Monthly Archives: February 2009

A method for LDAP authentication with Lotus Domino

Several years ago, I was asked to configure our Domino servers for LDAP authentication for HTTP and IMAP with our third party LDAP server infrastructure. We had been using the Domino HTTP password for web, IMAP and Sametime authentication, but as an enterprise we were moving in the direction of standardizing on a one user id/one password model for identity management. In our Domino environment, the Domino shortname field also equals our global user id, which also maps to our domain email address: globaluserid@domain.name. Thus, the users could easily remember their global user id as it was part of their email address.

Because I had less than a month to implement the solution and could not purchase additional software for this purpose, my goal was to engineer a process that would be as streamlined as possible to implement and maintain. I also did not want to store the global user id passwords in the Domino directory, in order to minimize the overhead on the Domino servers. I determined that maintaining up-to-the-second password synchronization would require a tremendous amount of unnecessary replication activity on servers that were already quite busy.

I requested the addition of the following attributes to our enterprise LDAP schema:

  • DominoUserName: cn=joe e user/ou=ou1/o=o
  • MailFile: usermail1/juser.nsf
  • MailServer: cn=mailservername/o=o

We included MailFile and MailServer name so that these fields could be passed to the Domino Web Redirect database used as the central login point for HTTP/HTTPS authentication.

On the Domino Server side, we created a Directory Assistance database for each Domino server serving HTTP and IMAP. The Directory Assistance database configuration included the following:

  • Basics Tab:

Note – the “Use exclusively for Group Authorization or Credential Authentication” option was added in the 8.0.x version of the Directory Assistance template.

  • Naming Context Rules Tab:

  • LDAP Tab:

Attribute to be used as Notes Distinguished Name – this must match the DominoUserName attribute in the LDAP directory, which holds the user’s canonical Notes name.

Each Server Configuration Document was also changed to use a Directory Assistance database. Note – when Directory Assistance is enabled for the first time, a Domino restart is required for it to take effect.

My next task was to find a method to populate the data in the LDAP directory. Initially, I built an LDIF file to feed data into our test LDAP server. But I needed a process that would update the entries on a timely basis if a user’s information changed, so that web or IMAP authentication would not be affected. I thought I’d try out IBM Tivoli Directory Integrator. It was exactly the right tool for the job. I’ll include details of the Directory Integrator configuration in a separate post.
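As an added example (not code from the original post), the script below shows the kind of LDIF build step described above, with the checks worth running before the entries reach the LDAP server that Directory Assistance trusts: each DominoUserName must be a canonical Notes name, the mail address must equal the global user id plus the mail domain (the shortname/user id/email equivalence the post relies on), and no two LDAP entries may map to the same Notes name, since Directory Assistance would otherwise resolve both authenticated users to one Domino identity. The attribute names DominoUserName, MailFile and MailServer are the ones from the post; the object class dominoPerson, the base DN, the mail domain and the sample records are assumptions constructed for this example.

```python
import base64
import re
from collections import Counter

# Assumptions for this example: schema object class, base DN and mail domain.
MAIL_DOMAIN = "example.com"
BASE_DN = "ou=people,dc=example,dc=com"

# Constructed sample records (not real users). The third record is deliberately
# wrong: it maps to the same Notes name as juser and its mail does not match its uid.
SAMPLE_USERS = [
    {"uid": "juser", "cn": "Joe E User", "mail": "juser@example.com",
     "DominoUserName": "cn=joe e user/ou=ou1/o=o",
     "MailFile": "usermail1/juser.nsf", "MailServer": "cn=mailservername/o=o"},
    {"uid": "asmith", "cn": "Ann Smith", "mail": "asmith@example.com",
     "DominoUserName": "cn=ann smith/ou=ou1/o=o",
     "MailFile": "usermail2/asmith.nsf", "MailServer": "cn=mailservername/o=o"},
    {"uid": "jdoe", "cn": "John Doe", "mail": "john.doe@example.com",
     "DominoUserName": "CN=Joe E User/OU=ou1/O=o",
     "MailFile": "usermail1/jdoe.nsf", "MailServer": "cn=mailservername/o=o"},
]

# Canonical Notes name: cn=..., zero or more ou=... components, then o=...
CANONICAL_NAME = re.compile(r"^cn=[^/=]+(?:/ou=[^/=]+)*/o=[^/=]+$", re.IGNORECASE)


def validate_user(user, mail_domain=MAIL_DOMAIN):
    """Return the list of problems found in one record (empty list = record is fine)."""
    problems = []
    if not CANONICAL_NAME.match(user["DominoUserName"]):
        problems.append("DominoUserName is not a canonical Notes name")
    # shortname == global user id == local part of the mail address
    if user["mail"].lower() != f"{user['uid']}@{mail_domain}".lower():
        problems.append("mail does not equal <uid>@" + mail_domain)
    if not user["MailFile"].lower().endswith(".nsf"):
        problems.append("MailFile does not name an .nsf database")
    if not CANONICAL_NAME.match(user["MailServer"]):
        problems.append("MailServer is not a canonical server name")
    return problems


def find_duplicate_mappings(users):
    """Notes names claimed by more than one LDAP entry (Notes names are case-insensitive)."""
    counts = Counter(u["DominoUserName"].lower() for u in users)
    return sorted(name for name, n in counts.items() if n > 1)


def ldif_attr(name, value):
    """One LDIF attribute line; base64-encode values LDIF cannot carry as plain text (RFC 2849)."""
    needs_b64 = (not value.isascii() or any(c in value for c in "\0\n\r")
                 or value[:1] in (" ", ":", "<"))
    if needs_b64:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def to_ldif(user, base_dn=BASE_DN):
    """Render one validated record as an LDIF entry carrying the three Domino attributes."""
    lines = [
        f"dn: uid={user['uid']},{base_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: dominoPerson",  # assumed auxiliary class holding the added attributes
        ldif_attr("uid", user["uid"]),
        ldif_attr("cn", user["cn"]),
        ldif_attr("sn", user["cn"].split()[-1]),
        ldif_attr("mail", user["mail"]),
        ldif_attr("DominoUserName", user["DominoUserName"]),
        ldif_attr("MailFile", user["MailFile"]),
        ldif_attr("MailServer", user["MailServer"]),
    ]
    return "\n".join(lines) + "\n"


def build_ldif(users):
    """Return (ldif_text, rejected). Records with problems, and every record that shares
    a Notes name with another entry, are left out and reported as uid -> problems."""
    dupes = set(find_duplicate_mappings(users))
    rejected, entries = {}, []
    for u in users:
        problems = validate_user(u)
        if u["DominoUserName"].lower() in dupes:
            problems.append("DominoUserName is shared with another entry")
        if problems:
            rejected[u["uid"]] = problems
        else:
            entries.append(to_ldif(u))
    return "\n".join(entries), rejected


if __name__ == "__main__":
    text, bad = build_ldif(SAMPLE_USERS)
    print(text)
    for uid, why in bad.items():
        print(f"rejected {uid}: {'; '.join(why)}")
```

Both entries involved in a duplicate Notes-name mapping are held back rather than just the second one, because the export cannot tell which of the two is the legitimate owner of that Domino identity; that decision belongs to whoever reviews the rejected list.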

Big Brother? Bill proposes ISPs, Wi-Fi keep logs for Police

Check out this pending legislation.  CNET: Bill proposes ISPs, WiFi Logs for Police.

I’m wondering exactly how they assume home networks will manage internet logs?  Another case of Big Brother watching…

Universities and the Cloud

There has been a lot of blogging about cloud computing. I would like to point out that the discussion has been primarily focused on businesses.  But perhaps the focus needs to shift.   For the past several years, at the Gurupalooza and Meet the Developers sessions, someone will inevitably ask “IBM – what are you doing to cultivate the use and training of future Lotus Notes/Domino users/technical staff and leaders?”  And the answer always seems a bit fuzzy.  “We know we need to do more…”  It was so, so encouraging this year that the 2009 Lotusphere Idol winners were two students from the University of Nebraska at Lincoln.  

But wait a minute, the University of Nebraska at Lincoln and many, many other universities are moving to cloud systems for their student email offerings.  Why?  Because the vendors are providing the service for FREE!  Yes, free.   The two primary vendors are Google and Microsoft.  Why would a university want to move to a cloud-based system for email?  Keep in mind that universities and colleges are under the same pressures as private businesses to find cost savings in this economy.  So when a vendor comes along and says “free”, CIOs should examine this offering as an alternative to an in-house solution.  Remember we’re talking about students, not faculty.  Students who graduate and become alumni.  And the hope is that these alumni will donate money.  Think about the costs involved in maintaining life time accounts for hundreds of thousands of alumni with virtually unlimited storage space.  Why would a university want to channel funds into an in-house system if someone would do it for them…at no cost?   

Of course there are pros and cons to this decision. Those universities that have moved to the cloud have considered all aspects inherent to their particular environments. Universities are under legal constraints with regard to the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA) and local or state privacy and/or records maintenance requirements. Both Microsoft and Google offer solutions to address these concerns.

At Lotusphere this year, I had an opportunity to talk to several individuals about cloud computing and the trend of universities to move student email to cloud-based systems.  Comments included, “how can Google afford to offer free email?”  or “how will Microsoft make money by offering a university a free email system?”  Not being privy to either Google or Microsoft’s thought process, I can only guess that they have indeed found a way.  But does that really matter?  Perhaps the more important fact is that the next wave of students will be graduating with cloud email accounts intact (as many schools are offering this as a service for alumni), and those same students will one day be managers and decision makers.  “What email system are you familiar with?”  And the response most likely would be Google!  

As IBM announces its SaaS offering for Lotus Notes/Domino management and LotusLive, it occurred to me that the focus was still on fee for service.  Universities do receive Lotus products for free under academic licensing agreements for faculty and staff.  But with the spiraling costs of hardware, hardware maintenance, document retention, backup systems, etc., the opportunity to move students to a cloud-system as a cost savings seems too good an opportunity to pass up.  

Perhaps IBM is missing an opportunity as well. Why not offer some derivation of LotusLive free to universities as a central meeting place for students and faculty? Why not offer some form of hosting for student/alumni email as well? Then, when these students become managers and are asked “What email/collaboration system are you familiar with?”, the answer would be Lotus Notes!

Crash Test Results: Domino Configuration Tuner – Five Stars

I thought I’d give the Domino Configuration Tuner a crash test in our environment, which includes a mixture of 7.0.3 and 8.0.x servers on Windows 2000, 2003, and Solaris 10. Per Technote 4019358, I created the database locally on a Notes 8.02 client workstation. I ran the scan against 50 servers in the domain. The scan completed in less than 15 minutes, with no impact to the servers or the local workstation. The database provided a very useful visual summary of the critical, warning (high), warning (low), normal, and exception items it found within each server configuration. Each server’s report provided a list of those items with findings, explanations, and links to further information. In our case, one critical item was the recommendation that the Solaris servers be tuned with DEBUG_PD_NAGLE_OFF=1, and the report provided the corresponding information to justify that finding.

In my opinion, Domino Configuration Tuner is a five star tool to quickly tune and/or validate changes in your Domino settings.

LotusLive: Something of value – Sametime!

I’ve been testing LotusLive to see what all the buzz is about. A couple of general observations:

Finding people is not as easy as it should be.  Name searches and group searches are a little quirky in the results they return.  I did try several options and found that wildcard searches may be the most handy until something changes.

Locating public groups should be easier as well. A central directory would be a welcome addition to the dashboard.

BUT…there is one gleaming feature!  Sametime connect within LotusLive actually works.

From within LotusLive – click Instant Messaging from the Dashboard.

On your client, go to your Sametime Preferences if you are using the Sametime 7.5.1 or 8.0.x client. In the Lotus Notes 8.0.x client, go to File – Preferences – Sametime Preferences, then click Communities > Add New Community. Next, make sure you add the following:

  • Community type:  Sametime
  • Community name:  LotusLive Engage
  • On the Log in tab enter your LotusLive Engage User Name and Password
  • On the Server tab enter the Host Server:   im.lotuslive.com

Using this I was able to chat away with a colleague in another country with a great response time.
You will need to add your contacts using their names as listed in LotusLive, via the Sametime person lookup, once you’ve set up the LotusLive Engage community. I can see this being useful if you don’t have a Sametime gateway and want to keep a secure connection within the context of Sametime and LotusLive Engage. Take a minute to check it out.

Cloud Watch: Googling the Students by Bus

From Campus Technology – Googling the Students by Bus: An Interview with Google’s Jeff Keltner

We think the following lends itself to not only Google, but all end user systems.

  • “And the last thing I’d say from a developer’s perspective brings to mind an old quote from Henry Ford: ‘If I had asked my customers what they wanted, they would have asked for a faster horse.’ So we will focus more on what the user needs to do, than on what the user asks for from a feature perspective. What is the user trying to do and how can we make it easier for them, even easier than they’d expect?”

Cloud Watch: Google Updates App Engine

Information Week, John Foley posts: Google Updates App Engine in advance of “Big Announcements”

Note that Best Buy used the App Engine for its Giftag browser applet.