Sean Cull

SNTT : Using Active Directory to authenticate web users 

Sean Cull  10 March 2011 21:24:59

Introduction



This article describes how you can use Active Directory via LDAP and Directory Assistance to authenticate your web users. This is particularly useful in our case where we have an XPages based application running on a black-boxed appliance in an MS shop.
The example uses Windows Server 2008 R2 for AD and Domino 8.5.2 running on Linux. The scheme is simple enough but I struggled to piece the bits together so I thought a write up would be useful.

Useful tools



I found that the Apache Directory Studio was really useful. This allows you to explore the Active Directory LDAP feed and get a feel for its structure.


Useful debugging parameters



I found the following two parameters very useful because you can see the structure of the names and groups in AD as they are queried by Domino. These settings are for temporary use only: they create overhead and also show users' passwords on the console in plain text (somewhat disconcerting), so remove them once you have finished debugging.

Webauth_verbose_trace=1
LDAPDEBUG=1

Setting up an AD test environment



This was very straightforward. I installed a 2008 R2 server as a VM and used the Server Roles Manager wizard to install Active Directory, accepting the defaults and dependencies.
I then created a new user (joe bloggs) and used that account to authenticate the LDAP feed.


Exploring the LDAP Feed with Apache Directory Studio



Use File, New and then choose LDAP Connection.


Press the Check Authentication button and all should be well.

Next you can browse the LDAP tree and see information on the users and groups.

The equivalent "Notes name", as used in an ACL, would be

CN=joe bloggs/CN=Users/DC=ad/DC=focul/DC=net



Configuring Domino to use the Active Directory LDAP



You need to create a Directory Assistance database and then list it in the server record.
The directory assistance template is an advanced template called Directory Assistance (da.ntf).

The server document entry looks like this:

[Screenshot: Directory Assistance entry in the server document]

In the Directory Assistance database create a record as follows.

Note that Gabriella Davis and Marie Scott, on page 20 of their very useful presentation One Directory To Rule Them All, Yes, suggest encrypting the LDAP configuration document - not sure how to do that just yet.


[Screenshots: the LDAP record in the Directory Assistance database]

Note that the Suggest and Verify buttons are very useful, particularly for the Base DN for search.

Testing Authentication



Start with the most basic example you can.
In a test database set Anonymous access to No Access and Default access to Reader or higher.

Open the URL and attempt to log in - in my case as Joe Bloggs. In the console you will see something similar to this:

[Screenshot: console output from the web login]

Your authentication is working.

You can now test it with a specific name. You can see the shape of the name from the console output.

The AD name CN=joe bloggs,CN=Users,DC=ad,DC=focul,DC=net gets mapped to CN=joe bloggs/CN=Users/DC=ad/DC=focul/DC=net for use in the ACL.
Groups also work, but note that if you put a group into AD as a peer of "Users" the group name construct includes "Builtin", as in CN=testgroup/CN=Builtin/DC=ad/DC=focul/DC=net, so it is better to put the groups within the Users branch.


In our case the group name is CN=testgroup4/CN=Users/DC=ad/DC=focul/DC=net.
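As an added example (not code from the original post or from Domino), the name mapping described above, written in JavaScript as an XPages developer might use it: the AD DN is split into its RDNs and re-joined with "/" to give the ACL form, and a second check flags groups that have landed under Builtin rather than Users. The sample DNs are the post's own; the handling of RFC 4514 escaped commas (kept verbatim) is an assumption, since the post does not show how Domino treats them.

```javascript
// Added example: map an Active Directory DN to the slash-separated name
// Domino uses in an ACL, e.g.
//   CN=joe bloggs,CN=Users,DC=ad,DC=focul,DC=net
//   -> CN=joe bloggs/CN=Users/DC=ad/DC=focul/DC=net
// RFC 4514 allows a comma inside a value when escaped as "\,", so the DN is
// split by walking its characters rather than with a naive split(",").

function splitDn(dn) {
  const rdns = [];
  let current = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) { // keep the escape verbatim (assumption)
      current += ch + dn[i + 1];
      i++;
    } else if (ch === ",") {
      rdns.push(current.trim());
      current = "";
    } else {
      current += ch;
    }
  }
  if (current.trim() !== "") rdns.push(current.trim());
  return rdns;
}

// Returns the ACL-style name; throws on anything that is not "attr=value" RDNs.
function adDnToNotesName(dn) {
  const rdns = splitDn(dn);
  if (rdns.length === 0 || rdns.some(r => !/^[A-Za-z][A-Za-z0-9-]*=.+$/.test(r))) {
    throw new Error("malformed DN: " + dn);
  }
  return rdns.join("/");
}

// Groups created as a peer of "Users" come back under CN=Builtin (see the post);
// this flags them so they can be moved into the Users branch before ACL entries are written.
function isUnderUsersBranch(dn) {
  const rdns = splitDn(dn).map(r => r.toLowerCase());
  return rdns.length > 1 && rdns[1] === "cn=users";
}

// Constructed sample values using the post's test domain.
const sampleUser = "CN=joe bloggs,CN=Users,DC=ad,DC=focul,DC=net";
const sampleGroup = "CN=testgroup,CN=Builtin,DC=ad,DC=focul,DC=net";
console.log(adDnToNotesName(sampleUser));   // CN=joe bloggs/CN=Users/DC=ad/DC=focul/DC=net
console.log(isUnderUsersBranch(sampleGroup)); // false
```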


Further Integration



The OpenNTF Active Directory name picker and search project by Rishi Sahi looks really interesting. He also has some good blog articles on LDAP integration.

Other useful presentations



As mentioned above, I found Gabriella Davis and Marie Scott's presentation very useful: One Directory To Rule Them All, Yes.

I also attended Warren Elsmore's Directory Integration session at ILUG which was very useful. You can download all of the ILUG slides here => http://www.ilug2010.org/ilug/ilug2010.nsf.


A mild rant



In pulling this material together I have come to the conclusion that it is a real shame that IBM has not published the slide decks from Lotusphere 2011.

It would make it a lot easier for developers to make the IBM products more popular if IBM as an organisation was a good citizen of the community in that respect.

I have huge admiration for many individuals within  IBM that do their best despite IBM in this regard. I also think it is unfair to expect the community to contribute to the IBM Wikis when they are sitting on hundreds of excellent presentations by the world experts in this area - experts who gave up thousands of hours to prepare those slide decks.

It's hardly what I would describe as a good example of a Social Business.




Tags: Admin Tips, Appliance, Dev Tips, Show-n-Tell Thursday, Active Directory, LDAP, Lotus


1. Marie Scott  10.03.2011 23:59:30  Directory Assistance Database

Sean - to encrypt the Directory Assistance Database you would go to Database properties and select Encryption Settings to locally encrypt the database, so that anyone who may be able to physically access a copy of the database would not be able to review the LDAP password credentials. Additionally, you should enable SSL for the connection to Active Directory. But it does mean that you have to have a secure LDAP port open on the AD side.



2. Sean Cull  11.03.2011 0:13:20  Thanks Marie

Thanks Marie, I thought it was encryption of just that document. Encrypting the whole database makes sense.

Thanks for the help, Sean



3. Alberto  12.03.2011 8:22:19  Other scenarios

Two more scenarios I've tested. They are relevant when you share the same users in Domino and AD.

1- Try Tivoli Directory Integrator to synchronize users. There are a couple of good papers about that.

2- Try the WebSphere plug-in in IIS for Web Single Logon. Tip: you'll need to duplicate names in Domino to establish the DN equivalence.



4. Sean Cull  12.03.2011 8:29:46  Thanks Alberto

Thanks Alberto - you are correct.

I looked at these but quickly discounted them because in this use case the potential customer needs something very simple as they will have no Domino skills at all. TDI is reported to have a steep learning curve and using IIS is complex to set up.

I was quite pleased to find that the LDAP / DA method above was so straightforward once you understood the nomenclature of the names and groups.




