Switching the LDAP from Domino to Active Directory in Connections without nightmares

Transcript

1. Switching the LDAP from Domino to Active Directory in Connections

   without nightmares Andreas Weinbrecht, Martin Schmidt Beck et al. GmbH @beck_et_al

2. Social Connections 15 Munich, September 16-18 2019

3. Social Connections 15 Munich, September 16-18 2019 Andreas Weinbrecht Account

   Manager [email protected] Martin Schmidt Senior IT Architect [email protected]

4. Social Connections 15 Munich, September 16-18 2019 Continental AG

5. Social Connections 15 Munich, September 16-18 2019 Continental AG

6. Social Connections 15 Munich, September 16-18 2019 ConNext - ESN

   based on HCL Connections • Implementation in 2013 • Beck et al. as implementation partner and provider • Adoption Rate • More than 130.000 enabled profiles • More than 70.000 unique users per week • Success • Easy access – everyone is enabled • Keep colleagues on the same page • Share ideas, knowledge and experience faster • Connect with people and teams across the organization • Find experts faster • Information can go viral

7. Social Connections 15 Munich, September 16-18 2019 Beck et al.

   GmbH

8. Social Connections 15 Munich, September 16-18 2019 Beck et al.

   GmbH

9. Social Connections 15 Munich, September 16-18 2019 Beck et al.

   and Continental

10. Social Connections 15 Munich, September 16-18 2019 Why switching from

    Domino LDAP to AD?

11. Social Connections 15 Munich, September 16-18 2019 Domino is no

    longer single source of truth • Customer has switched its messaging system from IBM Domino to MS O365 • Domino accounts should only exist for access to Domino applications • No need for Single-Sign-On setup anymore

12. Social Connections 15 Munich, September 16-18 2019 Depending systems and

    special setup

13. Social Connections 15 Munich, September 16-18 2019 Corporate Phonebook as

    data broker • Corp. Phonebook is a Domino application • Corp. Phonebook is getting its data from Domino Directories, SAP GHR and user updates • Corp. Phonebook is the source for many systems including Connections • Data available in Corp. Phonebook and required for Connections need to be available in Active Directory

14. Social Connections 15 Munich, September 16-18 2019 Data required for

    Connections • Schema Extension required in AD for • Contact Address (not maintained in SAP GHR) • Manager Information (hierarch. and functional) • Dedicates attributes used in Connections backend • New process to be established for updating the contact address and manager information

15. Social Connections 15 Munich, September 16-18 2019 LDAP Infrastructure Current

    and Future

16. Social Connections 15 Munich, September 16-18 2019 Current LDAP Infrastructure

    • LDAP Cluster is build from 4 Domino NAB via directory assistance • Phonebook is getting its data from 4 Domino Directories and SAP HR via Lotus Script Agent

17. Social Connections 15 Munich, September 16-18 2019 Future LDAP Infrastructure

    • LDAP Cluster is build from 4 Active Directory Servers, presenting the Global Catalog

18. Social Connections 15 Munich, September 16-18 2019 Current Authentication and

    Profile Data • Authentication against Domino LDAP Cluster • Profiles Data from Phonebook via TDI • Phonebook due to Attributes not in Domino NAB • Custom TDI AL as Notes Change Connector is used • Extension Attributes are heavily used • SSO with Active Directory is possible - match of Domino Short Name - samAccountName required

19. Social Connections 15 Munich, September 16-18 2019 Future Authentication and

    Profile Data • Authentication against Active Directory LDAP Cluster - Global Catalog • Profiles Data from Active Directory via TDI • Schema Extenstion due to attributes not in standard AD User.

