1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use IBM Lotus Notes and Domino either as a managed (target) resource or as an authoritative (trusted) source of identity data for Oracle Identity Manager.

Note:

At some places in this guide, IBM Lotus Notes and Domino has been referred to as the target system.

In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.

In the identity reconciliation (trusted source) configuration of the connector, users are created or modified only on the target system and information about these users is reconciled into Oracle Identity Manager.

Note:

It is recommended that you do not configure the target system as both an authoritative (trusted) source and a managed (target) resource.


1.1 Certified Components

Table 1-1 lists the certified components for this connector.

Table 1-1 Certified Components

| Item | Requirement |
| --- | --- |
| Oracle Identity Manager | You can use one of the following releases of Oracle Identity Manager: Oracle Identity Manager release 9.1.0.2 and any later BP in this release track; Oracle Identity Manager 11g release 1 (11.1.1.3.0) and any later BP in this release track; Oracle Identity Manager 11g release 1 PS1 (11.1.1.5.0) and any later BP in this release track |
| Target systems | IBM Lotus Notes/Domino 6.5, 7.x, 8.0.x, 8.5, 8.5.1, 8.5.2 |
| External code | NCSO.jar and Notes.jar. See Section 2.1.3, "Using External Code Files" for more information about these files. |
| JDK | For Oracle Identity Manager release 9.1.0.x, use JDK 1.5 or a later release in the 1.5 series. For Oracle Identity Manager release 11.1.1, use JDK 1.6 or a later release in the 1.6 series. |

Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.1 and future releases in the 9.1.0.x series that the connector supports.

Note: In this guide, Oracle Identity Manager release 11.1.1 has been used to denote Oracle Identity Manager 11g release 1 (11.1.1) and future releases in the 11.1.1.x series that the connector supports.


1.2 Usage Recommendation

Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:

  • If you are using an Oracle Identity Manager release that is 9.1.0.1 or later and earlier than Oracle Identity Manager 11g Release 1 (11.1.1.5.4), then use the 9.0.4.x version of this connector.

  • If you are using Oracle Identity Manager 11g Release 1 (11.1.1.5.4) or later, or Oracle Identity Manager 11g Release 2 BP04 (11.1.2.0.4) or later, then use the latest 11.1.1.x version of this connector.

  • If the IBM Lotus Notes and Domino target systems are deployed on any of the following operating system platforms, then use the latest 11.1.1.x version of this connector:

    • Oracle Enterprise Linux later than 5.2+x86 (32-bit) and x64 (64-bit)

    • Solaris 11

1.3 Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Danish

  • English

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Portuguese (Brazilian)

  • Spanish

See Also:

For information about supported special characters:

  • For Oracle Identity Manager release 9.1.0.x, see Oracle Identity Manager Globalization Guide.

  • For Oracle Identity Manager release 11.1.1, see Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

1.4 Connector Architecture

Figure 1-1 shows the architecture of the connector for IBM Lotus Notes and Domino.

Figure 1-1 Architecture of the Connector


Note:

The connector does not use the Certificate Authority (CA) process.

The connector can be configured to run in one of the following modes:

  • Identity reconciliation

    Identity reconciliation is also known as authoritative or trusted source reconciliation. In this form of reconciliation, OIM Users are created or updated corresponding to the creation of and updates to users on the target system.

  • Account Management

    Account management is also known as target resource management. This mode of the connector enables the following operations:

    • Provisioning

      Provisioning involves creating or updating users on the target system through Oracle Identity Manager. When you allocate (or provision) a Lotus Notes resource to an OIM User, the operation results in the creation of an account on IBM Lotus Notes and Domino for that user. In the Oracle Identity Manager context, the term provisioning also covers updates made to the target system account through Oracle Identity Manager.

    • Target resource reconciliation

      In target resource reconciliation, data related to newly created and modified target system accounts can be reconciled and linked with existing OIM Users and provisioned resources. A scheduled task is used for reconciliation.

      Note:

      In Oracle Identity Manager release 11.1.1, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1.

      See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

1.5 Features of the Connector

1.5.1 Support for Both Target Resource and Trusted Source Reconciliation

You can use the connector to configure Oracle Internet Directory as either a target resource or trusted source of Oracle Identity Manager.

See Section 3.3, "Configuring Reconciliation" for more information.

1.5.2 Support for Limited Reconciliation

For a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.

See Section 3.3.2, "Limited Reconciliation" for more information.

1.5.3 Support for Batched Reconciliation

Batched reconciliation is the reconciliation of a specified number of target system records at a time, within a reconciliation run. Multiple batches of records are fetched to complete the reconciliation run. This feature helps reduce memory issues that might arise when there are a large number of records to be reconciled.

See Section 3.3.3, "Batched Reconciliation" for more information.

1.5.4 Support for Reconciliation of Deleted User Records

You can configure the connector for reconciliation of deleted user records. In target resource mode, if a record is deleted on the target system, then the corresponding IBM Lotus Notes and Domino resource is revoked from the OIM User. In trusted source mode, if a record is deleted on the target system, then the corresponding OIM User is deleted.

See Section 3.3.4.2, "Scheduled Task for Reconciliation of Deleted Users" for more information about scheduled tasks used for reconciling deleted user records.

1.5.5 Support for Both Full and Incremental Reconciliation

After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, change-based or incremental reconciliation is automatically enabled from the next run of the user reconciliation.

You can perform a full reconciliation run at any time.

See Section 3.3.1, "Full Reconciliation vs. Incremental Reconciliation" for more information.

1.5.6 Support for Adding New Single-Valued Attributes for Reconciliation and Provisioning

You can add to the standard set of single-valued attributes for reconciliation and provisioning. Chapter 4, "Extending the Functionality of the Connector" describes the procedure.

1.6 Connector Objects Used in the Target Resource Mode

See Also:

The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Concepts Guide for conceptual information about reconciliation configurations


1.6.1 User Attributes for Target Resource Reconciliation and Provisioning

Table 1-2 provides information about user attribute mappings for target resource reconciliation and provisioning.

Table 1-2 User Attributes for Target Resource Reconciliation and Provisioning

| Process Form Field | IBM Lotus Notes and Domino Attribute | Description |
| --- | --- | --- |
| First Name | FirstName | First name |
| Middle Name | MiddleInitial | Middle name |
| Last Name | LastName | Last name |
| Short Name | ShortName | Short name |
| Password | UserPassword | Password |
| Security Type | License | Security type for user (North American or International) |
| End Date | ExpirationDate | Expiration date of certificate |
| Organizational Unit | OU | Organization to which user belongs |
| Mail Internet Address | InternetAddress | E-mail address |
| Location | Location | Location |
| Comment | Comment | Comment |
| Forward Domain | MailAddress | Forwarding e-mail address |
| GRP Name | GROUPLIST | Group to which user belongs |
| UniqueID | Full hierarchical name of a user | Full hierarchical name that uniquely identifies each user account on the target system. For example: G=FIRST_NAME/I=MIDDLEINITIAL/S=LASTNAME/CN= FIRSTNAME MIDDLEINITIAL LASTNAME/OU=ORGANIZATIONUNIT/O=ORGANIZATION |
| Universal ID | Universal Id | 16-bit alphanumeric ID that uniquely identifies a user. Note: At the end of a Create User provisioning operation, the Universal Id is created on the target system and then fetched to Oracle Identity Manager. |


1.6.2 Lookup Definitions

The Lookup.Lotus.Grp lookup definition is used to hold values for the Group lookup field on the process form. Similarly, the Lookup.Lotus.OU lookup definition is used to hold values for the OU lookup field on the process form. Lookup field synchronization involves fetching group and OU names from the target system and storing them in these lookup definitions.

1.6.3 Provisioning Functions

Table 1-3 lists the provisioning functions that are available with this connector.

Table 1-3 Provisioning Functions

| Function | Description | Adapter |
| --- | --- | --- |
| Create User | Creates a user | LNCreateUser |
| Delete User | Deletes a user. Note: This function is implemented using the DeleteUser Administration Process (AdminP) function of IBM Lotus Notes and Domino. | LNDeleteUser |
| Update User Last Name | Updates the last name of a user. Note: This function is implemented using the RenameNotesUser AdminP function of IBM Lotus Notes and Domino. | LNUpdateUserName |
| Update User First Name | Updates the first name of a user. Note: This function is implemented using the RenameNotesUser AdminP function of IBM Lotus Notes and Domino. | LNUpdateUserName |
| Update User Middle Name | Updates the middle name of a user. Note: This function is implemented using the RenameNotesUser AdminP function of IBM Lotus Notes and Domino. | LNUpdateUserName |
| Update User Organizational Unit | Updates the organizational unit of a user. Note: This function is implemented using the RenameNotesUser AdminP function of IBM Lotus Notes and Domino. | LNUpdateUserName |
| Update User Short Name | Updates the short name of a user | LNUpdateUserInfo |
| Update User Mail Internet Address | Updates the e-mail address of a user | LNUpdateUserInfo |
| Update User Location | Updates the location of a user | LNUpdateUserInfo |
| Update User Comment | Updates the comment of a user | LNUpdateUserInfo |
| Update User Forward Domain | Updates the e-mail address to which e-mail for the user must be forwarded | LNUpdateUserInfo |
| Update User Password | Updates the user password and resets (or updates) the ID file. See the note that follows this table. | LNUpdatePassword |
| Disable User | Disables a user | LNEnableDisable |
| Enable User | Enables a user | LNEnableDisable |

Note (Update User Password): This connector changes the password only in Lotus Notes. If the password synchronization between Lotus Notes and Domino Internet/HTTP passwords is not enabled, then the password change made from Oracle Identity Manager to Lotus Notes is not reflected in the Internet/HTTP password.

To synchronize passwords between Lotus Notes and Domino Internet/HTTP:

  • Enable the password synchronization feature in the target system.

  • Set the sync flag to "true" in the user record.


1.6.4 Reconciliation Rule for Target Resource Reconciliation

See Also:

Oracle Identity Manager Connector Concepts for generic information about reconciliation matching and action rules

The following is the process matching rule:

Rule name: Reconcile Lotus User

Rule element: (Last Name Equals Users.OldLastName) AND (First Name Equals Users.OldFirstName)

After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for Reconcile Lotus User. Figure 1-2 shows the reconciliation rule for target resource reconciliation.

    Figure 1-2 Reconciliation Rule for Target Resource Reconciliation


1.6.5 Reconciliation Action Rules for Target Resource Reconciliation

Table 1-4 lists the action rules for target resource reconciliation.

Table 1-4 Action Rules for Target Resource Reconciliation

| Rule Condition | Action |
| --- | --- |
| No Matches Found | Assign to Administrator With Least Load |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Identity Manager Design Console Guide for information about modifying or creating reconciliation action rules.

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Search for and open the LOTUSRO resource object.

  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rule for target resource reconciliation.

    Figure 1-3 Reconciliation Action Rules for Target Resource Reconciliation


1.7 Connector Objects Used in the Trusted Source Mode


1.7.1 User Attributes for Trusted Source Reconciliation

Table 1-5 lists attribute mappings for trusted source reconciliation.

Table 1-5 User Attributes for Trusted Source Reconciliation

| OIM User Form Field | IBM Lotus Notes and Domino Attribute |
| --- | --- |
| User ID | LastName |
| First Name | FirstName |
| Last Name | LastName |
| Employee Type | Full-Time |
| User Type | End-User |
| Organization | XellerateOrganization |
| Email | InternetAddress |


1.7.2 Reconciliation Rule for Trusted Source Reconciliation

See Also:

Oracle Identity Manager Connector Concepts for generic information about reconciliation matching and action rules

The following is the process matching rule:

Rule name: Lotus Notes XellerateUser Rule

Rule element: User Login Equals Users.LoginName

After you deploy the connector, you can view the reconciliation rule for trusted source reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for Lotus Notes XellerateUser Rule. Figure 1-4 shows the reconciliation rule for trusted source reconciliation.

    Figure 1-4 Reconciliation Rule for Trusted Source Reconciliation


1.7.3 Reconciliation Action Rules for Trusted Source Reconciliation

Table 1-6 lists the action rules for trusted source reconciliation.

Table 1-6 Action Rules for Trusted Source Reconciliation

| Rule Condition | Action |
| --- | --- |
| No Matches Found | Create User |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Identity Manager Design Console Guide for information about modifying or creating reconciliation action rules.
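
The matching rules in Sections 1.6.4 and 1.7.2 and the action rules in Tables 1-4 and 1-6 can be followed together in the Python model below, which is an added example and not code from the connector or from Oracle Identity Manager. It assumes that the left operand of each rule element is the OIM User attribute and the right operand is the reconciliation field; the sample users, the function names, and the label given to a more-than-one match are constructed for the illustration, and process matching is not modelled.

```python
# Added illustration (not Oracle Identity Manager code): entity matching plus
# the action-rule lookup for both connector modes.

# Rule elements from Sections 1.6.4 and 1.7.2, ANDed together. Treating the left
# operand as the OIM User attribute and the right operand as the reconciliation
# field of the incoming record is an assumption of this model.
MATCH_RULES = {
    "target": [("Last Name", "Users.OldLastName"),
               ("First Name", "Users.OldFirstName")],
    "trusted": [("User Login", "Users.LoginName")],
}

# Action rules from Table 1-4 (target resource) and Table 1-6 (trusted source).
ACTION_RULES = {
    "target": {"No Matches Found": "Assign to Administrator With Least Load",
               "One Entity Match Found": "Establish Link",
               "One Process Match Found": "Establish Link"},
    "trusted": {"No Matches Found": "Create User",
                "One Entity Match Found": "Establish Link",
                "One Process Match Found": "Establish Link"},
}

# Constructed sample OIM Users; two of them share first and last name.
OIM_USERS = [
    {"User Login": "JDOE", "First Name": "John", "Last Name": "Doe"},
    {"User Login": "JDOE2", "First Name": "John", "Last Name": "Doe"},
    {"User Login": "ASMITH", "First Name": "Ann", "Last Name": "Smith"},
]


def entity_matches(mode, record, oim_users):
    """Return the OIM Users for which every rule element holds."""
    rule = MATCH_RULES[mode]
    return [user for user in oim_users
            if all(record.get(field) is not None
                   and user.get(attr) == record[field]
                   for attr, field in rule)]


def reconcile(mode, record, oim_users=OIM_USERS):
    """Return (rule condition, action or None, matched logins)."""
    matches = entity_matches(mode, record, oim_users)
    if not matches:
        condition = "No Matches Found"
    elif len(matches) == 1:
        condition = "One Entity Match Found"
    else:
        # Not listed in Table 1-4 or 1-6, so no action is predefined.
        condition = "Multiple Entity Matches Found"
    action = ACTION_RULES[mode].get(condition)
    return condition, action, [user["User Login"] for user in matches]


if __name__ == "__main__":
    same_name = {"Users.OldLastName": "Doe", "Users.OldFirstName": "John"}
    print(reconcile("target", same_name))
    print(reconcile("trusted", {"Users.LoginName": "NEWUSER"}))
```

In target resource mode the rule keys on first and last name only, so two OIM Users with the same name produce a condition that has no predefined action, and the record is neither linked nor assigned until an action rule is defined for it.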

After you deploy the connector, you can view the reconciliation action rules for trusted source reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Search for and open the Xellerate User resource object.

  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rule for trusted source reconciliation.

    Figure 1-5 Reconciliation Action Rules for Trusted Source Reconciliation


1.8 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide: