Sun Identity Manager 8.1 Resources Reference

Adapter Details

Resource Configuration Notes

This section provides instructions for configuring Domino resources for use with Identity Manager, including:

General instructions for setting up the Domino resource for use with Identity Manager
Instructions for installing the Gateway to support Domino

General Configuration Instructions

Use these procedures to set up a Domino resource adapter:

Setting Up a Domino Resource Adapter

Create the Identity Manager administrator in Domino. Use a certifier ID that has access to all organizations needed to manage users.

Add the user to the access control list (ACL) of the address book for the server, names.nsf.
1. Give the user Editor access.
2. Assign the user the following roles:
  - GroupModifier
    - UserCreator
      - UserModifier

Add the user to the ACL of the registration log, certlog.nsf, with Depositor access.

Add the user to the ACL of the Administration Requests, admin4.nsf, with Depositor access.

Add the newly created user to server security:
1. Open the Security panel to edit the server configuration.
2. If access to the Domino server is restricted, make sure the Identity Manager proxy account has access to the server. This is done by specifying the account name or a group to which the proxy account belongs in the Access Serverfield.
3. If there is a before or after action that calls a Domino agent, the user might need to be added to the Run unrestricted LotusScript/Java agentsor Run restricted LotusScript/Java agentfield, depending on how the agent being called is configured.

Installing the Gateway to Support Domino

For the gateway to talk with Domino, there must be a Notes client already installed on the gateway machine

Add the following string values to HKEY_LOCAL_MACHINE\SOFTWARE\Waveset\Lighthouse\Gateway in the Windows registry to ensure Domino works properly:

notesInstallDir. This is the location where the client is installed and where the notes.dll file is location. Typically, the location is something like C:\Lotus\Notes\.
notesIniFile. The full path to the Lotus Notes initialization file, including the file name. You should copy the file from its default location (such as C:\Lotus\Notes\notes.ini) to the directory containing the Identity Manager gateway. Therefore, you should set the value of this registry key to a value similar to C:\GatewayDir\notes.ini.

Note –

Make sure the Notes client is running with a network-enabled profile. If you change the network connection after you copy the ini file, you must re-copy it or run the client through the command line, as in:

C:\Lotus\Notes\notes.exe=PathToIniFile

Identity Manager Installation Notes

No additional installation procedures are required on this resource.

Usage Notes

This section provides information related to using the Domino resource adapter, which is organized into the following sections:

You can used aliased groups when using Identity Manager to create a Domino group. Names of aliased groups are represented by this syntax: Group1;alias1;alias2. Note that when a group name appears in a list, you will see the primary name only.

Recertification Process

The recertification process is done using the Boolean user attribute named “recertify.” During an update operation the attribute is checked; if enabled, the user ID is recertified.

The recertification process is done through the adminp process, meaning we generate an adminp request and the recertification of the ID gets done at some point afterwards. The timing of the recertification will depend on configuration of the Domino server.

Changing Passwords

Lotus users have two different passwords:

HttpPassword, which is the password that allows a user to access a Notes server from a web browser or other HTTP client.
ID file, which is the password that encrypts the user’s Notes ID file. This password cannot be changed unless the current password is specified. As a result, an Identity Manageradministrator cannot change this password.

See ID File for additional information.

The adapter can be configured to manage one or both of these passwords.

Managing HttpPasswords Only

Configure the Domino Gateway adapter as follows to manage HttpPasswords but not ID file passwords.

Set the User Provides Password On Change resource parameter to 0.
In the schema map, change the password Resource User Attribute to HTTPPassword.
Delete the HTTPPassword Identity System User Attribute from the schema map.

Managing HttpPasswords and ID File Passwords

Configure the Domino Gateway adapter as follows to manage ID file passwords from the User interface and HttpPasswords from the Administrator and User interfaces.

Set the User Provides Password On Change resource parameter to 0.
The ID file password cannot be changed unless the user specifies the current password. The current password must be defined in the schema map as an account attribute named WS_USER_PASSWORD. Make sure this attribute is present and its data type is encrypted.
In the schema map, change the HTTPPassword Resource User Attribute to password. As a result of this change, the password Resource User Attribute will map to password as well as HTTPassword.

