This section provides information related to using the Domino resource adapter, which is organized into the following sections:
You can used aliased groups when using Identity Manager to create a Domino group. Names of aliased groups are represented by this syntax: Group1;alias1;alias2. Note that when a group name appears in a list, you will see the primary name only.
The recertification process is done using the Boolean user attribute named “recertify.” During an update operation the attribute is checked; if enabled, the user ID is recertified.
The recertification process is done through the adminp process, meaning we generate an adminp request and the recertification of the ID gets done at some point afterwards. The timing of the recertification will depend on configuration of the Domino server.
Lotus users have two different passwords:
HttpPassword, which is the password that allows a user to access a Notes server from a web browser or other HTTP client.
ID file, which is the password that encrypts the user’s Notes ID file. This password cannot be changed unless the current password is specified. As a result, an Identity Manageradministrator cannot change this password.
See ID File for additional information.
The adapter can be configured to manage one or both of these passwords.
Configure the Domino Gateway adapter as follows to manage HttpPasswords but not ID file passwords.
Set the User Provides Password On Change resource parameter to 0.
In the schema map, change the password Resource User Attribute to HTTPPassword.
Delete the HTTPPassword Identity System User Attribute from the schema map.
Configure the Domino Gateway adapter as follows to manage ID file passwords from the User interface and HttpPasswords from the Administrator and User interfaces.
Set the User Provides Password On Change resource parameter to 0.
The ID file password cannot be changed unless the user specifies the current password. The current password must be defined in the schema map as an account attribute named WS_USER_PASSWORD. Make sure this attribute is present and its data type is encrypted.
In the schema map, change the HTTPPassword Resource User Attribute to password. As a result of this change, the password Resource User Attribute will map to password as well as HTTPassword.
Add the Password and LoginChange views to the WS_USER_PASSWORD AccountAttribute. Use the [Please define the IDMIDELong text entity] or debug pages to edit the resource definition as follows:
<AccountAttributeType id=’66’ name=’WS_USER_PASSWORD’ syntax=’encrypted’ mapName=’WS_USER_PASSWORD’ mapType=’string’> <Views> <String>Password</String> <String>LoginChange</String> </Views> </AccountAttributeType>
Add the WS_USER_PASSWORD and idFile fields to the following forms:
Change My Password Form
Change Password Form
Expired Login Form
These fields must be must be defined to point to the resourceAccounts view.
<Field name=’resourceAccounts.currentResourceAccounts[ResourceName]. attributes.idFile’> <Display class=’Text’> <Property name=’title’ value=’idfile’/> </Display> </Field> <Field name=’resourceAccounts.currentResourceAccounts[ResourceName]. attributes.WS_USER_PASSWORD’> <Display class=’Text’> <Property name=’title’ value=’WS_USER_PASSWORD’/> </Display> </Field>
Configure the Domino Gateway adapter as follows to manage ID file passwords from the User interface without managing HttpPasswords.
Set the User Provides Password On Change resource parameter to 1.
The ID file password cannot be changed unless the user specifies the current password. The current password must be defined in the schema map as an account attribute named WS_USER_PASSWORD. Make sure this attribute is present and its data type is encrypted.
Add the idFile field to the following forms:
Change My Password Form
Change Password Form
Expired Login Form
This field must be must be defined to point to the resourceAccounts view.
<Field name=’resourceAccounts.currentResourceAccounts[ResourceName]. attributes.idFile’> <Display class=’Text’> <Property name=’title’ value=’idfile’/> </Display> </Field>
In Domino 6.0 and later, the preferred method to disable a user is to set the CheckPassword account attribute to 2. However, the 5.x method of adding a user to a DENY GROUP may still be used.
Early versions of Domino do not implement a native disable flag for each user, so each user disabled is placed in a DENY GROUP. When enabled, they are removed as members of any of the defined groups. DENY GROUP has a maximum number of members threshold so the group has to be specified as an account attribute to the resource. This requires an additional DenyGroups account attribute to be passed to the resource. DenyGroups can be set during a Disable, Enable, or Deprovision, but will not be fetched without additional coding.
When deprovisioning or disabling, you must send a list of DenyGroups that the user will be added to. When enabling, you must send a list of DenyGroups that the user will be removed from.
The available DenyGroups can be fetched from the resource with the following code:
<invoke name=’listResourceObjects’ class=’com.waveset.ui.FormUtil’> <ref>:display.session</ref> <s>DenyLists</s> <s>YourResourceName</s> <null/> <s>false</s> </invoke>
The currently assigned DenyGroups can be fetched on a disable, enable, or deprovision form with this code:
<invoke name=’getList’> <invoke name=’getView’> <ref>display.session</ref> <concat> <s>UserViewer:</s> <ref>resourceAccounts.id</ref> </concat> <map> <s>TargetResources</s> <list> <s>YourResourceName</s> </list> </map> </invoke> <s>accounts[YourResourceName].DenyGroups</s> </invoke>
In the enable, disable, and deprovision forms, you must address the DenyGroups attribute as:
resourceAccounts.currentResourceAccounts [YourResourceName].attributes.DenyGroups
The following example defines a field in the disable form that lists the available DenyGroups in the left hand side of a multi-select box:
<Field name=’resourceAccounts.currentResourceAccounts [ YourResourceName].attributes.DenyGroups’> <Display class=’MultiSelect’> <Property name=’title’ value=’Deny Groups’/> <Property name=’required’> <Boolean>false</Boolean> </Property> <Property name=’allowedValues’> <invoke name=’listResourceObjects’ class=’com.waveset.ui.FormUtil’> <ref>:display.session</ref> <s>DenyLists</s> <s>YourResourceName</s> <null/> <s>false</s> </invoke> </Property> <Property name=’availableTitle’ value=’Available Deny Groups’/> <Property name=’selectedTitle’ value=’Assigned Deny Groups’/> </Display> </Field>
The following example defines a field in the enable form that lists the assigned DenyGroups in a derivation rule of a hidden field:
<Field name=’resourceAccounts.currentResourceAccounts [YourResourceName].attributes.DenyGroups’> <Derivation> <invoke name=’getList’> <invoke name=’getView’> <ref>display.session</ref> <concat> <s>UserViewer:</s> <ref>resourceAccounts.id</ref> </concat> <map> <s>TargetResources</s> <list> <s>YourResourceName</s> </list> </map> </invoke> <s>accounts[YourResourceName].DenyGroups</s> </invoke> </Derivation> </Field>
The gateway machine generates new IDs for users that are newly registered. They may be placed on a UNC path that is accessible to the gateway process/service. So, specifying \\machine\ids\myidfile.id would put it on the network share.
There might be a need for the gateway to run as a user when configured as a service to get access to the share specified when a user is created. You can assign SYSTEM to have access to shares, but it depends on how the gateway network environment looks.
You can specify that the ID file be stored in the address book also by setting the Store ID In Addr Book resource attribute to TRUE/FALSE.
The move/rename actions are also performed by the adminp process. A move can be initiated from the rename form by changing the certifierOrgHierarchy attribute and providing the original certifierId file and password for that id file. The move request will create a “Name Move Request” in the requests database and must be completed by the new certifier that represents the user’s new organization. A move can be initiated by changing the user’s first/last name.
You cannot perform a rename and a move at the same time; the adminp process will not allow this since the request references the canonical name which will be changed in both cases.
The gateway requires that all Domino resources be named uniquely. If you have multiple Identity Manager deployments and they “point” to the same gateway, all of the Domino resources that exist on the deployments must have unique resource names.
Identity Manager can create roaming users if the resource is a Domino 7.0 or later server. Identity Manager cannot change a user’s roaming status. Therefore, the RoamingUser account attribute cannot be set on existing users.
The Domino adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. This attribute controls how long before a request to the gateway times out and is considered hung.
You must manually add this attribute to the Resource object as follows:
<ResourceAttribute name=’Hang Timeout’ displayName=’com.waveset.adapter.RAMessages: RESATTR_HANGTIMEOUT’ type=’int’ description=’com.waveset.adapter.RAMessages: RESATTR_HANGTIMEOUT_HELP’ value=’NewValue’> </ResourceAttribute>
The default value for this attribute is 0, indicating that Identity Manager will not check for a hung connection.