While I was working on the upgrade of our existing Sametime environment to Sametime 8.5.1 (soon 8.5.2), I ran across an interesting question that I considered worth sharing: Will I use Domino LDAP or connect to Active Directory?
There are good and not so good reasons for either option:
- To get the discussion started, there seems to be the obvious choice to keep on using the Domino Directory when switching to LDAP. This way users can work in their familiar directory structure without the need to impose the rather technical structure of (our) AD.
- On the other hand, it appears to be quite reasonable to also implement SPNEGO. This, however, requires the use of Active Directory as an LDAP source.
- On the flip side, there is the obvious issue of the non-hierarchic structure of the Domino groups. Combine this with the requirement to have a base entry for LDAP defined, as mentioned by Gabriella Davis, and you are left with yet another point for consideration, especially if you are reluctant to make existing groups in the Domino Directory hierarchic – who is doing that anyhow?
I am wondering how other environments have designed their solution. Did you really append an organisation to the name of groups just to make them available in an LDAP tree?
How did you maintain group entries in the vpuserinfo.nsf when moving between directories? Person entries are easily managed utilising the name change task, but groups are rarely replicated between directories, hence the benefit of previously added public groups to the contact list is just gone.
Is there any way to use Domino as an LDAP source but still provide SSO in a Windows environment? I am wondering whether there is the possibility to have the WebSphere server connect to two directories, one for authentication, the other one for online awareness. Similar to the portal configuration described here. Or maybe utilising a Domino server for authentication with shared LTPA keys between WebSphere and Domino?
I am sorry for everyone who expected any answers to their own questions in here. Do not hesitate, though, to leave a comment if you have a suggestion for any of the questions raised in here or below.