20. Social Connections 15 Munich, September 16-18 2019 Technical Details

21. Social Connections 15 Munich, September 16-18 2019 People DB -

    Technical Keys • PROF_KEY - Internal Key, Instance specific • PROF_UID - Organization Key, LDAP unique • PROF_MAIL - Organization Key, LDAP unique • PROF_GUID - LDAP Key, LDAP unique • PROF_LOGIN - Organization Key, LDAP unique • PROF_SOURCE_UID - LDAP, LDAP unique • PROF_SOURCE_URL - TDI, Source LDAP

22. Social Connections 15 Munich, September 16-18 2019 Profiles Configuration •

    https://xxx.beaslabs.com/profiles/html/profileView.do?userid=2E96885470B 28BBCC1258412003840B1 • profiles-config.xml <!-- Directory integration configuration --> <directory> <!-- Specifies the profiles field that is used to resolve person records via WALTZ / Javelin --> <lconnUserIdField>guid</lconnUserIdField> <!-- Lists fields that will be used to resolve user at login time --> <loginAttributes> <loginAttribute>email</loginAttribute> <loginAttribute>uid</loginAttribute> <loginAttribute>loginId</loginAttribute> </loginAttributes> </directory> • https://www.ibm.com/support/knowledgecenter/en/SSYGQH_6.0.0/admin/a dmin/t_admin_profiles_manage_users.html

23. Social Connections 15 Munich, September 16-18 2019 TDI - Synchronisation

    • TDI uses • PROF_SOURCE_URL and one of PROF_MAIL, PROF_UID, PROF_GUID to match source and destination • Updates all configured attributes • Important Attributes • distinguishedName - PROF_SOURCE_UID • email - PROF_MAIL • calculated guid - PROF_GUID • uid (shortName, samAccountName, ...) - PROF_UID • loginId - PROF_LOGIN (could be multivalue - must be unique) • sn – PROF_SURNAME (must exist)

24. Social Connections 15 Munich, September 16-18 2019 Authentication • WebSphere

    • WIM - Virtual Member Manager • Uses 1 unique key to identfy users within LDAP • Domino: DominoUNID • AD: objectGUID • Customization possible • Connections • WALZ - Profiles directory services extension *) * IBM Lotus Connections 2.5: Planning and Implementing Social Software for Your Enterprise

25. Social Connections 15 Munich, September 16-18 2019 LDAP Switch Documentation

    • Updating Profiles when changing LDAP directory https://www.ibm.com/support/knowledgecenter/en/SSYGQH_6.0.0/admin/admin/t_admin_profiles_change_ldaps.html • Change LDAP directory syncing with Connections https://www.ibm.com/developerworks/community/blogs/4021cbfe-77ed-4a39-89de- 59b2fd63adb5/entry/change_ldap_directory_syncing_with_connections?lang=en • Social Connections 9: https://de.slideshare.net/soccnx/managing-ldap-changes-in-connections-54924817 • Specifying a custom ID attribute for users or groups: https://www.ibm.com/support/knowledgecenter/en/SSYGQH_6.0.0/admin/install/t_specify_dif_guid.html

26. Social Connections 15 Munich, September 16-18 2019 Other information regarding

    LDAP • IBM Connections using Active Directory and Nested Groups http://www.infoware.eu/ibm-connections-using-active-directory-and-nested- groups • Christoph Stoettner (panagenda) My presentations at IBM Connect 2016 https://stoeps.de/my-presentations-at-ibm-connect-2016/

27. Social Connections 15 Munich, September 16-18 2019 Switch procedure

28. Social Connections 15 Munich, September 16-18 2019 • User Accounts

    must exist on both sides and must have a 1:1 relationship • Common Attribute: email • Accounts must meet requirements • Must have access to Connections • Must have a unique Key • Mismatch must below accepted rate • Checking both sides, some accounts are not found in AD or do not meet the minimum requirements. • Wrong user data is ignored Before starting

29. Social Connections 15 Munich, September 16-18 2019 Switch • The

    switch procedure is executed as lined out by IBM. • New LDAP and admin accounts are configured • As all users exist in both LDAP directories, a one time move must take place • Current expected downtime is 2 days • Rollback: Restore from backup

30. Social Connections 15 Munich, September 16-18 2019 Problems and findings

    • When following the IBM guideline, @Mentions will fail in Blog entries, Wiki pages and in some entries in the Activity Stream – GUID/EXID/UserID must not get changed.

31. Social Connections 15 Munich, September 16-18 2019 Post switch tasks

    • Some users were not migrated successfully - fix to add them • New users need to be added • Some users will complain about wrong data - find root cause and organize fix • Used groups need to be corrected
32. None
33. None