HCL Domino V11 – Directory Synchronization – Part 3

After you have created a Directory Assistance document that is enabled for Directory Sync (part 2 of this tutorial), create a Directory Sync Configuration document in the Domino® directory. You use this document to select the Directory Sync configuration options and then to enable Directory Sync.

Open your Domino Directory (names.nsf) and navigate to Configuration > Directory > Directory Sync.

Click “Add Directory Sync” to create a new document.

Select a Directory Assistance Domain from the list of configurations in da.nsf.

For an initial sync of all users and/or groups from the selected Active Directory, set “Sync all Active Directory users” to Yes.
Select No (the default) to sync only Active Directory users who are registered in Domino. If the option was previously set to Yes, any unregistered Active Directory users
that were synced earlier are removed from the Domino directory.
For an Active Directory record to sync with Domino, the Active Directory mail field must match the Internet address field in the Domino directory Person document.

Type the name of the application that is the target for synchronized users and/or groups into the “Domino Directory file name” field. Typically, this is your primary address book (names.nsf).

As you can see, the “Direction” field is currently not editable. At the moment, only a sync from Active Directory into Domino is possible.

One of DirSync’s abilities is to rename synced users in the target Domino directory when the users’ common name changes in Active Directory.

If the name of an Active Directory user who is not registered in Domino® changes, the name is automatically updated in the Domino® directory Person document during sync, regardless of this option.
If the user is already registered, a standard administration process Rename Person request is initiated for each name processed.

The Sync frequency setting tells DirSync how often the Dirsync task checks Active Directory for changes to synchronize. The default is once a minute.
Resync frequency tells DirSync how often, in minutes, to resync all data from Active Directory. The default is 10,000 minutes, or approximately once a week. If you do not want to regularly resync all data, specify 0 (not recommended).

If you want to synchronize groups, select the types of groups to synchronize. If you don’t want to synchronize groups, do not select either option on the “Synchronization” tab of the DirSync configuration document.

Keep in mind that the groups to be synced must have global group scope. If you try to sync local groups, you will see an error like this on the Domino server console:

DirSync  DirSync  CSyncFromAD::DoModify - Skipping modification because entry = 'CN=Users,CN=Builtin,DC=ad,DC=fritz,DC=box' is not a valid candidate for a 'group' record.

If you only want to sync a subset of all objects under the configured BaseDN, use an LDAP filter.

After you have finished your configuration, save and close the document.

Select the saved configuration in the view, click Enable and select Synchronize Data. Select Run in test mode to simulate the actions that Directory Sync would take, without changing any Domino® data.
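Test mode shows what DirSync would do against the live directory. The following Python example is added here and is not from the post or from HCL: it reproduces offline two of the rules above (the AD mail to Domino Internet address match for users and the global-scope requirement for groups) on constructed sample entries, and builds an LDAP filter that restricts group sync to global groups using Active Directory’s bitwise-AND matching rule. The matching-rule OID and the groupType bit values are Active Directory’s own; the case-insensitive address comparison is an assumption of the example.

```python
# Added example, not part of the original post: offline pre-flight check for two DirSync
# rules, the AD mail / Domino Internet address match and the global-scope group requirement.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # AD extensible match: bitwise AND
GROUP_TYPE_GLOBAL, GROUP_TYPE_DOMAIN_LOCAL, GROUP_TYPE_UNIVERSAL = 0x2, 0x4, 0x8  # 0x80000000 = security group


def group_scope(group_type):
    # AD exposes groupType as a signed 32-bit integer, so mask before testing the scope bits
    group_type &= 0xFFFFFFFF
    if group_type & GROUP_TYPE_GLOBAL:
        return "global"
    if group_type & GROUP_TYPE_DOMAIN_LOCAL:
        return "domain local"
    if group_type & GROUP_TYPE_UNIVERSAL:
        return "universal"
    return "unknown"


def global_groups_filter(base_filter="(objectCategory=group)"):
    # LDAP filter for the DirSync configuration document that selects only global groups
    return "(&%s(groupType:%s:=%d))" % (base_filter, LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_GLOBAL)


def preflight(ad_entries, domino_internet_addresses, sync_all_users=False):
    # Returns (DNs that would sync, [(DN, reason)] that would be skipped).
    # Addresses are compared case-insensitively (an assumption of this example).
    registered = {a.lower() for a in domino_internet_addresses}
    will_sync, skipped = [], []
    for entry in ad_entries:
        dn = entry["dn"]
        if entry["objectClass"] == "group":
            scope = group_scope(entry["groupType"])
            if scope == "global":
                will_sync.append(dn)
            else:
                skipped.append((dn, "%s group is not a valid candidate for a 'group' record" % scope))
        else:
            mail = entry.get("mail", "").lower()
            if sync_all_users or (mail and mail in registered):
                will_sync.append(dn)
            else:
                skipped.append((dn, "mail does not match a Domino Internet address"))
    return will_sync, skipped


# Constructed sample data; the groupType values are the usual AD encodings.
SAMPLE_AD = [
    {"dn": "CN=Jane Doe,OU=Users,DC=example,DC=test", "objectClass": "user", "mail": "Jane.Doe@example.test"},
    {"dn": "CN=Temp,OU=Users,DC=example,DC=test", "objectClass": "user", "mail": "temp@example.test"},
    {"dn": "CN=Sales,OU=Groups,DC=example,DC=test", "objectClass": "group", "groupType": -2147483646},
    {"dn": "CN=Users,CN=Builtin,DC=example,DC=test", "objectClass": "group", "groupType": -2147483644},
]
SAMPLE_DOMINO = ["jane.doe@example.test"]
```

Running preflight(SAMPLE_AD, SAMPLE_DOMINO) lists the Builtin group as skipped for the same reason the console message above reports, and the unregistered user as skipped until “Sync all Active Directory users” is set to Yes.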

If not already done, add the DirSync task to the ServerTasks line in the server’s notes.ini:

ServerTasks=Replica,Router,Update,AMgr,Adminp,Sched,CalConn,RnRMgr,Dirsync

and issue the following command on the server console: load DirSync.

DirSync will then be started automatically on the next server restart.

The Dirsync task begins to run when it detects the configuration document, and you should now see an entry similar to this on the server console:

[1BE0:0004-1D10] 19.01.2020 15:34:09   DIRSYNC From Active Directory (AD) - Summary (0.128 sec, Start=210711, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=234710)

Look at the Status tab of the Directory Sync Configuration document in the Domino® directory in addition to monitoring the output of Dirsync at the server console and in log.nsf.

Congratulations, you have successfully configured DirSync synchronization.
In the next part we will dig deeper into DirSync features and abilities.


HCL Domino V11 – Directory Synchronization – Part 1

When the Domino® server is installed in a Microsoft Windows domain, you as an administrator typically need to maintain two separate directories for the same set of people and groups.
Maintaining user and group information involves adding entries to both directories, deleting entries, ensuring that passwords are the same when users use Notes® Single Logon, coordinating group membership in both directories, and ensuring that user or group settings, such as email addresses and telephone numbers, are identical.

Prior to HCL Domino® V11 you had to install Domino® Active Directory synchronization as an additional feature, and it only worked in a Windows environment. Tools like TDI also work on Linux, but their installation and configuration are not easy and are error-prone.

HCL Domino V11 introduces a new, integrated task to synchronize users and groups. The task is called Directory Sync, or DirSync for short.
DirSync replaces the older Active Directory Synchronization feature, which is now deprecated. The new DirSync feature is a simpler, more effective synchronization tool. In this blog series, I will describe the basic concept and explain how to set up and configure DirSync.

As an HCL Master, I had the privilege of testing DirSync from the first closed V11 beta onward. The HCL team did a great job answering questions about the feature and also fixing issues as soon as they had been reported in the beta forum.

A lot of fixes were included in the HCL Domino® V11 GA release in 12/2019. There are still a few issues on the list that were not so easy to fix. They will be addressed in HCL Domino® V11.01 and later. Where available, I will post case numbers and SPR#.

Also, there are some additional DirSync features in the backlog that will be added in future versions of HCL Domino®.

So, what is DirSync and what can you do with it?

  • DirSync allows you to sync people and/or group data from an external LDAP directory into the Domino® directory.
  • Currently, only data from Active Directory can be synced.
  • DirSync makes it easy for your HCL Domino® users to address mail to, and see details about, users in your organization who do not use Notes®, such as Microsoft™ Outlook users registered in Active Directory.
  • With this feature, Active Directory users automatically have Person documents in the Domino® directory so that Notes® users can find their addresses and other information.
  • Without Dirsync, Notes® users must know the addresses of the Active Directory users before they can send mail to them, unless Person documents are added for them manually.

DirSync includes the following components:

  • LDAP directory assistance document created in a directory assistance database that is enabled for Directory Sync. A Domino® server uses this document to connect to the Active Directory server for syncing.
  • Directory Sync Configuration document created in the Directory Sync view of the Domino® directory. This document controls which Active Directory fields to sync to Domino® as well as other options.
  • A server task, Dirsync, that runs only on the Domino® administration server, that connects to the Active Directory server regularly to pull person and group changes into the Domino® directory.

What abilities does DirSync provide?

  • The ability to register Active Directory users in Domino®.
  • The ability for administrators to rename registered Domino® users when their names change in Active Directory. When a user’s common name in Active Directory changes, an administration process request, Rename Common Name is created. Administrators approve the request to initiate a standard administration process rename request.
  • The ability to sync from multiple Active Directory instances into multiple applications that use pubnames.ntf as their template. As of today, there are still a couple of issues with this configuration. Hopefully they will be fixed in HCL Domino® V11.0.1. I will come back to that later.

DirSync does not sync the password from an Active Directory into the person document in Domino® directory in HCL Domino® V11. This may or may not change in a future version.

Here is what a DirSync environment could look like:

serv01 is the administration server of the Domino® directory and runs the DirSync task.
The Directory Assistance database (da.nsf) contains the configuration documents that describe the 2 Active Directory instances to sync users and/or groups from.
The Domino® directory database (names.nsf) contains the DirSync configuration documents that are needed for synchronization from the Active Directory (AD) instances.
syncbook.nsf is an additional address book. Depending on the DirSync configuration in names.nsf, users and/or groups are synced either into the primary Domino® directory names.nsf or into the secondary address book syncbook.nsf.

To access Active Directory and add, delete or modify objects, I use LDAP Admin from http://www.ldapadmin.org and AD Explorer from the Microsoft Sysinternals tools (https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer).

In part 2 of this tutorial I will explain how to set up and configure the Directory Assistance database.


AutoPopulateGroup – Scheduled Agent

In yesterday’s post about how to automatically populate a group document, I published code that does the job in the foreground only. One of my blog readers complained about this. Maybe I was too naive to think that even an inexperienced Java developer like me could modify the given code to run on a scheduled basis on the server.

Well, here is the code for a scheduled agent.

import lotus.domino.*;
import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;
import java.util.Vector;

public class LDAPSearchWithFilter extends AgentBase {

	private static final String fldMembers = "Members";
	private static final String fldCriteria = "SelectionCriteria";

	public void NotesMain() {
		try {
			Session session = getSession();
			AgentContext agentContext = session.getAgentContext();
			Database _db = agentContext.getCurrentDatabase();

			// LDAP connection settings. Empty principal and credentials mean an
			// anonymous bind; for production use a dedicated read-only LDAP account.
			String ldapCF = "com.sun.jndi.ldap.LdapCtxFactory";
			String ldapURL = "ldap://localhost:389/";
			String ldapBaseDN = "";
			String ldapUserID = "";
			String ldapPassword = "";

			Hashtable<String, String> env = new Hashtable<String, String>(4);
			env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCF);
			env.put(Context.PROVIDER_URL, ldapURL + ldapBaseDN);
			env.put(Context.SECURITY_PRINCIPAL, ldapUserID);
			env.put(Context.SECURITY_CREDENTIALS, ldapPassword);

			// Walk every document in the database; only those carrying a
			// SelectionCriteria value are group documents to populate.
			DocumentCollection _dc = _db.getAllDocuments();
			Document doc = _dc.getFirstDocument();
			while (doc != null) {
				String searchCriteria = doc.getItemValueString(fldCriteria);
				if (searchCriteria != null && searchCriteria.trim().length() > 0) {
					try {
						DirContext ctx = new InitialDirContext(env);
						SearchControls ctls = new SearchControls();
						NamingEnumeration answer = ctx.search("", searchCriteria, ctls);
						PopulateGroup(answer, doc);
						ctx.close();
					} catch (NamingException e) {
						// A bad filter on one group must not stop the remaining groups
						e.printStackTrace();
					}
				}
				Document next = _dc.getNextDocument(doc);
				doc.recycle();
				doc = next;
			} // end of while
		} catch (Exception e) {
			e.printStackTrace();
		}
	} // end of Main

	public static void PopulateGroup(NamingEnumeration col, Document doc) {
		try {
			Vector v = new Vector();
			String result;
			if (col.hasMore()) {
				while (col.hasMore()) {
					SearchResult sr = (SearchResult) col.next();
					// Notes hierarchical names use "/" where an LDAP DN uses ","
					result = sr.getName();
					v.addElement(result.replace(',', '/'));
				} // end of while
				doc.replaceItemValue(fldMembers, v);
				doc.save(true);
			} // end of if
		} catch (NamingException e) {
			e.printStackTrace();
		} catch (Exception e) {
			e.printStackTrace();
		}
	} // end of PopulateGroup
} // end of class

AutoPopulateGroup (If You Do Not Run Domino 8.5)

A few days ago, I wrote about a new feature of Domino 8.5 to automatically populate groups via an LDAP selection criteria. This is a great feature and I have successfully tested it on my sandbox server.
Since we run Domino 8.0.1 on our production servers, we cannot use this very useful feature. …

But with a few lines of Java and LotusScript code, you can build your own solution to auto-populate groups. Here is what I came up with.

I’ve created a subform with two fields and a button.

  • HiddenMembers, Text, hidden
  • SelectionCriteria, Text, editable

The “Populate Group” button contains the following code:

' Declarations
Const fldMEMBERS = "Members"
Const fldHIDDEN = "HiddenMembers"
Const agntDOLDAP = "AutoPopulateGroup"

Sub Click(Source As Button)
	Dim s As New NotesSession
	Dim ws As New NotesUIWorkspace
	Dim db As NotesDatabase
	Dim agent As NotesAgent
	Dim doc As NotesDocument
	Dim uidoc As NotesUIDocument
	Dim searchResultItem As NotesItem
	Dim paramid As String

	Set db = s.CurrentDatabase
	Set uidoc = ws.CurrentDocument
	Set doc = uidoc.Document
	Set agent = db.GetAgent(agntDOLDAP)
	' Save the document so the server agent can find it by NoteID
	Call doc.Save(True, False)
	paramid = doc.NoteID
	Call agent.RunOnServer(paramid)
	' Re-read the document to pick up the HiddenMembers written by the agent
	Delete doc
	Set doc = db.GetDocumentByID(paramid)

	Set searchResultItem = doc.GetFirstItem(fldHIDDEN)
	Call uidoc.FieldSetText(fldMEMBERS, "")
	Forall values In searchResultItem.Values
		Call uidoc.FieldAppendText(fldMEMBERS, values)
		Call uidoc.FieldAppendText(fldMEMBERS, Chr(10))
	End Forall
	Call uidoc.Refresh
	Call doc.Remove(True)
End Sub

As in Domino 8.5, you will have to run LDAP on your server. To access LDAP and run a search according to the SelectionCriteria, you need an agent with the following piece of Java code:

import lotus.domino.*;
import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;
import java.util.Vector;

public class LDAPSearchWithFilter extends AgentBase {

	private static final String fldTmpMembers = "HiddenMembers";

	public void NotesMain() {
		try {
			Session session = getSession();
			AgentContext agentContext = session.getAgentContext();
			Database _db = agentContext.getCurrentDatabase();

			// The button passes the NoteID of the group document as the agent parameter
			Agent ag1 = agentContext.getCurrentAgent();
			String paramid = ag1.getParameterDocID();
			Document doc = _db.getDocumentByID(paramid);

			String searchCriteria = doc.getItemValueString("SelectionCriteria");

			// LDAP connection settings. Empty principal and credentials mean an
			// anonymous bind; for production use a dedicated read-only LDAP account.
			String ldapCF = "com.sun.jndi.ldap.LdapCtxFactory";
			String ldapURL = "ldap://localhost:389/";
			String ldapBaseDN = "";
			String ldapUserID = "";
			String ldapPassword = "";

			Hashtable<String, String> env = new Hashtable<String, String>(4);
			env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCF);
			env.put(Context.PROVIDER_URL, ldapURL + ldapBaseDN);
			env.put(Context.SECURITY_PRINCIPAL, ldapUserID);
			env.put(Context.SECURITY_CREDENTIALS, ldapPassword);

			try {
				DirContext ctx = new InitialDirContext(env);
				SearchControls ctls = new SearchControls();
				NamingEnumeration answer = ctx.search("", searchCriteria, ctls);
				PopulateGroup(answer, doc);
				ctx.close();
			} catch (NamingException e) {
				e.printStackTrace();
			}
		} catch (Exception e) {
			e.printStackTrace();
		}
	} // end of Main

	public static void PopulateGroup(NamingEnumeration col, Document doc) {
		try {
			Vector v = new Vector();
			String result;
			if (col.hasMore()) {
				while (col.hasMore()) {
					SearchResult sr = (SearchResult) col.next();
					// Notes hierarchical names use "/" where an LDAP DN uses ","
					result = sr.getName();
					v.addElement(result.replace(',', '/'));
				} // end of while
				// Store the result in the hidden field; the button copies it to Members
				doc.replaceItemValue(fldTmpMembers, v);
				doc.save(true);
			}
		} catch (NamingException e) {
			e.printStackTrace();
		} catch (Exception e) {
			e.printStackTrace();
		}
	} // end of PopulateGroup
} // end of class

Set the agent’s runtime security level to “2” (allow restricted operations). When all the code is in place, you can test the function by typing a selection criteria and clicking the button.

The Members field in your form should now show all persons that have “serv01” as their mail server.
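Both agents above turn the LDAP name returned for each entry into a Notes hierarchical name with replace(',', '/'). As an added example (not code from the post or from the sample database), this Python version does the general conversion: it splits only on unescaped commas, drops the optional space after a comma and resolves RFC 4514 escapes such as \, or \2C in a value, which the plain character replace would turn into a broken name.

```python
# Added example, not part of the original post: the agents above turn the LDAP name
# returned for each entry into a Notes hierarchical name with replace(',', '/').
# This general version splits only on unescaped commas, drops the optional space
# after a comma and resolves RFC 4514 escapes such as "\," or "\2C" in a value.
import re


def split_dn(dn):
    # Split a DN into its RDN strings on commas that are not backslash-escaped.
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair for unescape_rdn_value
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def unescape_rdn_value(value):
    # Resolve RFC 4514 escapes: "\XX" hex pairs and "\c" for special characters.
    def repl(match):
        esc = match.group(1)
        return chr(int(esc, 16)) if len(esc) == 2 else esc
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)


def dn_to_notes_name(dn):
    # "CN=Doe\, Jane,OU=Sales,O=Acme" -> "CN=Doe, Jane/OU=Sales/O=Acme"
    dn = dn.strip()
    if len(dn) >= 2 and dn[0] == dn[-1] == '"':
        dn = dn[1:-1]  # some LDAP clients wrap a name containing special characters in quotes
    rdns = []
    for rdn in split_dn(dn):
        attr, _, val = rdn.partition("=")
        rdns.append("%s=%s" % (attr.strip().upper(), unescape_rdn_value(val)))
    return "/".join(rdns)
```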

Download sample database


Auto-Populated Groups in Domino 8.5

Domino 8.5 comes with a new feature that uses predefined criteria to automatically determine and update group membership.

Complete these steps to set up an auto-populated home server group.

  • Set up a Home Server auto-populated group in a Group document.
  • Specify the update interval for auto-populated groups in the Domino Directory Profile document.

and (this is not in the Administrator Help for 8.5)

  • You must have LDAP enabled on the server.

Why LDAP? Take a look at the “SelectionCriteria” field in the recently created Group document.