Connect Lotus Quickr to LDAP based on Active Directory

Below you find the QPCONFIG.XML which I used at a customer site to connect Lotus Quickr (Domino Services) to an Active Directory LDAP source for authentication.

Although this configuration worked in my environment you might need to adapt some parts to fit in your environment (especially some of the LDAP attributes used). You easily can check what attributes are used in your environment with a freeware tool called “Softerra Ldap Browser“.

[codesyntax lang=”xml” title=”qpconfig.xml”]

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<server_settings>

<offline enabled="true" use_login_passwords="true" >

<name_translation enabled="true">
<from_directory_name>
<translate from="CN=(.+)/(.+)/DC=acme/DC=com" to="CN=\1/\2/O=acme_com" />
</from_directory_name>
<to_directory_name>
<translate from="CN=(.+)/(.+)/O=acme_com" to="CN=\1/\2/DC=acme/DC=com" />
</to_directory_name>
</name_translation>

</offline>

<super_user enabled="true">
<dn>CN=IT_WindowsServer_Admins,OU=acme (Organisation),OU=acme Groups,DC=acme,DC=com</dn>
</super_user>

<user_directory>

<ldap>

<base_dn>
<group>DC=acme,DC=com</group>
</base_dn>

<schema>

<ldap_is_active_directory enabled="false" />
<do_not_deref_for_groups enabled="true" />
<dn_delimiter robust_compare="false"/>
<dn_incoming_is_native enabled="true"/>
<secondary_cn_component enabled="true"/>
<maintain_escape_character enabled="false"/>

<object_class>objectClass</object_class>
<user>
<object_class_value>person</object_class_value>
<common_name>cn</common_name>
<display_name>cn</display_name>
<first_name>givenname</first_name>
<last_name>sn</last_name>
<email>mail</email>
<phone>telephoneNumber</phone>
</user>
<group>
<object_class_value>group</object_class_value>
<common_name>cn</common_name>
<display_name>cn</display_name>
<member>member</member>
</group>
</schema>

<search_filters>
<authentication>
<![CDATA[
(|(sAMAccountName={0})(cn={0}))
]]>
</authentication>
<user_lookup>
<![CDATA[
(&(objectclass=person)(sn={0})(givenname={1}))
]]>
</user_lookup>

<group_lookup>
<![CDATA[
(&(objectclass=group)(cn={0}))
]]>
</group_lookup>

<group_membership>
<![CDATA[
(&(objectclass=group)(member={0}))
]]>
</group_membership>

</search_filters>

<member_lookup_ui>

<column_name>
<person>sn, givenname</person>
</column_name>

<column_disambiguate>
<person>dn</person>
</column_disambiguate>

</member_lookup_ui>

<search_ui_hint>
<![CDATA[
( enter <B>last name, first name</B>)
0; ]]>
</search_ui_hint>

<search_ui_index>sn</search_ui_index>

</ldap>

</user_directory>

</server_settings>

[/codesyntax]

 

In addition to the above configuration you need to add the root point of your LDAP tree (see above) in corresponding field in the Quickr Site Administration:

Quickr Directoiry Config

You also need to do some work to get the Quickr offline capability working with Active Directory. I will describe how to do this in a later post.

Update:

David Byrd has just published a very good article in the Quickr wiki regarding AD integration.

Lotus Quickr: “Create a place” link visible without logging in

At a customer site we did have the problem that the “Create a place” link of Lotus Quickr (Domino) was visible even if no user was logged into Quickr. So every user was able to create a place even if this functionality was restricted to special users/groups.

[More:]

In the database “….\lotusquickr\lotusquickr\main.nsf” there is a document with the title “Create a place”. In this document there is a field “h_Readers” which contains all users/groups which are able to create new places. This field contained, among other entries, also the entry “Anonymous”. Because of that the “Create a place” link is visible even if no user is logged in.

The question was why this field contained this entry. After some investigation I found out that Quickr adds all entries of the ACL of the MAIN.NSF to this field (and in addition all users and groups you add to “Who can create new places on this server?” within the Quickr site administration).

