Below you find the QPCONFIG.XML which I used at a customer site to connect Lotus Quickr (Domino Services) to an Active Directory LDAP source for authentication.
Although this configuration worked in my environment you might need to adapt some parts to fit in your environment (especially some of the LDAP attributes used). You easily can check what attributes are used in your environment with a freeware tool called “Softerra Ldap Browser“.
[codesyntax lang=”xml” title=”qpconfig.xml”]
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 |
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <server_settings> <offline enabled="true" use_login_passwords="true" > <name_translation enabled="true"> <from_directory_name> <translate from="CN=(.+)/(.+)/DC=acme/DC=com" to="CN=\1/\2/O=acme_com" /> </from_directory_name> <to_directory_name> <translate from="CN=(.+)/(.+)/O=acme_com" to="CN=\1/\2/DC=acme/DC=com" /> </to_directory_name> </name_translation> </offline> <super_user enabled="true"> <dn>CN=IT_WindowsServer_Admins,OU=acme (Organisation),OU=acme Groups,DC=acme,DC=com</dn> </super_user> <user_directory> <ldap> <base_dn> <group>DC=acme,DC=com</group> </base_dn> <schema> <ldap_is_active_directory enabled="false" /> <do_not_deref_for_groups enabled="true" /> <dn_delimiter robust_compare="false"/> <dn_incoming_is_native enabled="true"/> <secondary_cn_component enabled="true"/> <maintain_escape_character enabled="false"/> <object_class>objectClass</object_class> <user> <object_class_value>person</object_class_value> <common_name>cn</common_name> <display_name>cn</display_name> <first_name>givenname</first_name> <last_name>sn</last_name> <email>mail</email> <phone>telephoneNumber</phone> </user> <group> <object_class_value>group</object_class_value> <common_name>cn</common_name> <display_name>cn</display_name> <member>member</member> </group> </schema> <search_filters> <authentication> <![CDATA[ (|(sAMAccountName={0})(cn={0})) ]]> </authentication> <user_lookup> <![CDATA[ (&(objectclass=person)(sn={0})(givenname={1})) ]]> </user_lookup> <group_lookup> <![CDATA[ (&(objectclass=group)(cn={0})) ]]> </group_lookup> <group_membership> <![CDATA[ (&(objectclass=group)(member={0})) ]]> </group_membership> </search_filters> <member_lookup_ui> <column_name> <person>sn, givenname</person> </column_name> <column_disambiguate> <person>dn</person> </column_disambiguate> </member_lookup_ui> <search_ui_hint> <![CDATA[ ( enter <B>last name, first name</B>) 0; ]]> </search_ui_hint> <search_ui_index>sn</search_ui_index> </ldap> </user_directory> </server_settings> |
[/codesyntax]
In addition to the above configuration you need to add the root point of your LDAP tree (see above) in corresponding field in the Quickr Site Administration:
You also need to do some work to get the Quickr offline capability working with Active Directory. I will describe how to do this in a later post.
Update:
David Byrd has just published a very good article in the Quickr wiki regarding AD integration.
Great info, Michael. Many thanks!
Michael,
Thanks for the great detail of this post. I have been struggling to learn LDAP just to get Quickr going, and this qpconfig.xml example has gone a long way toward helping me get it working.
Does this qpconfig.xml allow your users to login with their shortname (sAMAccountName)? I cannot get that to work, yet to me it looks like you’ve set it up that way.
I’m forced to login with my full name.
Cheers,
bu11frogg
very nice
Try Apache directory (http://directory.apache.org/studio/), much more features than Softerra LDAP Browser.
Same question :
Does this qpconfig.xml allow your users to login with their shortname (sAMAccountName)? I cannot get that to work, yet to me it looks like you’ve set it up that way.
Thank you
Yes. Normally it should allow you to login with that attribute. See the CDATA parameter in the authentication section which tells Quickr to use either the attribute “sAMAccountName” or “cn” as login attribute.