The Hitchhiker's Guide To HCL Domino V11 Directory Sync

Ulrich Krause, midpoints GmbH

ENGAGE 2020, March 3 – 4

Burgers' Zoo, Arnhem, The Netherlands


About: Ulrich Krause

• Lotus, IBM, HCL Notes and Domino since 1993

• Developer / Administrator

• IBM Champion 2010 – 2019

• HCL Master 2019

• OpenNTF Contributor

• Let's Encrypt 4 Domino (LE4D)

• Working with midpoints GmbH

From Beta To General Availability (GA)

• HCL Domino V11 Beta – 14-Aug-2019 ( HCL Masters only )

• HCL Domino V11 Public Beta 1 – 06-Sep-2019

• HCL Domino V11 Public Beta 2 – 24-Oct-2019

• HCL Domino V11 GA – 21-Dec-2019

• HCL Domino V11.0.1 preview – 27-Feb-2020

DirSync is a new feature, but …

we'll explain all you need to know to set up and configure DirSync.

DirSync

• New as of Domino 11

• Directory Sync allows you to sync people and group data from an external LDAP directory into the Domino directory.

• Currently, data can only be synced FROM Active Directory.

• Directory Sync makes it easy for your HCL Domino users to address mail to and see details about users in your organization who do not use Notes such as Microsoft Outlook users registered in Active Directory.

• With this feature, Active Directory users automatically have Person documents in the Domino directory so that Notes users can find their addresses and other information.

• Without DirSync, Notes users must know the addresses of the Active Directory users before they can send mail to them, unless Person documents are added for them manually.

DirSync Components

• An LDAP directory assistance document, enabled for Directory Sync, created in a directory assistance database.

• Directory Sync Configuration document created in the Directory Sync view of the Domino directory

• A server task, "Dirsync", that runs only on the Domino administration server and connects to the Active Directory server regularly to pull person and group changes into the Domino directory.

• Target directories: names.nsf or other applications based on pubnames.nsf.

https://help.hcltechsw.com/domino/11.0.0/wn_directory_sync.html

DirSync Environment

Directory Assistance

• For each Active Directory, create a configuration document in the Directory Assistance database. On the "Basics" tab set

• Domain Type: LDAP

• Make this directory available to: Directory Sync

Directory Assistance

• On the "LDAP" tab leave the DEFAULT values, but set "LDAP vendor" and "Type of search filter to use" to Active Directory.

Directory Assistance

Click Verify to verify that you can connect to the Active Directory server and that you have provided the correct credentials.

Directory Assistance

Click Suggest to look up the search base of the Active Directory server.

SHOW XDIR (RELOAD)

• Save Directory Assistance configuration document(s).

• Update Domino's internal configuration by issuing the "show xdir reload" command on the server console.

• You should see output similar to this.

DirSync Configuration

• Add Directory Sync configuration document

• Open the Domino Directory.

• Select Configuration > Directory > Directory Sync.

• Click Add Directory Sync.

DirSync Configuration

Sync / ReSync Frequency

• How frequently the Dirsync task checks for Active Directory changes to synchronize. Default is once a minute.

• How often to resync all data from Active Directory, in minutes. Default is 10,000 minutes or approximately once a week. If you don't want to regularly resync all data, specify 0.

• Resync causes the following changes to synchronize which are not otherwise synced:

• Deleted users and groups.

• Name changes within groups

Fields To Sync To Domino

• Specify which Active Directory person fields to sync to Domino.

• A standard list of fields from Active Directory is shown by default.

• You can add or remove fields from the list.

• When Active Directory and Domino use different names for a field, the Domino field name is shown in parentheses after the Active Directory field name. For example: mail (Email address).

• Modifying this field causes a full resync.


Fields To Sync To Domino ( minimum )

Restore Defaults

• "Restore Defaults" will only reset the DEFAULT fields list. It will not remove any fields that have been added by the Administrator.

Restore Defaults

• The intended functionality of the button is to add in the fields that you would sync by default, without removing any special ones you added yourself.

• As you note, you can get just the default fields by clearing the list first, so the same button lets you do both functions, whereas if we have the button replace the field contents, there's no way to re-add the default fields without overwriting data you might want to keep.

• Andre Guirard/USA/PNPHCL

Restore Defaults

• "Restore Defaults" in DDE

Attribute To NotesItem Mapping

• DirSync uses schema.nsf, but if it is not present, it uses a hardcoded standard LDAP mapping.

• For example, the LDAP standard for FirstName is "givenname". That is always mapped using a hardcoded standard mapping name.

• If it is a new attribute and you just want a one-to-one mapping with the Notes name, you can simply make the Notes field name the same as AD's.

Attribute To NotesItem Mapping

• The mapping is sometimes not well thought out.

• On "Person" documents, the NotesItem "Comment" is an item of type "Text" that can be used in views.

• Changes to the description attribute are synced to the Notes document.

• On "Group" documents, the NotesItem "Comment" is an item of type "RichText" that cannot be used in views.

• DirSync recognizes that the description attribute has been altered, but the changes are NOT synced into the Notes document.

LDAP Filter

• By default, all users and groups starting from the search base in Active Directory are synced.

• Use a standard LDAP search filter to sync a subset only.

• For example, the filter (|(mail=*@brightside.*)(mail=*@darkside.*)) will only sync records that contain *@brightside.* OR *@darkside.* in the mail attribute.

• Modifying this field causes a full resync.

LDAP Filter

• The documentation says: "By default, all users and groups in Active Directory are synced. Optionally use a standard LDAP search filter to sync a subset."

• Why have I included (&(|(objectClass=Group)(objectClass=Person)) in my filter?

• “Without specifying the object class, you will get a lot more objects than you would expect. However, those will get post filtered by checks on valid attributes for person and group.” - Mike O’Brien, HCL
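The objectClass restriction discussed above, as an added example that is not from the presentation: a small Python evaluator for the subset of LDAP filter syntax used on these slides (&, | and attr=value with the * wildcard), run over constructed AD-style entries so you can see which objects the mail-only filter would hand to the sync and which ones the objectClass wrapper drops before DirSync has to post-filter them. The entries, DNs and mail domains are made up; the filters are the ones from the slides.

```python
import re

# Constructed AD-style entries (made-up DNs and mail addresses); objectClass
# chains follow the AD schema. The last two are the edge cases for the filters.
SAMPLE_ENTRIES = [
    {"dn": "CN=Luke Skywalker,CN=Sync,DC=ad,DC=example", "mail": ["luke@brightside.example"],
     "objectclass": ["top", "person", "organizationalPerson", "user"]},
    {"dn": "CN=BadGuys,CN=Sync,DC=ad,DC=example", "mail": ["badguys@darkside.example"],
     "objectclass": ["top", "group"]},
    {"dn": "CN=Sales DDL,CN=Sync,DC=ad,DC=example", "mail": ["sales@brightside.example"],
     "objectclass": ["top", "msExchDynamicDistributionList"]},  # mail-enabled, not person/group
    {"dn": "CN=Han Solo,CN=Sync,DC=ad,DC=example", "mail": ["han@neutral.example"],
     "objectclass": ["top", "person", "organizationalPerson", "user"]},  # mail domain not matched
]

# The slide's mail filter, and the same filter wrapped in the objectClass test.
MAIL_ONLY = "(|(mail=*@brightside.*)(mail=*@darkside.*))"
WITH_CLASS = "(&(|(objectClass=Group)(objectClass=Person))" + MAIL_ONLY + ")"

def parse_filter(text, pos=0):
    """Parse one parenthesised filter at pos -> (node, next_pos); handles &, | and attr=value."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    op = text[pos + 1]
    if op in "&|":
        pos += 2
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        node = (op, children)
    else:  # simple item; LDAP attribute names are case-insensitive
        end = text.index(")", pos)
        attr, _, value = text[pos + 1:end].partition("=")
        node = ("=", attr.strip().lower(), value)
        pos = end
    if text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry; values compare case-insensitively."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, pattern = node
    regex = re.escape(pattern).replace(r"\*", ".*")  # LDAP '*' wildcard -> regex '.*'
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))

def sync_candidates(filter_text, entries):
    """Return the DNs the filter would hand to DirSync, in search order."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["dn"] for e in entries if matches(node, e)]
```

Running sync_candidates with MAIL_ONLY returns the dynamic distribution list as well, while WITH_CLASS returns only the user and the group.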

Sync Groups

• If you want to synchronize groups, select the types of groups to synchronize. If you don't want to synchronize groups, do not select either option.

• Global Security groups, to be able to use Active Directory security groups in Notes® access lists.

• Global Distribution groups, to be able to use Active Directory distribution groups in Notes® mail addressing.

Sync Groups

DirSync <AD> CSyncFromAD::DoModify - Skipping modification because entry = 'CN=LocalGroup,CN=Sync,DC=ad,DC=fritz,DC=box' is not a valid candidate for a 'group' record. Valid group types are 'Global Security' and 'Global Distribution'

Sync groups

Sync Groups Only ?

DirSync <AD> CSyncFromAD::SyncSpan (NAMEldap_search_ext_s call) : (&(objectClass=Group)(uSNChanged>=242972)) took 0 msec
DirSync <AD> Modified uSNChanged from '' to '242971'
DirSync <AD> Modified objectGUID from '' to 'cbc2b888c0a9d7448f3a779e3b8a98c8'
DirSync <AD> Modified groupType from '' to '1'
DirSync <AD> 'group' Document updated, Common Name = 'CN=BadGuys'
DirSync <AD> CSyncFromAD::DoModify - Added New Note for 'CN=BadGuys,CN=Sync,DC=ad,DC=fritz,DC=box'
16.02.2020 09:40:03 DIRSYNC Full Resync From Active Directory (AD) - Summary (0.305 sec, Start=0, Adds=1, Modifies=0, Deletes=0, Skips=0, Errors=0, End=242971)

Enable DirSync Configuration

• Select one or more DirSync configurations and click "Enable".

Enable DirSync Configuration (cont.)

Select Run in test mode to simulate the actions that Directory Sync would take but without changing any Domino data.

Troubleshooting

• DirSync does not sync changes

• Check the Directory Assistance configuration for the domain.

• We have to distinguish between two situations: the Directory Assistance status has changed when

  • the DirSync task was not running (case 1)

  • the DirSync task was running (case 2)

Case 1

• On DirSync task start, an error is thrown on the Domino server console.

DirSync <AD> page size: 5000
<ct sq="00002A26" ti="0029FA3E-C1258509" ex="ndirsync" pi="1FEC" tr="0004-0A60" co="7">[1FEC:0004-0A60] DirSync> SyncFromLDAPToNAB( - 91: Connect error)@addirsync.cpp:269 - 13171:DirSync encounterred LDAP error .</ct>
09.02.2020 08:38:34 DIRSYNC: Customer '', Server 'CN=serv01/O=singultus', Filename 'names.nsf' has error '13171:DirSync encounterred LDAP error - 91: Connect error. [ - 91: Connect error] - 91: Connect error'.

Case 2

• Check the status of the Directory Assistance domain used in the DirSync configuration!

• No error will be shown. The console output pretends that DirSync is working.

• DIRSYNC From Active Directory (AD) - Summary (0.000 sec, Start=242144, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=242143)

Case 2 ( cont.)

• Although the Directory Assistance domain is not enabled, DirSync recognizes changes in the Active Directory objects.

• It will not update the corresponding person document in the configured target directory.

DirSync <AD> Entry with mail address '[email protected]' - NoteID 33066 was found in the target directory.
DirSync <AD> CSyncFromAD::DoModify(dn = 'CN=Luke Skywalker,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
DirSync <AD> 09.02.2020 08:20:29 DIRSYNC From Active Directory (AD) - Summary (0.447 sec, Start=242146, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=242146)

Case 2 ( cont.)

• When you enable the Directory Assistance configuration, DirSync will update changes in the person record.

DirSync <AD> Entry with mail address '[email protected]' - NoteID 33066 was found in the target directory.
DirSync <AD> CSyncFromAD::DoModify(dn = 'CN=Luke Skywalker,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
DirSync <AD> Modified MiddleInitial from '' to 'B'
DirSync <AD> Modified uSNChanged from '103050' to '242148'
DirSync <AD> 'person' Document updated, UTF8 Name = 'CN=Luke Skywalker,CN=Sync,DC=ad,DC=fritz,DC=box'
DirSync <AD> CSyncFromAD::DoModify - Modified existing Note for 'CN=Luke Skywalker,CN=Sync,DC=ad,DC=fritz,DC=box'
DirSync <AD> 09.02.2020 08:27:31 DIRSYNC From Active Directory (AD) - Summary (0.040 sec, Start=242148, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=242148)
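As an added example, not from the presentation: a Python check over Domino console lines that catches the Case 2 symptom shown above (DoModify calls in a cycle whose Summary reports no Adds, Modifies or Deletes), plus Errors>0 and an End value below Start, all of which are worth alerting on when you monitor DirSync. The sample lines are constructed after the ones on these slides; the mail address is made up.

```python
import re

# Constructed console excerpt modelled on the Case 2 output (mail address made up):
# cycle 1 touches Luke's entry but reports no change, cycle 2 is a healthy modify,
# cycle 3 reports an End USN below its Start.
SAMPLE_LOG = """\
DirSync <AD> Entry with mail address 'luke@example.test' - NoteID 33066 was found in the target directory.
DirSync <AD> CSyncFromAD::DoModify(dn = 'CN=Luke Skywalker,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
09.02.2020 08:20:29 DIRSYNC From Active Directory (AD) - Summary (0.447 sec, Start=242146, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=242146)
DirSync <AD> CSyncFromAD::DoModify(dn = 'CN=Luke Skywalker,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
DirSync <AD> Modified MiddleInitial from '' to 'B'
09.02.2020 08:27:31 DIRSYNC From Active Directory (AD) - Summary (0.040 sec, Start=242148, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=242148)
09.02.2020 08:38:34 DIRSYNC From Active Directory (AD) - Summary (0.000 sec, Start=242144, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=242143)
""".splitlines()

SUMMARY_RE = re.compile(
    r"DIRSYNC (?:Full Resync )?From Active Directory \((?P<domain>[^)]+)\) - Summary \("
    r"(?P<secs>[\d.]+) sec, Start=(?P<start>\d+), Adds=(?P<adds>\d+), Modifies=(?P<mods>\d+), "
    r"Deletes=(?P<dels>\d+), Skips=(?P<skips>\d+), Errors=(?P<errs>\d+), End=(?P<end>\d+)\)")
DOMODIFY_RE = re.compile(r"CSyncFromAD::DoModify\(dn = '(?P<dn>[^']+)', newentry=\d\)")

def parse_summary(line):
    """Return the counters of a DIRSYNC Summary line as a dict (ints, secs as float), or None."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    d = {k: int(v) for k, v in m.groupdict().items() if k not in ("domain", "secs")}
    d["domain"], d["secs"] = m["domain"], float(m["secs"])
    return d

def audit_dirsync_log(lines):
    """Walk console lines cycle by cycle and return a list of (cycle_no, finding) tuples."""
    findings, touched, cycle = [], [], 0
    for line in lines:
        m = DOMODIFY_RE.search(line)
        if m:
            touched.append(m["dn"])  # entry DirSync decided to modify in this cycle
            continue
        s = parse_summary(line)
        if s is None:
            continue
        cycle += 1
        if s["errs"]:
            findings.append((cycle, f"Errors={s['errs']} in domain {s['domain']}"))
        if s["end"] < s["start"]:
            findings.append((cycle, f"End={s['end']} is below Start={s['start']}; USN window went backwards"))
        if touched and s["adds"] + s["mods"] + s["dels"] == 0:
            # the Case 2 signature: changes were detected, nothing was written to the target directory
            findings.append((cycle, "DoModify on %s but Summary reports no changes; check the "
                             "Directory Assistance document for this domain" % ", ".join(touched)))
        touched = []
    return findings
```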

Disable DirSync Configuration

• Before you can edit the configuration, you must disable it.

• Select one or more DirSync configurations and click "Disable".

• A request action document is created and processed by the DirSync task.

Enable DirSync Configuration (cont.)

• A resync request is created automatically when the DirSync configuration has been changed.

DirSync> 09.02.2020 12:32:36 - Scheduled a Resync due to Config Doc options changing.

On Administration Server Only

• Enable, Disable and Resync are allowed only on the administrative server of the domain.

Resync

DirSync <names.nsf> Updating SyncAll Request's DirSyncRequestState to 1
10.11.2019 14:06:28 DIRSYNC From Active Directory (MIDPOINTS) - Summary (0.041 sec, Start=14231642, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=14231859)
10.11.2019 14:07:17 DIRSYNC From Active Directory (MIDPOINTS) - Summary (0.041 sec, Start=14231860, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=14231860)
DirSync <names.nsf> Sync all request calling SyncFromLDAPToNAB.
DirSync <MIDPOINTS> resyncall - SyncFromLDAPToNAB completed in: 0.223 seconds
DirSync <names.nsf> Updating SyncAll Request's DirSyncRequestState to 2
10.11.2019 14:07:24 DIRSYNC Full Resync From Active Directory (MIDPOINTS) - Summary (0.223 sec, Start=0, Adds=2, Modifies=0, Deletes=0, Skips=0, Errors=0, End=14231860)
DirSync <names.nsf> Deleting SyncAll Request

Register Selected Person

• In the Admin Client navigate to People & Groups – Domino Directories – People and right-click on the person you want to register.

• Click "Register selected person" in the context menu.

Register Selected Person

• Type in the password for the certifier

• A prefilled registration dialog will appear.

Troubleshooting

• The registration dialog is empty. FirstName and LastName are not pre-filled.

• When the certifier password dialog pops up:

  • ADMIN_REGISTER_NOTEID=<NoteID value of the currently selected document>

• Check notes.ini:

  • NewUserServer=serv06/singultus pointing to the wrong server

Register Selected Person

• The person will be registered as Domino user.

Register Programmatically ?

• LotusScript, as of now, does not have a method to do this using the NotesRegistration class.

• Enhancement request: https://domino-ideas.hcltechsw.com/ideas/DDXP-I-547

• Mike O'Brien/USA/PNPHCL – 'Created Jira Task for 11.0.1 work'

• Latest update: "By the way, the new LotusScript property to set the ContactNoteID field is currently checked into the 11.01 stream."

• New property in NotesRegistration class as of V11.0.1 preview.

Register Programmatically ?

Rename Registered Person

• The "Rename Domino users upon Active Directory rename" option must be enabled in the Directory Sync configuration document.

Change Attribute In AD

DirSync <AD> Entry with mail address '[email protected]' - NoteID 33070 was found in the target directory.
DirSync <AD> CSyncFromAD::DoModify(dn = 'CN=James Kirk,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
DirSync <AD> Modified uSNChanged from '242188' to '242190'
DirSync <AD> Modified CellPhoneNumber from '' to '001 555 HOME'
DirSync <AD> 'person' Document updated, UTF8 Name = 'CN=James Kirk,CN=Sync,DC=ad,DC=fritz,DC=box'
DirSync <AD> CSyncFromAD::DoModify - Modified existing Note for 'CN=James Kirk,CN=Sync,DC=ad,DC=fritz,DC=box'
09.02.2020 14:22:35 DIRSYNC From Active Directory (AD) - Summary (0.013 sec, Start=242190, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=242190)

Rename Registered Person

When a Domino user's common name changes in Active Directory, a Rename Common Name administration process request is created.

You must approve the request for the rename to be carried out in Domino.

Rename Registered Person

DirSync <AD> Processing ldap entry (SyncSpan) #1 from page #1, total entries #1: 'CN=James T Kirk,CN=Sync,DC=ad,DC=fritz,DC=box'
DirSync <AD> Entry with mail address '[email protected]' - NoteID 33810 was found in the target directory.
DirSync <AD> CSyncFromAD::DoModify(dn = 'CN=James T Kirk,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
LLNDirSync CSyncToAdminP::ModifyPerson: FLATFirstFuameValue: <pii>CN=James T Kirk/CN=Sync/DC=ad/DC=fritz/DC=box</pii> Status: No error.

DirSync Submitted adminp request to rename user CN=James Kirk/O=singultus to CN=James T Kirk/O=singultus

DirSync <AD> Modified uSNChanged from '276180' to '276181'
DirSync <AD> 'person' Document updated, UTF8 Name = 'CN=James T Kirk,CN=Sync,DC=ad,DC=fritz,DC=box'
DirSync <AD> CSyncFromAD::DoModify - Modified existing Note for 'CN=James T Kirk,CN=Sync,DC=ad,DC=fritz,DC=box'

DIRSYNC From Active Directory (AD) - Summary (0.281 sec, Start=276181, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=276181)

Rename Registered Person


Delete Users And Groups

• Registered users are not deleted from the Domino Directory when the user entry is deleted from Active Directory.

• Other synced users that no longer exist in Active Directory are not deleted during the scheduled sync. You need to initiate a resync to remove the person record from the Domino Directory.

• Deleted users are also removed from any synced group that they are a member of.

SyncFromLDAPToNAB - Deleted existing Note for 'Luke Skywalker'. This is NOT a registered user and could be a deleted orphan
DirSync <AD> resyncall - SyncFromLDAPToNAB completed in: 0.258 seconds
DirSync <names.nsf> Updating SyncAll Request's DirSyncRequestState to 2
09.02.2020 15:13:33 DIRSYNC Full Resync From Active Directory (AD) - Summary (0.258 sec, Start=0, Adds=0, Modifies=4, Deletes=1, Skips=0, Errors=0, End=242201)

Modify Group Members

• If a person is added to an AD group, the Notes group is updated during the next scheduled sync.

• If a person is removed from an AD group, the Notes group is updated during the next scheduled sync.

• If a person in AD is renamed (distinguishedName), the Notes (ACL) group is NOT updated during the scheduled sync.

• If a person in AD is renamed (distinguishedName), the Notes (Mail only) group is NOT updated during the scheduled sync.

• In those cases, the documents are updated during a resync.

Sync Registered Users Only


• Not working in V11 GA (worked in V11 Beta 2).

• Fixed in V11.0.1 (preview) (SPR# MOBNBL9R2P).

DirSync <AD> Processing ldap entry #1 from page #1, total entries = 1: CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box
DirSync <AD> Ignoring Contact 'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box'. Option is set to ignore
DirSync <AD> CSyncFromAD::ProcessEntry IGNORING dn: CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box

Sync From Different AD

• So far we only sync from one AD. What happens when we add another AD?

• This does NOT WORK in V11.

Sync From Different AD

LDAPDN:CN=Gaby Schmidt,OU=Sales,OU=Users,OU=midpoints,DC=ad,DC=demopoints,DC=net'
[1CC4:0005-1F84] DirSync <names.nsf> DirEntryID dump ...
[1CC4:0005-1F84] DirSync <names.nsf> Begin retrying DirCtxGetEntryByID with WebAuth_Verbose_Trace=1
[1CC4:0005-1F84] DirSync <names.nsf> End retrying DirCtxGetEntryByID with WebAuth_Verbose_Trace=1
[1CC4:0005-1F84] DirSync <names.nsf> Please email this DIRSYNC_STRICT_ASSERTEX failure to 'Domino DirSync Dev'

Issue With Empty Attributes

• All tested editors remove empty attributes from the AD object; the Notes item will then not be updated.

• Workaround: use a SPACE instead.

Monitoring Directory Sync

DirSync DEBUG mode

Domino server console: restart task dirsync

notes.ini: DIRSYNC_DEFAULT_ARGS=-v

Statistics

Items To Identify Synced Objects

NotesView ($LDAPGuid)

ScriptLib DirSyncUtil

How To Contact Me

• Mail: [email protected]

• Mail: [email protected]

• Twitter: @eknori

• Blog: https://www.eknori.de

• LinkedIn: https://www.linkedin.com/in/eknori/

Download This Presentation

https://eknori.de/_data/dirsync.pdf