Directory Assistance and Active Directory Groups

We have a Directory Assistance document that points to our Microsoft Active Directory. When we add individual Active Directory usernames to a Notes database ACL, the web-based authentication works perfectly and users can access the Notes database over the web successfully.

However, we have never been able to add an Active Directory Group name to a Notes database ACL and make it work for the members of that group. As we want to extend the accessibility of some of our apps using AD Groups, this is becoming very frustrating.

We cannot work out why the expansion/enumeration of individual names from an AD group should not work.

(BTW for internal security policy reasons we can’t use the alternative ADSync technique.)

Any suggestions?

David Clover

IT Development Manager

MCT Faculty

The Open University

d.a.clover@open.ac.uk

Subject: AD LDAP Syntax

As a rider to the previous posting, a sample name we are looking to authenticate for a Domino ACL resides in this part of the LDAP tree (as seen using Softerra LDAP Browser 2.6):

CN=MCS-Users,OU=Groups,OU=MCT,DC=open,DC=ac,DC=uk

We have tried everything in the Notes ACL even including that exact string, but still no joy.

All advice appreciated.

David Clover

Subject: We have fixed it and it works perfectly!

We have solved this and our solution may help others. Here’s how we tackled it.

We have an Active Directory with subsidiary OU - Organisational Units - very very many of them.

We wanted to authenticate against a user whose ID was held in an Active Directory Group in this part of the LDAP tree (we used Softerra LDAP Browser to enumerate the tree):

CN=MCS-Users,OU=Groups,OU=MCT,DC=open,DC=ac,DC=uk

For the Notes Database ACL therefore we re-expressed this as:

cn=mcs-users/ou=groups/ou=mct/dc=open/dc=ac/dc=uk

and created a ‘Person Group’ entry on the Notes DB.

The trick to making this resolve lies in the Directory Assistance settings document of course. We had to include these 2 Directory Assistance settings documents to ensure that everything works properly both for individuals and for groups. The key lies in the very complex expressions for enumerating the lookup in the ‘Authentication Filter’ and ‘Authorization Filter’ sections of the first item:

ITEM 1

Basics

Domain type: LDAP

Domain name: nnnnnnn

Company name: nn nnnnn nnnnnnnnn

Search order: 2

Make this domain available to: Notes Clients & Internet Authentication/ Authorization; LDAP Clients

Group authorization: Yes

Use exclusively for group authorization or credential authentication: Yes

Nested group expansion: Yes

Enabled: Yes

SSO Configuration

Attribute to be used as name in an SSO token (map to Notes LTPA_UsrNm):

Windows single sign-on for Web clients

Tab 2

  • Use the first rule to configure the Base for this LDAP server

Naming context rules:

         OrgUnit4  OrgUnit3  OrgUnit2  OrgUnit1  Organization  Country  Enabled  Trusted for Credentials
N.C. 1:  *         *         *         *         *             *        Yes      Yes
N.C. 2:                                                                 No       No
N.C. 3:                                                                 No       No
N.C. 4:                                                                 No       No
N.C. 5:                                                                 No       No

Configure Directory Assistance access to a remote LDAP server.

LDAP Configuration

Hostname: server.domain.uk

LDAP vendor: Active Directory

Optional authentication credential for search:

Username: CN=username,OU=Users,OU=mct,DC=open,DC=ac,DC=uk

Password: **********

Base DN for search: dc=open,dc=ac,dc=uk

Connection Configuration

Channel encryption: None

Port: 389

Advanced Options

Timeout: 60 seconds

Maximum number of entries returned: 100

Dereference alias on search: Always

Preferred mail format: Internet Mail Address

Type of search filter to use: Custom

Customized Filters

Mail filter:

Authentication filter: (|(sAMAccountName=%)(cn=%)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))

Authorization filter: (|(&(objectclass=group)(Member=%))(&(objectclass=groupOfUniqueNames)(UniqueMember=%))(&(objectclass=groupOfNames)(Member=%*)))

Comments:


ITEM 2

Basics

Domain type: LDAP

Domain name: OULDAP

Company name: nnnnnnnnnn

Search order: 3

Make this domain available to: Notes Clients & Internet Authentication/ Authorization

Group authorization: No

Use exclusively for group authorization or credential authentication: Yes

Enabled: Yes

SSO Configuration

Attribute to be used as name in an SSO token (map to Notes LTPA_UsrNm):

Windows single sign-on for Web clients

  • Use the first rule to configure the Base for this LDAP server

Naming context rules:

         OrgUnit4  OrgUnit3  OrgUnit2  OrgUnit1  Organization  Country  Enabled  Trusted for Credentials
N.C. 1:  *         *         *         *         *             *        Yes      Yes
N.C. 2:                                                                 No       No
N.C. 3:                                                                 No       No
N.C. 4:                                                                 No       No
N.C. 5:                                                                 No       No

Configure Directory Assistance access to a remote LDAP server.

LDAP Configuration

Hostname: server.domain

LDAP vendor: Domino LDAP

Optional authentication credential for search:

Username: CN=username,OU=Users,OU=mct,DC=open,DC=ac,DC=uk

Password: *******

Base DN for search: dc=open,dc=ac,dc=uk

Connection Configuration

Channel encryption: None

Port: 389

Advanced Options

Timeout: 20 seconds

Maximum number of entries returned: 100

Dereference alias on search: Always

Preferred mail format: Internet Mail Address

Type of search filter to use: Domino LDAP

Comments:
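As an added illustration of what the ITEM 1 custom filters do (this is not code from the posts or from Domino itself), the script below expands the posted Authentication and Authorization filters for a login name and a user DN, and re-expresses a returned AD group DN in the slash-separated, lower-cased form the poster put in the Notes ACL. It assumes the Domino placeholder meanings % = whole name, %a = first word, %z = last word, and escapes substituted values per RFC 4515 so a name typed into the login form cannot change the structure of the filter; the group and ACL strings are the ones from the posts, the lookup result list is constructed.

```python
import re

# Filters copied from the poster's ITEM 1 Directory Assistance document.
AUTHENTICATION_FILTER = ("(|(sAMAccountName=%)(cn=%)"
                         "(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))")
AUTHORIZATION_FILTER = ("(|(&(objectclass=group)(Member=%))"
                        "(&(objectclass=groupOfUniqueNames)(UniqueMember=%))"
                        "(&(objectclass=groupOfNames)(Member=%*)))")


def escape_filter_value(value):
    """RFC 4515 escaping: the substituted name comes from the login form, so
    *, (, ), \\ and NUL are hex-escaped and cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def expand_filter(template, name):
    """Substitute the Domino placeholders (assumed semantics: % = whole name,
    %a = first word, %z = last word) into a custom filter template."""
    words = name.split() or [name]
    values = {"%": name, "%a": words[0], "%z": words[-1]}
    # "%[az]?" matches %a and %z before a bare %, so the trailing "%*" in the
    # authorization filter keeps its literal wildcard.
    return re.sub(r"%[az]?", lambda m: escape_filter_value(values[m.group(0)]), template)


def dn_to_acl_name(dn):
    """Re-express an AD group DN the way the poster did for the Notes ACL:
    comma-separated RDNs become slash-separated and lower-cased.
    (Simplification: escaped commas inside an RDN are not handled.)"""
    return "/".join(rdn.strip() for rdn in dn.split(",")).lower()


def authorized_groups(member_group_dns, acl_entries):
    """Keep the group DNs returned by the authorization search whose ACL form
    matches a Person Group entry (case-insensitive, as Notes compares names)."""
    acl = {entry.lower() for entry in acl_entries}
    return [dn for dn in member_group_dns if dn_to_acl_name(dn) in acl]


if __name__ == "__main__":
    print(expand_filter(AUTHENTICATION_FILTER, "David Clover"))
    user_dn = "CN=username,OU=Users,OU=mct,DC=open,DC=ac,DC=uk"  # from the posted config
    print(expand_filter(AUTHORIZATION_FILTER, user_dn))
    found = ["CN=MCS-Users,OU=Groups,OU=MCT,DC=open,DC=ac,DC=uk"]  # constructed lookup result
    print(authorized_groups(found, ["cn=mcs-users/ou=groups/ou=mct/dc=open/dc=ac/dc=uk"]))
```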