Quick Tip: Make IAM play nice with Directory Assistance
We came across the need to have users in a second Domino Directory for a Single Page Application. These are external users who register themselves and authenticate against IAM to access the application on the web.
While configuring Directory Assistance for that scenario as described here, we experienced some issues with IAM. The users were able to log into Domino with user ID and password in an XPages test app, but not through IAM. Looking at the IAM configuration, we came across the definitions for the Identity Provider Configuration. Using Domino LDAP, we configured the hierarchical part of our ID structure as the search base DN. In our case, as we have a country code in the Notes names, the base DN is c=DE. You can easily find that base DN in the Domino Directory in the view "users by organization" (see screenshot):
The first entry (in our case the country code DE) is the base DN for searching.
To make sure that your Directory Assistance configuration is working correctly, you can use the "show xdir" command on the Domino console; for reference, see here.
Output looks like this:
[000662:000010-00007F6055C57700] DomainName DirectoryType ClientProtocol Replica/LDAP Server
[000662:000010-00007F6055C57700] --------------- --------------------- -------------- -----------------------
[000662:000518-00007F6055C57700] 1 SIT GMBH Primary-Notes Notes & LDAP names.nsf
[000662:000518-00007F6055C57700] 2 SIT PARTNER Secondary-Notes Notes & LDAP SITPrtnDir.nsf
[000662:000010-00007F6055C57700] Directory Assistance Database 'da.nsf' in use
Now, if you have an entry in a second directory that IAM needs to look up, you have to make sure that the entry's FullName item contains this hierarchical structure AND the domain name you have set up in the Directory Assistance document!
In our case, the DA domain name was "SIT Partner", so the user names had to be of the form "FirstName LastName/SIT Partner/DE" to make them available to IAM. Depending on your hierarchical naming conventions, this might differ for you.
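To see why the shape of the FullName matters, here is an added example (not from the original post and not HCL code) that maps Domino FullName values to the DNs Domino LDAP exposes and keeps only those an IAM lookup with search base c=DE and DA domain "SIT Partner" would return. The CN/OU/O/C mapping, the rule used for abbreviated names and the sample user names are assumptions constructed for the example.

```python
# Added illustration, not from the original post and not HCL code: map Domino
# FullName values to LDAP DNs and filter them like an IAM lookup. Names constructed.

ATTR_FOR_TYPE = {"CN": "cn", "OU": "ou", "O": "o", "C": "c"}

def parse_domino_name(fullname):
    """(type, value) pairs, CN first, for canonical ("CN=A/O=B/C=DE") or
    abbreviated ("A/B/DE") names. Assumed rule for abbreviated names: first
    part is CN, a two-character last part is C, the part before it is O."""
    parts = [p.strip() for p in fullname.split("/") if p.strip()]
    if all("=" in p for p in parts):
        return [(t.strip().upper(), v.strip())
                for t, v in (p.split("=", 1) for p in parts)]
    typed, rest, country = [("CN", parts[0])], parts[1:], None
    if rest and len(rest[-1]) == 2:
        country = rest.pop()
    if rest:  # last remaining part is O, anything before it is OU
        typed += [("OU", ou) for ou in rest[:-1]] + [("O", rest[-1])]
    if country:
        typed.append(("C", country))
    return typed

def domino_to_ldap_dn(fullname):
    """The DN Domino LDAP exposes, e.g. cn=Ben Muster,o=SIT Partner,c=DE."""
    return ",".join(f"{ATTR_FOR_TYPE.get(t, t.lower())}={v}"
                    for t, v in parse_domino_name(fullname))

def is_under_base_dn(dn, base_dn):
    """Subtree test as LDAP does it: RDNs compared right to left, ignoring case."""
    rdns = [r.strip().lower() for r in dn.split(",")]
    base = [r.strip().lower() for r in base_dn.split(",")]
    return len(rdns) >= len(base) and rdns[-len(base):] == base

def iam_visible_users(fullnames, base_dn="c=DE", da_domain="SIT Partner"):
    """Names below the IAM search base whose O equals the DA domain name."""
    visible = []
    for name in fullnames:
        orgs = [v for t, v in parse_domino_name(name) if t == "O"]
        if (is_under_base_dn(domino_to_ldap_dn(name), base_dn)
                and orgs and orgs[0].lower() == da_domain.lower()):
            visible.append(name)
    return visible

SAMPLE_FULLNAMES = [                        # constructed sample entries
    "CN=Anna Beispiel/O=SIT Partner/C=DE",  # canonical form, found by IAM
    "Ben Muster/SIT Partner/DE",            # abbreviated form, found by IAM
    "Carla Test/SIT Partner",               # no country part: outside c=DE
    "Dirk Flach",                           # flat name: outside c=DE
    "Eva Fremd/Other Org/DE",               # below c=DE but not the DA domain
]
```

Running `iam_visible_users(SAMPLE_FULLNAMES)` returns only the first two entries; the other three are exactly the self-registered names that log in fine against Domino directly but never show up through IAM.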
With these settings, IAM was able to see the users in the second directory, and those users are now able to log in using IAM. While this might not be the best way to configure this, I thought it would be worth noting in case someone has the same need and can set things up accordingly.
Hope this helps,