Last week I did a presentation at Icon UK on the new Connections 5 feature that allows you to add external users into your Connections environment. To write the presentation I built my own environment multiple times using different techniques for adding external users and discovered some interesting stuff along the way. Since the presentation doesn’t have my commentary on it, I’ll try and summarise that here.
1. On page 6 is a list of things an external user can do according to IBM documentation. Some of the items on that page (in italics) actually didn’t, in any of my testing, work. This is because there are conflicting security limitations on what a user can’t do (see items in bold on page 7).
So, for example, although the documentation states that an external user can share files with people or communities, it also states that they can’t use type ahead or directory lookups. Preventing type ahead and directory lookups actually disables the ability to share files with a user since there’s no way to look up a user. Sharing files with a Community works fine.
2. The external users can be added via an LDAP attribute from your LDAP server or by a separate LDAP server or branch. Although an entirely separate LDAP server is more secure and in my opinion preferable, it must use a search base, which means flat names in Domino can’t be part of the external LDAP source.
To counteract this, in one instance I faked a hierarchy as the users were created (using a simple XPages app to allow people to self-register and manage their own passwords, and setting a fake hierarchical name for them in the background). In the other instance I used the same LDAP source as for internal users but with a specific attribute set to the word “external”.
In general the external users feature has been locked down securely enough that I’d highly recommend it for inviting people to work with your Connections communities.