A customer is currently using an iPlanet Messaging Server but might be migrating to Domino. The iPlanet server has some functionality that the Domino server doesn’t seem to have. The customer maintains all person and group information in an LDAP directory. I have set up directory assistance on the Domino server to use the LDAP server for mail-routing. This works OK for persons, but not for (all) groups. The iPlanet server has the possibility of using dynamic groups. These are special LDAP objects (iNetMailGroup) and attributes that can, for instance, contain an LDAP URL.
For example:
mgrpDeliverTo: ldap:/// ou=Accounting,o=iPlanet,c=US??sub?(& (objectClass=inetMailUser)(objectClass=inetOrgPerson))
The Domino server however doesn’t know these objects and attributes.
Questions:
If I add all objects and attributes needed to the Domino LDAP Schema database, would this functionality then also work on a Domino server?
If not: does anyone know how to enable this functionality on the Domino server?
Subject: Question on iPlanet LDAP functionality. Is this possible on a Domino server?
To answer your questions very quickly, you are right in that Domino will not support the GroupOfURL’s object class that iPlanet supports. The reason for this is that this object is not an LDAP standard object and to my knowledge is only supported by the Sun One Directory server (saying that it is a good idea and should be supported by more LDAP servers).
However, you may be able to use the functionality by using Directory Assistance and choosing the group expansion option to “yes”. This may not work for mailing because the Domino Server may not be able to resolve the values in the group, but I would suspect that it would work for security.
Your last question, can you duplicate this functionality in Domino, the quick answer is no, you can’t.
I hope that this helps you - please post again if you have any more questions.
Subject: Question on iPlanet LDAP functionality. Is this possible on a Domino server?
In order for Sun ONE dynamic groups to work properly, Sun requires the LDAP client (e.g., Domino DA) recognize the groupOfURLs/memberURL object/attribute and make a subsequent query using the criteria represented by memberURL to determine the members. Domino DA is only currently engineered to recognize static groups represented by groupOfNames/member and groupOfUniqueNames/uniqueMember objects/attributes.
So unfortunately, you are currently out of luck with out-of-the-box solutions. If you wouldn’t mind, could you put this request in through formal channels (include your original posting, which clearly states the reasoning). Thanks!
You could however, if you have some LDAP programmers, write an app that periodically makes the memberURL queries and writes the results into the Domino directory’s corresponding Group document’s (static) Members field (possibly as an LDAP app). You wouldn’t have true dynamic groups, but maybe it would be good enough. Note that with this approach, the app overwrites any changes to the Members field made elsewhere.
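The first step of the periodic sync suggested above is evaluating the group's LDAP URL. The following is an added example, not part of the thread and not Domino or Sun code: it parses the URL into base, scope and filter and evaluates it against a constructed in-memory directory. The names `norm_dn`, `parse_ldap_url`, `matches` and `expand` and the sample entries are illustrative assumptions; a real job would send the parsed base, scope and filter to the LDAP server instead.

```python
from urllib.parse import unquote

def norm_dn(dn):
    """Crude DN normalisation: lower-case, no spaces around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldap_url(url):
    """Split an LDAP URL (RFC 4516) into (base_dn, scope, filter)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: %r" % url)
    rest = url[7:].partition("/")[2]          # drop the optional host:port
    base, _attrs, scope, filt = (rest.split("?", 4) + [""] * 4)[:4]
    if scope not in ("", "base", "one", "sub"):
        raise ValueError("bad scope: %r" % scope)
    return norm_dn(unquote(base)), scope or "base", unquote(filt) or "(objectClass=*)"

def matches(f, entry, i=0):
    """Evaluate a filter limited to &, |, !, equality, presence -> (bool, next index)."""
    op = f[i + 1]
    if op in "&|!":
        i, results = i + 2, []
        while f[i] != ")":
            r, i = matches(f, entry, i)
            results.append(r)
        return {"&": all(results), "|": any(results), "!": not all(results)}[op], i + 1
    end = f.index(")", i)
    attr, _, want = f[i + 1:end].partition("=")
    have = [v.lower() for v in entry.get(attr.lower(), [])]
    return (bool(have) if want == "*" else want.lower() in have), end + 1

def expand(url, directory):
    """Return the sorted DNs that a dynamic-group URL selects from `directory`."""
    base, scope, filt = parse_ldap_url(url)
    members = []
    for dn, attrs in directory.items():
        dn = norm_dn(dn)
        in_scope = {"base": dn == base, "one": dn.partition(",")[2] == base,
                    "sub": dn == base or dn.endswith("," + base)}[scope]
        if in_scope and matches(filt, attrs)[0]:
            members.append(dn)
    return sorted(members)

# Constructed sample data; URL is the page's example with the stray spaces removed.
URL = ("ldap:///ou=Accounting,o=iPlanet,c=US??sub?"
       "(&(objectClass=inetMailUser)(objectClass=inetOrgPerson))")
DIRECTORY = {
    "uid=ann,ou=Accounting,o=iPlanet,c=US": {"objectclass": ["inetOrgPerson", "inetMailUser"]},
    "uid=bob,ou=Accounting,o=iPlanet,c=US": {"objectclass": ["inetOrgPerson"]},
    "uid=cat,ou=Sales,o=iPlanet,c=US": {"objectclass": ["inetOrgPerson", "inetMailUser"]},
}
print(expand(URL, DIRECTORY))  # the DNs a sync job would write to the static group
```

If the resulting group is used for access control as well as mail, the static copy is only as fresh as the last run: an account that no longer matches the filter stays a member until the next sync.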
Subject: RE: Question on iPlanet LDAP functionality. Is this possible on a Domino server?
Hey Ken,
thanks for the response. I will post it as a Wish List item through the proper channels.
In the meantime, could we use IBM Directory Integrator to synchronize the dynamic groups to static groups in a Domino Directory?
Subject: RE: Question on iPlanet LDAP functionality. Is this possible on a Domino server?
In the meantime, could we use IBM Directory Integrator to synchronize the dynamic groups to static groups in a Domino Directory?
I don’t know enough details about IDI to know if it has an off-the-shelf dynamic group evaluator which you can slide in, or if you’d have to write that code for its assembly line. Off hand it sounds like a good fit.
Here’s the IDI homepage with a newsgroup in the lower right, if you want to pass your query to the experts there.
http://www-3.ibm.com/software/network/directory/integrator/index.html