Enable LDAP Directory Sync for Domino Directory

Document created by user.oxriBaJeN4 Employee on Sep 3, 2015
Last modified by user.oxriBaJeN4 Employee on Mar 27, 2017

If your organization uses Domino Directory, you can use the LDAP Directory Sync feature to automatically add and manage your users and groups, removing the administrative overhead of performing these tasks manually.


In addition, opening a connection between Mimecast and your Domino Directory allows your end users to sign in to Mimecast applications with their primary email address and Domino Directory password.


What You'll Need


  • An inbound connection from the Mimecast IP Range to a Domino Directory server running the LDAP task.
  • A user account with read permissions to Domino Directory.
  • A Mimecast Administrator account with edit permissions to the Administration | Services | Directory Synchronization menu item.


Prepare Your Environment


  1. Ensure that your firewall is configured to pass LDAP(S) requests from Mimecast to your Domino Directory server.
  2. Create a user that Mimecast will use to connect to your Domino Directory.
    The LDAP task runs automatically by default on the admin server for the primary Domino directory.

Creating the Mimecast Directory Connection


  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Services | Directory Synchronization menu item. A list of directory connections is displayed.
  4. Click the New Directory Connector button.
  5. Complete the dialog as follows:

    Field / Option: Description
    Description: Provide a description to help identify the directory connector.
    Server Type: Leave this set to the "Domino Directory LDAP" option.
    Honor Domino "Allow Foreign Directory Synchronization": If selected, Mimecast will not synchronize groups and addresses that have "Allow Foreign Directory Synchronization" set to "No" on the Domino Directory (LDAP).
    Hostname / IP Address: Enter either the hostname or IP address to be used when the primary host is unavailable. See the Mimecast Gateway page for further details.
    Alternate Host: Enter a backup hostname or public IP address of the directory server. If configured, this will be used as a failover connection to the directory.
    Encrypt Connection: Select whether the connection should be encrypted using LDAP.
    Encryption Mode

    If the "Encrypt Connection" option is checked, specify one of the following encryption modes:


    Strict - Trust Enforced: This mode requires a certificate issued by a Mimecast trusted public root certification authority, and a key length greater than 1024 bits to be installed on your Domain Controller.
    Relaxed: This mode must be used if your certificate is self signed, has a key length of less than 1024 bits, or has an incomplete trust chain.

    Certificate Information

    When using a secure connection, ensure that the name on your certificate matches the public host name that you are using for the connection.

    The Strict - Trust Enforced encryption mode requires a certificate issued by a Mimecast trusted, public root certification authority and a key length greater than 1024 bits to be installed on your Domino Directory server. If your certificate:

    • is self-signed,
    • has a key-length of less than 1024 bits,
    • or has an incomplete trust chain

    contact Mimecast support who can define a Relaxed encryption mode for your connection. For your security, we strongly recommend using certificates issued by a public root certification authority with a key length greater than 1024 bits.

    Connection Port: Specify the port Mimecast should use to connect to your Active Directory. Typically this will be 636 for secure connections and 389 for un-secured connections.
    User Distinguished Name

    Specify the distinguished name of the user Mimecast should use to connect to your Active Directory. See the Finding the User's Distinguished Name section below for further detail.


    Enter the Active Directory password for this user.

    Root Distinguished Name: Specify the Root Distinguished Name for your Active Directory domain (e.g. DC=domain,DC=local) to be used as a filter on the connection. If you only want to expose part of your Active Directory to Mimecast, enter a Root DN higher in your directory tree (e.g. OU=New York,DC=domain,DC=local).
    Acknowledge Disabled Accounts in Active Directory

    If selected, user accounts disabled in Active Directory are also disabled in Mimecast.

    Optional Email Domains Filter

    Optionally list the domains the Directory Connector will synchronize with. These can be specified where:

    • There are multiple Directory Connectors, and where each Connector is dedicated to certain domains.
    • The account is part of an Advanced Account Administration setup.

    Entries must be comma separated. No spaces should be used.

  6. Click Save and Exit to save the connection details.
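
To preview what a given Root Distinguished Name and Optional Email Domains Filter would expose before saving the connector, the following added example (not Mimecast code) models the scoping over a directory export. The sample entries and function names are constructed, and matching the domain filter against each entry's mail address is an assumption about how the filter is applied.

```python
import re

def split_dn(dn):
    """Split a DN into lower-cased (attr, value) RDNs, honoring '\\,' escapes."""
    rdns, current, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append(current)
            current = ""
            continue
        escaped = (ch == "\\") and not escaped
        current += ch
    rdns.append(current)
    return [tuple(p.strip().lower() for p in r.partition("=")[::2]) for r in rdns]

def in_scope(entry_dn, root_dn):
    """True if entry_dn is the Root DN itself or sits beneath it in the tree."""
    entry, root = split_dn(entry_dn), split_dn(root_dn)
    return len(entry) >= len(root) and entry[-len(root):] == root

def parse_domain_filter(text):
    """Check the 'comma separated, no spaces' format; '' means no filter."""
    if text == "":
        return None
    if re.search(r"\s", text):
        raise ValueError("domain filter must not contain spaces")
    domains = text.lower().split(",")
    if "" in domains:
        raise ValueError("domain filter contains an empty entry")
    return set(domains)

def synced_entries(entries, root_dn, domain_filter=""):
    """Return the DNs that fall under root_dn and pass the domain filter."""
    allowed = parse_domain_filter(domain_filter)
    result = []
    for dn, mail in entries:
        domain = mail.rsplit("@", 1)[-1].lower()
        if in_scope(dn, root_dn) and (allowed is None or domain in allowed):
            result.append(dn)
    return result

# Constructed sample (DN, mail) pairs, e.g. taken from an LDIF export.
SAMPLE_ENTRIES = [
    ("CN=Ann Lee,OU=New York,DC=domain,DC=local", "ann@example.com"),
    ("CN=Bob Ray,OU=London,DC=domain,DC=local", "bob@example.com"),
    ("CN=Smith\\, Jo,OU=New York,DC=domain,DC=local", "jo@example.org"),
    ("CN=svc,OU=New York,DC=other,DC=local", "svc@example.com"),
]
```

Comparing the output for DC=domain,DC=local with the output for OU=New York,DC=domain,DC=local shows how much of the directory the narrower Root DN keeps out of the sync.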


Finding the User's Distinguished Name

    1. On your Domino server, or a client machine with the Notes client installed, open a Windows Command Prompt.
    2. Change directory to the location where the Domino program files are installed, for example:
      cd "C:\Program Files\IBM\Domino"
    3. Run this command, where:

         server_name is the name of your Domino server,
         domino_domain_name is the name of your Domino domain,
         username is the user you want to find the DN of

         ldapsearch.exe -h server_name/domino_domain_name "(sn=username)"


            The following results should be displayed.


            The first result listed is the value that you should use for the Distinguished Name field.


Finalizing the Integration


To complete the Directory Integration, activate the automatic synchronization, and enable users to log in using Active Directory passwords:

  1. Select the Administration | Services | Applications menu item.
  2. Click on the Authentication Profiles button.
  3. Click on the Default Authentication Profile to enable you to change it.
  4. Select the LDAP Directory Connector (Active Directory and Domino) option in the Domain Authentication Mechanisms drop down.
  5. Click the Save and Exit button.


Next Steps


Once these steps are complete, Mimecast will synchronize with your Domino Directory automatically three times per day at 8am, 1pm, and 11pm.


To validate that your scheduled syncs are completing successfully, you can view the status of a Directory Connection in the Administration | Services | Directory Synchronization list view page of the Administration Console.


To test the connection immediately and run an on-demand synchronization at any time, click the Synchronize LDAP Data button on the Services | Directory Synchronization page.