Lotus Domino Active Directory Integration - Possible and Practical?

Solution 1

I personally don't have experience with the Domino / AD integration, but I've long thought about it and hope to try implementing it this year. The things I do know are that IBM has a service built to synchronize Domino and AD user/group info in both directions, and that there is a company called PistolStar that appears to specialize in this area.

I would definitely start with the IBM integration service first and see where that gets you. In fact, I'm going to check it out today too.

http://www.ibm.com/developerworks/lotus/library/domino-adsync/index.html

Solution 2

11 Years.... Although I don't know about your SSO goals, I would have to definitely say that it's time for a fresh install on a new/virtual server and to move everything over, then create the users you need (or if you find out about SSO, setting that up).

That current setup sounds like it's covered in security issues.

Solution 3

Since 2009 IBM Lotus Domino comes with a licence for the IBM Tivoli Directory Integrator.

So you could do something like that here:
- Synchronizing users between Microsoft Active Directory Server and IBM Domino Server using Tivoli Directory Integrator
- IBM Lotus Domino Integration Using IBM Tivoli Directory Integrator

Author: Maximus Minimus

Updated on September 17, 2022

Comments

  • Maximus Minimus over 1 year

    So about 3 months ago I "inherited" a Lotus Domino setup, and quite frankly, it's a mess. Historically, it's had 10 years of the primary focus being on development rather than on management and housekeeping (none of the latter was actually done, I had guys who'd left the place 11 years back still in admin groups), with a predictable end result.

    Now, I know how to clean up a mess, but while I'm doing that I'm also keeping one eye on the future, and something that I'm interested in investigating is the possibility of Active Directory integration. It doesn't make sense to me - in 2009 - to have yet another bunch of systems that require yet another username and password, inviting people down the route of yellow-sticky-note-syndrome (not to mention doubling our user/password management overhead).

    With clients being a mixture of browser-based and trad-client-based, I'm wondering how practical this is. Has anyone done it, and how well does it work? Do we get completely transparent authentication without requiring to even re-enter network credentials, do we still have to fool around with ID files (gack), can we add AD users to Domino groups, that kinda stuff.

    The server is 8.0.2 (on 2003 Server), clients mostly 8.0.1 and IE6, database applications but not Notes Mail are used. What little info I've seen on IBM is incredibly vague on the whole topic.

  • Maximus Minimus almost 15 years
    I've read about the PistolStar stuff, and it seems to promise great things. I don't really like the look of the IBM solution - way too much jiggery-pokery required, it's still hung up on ID files, and it means not being able to segregate Domino admin from AD admin. But I'm going to award this "accepted" anyway, as it seems a good indication of the current state of play.
  • Ken Pespisa almost 15 years
    After reviewing the IBM solution, I agree it's less than ideal. I have found no other solutions, unfortunately, other than 3rd-party SSO options like what PistolStar offers. I believe Notes 8.5 has made some steps toward better AD integration, but I've only read that in marketing materials and haven't dug deep into how it works.