distinguished names from users.

To set up this feature, you add an attribute for storing Notes name values to the user entries in the LDAP directory, and then add the Notes distinguished names as values for the attributes. Then you specify the attribute you use for the Notes names in a Directory Assistance document for the LDAP directory.

Once you have set up this feature, clients can authenticate using either their Notes distinguished names or their original LDAP distinguished names. Database ACLs, Server document access control fields, access control groups, and Web server File Protection documents can use only the Notes distinguished names.

To set up the use of Notes distinguished names:

1. To add the Notes distinguished names to the LDAP directory, In the remote LDAP directory, choose an attribute for storing the values of the Notes names in the LDAP directory user entries. The syntax for the attribute must be DN. You can create a new attribute, or use an existing one already defined in the schema.

2. Add Notes names as values for the selected attribute to the remote LDAP directory user entries.

Domino doesn't provide a tool to add the names -- use a tool that is available to you.
Use the LDAP format for the Notes name value. For example, use cn=John Doe,o=Acme and not John Doe/Acme or cn=John Doe/o=Acme.
You can use any distinguished name value, although a distinguished name with multiple parts is recommended because it provides better security.

3. Set up directory assistance to use the Notes distinguished names:

If you haven't created a Directory Assistance document for the LDAP directory, create one.
On the LDAP tab of the Directory Assistance document, in the "Attribute to be used as Notes distinguished name" field, add the name of the attribute used in the LDAP directory to store the Notes names.
On the "Naming contexts (rules) tab" of the Directory Assistance document, make sure there are rules that are "Trusted for Credentials" that match the Notes distinguished names and the LDAP distinguished names. If you do not use an all-asterisk trusted rule and the Notes and LDAP names use different name hierarchies, configure a trusted rule to represent each hierarchy.
Save the Directory Assistance document.

4. Add the Notes distinguished names as necessary to database ACLs, Server document access control fields, access control groups, and Web server File Protection documents. Use the Notes format for the name, for example John Doe/Acme or cn=John Doe/o=Acme and not the LDAP format cn=John Doe, o=Acme.

Note If you enable this feature and some user entries in the LDAP directory do not have a value for the Notes distinguished name attribute, then the users must specify their LDAP distinguished names to authenticate, and Domino database ACLs and other access control lists must use the LDAP distinguished names.

Example of using Notes distinguished names in a remote LDAP directory

Acme corporation uses the LDAP distinguished name uid=675894,ou=boston,o=airius.com for a particular user in a remote LDAP directory. For the same user Acme uses the name Jack Johnson/Boston/Acme in Notes database ACLs and in groups used in database ACLs. The Domino server uses directory assistance to look up user credentials for client authentication in the remote LDAP directory.

An Acme administrator does the following to configure the use of the Notes distinguished name for client authentication and for database access control:

1. In the remote LDAP directory, the administrator adds an attribute called notesname to the user entry for uid=675894,ou=boston,o=airius, and gives the attribute the value cn=Jack Johnson,ou=Boston,o=Acme.

2. On the LDAP tab of the Directory Assistance document for the LDAP directory, the administrator adds the attribute notesname to the field "Attribute to be used as Notes distinguished name."

3. On the "Naming contexts (rules)" tab of the Directory Assistance document, the administrator specifies an all-asterisk trusted rule.

The user can then use any of the following names as the client logon name for authentication:

cn=Jack Johnson/ou=Boston/o=Acme
cn=Jack Johnson,ou=Boston,o=Acme
Jack Johnson/Boston/Acme
uid=675894,ou=boston,o=airius
675894

The Notes name Jack Johnson/Boston/Acme is used in database ACLs and groups.

Setting up directory assistance

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary