Sun Java[TM] System Identity Manager 7.1 Resources Reference
Domino
The Domino resource adapter is defined in the com.waveset.adapter.DominoResourceAdapter class.
This adapter supports the following versions of Lotus Domino Server:
- 5.0
- 6.5, 6.5.4
- 7.0
Resource Configuration Notes
This section provides instructions for configuring Domino resources for use with Identity Manager.
General Configuration Instructions
Use these procedures to set up a Domino resource adapter:
- Create the Identity Manager administrator in Domino. Use a certifier ID that has access to all organizations needed to manage users.
- Add the user to the access control list (ACL) of the address book for the server, names.nsf.
- Add the user to the ACL of the registration log, certlog.nsf, with Depositor access.
- Add the user to the ACL of the Administration Requests, admin4.nsf, with Depositor access.
- Add the newly-created user to server security:
- Open the Security panel to edit the server configuration.
- If access to the Domino server is restricted, make sure the Identity Manager proxy account has access to the server. This is done by specifying the account name or a group to which the proxy account belongs in the Access Server field.
- If a before or after action calls a Domino agent, the user might also need to be listed in the Run unrestricted LotusScript/Java agents or Run restricted LotusScript/Java agents field, depending on how the called agent is configured.
Installing the Gateway to Support Domino
For the gateway to talk with Domino, a Notes client must already be installed on the gateway machine.
Add the following string values under HKEY_LOCAL_MACHINE\SOFTWARE\Waveset\Lighthouse\Gateway in the Windows registry so that Domino works properly:
- notesInstallDir - The directory where the Notes client is installed and where notes.dll is located. Typically this is a location such as C:\Lotus\Notes\.
- notesIniFile - The full path, including the file name, to the Lotus Notes initialization file. Copy the file from its default location (such as C:\Lotus\Notes\notes.ini) to the directory containing the Identity Manager gateway, and set this value to the path of that copy, for example C:\GatewayDir\notes.ini.
Identity Manager Installation Notes
No additional installation procedures are required on this resource.
Usage Notes
This section provides information related to using the Domino resource adapter.
Recertification Process
The recertification process is done using the Boolean user attribute named “recertify.” During an update operation the attribute is checked; if enabled, the user ID is recertified.
Recertification is performed through the adminp process: the adapter generates an adminp request, and the ID is recertified at some later point. The timing depends on the configuration of the Domino server. In 5.0, once the address book entry has been recertified, the ID file is updated with the new certificate the next time the user logs in.
Changing Passwords
Lotus users have two different passwords:
- HttpPassword — The password that allows a user to access a Notes server from a web browser or other HTTP client.
- ID file — The password that encrypts the user’s Notes ID file. This password cannot be changed unless the current password is specified. As a result, an Identity Manager administrator cannot change this password.
See ID File for additional information.
The adapter can be configured to manage one or both of these passwords.
Managing HttpPasswords Only
Configure the Domino Gateway adapter as follows to manage HttpPasswords but not ID file passwords.
Managing HttpPasswords and ID File Passwords
Configure the Domino Gateway adapter as follows to manage ID file passwords from the User interface and HttpPasswords from the Administrator and User interfaces.
- Set the User Provides Password On Change resource parameter to 0.
- The ID file password cannot be changed unless the user specifies the current password. The current password must be defined in the schema map as an account attribute named WS_USER_PASSWORD. Make sure this attribute is present and its data type is encrypted.
- In the schema map, change the HTTPPassword Resource User Attribute to password. As a result of this change, the password Resource User Attribute will map to password as well as HTTPPassword.
- Add the Password and LoginChange views to the WS_USER_PASSWORD AccountAttribute. Use the Identity Manager Integrated Development Environment or debug pages to edit the resource definition as follows:
<AccountAttributeType id='66' name='WS_USER_PASSWORD' syntax='encrypted' mapName='WS_USER_PASSWORD' mapType='string'>
<Views>
<String>Password</String>
<String>LoginChange</String>
</Views>
</AccountAttributeType>
- Add the WS_USER_PASSWORD and idFile fields to the following forms:
These fields must be defined to point to the resourceAccounts view.
<Field name='resourceAccounts.currentResourceAccounts[ResourceName].attributes.idFile'>
<Display class='Text'>
<Property name='title' value='idfile'/>
</Display>
</Field>
<Field name='resourceAccounts.currentResourceAccounts[ResourceName].attributes.WS_USER_PASSWORD'>
<Display class='Text'>
<Property name='title' value='WS_USER_PASSWORD'/>
</Display>
</Field>
Managing ID File Passwords Only
Configure the Domino Gateway adapter as follows to manage ID file passwords from the User interface without managing HttpPasswords.
- Set the User Provides Password On Change resource parameter to 1.
- The ID file password cannot be changed unless the user specifies the current password. The current password must be defined in the schema map as an account attribute named WS_USER_PASSWORD. Make sure this attribute is present and its data type is encrypted.
- Add the idFile field to the following forms:
Disabling and Enabling
In Domino 6.0 and later, the preferred method to disable a user is to set the CheckPassword account attribute to 2. However, the 5.x method of adding the user to a deny group may still be used.
In versions of Domino prior to 6.0, there is no native disable flag for each user, so each disabled user is placed in a deny group; when the user is enabled, the user is removed from any of the defined deny groups. A deny group has a maximum number of members, so the group to use must be specified as an account attribute on the resource. This requires an additional DenyGroups account attribute to be passed to the resource. DenyGroups can be set during a Disable, Enable, or Deprovision, but is not fetched without additional coding.
When deprovisioning or disabling, you must send the list of DenyGroups that the user will be added to. When enabling, you must send the list of DenyGroups that the user will be removed from.
The available DenyGroups can be fetched from the resource with the following code:
<invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
<ref>:display.session</ref>
<s>DenyLists</s>
<s>YourResourceName</s>
<null/>
<s>false</s>
</invoke>
The currently assigned DenyGroups can be fetched on a disable, enable, or deprovision form with this code:
<invoke name='getList'>
<invoke name='getView'>
<ref>display.session</ref>
<concat>
<s>UserViewer:</s>
<ref>resourceAccounts.id</ref>
</concat>
<map>
<s>TargetResources</s>
<list>
<s>YourResourceName</s>
</list>
</map>
</invoke>
<s>accounts[YourResourceName].DenyGroups</s>
</invoke>
In the enable, disable, and deprovision forms, you must address the DenyGroups attribute as:
resourceAccounts.currentResourceAccounts[YourResourceName].attributes.DenyGroups
The following example defines a field in the disable form that lists the available DenyGroups in the left hand side of a multi-select box:
<Field name='resourceAccounts.currentResourceAccounts[YourResourceName].attributes.DenyGroups'>
<Display class='MultiSelect'>
<Property name='title' value='Deny Groups'/>
<Property name='required'>
<Boolean>false</Boolean>
</Property>
<Property name='allowedValues'>
<invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
<ref>:display.session</ref>
<s>DenyLists</s>
<s>YourResourceName</s>
<null/>
<s>false</s>
</invoke>
</Property>
<Property name='availableTitle' value='Available Deny Groups'/>
<Property name='selectedTitle' value='Assigned Deny Groups'/>
</Display>
</Field>
The following example defines a field in the enable form that lists the assigned DenyGroups in the derivation rule of a hidden field:
<Field name='resourceAccounts.currentResourceAccounts[YourResourceName].attributes.DenyGroups'>
<Derivation>
<invoke name='getList'>
<invoke name='getView'>
<ref>display.session</ref>
<concat>
<s>UserViewer:</s>
<ref>resourceAccounts.id</ref>
</concat>
<map>
<s>TargetResources</s>
<list>
<s>YourResourceName</s>
</list>
</map>
</invoke>
<s>accounts[YourResourceName].DenyGroups</s>
</invoke>
</Derivation>
</Field>
ID File
The gateway machine generates new ID files for newly registered users. They can be written to a UNC path that is accessible to the gateway process or service; for example, specifying \\machine\ids\myidfile.id places the ID file on that network share. Restrict the share's permissions to the gateway account: each ID file is the user's Notes credential, protected only by its ID file password.
When the gateway is installed as a service, it might need to run under an account that has access to the share specified when a user is created. You can grant SYSTEM access to the share instead, but whether that is appropriate depends on the gateway network environment.
You can also store the ID file in the address book by setting the Store ID In Addr Book resource attribute to TRUE.
Rename/Move
The move and rename actions are also performed by the adminp process. A move is initiated from the rename form by changing the certifierOrgHierarchy attribute and providing the original certifier ID file and the password for that ID file. The move request creates a "Name Move Request" in the Administration Requests database and must be completed by the certifier that represents the user's new organization. A rename is initiated by changing the user's first or last name.
Note
You cannot perform a rename and a move at the same time; the adminp process does not allow this, because the request references the canonical name, which changes in both cases.
Resource Names
The gateway requires that all Domino resources be named uniquely. If you have multiple Identity Manager deployments and they “point” to the same gateway, all of the Domino resources that exist on the deployments must have unique resource names.
Active Sync Configuration
Before Identity Manager 5.5, if the Active Sync Process deletes as updates check box was selected, Identity Manager disabled a deleted Identity Manager user and all of its resource accounts and marked the user for later deletion. By default, this check box was selected. In Identity Manager 5.5 and later, the same behavior is configured by setting the Delete Rule to None.
If the check box was previously deselected, the Delete Rule is set to ActiveSync has isDeleted set.
Roaming Support
Identity Manager can create roaming users if the resource is a Domino 7.0 server. Identity Manager cannot change a user’s roaming status. Therefore, the RoamingUser account attribute cannot be set on existing users.
Additional Information
This section provides some additional information related to this adapter.
ListAllObjects
You can list any object specified in Domino. Pass in the view name as the “type” to the listAllObjects call.
Form Updates
Since some of these operations require additional attributes, default forms must be updated to include these attributes.
The resource definition already defines the attributes that should be passed to the various views.
searchFilter
The following sample UserForm illustrates how the searchFilter option for the getResourceObjects method can be implemented for Domino. This form finds all users with the last name Smith on the resource MyResource.
<Form name='Domino searchFilter Form' objectType='UserForm'>
<Display class='EditForm'/>
<Field name='rcwfield'>
<Display class='MultiSelect'>
<Property name='title' value='My Lister'/>
<Property name='availableTitle' value='Listing available items'/>
<Property name='selectedTitle' value='Selected Item(s)'/>
<Property name='allowedValues'>
<block trace='true'>
<invoke name='getResourceObjects' class='com.waveset.ui.FormUtil'>
<ref>:display.session</ref>
<s>People</s>
<s>MyResource</s>
<Map>
<MapEntry key='searchAttrsToGet'>
<List>
<String>LastName</String>
<String>ShortName</String>
<String>MailFile</String>
</List>
</MapEntry>
<MapEntry key='searchFilter' value='@IsAvailable(LastName) & @Contains(@LowerCase(LastName);"smith")'/>
</Map>
</invoke>
</block>
</Property>
</Display>
<Disable>
<i>0</i>
</Disable>
</Field>
</Form>
Other Form Issues
- Only the HTTPPassword can be changed or reset via the administrator. If you do not want to change only the HTTPPassword, the default tables must filter the Domino adapter.
- The Change My Password, Change Password, and Expired Login forms generate a column named “Forgot Old Password?” This column must be removed for Domino resources since Identity Manager does not support administrator password updates.
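The searchFilter shown in the sample form earlier in this section is a Notes formula, so any search term that comes from a user must be quoted as a formula string literal before it is spliced into the formula, and the whole formula must then be escaped again when it is placed in an XML attribute. The following is an added example, not code from Identity Manager or Sun; it assumes that Notes formula string literals escape a double quote and a backslash with a backslash, and the allowed attribute set and function names are this example's own.

```python
"""Building a Domino searchFilter safely for getResourceObjects.

Added example; not code from Sun Identity Manager. Two escaping layers are
applied in order: the term becomes a Notes formula string literal, and the
resulting formula is escaped for an XML attribute. Assumptions: Notes formula
strings escape '"' and '\\' with a backslash; the attribute allowlist below is
this example's own.
"""
from xml.sax.saxutils import quoteattr

# Items of the People view this form may search on. Anything else is refused so
# a caller cannot redirect the lookup to another field.
ALLOWED_SEARCH_ATTRS = frozenset(
    {"LastName", "FirstName", "ShortName", "MailFile", "InternetAddress"}
)


def formula_string_literal(value: str) -> str:
    """Quote value as a Notes formula string literal, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_contains_filter(attr: str, term: str) -> str:
    """Return the case-insensitive 'attr contains term' formula used in the sample form."""
    if attr not in ALLOWED_SEARCH_ATTRS:
        raise ValueError(f"attribute is not searchable: {attr!r}")
    term = term.strip().lower()
    if not term:
        raise ValueError("empty search term")
    literal = formula_string_literal(term)
    return f"@IsAvailable({attr}) & @Contains(@LowerCase({attr});{literal})"


def search_filter_map_entry(attr: str, term: str) -> str:
    """The <MapEntry key='searchFilter' .../> element for the form, with XML
    attribute escaping (quoteattr emits &amp; for the formula's &) applied on
    top of the formula escaping."""
    return f"<MapEntry key='searchFilter' value={quoteattr(build_contains_filter(attr, term))}/>"


def unescaped_quotes(formula: str) -> int:
    """Count double quotes that are not escaped by a backslash. A filter built
    from a single literal must contain exactly two, whatever the term was."""
    count, i = 0, 0
    while i < len(formula):
        if formula[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if formula[i] == '"':
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed inputs: a normal search and a term that tries to break out
    # of the string literal and OR in a clause that matches every user.
    print(build_contains_filter("LastName", "Smith"))
    hostile = 'x") | @True | @Contains(@LowerCase(LastName);"'
    safe = build_contains_filter("LastName", hostile)
    print(safe, unescaped_quotes(safe))  # the term stays inside one literal
    print(search_filter_map_entry("LastName", "Smith"))
```

The hostile term stays inside a single string literal, so the injected `| @True` is searched for as text rather than evaluated. Note that the page's own fragment places a bare `&` inside an XML attribute; `quoteattr` writes it as `&amp;`, which is what a strict XML parser expects.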
Attributes Configured to be Passed Into Views
Actions
The following variables are available for use in before and after actions:
The WSUSER_UNID variable refers to the Lotus Notes universal ID. This variable cannot be referenced until after the account has been created.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses the Sun Identity Manager Gateway to communicate with Domino.
Required Administrative Privileges
None
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature                        Supported?
Enable/disable account         Yes
Rename account                 Yes
Pass-through authentication    No
Before/after actions           Yes
Data loading methods
Account Attributes
The following table provides information about Domino account attributes.
The default data type is string, unless otherwise indicated.
Identity Template
Domino stores the identity of each user in the user ID file. The same user name is also stored in the user record, in the FullName attribute. That attribute is multi-valued, and the first value in the list is unique. The first name in the list is stored in canonical format, similar to the following:
CN=Joe T Smith/O=MyCompany
Using this name, the adapter can reach the user's record in the Name and Address Book. Identity Manager stores this string on resourceInfo in its abbreviated ("nice") form, which looks like:
Joe T Smith/MyCompany
Domino has built-in functions to convert names between these forms at the API level. Identity Manager also stores the NOTEID as the GUID attribute and, whenever possible, uses this global identifier to look up users in Domino.
The default identity template is:
$firstname$ $MiddleInitial$ $lastname$$CertifierOrgHierarchy$
Depending on the environment, the middle initial may not be included.
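The conversion between the two name forms and the expansion of the identity template, as an added example that is not code from Identity Manager or Sun. It assumes hierarchical names built from CN, OU, O and C components (a trailing two-letter upper-case component is taken as a country code), that CertifierOrgHierarchy carries its leading slash ("/MyCompany"), and the function names are this example's own.

```python
"""Domino name handling as the Identity Manager Domino adapter uses it.

Added example; not code from Sun Identity Manager. Converts between the
canonical form stored first in the multi-valued FullName item
("CN=Joe T Smith/O=MyCompany") and the abbreviated form kept on resourceInfo
("Joe T Smith/MyCompany"), and expands the default identity template.
Assumptions: hierarchical names only (no flat names), components CN/OU/O/C,
and CertifierOrgHierarchy includes its leading slash.
"""
import re

# Component prefixes of a Domino canonical name, from most to least specific.
_PREFIXES = ("CN", "OU", "O", "C")

DEFAULT_IDENTITY_TEMPLATE = "$firstname$ $MiddleInitial$ $lastname$$CertifierOrgHierarchy$"


def canonical_to_abbreviated(name: str) -> str:
    """'CN=Joe T Smith/OU=Sales/O=MyCompany' -> 'Joe T Smith/Sales/MyCompany'."""
    parts = []
    for component in name.split("/"):
        prefix, sep, value = component.partition("=")
        # Strip a recognised prefix; leave anything else untouched so an
        # already-abbreviated name passes through unchanged.
        parts.append(value if sep and prefix.upper() in _PREFIXES else component)
    return "/".join(parts)


def abbreviated_to_canonical(name: str) -> str:
    """'Joe T Smith/Sales/MyCompany' -> 'CN=Joe T Smith/OU=Sales/O=MyCompany'.

    First component is the common name, last the organization, any between
    are organizational units. A trailing two-letter upper-case component is
    treated as a country code (assumption of this example).
    """
    parts = [p for p in name.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"not a hierarchical name: {name!r}")
    if any("=" in p for p in parts):
        return name  # already canonical
    country = None
    if len(parts) > 2 and re.fullmatch(r"[A-Z]{2}", parts[-1]):
        country = parts.pop()
    cn, *ous, org = parts
    out = [f"CN={cn}", *(f"OU={ou}" for ou in ous), f"O={org}"]
    if country:
        out.append(f"C={country}")
    return "/".join(out)


def primary_name(full_name_values: list) -> str:
    """FullName is multi-valued; the first entry is the unique canonical one."""
    if not full_name_values:
        raise ValueError("FullName item is empty")
    return canonical_to_abbreviated(full_name_values[0])


def expand_identity_template(attrs: dict, template: str = DEFAULT_IDENTITY_TEMPLATE) -> str:
    """Substitute $name$ variables. A missing MiddleInitial must not leave a
    double space behind, so runs of spaces are collapsed afterwards."""
    expanded = re.sub(r"\$(\w+)\$", lambda m: attrs.get(m.group(1)) or "", template)
    return re.sub(r" {2,}", " ", expanded).strip()


if __name__ == "__main__":
    # Constructed sample record, not data from a real Domino directory.
    record = {"FullName": ["CN=Joe T Smith/O=MyCompany", "Joe Smith", "jsmith"]}
    print(primary_name(record["FullName"]))  # Joe T Smith/MyCompany
    print(abbreviated_to_canonical("Joe T Smith/Sales/MyCompany/US"))
    print(expand_identity_template({"firstname": "Joe", "lastname": "Smith",
                                    "CertifierOrgHierarchy": "/MyCompany"}))  # Joe Smith/MyCompany
```

Domino's own @Name([Canonicalize]) and @Name([Abbreviate]) perform the same conversions on the server; the functions here only make the two forms visible so that an identity template or a form derivation can be checked offline.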
Sample Forms
DominoActiveSyncForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.DominoResourceAdapter
Tracing can also be enabled on the following methods to diagnose problems connecting to the gateway:
Exchange 5.5
Support for the Microsoft Exchange resource adapter has been deprecated.
Use the Active Directory resource for Exchange 2000/2003, which is integrated with Exchange.