By default, Lotus Notes Traveler uses the Domino directory as the authentication source, so users must authenticate with their Lotus Notes name and the internet password stored in their person document in the Domino directory. It is also possible to configure Lotus Notes Traveler to use an alternative Lightweight Directory Access Protocol (LDAP) directory as the authentication source. The LDAP authentication approach has the advantage of enabling you to use a directory other than the Domino directory for authentication purposes. For example, if you have another LDAP directory in your organization that you already use for user authentication, you can configure Lotus Notes Traveler to use that rather than the default Domino directory. The difference between the two types of authentication is shown in the following figures:
Lotus Notes Traveler using default Domino Directory authentication
Lotus Notes Traveler using LDAP authentication
To configure Lotus Notes Traveler to use an alternative LDAP directory for authentication, it is necessary to set up the underlying Lotus Domino server to use a feature called Directory Assistance (DA). DA is a standard Lotus Domino feature that is used to extend a Lotus Domino server to connect to other directories beyond the local Domino directory. This can include using other directories for user addressing purposes (for example, the ability to look up the email address of a user who is not in the local Domino directory) and/or to authenticate the credentials of HTTP users against an alternative directory. It is this alternative authentication capability that Lotus Notes Traveler can utilize.
The LDAP directory that you want to authenticate with must contain the user’s internet email address, in the same format as it is stored in the Domino directory. This is because it is this address that the Domino server will retrieve from the LDAP directory if the user completes the authentication process correctly (that is, enters a valid user ID and password). It will then match that address to the user’s person document in the Domino directory to establish their native Lotus Notes name. Lotus Notes Traveler then uses their "fully qualified" Lotus Notes name (for example, Joe Bloggs/ITSO/IBM) to validate that they have access to Lotus Notes Traveler and establish the location of their mail server.
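The lookup sequence described above, as an added Python illustration that is not Lotus Notes Traveler or Domino code: the user IDs, addresses and server names are constructed sample data, and the password comparison stands in for the LDAP bind. It also shows the two ways the match can fail even with correct LDAP credentials (address stored in a different format, or no person document at all).

```python
"""Model of the Directory Assistance credential flow described above.

Added illustration, not Lotus Notes Traveler or Domino code. Directory
contents are constructed sample data; the password comparison stands in
for the LDAP bind that Domino performs against the remote directory.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the alternative LDAP directory (user ID -> entry).
LDAP_DIRECTORY = {
    "jbloggs": {"password": "s3cret", "mail": "joe.bloggs@example.com"},
    "asmith": {"password": "pa55", "mail": "Anne.Smith@example.com"},
    "contractor": {"password": "tmp", "mail": "temp@partner.example"},
}

# Constructed stand-in for person documents in the Domino directory (NAMES.NSF).
DOMINO_PERSON_DOCS = [
    {"notes_name": "Joe Bloggs/ITSO/IBM", "internet_address": "joe.bloggs@example.com", "mail_server": "Mail01/ITSO/IBM"},
    {"notes_name": "Anne Smith/ITSO/IBM", "internet_address": "anne.smith@example.com", "mail_server": "Mail02/ITSO/IBM"},
]

@dataclass
class Result:
    ok: bool
    reason: str
    notes_name: Optional[str] = None
    mail_server: Optional[str] = None

def authenticate_via_da(user_id, password, trusted_for_credentials=True):
    """Walk the DA flow: LDAP credential check, then address match in Domino."""
    if not trusted_for_credentials:  # the Naming Contexts rule must be trusted
        return Result(False, "DA rule not trusted for credentials")
    entry = LDAP_DIRECTORY.get(user_id)
    if entry is None or entry["password"] != password:
        return Result(False, "LDAP authentication failed")
    # Domino retrieves the internet address from the LDAP entry and matches it,
    # as stored, against the person documents to find the native Notes name.
    for doc in DOMINO_PERSON_DOCS:
        if doc["internet_address"] == entry["mail"]:
            return Result(True, "ok", doc["notes_name"], doc["mail_server"])
    return Result(False, f"no person document with internet address {entry['mail']!r}")

def addresses_without_person_document():
    """Pre-deployment check: LDAP users whose mail value has no exact Domino match."""
    known = {doc["internet_address"] for doc in DOMINO_PERSON_DOCS}
    return sorted(uid for uid, e in LDAP_DIRECTORY.items() if e["mail"] not in known)
```

Running the check before enabling DA lists every user who would pass the LDAP step but still be refused by Traveler.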
Directory Assistance optionally supports the use of secure sockets layer (SSL) to encrypt the connection to the LDAP server, if the LDAP server also supports it. All of the communication between the Lotus Notes Traveler server and the LDAP server is encrypted if SSL is enabled in DA. This is a useful security measure to consider because it helps protect the user ID and password credentials submitted by users as part of the authentication process. It is especially important to consider using this feature if your Lotus Notes Traveler server is deployed in a "direct connection" network topology (as discussed in 2.3 Planning your server and network topology).
Configuring Directory Assistance to enable LDAP authentication
Use the following steps to configure Directory Assistance and enable Lotus Notes Traveler to authenticate users against an LDAP directory:
- Using a Lotus Notes client, open the New Application dialogue window
- In the "Specify New Application Name and Location" section, set the "Server Name" field to be your Lotus Notes Traveler server. Set the Title field to be Directory Assistance and set the File name field to be da.nsf.
- In the "Specify Template for New Application" section, set the "Server Name" field to be your Lotus Notes Traveler server again and select Show Advanced Templates. The template section should now populate with a list of available templates from your Lotus Notes Traveler server. Scroll through the list and select Directory Assistance.
- Now click OK in the New Application dialogue window to create the new Directory Assistance database.
- Once the Directory Assistance database finishes creating, it should automatically open and display the "About" window. Press Escape to exit this and display the main DA database content.
- Click Add Directory Assistance.
- Click the Naming Contexts (Rules) tab and change the "Trusted for Credentials" setting for the first row to Yes. Everything else on this tab can be left at its default.
- Click the Basics tab.
- Change the Domain Type to be LDAP.
- Set the Domain name to be that of your LDAP directory.
- Set the Company name to an appropriate value; it can actually be any value.
- Set the search order to 1, assuming this is the only entry in the DA database. If you have other entries in the DA database, set the order number to an appropriate value for your environment.
- In the "Make this domain available to" field, make sure only Notes Clients & Internet Authentication is selected.
- Set the "Group authorization" field to No.
- Set the "Use exclusively for group authorization or credential authentication" field to Yes.
- Set the "Enabled" field to Yes.
- Leave the two fields in the SSO configuration section blank.
- You can add some explanatory text in the "Comments" field. The completed Basics tab should look similar to the following example:
Now click the LDAP tab. The exact settings you use on this tab depend on the type of LDAP server you have in your environment, so the following examples are for illustrative purposes only.
- Set the "hostname" field to be the address of the LDAP server you wish to connect to. You can use the Verify button to check the connection.
- In the "LDAP vendor" field, choose the type of LDAP server that best matches your environment from the drop-down list.
- If necessary for your environment, specify the user name and password that should be used to connect to your LDAP server. Click Verify to check that the connection works.
- If necessary for your environment, specify the appropriate value in the "Base DN for search" field. Use Suggest or check with the administrator of your LDAP server to see if this is necessary. Click Verify to check that the connection works.
- In the "Connection Configuration" section, set the "Channel encryption" field to SSL if you are going to enable encryption, or None if not. Note that if you enable SSL, the Domino server must have an SSL certificate installed and configured for use.
- Set the "Port" field to the correct port number for your LDAP server.
- In the "Advanced Options" section, set the values that are appropriate for your LDAP server if required; otherwise, accept the defaults. Ensure that the "Preferred mail format" field is set to Internet Mail Address, and the "Type of search filter to use" field is set to the value that best matches your LDAP server.
- The completed LDAP tab should look similar to the following example, but with the correct settings where appropriate for your environment:
Click Save and Close to save your new DA configuration.
Open the Domino directory (NAMES.NSF) on your Lotus Notes Traveler server, go to Configuration -> All Server Documents and then edit the server document for your Lotus Notes Traveler server.
On the Basics tab of the server document, set the "Directory assistance database name" field to da.nsf and then save and close the document.
Restart your Lotus Domino server to pick up the changes and have DA enabled.
Once the Lotus Domino server completes its restart, run show xdir on the Domino server console to verify that DA is enabled (it should list the LDAP server in the output).
Further reading on LDAP integration
The following article provides more information about how to configure Directory Assistance to enable Lotus Notes Traveler to use an alternative LDAP directory for authentication:
Creating a Directory Assistance document for a remote LDAP directory