Directory Synchronization - LDAP Sync for Domino Directory

 

 

This article contains information on using LDAP Directory Sync with Domino Directory to manage users and groups in Mimecast, detailing setup, integration creation, testing, and synchronization processes.

If your organization uses Domino Directory, you can use the LDAP Directory Sync feature to automatically add and manage your users and groups, removing the administrative overhead of performing these tasks manually. In addition, opening a connection between Mimecast and your Domino Directory allows end users to use their primary email address and Domino Directory password to sign in to Mimecast applications.

 

What You'll Need

  • An inbound connection from the Mimecast IP Range to a Domino Directory server running the LDAP task.
  • A user account with Read permissions to Domino Directory.
  • A Mimecast Administrator account with edit permissions to the Users & Groups | Directory Synchronization menu item.

 

Preparing Your Environment

  1. Ensure that your firewall is configured to pass LDAP(S) requests from Mimecast to your Domino Directory server.
  2. Create a user that Mimecast will use to connect to your Domino Directory.

    The LDAP task runs automatically by default on the admin server for the primary Domino Directory.

 

Creating the Directory Connection

  1. Log in to the Mimecast Administration Console.
  2. Navigate to the Users & Groups | Directory Synchronization menu item.
  3. Click on the Create New Integration button.
  4. Complete the dialog as follows:

Details

Field / Option | Description
Name | Provide a name to help identify the directory integration.
Description | Provide a description to help identify the directory integration.
Type | Leave this set to the "Domino Directory (LDAP)" option.
  5. Click Next.

 

Settings

Field / Option | Description
Domino Foreign Directory Synchronization | If selected, Mimecast will not synchronize groups and addresses that have "Allow Foreign Directory Synchronization" set to "No" in the Domino Directory (LDAP).
Hostname / IP Address | Enter the hostname or IP address to be used and ensure the Mimecast regional ranges can connect to this host. See the Mimecast Gateway page for further details.
Alternate Host | Enter a backup hostname or public IP address of the directory server. If configured, this is used as a failover connection to the directory.
Encrypt Connection | Select whether the connection should be encrypted using LDAPS.
Encryption Mode | If the "Encrypt Connection" option is checked, specify one of the following encryption modes:

  • Strict-Trust Enforced: This mode requires a certificate issued by a Mimecast trusted public root certification authority and a key length greater than 1024 bits to be installed on your Domino Directory server.
  • Relaxed: This mode must be used if your certificate is self-signed, has a key length of less than 1024 bits, or has an incomplete trust chain.

    Certificate Information: When using a secure connection, ensure that the name on your certificate matches the public hostname you use for the connection. The Strict-Trust Enforced encryption mode requires a certificate issued by a Mimecast trusted public root certification authority and a key length greater than 1024 bits to be installed on your Domino Directory server. If your certificate is self-signed, has a key length of less than 1024 bits, or has an incomplete trust chain, contact Mimecast Support, who can set the Relaxed encryption mode for your connection. For security, we strongly recommend using certificates issued by a public root certification authority with a key length greater than 1024 bits.

Connection Port | Specify the port Mimecast should use to connect to your Domino Directory. Typically, this is 636 for encrypted connections and 389 for unencrypted connections.
User Distinguished Name | Specify the distinguished name of the user Mimecast should use to connect to your Domino Directory. See the Finding the User's Distinguished Name section below for further details.
Password | Enter the Domino Directory password for this user.
Root Distinguished Name | Specify the Root Distinguished Name for your Domino Directory domain (e.g., DC=domain, DC=local) to be used as a filter on the connection. If you only want to expose part of your Domino Directory to Mimecast, enter the Root DN of that part of the tree (e.g., OU=New York, DC=domain, DC=local).
  6. Click Next.

 

Options

Field / Option | Description
Acknowledge Disabled Accounts | If selected, user accounts that are disabled in the Domino Directory are also disabled in Mimecast.
(Default Setting - Disabled)
Filter Email Domains | Optionally list the domains the Directory Integration will synchronize with. For example, these can be specified where:

  • There are multiple Directory Integrations, and each Integration is dedicated to specific domains.
  • The account is part of an Advanced Account Administration setup.

(Default Setting - Disabled)

Entries must be comma-separated. No spaces should be used.

Maximum Sync Deletions | The maximum number of accounts that will be updated to "created in transit" when they are no longer part of the synchronization result. See Maximum Sync Deletions & Deleted Users for more information.
Delete Users | Allows the deletion of accounts that are no longer part of the synchronization result. See Maximum Sync Deletions & Deleted Users for more information.
  7. Click Next.
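
Before enabling Delete Users or settling on a Maximum Sync Deletions value, it helps to see how many accounts a run would actually touch. The following is an added example, not the article's or Mimecast's own sync code: the article documents what Filter Email Domains, Acknowledge Disabled Accounts, Maximum Sync Deletions and Delete Users do, not how the service applies them internally, so this only models those documented effects on two constructed address lists (a stand-in Mimecast user export and a stand-in Domino LDAP result).

```python
"""Dry-run of the Options page settings against two constructed address lists.
Added example, not the article's or Mimecast's own sync code: the article says what
Filter Email Domains, Acknowledge Disabled Accounts, Maximum Sync Deletions and
Delete Users do, not how the service applies them, so this models only those
documented effects to show how many accounts a run would touch.
"""

# Constructed sample data standing in for a Mimecast user export and a Domino
# LDAP result (in practice: the Administration Console and ldapsearch).
MIMECAST_USERS = ["alice@example.com", "bob@example.com", "carol@example.com",
                  "dave@example.com", "eve@partner.example"]
LDAP_RESULT = ["alice@example.com", "Bob@example.com", "frank@example.com",
               "eve@partner.example"]
LDAP_DISABLED = ["alice@example.com"]        # disabled in the Domino Directory


def parse_filter_domains(value):
    """Filter Email Domains: comma-separated, no spaces; empty means no filter."""
    if not value:
        return set()
    if " " in value or ",," in value or value.endswith(","):
        raise ValueError("Filter Email Domains: comma-separated, no spaces or empty entries")
    return {d.lower() for d in value.split(",")}


def in_scope(address, domains):
    """Without a filter every address is in scope; otherwise only the listed domains."""
    return not domains or address.rsplit("@", 1)[-1].lower() in domains


def dry_run(mimecast_users, ldap_result, ldap_disabled, filter_domains="",
            acknowledge_disabled=False, max_sync_deletions=0, delete_users=False):
    """Report what the documented options would do to the in-scope accounts."""
    domains = parse_filter_domains(filter_domains)
    current = {u.lower() for u in mimecast_users if in_scope(u, domains)}
    synced = {u.lower() for u in ldap_result if in_scope(u, domains)}
    dropped = sorted(current - synced)       # no longer part of the sync result
    return {
        "added": sorted(synced - current),
        "disabled": sorted(u.lower() for u in ldap_disabled
                           if acknowledge_disabled and u.lower() in synced),
        "no_longer_in_result": dropped,
        "exceeds_maximum_sync_deletions": len(dropped) > max_sync_deletions,
        "deletion_enabled": delete_users,
    }


if __name__ == "__main__":
    print(dry_run(MIMECAST_USERS, LDAP_RESULT, LDAP_DISABLED, "example.com",
                  acknowledge_disabled=True, max_sync_deletions=1))
```

With the sample data and a filter of example.com, two in-scope accounts fall out of the result, which already exceeds a Maximum Sync Deletions of 1; eve@partner.example is ignored because her domain is not listed.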

 

Summary

Field / Option | Description
Status | Set the status of the Directory Integration upon creation. This toggle can be left as Enabled, so the integration begins to function immediately, or set to Disabled and left for future activation.
(Default Setting - Enabled)
  8. Clicking Next automatically performs a test of the connection using the details entered. If you are satisfied with the test results, click Create Integration to complete the process.

 

Finding the User's Distinguished Name

  1. On your Domino server, or on a client machine with the Notes client installed, open a Windows Command Prompt.
  2. Change directory to the location where the Domino program files are installed. For example:
     cd "C:\Program Files\IBM\Domino"
  3. Run the following command:
     ldapsearch.exe -h server_name/domino_domain_name "(sn=username)"

Where:

  • server_name is the name of your Domino server.
  • domino_domain_name is the name of your Domino domain.
  • username is the user whose DN you want to find.
  4. The following results should be displayed.

The first result listed is the value you should use for the Distinguished Name field.
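
The ldapsearch output is LDIF, and the entry you want is the first "dn:" line in it. The following is an added example, not code from the Mimecast article: SAMPLE_LDIF is constructed to stand in for what ldapsearch.exe prints for "(sn=username)", and the two things that trip people up when copying the DN by hand are handled: long values folded onto a continuation line, and DNs with non-ASCII characters that ldapsearch emits base64-encoded after "dn::".

```python
"""Pick the Distinguished Name out of ldapsearch.exe output.
Added example, not from the Mimecast article: SAMPLE_LDIF is constructed to stand
in for what ldapsearch.exe prints for "(sn=username)". The output is LDIF: long
values fold onto a next line starting with a space, non-ASCII ones come base64
("dn::"), and a surname can match more than one entry.
"""
import base64

SAMPLE_LDIF = """\
dn: CN=Mimecast Sync,O=Exam
 ple Corp
objectclass: person
cn: Mimecast Sync
sn: Sync
mail: mimecast.sync@example.com

dn:: Q049Sm/Do28gU3luYyxPPUV4YW1wbGUgQ29ycA==
objectclass: person
sn: Sync
"""


def unfold_ldif(text):
    """Join folded lines: a line beginning with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_dns(text):
    """All DNs in the output, in order; base64 "dn::" values are decoded."""
    dns = []
    for line in unfold_ldif(text):
        if line.startswith("dn::"):
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.startswith("dn:"):
            dns.append(line[3:].strip())
    return dns


def first_dn(text):
    """The first result listed is the value for the User Distinguished Name field."""
    dns = extract_dns(text)
    return dns[0] if dns else None
```

Calling first_dn(SAMPLE_LDIF) returns CN=Mimecast Sync,O=Example Corp; extract_dns shows every match, which is worth checking when a surname is shared so the right account is used.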

 

Testing Your Configuration

To test your settings:

1. Log in to the Mimecast Administration Console.
2. Navigate to the Users & Groups | Directory Synchronization menu item.
3. Select the Directory Integration entry you wish to test.
4. On the slide-out panel, select the Test Connection tab. This starts the test, and a series of checks is performed, including:

  • Hostname/IP address checks.
  • Connectivity tests.
  • Certificate tests.
  • Authentication tests.
  • Sample address tests.

    A tooltip will display additional information, including possible solutions if a test fails.

    When an Alternate Host has been configured for the connection and the connectivity test to the primary Hostname/IP Address results in an error, testing continues against the Alternate Host. However, if a test partly succeeds (e.g., only one Mimecast data center can connect), the remaining tests continue using the functioning connection.

    The test option can also be used before your settings have been saved.

 

Finalizing the Integration

To enable users to log in using their Directory password: 

  1. Select the Users & Groups | Applications menu item.
  2. Click on the Authentication Profiles button.
  3. Click on the Default Authentication Profile to enable you to change it.
  4. Select the LDAP Directory Integration (Active Directory and Domino) option in the Domain Authentication Mechanisms drop-down.
  5. Click the Save and Exit button.

 

Next Steps

Once these steps are complete, Mimecast will synchronize with your Domino Directory automatically three times per day at 8 am, 1 pm, and 11 pm.

  • To validate that your scheduled syncs are completing successfully, you can view the status of the Directory Integration in the Users & Groups | Directory Synchronization list view page of the Administration Console.
  • To test the connection immediately and run an on-demand synchronization anytime, you can click the Sync All button on the Users & Groups | Directory Synchronization page.

 
