We are working to integrate Domino LDAP as the authentication mechanism for the Cognos BI server. We run into problems with Domino groups. Having set the LDAP Base Distinguished Name to O=TipTop, groups do not show up as part of the LDAP tree since there is no O associated with group names. Cognos does not accept a blank base dn. We can move groups into the TipTop tree by adding /TipTop to the group name. This stores as CN=Region1/O=TipTop, but Notes complains about slashes not being recommended in group names.
Question: Will adding an O to a group name break any of the normal group functionality in Notes / Domino, e.g. ACL, Reader & Author fields, Roles, mail routing, hide-when formulas, etc.?
Subject: base DN and domino groups
I’ve run into similar problems in the past where my LDAP client wouldn’t allow a blank base DN, but found this workaround much easier than attempting to add Bases to my existing groups.
Set the following in the notes.ini before the next LDAP restart:
LdapPre55Outlook=1
Then we can use C=us as a base on the LDAP client.
When Domino sees this, it’ll send us to the root, where we will be able to search your (flat) Domino groups.
Title: Domino LDAP server returns ‘Invalid DN Syntax’ message for previously working searches
Doc #: 1256436
URL: http://www.ibm.com/support/docview.wss?rs=899&uid=swg21256436
Subject: Doesn’t really get me any closer
I’ve implemented the suggested settings. Here are the results.
- I can authenticate in Cognos as an LDAP user - good so far.
- The LDAP hierarchy browser in Cognos is empty - I assume that this is because there are no nodes under c=US.
- I can search and see all users and groups in the search results, but cannot access the groups - returns a message that I am not authorized.
As far as I can tell, this brings me back to the original approach of adding O= hierarchy to the group names. I’ve noticed that the group name is a multivalue field, so including the hierarchical and flat group names should take care of any downstream issues with Security.
Thanks!
Ravi Har
Subject: That gets me closer
Thanks for the tip. Making the suggested changes gets me into the directory and allows me to search and find all users and groups. The problem is that my directory tree is blank in the LDAP browser. I’ll have to fiddle with it some more tomorrow.