After deleting the “Anonymous” entry from the ACL (and in addition deleting it from the ACL of “CreateHaiku.nsf” too which also contained this entry) and then re-adding the persons and groups to “Who can create new places on this server?” again the field was populated correctly.

Afterwards the link to “Create a place” was no longer visible if no user was logged in.

Unfortunately I was not able to find out why the two databases did contain “Anonymous” in their ACLs. I am quite sure that we did not add these entries manually…

Update:

I just found out when “Anonymous” is added to the ACL: It happens every time you issue the command “load qptool upgrade -f -server” as you are e.g. doing when implementing a new hotfix.

The “Anonymous” entry in MAIN.NSF with reader access seems to be ok for me. But you should make sure that “Anonymous” has “No Access” in the database “CreateHaiku.NSF” in the LotusQuickr directory (it does not need to be deleted!).

Unattended installation of Lotus Quickr connectors

I was asked several times if there is an unattended installation available for the Lotus Quickr connectors please find here the link to a corresponding IBM technote which describes how to do that.

With an unattended (quiet) installation you should also be able to install Lotus Quickr connectors via your software distribution system even if your users do not have administrative rights on their machins.

I was not able to test it with a distribution system until now but did some tests with an unattended installation via the Windows scheduler task (running with an user who has admin rights) and this worked perfectly.

If you want to pre-configure connector settings (e.g. the name of your Quickr servers)you can do that by adding the corresponding registry keys which are saved under

[HKEY_CURRENT_USER\Software\IBM\Lotus Quickr\Desktop Integration\Servers]

Update [2009-02-19]:

After you perform a silent installation of the Lotus Quickr Connectors, the connectors are installed successfully but might not be listed in the Add/Remove programs list in Microsoft Windows. To resolve this issue, add the following switch to the command line for the silent install: ALLUSERS=2

Update [2009-10-22]:

See also this posting for upgrading an existing installation.

Gute Vorsätze …

… gibt es, wie üblich, hier bei mir keine … meistens werden sie ja doch nicht eingehalten.

Einen großen Jahresrückblick gibt es auch nicht. Es gibt eigentlich eh nur 2 Highlights in 2007: Unser erstes Jahr in der neuen Wohnung und mein Wechsel von IBM SO zur IBM Software Group. Beide Entscheidungen waren auf jeden Fall richtig und seit langem überfällig. In der Wohnung incl. dem Umfeld fühlen wir uns wieder richtig wohl und der Job macht auch wieder Spaß, was ja schon länger nicht mehr wirklich der Fall war.

In diesem Sinne hoffe ich mal, daß es auch in 2008 so weitergeht und wünsche allen, die ich in den letzten Tagen nicht getroffen, gesprochen oder geschrieben habe, einen guten Rutsch und ein frohes und glückliches Jahr 2008!

Faxen mit der Fritz!Box 7170

Seit einiger Zeit kann man über die Fritz!Box auch FAxe versenden, ohne dass man zusätzlich eine ISDN-Karte eingebaut haben muss.

Genaueres hierzu findet sich auf dieser Webseite.

Bei mir gab es aber nach der Installation der Software das Problem, daß die Faxsoftware nach dem Starten erst einmal eine Kunstpause eingelegt hat, während der sie die Fritz!Box im LAN gesucht hat. Nach einigen Minuten wurde die Box dann auch problemlos gefunden und die Software startete auch korrekt. Beim nächsten Aufruf war aber wieder Warten angesagt.

Um diese Wartezeit zu verhindern, habe ich folgenden Registry-Key eingetragen (und damit die IP-Adresse meiner Box der Software bekannt gemacht, damit sie nicht mehr suchen musste):

[HKEY_LOCAL_MACHINE\SOFTWARE\AVM\AVMIGDCTRL]
“FoundFritzBoxes”=”192.168.1.1”

Danach läuft nun alles ganz ohne Wartezeit ab und funktioniert auch einwandfrei.

