
© Copyright IBM Corporation 2007, 2009 Trademarks

Integrating IBM Lotus Domino Directory with Microsoft Active Directory using ADSync

Page 1 of 14

Tony Patton
July 28, 2009 (First published January 02, 2007)

An enterprise IT environment with multiple directory platforms is a common scenario, and IBM Lotus Domino Directory and Microsoft Active Directory are popular choices within this scenario. This article explains one way to get these two directories to communicate easily using the Lotus Domino Active Directory Synchronization tool (ADSync).

Working with disparate systems is a common theme in most organizations, but different systems can be problematic when you're maintaining enterprise directories. A common scenario includes both the Microsoft Active Directory and IBM Lotus Domino within the corporate IT infrastructure. Lotus Domino is often used for enterprise messaging, whereas Active Directory handles network users. To simplify system administration, it's advantageous to maintain both directories from a single point. IBM recognized this need with the inclusion of the Lotus Domino Active Directory Synchronization tool, or ADSync, first available in Lotus Domino V6. It works with Microsoft Windows 2000 and later versions.

ADSync allows administrators to keep Domino Directory and Active Directory users and groups in sync. Administrators can register, synchronize properties and passwords, and rename and delete users and groups in the Domino Directory when such actions are performed in Active Directory, and vice versa. Features include container and property mappings between the two directories and the use of policies for registering users. Setup and usage are straightforward, but there are caveats to consider.

The following products are used in this article:

• Microsoft Windows Server 2003
• Lotus Domino V7.0.1
• Lotus Domino Administrator V7.0.1

Installation and setup

ADSync is included with the IBM Lotus Domino Administrator client as an installation option. It isn't installed by default, but is available as one of the optional program files, so you must select it during installation (see figure 1). In the Custom Setup window of the IBM Lotus Notes installation wizard, select the Domino Administrator option and the Domino Directory W2000 Sync Services sub-option.

Figure 1. ADSync option selected during Domino Administrator client installation

Once installed, ADSync consists of one DLL file (nadsync.dll) along with a help file (adsynch.chm). When you install ADSync on a Windows platform, you must complete installation with the following line:

Regsvr32 nadsync.dll

This registers ADSync as a Microsoft Management Console (MMC) snap-in, which makes it available in the Active Directory Users and Computers tool. Regsvr32 writes to the machine-wide class registry, so run it from an account with local administrator rights on that workstation, and point it at the nadsync.dll that the Domino Administrator installer placed in the Notes program directory rather than at a copy obtained elsewhere. Another installation issue involves establishing the appropriate security for both Lotus Domino and Active Directory administrators.
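The Regsvr32 step loads a third-party DLL into the MMC process that your directory administrators use every day, so it is worth recording what was registered and confirming the result. The following PowerShell script is an added example, not code from the IBM article: it hashes the DLL and reads its Authenticode signature before registration, optionally runs Regsvr32 silently and checks its exit code, and then looks in the registry for a COM class whose InprocServer32 points at nadsync.dll and for a matching MMC snap-in entry. The default Notes program directory, the requirement for PowerShell 4 or later (Get-FileHash), and the registry locations inspected are my assumptions, not statements from the article.

```powershell
# Added example, not code from the IBM article: checks around the
# "Regsvr32 nadsync.dll" step. ASSUMPTIONS: default Notes program directory,
# PowerShell 4 or later (Get-FileHash), standard COM and MMC registry locations.
param(
    # ASSUMPTION: adjust to the Notes/Domino Administrator program directory on your workstation.
    [string]$NotesProgramDir = 'C:\Program Files\IBM\Lotus\Notes',
    # Pass -Register to actually run regsvr32; without it the script only inspects.
    [switch]$Register
)

$dll = Join-Path $NotesProgramDir 'nadsync.dll'
if (-not (Test-Path -LiteralPath $dll)) {
    throw "nadsync.dll not found under '$NotesProgramDir'. Was the 'Domino Directory W2000 Sync Services' option selected during the Domino Administrator install?"
}

# 1. Record what is about to be loaded into MMC: file hash and Authenticode status.
#    Keep the hash with your change record so a later copy of the file can be compared against it.
$hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -FilePath $dll
Write-Output "File     : $dll"
Write-Output "SHA-256  : $hash"
Write-Output "Signature: $($sig.Status)"
if ($sig.Status -eq 'Valid') {
    Write-Output "Signer   : $($sig.SignerCertificate.Subject)"
} else {
    Write-Warning "Authenticode status is '$($sig.Status)'. Compare the file with the one on your installation media before registering it."
}

# 2. Optionally register. regsvr32 /s suppresses the dialog box; success is exit code 0.
#    Registration writes to the machine-wide class registry, so this needs local admin rights.
if ($Register) {
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList @('/s', "`"$dll`"") -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "regsvr32 exited with code $($proc.ExitCode); registration did not complete."
    }
}

# 3. Confirm the COM registration: list every CLSID whose InprocServer32 points at nadsync.dll,
#    whether that path is the file inspected above, and whether the CLSID is also an MMC snap-in.
$found = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -like '*nadsync.dll*') {
            [pscustomobject]@{
                CLSID       = $_.PSChildName
                Server      = $srv.'(default)'
                # False here means MMC would load a different copy than the one you just hashed.
                MatchesFile = ($srv.'(default)'.Trim('"') -ieq $dll)
                MmcSnapIn   = Test-Path -LiteralPath "HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\$($_.PSChildName)"
            }
        }
    }

if (-not $found) {
    Write-Warning 'No COM class points at nadsync.dll; the snap-in is not registered on this machine.'
} else {
    $found | Format-Table -AutoSize
}
```

Run it once without -Register to inspect the file, then with -Register from an elevated prompt. A CLSID row whose MatchesFile column is False tells you a different nadsync.dll is what Active Directory Users and Computers will actually load.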

Setting up security

A key aspect of using ADSync is security. Active Directory administrators need administrative access to the appropriate Domino Directory, and Domino administrators require appropriate Active Directory access. Active Directory administrators require a properly certified Notes ID and the necessary access to work with the Domino Directory. In addition, policies must be created for all Domino certifiers under which users are created. On the flip side, Domino administrators must have the necessary rights in Active Directory to perform all functions, such as adding users and groups. IBM recommends copying the certifier ID file (cert.id) from the Domino server to the Domino Administrator data directory. Bear in mind what that file is: whoever holds a certifier ID and its password can issue Notes IDs for that organization, so the copy on the administrator workstation deserves the same protection as the original, and only the administrators who need it should be able to read it. If distributing cert.id is not acceptable, the Certificate Authority option on the Notes Synchronization Options tab (described below) lets ADSync register users through the Domino CA process instead.

The final installation step involves initializing the ADSync tool from the Active Directory Users and Computers tool. To do this, double-click the Domino Directory synchronization object to initiate the process (see figure 2). You're asked for the Domino server, followed by the password prompt for the administrator ID (admin.id in the Domino server data directory). A dialog box appears to confirm successful setup.

Figure 2. Initializing the ADSync tool

The Lotus ADSync Options dialog box

After initialization is complete, the Lotus ADSync Options dialog box opens. (To access this window after initialization, double-click the Domino Directory synchronization selection in figure 2.) The Lotus ADSync Options dialog box contains the following four tabs:

• Notes Synchronization Options. You can use this tab to enable or disable all synchronization options as well as selectively enable/disable options. In addition, you may specify when prompts are displayed (for all operations, deletions only, or no operations) as well as choose to use a Certificate Authority for certification (see figure 3).


Figure 3. Notes Synchronization Options tab

• Notes Settings. On this tab, you identify the Domino server to use for all operations or specific servers for individual operations such as registration, synchronization, and deletion. In addition, you can specify Domino settings, including an administration ID, what happens during user deletion, a default certifier name, and policy along with Domino groups (see figure 4).


Figure 4. Notes Settings tab

• Field Mappings. Use this tab to map Active Directory fields to Domino Directory fields. Select a row (Active Directory field), and choose the Domino field to map to it (see figure 5).


Figure 5. Field Mappings tab

• Container Mappings. Use this tab to map Active Directory containers to specific Domino certifiers and/or policies (see figure 6). By default, the certifier and policy selected during setup are used for all operations.


Figure 6. Container Mappings tab

The Help button is available on all tabs in the Lotus ADSync Options dialog box. It provides access to general MMC help as well as ADSync-specific topics. You can easily enable or disable synchronization and access the options and Help windows by right-clicking Domino Directory synchronization, as shown in figure 7, or by using the Action menu.

Figure 7. Enabling Domino Directory synchronization

With the options properly configured, you are ready to synchronize users between Active Directory and Domino Directory. You begin with the Domino Administrator client.


Using the Domino Administrator client

ADSync adds an Advanced option (see figure 8) to the Register Person dialog box. Selecting this option provides access to Active Directory options with the Windows User Options button in the Other tab of the Register Person dialog box.

Figure 8. Register Person dialog box in Lotus Domino

Figure 9 shows the window that opens when you click the Windows User Options button. Here you can specify whether or not a corresponding Active Directory user is created, which Active Directory to use, and the following Active Directory options: full name, logon name, and groups.


Figure 9. Active Directory options for a new Domino user

The Lotus Domino side of the process ends with user maintenance. Next, you work in Active Directory.

Using Active Directory

Open the Active Directory Users and Computers tool from Administrative Tools in Windows. With ADSync initialized and set up, Domino Directory is now an option when you add Active Directory objects (people or groups). The New Object dialog box includes a "Register in Domino Directory" option; select this option to create the new object in Lotus Domino with the information entered in the fields.

In addition, you can add or synchronize an existing user in Lotus Domino by right-clicking the object in Active Directory and selecting the appropriate option. The dialog box shown in figure 10 opens when you select the Register in Domino option for an existing Active Directory user. You can use the default values and complete the user registration without prompts, or supply a name and password for each selected user. An option lets you choose whether registration should be attempted later if errors occur. After specifying the options, you can choose to register now, register later, or abort the process.


Figure 10. Registration options for Windows users and groups

In addition to working with individual users, you can also create groups from Active Directory. To do this, follow the user synchronization process, choosing to register or synchronize from the list of groups. You can also choose to create a group in Lotus Domino when it's created in Active Directory, as shown in figure 11. In the New Object - Group dialog box, you enter a name for the group, select the group type, and add a description.

Figure 11. Creating a Domino Directory group from Active Directory

The newly created group appears in Lotus Domino as shown in figure 12. The Group name, Group type, and Description fields are completed with the input from the New Object dialog box. Notice that the new group carries no characteristic that signals it was created using Active Directory; once it exists in the Domino Directory, nothing distinguishes it from a group created natively, so if you later need to tell synchronized groups apart from Domino-only ones, you must rely on your own naming convention or records.


Figure 12. Domino group created using Active Directory and ADSync

As you can see, using the ADSync tool is straightforward, but as with any tool, you must consider certain caveats when you use ADSync from either Lotus Domino or Active Directory.

ADSync caveats

One of the trickier aspects of using ADSync is gaining a thorough understanding of what works from which side; that is, which operations can be performed from Active Directory and what can be handled from the Domino Administrator client. However, this is easy to understand if you use the information in table 1. The first column contains the task, and the next two columns designate whether or not the task works based on its origin.

Table 1. ADSync operations initiated from both Active Directory and Lotus Domino

Operation                               | From Active Directory                                                                          | From Lotus Domino
Register user                           | Yes                                                                                            | Yes
Rename user created in Active Directory | Renames Active Directory user only                                                             | Renames Active Directory user only
Rename user created in Lotus Domino     | Yes                                                                                            | Yes
Synchronize user data                   | Yes                                                                                            | No
Delete user                             | Yes                                                                                            | Yes
Create group                            | Yes                                                                                            | No
Rename group                            | Yes                                                                                            | No
Synchronize group data                  | Overwrites the Domino Directory Members field with the membership defined in Active Directory  | No
Delete group                            | No                                                                                             | Yes

A quick look at the table tells you that users can be created and deleted from either side, but renaming a user depends upon where the user was created. User data is easily synchronized between the systems from Active Directory, but not from Lotus Domino. Group creation is solely an Active Directory task, and group deletion is solely a Lotus Domino task. Note also what synchronizing group data does: it overwrites the Domino Directory Members field with the Active Directory membership, so any members added on the Domino side (entries with no Active Directory counterpart) are dropped on the next synchronization. For groups that grant access in Domino ACLs, this means Active Directory must be the only place their membership is maintained. So putting ADSync to use in your environment requires familiarity with this table. Another issue involves dealing with passwords.
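Because the Members-field overwrite in table 1 happens without a report of what was lost, a pre-sync preview is worth having. The following PowerShell is an added example, not code from the IBM article, and runs on constructed sample membership lists: it compares a Domino group's Members field with an Active Directory group's membership and reports which Domino-side entries the next group synchronization would drop and which Active Directory entries it would add. It assumes the two directories are matched on common name (the CN component of each entry), which is an assumption about your field mappings rather than something the article states, and the function and variable names are mine.

```powershell
# Added example, not code from the IBM article: preview what "Synchronize group data"
# would do to a Domino group before running it. The membership lists at the bottom are
# CONSTRUCTED sample data. ASSUMPTION: entries on both sides are matched by common name.

function Get-CommonName {
    # Reduce a name from either directory to its common name so the two sides compare.
    # Handles Domino canonical ("CN=Tony Patton/O=Acme"), Domino abbreviated
    # ("Tony Patton/Acme"), AD distinguished names ("CN=Tony Patton,OU=...") and flat names.
    param([Parameter(Mandatory)][string]$Name)
    $n = $Name.Trim()
    if ($n -match '^CN=([^,/]+)') { return $Matches[1].Trim() }
    if ($n -match '^([^/]+)/')    { return $Matches[1].Trim() }
    return $n
}

function Compare-GroupMembership {
    param(
        [string[]]$DominoMembers,   # Domino Directory group: Members field
        [string[]]$ADMembers        # Active Directory group: member attribute (DNs)
    )
    # Hashtable keys are case-insensitive in PowerShell, which suits directory names.
    $domino = @{}
    foreach ($m in $DominoMembers) { $domino[(Get-CommonName $m)] = $m }
    $ad = @{}
    foreach ($m in $ADMembers)     { $ad[(Get-CommonName $m)] = $m }

    [pscustomobject]@{
        # Present only in Domino: removed when AD membership overwrites the Members field.
        WillBeRemoved = @($domino.Keys | Where-Object { -not $ad.ContainsKey($_) } | ForEach-Object { $domino[$_] })
        # Present only in AD: written into the Domino group.
        WillBeAdded   = @($ad.Keys     | Where-Object { -not $domino.ContainsKey($_) } | ForEach-Object { $ad[$_] })
        # Present on both sides.
        Unchanged     = @($domino.Keys | Where-Object { $ad.ContainsKey($_) })
    }
}

# CONSTRUCTED sample data: a Domino group that accumulated Domino-only members.
$dominoMembers = @(
    'CN=Tony Patton/O=Acme',
    'CN=Mail Operators/O=Acme',   # nested Domino group with no AD counterpart
    'LocalDomainServers'          # Domino server group with no AD counterpart
)
$adMembers = @(
    'CN=Tony Patton,OU=Users,DC=acme,DC=example',
    'CN=Jane Doe,OU=Users,DC=acme,DC=example'
)

$result = Compare-GroupMembership -DominoMembers $dominoMembers -ADMembers $adMembers
if ($result.WillBeRemoved.Count -gt 0) {
    Write-Warning ('Synchronizing would remove from the Domino group: ' + ($result.WillBeRemoved -join ', '))
}
$result
```

With the sample data, WillBeRemoved lists the Mail Operators group and LocalDomainServers, WillBeAdded lists Jane Doe, and Tony Patton is unchanged. To run it against live directories, replace the sample arrays with the Members item read from the Domino group document (for example over LDAP against the Domino server) and the member attribute of the Active Directory group (for example `([ADSI]"LDAP://CN=Sales,OU=Groups,DC=acme,DC=example").member`, with a DN from your own domain).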

Consistent passwords

When registering a new user in Active Directory Users and Computers, the password is entered twice, and ADSync takes the password information at that time from AD and populates that information into the Domino Directory. After that initial registration, Active Directory stores only a one-way hash of the password, never the password itself, so ADSync cannot read the existing password to perform further updates to either the Notes ID or the HTTP password in Domino. Any later password change on either side therefore leaves the two out of step.

A better approach to keep user passwords synchronized is available through the single sign-on (SSO) feature during installation of the Lotus Notes client (see figure 13). When you install Lotus Notes, select the Client Single Logon Feature sub-option to enable SSO, and a security policy can change the HTTP password when the Notes password is changed. Outside of Lotus Domino, IBM Tivoli Directory Integrator can provide some password synchronization functionality between the Domino Directory and Active Directory.

The SSO feature lets users use one logon for both Lotus Notes and the operating system. It's advantageous for users because it presents only one authentication mechanism, but it requires more administrative legwork due to the client installation and configuration.

Figure 13. Installing SSO during Lotus Notes installation

Programming

A common question about using ADSync has to do with programmatic support: Can you use ADSync when you create Domino users using scripts? The short answer is no. ADSync is an MMC snap-in meant to simplify the life of a system administrator. However, it provides no programmatic options for simplifying user or group creation and/or synchronization.

You can use ADSync to register Domino users at the time of Active Directory user creation or after the fact, and vice versa. At a low level, the ability to create Active Directory users is available in Lotus Notes, but it isn't exposed to developers by way of any available API in C, in Java, or in LotusScript. You may think that Active Directory interaction is available through the Microsoft .NET platform, but it doesn't provide access to ADSync features. You must use the Active Directory or Domino Directory interface to use ADSync functionality.

Conclusion

As any system administrator can tell you, managing enterprise users and groups is a time-consuming process. It can be even more grueling when the enterprise uses multiple, disparate systems. It's advantageous to have a single interface for tackling administrative chores like creating, deleting, and configuring users and groups. ADSync provides the answer by simplifying the process of keeping Active Directory and Domino Directory users and groups in sync. However, both sides of the ADSync process have caveats, so be prepared when you use the tool to ensure the results match your expectations.


Related topics

• IBM Redbook, "Migrating from Microsoft Exchange 2000/2003 to Lotus Notes and Domino 7"
• IBM Redbook, "Active Directory Synchronization With Lotus ADSync"
• IBM Redbook, "Getting the Most From Your Domino Directory"
• Download a trial version of Lotus Domino from developerWorks.
• Download a trial version of Lotus Notes from developerWorks.

© Copyright IBM Corporation 2007, 2009 (www.ibm.com/legal/copytrade.shtml)
Trademarks (www.ibm.com/developerworks/ibm/trademarks/)