Add the Password and LoginChange views to the WS_USER_PASSWORD AccountAttribute. Use the [Please define the IDMIDELong text entity] or debug pages to edit the resource definition as follows:

<AccountAttributeType id=’66’ name=’WS_USER_PASSWORD’ syntax=’encrypted’ 
  mapName=’WS_USER_PASSWORD’ mapType=’string’>
   <Views>
      <String>Password</String>
      <String>LoginChange</String>
   </Views>
</AccountAttributeType>

Add the WS_USER_PASSWORD and idFile fields to the following forms:

Change My Password Form
Change Password Form

Expired Login Form

These fields must be must be defined to point to the resourceAccounts view.

<Field name=’resourceAccounts.currentResourceAccounts[ResourceName].
attributes.idFile’>
   <Display class=’Text’>
      <Property name=’title’ value=’idfile’/>
   </Display>
</Field>
<Field name=’resourceAccounts.currentResourceAccounts[ResourceName].
attributes.WS_USER_PASSWORD’>
   <Display class=’Text’>
      <Property name=’title’ value=’WS_USER_PASSWORD’/>
   </Display>
</Field>

Managing ID File Passwords Only

Configure the Domino Gateway adapter as follows to manage ID file passwords from the User interface without managing HttpPasswords.

Set the User Provides Password On Change resource parameter to 1.
The ID file password cannot be changed unless the user specifies the current password. The current password must be defined in the schema map as an account attribute named WS_USER_PASSWORD. Make sure this attribute is present and its data type is encrypted.

Add the idFile field to the following forms:

Change My Password Form
Change Password Form

Expired Login Form

This field must be must be defined to point to the resourceAccounts view.

<Field name=’resourceAccounts.currentResourceAccounts[ResourceName].
attributes.idFile’>
   <Display class=’Text’>
      <Property name=’title’ value=’idfile’/>
   </Display>
</Field>

Disabling and Enabling

In Domino 6.0 and later, the preferred method to disable a user is to set the CheckPassword account attribute to 2. However, the 5.x method of adding a user to a DENY GROUP may still be used.

Early versions of Domino do not implement a native disable flag for each user, so each user disabled is placed in a DENY GROUP. When enabled, they are removed as members of any of the defined groups. DENY GROUP has a maximum number of members threshold so the group has to be specified as an account attribute to the resource. This requires an additional DenyGroups account attribute to be passed to the resource. DenyGroups can be set during a Disable, Enable, or Deprovision, but will not be fetched without additional coding.

When deprovisioning or disabling, you must send a list of DenyGroups that the user will be added to. When enabling, you must send a list of DenyGroups that the user will be removed from.

The available DenyGroups can be fetched from the resource with the following code:

<invoke name=’listResourceObjects’ class=’com.waveset.ui.FormUtil’>
    <ref>:display.session</ref>
    <s>DenyLists</s>
    <s>YourResourceName</s>
    <null/>
    <s>false</s>
 </invoke>

The currently assigned DenyGroups can be fetched on a disable, enable, or deprovision form with this code:

<invoke name=’getList’>
    <invoke name=’getView’>
       <ref>display.session</ref>
       <concat>
          <s>UserViewer:</s>
          <ref>resourceAccounts.id</ref>
       </concat>
       <map>
          <s>TargetResources</s>
          <list>
             <s>YourResourceName</s>
          </list>
       </map>
    </invoke>
    <s>accounts[YourResourceName].DenyGroups</s>
 </invoke>

In the enable, disable, and deprovision forms, you must address the DenyGroups attribute as:

resourceAccounts.currentResourceAccounts [YourResourceName].attributes.DenyGroups

The following example defines a field in the disable form that lists the available DenyGroups in the left hand side of a multi-select box:

<Field name=’resourceAccounts.currentResourceAccounts [
  YourResourceName].attributes.DenyGroups’>
    <Display class=’MultiSelect’>
       <Property name=’title’ value=’Deny Groups’/>
       <Property name=’required’>
          <Boolean>false</Boolean>
       </Property>
       <Property name=’allowedValues’>
          <invoke name=’listResourceObjects’ class=’com.waveset.ui.FormUtil’>
             <ref>:display.session</ref>
             <s>DenyLists</s>
             <s>YourResourceName</s>
             <null/>
             <s>false</s>
          </invoke>
       </Property>
       <Property name=’availableTitle’ value=’Available Deny Groups’/>
       <Property name=’selectedTitle’ value=’Assigned Deny Groups’/>
    </Display>
 </Field>

The following example defines a field in the enable form that lists the assigned DenyGroups in a derivation rule of a hidden field:

