AD to Domino Synchronisation

Thu, 17 Apr 2008 08:06:11 +010
I am looking at TDI for the first time. My requirement is to synchronise
Users in an Active Directory into the user directory in a Community in
Domino in its Hosted Organisation (xSP) mode.
The Active Directory will be used to add, delete and modify users and these
changes need to be reflected in the Users in the Community. Active Directory
will always be used for managing users and therefore there is no requirement
to synchronise back from Domino to AD.
I have gone through the AD Sync tutorial and this is pointing me in the
right direction.
I have some specific questions I would welcome some feedback on:
1. It is not clear that the AD sync tutorial example synchronises
passwords - is it capable of this?
2. I require that a new user created by TDI in Domino has a notes ID and an
optional mailfile - is this possible using the tutorial example as a
starter?
3. I require this to be performed on a remote Domino server - is IIOP the
only way of achieving this and if so what Domino settings are required to
get this going?
4. If I also need to use the password synchronisation plug-ins to sync
passwords, then which ones do I require and can I do this in a one-way
operation as described above without creating a TDI password store or is the
password store a necessary element in the design for password
synchronisation?
Any help would be appreciated.
Regards, Mac.

Re: AD to Domino Synchronisation

Thu, 17 Apr 2008 10:29:47 +020
Hi Mac,
1. The AD/Domino Sync tutorial does not deal with passwords
(or groups for that matter). I just posted a blog entry
on the topic of password sync (http://tdiiingoutloud.blogspot.com)
to give you an overview of options. It looks to me like
you need the password-catcher plugin for AD. This will
grab the clear-text password before it is encrypted and
then either a) write it to a special container in an LDAP
directory, or b) drop a message on to MQe (MQ everyplace).
Either way, you then use an AL to either detect this new entry
pwd-change in the LDAP, or to subscribe to messages on MQe. The
AL picks up this clear-text password and can then write it to
your targets. In the case of Domino, the only password that TDI
can catch or set is the HTTP Password -- except for when
a Notes user is first provisioned - then the id file is
created and an initial password can be set.
Note that this will work for new users created in AD, as well
as password changes happening later; of course, you may have
to design your solution to ensure that the user is provisioned
to Domino/Notes first before the password is set.
Also note that since you will be using at least two ALs here --
one to catch password changes and one to detect AD user
adds/updates/deletes -- you may want to wait with provisioning
a user until you have caught the initial password value, which
you can then use to set to HTTP Password and the new Id file.
In this case you will need to stow this password away someplace
(e.g. the TDI System Store) until you are ready to provision
them.
Or you could just go the more commonly used route of using a
default password (e.g. "pa88w0rd") when provisioning new
users, and then just keeping the HTTP Password in sync as
things are changed in AD.
2. This tutorial does not go into detail on how to control
mailfile creation, specify templates, set ACLs etc. We
here in the TDI lab have just completed a HowTo Guide
that covers the various connection points TDI has to
Domino/Notes, including the aforementioned operations.
Look for a notice here in the newsgroup as soon as it
is available for download.
3. The Domino Users Connector, which is the only TDI component
that can be used to provision Notes users, does not support
IIOP. In fact, since the Java API lacks required functionality,
our component must use some calls from the Notes C API. As a result,
the TDI Server that is working with Notes users must be running on
a Windows PC using either a Local Client or Local Server connection.
4. You don't need any additional password store to use the
plugins, but you must choose which transport mechanism you
plan to use: LDAP or MQe. I hear that LDAP is the preferable
option (but will leave it to someone with more experience here
to explain why).
Hope this helps!
-Eddie
Mac Craigmyle wrote:
> I am looking at TDI for the first time. My requirement is to synchronise
> Users in an Active Directory into the user directory in a Community in
> Domino in its Hosted Organisation (xSP) mode.
>
> The Active Directory will be used to add, delete and modify users and
> these changes need to be reflected in the Users in the Community. Active
> Directory will always be used for managing users and therefore there is
> no requirement to synchronise back from Domino to AD.
>
> I have gone through the AD Sync tutorial and this is pointing me in the
> right direction.
>
> I have some specific questions I would welcome some feedback on:
>
> 1. It is not clear that the AD sync tutorial example synchronises
> passwords - is it capable of this?
> 2. I require that a new user created by TDI in Domino has a notes ID and
> an optional mailfile - is this possible using the tutorial example as a
> starter?
> 3. I require this to be performed on a remote Domino server - is IIOP
> the only way of achieving this and if so what Domino settings are
> required to get this going?
> 4. If I also need to use the password synchronisation plug-ins to sync
> passwords, then which ones do I require and can I do this in a one-way
> operation as described above without creating a TDI password store or is
> the password store a necessary element in the design for password
> synchronisation?
>
> Any help would be appreciated.
>
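The two-AssemblyLine design Eddie sketches (one AL catching password changes, one AL tracking AD adds/updates/deletes) has an ordering problem: the captured password can arrive before the user exists in Domino, or long after. The following is an added illustration, not code from the thread, from TDI or from the HowTo Guide mentioned above. It models the coordination logic in plain Python: a captured password for a not-yet-provisioned user is held in a short-lived stash (standing in for the TDI System Store), consumed when the AD add event arrives, and purged on a TTL or when the user is deleted; a user who is added with no captured password gets a random one-time password flagged for forced change rather than a shared default such as "pa88w0rd". `DominoTarget`, `SyncCoordinator`, the event names and the sample users are all constructed for this example and do not correspond to real TDI connector APIs.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class NotesUser:
    """Minimal stand-in for what a provisioned Domino/Notes user carries."""
    http_password: str
    id_file_created: bool
    initial_password_source: str   # "captured" (from AD) or "generated" (one-time)
    must_change_password: bool


class DominoTarget:
    """Constructed stand-in for the Domino side; a real AL would call the Domino Users Connector."""

    def __init__(self) -> None:
        self.users: Dict[str, NotesUser] = {}

    def provision(self, name: str, password: str, source: str, must_change: bool) -> None:
        # Provisioning is the only moment the ID file password can be set (per the thread).
        self.users[name] = NotesUser(password, True, source, must_change)

    def set_http_password(self, name: str, password: str) -> None:
        # Later changes can only touch the HTTP Password.
        self.users[name].http_password = password

    def delete(self, name: str) -> None:
        self.users.pop(name, None)


class SyncCoordinator:
    """Joins the password-catcher stream and the AD change stream (hypothetical helper)."""

    def __init__(self, target: DominoTarget, stash_ttl: float = 900.0,
                 clock: Optional[Callable[[], float]] = None) -> None:
        self.target = target
        self.stash_ttl = stash_ttl          # seconds a captured password may wait for its add event
        self.clock = clock or time.time
        self._stash: Dict[str, Tuple[str, float]] = {}   # name -> (clear text, captured_at)

    def on_password_captured(self, name: str, clear_text: str) -> str:
        """Event from the password-catcher AL."""
        if name in self.target.users:
            self.target.set_http_password(name, clear_text)
            return "applied"
        # User not provisioned yet: hold the value briefly instead of dropping it.
        self._stash[name] = (clear_text, self.clock())
        return "stashed"

    def on_ad_user_added(self, name: str) -> str:
        """Event from the AD change-detection AL."""
        self.expire_stash()
        entry = self._stash.pop(name, None)
        if entry is not None:
            self.target.provision(name, entry[0], "captured", must_change=False)
            return "captured"
        # No captured password: per-user random one-time value, never a shared default.
        one_time = secrets.token_urlsafe(16)
        self.target.provision(name, one_time, "generated", must_change=True)
        return "generated"

    def on_ad_user_deleted(self, name: str) -> None:
        self.target.delete(name)
        self._stash.pop(name, None)     # never keep a password for a user that is gone

    def expire_stash(self) -> int:
        """Drop captured passwords whose add event never came; returns how many were purged."""
        now = self.clock()
        expired = [n for n, (_, t) in self._stash.items() if now - t > self.stash_ttl]
        for n in expired:
            del self._stash[n]
        return len(expired)

    def pending_count(self) -> int:
        return len(self._stash)


def run_scenario():
    """Replays a constructed event sequence and returns (coordinator, target, results)."""
    t = [0.0]
    target = DominoTarget()
    coord = SyncCoordinator(target, stash_ttl=900.0, clock=lambda: t[0])
    results = {}
    # alice: password caught before her AD add is processed -> stashed, then used at provisioning.
    results["alice_pwd"] = coord.on_password_captured("alice", "S3cret-Alice")
    results["alice_add"] = coord.on_ad_user_added("alice")
    # bob: added with nothing captured -> random one-time password, forced change.
    results["bob_add"] = coord.on_ad_user_added("bob")
    results["bob_source"] = target.users["bob"].initial_password_source
    results["bob_initial"] = target.users["bob"].http_password
    # bob: later AD password change applied straight to the HTTP Password.
    results["bob_pwd"] = coord.on_password_captured("bob", "New-Bob-Pass")
    # carol: password caught, add event never arrives -> purged after the TTL.
    coord.on_password_captured("carol", "Orphaned-Value")
    t[0] += 1000.0
    results["expired"] = coord.expire_stash()
    # bob removed from AD -> removed from Domino, nothing left in the stash.
    coord.on_ad_user_deleted("bob")
    return coord, target, results


if __name__ == "__main__":
    _, tgt, res = run_scenario()
    print(res, sorted(tgt.users))
```

The stash is the sensitive part of this design: whatever holds the clear-text value between capture and provisioning (here a dict, in TDI the System Store) should be bounded in time, emptied on delete, and protected at rest, since it contains exactly what the password-catcher plugin grabbed before AD encrypted it.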