The Hitchhiker's Guide To HCL Domino V11 Directory Sync
Ulrich Krause, midpoints GmbH
ENGAGE 2020, March 3 – 4, Burgers' Zoo, Arnhem, The Netherlands

About: Ulrich Krause
• Lotus, IBM, HCL Notes and Domino since 1993
• Developer / Administrator
• IBM Champion 2010 – 2019
• HCL Master 2019
• OpenNTF Contributor
• Let's Encrypt 4 Domino (LE4D)
• Working with midpoints GmbH

From Beta To General Availability (GA)
• HCL Domino V11 Beta – 14-Aug-2019 (HCL Masters only)
• HCL Domino V11 Public Beta 1 – 06-Sep-2019
• HCL Domino V11 Public Beta 2 – 24-Oct-2019
• HCL Domino V11 GA – 21-Dec-2019
• HCL Domino V11.0.1 preview – 27-Feb-2020

DirSync is a new feature, but …

we'll explain all you need to know to set up and configure DirSync.

DirSync
• New as of Domino 11.
• Directory Sync allows you to sync people and group data from an external LDAP directory into the Domino directory.
• Currently, data can only be synced FROM the LDAP directory into Domino.
• Directory Sync makes it easy for your HCL Domino users to address and see details about users in your organization who do not use Notes, such as Outlook users registered in Active Directory.
• With this feature, Active Directory users automatically have Person documents in the Domino directory, so that Notes users can find their addresses and other information.
• Without DirSync, Notes users must know the addresses of the Active Directory users before they can send mail to them, unless Person documents are added for them manually.

DirSync Components
• An LDAP Directory Assistance document that is enabled for Directory Sync, created in a Directory Assistance database.
• A Directory Sync Configuration document, created in the Directory Sync view of the Domino directory.
• A server task, "Dirsync", that runs only on the Domino administration server and connects to the Active Directory server regularly to pull person and group changes into the Domino directory.
• Target directories: names.nsf or another application based on pubnames.nsf.
https://help.hcltechsw.com/domino/11.0.0/wn_directory_sync.html

DirSync Environment

Directory Assistance
• For each Active Directory, create a configuration document in the Directory Assistance database. On the "Basics" tab set
  • Domain Type: LDAP
  • Make this directory available to: Directory Sync
• On the "LDAP" tab leave the DEFAULT values, but set "LDAP vendor" and "Type of search filter to use" to Active Directory.
• Click Verify to verify that you can connect to the Active Directory server and that you provided the correct credentials.
• Click Suggest to look up the search base of the Active Directory server.

SHOW XDIR (RELOAD)
• Save the Directory Assistance configuration document(s).
• Update Domino's internal configuration by issuing the "show xdir reload" command on the server console.

• You should see output similar to this.

DirSync Configuration
• Add a Directory Sync configuration document:
• Open the Domino Directory.
• Select Configuration > Directory > Directory Sync.
• Click Add Directory Sync.

DirSync Configuration: Sync / ReSync Frequency
• Sync frequency: how frequently the Dirsync task checks for Active Directory changes to synchronize. Default is once a minute.
• Resync frequency: how often to resync all data from Active Directory, in minutes. Default is 10,000 minutes, or approximately once a week. If you don't want to regularly resync all data, specify 0.
• Resync causes the following changes to synchronize, which are not otherwise synced:
  • Deleted users and groups.
  • Name changes within groups.

Fields To Sync To Domino
• Specify which Active Directory person fields to sync to Domino.
• A standard list of fields from Active Directory is shown by default.
• You can add or remove fields from the list.
• When Active Directory and Domino use different names for a field, the Domino field name is shown in parentheses after the Active Directory field name. For example: mail (Email address).
• Modifying this field causes a full resync.

Fields To Sync To Domino (minimum)

Restore Defaults
• "Restore Defaults" will only reset the DEFAULT fields list. It will not remove any fields that have been added by the Administrator.

Restore Defaults
• The intended functionality of the button is to add in the fields that you would sync by default, without removing any special ones you added yourself.
• As you note, you can get just the default fields by clearing the list first, so the same button lets you do both functions, whereas if we have the button replace the field contents, there's no way to re-add the default fields without overwriting data you might want to keep.
• Andre Guirard/USA/PNPHCL

Restore Defaults
• "Restore Defaults" in DDE

Attribute To NotesItem Mapping
• DirSync uses schema.nsf, but if it is not present it uses a hardcoded standard LDAP mapping.
• For example, the LDAP standard for FirstName is "givenname". That is always mapped using a hardcoded standard mapping name.
• If it is a new attribute and you want to just have a one-to-one mapping with the Notes name, then you can just make the Notes field name the same as AD's.

Attribute To NotesItem Mapping
• The mapping is sometimes not well thought out.

• On "Person" documents, NotesItem "Comment" is an item of type "Text" that can be used in views.
  • Changes to the description attribute are synced to the Notes document.
• On "Group" documents, NotesItem "Comment" is an item of type "RichText" that cannot be used in views.
  • DirSync recognizes that the description attribute has been altered, but the changes are NOT synced into the Notes document.

LDAP Filter
• By default, all users and groups starting from the search base in Active Directory are synced.
• Use a standard LDAP search filter to sync a subset only.
• For example, the filter (|(mail=*@brightside.*)(mail=*@darkside.*)) will only sync records that contain *@brightside.* OR *@darkside.* in the mail attribute.
• Modifying this field causes a full resync.

LDAP Filter
• The documentation says: 'By default, all users and groups in Active Directory are synced. Optionally use a standard LDAP search filter to sync a subset.'
• Why have I included (&(|(objectClass=Group)(objectClass=Person)) in my filter?
• "Without specifying the object class, you will get a lot more objects than you would expect. However, those will get post filtered by checks on valid attributes for person and group." - Mike O'Brien, HCL

Sync Groups
• If you want to synchronize groups, select the types of groups to synchronize. If you don't want to synchronize groups, do not select either option.
  • Global Security groups, to be able to use Active Directory security groups in Notes® access lists.
  • Global Distribution groups, to be able to use Active Directory distribution groups in Notes® mail addressing.

Sync Groups
  DirSync CSyncFromAD::DoModify - Skipping modification because entry = 'CN=LocalGroup,CN=Sync,DC=ad,DC=fritz,DC=box' is not a valid candidate for a 'group' record. Valid group types are 'Global Security' and 'Global Distribution'

Sync Groups Only?
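To make the LDAP Filter and Sync Groups slides concrete, here is an added example (written for this article, not code from the deck, from HCL or from Active Directory) that evaluates the slide's mail filter, the objectClass-restricted version of it, and the objectClass=Group / uSNChanged query that DirSync itself issues, against a few constructed sample objects. The DNs under CN=Sync, the mail-enabled msExchDynamicDistributionList object and the uSNChanged values are constructed; the evaluator supports only the filter syntax the slides use.

```python
import fnmatch
from typing import Dict, List

# Evaluator for the RFC 4515 filter subset on these slides: (&..), (|..), (!..), (attr=value) with
# '*' wildcards and (attr>=value). Added here to show what a filter selects; not AD's or DirSync's code.
Entry = Dict[str, List[str]]  # lower-cased attribute name -> values

def _split_top_level(s: str) -> List[str]:
    """Split '(A)(B)...' into its depth-0 parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
                start = i + 1
    if depth != 0 or start != len(s):
        raise ValueError("unbalanced LDAP filter: " + s)
    return parts

def matches(filt: str, entry: Entry) -> bool:
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised: " + filt)
    body = filt[1:-1]
    if body.startswith("&"):
        return all(matches(f, entry) for f in _split_top_level(body[1:]))
    if body.startswith("|"):
        return any(matches(f, entry) for f in _split_top_level(body[1:]))
    if body.startswith("!"):
        return not matches(body[1:], entry)
    for op in (">=", "<=", "="):  # two-character operators first
        if op in body:
            attr, value = body.split(op, 1)
            break
    else:
        raise ValueError("unsupported filter item: " + body)
    values = entry.get(attr.lower(), [])  # an absent attribute never matches
    if op == "=":  # AD string matching is case-insensitive
        return any(fnmatch.fnmatchcase(v.lower(), value.lower()) for v in values)
    return any(int(v) >= int(value) if op == ">=" else int(v) <= int(value) for v in values)

# Constructed sample objects (not an AD export); DNs reuse the deck's CN=Sync container.
SAMPLE_ENTRIES: Dict[str, Entry] = {
    "CN=Luke Skywalker,CN=Sync,DC=ad,DC=fritz,DC=box": {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "mail": ["luke@brightside.example"], "usnchanged": ["242148"]},
    "CN=BadGuys,CN=Sync,DC=ad,DC=fritz,DC=box": {
        "objectclass": ["top", "group"], "mail": ["badguys@darkside.example"], "usnchanged": ["242972"]},
    "CN=Everyone,CN=Sync,DC=ad,DC=fritz,DC=box": {  # mail-enabled, but neither person nor group
        "objectclass": ["top", "msExchDynamicDistributionList"],
        "mail": ["everyone@darkside.example"], "usnchanged": ["242900"]},
}
MAIL_FILTER = "(|(mail=*@brightside.*)(mail=*@darkside.*))"  # from the LDAP Filter slide
CLASS_FILTER = "(&(|(objectClass=Group)(objectClass=Person))" + MAIL_FILTER + ")"
GROUPS_SINCE = "(&(objectClass=Group)(uSNChanged>=242972))"  # DirSync's own incremental query
def select(filt: str) -> List[str]:
    return sorted(dn for dn, e in SAMPLE_ENTRIES.items() if matches(filt, e))
```

Without the objectClass clause the mail filter also selects the distribution-list object; with it, only the person and the group remain, which is the point of the question on the slide.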

  DirSync CSyncFromAD::SyncSpan (NAMEldap_search_ext_s call) : (&(objectClass=Group)(uSNChanged>=242972)) took 0 msec
  DirSync Modified uSNChanged from '' to '242971'
  DirSync Modified objectGUID from '' to 'cbc2b888c0a9d7448f3a779e3b8a98c8'
  DirSync Modified groupType from '' to '1'
  DirSync 'group' Document updated, Common Name = 'CN=BadGuys'
  DirSync CSyncFromAD::DoModify - Added New Note for 'CN=BadGuys,CN=Sync,DC=ad,DC=fritz,DC=box'
  16.02.2020 09:40:03 DIRSYNC Full Resync From Active Directory (AD) - Summary (0.305 sec, Start=0, Adds=1, Modifies=0, Deletes=0, Skips=0, Errors=0, End=242971)

Enable DirSync Configuration
• Select one or more DirSync configurations and click "Enable".

Enable DirSync Configuration (cont.)
• Select "Run in test mode" to simulate the actions that Directory Sync would take, but without changing any Domino data.

Troubleshooting
• DirSync does not sync changes.
• Check the Directory Assistance configuration for the domain.

• We have to distinguish between two situations. The Directory Assistance status has changed when
  • the DirSync task was not running (case 1)
  • the DirSync task was running (case 2)

Case 1
• On DirSync task start, an error is thrown on the Domino server console.

  DirSync page size: 5000
  [1FEC:0004-0A60] DirSync> SyncFromLDAPToNAB( - 91: Connect error)@addirsync.cpp:269 - 13171:DirSync encounterred LDAP error ./ct>
  09.02.2020 08:38:34 DIRSYNC: Customer '', Server 'CN=serv01/O=singultus', Filename 'names.nsf' has error '13171:DirSync encounterred LDAP error - 91: Connect error. [ - 91: Connect error] - 91: Connect error'.

Case 2
• Check the status of the Directory Assistance domain used in the DirSync configuration!
• No error will be shown. The console output pretends that DirSync is working.

  DIRSYNC From Active Directory (AD) - Summary (0.000 sec, Start=242144, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=242143)

Case 2 (cont.)
• Even though the Directory Assistance domain is not enabled, DirSync recognizes changes in the Active Directory objects.
• It will not update the corresponding person document in the configured target directory.

  DirSync Entry with mail address '[email protected]' - NoteID 33066 was found in the target directory.
  DirSync CSyncFromAD::DoModify(dn = 'CN=Luke Skywalker,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
  DirSync 09.02.2020 08:20:29 DIRSYNC From Active Directory (AD) - Summary (0.447 sec, Start=242146, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=242146)

Case 2 (cont.)
• When you enable the Directory Assistance configuration, DirSync will update the changes in the person record.

  DirSync Entry with mail address '[email protected]' - NoteID 33066 was found in the target directory.
  DirSync CSyncFromAD::DoModify(dn = 'CN=Luke Skywalker,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
  DirSync Modified MiddleInitial from '' to 'B'
  DirSync Modified uSNChanged from '103050' to '242148'
  DirSync 'person' Document updated, UTF8 Name = 'CN=Luke Skywalker,CN=Sync,DC=ad,DC=fritz,DC=box'
  DirSync CSyncFromAD::DoModify - Modified existing Note for 'CN=Luke Skywalker,CN=Sync,DC=ad,DC=fritz,DC=box'
  DirSync 09.02.2020 08:27:31 DIRSYNC From Active Directory (AD) - Summary (0.040 sec, Start=242148, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=242148)

Disable DirSync Configuration
• Before you can edit the configuration, you must disable it.
• Select one or more DirSync configurations and click "Disable".
• A request action document is created and processed by the DirSync task.

Enable DirSync Configuration (cont.)
• A resync request is created automatically when the DirSync configuration has been changed.

  DirSync> 09.02.2020 12:32:36 - Scheduled a Resync due to Config Doc options changing.

On Administration Server Only
• Enable, Disable and Resync are only allowed on the administration server of the domain.

Resync

  DirSync Updating SyncAll Request's DirSyncRequestState to 1
  10.11.2019 14:06:28 DIRSYNC From Active Directory (MIDPOINTS) - Summary (0.041 sec, Start=14231642, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=14231859)
  10.11.2019 14:07:17 DIRSYNC From Active Directory (MIDPOINTS) - Summary (0.041 sec, Start=14231860, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=14231860)
  DirSync Sync all request calling SyncFromLDAPToNAB.
  DirSync resyncall - SyncFromLDAPToNAB completed in: 0.223 seconds
  DirSync Updating SyncAll Request's DirSyncRequestState to 2
  10.11.2019 14:07:24 DIRSYNC Full Resync From Active Directory (MIDPOINTS) - Summary (0.223 sec, Start=0, Adds=2, Modifies=0, Deletes=0, Skips=0, Errors=0, End=14231860)
  DirSync Deleting SyncAll Request

Register Selected Person
• In the Domino Administrator client, navigate to People & Groups – Domino Directories – People and right-click the person you want to register.
• Click "Register selected person" in the context menu.

Register Selected Person
• Type in the password for the certifier.
• A prefilled registration dialog will appear.

Troubleshooting
• The registration dialog is empty. FirstName and LastName are not pre-filled.
• When the certifier password dialog pops up:
  ADMIN_REGISTER_NOTEID=<NoteID value of the currently selected document>
• Check notes.ini:
  NewUserServer=serv06/singultus pointing to the wrong server

Register Selected Person
• The person will be registered as a Domino user.

Register Programmatically?
• LotusScript, by now, does not have a method to do this using the NotesRegistration class.
• Enhancement request: https://domino-ideas.hcltechsw.com/ideas/DDXP-I-547
• Mike O'Brien/USA/PNPHCL – 'Created Jira Task for 11.0.1 work'
• Latest update: "By the way, the new LotusScript property to set the ContactNoteID field is currently checked into the 11.01 stream."
• New property in NotesRegistration class as of V11.0.1 preview.

Register Programmatically?

Rename Registered Person
• The "Rename Domino users upon Active Directory rename" option must be enabled in the Directory Sync configuration document.

Change Attribute In AD

  DirSync Entry with mail address '[email protected]' - NoteID 33070 was found in the target directory.
  DirSync CSyncFromAD::DoModify(dn = 'CN=James Kirk,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
  DirSync Modified uSNChanged from '242188' to '242190'
  DirSync Modified CellPhoneNumber from '' to '001 555 HOME'
  DirSync 'person' Document updated, UTF8 Name = 'CN=James Kirk,CN=Sync,DC=ad,DC=fritz,DC=box'
  DirSync CSyncFromAD::DoModify - Modified existing Note for 'CN=James Kirk,CN=Sync,DC=ad,DC=fritz,DC=box'
  09.02.2020 14:22:35 DIRSYNC From Active Directory (AD) - Summary (0.013 sec, Start=242190, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=242190)

Rename Registered Person
• When a Domino user's common name changes in Active Directory, a Rename Common Name administration process request is created.
• You must approve the request for the rename to be carried out in Domino.

Rename Registered Person

  DirSync Processing ldap entry (SyncSpan) #1 from page #1, total entries #1: 'CN=James T Kirk,CN=Sync,DC=ad,DC=fritz,DC=box'
  DirSync Entry with mail address '[email protected]' - NoteID 33810 was found in the target directory.
  DirSync CSyncFromAD::DoModify(dn = 'CN=James T Kirk,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
  DirSync CSyncToAdminP::ModifyPerson: FLATFirstFuameValue: CN=James T Kirk/CN=Sync/DC=ad/DC=fritz/DC=box Status: No error.
  DirSync Submitted adminp request to rename user CN=James Kirk/O=singultus to CN=James T Kirk/O=singultus
  DirSync Modified uSNChanged from '276180' to '276181'
  DirSync 'person' Document updated, UTF8 Name = 'CN=James T Kirk,CN=Sync,DC=ad,DC=fritz,DC=box'
  DirSync CSyncFromAD::DoModify - Modified existing Note for 'CN=James T Kirk,CN=Sync,DC=ad,DC=fritz,DC=box'
  DIRSYNC From Active Directory (AD) - Summary (0.281 sec, Start=276181, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=276181)

Rename Registered Person

Delete Users And Groups
• Registered users are not deleted from the Domino Directory when the user entry is deleted from Active Directory.
• Other synced users that no longer exist in Active Directory are not deleted during the scheduled sync. You need to initiate a resync to remove the person record from the Domino Directory.
• Deleted users are also removed from any synced group that they are a member of.

  SyncFromLDAPToNAB - Deleted existing Note for 'Luke Skywalker'. This is NOT a registered user and could be a deleted orphan
  DirSync resyncall - SyncFromLDAPToNAB completed in: 0.258 seconds
  DirSync Updating SyncAll Request's DirSyncRequestState to 2
  09.02.2020 15:13:33 DIRSYNC Full Resync From Active Directory (AD) - Summary (0.258 sec, Start=0, Adds=0, Modifies=4, Deletes=1, Skips=0, Errors=0, End=242201)

Modify Group Members
• If a person is added to an AD group, the Notes group is updated during the next scheduled sync.
• If a person is removed from an AD group, the Notes group is updated during the next scheduled sync.
• If a person in AD is renamed (distinguishedName), the Notes (ACL) group is NOT updated during the scheduled sync.
• If a person in AD is renamed (distinguishedName), the Notes (Mail only) group is NOT updated during the scheduled sync.
• In those cases, the documents are updated during a resync.

Sync Registered Users Only
• Not working in V11 GA (worked in V11 Beta 2).

  DirSync Processing ldap entry #1 from page #1, total entries = 1: CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box
  DirSync Ignoring Contact'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box'. Option is set to ignore
  DirSync CSyncFromAD::ProcessEntry IGNORING dn: CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box

• Fixed in V11.0.1 (preview) (SPR# MOBNBL9R2P)

Sync From Different AD
• By now, we only sync from one AD. What happens when we add another AD?
• Does NOT WORK in V11.

Sync From Different AD

  LDAPDN:CN=Gaby Schmidt,OU=Sales,OU=Users,OU=midpoints,DC=ad,DC=demopoints,DC=net'
  [1CC4:0005-1F84] DirSync DirEntryID dump ...
  [1CC4:0005-1F84] DirSync Begin retrying DirCtxGetEntryByID with WebAuth_Verbose_Trace=1
  [1CC4:0005-1F84] DirSync End retrying DirCtxGetEntryByID with WebAuth_Verbose_Trace=1
  [1CC4:0005-1F84] DirSync Please email this DIRSYNC_STRICT_ASSERTEX failure to 'Domino DirSync Dev'

Issue With Empty Attributes
• All tested editors remove empty attributes from the AD object. The Notes item will not be updated.
• Workaround: use a SPACE instead.

Monitoring Directory Sync
• DirSync DEBUG mode
  notes.ini: DIRSYNC_DEFAULT_ARGS=-v
  Domino server console: restart task dirsync
• Statistics
• Items To Identify Synced Objects
  NotesView ($LDAPGuid)
  ScriptLib DirSyncUtil
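As an added example for the Troubleshooting and Monitoring slides (written for this article, not code from the deck or from HCL), this Python script turns the DIRSYNC summary lines and the 13171 LDAP error shown above into structured records and raises the alerts an administrator would want: connect errors (case 1), runs with Errors>0, and full resyncs that deleted documents. The log lines are constructed in the formats the slides show; the script also makes visible that case 2 reports Errors=0 and cannot be detected from the summary line alone.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed console lines in the formats shown on these slides (not a real capture): a Case 1
# connect error, a Case 2 run that "looks fine", a normal sync and a resync that deleted an orphan.
SAMPLE_LOG = """\
DirSync> SyncFromLDAPToNAB( - 91: Connect error)@addirsync.cpp:269 - 13171:DirSync encounterred LDAP error
09.02.2020 08:38:34 DIRSYNC: Customer '', Server 'CN=serv01/O=singultus', Filename 'names.nsf' has error '13171:DirSync encounterred LDAP error - 91: Connect error'.
09.02.2020 08:20:29 DIRSYNC From Active Directory (AD) - Summary (0.000 sec, Start=242144, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=242143)
09.02.2020 08:27:31 DIRSYNC From Active Directory (AD) - Summary (0.040 sec, Start=242148, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=242148)
09.02.2020 15:13:33 DIRSYNC Full Resync From Active Directory (AD) - Summary (0.258 sec, Start=0, Adds=0, Modifies=4, Deletes=1, Skips=0, Errors=0, End=242201)
"""

SUMMARY_RE = re.compile(
    r"(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) DIRSYNC (?P<full>Full Resync )?From Active Directory "
    r"\((?P<domain>[^)]*)\) - Summary \((?P<secs>[\d.]+) sec, Start=(?P<start>\d+), Adds=(?P<adds>\d+), "
    r"Modifies=(?P<mods>\d+), Deletes=(?P<dels>\d+), Skips=(?P<skips>\d+), Errors=(?P<errors>\d+), End=(?P<end>\d+)\)"
)

@dataclass
class SyncRun:
    timestamp: str
    domain: str        # Directory Assistance domain shown in parentheses
    full_resync: bool
    seconds: float
    start: int         # uSNChanged watermark the run started from
    adds: int
    modifies: int
    deletes: int
    skips: int
    errors: int
    end: int           # watermark the next run will start from

def parse_runs(log: str) -> List[SyncRun]:
    """One SyncRun per DIRSYNC summary line, in log order."""
    runs = []
    for line in log.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            runs.append(SyncRun(m["ts"], m["domain"], bool(m["full"]), float(m["secs"]),
                                int(m["start"]), int(m["adds"]), int(m["mods"]), int(m["dels"]),
                                int(m["skips"]), int(m["errors"]), int(m["end"])))
    return runs

def find_alerts(log: str) -> List[Tuple[str, str]]:
    """(kind, detail) pairs an administrator would want raised from the console log."""
    alerts = []
    for line in log.splitlines():
        if "13171:" in line and "LDAP error" in line:   # Case 1: the task cannot reach AD
            alerts.append(("ldap_error", line.strip()))
    for run in parse_runs(log):
        if run.errors:
            alerts.append(("sync_errors", f"{run.timestamp} {run.domain}: Errors={run.errors}"))
        if run.full_resync and run.deletes:              # only a resync deletes person/group documents
            alerts.append(("resync_deletes", f"{run.timestamp} {run.domain}: Deletes={run.deletes}"))
    # Case 2 (Directory Assistance domain disabled) reports Errors=0, so it cannot be seen here.
    return alerts
```

Feed it the console log of the administration server (with DIRSYNC_DEFAULT_ARGS=-v for the verbose lines) and pair the result with a check of the Directory Assistance document itself, since that is the only place case 2 shows.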

How To Contact Me
• Mail: [email protected]
• Twitter: @eknori
• https://www.eknori.de
• LinkedIn: https://www.linkedin.com/in/eknori/

Download This Presentation
https://eknori.de/_data/dirsync.pdf