WebSphere Portal Server - Clarify Some Security Concepts, please...

jonjohnston

2004-02-17, 3:33 pm

These are all examples, not real configs, just hypothesizing:

Most of the sites I'm going to work with are going to have Domino.
All of the examples shown for domino ldap integration show the Notes
domain of the integrated site as an internet domain, i.e., biginsco.com.

Reality is, most Domino sites have a Notes domain that looks something
like - Joe User/Big Insurance Company (with user name, obviously).

Are we going to be able to integrate to these types of domains without
changing them to a .com or other "Internet style" domain? Or is part of
the purpose of the LTPA key to do a "map" between the Notes domain and
the FQDN of the WebSphere environment?

Or is this an environment in which we're always better off using an
object pool session... Portletsession. If that's the case, where can I
find more information about this?

If we have a site in which (again, example), we're going to integrate
ISS, Domino, and WAS, at that point, I would assume that we'll have to
have a metadirectory/LDAP server such as Tivoli's Identity Manager, or
IBM's Directory Server to handle the authentication between the
disparate systems, or, again, are we better off in the real world in
establishing sessions within the portlets themselves?

Thanks for any pointers... or any discussion. <G>

Jon J.

LeaMedhurst

2004-02-17, 7:33 pm

Jon

I have installed plenty of portals with Domino. Apart from ongoing issues with QuickPlace I never have any real problems. In fact I have just finished a similar setup to that you explain IIS\Portal v5.02\Domino 6.5

I might be missing the point but
Joe User/Big Insurance Company is the Notes Domain so you end up with an LDAP user that looks like cn=Joe User,o=Big Insurance Company and that user is used during authentication. Upon authentication an LTPA token is produced for that user and is included in the browser session.

Now assuming your Portal Server and Domino server are in the same NT domain (i.e. biginsco.com) then single sign on will work. The NT Domain and Notes Network Domain are different.

I also use DIIOP for my applications that can't be exposed via HTTP and you can use the portal API to get a handle to the current user and pass that through DIIOP and access data that way.

I hope I have helped
Thanks
Lea Medhurst
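
Added example, not part of the original thread and not IBM code: the mapping described in the reply above (Joe User/Big Insurance Company becoming cn=Joe User,o=Big Insurance Company), generalized to names with organizational units and to the canonical CN=/O= form, with RFC 4514 escaping so that a name containing a comma or plus sign cannot change the structure of the DN. The function names are made up here, and the abbreviated-name layout (first component CN, last O, anything between OU) is an assumption.

```python
# Added example: Notes hierarchical name -> LDAP DN string (RFC 4514 escaping).
import re


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def notes_name_to_dn(name: str) -> str:
    """Map 'Joe User/Org' or 'CN=Joe User/O=Org' to 'cn=Joe User,o=Org'."""
    parts = [p.strip() for p in name.split("/")]
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a hierarchical Notes name: {name!r}")
    labelled = [re.fullmatch(r"(?i)(cn|ou|o|c)\s*=\s*(.+)", p) for p in parts]
    if all(labelled):
        # Canonical form: every component carries its own label.
        rdns = [(m.group(1).lower(), m.group(2)) for m in labelled]
    elif any(labelled):
        raise ValueError(f"mixed labelled/unlabelled components: {name!r}")
    else:
        # Abbreviated form. Assumption: first is CN, last is O, the rest are
        # OUs; a trailing country code is not guessed at.
        labels = ["cn"] + ["ou"] * (len(parts) - 2) + ["o"]
        rdns = list(zip(labels, parts))
    return ",".join(f"{label}={escape_rdn_value(v)}" for label, v in rdns)


if __name__ == "__main__":
    # Constructed sample names, including one with DN metacharacters.
    for sample in ("Joe User/Big Insurance Company",
                   "CN=Joe User/OU=Claims/O=Big Insurance Company",
                   "Joe User/Smith, Jones + Co"):
        print(sample, "->", notes_name_to_dn(sample))
```
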

jonjohnston

2004-02-18, 2:33 am

LeaMedhurst wrote:
> Jon
>
> I have installed plenty of portals with Domino. Apart from ongoing issues with QuickPlace I never have any real problems. In fact I have just finished a similar setup to that you explain IIS\Portal v5.02\Domino 6.5
>
> I might be missing the point but
> Joe User/Big Insurance Company is the Notes Domain so you end up with an LDAP user that looks like cn=Joe User,o=Big Insurance Company and that user is used during authentication. Upon authentication an LTPA token is produced for that user and is included in the browser session.
>
> Now assuming your Portal Server and Domino server are in the same NT domain (i.e. biginsco.com) then single sign on will work. The NT Domain and Notes Network Domain are different.
>
> I also use DIIOP for my applications that can't be exposed via HTTP and you can use the portal API to get a handle to the current user and pass that through DIIOP and access data that way.
>
> I hope I have helped
> Thanks
> Lea Medhurst


Lea.... thanks so much for the reply. It helps understand the concepts.

I do have a problem right now in that it looks like SSO is working
properly (I can sign up through portal and create the user in Domino),
but when watching LDAPDebug on the Domino server, the WP server never
actually sends any requests to the Domino server. Never generates an
error, but never gets past the login screen.

I'm guessing that's LTPA related.

Haven't done much with Tivoli's stuff, to be honest, I'd say most of our
sites would be using eDirectory. We'll see what happens. <G>

Thanks again...

Jon J.






Copyright 2003 - 2008 webservertalk.com