Solved

Lotus Notes LDAP

Posted on 2007-07-24
1,012 Views
Last Modified: 2013-12-18
I'm trying to get a Contivity 600 VPN device to use LDAP to authenticate VPN users. I'm trying to use the LDAP from my Notes server. If I put in the Contivity a base DN of o=MYDOMAIN, it works and allows all users to authenticate. I would like to limit it so only users in the Lotus Notes group called VPNClients can connect.

Any ideas on how I could limit this? I am not very familiar with ldap queries.

Below are the fields in the Contivity that I can fill out. With the current settings it allows any user in the Domino directory to connect; I would like to limit it to the VPNClients group.

Base DN = o=MYDOMAIN
Server = my notes server ip
Username Attribute = uid
User password attribute = I did not set it
LDAP Filter = I did not set it

Thanks in advance for any help!
Question by:unknown45
19 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 19562546
I am not sure that you can do this via a group.

You may have to set up a field in the Person DOC that LDAP uses that can be filtered.

Perhaps by Department or an unused hierarchical field.

You need to check the LDAP schema and see what fields are transferred to LDAP that you can use.

I hope this helps !
 
0
 

Author Comment

by:unknown45
ID: 19563763
I'm sure you could do it by group... But if I was going to use a field, let's say the field name was "vpnuser", how would I do it?
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 19565727
I would look up some sample LDAP filters; it may be something like field=value.

I'll look around.

0

Author Comment

by:unknown45
ID: 19565762
Yes I just found it using the "state" field, which we do not need. So using (st=vpn) works.

But is there now a way with a Lotus Agent I can set it up so if I add a user to the VPNClients group the agent will update the person records state field with vpn, and when they are deleted make the state field empty?
0
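The effect of putting (st=vpn) in the gateway's LDAP Filter field, as an added example that is not part of the original thread and is not Domino or Contivity code: the gateway ANDs its username lookup with the configured restriction, so only a person document whose State field reads "vpn" can be found and therefore authenticated. The person entries are constructed sample data, and the evaluator implements only the subset of RFC 4515 filters (equality, presence, &, |, !) needed here. The username is escaped before being spliced into the filter, because an unescaped "*" or ")" would change the filter's meaning; the unrestricted case shows what the original empty LDAP Filter setting allowed.

```python
"""Combine a per-user lookup with a gateway-wide LDAP restriction.

Added example for this thread; not code from the original post, from Domino
or from the Contivity.  Entries are constructed sample data; the evaluator
covers only equality, presence, &, | and ! from RFC 4515.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value.  Unescaped, a username of "*" would turn "(uid=*)" into a presence
# test that matches every person in the directory.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(username: str, user_attr: str = "uid", restriction: str = "(st=vpn)") -> str:
    """The filter the gateway sends: the username match ANDed with the configured restriction."""
    if not restriction:
        return f"({user_attr}={escape_filter_value(username)})"
    return f"(&({user_attr}={escape_filter_value(username)}){restriction})"


def _parse(s: str, i: int):
    """Recursive-descent parse of the filter at s[i]; returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    if op == "!":
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return ("!", [node]), i + 1
    end = s.index(")", i)
    attr, sep, raw = s[i:end].partition("=")
    if not sep:
        raise ValueError(f"malformed item {s[i:end]!r}")
    return ("=", attr.lower(), raw), end + 1


def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _eval(node, attrs: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_eval(c, attrs) for c in node[1])
    if kind == "|":
        return any(_eval(c, attrs) for c in node[1])
    if kind == "!":
        return not _eval(node[1][0], attrs)
    _, attr, raw = node
    values = attrs.get(attr, [])
    if raw == "*":                       # a bare "*" is a presence test ...
        return bool(values)
    wanted = _unescape(raw).lower()      # ... an escaped "\2a" is the literal character
    return any(v.lower() == wanted for v in values)


def matches(filter_str: str, attrs: dict) -> bool:
    """True if an entry with these attributes satisfies the filter."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return _eval(node, attrs)


# Constructed sample of the o=MYDOMAIN people; "st" is the State field the
# thread reuses as the VPN marker.  Attribute names are lower-cased.
DIRECTORY = [
    ("CN=Jane Doe/O=MYDOMAIN", {"uid": ["jdoe"], "st": ["vpn"]}),
    ("CN=Bob Roe/O=MYDOMAIN", {"uid": ["broe"], "st": []}),
    ("CN=Eve Adams/O=MYDOMAIN", {"uid": ["eadams"]}),
]


def find_user(username: str, restriction: str = "(st=vpn)") -> list:
    """DNs the gateway would get back for this username under the given restriction."""
    flt = build_auth_filter(username, restriction=restriction)
    return [dn for dn, attrs in DIRECTORY if matches(flt, attrs)]


if __name__ == "__main__":
    for user in ("jdoe", "broe", "*"):
        print(user, "->", find_user(user), "| unrestricted:", find_user(user, restriction=""))
```

With the restriction in place only Jane is found; without it Bob is found too, which is the "any user can connect" behaviour the question describes. The "*" login never matches anyone because it is escaped to "\2a" before it reaches the filter.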
 
LVL 63

Expert Comment

by:SysExpert
ID: 19565778
I would check the info in the Notes Admin Client help.

Search for LDAP

this entry

Examples of using ldapsearch may be useful, but there is a lot of info available.

It may be easier to see the help for your contivity 600 vpn device, or check their support site for examples.

I hope this helps !

0
 
LVL 63

Expert Comment

by:SysExpert
ID: 19565836
You can do the st=vpn via an agent with no real problem.

Either add the agent to the Address book, or in a blank DB that is just for agents.

I hope this helps !
0
 

Author Comment

by:unknown45
ID: 19565884
I'm not really familiar with the creation of agents in detail. What would I need to put to have it check if the user is in the group VPNClients and then, if so, update that person's user record st field with the value of vpn? And if they are not in the group, make the value empty.
0
 
LVL 63

Accepted Solution

by:
SysExpert earned 1600 total points
ID: 19566115
Well, here is a general agent to change any field in the Address book based on a group. It was originally designed to change the Mail server field but can be adapted to anything.

You can eliminate manual input prompts where needed. This agent would go in the Address book. I would protect it using a hide/when with an ACL role.

Change Mailserver For A 'Group' Of Users: change the Mail server or any field for a group.

Wil Conway, 12 May 2000, Rating --- (out of 5)

This code allows you to change the mailserver for all users listed in a group.
It could easily be modified to change any field in a person document.

Code
-----------

Sub Initialize
    On Error Goto Error_Handler
    '=======================================================================================
    ' AGENT INTRODUCTION
    '=======================================================================================
    Dim Continue As Integer    ' Msgbox result; 7 = No
    Continue = Msgbox ("This agent will change the mailserver entries for all users in a group" & Chr(13) _
    & "that you specify with the server that you specify." & Chr(13) _
    & "Do you still wish to continue?", 68, "'Change Mailserver for a Group of Users' Agent")

    If Continue = 7 Then
        Exit Sub
    End If
    '=======================================================================================
    ' DECLARATIONS
    '=======================================================================================
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim view As NotesView
    Dim Groupdoc As NotesDocument
    Dim Persondoc As NotesDocument
    Dim myServerName As String
    Dim myGroupName As String
    Dim mycounter As Integer    ' number of person documents saved
    '=======================================================================================
    ' USER INPUT 'GROUP'
    '=======================================================================================
Enter_Group:
    myGroupName = Inputbox ("What is the name of the group that has the users you would like to convert?", _
    "Input Required")
    '=======================================================================================
    ' INPUT VALIDATION 'GROUP'
    '=======================================================================================
    If myGroupName = "" Then
        Exit Sub
    End If
    Set db = session.CurrentDatabase
    Set view = db.GetView("Groups")    ' Get group view
    Set Groupdoc = view.GetDocumentByKey(myGroupName, True)    ' Get group doc
    If (Groupdoc Is Nothing) Then
        Msgbox "This is not a valid group. Please try again!", 16, "PROBLEM:"
        Goto Enter_Group
    End If
    '=======================================================================================
    ' USER INPUT 'SERVER'
    '=======================================================================================
Enter_Server:
    myServerName = Inputbox ("What is the name of the server that you would like to set these users to?" _
    & Chr(13) & "Note: the server name must be canonical", "Input Required", _
    "CN=YourCN/OU=YourOU/O=YourO")
    '=======================================================================================
    ' INPUT VALIDATION 'SERVER'
    '=======================================================================================
    If myServerName = "" Then
        Exit Sub
    Else
        If Not (myServerName Like "CN=*" And _
        myServerName Like "*OU=*" And _
        myServerName Like "*O=*") Then
            Msgbox "You did not enter the Server Name in the correct format!", 16, "PROBLEM:"
            Goto Enter_Server
        End If
    End If
    '=======================================================================================
    ' USER INPUT CHECK
    '=======================================================================================
    Continue = Msgbox ("You are about to change the mailserver entry to " & Chr(13) _
    & myServerName & Chr(13) _
    & "for all users in the " & "'" & myGroupName & "'" & " group." & Chr(13) _
    & "Do you still wish to continue?", 36, "'Change Mailserver for a Group of Users' Agent")

    If Continue = 7 Then
        Exit Sub
    End If
    '=======================================================================================
    ' MAIN CODE
    '=======================================================================================
    Set view = db.GetView("($Users)")    ' Get user view

    Forall x In Groupdoc.Members
        Set Persondoc = view.GetDocumentByKey(x, True)    ' Get user doc
        If Not (Persondoc Is Nothing) Then
            Persondoc.MailServer = myServerName    ' Set new MailServer value
            Call Persondoc.Save(True, True)    ' Save doc
            Print "Modifying Person Doc For: " & x
            mycounter = mycounter + 1
        End If
    End Forall
    ' The copy in the post is cut off after the Print line; the loop and the
    ' sub are closed here and a minimal error handler added so the agent compiles.
    Msgbox "Updated " & mycounter & " person document(s).", 64, "Done"
    Exit Sub
Error_Handler:
    Msgbox "Error " & Err & " at line " & Erl & ": " & Error$, 16, "PROBLEM:"
    Exit Sub
End Sub

-----------------------
0
 

Author Comment

by:unknown45
ID: 19566797
When I cut and paste the code into a new agent, most of it is in red (it does not like it). I tried to cut it up and modify it some, but it did not work.
0
 
LVL 20

Expert Comment

by:brwwiggins
ID: 19569443
let me throw a twist in it....as we use our Cisco ACS server for similar function.

Groups in domino LDAP do not fall under the base O= as the users do. You can see this with an LDAP browser so when you set O=mydomain you will not find the groups in there.

We ended up creating our groups such as "VPNAccess/VPN" in the directory (even though the client warns you about it) then in your LDAP search you can filter to o=VPN to find your groups. We have not had any problems but also do not try to send mail to these groups. These groups are used only for LDAP lookup.

If you still want to set a field value, you will also need to add this to the LDAP schema otherwise domino will not present this field via LDAP. By default it will only present certain fields in LDAP queries.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 19569548
A better avenue overall is if you can configure Contivity to check group membership. That way, rather than a single query to verify that the user password matches, you instead first 1) check that the user is in the correct group, a trivial query, then 2) do the standard password check.

If you insist on coding it into the user, you have several choices:
1) have a specific OU for allowed users, then recertify the users into that OU
2) set a known attribute like Department
3) set a custom attribute, then you have to modify the schema. Non-trivial, I would not go that way.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 19569973
Heh, brwwiggins and I are saying the same thing, posted about same time, I guess my typing has slowed :)

I should point out, this is not a Domino-specific problem. LDAP does not require any special "group member query" handling other than querying a groupOfNames object (you query the name and/or the member attributes of the object). There is a "virtual" (calculated) attribute called memberOf that Active Directory implements that allows you to find users who have membership in a group. This feature is, I think, at this point, not required in LDAP, though the definition for how it should work has been specified for a few years now. Even in the AD implementation, it only returns immediate group membership, not nested group membership.

Because it is not universally implemented, I'm pretty sure Contivity supports the separate querying for group membership by querying against the group object.
0
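The two-step check qwaletee describes (membership query against the group object, then the password check), as an added example that is not part of the original thread and is not Domino or Contivity code. The directory is constructed sample data: groupOfNames entries carry their members in the multi-valued member attribute, one group nests another, and passwords are stored as a constructed salted hash. Querying the group entry needs no memberOf attribute on the person, and the caller decides whether nested groups count; with nested=False the result is exactly what an immediate-only memberOf would report.

```python
"""Authorize a VPN login by querying the group object, then checking the password.

Added example for this thread; not code from the original post, from Domino
or from the Contivity.  The directory and credentials are constructed.
"""
import hashlib
import hmac


def _make_password(salt: str, password: str) -> str:
    """Constructed stand-in for a stored credential: salt$sha256(salt || password)."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


# Constructed directory: DN -> attributes (attribute names lower-cased).
VPN_GROUP = "cn=vpnclients,o=mydomain"
DIRECTORY = {
    "cn=jane doe,o=mydomain": {
        "objectclass": ["person"], "uid": ["jdoe"],
        "userpassword": [_make_password("s1", "jane-pass")],
    },
    "cn=bob roe,o=mydomain": {
        "objectclass": ["person"], "uid": ["broe"],
        "userpassword": [_make_password("s2", "bob-pass")],
    },
    "cn=eve adams,o=mydomain": {
        "objectclass": ["person"], "uid": ["eadams"],
        "userpassword": [_make_password("s3", "eve-pass")],
    },
    VPN_GROUP: {
        "objectclass": ["groupofnames"],
        # Bob is only reachable through the nested Contractors group.
        "member": ["cn=jane doe,o=mydomain", "cn=contractors,o=mydomain"],
    },
    "cn=contractors,o=mydomain": {
        "objectclass": ["groupofnames"],
        "member": ["cn=bob roe,o=mydomain"],
    },
}


def search_user_dn(uid: str):
    """Query 0: resolve the login name to a person DN (None if absent)."""
    for dn, attrs in DIRECTORY.items():
        if "person" in attrs["objectclass"] and uid in attrs.get("uid", []):
            return dn
    return None


def is_member(group_dn: str, user_dn: str, nested: bool = False, _seen=None) -> bool:
    """Query 1: read the group's member attribute, optionally following nested groups."""
    if _seen is None:
        _seen = set()
    if group_dn in _seen:            # guard against group cycles
        return False
    _seen.add(group_dn)
    members = DIRECTORY.get(group_dn, {}).get("member", [])
    if user_dn in members:
        return True
    if not nested:
        return False
    return any(
        is_member(m, user_dn, True, _seen)
        for m in members
        if "groupofnames" in DIRECTORY.get(m, {}).get("objectclass", [])
    )


def verify_password(user_dn: str, password: str) -> bool:
    """Query 2: the credential check (a bind, on a real server)."""
    stored = DIRECTORY[user_dn]["userpassword"][0]
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(stored, _make_password(salt, password))


def authorize(uid: str, password: str, group_dn: str = VPN_GROUP, nested: bool = False):
    """Membership first, password second.

    The reason string is for the gateway's own log; the client should only
    ever see a uniform 'authentication failed'.
    """
    user_dn = search_user_dn(uid)
    if user_dn is None:
        return False, "no-such-user"
    if not is_member(group_dn, user_dn, nested=nested):
        return False, "not-a-member"
    if not verify_password(user_dn, password):
        return False, "bad-password"
    return True, "ok"


if __name__ == "__main__":
    for uid, pw in (("jdoe", "jane-pass"), ("broe", "bob-pass"), ("eadams", "eve-pass")):
        print(uid, "immediate:", authorize(uid, pw), "nested:", authorize(uid, pw, nested=True))
```

Bob is refused with immediate membership and accepted once nested groups are followed; that difference is the one to settle with the gateway vendor before relying on nested groups for access control.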
 
LVL 63

Expert Comment

by:SysExpert
ID: 19570384
Regarding the agent, some of the lines are continued, so you may need to recombine them.
Comments can be cut out as needed, especially the == lines.

I would also turn on Option Explicit and declare any missing variables.


I hope this helps !
0
 

Author Comment

by:unknown45
ID: 19573810
Ok. For the LDAP to work I'm using the state field, which is served by LDAP. I've modified the code provided by Sage and it works part of the way.... If the users are in the group it updates the state field with "VPN", but I also want it to check to see if they are not in the group, then set the state field to be empty. I imagine some type of If statement; I tried a few combinations but did not get any working.
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 19574403
Actually, the second part is not going to be easy.

I would do the following.

1) Create a second group for people you want to remove from the VPN access
2) Create a second agent that goes through the second group and sets the field to ""

later, you may be able to put both agents into the same button after proper testing.

I hope this helps !
0
 
LVL 20

Assisted Solution

by:brwwiggins
brwwiggins earned 400 total points
ID: 19575055
Can you just set everyone by default to ""? Then you only have to deal with add/remove from the group and can do like sysexpert mentioned or some other manner.

I don't think you want to be looping through the entire directory each night and setting the VPN field.
0
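One way to do the "clear the field when they leave the group" part without scanning the whole directory, as an added example that is neither the LotusScript agent above nor Domino code: treat the sync as a set difference between the group's member list and the people who currently carry st=vpn (what a Notes view selecting Form = "Person" & st = "vpn" would hand the agent). Only new members get the field set and only people who left the group get it cleared; nobody else's document is opened, so a person whose State field holds a real value is never touched. The names and documents are constructed, and the person_docs dictionary stands in for the Address book.

```python
"""Plan which person documents a 'VPNClients -> st field' sync should touch.

Added example for this thread; not the LotusScript agent above and not Domino
code.  All names and documents are constructed.
"""
VPN_MARK = "vpn"


def plan_updates(group_members, flagged_people):
    """Who needs st set and who needs it cleared (Notes names compare case-insensitively)."""
    members = {m.lower() for m in group_members}
    flagged = {p.lower() for p in flagged_people}
    return {"set": sorted(members - flagged), "clear": sorted(flagged - members)}


def run_sync(person_docs: dict, group_members) -> dict:
    """Apply the plan to an in-memory stand-in for the person documents.

    person_docs maps a canonical Notes name to that person's fields and is
    mutated in place, as the agent saves documents.  Returns what was saved
    and which group members have no person document (typos, nested groups or
    external addresses, which the agent should report rather than ignore).
    """
    index = {name.lower(): name for name in person_docs}    # case-insensitive lookup
    # What the "st = vpn" view would give the agent: only currently flagged people.
    flagged = [n for n, doc in person_docs.items() if doc.get("st", "").lower() == VPN_MARK]
    plan = plan_updates(group_members, flagged)

    saved, missing = [], []
    for key in plan["set"]:
        name = index.get(key)
        if name is None:
            missing.append(key)
            continue
        person_docs[name]["st"] = VPN_MARK
        saved.append(name)
    for key in plan["clear"]:
        name = index[key]            # came from the documents, so it exists
        person_docs[name]["st"] = ""
        saved.append(name)
    return {"saved": sorted(saved), "missing": missing, "plan": plan}


if __name__ == "__main__":
    docs = {
        "CN=Jane Doe/O=MYDOMAIN": {"st": "vpn"},    # was in the group, now removed
        "CN=Bob Roe/O=MYDOMAIN": {"st": ""},        # just added to the group
        "CN=Eve Adams/O=MYDOMAIN": {"st": "NY"},    # not in the group, real State value
    }
    print(run_sync(docs, ["CN=Bob Roe/O=MYDOMAIN", "CN=Ghost/O=MYDOMAIN"]))
    print(docs)
```

Running the sync twice saves nothing the second time, which is what you want from an agent that is scheduled nightly; the "missing" list is the place to catch a group member name that will never match a person document.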
 

Author Comment

by:unknown45
ID: 19575201
Thanks guys for all the help!
0
 
LVL 20

Expert Comment

by:brwwiggins
ID: 19575257
did you get it all working like you wanted?
0
 

Author Comment

by:unknown45
ID: 19575296
I did not create the group yet to set it to "", but that should not be a problem.
0
