~Ned Frowepuletsi 2.Oct.03 01:45 PM a Web browser Domino Server All Releases Windows 2000
We're using Active Directory for web authentication and don't have web users' names in the NAB. Internet Authentication (server configuration security tab) is set to 'fewer names, higher security'.
We have found that the predefined AD search filter doesn't allow everyone to log in, though that may have been because of a clash with a NAB entry when Internet authentication was set to 'more names, lower security'.
A custom filter like
(|(cn=%*))
as suggested in the admin help file is accepted and seemed to reduce clashes but prevents someone with a login like 'physj' from authenticating if AD has other logins beginning with the same letters, 'physjb' for example.
I just wondered if anyone has any useful stories or sources of info about how you've made this work. For example -
- how do people cope with / prevent clashes between AD & the NAB or don't you get any?
- does anyone know the form of the predefined AD filter?
- what do the %l %z %a and so on mean in LDAP search filters?
- do you amend your database designs to cope with LDAP distinguishedNames from Active Directory? (see formula below)
We'd put Notes users' Windows logins as aliases in their Person document user name field (as a hangover from when we used to use R5 with IIS) but it looks like that's a bad idea if you use an external LDAP. That's because Domino always looks in the NAB first & uses the NAB Internet password setting with the login - in many cases the Internet pswd is different to the pswd in LDAP - so the authentication fails.
This formula gives the user's real name from an LDAP authenticated login - the list processing is to cope with the list of names you can get from looking up a name like 'michael' - many of our Windows logins are like this.