Welcome to the #dominoforever Product Ideas Lab! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated jointly by the IBM & HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.

For more information and upcoming events around #dominoforever, please visit our Destination Domino page.


Active Directory synchronization

make Active Directory synchronization easy and documented

  • Guest
  • Jul 17 2018
  • Investigating
  • Guest commented
    18 Jul 14:35

    Get rid of the Domino Directory (for users) and move the user management to AD/LDAP completely.

  • Guest commented
    18 Jul 14:42

    Yes please, synchronizing passwords is important.

    Or a feature to sync automatically from AD.

  • Guest commented
    19 Jul 10:28

    I don't think getting rid of the Domino Directory is a great idea - but fixing it so it actually works like a decent LDAP server would make integration and syncing way easier between systems.

  • Guest commented
    28 Jul 15:59

    I don't know if this is discouraging, but IBM has proved many times in the past that they refuse to provide a good experience when the client is using competitors' products like AD/Outlook; some important features will be broken. To name a few: ADSync, DAMO, IMSMO, SPNEGO authentication.

    Leave it to 3rd party vendor solutions.

  • Guest commented
    31 Jul 06:27

    >>> Leave it to 3rd party vendor solutions.

    Sorry, I don't agree. Only a small minority of customers will purchase 3rd party solutions. The lack of integration with AD makes Notes/Domino vulnerable to being replaced, and customers will get rid of Notes rather than investigate & purchase 3rd party solutions.

    We need easy-to-implement SSO for the Notes client and for web access on Domino (what would you think if you had to put in a password to use Excel every day!!)

  • Guest commented
    02 Aug 12:01

    SAML should remove the need for password synch.

    As for 3rd party vendor solutions - IBM have their own offering (ESSO) which, ironically, in my experience at least, doesn't play nice with the Notes client.

  • Guest commented
    06 Aug 06:36

    Yes, synchronization is important!

    All companies use AD as primary for users!

    We need a simple feature for sync (not TDI or other complex tools).

  • Guest commented
    11 Aug 06:16

    Password synchronisation is a nightmare from a security point of view. In addition to the timing, this means AD needs write access to Domino or Domino needs read access to AD passwords; with TDI this is only possible by replacing Windows DLLs to write the password into a second store, because the hashes within the ID cannot be decrypted.


    You can today use the AD password for all HTTP password requests through Directory Assistance or using SAML and ADFS. ID passwords can be replaced with SAML. So authentication is done by AD and Domino has no need to know the password. It just needs to trust the backend service.


    Using open and standardized protocols like SAML is way better than writing passwords from one service to another! I support an idea to implement more IDPs and get offline support for ID SAML.

  • Guest commented
    13 Aug 08:04

    +1 for the above comment in general, but to also point out SAML is NOT yet available for the ICAA client. This should be top of the priority list.

  • Guest commented
    02 Sep 12:15

    Seamless AD integration is very important. I have a lot of customers that are moving to SharePoint/Office 365 but still use Notes as a web platform. When a user is created in the AD, the same user must have automatic and instant access to Notes Web applications without logging in (SSO).

  • Guest commented
    25 Sep 06:28

    >>> When a user is created in the AD - the same user must have automatic and instant access to Notes Web applications without logging in (SSO)

    That's already possible with SAML / SPNEGO / Directory Assistance.

  • Guest commented
    15 Oct 00:10

    Definitely a good idea. Currently manage this through an in-house bespoke solution. Painful to keep in sync with environmental changes. Has management rethinking association with Domino/IBM.

  • Guest commented
    23 Oct 10:01

    Many customers think that synchronizing is an easy task. It can be easy for someone who has worked on it for many hours; however, customers should understand the complexity of this task. I will highlight some aspects of synchronization.


    1. Mobile users running the IBM Verse application on mobile devices cannot decrypt encrypted emails after SAML is enabled for ID management.

    2. The Domino Traveler task utilizes Domino HTTP, which can authenticate users from MS AD LDAP. However, this solution is only good without usage of mail encryption, because Domino does not allow the use of MS AD for ID management in Traveler (IBM Verse on mobile devices).

    3. Password synchronization can be done from MS AD to Domino by Tivoli Directory Integrator; this includes HTTP and ID passwords, with one exception: Notes API functions for IDVault stop working after SAML is enabled for a user by policy. Thus password synchronization MS AD -> Domino cannot be achieved if SAML is enforced.

    4. Tivoli Directory Integrator allows you to synchronize MS AD users, groups, contacts and any other objects to Domino Directory persons, groups, mail-in databases and vice versa.

    5. Normal synchronization is not possible unless IBM fixes the issue where an IBM Notes user cannot be renamed unless he has an IBM Notes workstation configured and running. Otherwise only the initial administration request is generated and the others are not. The person will not be renamed in ACLs, in IDVault and in other places. Synchronization will always fail once an MS AD administrator renames MS AD users if the IBM Notes user does not use his IBM Notes workstation for any reason (for example, on maternity leave).

    6. Customers must understand that there's no 1 correct way to synchronize MS AD to Domino. One customer will want to sync 1 AD forest to 5 Domino domains; another customer will want to sync 5 AD forests to 1 Domino domain. One customer will treat users as deleted when they are deleted in MS AD; another will want to treat them as deleted whenever they are moved to MS AD OU=Retired,DC=organization,DC=com. One customer will want to create mail databases for users, another to forward to the Outlook cloud. So customers must understand that proper documentation, examples and a product sample can fit no more than x% of cases, and then the solution needs to be customized.


    -----------------------

    Summarized conclusion:

    1. IBM should resolve the rename issue (5), the API issue (3) and the mail decryption in IBM Verse issue (1).

    2. Then IBM, an IBM BP or a customer can share the knowledge of how to configure the most typical synchronization scenarios.