Usage Notes
This section provides information related to using the Domino resource adapter, which is organized into the following sections:
You can used aliased groups when using Waveset to create a Domino group. Names of aliased groups are represented by this syntax: Group1;alias1;alias2. Note that when a group name appears in a list, you will see the primary name only.
Recertification Process
The recertification process is done using the Boolean user attribute named “recertify.” During an update operation the attribute is checked; if enabled, the user ID is recertified.
The recertification process is done through the adminp process, meaning you generate an adminp request and the recertification of the ID gets done at some point afterwards. The timing of the recertification will depend on configuration of the Domino server.
Changing Passwords
Lotus users have two different passwords:
-
HttpPassword, which is the password that allows a user to access a Notes server from a web browser or other HTTP client.
-
ID file, which is the password that encrypts the user’s Notes ID file. This password cannot be changed unless the current password is specified. As a result, an Wavesetadministrator cannot change this password.
See ID File for additional information.
The adapter can be configured to manage one or both of these passwords.
Managing HttpPasswords Only
Configure the Domino Gateway adapter as follows to manage HttpPasswords but not ID file passwords.
-
Set the User Provides Password On Change resource parameter to 0.
-
In the schema map, change the password Resource User Attribute to HTTPPassword.
-
Delete the HTTPPassword Identity System User Attribute from the schema map.
Managing HttpPasswords and ID File Passwords
Configure the Domino Gateway adapter as follows to manage ID file passwords from the User interface and HttpPasswords from the Administrator and User interfaces.
-
Set the User Provides Password On Change resource parameter to 0.
-
The ID file password cannot be changed unless the user specifies the current password. The current password must be defined in the schema map as an account attribute named WS_USER_PASSWORD. Make sure this attribute is present and its data type is encrypted.
-
In the schema map, change the HTTPPassword Resource User Attribute to password. As a result of this change, the password Resource User Attribute will map to password as well as HTTPassword.
-
Add the Password and LoginChange views to the WS_USER_PASSWORD AccountAttribute. Use the Waveset IDE or debug pages to edit the resource definition as follows:
<AccountAttributeType id=’66’ name=’WS_USER_PASSWORD’ syntax=’encrypted’ mapName=’WS_USER_PASSWORD’ mapType=’string’> <Views> <String>Password</String> <String>LoginChange</String> </Views> </AccountAttributeType> -
Add the WS_USER_PASSWORD and idFile fields to the following forms:
-
Change My Password Form
-
Change Password Form
-
Expired Login Form
These fields must be must be defined to point to the resourceAccounts view.
<Field name=’resourceAccounts.currentResourceAccounts[ResourceName]. attributes.idFile’> <Display class=’Text’> <Property name=’title’ value=’idfile’/> </Display> </Field> <Field name=’resourceAccounts.currentResourceAccounts[ResourceName]. attributes.WS_USER_PASSWORD’> <Display class=’Text’> <Property name=’title’ value=’WS_USER_PASSWORD’/> </Display> </Field>
-
Managing ID File Passwords Only
Configure the Domino Gateway adapter as follows to manage ID file passwords from the User interface without managing HttpPasswords.
-
Set the User Provides Password On Change resource parameter to 1.
-
The ID file password cannot be changed unless the user specifies the current password. The current password must be defined in the schema map as an account attribute named WS_USER_PASSWORD. Make sure this attribute is present and its data type is encrypted.
-
Add the idFile field to the following forms:
-
Change My Password Form
-
Change Password Form
-
Expired Login Form
This field must be must be defined to point to the resourceAccounts view.
<Field name=’resourceAccounts.currentResourceAccounts[ResourceName]. attributes.idFile’> <Display class=’Text’> <Property name=’title’ value=’idfile’/> </Display> </Field>
-
Disabling and Enabling
In Domino 6.0 and later, the preferred method to disable a user is to set the CheckPassword account attribute to 2. However, the 5.x method of adding a user to a DENY GROUP may still be used.
Early versions of Domino do not implement a native disable flag for each user, so each user disabled is placed in a DENY GROUP. When enabled, they are removed as members of any of the defined groups. DENY GROUP has a maximum number of members threshold so the group has to be specified as an account attribute to the resource. This requires an additional DenyGroups account attribute to be passed to the resource. DenyGroups can be set during a Disable, Enable, or Deprovision, but will not be fetched without additional coding.
When deprovisioning or disabling, you must send a list of DenyGroups that the user will be added to. When enabling, you must send a list of DenyGroups that the user will be removed from.