<Field name=’resourceAccounts.currentResourceAccounts 
  [YourResourceName].attributes.DenyGroups’>
   <Derivation>
       <invoke name=’getList’>
          <invoke name=’getView’>
             <ref>display.session</ref>
             <concat>
                <s>UserViewer:</s>
                <ref>resourceAccounts.id</ref>
             </concat>
             <map>
                <s>TargetResources</s>
                <list>
                   <s>YourResourceName</s>
                </list>
             </map>
          </invoke>
          <s>accounts[YourResourceName].DenyGroups</s>
       </invoke>
    </Derivation>
 </Field>

ID File

The gateway machine generates new IDs for users that are newly registered. They may be placed on a UNC path that is accessible to the gateway process/service. So, specifying \\machine\ids\myidfile.id would put it on the network share.

There might be a need for the gateway to run as a user when configured as a service to get access to the share specified when a user is created. You can assign SYSTEM to have access to shares, but it depends on how the gateway network environment looks.

You can specify that the ID file be stored in the address book also by setting the Store ID In Addr Book resource attribute to TRUE/FALSE.

Rename/Move

The move/rename actions are also performed by the adminp process. A move can be initiated from the rename form by changing the certifierOrgHierarchy attribute and providing the original certifierId file and password for that id file. The move request will create a “Name Move Request” in the requests database and must be completed by the new certifier that represents the user’s new organization. A move can be initiated by changing the user’s first/last name.

Note –

You cannot perform a rename and a move at the same time; the adminp process will not allow this since the request references the canonical name which will be changed in both cases.

Resource Names

The gateway requires that all Domino resources be named uniquely. If you have multiple Identity Manager deployments and they “point” to the same gateway, all of the Domino resources that exist on the deployments must have unique resource names.

Roaming Support

Identity Manager can create roaming users if the resource is a Domino 7.0 or later server. Identity Manager cannot change a user’s roaming status. Therefore, the RoamingUser account attribute cannot be set on existing users.

Gateway Timeouts

The Domino adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. This attribute controls how long before a request to the gateway times out and is considered hung.

You must manually add this attribute to the Resource object as follows:

<ResourceAttribute name=’Hang Timeout’ displayName=’com.waveset.adapter.RAMessages:
  RESATTR_HANGTIMEOUT’ type=’int’ description=’com.waveset.adapter.RAMessages:
  RESATTR_HANGTIMEOUT_HELP’ value=’NewValue’>
 </ResourceAttribute>

The default value for this attribute is 0, indicating that Identity Manager will not check for a hung connection.

Additional Information

This section provides some additional information related to this adapter, including:

ListAllObjects

You can list any object specified in Domino. Pass in the view name as the “type” to the listAllObjects call.

Form Updates

Since some of these operations require additional attributes, default forms must be updated to include these attributes.

The resource definition already defines the attributes that should be passed to the various views.

Enable, Disable forms: DenyGroups
Deprovision form: DenyGroups (optional)
Expired Login, Change Password, Change My Password forms: HTTPPassword (must be secret), ID file
Rename form: certifierIDFile, credentials (must be secret)

searchFilter

The following sample UserForm illustrates how the searchFilter option for the getResourceObjects method can be implemented for Domino. This form finds all users with the last name Smith on the resource MyResource. Users are displayed by internal identifier, such as com.waveset.object.GenericObject%4014a614a6, rather than account IDs.

<DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Configuration name='Domino searchFilter Form' wstype=UserForm'"
 <Extension>
  <Form>
   <Display class=’EditForm’/>
   <Field name=’rcwfield’>
      <Display class=’MultiSelect’>
         <Property name=’title’ value=’My Lister’/>
         <Property name=’availableTitle’ value=’Listing available items’/>
         <Property name=’selectedTitle’ value=’Selected Item(s)’/>
         <Property name=’allowedValues’>
         <block trace=’true’>
               <invoke name=’getResourceObjects’ class=’com.waveset.ui.FormUtil’>
                  <ref>:display.session</ref>
                  <s>People</s>
                  <s>MyResource</s>
                  <Map>
                     <MapEntry key=’searchAttrsToGet’>
                        <List>
                           <String>LastName</String>
                           <String>ShortName</String>
                           <String>MailFile</String>
                        </List>
                     </MapEntry>
                     <MapEntry key=’searchFilter’ value=’@IsAvailable(LastName) &amp; 
@Contains(@LowerCase(LastName);"smith")’/>
                  </Map>
               </invoke>
         </block>
         </Property>
        </Display>
        <Disable>
         <i>0</i>
        </Disable>
     </Field>
  </Form>
 </Extension>
</Configuration>

Other Form Issues

Only the HTTPPassword can be changed or reset by the administrator. If you do not want to change only the HTTPPassword, the default tables must filter the Domino adapter.
The Change My Password, Change Password, and Expired Login forms generate a column named “Forgot Old Password?” This column must be removed for Domino resources since Identity Manager does not support administrator password updates.

