HCL Domino – Directory Assistance – Access to Active Directory via LDAPs

In order to re-configure the existing HCL Domino Directory Assistance document for accessing the user data over encrypted LDAP connection or LDAPs you have to do the following:

  1. Create a Domino keyring file for the source Domino server.

Generally there are many good guides on the internet for doing this, personally, I like the following articles:

Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation
Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool

Personally, I advise you to always use an official certificate, any well known third party CA or Let’s Encrypt certificates, which by the way are free, will do. This will save you some pain in the long run.

2. Add the personal certificate and/or CA certificate to the Domino keyring file of the Active Directory server you want to access.

You can do this in the same manner as adding the Domino root or personal certificate in the guides mentioned above. If possible, I would always add the personal and the root certificate of the AD target server, just to be sure that the trust will be established successfully. Just make sure to set a reminder to change the certificates mentioned before they expire. 🙂

3. Add the newly created Domino keyring file to the Domino Server document

Copy the Domino keyring file, including the stash file (.sth) to the Domino Data folder and reference it in the Domino server document.

4. Import the root and personal certificate of the Active Directory server to the Domino Directory

Export the Active Directory root and personal certificates as “.cert”, Base-64 encoded, and import them to the Domino Directory.

5. Activate encryption in the Domino Directory Assistance document.

Set the “Channel encryption” to “SSL”, I advise you to set the other settings to be “less restrictive”, you can fine tune those after you made sure that basics are working.

Do not worry if clicking the “Verify” button returns an error. I think that there is a bug in the Domino 11 DA Template. I was always getting the following error “Connection to host ‘<hostname>:636’ failed”.

6. Restart the Domino Server and verify.

After the Domino Server restart you can verify that the Microsoft Active Directory user data can be accessed via HCL Domino Directory Assistance by issuing the command “show xdir“, the result should be something like the following:

This is everything you have to do to access the user data over encrypted LDAP connection using HCL Domino Directory Assistance. I hope this helps.


6 thoughts on “HCL Domino – Directory Assistance – Access to Active Directory via LDAPs

  1. Thanks Milan,
    i followed all your instructions but it still doesn’t work.
    I am using a non self-signed certificate.
    Without SSL everything works perfectly but with SSL it does not find the LDAP server which does not appear in the show xdir.
    Does the personal certificate have to have special characteristics?
    is cross-certification of the internet certifier necessary?
    Any other suggestions?

    Best Regards


    • Hello Antonio,

      the personal certificate does not need any special characteristics, at least I am not aware of it.
      I would do a cross-certification and restart the server afterwards.
      You can also try adding the personal certificate of the LDAP Server to the Domino keyring file.



      • hello milan,

        i cannot understand HOW you “imported” the .CERT-files (exported out of the ActiveDirectory) into the Domino Directory”…?! –> see your step 4.

        you wrote as an answer to antonio “I would do a cross-certification” – but this can only be done between certifiers, so that means .ID-files! but i have .CERT-files ..?!

        thx 4 your answer!



      • Hello Martin,

        sorry, I missed this comment… 😦

        You can import the Base64 .crt or .cer files, amoung others, by navigating to certificates view, in the Domino directory, then selecting “Actions” –> “Import Internet Certificates”.
        Then you will be able to cross certify the newly imported certificate.

        Let me know if that helps.

        Best regards,



  2. Hi, it is also possible to import the AD root and intermediate certificates into the servers keyring file.

    > kyrtool import roots -i c:\certs\root.pem -k c:\certs\domino-keyring.kyr

    And check:
    > kyrtool show roots -k c:\certs\domino-keyring.kyr

    Keep in mind to renew them if the AD-Certs are updated!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s