LDAP, Domino and Windows: Making it work


Christine Polewarczyk, Editor
08.11.2004


In this Q&A, Michael Lazar, SearchDomino.com's resident expert for our Domino Administration Ask the Experts category, answers a handful of member questions about using LDAP in a mixed Domino and Windows environment.


SearchDomino.com member: We are trying to link two mail servers together (Domino 6.5 and Microsoft Exchange 2000) to share addresses (LDAP) without having to use Exchange connectors to share addresses. Is this possible?

Lazar: You certainly can use LDAP to allow addressing between your Domino and Exchange systems. You simply need to configure your Domino server to be an LDAP server via Directory Assistance, and you need to make sure your Active Directory (AD) server is acting as an LDAP server.

You will have to tweak the Outlook clients to be able to see the Domino LDAP server. And, if your Notes clients are local users, you will have to change the Notes clients to be aware of the AD LDAP server. Outside of these minor concerns, it should be simple to do.

SearchDomino.com member: I would like to have single sign-on using an LDAP directory in an environment that includes Windows NT and Domino. Is it possible for users to log onto NT using LDAP authentication and for their passwords to be synchronized with Notes? Would the clients need to keep their Notes ID files, or would it be possible to include the hierarchical name and certificate in the LDAP directory for authentication with the Domino server?

Lazar: You could only do this with HTTP-based applications using a Domino/IIS engine. To synchronize NT/2000 and Domino passwords, as well as allow for single sign-on, all work must be done from the Notes client and ID file. You cannot use a Notes client without a valid Notes ID file. Also, if you change your passwords, it must be done in Notes. Notes will synchronize the NT password, but NT will not synchronize with Notes. This is a limitation/choice of Microsoft for Windows NT/2000.

SearchDomino.com member: How do I set up Directory Assistance to use Active Directory as the third-party LDAP directory? My users need the ability to authenticate on Web Domino sites using their logon credentials from Active Directory. When I try to set up Directory Assistance, it appears to be accessing AD, but I can't log anyone onto the Domino Web pages.

Lazar: Unfortunately, Active Directory does not allow passwords to be passed for credential usage outside its infrastructure. The only way you can do this is via the AD Sync tool, installed with the Domino admin client. It must reside on a machine that has the AD MMC snap-in. From this interface, you can synchronize the AD and Domino directories (both ways) for your needs. I advise you to get the AD entries into a secondary directory that's used only by Directory Assistance for credentials.

SearchDomino.com member: We want to use the same login name for Web apps hosted on our Domino domain and AD domain. We would also like to use AD groups in our ACLs, not Fully Distinguished names. We have a fairly distributed AD OU structure.

Lazar: This can be very tricky. For authentication of your Web apps, you can try two things. First would be running IIS as your HTTP stack on top of Domino. This is a very complicated setup, which requires an experienced administrator to install and configure properly. Your second option is to try Directory Assistance with your AD as a trusted LDAP directory. I haven't tried option two for ACL lists. I don't know if it will work.
