Manage Learn to apply best practices and optimize your operations.

LDAP, Domino and Windows: Making it work

In this Q&A, Michael Lazar,'s resident Domino administration expert, answers questions about using LDAP in a mixed Domino and Windows environment.

In this Q&A, Michael Lazar,'s resident expert for our Domino Administration Ask the Experts category, answers a handful of member questions about using LDAP in a mixed Domino and Windows environment. member: We are trying to link two mail servers together (Domino 6.5 and Microsoft Exchange 2000) to share addresses (LDAP) without having to use Exchange connectors to share addresses. Is this possible?

Lazar: You certainly can use LDAP to allow addressing between your Domino and Exchange systems. You simply need to configure your Domino server to be an LDAP server via Directory Assistance, and you need to make sure your Active Directory (AD) server is acting as an LDAP server.

You will have to tweak the Outlook clients to be able to see the Domino LDAP server. And, if your Notes clients are local users, you will have to change the Notes clients to be aware of the AD LDAP server. Outside of these minor concerns, it should be simple to do. member: I would like to have single sign-on using an LDAP directory in an environment that includes Windows NT and Domino. Is it possible for users to log onto NT using LDAP authentication and for their passwords to be synchronized with Notes? Would the clients need to keep their Notes ID files, or would it be possible to include the hierarchical name and certificate in the LDAP directory for authentication with the Domino server?

Lazar: You could only do this with HTTP-based applications using a Domino/IIS engine. To synchronize NT/2000 and Domino passwords, as well as allow for single-sign on, all work must be done from the Notes client and ID file. You cannot use a Notes client without a valid Notes ID file. Also, if you change your passwords, it must be done in Notes. Notes will synchronize the NT password, but NT will not synchronize with Notes. This is a limitation/choice of Microsoft for Windows NT/2000. member: How do I set up Directory Assistance to use Active Directory as the third-party LDAP directory? My users need the ability to authenticate on Web Domino sites using their logon credentials from Active Directory. When I try to set up Directory Assistance, it appears to be accessing AD, but I can't log anyone onto the Domino Web pages.

Lazar: Unfortunately, Active Directory does not allow passwords to be passed for credential usage outside its infrastructure. The only way you can do this is via the AD Sync tool, installed with the Domino admin client. It must reside on a machine that has the AD MMC snap-in. From this interface, you can synchronize the AD and Domino directories (both ways) for your needs. I advise you to get the AD entries into a secondary directory that's used only by Directory Assistance for credentials. member: We want to use the same login name for Web apps hosted on our Domino domain and AD domain. We would also like to use AD groups in our ACLs, not Fully Distinguished names. We have a fairly distributed AD OU structure.

Lazar: This can be very tricky. For authentication of your Web apps, you can try two things. First would be running IIS as your HTTP stack on top of Domino. This is a very complicated setup, which requires an experienced administrator to install and configure properly. Your second option is to try Directory Assistance with your AD as a trusted LDAP directory. I haven't tried option two for ACL lists. I don't know if it will work.

>>Want to ask Mike a question? Click here.

Dig Deeper on Lotus Notes Domino and LDAP



  • Favorite iSeries cheat sheets

    Here you'll find a collection of valuable cheat sheets gathered from across the iSeries/ community. These cheat ...

  • HTML cheat sheet

    This is a really cool cheat sheet if you're looking to learn more about HTML. You'll find just about everything you every wanted ...

  • Carol Woodbury: Security

    Carol Woodbury