02-28-2008 02:56 PM
Hello,
Is there a way to ask if a username or email is a member of a particular group on a Domino LDAP server?
(When there is only a CN in the group "member" attribute)
02-28-2008 03:42 PM
No, by default, Lotus Notes uses a group structure that is not compatible with the ESA's group query mechanism.
If you wish to use groups with Lotus Notes you MUST add an attribute to the user object to query against. Typically, users have used the description field to store group information. You can modify the schema to include a new one.
An example of an entry that would work for a domino server:
User Entry
dn:cn=FnameLname,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Fname Lname
sn: Lname
givenName: Fname
uid: FLastname
mail: FLastname@example.com
description: AVONLY
Example Filter
(&(mail={a})(description={g}))
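Added example, not part of the original post and not vendor code: a Python model of how the filter above behaves once the {a} (address) and {g} (group) tokens are substituted, with the substituted values escaped per RFC 4515 so a metacharacter in an address cannot alter the filter. The function names, the sample entries, and the `(&(cn={g})(member={a}))` filter used to show the name-only group case are assumptions made for illustration.

```python
import re

# Constructed sample data modelled on the user entry in the post above.
USER = {"cn": ["Fname Lname"], "mail": ["FLastname@example.com"],
        "description": ["AVONLY"]}
# Constructed Domino-style group: "member" holds names, not mail addresses.
GROUP = {"cn": ["AVONLY"], "member": ["CN=Fname Lname,O=example"]}

def escape_value(value):
    """Escape the RFC 4515 filter metacharacters: backslash, *, (, ) and NUL."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand(template, address, group):
    """Substitute the {a} and {g} tokens in one pass, escaping each value."""
    values = {"a": escape_value(address), "g": escape_value(group)}
    return re.sub(r"\{([ag])\}", lambda m: values[m.group(1)], template)

def unescape(value):
    """Turn \\XX hex escapes in a filter value back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(filter_text, entry):
    """Evaluate an AND of equality tests, the shape of the post's filter."""
    if not (filter_text.startswith("(&") and filter_text.endswith(")")):
        raise ValueError("only (&(attr=value)...) filters are handled here")
    tests = re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", filter_text[2:-1])
    for attr, raw in tests:
        wanted = unescape(raw).lower()  # mail/description match case-insensitively
        if wanted not in [v.lower() for v in entry.get(attr.lower(), [])]:
            return False
    return True

def in_group(entry, address, group, template="(&(mail={a})(description={g}))"):
    """True when the entry satisfies the expanded group-query filter."""
    return matches(expand(template, address, group), entry)
```

With the constructed data, the user entry matches for group AVONLY, while the name-only group entry cannot match a mail address, which is the incompatibility described in the post.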
02-28-2008 03:44 PM
Also, on a similar note concerning Lotus "O" groups...
If you have several "O" groups to query, how can you do it?
You have several "O" groups on the server. E.g.,
o=example
o=example2
o=example3
Solution:
Log into the UI, and go to System Administration > LDAP > Add LDAP Server Profile. Under the Base DN field, do not type anything. Keep this field blank so you can query all available "O" groups.
03-06-2008 08:50 AM
We are running an agent which updates each user's person doc with the 'MemberOf' information. The agent builds a list of the groups the user is a member of, and this field (in our case 'MemberOf') is added in a new subform which is then imported into the "LDAP Aware" $PersonExtensibleSchema subform.
More details how to extend LDAP schema from IBM site: http://www.ibm.com/developerworks/lotus/library/ls-Exploring_LDAP_features/
(see section 'Extending existing object classes'; it's for Domino 5, but the LDAP hasn't really changed since)
The following agent updates the 'MemberOf' field in users' person docs. Please keep in mind this doesn't include possible Mail-In databases; if you want to get MemberOf info for Mail-In DBs, you can create a similar agent with 'Set view = thisdb.getview("Mail-In Databases")'.
Sub Initialize
    ' Agent entry point: recompute MemberOf for every document in the People view.
    Dim session As New NotesSession
    Dim thisdb As NotesDatabase
    Dim db As NotesDatabase
    Dim col As NotesDocumentCollection
    Dim view As NotesView
    Dim server As String
    Set thisdb = session.CurrentDatabase
    thisdb.DelayUpdates = True
    If session.IsOnServer Then
        server = ""
    Else
        server = thisdb.Server
    End If
    Print("Start updating MemberOf information")
    Set view = thisdb.GetView("People")
    Call ProcessComputeWithForm(thisdb, view)
    Print("Finished updating MemberOf information")
End Sub

Sub ProcessComputeWithForm(thisdb As NotesDatabase, view As NotesView)
    ' Recompute each person document and save it only when MemberOf changed.
    Dim origdoc As NotesDocument
    Dim prevMemberOf As Variant
    Dim success As Variant
    Set origdoc = view.GetFirstDocument()
    Do While Not origdoc Is Nothing
        If origdoc.HasItem("MemberOf") Then
            ' Keep the old value so unchanged documents are not saved again.
            prevMemberOf = origdoc.MemberOf
            success = origdoc.ComputeWithForm(False, False)
            If Not ArrayEqual(prevMemberOf, origdoc.MemberOf) Then
                Call origdoc.Save(False, False)
            End If
        Else
            ' First run for this document: compute the field and save it.
            success = origdoc.ComputeWithForm(False, False)
            Call origdoc.Save(False, False)
        End If
        Set origdoc = view.GetNextDocument(origdoc)
    Loop
End Sub

Function ArrayEqual(array1, array2) As Integer
    ' Returns True when both arrays have the same length and the same elements in order.
    Dim a As Integer
    If Ubound(array1) <> Ubound(array2) Then
        ArrayEqual = False
        Exit Function
    Else
        For a = 0 To Ubound(array1)
            If array1(a) <> array2(a) Then
                ArrayEqual = False
                Exit Function
            End If
        Next
    End If
    ArrayEqual = True
End Function
03-05-2009 03:52 PM
Is this information also correct for 6.5.x?
I found Ironport LDAP group query for Lotus Domino in the Domino FAQ.
Can't test it, but perhaps anyone here could say that it is working?
06-22-2009 11:00 PM
The Domino FAQ states "Queries are only possible for valid email addresses e.g. name@domain.com ...", thus you would need to create new groups on your Domino server that contain their email addresses instead of their Notes names (CN=...).
I've set up a few of these groups as ACL groups (so they could not be used for mailing) to accomplish some group specific filters on the ESA, but maintaining the groups is a manual process.
I'd be curious how effective/reliable altering the DB schema to add "MemberOf" and running a scheduled script would be in a large organization.
06-22-2009 11:01 PM
:)
07-06-2009 08:51 AM
I'd be curious how effective/reliable altering the DB schema to add "MemberOf" and running a scheduled script would be in a large organization.