Convert Active Directory DistinguishedName to Domino Name - xpages

We are integrating our lotus notes applications with Active Directory for authentication and mailing.
Authentication works fine and once logged it return the name in the below format
CN=Arumugam, Barath/OU=Users/OU=Region - North America/DC=mhf/DC=mhc
However there is no attribute in active directory which matches the above format. The closest match is attribute called distinguishedName. It is in below format.
CN=Arumugam\, Barath,OU=Users,OU=Region - North America,DC=mhf,DC=mhc
Is there a way I can convert distinguishedName to domino names in SSJS or #formula. I am not sure how domino automatically converts to the first format after login. I hope there should be someway.

Using Directory Assistance you can set up username mapping. See http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin85.doc%2FH_CONFIGURING_DIRECTORY_LOOKUPS_WHEN_DOMINO_HANDLES_AUTHENTICATION_AND_USERS_ARE_MANAGED_PRIMARILY_THROUGH_ACTIVE_DIRECTORY_STEPS.html

I was able to add users and groups from AD to ACL, by replacing all commas "," in distinguishedName with "/". Of course, the name mapping option have to be set up correctly and Notes distinguished name should be mapped to the distinguishedName field in AD. In your case the notes name should looks like this:
CN=Arumugam Barath/OU=Users/OU=Region - North America/DC=mhf/DC=mhc
Domino converts the names in the AD field distinguishedName by itself. You don't need to add Notes names for AD users.
The only thing that did not work for me: if I put the user or group from AD in the Domino group, and then add the Domino group to ACL for a DB, the user from AD still does not have access to DB.

Related

How to register a Web User only (without a lotus notes id file) in Domino Directory

I have a Lotus Notes web application where users are required to be defined in the same database using a custom profile form. Specific roles will be assigned in every user accordingly based on the selected predefined user roles. These users will be populated in the ACL dynamically using lotus script web agent.
My question is, how do I programatically register the user in the domino directory? Can I just create a person document with basic info and internet password and assign an external email like gmail or yahoo? If it's possible, do I still need to certify the user using the Certifier Id?
Your suggestion is very much appreciated. Thanks in advance.
You don’t need to certify the user or create an id file. As you already suggested, you just create the person document in the directory database. Look at Registering users for your Domino Web site for details, e.g. how to avoid duplicate user names.

Azure AD Graph API cannot access Microsoft Account

I have 2 users in Azure AD
Microsoft Account user
Microsoft Azure Active Directory user
User 2 always works in Graph API calls but not the user 1.
https://graph.windows.net/tenantid/users/testmail#hotmail.com?api-version=2013-04-05
(Email actually is url encoded as testmail%40hotmail.com).
This gives the following error
"{\"odata.error\":{\"code\":\"Request_ResourceNotFound\",\"message\":{\"lang\":\"en\",\"value\":\"Resource 'testmail#hotmail.com' does not exist or one of its queried reference-property objects are not present.\"}}}"
Does anyone know how to fix this?
Edited:
Things I figured out trying to fix this. I am using UserPrincipal name in the query above(..users/testmail#hotmail.com?..). For built-in domain accounts userPricipal name is testmail#domain.com(this works) but for a Microsoft account userPrincipal name is testmail_hotmail.com#EXT##domain.com. This was given in the all users list (https://graph.windows.net/tenantid/users?api-version=2013-04-05). But even when I changed the query to '..users/testmail_hotmail.com#EXT##domain.com?..' ofcourse after url encoding(testmail_hotmail.com%23EXT%23%40domain.com), still it does not work. Objectid always works though for all accounts(..users/objectId?..) .
Also tried otherMails. May be the api is wrong as otherMails is an array. "https://graph.windows.net/tenantId/Users?$filter=otherMails eq 'testmail%40hotmail.com'&api-version=2013-04-05"
So the question still remains. if only email is available for an MS account(not objectid) when making the call, how to get user details?
You are missing your domain in the URL you posted. It should be
https://graph.windows.net/[your Azure AD domain]/users
To get the email address for a user you need to add the object Id of the user in the request URL. So, for example, to get an Azure AD user it would be like this:
https://graph.windows.net/[your Azure AD domain]/users/[object ID of user]/mail
For users in the directory sourced from a Microsoft Account, the mail property is null. So, you will have to look in the otherMails property like this:
https://graph.windows.net/[your Azure AD domain]/users/[object ID of user]/otherMails
If you want to access the full user account using a user's UPN, you can do that for users sourced from Azure AD. For example, for a tenant domain contoso.com and a user with a UPN johndoe#contoso.com, the query would look like this:
https://graph.windows.net/contoso.com/users/johndoe#contoso.com
This doesn't work for users sourced from Microsoft Accounts. For these accounts, the UPN contains characters (#, . for example) that break the query. You can filter by the UPN though using the naming convention that is used for users sourced from Microsoft Accounts. Suppose you have a user whose email is jayhamlin#yahoo.com in your directory. The UPN would be something like jayhamlin_yahoo.com#EXT##contoso.com. So, you could use a filter and look for the first part of the UPN like this:
https://graph.windows.net/contoso.com/users?api-version=2013-11-08&$filter=startswith(userPrincipalName, 'jayhamlin_yahoo')
You can easily explore the Graph API and object properties for your directory using https://graphexplorer.cloudapp.net.
That filter can work, but you could also filter on otherMails. Your original query didn't work because otherMails is a multi-valued property- so you need to use "any":
https://graph.windows.net/tenantId/users?api-version=1.5&$filter=otherMails/any(x:startswith(x,'testmail#hotmail.com'))
When are you using this lookup? Is it once the user has signed in or for some people picking scenario?
Cheers,

