Domino Consulting - HCL Domino Administrator 11.0.1 Help

CONFIGURING

Creating a Directory Assistance document enabled for Directory Sync

The first step to configure Directory Sync is creating a Directory Sync-enabled Directory Assistance document in the directory assistance database.

Before you begin

This procedure assumes that you have completed the following steps:

Creating and replicating a directory assistance databaseCreate a directory assistance database on one server, and then create a replica of the database on each server in the domain that will use it for directory assistance. .
Setting up servers to use a directory assistance databaseAfter you create a directory assistance database and replicate it to servers, set up the servers to use the database. To set up a server to use a directory assistance database, add the file name of the server's replica of the database to the Directory assistance database name field of the server's Server document in the primary Domino Directory..

Note: If you are using an existing directory assistance database, replace its design with theda.ntf template provided being with Domino 11. For example, from Notes®, open the database and choose File -> Application -> Replace Design.

About this task

This procedure describes only the fields in the directory assistance document that apply to Directory Sync.

Procedure

1. Using an ldpsearch client or some other tool, test that the HCL Domino servers can connect to the Active Directory server.

2. From the Domino Administrator, choose File -> Open Server to open the Domino administration server for the domain. Click OK.

3. Click the Configuration tab.

4. In the navigation pane, expand Directory -> Directory Assistance. If you see Server Error: File does not exist, the administration server is not set up to use the directory assistance database.

5. Click Add Directory Assistance.

6. On the Basics tab, complete these fields:

Table 1. Basics tab

Field	Enter
Domain type	Select LDAP.
Domain name	A domain name of your choice that is different from the domain name specified for any other Directory Assistance document (HCL Notes or LDAP) in the directory assistance database. For example, `Renovations AD`.
Make this domain available to	Select Directory Sync. Note: Do not select Notes clients and Internet Authentication/Authorization or LDAP Clients unless you are also using the LDAP directory for these purposes.
Group authorization	Select No.
Enabled	Select Yes Note: You can also enable and disable directory assistance for this directory from the main view of the Directory Assistance database. Select the directory assistance record for the directory and, on the toolbar, click Enable/Disable.

7. (Optional) On the Naming Contexts (Rules) tab, for each rule you want to define for the directory, complete the following fields. For more information on naming rules, see https://www.ibm.com/support/knowledgecenter/en/SSKTMJ_10.0.1/admin/conf_directoryassistanceandnamingrules_c.html.

Table 2. Naming Contexts (Rules) tab

Field	Enter
N.C. #	Enter a naming context (rule) that describes the user names in the LDAP directory.
Enabled	Choose one: Yes to enable a rule No (default) to disable a rule
Trusted for Credentials	Choose one: Yes to allow servers to use credentials in the LDAP directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule. If you want to add Active Directory users or groups to the ACLs of Notes databases that are accessed over HTTP, select Yes. No (default) to prevent servers from using this directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule.

8. On the LDAP tab, complete these fields:

Table 3. LDAP tab

Field	Enter
LDAP Configuration section
Hostname	The host name for the Active Directory server, for example,`ad.renovations.com`. A Domino server uses this host name to connect to the directory server. Click Suggest to look up the host names of LDAP servers listed in your DNS. Click Verify to verify that a host name is an active LDAP server. Or Enter an additional host name or host names so that a Domino server can use an alternate LDAP directory server if the directory server represented by the first host name specified is unavailable. Separate host names with commas, semicolons, or by entering each host name on a new line. If you specify more than one directory server and each listens on a different port, specify the ports after the host names. For example: `ad1.renovations.com:390, ad2.renovations.com:391` Port values entered in this field override those specified in the Portfield. If no port is specified in this field, then the value specified in thePort field is used.
LDAP Vendor	Select Active Directory.
Optional authentication credential for search	For Optional Authentication Credential enter a user name and a password for a Domino server to present when it connects to the Active Directory server. The Active Directory server uses the name and password to authenticate the Domino server. If you don't specify a name and password, a Domino server attempts to connect anonymously. Click Verify to verify that the user name and password you entered is valid on each host name. This setting may affect change detection for LDAP servers.
Base DN for search	A search base, if the LDAP directory server requires one. For example: `o=Renovations` `o=Renovations,c=US` Click Suggest to search each host name for likely search bases. Click Verify to verify that the search base is accessible on each host name using the configured credentials. This setting may affect change detection for LDAP servers.
Connection Configuration section
Channel encryption	Choose one: SSL (the default) to use SSL when a Domino server connects to the Active Directory server None to prevent SSL from being used. If you choose SSL, make selections in these associated fields: Accept expired SSL certificates SSL protocol version Verify server name with remote server's certificate
Port	The port number Domino servers use to connect to the Active Directory server. If you choose SSL in the Channel encryption field, the default port is 636. If you choose None in the Channel encryptionfield, the default port is 389. If the directory server doesn't use one of these default ports, enter a different port number manually.
Advanced Options section
Timeout	The maximum number of seconds allowed for a search of the directory; default is 60 seconds. If the Active Directory server is also configured with a timeout value, the smaller value takes precedence.
Maximum number of entries returned	The maximum number of entries the Active Directory server can return for a name for which a Domino server searches. If the directory server also has a maximum setting, the smaller value takes precedence. If the directory server times out, it returns the number of names found up to that point. Default is 100.
Dereference alias on search	Choose one to control the extent to which alias dereferencing occurs during searches of the directory: Never Only for subordinate entries Only for search base entries Always (default) If aliases are not used in the directory, selecting Never can improve search performance.
Preferred mail format	Select Internet Mail Address.
Enable name mapping	Do not select.
Type of search filter to use	Select Active Directory.

9. Click Save & Close.

10. From the server console of the Domino administration server, run the following command to confirm that the Directory Sync configuration in the Directory Assistance document is set up correctly:

show xdir

You should see console output with the string SYNC similar to the following example:
Console with SYNC output

Related concepts
Example: Base DN for search
Directory Sync

Help on Help

All Help Contents

Help on Help

All Help Contents