This forum is closed to new posts and responses. Individual names altered for privacy purposes.
HCL Notes/Domino 8.5 Forum (includes Notes Traveler)

We have fixed it and it works perfectly!

We have solved this and our solution may help others. Here's how we tackled it.

We have an Active Directory with subsidiary OUs (Organisational Units), very, very many of them.

We wanted to authenticate against a user whose ID was held in an Active Directory Group in this part of the LDAP tree (we used Softerra LDAP Browser to enumerate the tree):
CN=MCS-Users,OU=Groups,OU=MCT,DC=open,DC=ac,DC=uk

For the Notes Database ACL, therefore, we re-expressed this as:

cn=mcs-users/ou=groups/ou=mct/dc=open/dc=ac/dc=uk

and created a 'Person Group' entry on the Notes DB.

The trick to making this resolve lies in the Directory Assistance settings document, of course. We had to include these 2 Directory Assistance settings documents to ensure that everything works properly both for individuals and for groups. The key lies in the very complex expressions for enumerating the lookup in the 'Authentication Filter' and 'Authorization Filter' sections of the first item:

ITEM 1

Basics

Domain type: LDAP
Domain name: nnnnnnn
Company name: nn nnnnn nnnnnnnnn
Search order: 2
Make this domain available to: Notes Clients & Internet Authentication/Authorization; LDAP Clients
Group authorization: Yes
Use exclusively for group authorization or credential authentication: Yes
Nested group expansion: Yes
Enabled: Yes

SSO Configuration

Attribute to be used as name in an SSO token (map to Notes LTPA_UsrNm):
Windows single sign-on for Web clients

Tab 2

- Use the first rule to configure the Base for this LDAP server

         OrgUnit4  OrgUnit3  OrgUnit2  OrgUnit1  Organization  Country  Enabled  Trusted for Credentials
N.C. 1:  *         *         *         *         *             *        Yes      Yes
N.C. 2:                                                                 No       No
N.C. 3:                                                                 No       No
N.C. 4:                                                                 No       No
N.C. 5:                                                                 No       No

Configure Directory Assistance access to a remote LDAP server.

LDAP Configuration

Hostname: server.domain.uk
LDAP vendor: Active Directory

Optional authentication credential for search:
Username: CN=username,OU=Users,OU=mct,DC=open,DC=ac,DC=uk
Password: **********

Base DN for search: dc=open,dc=ac,dc=uk

Connection Configuration

Channel encryption: None
Port: 389

Advanced Options

Timeout: 60 seconds
Maximum number of entries returned: 100
Dereference alias on search: Always
Preferred mail format: Internet Mail Address
Type of search filter to use: Custom

Customized Filters

Mail filter:
Authentication filter: (|(sAMAccountName=%*)(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))
Authorization filter: (|(&(objectclass=group)(Member=%*))(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))(&(objectclass=groupOfNames)(Member=%*)))

Comments:

----------------
ITEM 2

Basics

Domain type: LDAP
Domain name: OULDAP
Company name: nnnnnnnnnn
Search order: 3
Make this domain available to: Notes Clients & Internet Authentication/Authorization
Group authorization: No
Use exclusively for group authorization or credential authentication: Yes
Enabled: Yes

SSO Configuration

Attribute to be used as name in an SSO token (map to Notes LTPA_UsrNm):
Windows single sign-on for Web clients

- Use the first rule to configure the Base for this LDAP server

         OrgUnit4  OrgUnit3  OrgUnit2  OrgUnit1  Organization  Country  Enabled  Trusted for Credentials
N.C. 1:  *         *         *         *         *             *        Yes      Yes
N.C. 2:                                                                 No       No
N.C. 3:                                                                 No       No
N.C. 4:                                                                 No       No
N.C. 5:                                                                 No       No

Configure Directory Assistance access to a remote LDAP server.

LDAP Configuration

Hostname: server.domain
LDAP vendor: Domino LDAP

Optional authentication credential for search:
Username: CN=username,OU=Users,OU=mct,DC=open,DC=ac,DC=uk
Password: *******

Base DN for search: dc=open,dc=ac,dc=uk

Connection Configuration

Channel encryption: None
Port: 389

Advanced Options

Timeout: 20 seconds
Maximum number of entries returned: 100
Dereference alias on search: Always
Preferred mail format: Internet Mail Address
Type of search filter to use: Domino LDAP

Comments:



Feedback response number WEBB8ATMFB created by ~Tony Reponezenlen on 11/02/2010
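Worked example, added here by the editor; it is not part of the forum post above and not Domino's own code. The script does in code the two things the post describes: ad_dn_to_notes_name rewrites an AD distinguished name into the slash-separated, lower-case form the post uses for its Notes ACL entry (and also handles an RDN value with an escaped comma, which the post's own group name does not need), and expand_da_filter fills in the post's own Authentication and Authorization filter templates. The placeholder semantics are an assumption taken from the Domino Directory Assistance documentation: %* stands for the whole name entered (the user's DN when the authorization filter runs), %a for its first word and %z for its last. Every substituted value is escaped per RFC 4515 before it is placed in the filter, and filter_is_intact confirms the expanded filter has exactly the parentheses of its template, which is the check a tester would run with a login name such as *)(sAMAccountName=*. Function names and sample names are mine. Separately, note that both documents above bind over port 389 with channel encryption set to None, so the search credential and each authenticating user's password cross the network in clear text; nothing in this example changes that.

```python
import re

# Filter templates exactly as quoted in the post's first DA document.
AUTH_FILTER = "(|(sAMAccountName=%*)(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))"
AUTHZ_FILTER = ("(|(&(objectclass=group)(Member=%*))"
                "(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))"
                "(&(objectclass=groupOfNames)(Member=%*)))")


def ad_dn_to_notes_name(dn: str) -> str:
    """Rewrite an LDAP DN in the slash-separated, lower-case form the post
    uses for its Notes ACL entry. Splits only on unescaped commas so an RDN
    value such as 'Smith\\, John' is kept as one component."""
    rdns = re.split(r"(?<!\\),", dn)
    return "/".join(r.strip().replace("\\,", ",").lower() for r in rdns)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value about to be embedded in a search filter:
    the characters that could change the filter's structure become
    backslash-hex sequences."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def expand_da_filter(template: str, name: str) -> str:
    """Substitute the DA placeholders in one pass. Assumed semantics (from
    the Domino DA documentation): %* is the whole name, %a its first word,
    %z its last word. Each value is escaped before insertion."""
    words = name.split()
    first = words[0] if words else ""
    last = words[-1] if words else ""
    table = {"%*": name, "%a": first, "%z": last}
    return re.sub(r"%[*az]", lambda m: ldap_escape(table[m.group(0)]), template)


def filter_is_intact(template: str, expanded: str) -> bool:
    """Structural check: an expanded filter must carry exactly the
    parentheses of its template; a value that adds any has broken out of
    the attribute it was meant to match."""
    return (expanded.count("(") == template.count("(")
            and expanded.count(")") == template.count(")"))


if __name__ == "__main__":
    # Constructed sample inputs; the group DN is the one from the post.
    print(ad_dn_to_notes_name("CN=MCS-Users,OU=Groups,OU=MCT,DC=open,DC=ac,DC=uk"))
    print(expand_da_filter(AUTH_FILTER, "John Smith"))
    print(expand_da_filter(AUTHZ_FILTER, "CN=J Smith,OU=Users,OU=mct,DC=open,DC=ac,DC=uk"))
    hostile = expand_da_filter(AUTH_FILTER, "*)(sAMAccountName=*")
    print(hostile, filter_is_intact(AUTH_FILTER, hostile))
```

Running it prints the post's ACL name, the two expanded filters, and the escaped form of the hostile login name, which matches nothing and leaves the filter structure unchanged.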

Directory Assistance and Active Dir... (~Tony Reponezen... 31.Oct.10)
. . We have fixed it and it works perfe... (~Tony Reponezen... 2.Nov.10)
. . AD LDAP Syntax (~Tony Reponezen... 31.Oct.10)