The available DenyGroups can be fetched from the resource with the following code:
<invoke name=’listResourceObjects’ class=’com.waveset.ui.FormUtil’>
<ref>:display.session</ref>
<s>DenyLists</s>
<s>YourResourceName</s>
<null/>
<s>false</s>
</invoke>
The currently assigned DenyGroups can be fetched on a disable, enable, or deprovision form with this code:
<invoke name=’getList’>
<invoke name=’getView’>
<ref>display.session</ref>
<concat>
<s>UserViewer:</s>
<ref>resourceAccounts.id</ref>
</concat>
<map>
<s>TargetResources</s>
<list>
<s>YourResourceName</s>
</list>
</map>
</invoke>
<s>accounts[YourResourceName].DenyGroups</s>
</invoke>
In the enable, disable, and deprovision forms, you must address the DenyGroups attribute as:
resourceAccounts.currentResourceAccounts [YourResourceName].attributes.DenyGroups
The following example defines a field in the disable form that lists the available DenyGroups in the left hand side of a multi-select box:
<Field name=’resourceAccounts.currentResourceAccounts [
YourResourceName].attributes.DenyGroups’>
<Display class=’MultiSelect’>
<Property name=’title’ value=’Deny Groups’/>
<Property name=’required’>
<Boolean>false</Boolean>
</Property>
<Property name=’allowedValues’>
<invoke name=’listResourceObjects’ class=’com.waveset.ui.FormUtil’>
<ref>:display.session</ref>
<s>DenyLists</s>
<s>YourResourceName</s>
<null/>
<s>false</s>
</invoke>
</Property>
<Property name=’availableTitle’ value=’Available Deny Groups’/>
<Property name=’selectedTitle’ value=’Assigned Deny Groups’/>
</Display>
</Field>
The following example defines a field in the enable form that lists the assigned DenyGroups in a derivation rule of a hidden field:
<Field name=’resourceAccounts.currentResourceAccounts
[YourResourceName].attributes.DenyGroups’>
<Derivation>
<invoke name=’getList’>
<invoke name=’getView’>
<ref>display.session</ref>
<concat>
<s>UserViewer:</s>
<ref>resourceAccounts.id</ref>
</concat>
<map>
<s>TargetResources</s>
<list>
<s>YourResourceName</s>
</list>
</map>
</invoke>
<s>accounts[YourResourceName].DenyGroups</s>
</invoke>
</Derivation>
</Field>
ID File
The gateway machine generates new IDs for users that are newly registered. They may be placed on a UNC path that is accessible to the gateway process/service. So, specifying \\machine\ids\myidfile.id would put it on the network share.
There might be a need for the gateway to run as a user when configured as a service to get access to the share specified when a user is created. You can assign SYSTEM to have access to shares, but it depends on how the gateway network environment looks.
You can specify that the ID file be stored in the address book also by setting the Store ID In Addr Book resource attribute to TRUE/FALSE.
Rename/Move
The move/rename actions are also performed by the adminp process. A move can be initiated from the rename form by changing the certifierOrgHierarchy attribute and providing the original certifierId file and password for that id file. The move request will create a “Name Move Request” in the requests database and must be completed by the new certifier that represents the user’s new organization. A move can be initiated by changing the user’s first/last name.
Note –
You cannot perform a rename and a move at the same time; the adminp process will not allow this since the request references the canonical name which will be changed in both cases.
Resource Names
The gateway requires that all Domino resources be named uniquely. If you have multiple Waveset deployments and they “point” to the same gateway, all of the Domino resources that exist on the deployments must have unique resource names.
Roaming Support
Waveset can create roaming users if the resource is a Domino 7.0 or later server. Waveset cannot change a user’s roaming status. Therefore, the RoamingUser account attribute cannot be set on existing users.
Gateway Timeouts
The Domino adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. This attribute controls how long before a request to the gateway times out and is considered hung.
You must manually add this attribute to the Resource object as follows:
<ResourceAttribute name=’Hang Timeout’ displayName=’com.waveset.adapter.RAMessages: RESATTR_HANGTIMEOUT’ type=’int’ description=’com.waveset.adapter.RAMessages: RESATTR_HANGTIMEOUT_HELP’ value=’NewValue’> </ResourceAttribute>
The default value for this attribute is 0, indicating that Waveset will not check for a hung connection.
- © 2010, Oracle Corporation and/or its affiliates