Several years ago, I was asked to configure our Domino servers for LDAP authentication for HTTP and IMAP with our third party LDAP server infrastructure. We had been using the Domino HTTP password for web, IMAP and Sametime authentication, but as an enterprise we were moving in the direction of standardizing on a one user id/one password model for identity management. In our Domino environment, the Domino shortname field also equals our global user id, which also maps to our domain email address: email@example.com. Thus, the users could easily remember their global user id as it was part of their email address.
Because I had less than a month to implement the solution and could not purchase additional software for this purpose, my goal was to engineer a process that would be as streamlined as possible to implement and maintain. I also did not want to store the global user id passwords in the Domino directory in order to minimize the overhead on the Domino servers. I determined that to maintain up to the second password synchronization, a tremendous amount of unnecessary replication activity would be required on servers that were already quite busy.
I requested the addition of the following attributes to our enterprise LDAP schema:
- DominoUserName – cn=joe e user/ou=ou1/o=o
We included MailFile and MailServer name so that these fields could be passed to the Domino Web Redirect database used as the central login point for HTTP/HTTPS authentication.
On the Domino Server side, we created a Directory Assistance database for each Domino server serving HTTP and IMAP. The Directory Assistance database configuration included the following:
Note – the “Use exclusively for Group Authorization or Credential Authentication” option was added in the 8.0.x version of the Directory Assistance template.
- Naming Context Rules tab: Attribute to be used as Notes Distinguished Name – matches the DominoUserName canonical name attribute stored in the LDAP directory.

Each Server Configuration Document was also changed to use a Directory Assistance database. Note – when Directory Assistance is enabled for the first time, a Domino restart is required for it to take effect.
My next task was to find a method to populate the data in the LDAP directory. Initially, I built an LDIF file to feed data into our test LDAP server. But I needed a process that would update the entries on a timely basis if a user’s information changed so that web or IMAP authentication would not be affected. I thought I’d try out IBM Tivoli Directory Integrator. It was exactly the right tool for the job. I’ll include details of the Directory Integrator configuration in a separate post.
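As an added illustration (not the author's own LDIF or Directory Integrator configuration), the script below generates LDIF records carrying the three custom attributes described above, DominoUserName, MailFile and MailServer, keyed on the shortname that doubles as the global user id and the local part of the e-mail address. The base DN, the e-mail domain, the auxiliary objectClass name and the sample users are assumptions; the canonical-name check exists so that a malformed DominoUserName is rejected before it can break the Directory Assistance name mapping.

```python
import base64
import re

# Constructed sample records: shortname (= global user id = local part of the
# e-mail address), Notes canonical name, mail file and mail server.
USERS = [
    {"shortname": "jeuser", "canonical": "CN=Joe E User/OU=OU1/O=O",
     "mailfile": "mail/jeuser.nsf", "mailserver": "CN=Mail01/O=O"},
    {"shortname": "amueller", "canonical": "CN=Anna Müller/OU=OU2/O=O",
     "mailfile": "mail/amueller.nsf", "mailserver": "CN=Mail02/O=O"},
]
MAIL_DOMAIN = "example.com"              # assumed e-mail domain
BASE_DN = "ou=people,dc=example,dc=com"  # assumed base DN
AUX_CLASS = "dominoPerson"               # assumed objectClass holding the custom attributes
CANONICAL_RE = re.compile(r"^CN=[^/=]+(?:/OU=[^/=]+)*/O=[^/=]+$", re.IGNORECASE)

def is_canonical(name):
    """True if name is shaped like a Notes canonical name (CN=.../OU=.../O=...)."""
    return bool(CANONICAL_RE.match(name))

def ldif_line(attr, value):
    """One LDIF line. Values RFC 2849 cannot carry in the clear (non-ASCII, leading
    space/colon/'<', embedded line breaks) are base64-encoded with '::'; a trailing
    space is encoded as well, as most LDIF tools do."""
    clear = (value.isascii() and not value.startswith((" ", ":", "<"))
             and not value.endswith(" ") and "\n" not in value and "\r" not in value)
    if clear:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def user_to_ldif(user):
    """LDIF record for one user. Malformed canonical names are rejected up front so
    a bad DominoUserName never reaches the directory and breaks the DA name mapping."""
    for field in ("canonical", "mailserver"):
        if not is_canonical(user[field]):
            raise ValueError(f"{field} is not a Notes canonical name: {user[field]!r}")
    uid = user["shortname"]
    cn = user["canonical"].split("/")[0][3:]   # common name, e.g. "Joe E User"
    lines = [ldif_line("dn", f"uid={uid},{BASE_DN}"),
             "objectClass: inetOrgPerson", f"objectClass: {AUX_CLASS}",
             ldif_line("uid", uid), ldif_line("cn", cn), ldif_line("sn", cn.split()[-1]),
             ldif_line("mail", f"{uid}@{MAIL_DOMAIN}"),
             ldif_line("DominoUserName", user["canonical"]),
             ldif_line("MailFile", user["mailfile"]),
             ldif_line("MailServer", user["mailserver"])]
    return "\n".join(lines) + "\n"

def build_ldif(users):
    """Whole LDIF file: one record per user, separated by blank lines."""
    return "\n".join(user_to_ldif(u) for u in users)
```

Feed the output of `build_ldif(USERS)` to `ldapadd` (or whatever loader your directory uses) against a test server first; the schema must already define the three custom attributes and the objectClass that carries them.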
Check out this pending legislation. CNET: Bill proposes ISPs, WiFi Logs for Police.
I’m wondering exactly how they assume home networks will manage internet logs? Another case of Big Brother watching…
There has been a lot of blogging about cloud computing. I would like to point out that the discussion has been primarily focused on businesses. But perhaps the focus needs to shift. For the past several years, at the Gurupalooza and Meet the Developers sessions, someone will inevitably ask “IBM – what are you doing to cultivate the use and training of future Lotus Notes/Domino users/technical staff and leaders?” And the answer always seems a bit fuzzy. “We know we need to do more…” It was so, so encouraging this year that the 2009 Lotusphere Idol winners were two students from the University of Nebraska at Lincoln.
But wait a minute, the University of Nebraska at Lincoln and many, many other universities are moving to cloud systems for their student email offerings. Why? Because the vendors are providing the service for FREE! Yes, free. The two primary vendors are Google and Microsoft. Why would a university want to move to a cloud-based system for email? Keep in mind that universities and colleges are under the same pressures as private businesses to find cost savings in this economy. So when a vendor comes along and says “free”, CIOs should examine this offering as an alternative to an in-house solution. Remember we’re talking about students, not faculty. Students who graduate and become alumni. And the hope is that these alumni will donate money. Think about the costs involved in maintaining life time accounts for hundreds of thousands of alumni with virtually unlimited storage space. Why would a university want to channel funds into an in-house system if someone would do it for them…at no cost?
Of course there are pros and cons to this decision. Those universities that have moved to the cloud have considered all aspects inherent to their particular environments. Universities are under legal constraints with regard to the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA) and local or state privacy and/or records maintenance requirements. Both Microsoft and Google offer solutions to address these concerns.
At Lotusphere this year, I had an opportunity to talk to several individuals about cloud computing and the trend of universities to move student email to cloud-based systems. Comments included, “how can Google afford to offer free email?” or “how will Microsoft make money by offering a university a free email system?” Not being privy to either Google or Microsoft’s thought process, I can only guess that they have indeed found a way. But does that really matter? Perhaps the more important fact is that the next wave of students will be graduating with cloud email accounts intact (as many schools are offering this as a service for alumni), and those same students will one day be managers and decision makers. “What email system are you familiar with?” And the response most likely would be Google!
As IBM announces its SaaS offering for Lotus Notes/Domino management and LotusLive, it occurred to me that the focus was still on fee for service. Universities do receive Lotus products for free under academic licensing agreements for faculty and staff. But with the spiraling costs of hardware, hardware maintenance, document retention, backup systems, etc., the opportunity to move students to a cloud system as a cost savings seems too good an opportunity to pass up.
Perhaps IBM is missing an opportunity as well. Why not offer some derivation of LotusLive free to universities as a central meeting place for students and faculty? Why not offer some form of hosting for student/alumni email as well? Then, when these students become managers and are asked the question “What email/collaboration system are you familiar with?”, the answer would be Lotus Notes!