External users

Date post: 22-Apr-2015
Upload: gabriella-davis
Description:
Presentation on working with External Users in Connections v5 including how to configure that feature and some sample screenshots. Given first at Icon UK in London Sept 2014
September 2014 Bringing External Users Into Your Connections 5 World Gabriella Davis Technical Director The Turtle Partnership
Transcript
Page 1: External users

September 2014

Bringing External Users Into Your Connections 5 World
Gabriella Davis, Technical Director, The Turtle Partnership

Page 2: External users

Let’s talk about me for a minute

✤ Admin of all things and especially quite complicated things where the fun is

✤ Working with security, healthchecks, single sign on, design and deployment of Domino, ST, Connections and things that they talk to

✤ Stubborn and relentless problem solver

✤ Lives in London about half of the time

Page 3: External users

What’s This All About?

Page 4: External users
Page 5: External users

How Does It Work - The Brief Version

Page 6: External users

What Can An External Person Do?

✤ Be a full member of a Community that allows external users

✤ Share Files with others as well as Download files shared with you

✤ See Activity Streams that they are invited into

✤ Edit Their Profile

✤ View business cards of anyone who has shared content with them

Page 7: External users

What Can’t An External Person Do?

✤ See Any Public Content

✤ Create a community

✤ Follow people

✤ See or search the company directory

✤ Use type-ahead to find people

✤ See recommended content or people

✤ Access the Profiles menu

✤ Access other user profiles

✤ See @Mentions for them

Page 8: External users

✤ An existing Community can’t become a Community that allows external users

✤ Once created as either internal or allowing external user access - a Community cannot be changed

✤ Only internal users with a specific role can invite and share with external users

✤ Communities with external users must be restricted

Page 9: External users

In general an external user is limited to participating in a restricted community they are invited into

This isn’t a bad thing

Page 10: External users

Let’s set things up or … here comes the technical bit

Page 11: External users

Internal vs External User Directories

✤ Who am I talking to? Who am I sharing with?

✤ There needs to be a simple way of identifying internal vs external users

✤ We need to tell Connections how to identify an internal and external user

✤ There are three ways to do this

✤ They all involve using TDI scripts

Page 12: External users

A Quick Catch Up On TDI

✤ To enable external users, the Profile DB must be used as a Directory

✤ TDISOL found in the Connections install directory

✤ Updated on Fix Central

✤ Files we change for External users

✤ profiles_tdi.properties

✤ map_dbrepos_from_source.properties

✤ sync_all_dns

Page 13: External users

Separate LDAP Branch or Server

✤ In map_dbrepos_from_source.properties

✤ mode={func_mode_visitor_branch}

✤ displayName={func_decorate_displayName_if_visitor}

✤ displayNameLdapAttr=cn

✤ decorateVisitorDisplayName= - External User

✤ In profiles_tdi.properties

✤ source_ldap_url_visitor_confirm

✤ source_ldap_search_base_visitor_confirm

✤ source_ldap_search_filter_visitor_confirm

Page 15: External users

Separate LDAP Steps

✤ Ensure the External directory is also configured as a Federated Repository in WAS

✤ otherwise your external users can’t authenticate

✤ source_ldap_search_base_visitor_confirm must not be empty

✤ In map_dbrepos_from_source.properties add sync_source_url_enforce=true so TDI doesn’t remove one directory’s entries

Page 16: External users

LDAP Attribute

✤ This is a bit easier but needs careful managing

✤ In map_dbrepos_from_source.properties assign an LDAP attribute so that mode=“external”

✤ displayName={func_decorate_displayName_if_visitor}

✤ displayNameLdapAttr=cn

✤ decorateVisitorDisplayName= - External User

Page 17: External users

LDAP Attribute As A Function

✤ Instead of mapping an LDAP attribute containing “external” to the mode= entry you can use a JavaScript function

✤ The function must compute to the word ‘external’ for external users

✤ It must be placed in the profiles_functions.js file
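
A fail-closed version of such a function, as an added example that is not from the presentation or from the TDISOL scripts. The function name func_mode_by_mail_domain, the domain allowlist and the sample entries are constructed; it assumes that 'internal' is the mode value for internal users and that TDI exposes the current LDAP entry as the global `work`.

```javascript
// Added example: hypothetical names, constructed domains and sample entries.
var INTERNAL_MAIL_DOMAINS = ["example.com", "corp.example.com"];

// Domain part of a mail address, lower-cased; null when the value is malformed.
function mailDomain(raw) {
    if (raw === null || raw === undefined) return null;
    // String() also converts a java.lang.String handed over by the LDAP connector.
    var mail = String(raw).replace(/^\s+|\s+$/g, "").toLowerCase();
    var at = mail.indexOf("@");
    if (at <= 0 || at !== mail.lastIndexOf("@") || at === mail.length - 1) return null;
    return mail.substring(at + 1);
}

// Fail closed: an entry is internal only on an exact domain match, so a missing
// or malformed mail value, or a look-alike domain, is classified as external.
function computeMode(entry) {
    var domain = mailDomain(entry.getString("mail"));
    for (var i = 0; i < INTERNAL_MAIL_DOMAINS.length; i++) {
        if (domain === INTERNAL_MAIL_DOMAINS[i]) return "internal";
    }
    return "external";
}

// Shape for profiles_functions.js, referenced as mode={func_mode_by_mail_domain}.
// Assumption: TDI exposes the current LDAP entry as the global `work`.
function func_mode_by_mail_domain(fieldname) {
    return computeMode(work);
}

// Constructed stand-in for a TDI work entry, for running outside TDI.
function sampleEntry(attrs) {
    return { getString: function (name) {
        return attrs.hasOwnProperty(name) ? attrs[name] : null;
    } };
}

function classifySamples() {
    var mails = ["alice@example.com", " Bob@Corp.Example.COM ",
                 "eve@notexample.com", "mallory@example.com.partner.test", null];
    var out = [];
    for (var i = 0; i < mails.length; i++) {
        out.push(computeMode(sampleEntry(mails[i] === null ? {} : { mail: mails[i] })));
    }
    return out;
}

console.log(classifySamples().join(","));
```

Defaulting to external means a classification mistake costs a user some access rather than exposing the directory and public content to a visitor.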

Page 18: External users

Whatever Method You Choose

Run sync_all_dns.bat when done. On failure, check the logs ibmdi.log and SyncUpdates.log

Page 19: External users

Employee-Extended Role

✤ Not all internal users / employees can invite external users - they must have the special Connections role

✤ “Employee-Extended”

✤ The only way to get this role is to be assigned it via wsadmin

Page 20: External users

Assigning Roles

✤ From /profiles/dmgr01/bin directory

✤ wsadmin.bat/sh -lang jython -username <wasadmin> -password <password>

✤ execfile("profilesAdmin.py")

✤ ProfilesService.setRole("[email protected]", EMPLOYEE_EXTENDED)

Page 21: External users

Securing the Perimeter

Page 22: External users

Directory Decisions

✤ How will external users register

✤ Who will have rights to invite external users

✤ Password quality

Page 23: External users

Anonymous Access

✤ Disable Anonymous access for all applications

✤ Edit each application’s “security role to user group mapping”

✤ Ensure “reader” is not set to “Everyone”

Page 24: External users

Public Files

✤ External users can’t see public files

✤ or can they?

✤ If you use a caching proxy then the public cache will contain information external users shouldn’t see

✤ Disable public caching in LotusConnections-config.xml using <genericProperty name="publicCacheEnabled">false</genericProperty>

Page 25: External users

Working with Libraries

✤ With CCM installed the URL /dm can provide access to any public Libraries

✤ External users shouldn’t see public ANYTHING

✤ Ensure the /dm URL is blocked from public interfaces

Page 26: External users

Desktop Plugin

✤ When using Connections, the interface constantly warns you if you are going to share with internal users

✤ The desktop plugin doesn’t do that

✤ This quote from the documentation says it all

✤ “In addition, some operations might result in unexpected errors”

Page 27: External users

Internal and External (Visitor) Views or.. Spot What’s Missing

Page 28: External users

Internal - Homepage

Page 29: External users

Visitor Homepage

Page 30: External users

Internal Community Page

Page 31: External users

Visitor Community Page

Page 32: External users

Internal - My Profile

Page 33: External users

Visitor My Profile

Page 34: External users

✤ As A Visitor…

✤ You can add tags but not see existing tag lists

✤ You can view partial business cards but not full profiles

✤ You can search for content but that only finds things that are shared with you

✤ You can share files but only with the Communities you are part of, not with people directly

Page 35: External users

✤ All of this is good - it keeps your environment secure

✤ It protects your users from accidentally sharing something unintended

✤ It doesn’t give up any information the external user doesn’t already know

✤ Some things are a bit buggy but hopefully being fixed

Page 36: External users

Questions?

✤ Gab Davis - Technical Director

✤ The Turtle Partnership

[email protected]

✤ GabriellaDavis on Skype

✤ gabturtle on twitter
