20090212 synchronizing domino and active directory - plembo/onemoretech GitHub Wiki

title: Synchronizing Domino and Active Directory
link: https://onemoretech.wordpress.com/2009/02/12/synchronizing-domino-and-active-directory/
author: lembobro
description:
post_id: 379
created: 2009/02/12 22:34:05
created_gmt: 2009/02/12 22:34:05
comment_status: open
post_name: synchronizing-domino-and-active-directory
status: publish
post_type: post

Synchronizing Domino and Active Directory

This post will highlight some “free” solutions that can be employed to synchronize user data between IBM’s Lotus Domino and Microsoft’s Active Directory.

The Domino ADSync tool is an MMC plug-in that ships with the Lotus Domino Administrator client. Administrators can use it to make changes to Notes and Active Directory simultaneously for a particular user.

Microsoft Exchange Server 2003 also ships with connectors for synchronizing Active Directory (AD) with Lotus Domino. These are discussed in Exchange Server 2003 Coexistence and Migration for Lotus Domino Mail. This documentation is also available as a download here.

The csvde tool that comes with Microsoft Windows Server can be used to export user data out of and import it into AD (think Exchange GAL here). Wrap a bit of VBScript code around it to control program flow and you can build a nice export/import facility. The disadvantage of this approach is that you’ll need to know a lot more about how your user entries are structured and what you need to have on the Domino side.

On the Domino side, CSV export and import of user data is usually done using a LotusScript agent. Code samples for this come with the Notes server software and are available on the Internet.
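The csvde approach above stands or falls on knowing how the AD entries are laid out and which fields the Domino side expects. The following script, added here as an illustration and not code from the original post, turns a csvde-style export into a CSV a Domino import agent could consume: it picks the primary SMTP address out of the multi-valued proxyAddresses column, drops accounts that are disabled in AD or lack the fields Domino registration needs, and reports why each one was skipped. The Domino column names (FirstName, LastName, ShortName, InternetAddress, MailDomain) and the sample rows are assumptions constructed for the example.

```python
"""Convert a csvde export of AD users into a CSV for a Domino import agent.
Added example, not from the original post. The Domino column names are
assumptions standing in for whatever your registration agent expects."""
import csv
import io

# csvde writes one header row of LDAP attribute names, then one row per entry,
# quoting values that contain commas and joining multi-valued attributes with
# ';'. This sample is constructed for the example; the accounts are not real.
SAMPLE_CSVDE = """DN,sAMAccountName,givenName,sn,mail,proxyAddresses,userAccountControl
"CN=Alice Example,OU=Users,DC=example,DC=com",aexample,Alice,Example,alice@example.com,SMTP:alice@example.com;smtp:a.example@example.com,512
"CN=Bob Example,OU=Users,DC=example,DC=com",bexample,Bob,Example,,,514
"CN=Svc Backup,OU=Service,DC=example,DC=com",svc-backup,,,svc@example.com,SMTP:svc@example.com,512
"""

UAC_ACCOUNTDISABLE = 0x0002  # ACCOUNTDISABLE bit of userAccountControl

# Assumed column names for the Domino side.
DOMINO_FIELDS = ["FirstName", "LastName", "ShortName", "InternetAddress", "MailDomain"]


def primary_smtp(proxy_addresses):
    """Return the primary SMTP address (upper-case 'SMTP:' prefix) or None."""
    for value in proxy_addresses.split(";"):
        if value.startswith("SMTP:"):
            return value[len("SMTP:"):]
    return None


def ad_to_domino(row, mail_domain="example.com"):
    """Map one csvde row to Domino import fields. Returns (record, problems);
    a non-empty problems list means the row should not be imported."""
    problems = []
    try:
        uac = int(row.get("userAccountControl") or 0)
    except ValueError:
        uac = 0
        problems.append("unparseable userAccountControl")
    if uac & UAC_ACCOUNTDISABLE:
        problems.append("account disabled in AD")
    if not row.get("givenName") or not row.get("sn"):
        problems.append("missing givenName/sn")
    # Prefer the primary proxy address; fall back to the plain mail attribute.
    address = primary_smtp(row.get("proxyAddresses") or "") or row.get("mail") or ""
    if not address:
        problems.append("no SMTP address")
    record = {
        "FirstName": row.get("givenName", ""),
        "LastName": row.get("sn", ""),
        "ShortName": row.get("sAMAccountName", ""),
        "InternetAddress": address,
        "MailDomain": mail_domain,
    }
    return record, problems


def convert(csvde_text):
    """Return (domino_csv_text, skipped), where skipped maps DN -> reasons."""
    reader = csv.DictReader(io.StringIO(csvde_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=DOMINO_FIELDS)
    writer.writeheader()
    skipped = {}
    for row in reader:
        record, problems = ad_to_domino(row)
        if problems:
            skipped[row["DN"]] = problems
            continue
        writer.writerow(record)
    return out.getvalue(), skipped


if __name__ == "__main__":
    text, skipped = convert(SAMPLE_CSVDE)
    print(text)
    for dn, reasons in skipped.items():
        print("skipped", dn, "->", "; ".join(reasons))
```

Run it against a real export by reading the csvde output file instead of SAMPLE_CSVDE; the skipped report is the part worth keeping, since it tells you which AD entries are not shaped the way the Domino side needs before anything is imported.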

The most complex and time-consuming of all these would be building a custom script or scripts using perl’s Net::LDAP module to synchronize with LDAP protocol operations. Here the problem is the fact that neither Domino nor AD is a generic LDAP directory. They both contain lots of proprietary “stuff” that makes using LDAP-only operations a challenge. For one thing, passwords on AD can’t be modified without some additional gymnastics (enabling SSL on AD). Because of its unique security structure, passwords can’t be modified on Domino at all over LDAP. In addition, there is quite a bit of customization that needs to be done to make Domino data writable by an LDAP client, and some of this customization is easily undone during upgrades. On the Microsoft side there are a lot of operational attributes, like those used by Exchange for routing mail, that have to be set explicitly by your program; the server does not configure them automatically. As a result of all this, I don’t recommend using the LDAP protocol method to synchronize data between Domino and AD.
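To make the caveats above concrete, here is a small planner, added as an example and not code from the original post, that compares a Domino LDAP snapshot with an AD snapshot and works out the add and modify operations an LDAP-based synchronizer would have to issue. It never writes anything; it only shows what such a script has to handle: password attributes are excluded outright (Domino will not accept them over LDAP, and AD accepts unicodePwd only over an encrypted connection), and a newly created AD entry has to be given its mail-routing attributes by the program. The Domino-to-AD attribute mapping, the routing attributes supplied (mail and proxyAddresses), the object class, the base DN and both snapshots are assumptions constructed for the example; which routing attributes your Exchange version actually requires is something to verify.

```python
"""Plan LDAP operations to bring AD entries in line with Domino entries,
without touching a live directory. Added example, not from the original
post; attribute mapping, routing attributes and sample data are assumed."""

# Attributes the planner never writes over LDAP: Domino rejects password
# changes over LDAP, and AD takes unicodePwd only over an encrypted session,
# so passwords are handled out of band. Compared case-insensitively.
PASSWORD_ATTRIBUTES = {"userpassword", "unicodepwd"}

# Domino LDAP attribute (lower-case) -> AD attribute. Assumed mapping.
DOMINO_TO_AD = {
    "givenname": "givenName",
    "sn": "sn",
    "mail": "mail",
    "uid": "sAMAccountName",
}

# Constructed snapshots keyed by short name: {"dn": ..., "attrs": {name: [values]}}.
DOMINO_SNAPSHOT = {
    "aexample": {"dn": "CN=Alice Example,O=Example", "attrs": {
        "givenname": ["Alice"], "sn": ["Example"], "mail": ["alice@example.com"],
        "uid": ["aexample"], "userPassword": ["(hashed, not synchronized)"]}},
    "cdoe": {"dn": "CN=Carol Doe,O=Example", "attrs": {
        "givenname": ["Carol"], "sn": ["Doe"], "mail": ["carol@example.com"],
        "uid": ["cdoe"]}},
}
AD_SNAPSHOT = {
    "aexample": {"dn": "CN=Alice Example,OU=Users,DC=example,DC=com", "attrs": {
        "givenName": ["Alice"], "sn": ["Exemple"], "mail": ["alice@example.com"],
        "sAMAccountName": ["aexample"]}},
}


def exchange_routing_attributes(mail):
    """Mail-routing attributes a new AD entry must carry. Assumed set; the
    server will not fill these in for you."""
    return {"mail": [mail], "proxyAddresses": ["SMTP:" + mail]}


def desired_ad_attributes(domino_attrs):
    """Translate Domino attributes to the AD values we want. Returns
    (desired, skipped): skipped lists password attributes left alone."""
    desired, skipped = {}, []
    for name, values in domino_attrs.items():
        if name.lower() in PASSWORD_ATTRIBUTES:
            skipped.append(name)
            continue
        ad_name = DOMINO_TO_AD.get(name.lower())
        if ad_name:
            desired[ad_name] = sorted(values)
    return desired, skipped


def plan_sync(domino_entries, ad_entries, ad_base="OU=Users,DC=example,DC=com"):
    """Return an ordered list of LDAP operations (dicts) that would make the
    AD snapshot match the Domino snapshot for the mapped attributes."""
    ops = []
    for uid, entry in sorted(domino_entries.items()):
        desired, skipped = desired_ad_attributes(entry["attrs"])
        existing = ad_entries.get(uid)
        if existing is None:
            attrs = dict(desired)
            mail = desired.get("mail", [None])[0]
            if mail:
                attrs.update(exchange_routing_attributes(mail))
            attrs.setdefault("objectClass", ["user"])  # assumed object class
            ops.append({"op": "add", "dn": "CN=%s,%s" % (uid, ad_base),
                        "attrs": attrs, "skipped": skipped})
            continue
        changes = {}
        for attr, values in desired.items():
            if sorted(existing["attrs"].get(attr, [])) != values:
                changes[attr] = values
        if changes:
            ops.append({"op": "modify", "dn": existing["dn"],
                        "replace": changes, "skipped": skipped})
    return ops


if __name__ == "__main__":
    for op in plan_sync(DOMINO_SNAPSHOT, AD_SNAPSHOT):
        print(op)
```

The plan is the output of a dry run; feeding it to a real LDAP client is the easy part. The hard parts the post warns about are visible in the result: the Domino password attribute shows up only in the skipped list, and the new entry for cdoe carries routing attributes the planner had to supply itself.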

Of course if you really want to do this right you’ll deploy an enterprise-grade provisioning server like Oracle’s Identity Manager or Microsoft’s Metadirectory Services. The major advantages of a real provisioning platform are: 1) the connectors for each type of “directory” are prebuilt; 2) they use a common scheduler; 3) logging of operations is already provided for; 4) all the data is stored in a relational database rather than less efficient flat files; and, most importantly, 5) the whole thing is supported by a big commercial vendor.

Copyright 2004-2019 Phil Lembo