Supported directory services configurations
You can set up IBM® Lotus® Quickr™ to control directory
services or set up the underlying Lotus Domino® server to control directory
services. This scenario only shows how to configure Lotus Domino control
of directory services: Setting up the underlying IBM® Lotus® Domino® to
control directory services enables you to take advantage of the directory
services and authentication methods that Lotus Domino supports.
CAUTION Switching from Domino control of directory services to Lotus
Quickr control is not supported because members added to places during
Domino control of directory services are not recognized after the switch.
Perform the following steps to set up Lotus Domino to control directory
services.
1. If users are located in a secondary directory rather than the Domino server's
   primary Domino Directory, set up directory assistance for the secondary
   directory. For instructions, refer to Directory Services > Directory Assistance
   in the Lotus Domino Administrator information center. Keep the following points in mind:
   - Create a Directory Assistance document for each directory
     that contains Lotus Quickr users.
   - To use groups from a directory as place members, specify
     "Group Authorization" in the Directory Assistance document. Locate
     all such groups in one directory because you can enable this option for
     one directory only.
   If the secondary directory is an LDAP directory and there are distinguished
   names in the directory that don't conform to the Domino naming convention,
   use an all-asterisk naming rule in the Directory Assistance document.
2. Perform the following steps:
   1. Log in to the Lotus Quickr server as an administrator.
   2. Click Site Administration.
   3. Click User Directory.
   4. Click Change Directory.
   5. In the Type list, select Domino Server.
   6. Select one of the following options:
      - To allow place managers to create local members, click
        Allow managers to create new users in each place.
      - To prevent place managers from creating local members
        and require them to select members from a user directory, click Disallow
        new users.
      - In order to enable SSL later, be sure the option Check
        for SSL connection with LDAP user directory is selected.
3. Click Next. Make sure to complete this step so your changes take effect.
Note When Domino controls directory services, you cannot use expanded
membership.
For information on setting up directory services on the Domino server,
see the Directory Services section in the Contents view of Domino Administrator
Help.
The following table highlights some of the benefits and limitations of
these directory services configurations and compares the supported directory
services configurations:
| Feature support | Lotus Quickr control of directory services | Lotus Domino control of directory services |
| --- | --- | --- |
| User Authentication | Supports only Domino basic name-and-password authentication or multi-server session-based (single sign-on) authentication. | Supports any user authentication method configured on the Lotus Domino server |
| Domino Internet Site documents | Not supported and Domino server cannot use | Supported |
| Directory | Supports one LDAP directory, and an optional additional LDAP directory for Lotus Quickr expanded membership use | Supports access to any directory that Lotus Domino server can access, including multiple directories accessed through Domino directory assistance |
| Lotus Quickr expanded membership | Supported | Not supported |
4. Test access to an LDAP directory server. If the connection is done to the LDAP
   directory server anonymously (that is, without supplying credentials),
   the LDAP directory server must allow anonymous access to the attributes
   used by Lotus Quickr. You can use the Lotus Domino® ldapsearch tool to
   test the server access to LDAP attributes.
To test access to attributes, from the program directory on the Lotus Quickr
server, enter a command such as the following one:
ldapsearch -h ldap.acme.com cn=arch*
In this example, ldap.acme.com is the LDAP directory server.
The command returns the list of accessible users with common names that
begin with the string "arch". If your LDAP directory server is
configured to allow access only with specific credentials, you can use
the same search, supplying the credentials on the command line:
ldapsearch -h ldap.acme.com -D [username] -w [password] cn=arch*
Using the ldapsearch tool is one of the first steps to
take when troubleshooting LDAP directory problems. If you cannot do lookups
using ldapsearch there is an underlying network or directory server problem.
For more information on ldapsearch, see Domino Administrator Help.
Access to the Domino Directory through LDAP
If you use the Domino Directory as your LDAP directory,
fields in the Domino Directory are mapped to LDAP attributes. To view the
mapping, open the Domino LDAP Schema database (schema.nsf) on the server.
Lotus Quickr and ldapsearch use the attribute names rather than field names.
For example, the field OfficePhoneNumber in the Domino Person document
is mapped to the LDAP attribute telephonenumber. Telephonenumber is the
name used in ldapsearch and in Lotus Quickr.
If Domino is your LDAP directory and Lotus Quickr connects to it anonymously,
you can edit the Domain Configuration Settings document in the Domino Directory
to update the list of attributes allowed for anonymous access. For more
information on setting access to a Domino LDAP directory, see Directory
assistance for the LDAP service.
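The anonymous-access test in step 4 and the anonymous attribute list described above can be checked together by auditing saved ldapsearch output. The following script is an added example, not part of the IBM documentation: it reports required attributes that an anonymous search did not return and attributes that anonymous access exposes beyond the required set. It assumes the search output was saved in LDIF form; the REQUIRED list, the function names and the sample entries are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: audit saved anonymous ldapsearch output (LDIF form).
# REQUIRED is a hypothetical list; substitute the attributes your site uses.
REQUIRED="cn mail telephonenumber"

# Constructed sample output, not real directory data.
sample_ldif() {
cat <<'EOF'
# constructed sample
dn: CN=Archie Adams,O=Acme
cn: Archie Adams
mail: aadams@acme.example
telephoneNumber: 555-0100
userCertificate;binary:: Y29uc3RydWN0ZWQ=

dn: CN=Archana Rao,O=Acme
cn: Archana Rao
mail: arao@acme.example
description: a long value folded
 onto a continuation line
EOF
}

# Usage: audit_anon "<required attrs>" < saved-output
# Prints "MISSING <attr> <dn>" when an entry lacks a required attribute and
# "EXTRA <attr>" once for each returned attribute that is not required.
audit_anon() {
  awk -v req="$1" '
    function flush(   a) {
      if (dn == "") return
      for (a in need) if (!(a in seen)) print "MISSING", a, dn
      split("", seen); dn = ""
    }
    BEGIN { n = split(tolower(req), r, " "); for (i = 1; i <= n; i++) need[r[i]] = 1 }
    /^#/ || /^ / { next }          # skip comments and folded continuation lines
    /^$/ { flush(); next }         # a blank line ends the entry
    {
      c = index($0, ":"); if (c == 0) next
      name = tolower(substr($0, 1, c - 1))   # attribute names are case-insensitive
      sub(/;.*/, "", name)                   # drop options such as ;binary
      if (name == "dn") { dn = $0; sub(/^[^:]*::? */, "", dn); next }
      seen[name] = 1
      if (!(name in need) && !(name in extra)) { extra[name] = 1; order[++m] = name }
    }
    END { flush(); for (i = 1; i <= m; i++) print "EXTRA", order[i] }
  '
}

sample_ldif | audit_anon "$REQUIRED"
```

A MISSING line points to an attribute to add to the anonymous access list (or to a person entry that lacks the value); an EXTRA line marks an attribute that could be removed from anonymous access if nothing else needs it.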