IIS and Domino Authentication Question

I’ve set up Domino to use IIS as the HTTP Stack and authentication. My question is regarding whether or not we can use LDAP (Active Directory) for authentication and totally bypass the Domino Directory. We need to authenticate with a Notes database and potentially resolve with readers fields at the document level. I’ve read in Jake Howlett’s article that you must have a person doc in the Directory. Has anyone been able to bypass this with LDAP? Or should I just pursue the Adsync tool instead?

Subject: IIS and Domino Authentication Question

If you use Directory Assistance to authenticate a user against Active Directory, then you can specify what field AD returns to Domino as the user’s authenticated Notes name. Notes builds a session for the user using that name, therefore that name has to match what’s in the Readers field. If the Readers field has “CN=Audie Franks/O=DRC” then you need to have that exact form of the name in an AD field. You can extend AD’s schema, or just use some existing field that isn’t needed for other AD purposes. There is a place in the DA doc to specify which LDAP field this is.

Subject: RE: IIS and Domino Authentication Question

Thanks Bob! I’ll give this a try.

Subject: RE: IIS and Domino Authentication Question

Will this work for groups in Active Directory as well? In other words, if a group called AllDRC existed in LDAP, could I use that for my ACL in the Notes database, or the readers field too?

Subject: RE: IIS and Domino Authentication Question

You can turn on “Group Authorization” in the DA doc for a maximum of one LDAP directory. Then the names in the group doc must be exactly the same form as the names Domino uses to build the users’ sessions.