LDAP Configuration
IAM authenticates users through integration with identity providers (IdPs). Currently IAM supports two kinds of IdP:
- Domino LDAP: IAM can use Domino, accessed through LDAP, as the IdP, which means you can configure IAM to log users in with the user information held in the Domino directory.
- Microsoft Active Directory: IAM can use Active Directory, accessed through LDAP, as the IdP.
IdP Configuration
You configure the IdP in the IAM Admin server with the following settings:
Field | Description | Example |
---|---|---|
URL | The URL of the LDAP server, including the fully qualified DNS name and the port. You can omit the port if the LDAP server uses the default port (389 for ldap, 636 for ldaps). | ldaps://domino.server:636 |
Base DN | The base DN from which to search for the provided user credentials. | o=myorg |
Search Fields | The field(s) to search for the provided user credentials; separate multiple fields with commas. | |
Bind DN | The DN to bind as when performing the ldapsearch. | cn=ldapAdmin,dc=company,dc=com |
Password | The password for the LDAP Bind DN. | |
Test user | Used for LDAP verification. Enter an existing user in the LDAP directory. | testuser@myorg.com |
1. Domino LDAP
1.1 URL
The protocol part should be LDAP or LDAPS (LDAP over SSL). You can check whether SSL is enabled for your LDAP service to choose the correct protocol prefix:
- From the Domino Administrator, click the Configuration tab.
- On the left pane, double-click the server document to open it.
- Click the Ports... tab -> Internet Ports... tab -> Directory tab.
The host name part should be your Domino server's fully qualified internet host name. You can omit the port number if your LDAP or LDAPS service uses the default port number: 389 for LDAP and 636 for LDAPS.
Example: ldaps://domino.server:636
1.2 Base DN
The Base DN field should be filled with the base DN from which to search for the provided user credentials. You can find the Domino LDAP base DN in the Domino Administrator:
- From the Domino Administrator, click the People & Groups tab.
- On the left pane, click Domino Directories, find the Domino server that is your IAM's LDAP server, and click the server's Directory -> People -> by Organization.
- In the right view, select the organization. For example, enter 'O=gyorg' in the Base DN field if you want to search for users in the gyorg organization.
You can also check the base DN with third-party software such as an LDAP browser.
1.3 Search Fields
The Search Fields field should be filled with the attribute(s) to search for the provided user credentials; to search multiple fields, separate them with commas.
You can check the available fields in the Domino Administrator:
- From the Domino Administrator, click the Configuration tab.
- On the left pane, click Directory -> LDAP -> Domino LDAP Schema -> LDAP - Attribute Types.
- In the right view, select the LDAP name(s) to search for the user credentials, for example mail, cn, uid, displayName.
Almost all Notes fields are displayed in the LDAP attribute types view, so we recommend checking the search fields with third-party software such as an LDAP browser.
1.4 Bind DN
The DN to bind as when performing the ldapsearch.
You can use any user whose internet password is enabled to bind to Domino LDAP, in any one of the following name formats:
- a. Short name, e.g. admin
- b. Notes format distinguished name, e.g. cn=admin/o=gyorg
- c. LDAP format distinguished name, e.g. cn=admin,o=gyorg
- d. Hierarchical name, e.g. admin/gyorg
If 'DN Required on Bind' is set to Yes in the LDAP settings view, you must bind with the fully qualified distinguished name, i.e. format [c] above.
1.5 Password
The internet password for the LDAP Bind DN.
1.6 Test User
Test User is used for LDAP verification. Enter an existing user in the LDAP directory and click the 'Verify' button to check whether the user exists in this LDAP directory.
1.6.1 Example 1
This is equivalent to the Domino ldapsearch utility command below (its filter corresponds to the search fields mail and cn and the test user user01). You get a success notification when the first entry is found.
ldapsearch -h test-ldap-server.com -p 636 -b "O=gyorg" \
-D "CN=ldapadmin,O=gyorg" -w "passw0rd" "(|(mail=user01)(cn=user01))"
1.6.2 Example 2
This is equivalent to the Domino ldapsearch utility command below, whose wildcard filter matches any entry that has a mail or cn attribute. You get a success notification when the first entry is found.
ldapsearch -h test-ldap-server.com -p 636 -b "O=gyorg" \
-D "CN=ldapadmin,O=gyorg" -w "passw0rd" "(|(mail=*)(cn=*))"
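The two ldapsearch filters above are what the 'Verify' button sends. As an added example (not IAM's own code), the function below rebuilds that filter from the Search Fields and Test User settings; it assumes Search Fields is a comma-separated list of attribute names and that an empty Test User is treated as a wildcard, and it hex-escapes the test user value per RFC 4515 so that filter metacharacters in the input cannot change the shape of the query.

```python
"""Build the LDAP search filter behind IAM's Test User verification (added example).

Assumptions (not from the IAM documentation): Search Fields is a comma-separated
list of attribute names, and an empty Test User is treated as a wildcard, which
reproduces the two ldapsearch filters shown in Example 1 and Example 2.
"""

# RFC 4515 escaping: these characters must be hex-escaped inside a filter
# assertion value, otherwise an input such as "*)(cn=*" would be parsed as
# filter syntax instead of being matched literally.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_search_fields(search_fields: str) -> list[str]:
    """Split the comma-separated Search Fields setting into attribute names."""
    fields = [f.strip() for f in search_fields.split(",")]
    fields = [f for f in fields if f]
    if not fields:
        raise ValueError("Search Fields must contain at least one attribute name")
    return fields


def build_test_user_filter(search_fields: str, test_user: str) -> str:
    """Return the filter equivalent to the 'Verify' button for the given settings.

    Each configured field is OR-ed together; an empty Test User becomes the
    wildcard filter of Example 2, a non-empty one the exact match of Example 1.
    """
    value = "*" if test_user.strip() == "" else escape_filter_value(test_user.strip())
    terms = [f"({field}={value})" for field in parse_search_fields(search_fields)]
    # A single field needs no OR wrapper; several fields are combined with (|...).
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


if __name__ == "__main__":
    print(build_test_user_filter("mail,cn", "user01"))  # Example 1 filter
    print(build_test_user_filter("mail,cn", ""))        # Example 2 filter
```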
1.7 LDAPS
If LDAPS is enabled for Domino, make sure the server certificate used for LDAPS connections is signed by a well-known CA; otherwise you need to put the CA certificates into IAM's trust store.
Domino stores certificates in a key ring file. You can find the key ring file name in the Server Document (Ports... -> Internet Ports... -> Directory -> SSL Settings). Then you can use the kyrtool tool to check the certificates used by LDAPS connections:
/opt/ibm/domino/bin/tools/startup kyrtool show certs -k <SSL keyfile>
Example:
/opt/ibm/domino/bin/tools/startup kyrtool show certs -k keyring.kyr
This command displays all the certificates in the Domino key ring. Find the root CA certificate in the output and copy it into a PEM file, then copy the PEM file into IAM's trust store (config/certs/ca).
Note: you only need to copy the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, as in the example below.
An example PEM file constructed from kyrtool output:
-----BEGIN CERTIFICATE-----
[content of root CA certificate]
-----END CERTIFICATE-----
...
Please refer to the Installing and Running the Domino keyring tool documentation for the usage of kyrtool.
2. Microsoft Active Directory (AD)
2.1 URL
The host should be the DNS name; you can check it in the 'Active Directory Users and Computers' program.
2.2 Base DN
You can check the base DN using an LDAP browser.
2.3 Search Fields
You can check the search fields using an LDAP browser.
2.4 Bind DN
You can use any user to bind to AD LDAP, in any one of the following name formats:
- a. User logon name, e.g. AD User01
- b. Pre-Windows 2000 user logon name, e.g. prod\user01
- c. Distinguished name, e.g. CN=AD User01,CN=Users,DC=prod,DC=hclpnp,DC=com
- d. User principal name, e.g. user01@prod.hclpnp.com
2.5 Password
The password for the LDAP Bind DN.
2.6 Test User
The same as in the Domino LDAP guide.
2.7 LDAPS
If LDAPS is enabled for Active Directory, contact your AD administrator to check whether the certificate for LDAPS connections is signed by a well-known CA. If not, you need to copy the root CA certificate into a PEM file and copy that file into IAM's trust store (config/certs/ca).
An example PEM file:
-----BEGIN CERTIFICATE-----
[content of root CA certificate]
-----END CERTIFICATE-----
...
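Sections 1.7 and 2.7 both end with hand-copying a certificate block into a PEM file under config/certs/ca. As an added example (not IAM's or Domino's own code), the helper below extracts every BEGIN/END CERTIFICATE block from text such as kyrtool output, strips indentation and stray whitespace, and rejects a block whose base64 body does not decode to a DER certificate before anything is written into the trust store; the sample output embedded at the bottom is constructed and contains placeholder DER sequences, not real certificates.

```python
"""Extract certificates from 'kyrtool show certs' style output into PEM files (added example).

Assumptions (not from the IAM documentation): the output contains one or more
-----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- blocks, possibly indented
or surrounded by other text. SAMPLE_OUTPUT below is constructed for illustration.
"""
import base64
import re
from pathlib import Path

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def extract_certificates(tool_output: str) -> list[str]:
    """Return every certificate in the output as a clean, standalone PEM string.

    Whitespace is stripped from the base64 body, the body is re-wrapped at 64
    columns, and it must decode to a DER SEQUENCE (first byte 0x30), so a
    mis-copied block is rejected instead of silently landing in the trust store.
    """
    certs = []
    for match in _PEM_BLOCK.finditer(tool_output):
        body = "".join(match.group(1).split())
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("block does not decode to a DER certificate")
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return certs


def write_trust_store_files(tool_output: str, trust_dir: str) -> list[Path]:
    """Write each extracted certificate as its own PEM file under trust_dir (e.g. config/certs/ca)."""
    out_dir = Path(trust_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for idx, pem in enumerate(extract_certificates(tool_output)):
        path = out_dir / f"cert{idx}.pem"
        path.write_text(pem)
        paths.append(path)
    return paths


# Constructed sample output: two tiny placeholder DER SEQUENCEs, not real certificates.
SAMPLE_OUTPUT = """
Certificate 0:
    -----BEGIN CERTIFICATE-----
    MAMCAQE=
    -----END CERTIFICATE-----
Certificate 1:
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""
```

kyrtool prints the whole chain, so pick the root CA entry from the returned list before writing it into the trust store.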
References
For Domino LDAP service, please refer to The Domino LDAP Directory