Proton, IAM, OAuth, LDAP - nothing so see here, yet

Thursday, February 14, 2019 at 8:30 PM UTC

This is just a small update on my journey to Node with Domino, Proton, IAM and OAuth. It was a fight, but in the end I won.

Thanks to the support of Heiko Voigt, who already startet a blog series that helped me out a lot today (esp. part 2) I was able to set all up. There were lots of caveats to overcome and changes I had to make. I am currently putting all together to also start a blog series. In the meantime join the OpenNTF Slack channel "dominonodejs" for help. There is also Stefano Pogliani, who is the creator of the Node-RED nodes and he's also willing to assist.

Finally I got assistance from Dan Dumont of HCL. Though I already finished my environment just before our session in the evening, we discussed several things that could be improved in the docs and in the IAM service scripts. For example, you cannot run the IAM service as a real service as the script forces you to enter a password - that cannot be omitted or left blank. As the service has to run all the time, it isn't suitable as a service on your machine. You have to open a SSH console and start the script - and have the console to stay open.

From the Domino admin's point of view it's all bread-and-butter: ID Vault, person registration, client certificates and LDAP. The OAuth part may be unfamiliar but also works without issues. The tough part is understanding the docs regarding Proton's certificates, where to store them and how to sign them. The IAM service Node app also is challenging. There is also room for improvement regarding usability. The app itself (running in the browser) is pretty straight forward. Setting up a new app for OAuth is easy and does not involve any console commands etc.

Anyhow, It's just too much to write in a single blog post. I guess my goal is to evaporate the docs into a small subset with only the important parts - and with hints of things, you can leave alone. Yes, there are actually parts you have to omit or you are forced to omit as they won't work for you. Crazy, I tell you...


As a small overview of "specials" consider to check if some of these apply to your scenario:

  • the docs assume you set up HTTP without using Internet Sites. If you use Internet Sites things work a bit different
  • the docs assume that you set up IAM on a different machine than your Domino is on. If you run IAM on the same machine, it's all about hostnames and esp. port binding!
  • if you are using a self-cert for Proton, then keep in mind to use a browser that allows to access unsigned HTTP sources - like Chrome does

That's it for today, I hope I can continue asap. Cheers! Cool

Leave a comment right here

Latest comments

Lars Berntrop-Bos on The end of an era
Hogne B. Pettersen on The end of an era
Christian Brandlehner on Notes/Domino 12.0.2 FP1 is here