Wednesday, 13 August 2014

Sean Cull - SNTT : Using Active Directory to authenticate web users




It took me ages to find this on Sean's old blog, so I'm just saving it here in case. Thanks for the good write-up, Sean.



Sean Cull  10 March 2011 21:24:59

Introduction



This article describes how you can use Active Directory via LDAP and Directory Assistance to authenticate your web users. This is particularly useful in our case, where we have an XPages-based application running on a black-box appliance in a Microsoft shop.
The example uses Windows Server 2008 R2 for AD and Domino 8.5.2 running on Linux. The scheme is simple enough, but I struggled to piece the bits together, so I thought a write-up would be useful.


Useful tools



I found that Apache Directory Studio was really useful. It allows you to explore the Active Directory LDAP feed and get a feel for its structure.



Useful debugging parameters



I found the following two notes.ini parameters very useful because you can see the structure of the names and groups in AD as they are queried by Domino. These settings are for temporary use only: they create overhead and also show users' passwords on the console in plain text (somewhat disconcerting).

Webauth_verbose_trace=1
LDAPDEBUG=1


Setting up an AD test environment



This was very straightforward. I installed a 2008 R2 server as a VM and used the Server Roles Manager wizard to install Active Directory, accepting the defaults and dependencies.
I then created a new user (joe bloggs) and used that account to authenticate to the LDAP feed.

Image:SNTT : Using Active Directory to authenticate web users


Exploring the LDAP Feed with Apache Directory Studio



Use File > New and then choose LDAP Connection.

Image:SNTT : Using Active Directory to authenticate web users

Image:SNTT : Using Active Directory to authenticate web users

Image:SNTT : Using Active Directory to authenticate web users

Press the Check Authentication button and all should be well.

Next you can browse the LDAP tree and see information on the users and groups.

Image:SNTT : Using Active Directory to authenticate web users
The equivalent "Notes name", as used in an ACL, would be:

CN=joe bloggs/CN=Users/DC=ad/DC=focul/DC=net 


Image:SNTT : Using Active Directory to authenticate web users


Configuring Domino to use the Active Directory LDAP



You need to create a Directory Assistance database and then list it in the server document.
The Directory Assistance template is an advanced template called Directory Assistance (da.ntf).

The server document entry looks like this:

Image:SNTT : Using Active Directory to authenticate web users

In the Directory Assistance database, create a record as follows.

Note that Gabriella Davis and Marie Scott, on page 20 of their very useful presentation One Directory To Rule Them All, Yes, suggest encrypting the LDAP configuration document. I'm not sure how to do that just yet.


Image:SNTT : Using Active Directory to authenticate web users

Image:SNTT : Using Active Directory to authenticate web users

Note that the Suggest and Verify buttons are very useful, particularly for the Base DN for search.

Image:SNTT : Using Active Directory to authenticate web users


Testing Authentication



Start with the most basic example you can.
In a test database, set Anonymous access to No Access and Default access to Reader or higher.

Open the URL and attempt to log in, in my case as Joe Bloggs. In the console you will see something similar to this:

Image:SNTT : Using Active Directory to authenticate web users
Your authentication is working. 

You can now test it with a specific name. You can see the shape of the name from the console output.

The AD name CN=joe bloggs,CN=Users,DC=ad,DC=focul,DC=net gets mapped to CN=joe bloggs/CN=Users/DC=ad/DC=focul/DC=net for use in the ACL.
Groups also work, but note that if you put a group into AD as a peer of "Users", the group name construct includes "Builtin", as in CN=testgroup/CN=Builtin/DC=ad/DC=focul/DC=net, so it is better to put the groups within the Users branch.

Image:SNTT : Using Active Directory to authenticate web users

In our case the group name is CN=testgroup4/CN=Users/DC=ad/DC=focul/DC=net.

Image:SNTT : Using Active Directory to authenticate web users
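The name mapping and ACL resolution described above, as an added example that is not part of Sean's original post or of Domino itself. It assumes, from the examples on the page, that Directory Assistance keeps each RDN unchanged and replaces the comma separators with "/"; it also splits correctly on DNs with RFC 4514 escaped commas (which the page does not show), flags a group that sits outside the Users branch, and assumes Domino's rule that an explicit user entry takes precedence over group entries and that name matching is case-insensitive.

```python
import re
from typing import Dict, List, Optional

# Domino ACL access levels in ascending order of privilege.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Split only on commas that are not escaped with a backslash (RFC 4514 allows
# '\,' inside a value), so an RDN such as "CN=Bloggs\, Joe" stays in one piece.
_RDN_SEP = re.compile(r"(?<!\\),")

def ad_to_domino_name(dn: str) -> str:
    """Map an AD DN to the Domino-style name Directory Assistance produces.
    Assumption: RDNs keep their type and value; only the separators change."""
    return "/".join(rdn.strip() for rdn in _RDN_SEP.split(dn))

def parent_container(dn: str) -> str:
    """Return the RDN of the container directly above the entry, e.g. 'CN=Users'."""
    return _RDN_SEP.split(dn)[1].strip()

def group_placement_warning(group_dn: str) -> Optional[str]:
    """Flag a group whose Domino name will not sit under the Users branch,
    so the ACL entry has to carry the other container (e.g. CN=Builtin)."""
    container = parent_container(group_dn)
    if container.lower() != "cn=users":
        return f"group is under {container}; ACL entry must be {ad_to_domino_name(group_dn)}"
    return None

def effective_access(acl: Dict[str, str], user_dn: str, group_dns: List[str]) -> str:
    """Resolve the access an AD user gets from an ACL keyed by Domino-style names.
    Explicit user entry wins; otherwise the highest-ranked matching group entry;
    otherwise the '-Default-' entry. Matching is case-insensitive (assumption)."""
    folded = {name.lower(): level for name, level in acl.items()}
    user = ad_to_domino_name(user_dn).lower()
    if user in folded:
        return folded[user]
    groups = [ad_to_domino_name(dn).lower() for dn in group_dns]
    group_levels = [folded[g] for g in groups if g in folded]
    if group_levels:
        return max(group_levels, key=LEVELS.index)
    return folded.get("-default-", "No Access")

if __name__ == "__main__":
    # Constructed sample ACL using the names from the post.
    acl = {"-Default-": "Reader",
           "CN=testgroup4/CN=Users/DC=ad/DC=focul/DC=net": "Editor"}
    print(effective_access(acl, "CN=joe bloggs,CN=Users,DC=ad,DC=focul,DC=net",
                           ["CN=testgroup4,CN=Users,DC=ad,DC=focul,DC=net"]))
    print(group_placement_warning("CN=testgroup,CN=Builtin,DC=ad,DC=focul,DC=net"))
```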



Further Integration



This OpenNTF Active Directory name picker and search project by Rishi Sahi looks really interesting. He also has some good blog articles on LDAP integration.


Other useful presentations



As mentioned above, I found Gabriella Davis and Marie Scott's presentation very useful: One Directory To Rule Them All, Yes.

I also attended Warren Elsmore's Directory Integration session at ILUG, which was very useful. You can download all of the ILUG slides here => http://www.ilug2010.org/ilug/ilug2010.nsf



A mild rant



In pulling this material together I have come to the conclusion that it is a real shame that IBM has not published the slide decks from Lotusphere 2011.

It would make it a lot easier for developers to make the IBM products more popular if IBM as an organisation was a good citizen of the community in that respect.

I have huge admiration for many individuals within IBM who do their best despite IBM in this regard. I also think it is unfair to expect the community to contribute to the IBM Wikis when they are sitting on hundreds of excellent presentations by the world experts in this area, experts who gave up thousands of hours to prepare those slide decks.

It's hardly what I would describe as a good example of a Social Business.









1. Marie Scott  10.03.2011 23:59:30  Directory Assistance Database
Sean - to encrypt the Directory Assistance Database you would go to Database properties and select Encryption Settings to locally encrypt the database, so that anyone who may be able to physically access a copy of the database would not be able to review the LDAP password credentials. Additionally, you should enable SSL for the connection to Active Directory. But it does mean that you have to have a secure LDAP port open on the AD side.

2. Sean Cull  11.03.2011 0:13:20  Thanks Marie
Thanks Marie, I thought it was encryption of just that document. Encrypting the whole database makes sense.
Thanks for the help, Sean

3. Alberto  12.03.2011 8:22:19  Other scenarios
Two more scenarios I've tested. They are relevant when you share the same users in Domino and AD.
1- Try Tivoli Directory Integrator to synchronize users. There are a couple of good papers about that.
2- Try the WebSphere plug-in for IIS for web single sign-on. Tip: you'll need to duplicate names in Domino to establish the DN equivalence.

4. Sean Cull  12.03.2011 8:29:46  Thanks Alberto
Thanks Alberto - you are correct.
I looked at these but quickly discounted them because in this use case the potential customer needs something very simple as they will have no Domino skills at all. TDI is reported to have a steep learning curve and using IIS is complex to set up.
I was quite pleased to find that the LDAP / DA method above was so straight forward once you understood the nomenclature of the names and groups.



5. Nick Wall  12.09.2013 10:55:41  LDAP
Just done a proof-of-concept integration of AD on one of our test servers; works great. Thanks for the reference to Apache Directory Studio, nice tool. If anyone is following the install instructions here: directory.apache.org/studio/users-guide/ldap_browser/gettingstarted_download_install.html ...and you are as slow on the uptake as me (!)... the bit where you add a new remote site has the URL directory.apache.org/studio/update/1.x, which obviously doesn't exist, so you will get a 404. Go here: { Link }, click the link on one of the versions, e.g. { Link }, and use that as the URL for the remote site.
Thanks again for "rounding up" this LDAP info, saved me a bunch of time.

1 comment:

  1. Hi, thanks for that. It is on my current blog, but without the comments, and not so easy to find in the search for some reason - link