How to implement Field Level Security in Microsoft Dynamics CRM 2011

I am getting a problem in implementing Field Level Security in CRM 2011. I am very new to this technology hence not able to resolve this problem.
This is the steps i have done -
1.Created an Entity names Inquiry.
2.On Form Under Entity created a field named 'Password' with EnableSecurity set to 'true'.
3.Then Moved to Administration -> Field Security Profiles -> Created a Profile named 'Inquiry'. Under Users Tab selected a User(Mike) and kept the Field Permissions as it is i.e 'No'.
4.Now on Login for User(Mike) the 'Password' should be seen encrypted. but it does not display as encrypted.
Steps used to Create User -
1.Under Users & groups created new user and assigned 'Service administrator'.
Please tell me if i missed out sum step or if i have done something wrong.
I think user Mike has System Administrator security role.
This security gives always full access to all secured fields, you can find more information here:
How Field Security Can Be Used to Control Access to Field Values in Microsoft Dynamics CRM
section Which Security Roles Allow You to See Secured Fields?
Hey i got the solution to my question.Posting it so that it may help the beginners like me.
All i did was -
Steps used to Create User -
1.Under Users & groups created new user and did not give the user administrator permissions.
2.Then Under Settings->Administration-> Users -> Selected the user and opened the Form.
3.Then choose Manage Roles from Ribbon menus and selected 'System Customizer' as the Security Role.
Rest process same for applying field security.
5.In the end logged in as a System Customizer and was able to see the changes.
Thank you #Guido Preito for the help.

Unable to add users into sharepoint if i am Using emails as account name in Active Directory

I am using moss 2007 version 12.0.0.6421. and Active directory version 6.0.. . my AD domain is siamint so if i add a user as vikas. it gets added in AD with logon name as vikas#siamint.com now if i add a user sahil#yahoo.com into ad. it gets added as sahil#yahoo.com#siamint. now when i try to add user from peoples and groups,site settings in a sharepoint site; i gets user siamint\sahil in people picker. rather it should be siamint\sahil#yahoo.com. it means the name is truncated from #. Is this a sharepoint error or what. Ultimately i think it means we cannot add users with # in their usernames.
When you add a user to Active-Directory you give a "user session Name" (1) which is composed with the domain name (2) to give an attribute which is the real login name stored in an attribute called "userPrincipalName".
So "jpb#dom.fr" in the preceding picture IS NOT a mail adress but the UPN (userPrincipalName) of your user in Active-Directory.
Since Windows 2000 UPN is supposed to replace the old login string (3)
Edited
Sorry, it's in french, but as you can see '#' is allowed in the logon part of the UPN. Look in Microsoft documentation (Active directory naming) for more information.

Can SharePoint's Select People and Groups dialog box's Title and Department fields be customized with a custom membership provider?

I have created a custom membership provider for a SharePoint application but would like to populate the Title and Department columns for the MembershipUsers that are displayed with data from my user repository.
Is this possible? How can it be done?
I don't see anything in the System.Web.Security.MembershipUser class that could store this information. How does the Windows AD MembershipProvider have a different Display Name than the Account Name? Are some of these values coming from someplace else?
What happens in the AD is that, SharePoint runs the User Profile Sync Job that will pull all the required information from AD and updated the SharePoint UserProfile DB which In turn pushes to Each of the Site. Whereas in the case of the Custom Membership we don't have a direct option to update the Profile Information.
One method you can do is to update those information using code.There are two options you can update the User Profile information in the SSP so that it will be displayed in all the Site Collection or to Update the SPWeb.SiteUserInfo List. Please refer these link1 , link2 on how to do that. In case you want to update in SiteUserInfo list it is just another list just search for Item based on the user account name and update that item.

Resources