Frohe Weihnachten

Allen Lesern meiner Seiten wünsche ich ein frohes und geruhsames Weihnachtsfest.

Dieses Jahr wird’s bei uns ganz sicher etwas ruhiger, da mich rechtzeitig zu den freien Tagen eine starke Erkältung erwischt hat und ich seit 3 Tagen schon im Bett stecke. Heute musste ich dann doch den ärztlichen Notdienst bemühen und mir eine Dosis Antibiotika abholen, da es eher schlimmer als besser wird.

Melde mich dann wieder, wenn ich einigermaßen auf dem Damm bin.

Lotus Quickr (Domino) Hotfix 6Hotfix 7

This time I just modify my last post from yesterday evening …. instead of Hotfix 6 it now reads simply Hotfix 7 🙂

This time I am a little bit late…. Hotfix 6 Hotfix 7 for Lotus Quickr (Domino Services) is out since yesterday. BTW: There was no public Hotfix 5 as far as I know …

[More:]

In the hotfix documentation you now will also find some instructions what to do after applying the fix.

I am not sure if the comamnds are in the correct order as they write:
• Upgrade all the places and Placetypes:
load qptool upgrade -f –a
• Upgrade all the databases on the server:
load qptool upgrade -f –server
I am quite sure that you should do it the other way round (as it was decsribed in the past) but I am still trying to verify this.

They now have corrected the order in the readme of Hotfix 7.

In addition to the commands you have to run in the past you now should also unregister and register all places again afterwards:

load qptool unregister -a -placecatalog
load qptool register -a -placecatalog

Using SSL with Lotus Quickr (Domino)

If you want to use SSL for Lotus Quickr (Domino Services) you have to do three four different things:

[More:]

1. Configure the Domino HTTP task correctly for HTTPS

2. Activate SSL for the Domain catalog server and set the correct port numberi n QPCONFIG.XML:

 <search_places …..”> 
   <domain_catalog_server ssl=”true”> 
      <port>443</port> 
      <domino_server_name>………<domino_server_name> 
      <hostname>………..</hostname> 
   </domain_catalog_server> 
</search_places> 

3. Activate SSL for cluster

 <cluster> 
   <master ….. ssl=”true”> 
      <port>443</port> 
      <hostname>……….</hostname> 
      <path_prefix></path_prefix> 
   </master> 
</cluster> 

Important: It is not quite obvious that you have to do step 3 also in a non-clustered environment. But if you do not add this configuration option you end up with connector links which do no longer work. Instead of links like “https://servername.domain/……” you get links like “https://servername.domain:80/……” which will not work because of the wrong port number.

Update:

There is another thing to do:

4. Unregister and register the server again:

On the Domino server console run the following commands:

load qptool unregister -server
load qptool register -server

Otherwise the links in MyPlaces will still point to “http://” instead of “https://”.

Some issues while upgrading Lotus Quickr (Domino)

While upgrading Lotus Quickr 8.0 to 8.0.0.2 (HF4) at a customer site we experienced two problems:

The first thing was that the command “l qptool upgrade -f -a”, which you have to do in order to get all places upgraded to the new version, promotes all place managers to super users. So you should check your places afterwards and correct them if necessary. A PMR is opened and currently under investigation. You can see a corresponding message also in the Domino server logs (“Upgrade: Upgrading Place ‘Main.nsf’, promoting ‘CN=xxx yyy’ to SuperUser.”) if you set a higher log level for the upgrade process (set the variable “QuickPlaceUpgradeLogging=4” in the NOES.INI before running the upgrade command; attention: you will get many messages if you do have many places to upgrade, so be careful by using this parameter).

The other issue was that after upgrading all places the users did not see any documents in the Quickr connectors. The reasons seems to be that “l qptool upgrade -f -a” did not upgrade the places correctly. What worked for us was to issue the command “l qptool upgrade -f -a” again. after the second run all places worked correctly with the connector again. Another PMR was opened for that as well.