Attributes Configured to be Passed Into Views

idFile. Password, LoginChange
DenyGroups. Enable, Disable, Delete
certifierIdFile, credentials. Rename
HTTPPassword. Password, LoginChange

Actions

The following variables are available for use in before and after actions:

WSUSER_accountId
WSUSER_UNID

The WSUSER_UNID variable refers to the Lotus Notes universal ID. This variable cannot be referenced until after the account has been created.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager uses the Sun Identity Manager Gateway to communicate with Domino.

Required Administrative Privileges

None

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature	Supported?
Enable/disable account	Yes
Rename account	Yes
Pass-through authentication	No
Before/after actions	Yes
Data loading methods	Import from resource Reconciliation Active Sync

Account Attributes

The following table provides information about Domino account attributes. The default data type is string, unless otherwise indicated.

Resource User Attribute	Description
`alternateOrgUnit`	The organizational unit for the user in the alternate language.
`AltFullName`	The user’s full name, in the user’s native language
`AltFullNameLanguage`	The language associated with the alternate full name.
`Assistant`	The name of an assistant.
`CalendarDomain`	The domain name for the calendar.
`CellPhoneNumber`	The user’s cell phone number.
`certifierIDFile`	Path to the certifier ID file relative to the gateway machine (overrides value on resource)
`CertifierOrgHierarchy`	Path of certifier’s organization hierarchy, such as /US1 (overrides value on resource)
`CheckPassword`	Integer. 0 = no check 1 = check 2 = Disable user
`Children`	The name or names of the employee’s children.
`City`	The city of the user’s home address.
`Comment`	A comment about the user.
`CompanyName`	The company the user works for.
`Country`	The country of the user’s home address.
`credentials`	Password for the certifier ID file (overrides value on resource)
`dbQuotaSizeLimit`	Specifies the maximum size of the user’s mail database. If you specify a value less than 1000, then the maximum size is in megabytes (MB). If the value is 1000 or greater, then the maximum size is expressed in bytes. Values between 1001 and 1023 are rounded up to 1024 bytes. The proxy administrator must be listed as an Administrator in the Server document to set this attribute.
`dbQuotaWarningThreshold`	Specifies the size of a user’s mail database at which point a warning about the size of the database is generated. If you specify a value less than 1000, then the threshold is in megabytes (MB). If the value is 1000 or greater, then the threshold is expressed in bytes. Values between 1001 and 1023 are rounded up to 1024 bytes. The proxy administrator must be listed as an Administrator in the Server document to set this attribute.
`defaultPasswordExp`	Number of days for new certificates to be issued (create, recertify operations)
`deleteMailFileOption`	Overrides the resource attribute: 0: Do not delete mail file 1: Delete just mail file specified in person record 2: Delete mail file specified in person record and all replicas Note: If configured to delete the `mailfile` an `adminp` request will be queued and must be approved natively before it is deleted.
`DenyGroups`	A list of users that are to be denied access to the resource.
`Department`	The department name or number of the user.
`DisplayName`	The user’s displayed name.
`EmployeeID`	The unique employee ID for the user.
`firstname`	The user’s first name.
`HomeFAXPhoneNumber`	The user’s home fax/phone number
`HTTPPassword`	Password to be used when accessing a Notes server from a web browser or other HTTP client.
`idFile`	Full qualified path to the ID file relative to the gateway machine.
`gateway machine`
`InternetAddress`
`JobTitle`	The user’s job title.
`lastModified`	A string representation of the last date and time the user was modified.
`lastname`	The user’s last name
`Location`	Office location or mail stop
`MailAddress`	The user’s e-mail address.
`MailDomain`	Domain name of user’s mail server
`MailFile`	The name of the mail file, such as MAIL\JSMITH
`mailOwnerAccess`	Indicates the access control level for the mailbox owner. Possible values are 0 (manager), 1(designer), and 2 (editor). This attribute is not in the schema map by default. The attribute is applicable only when creating users.
`MailServer`	The user’s mail server name.
`MailTemplate`	Name of mail template. Only valid during create.
`Manager`	The user’s manager.
`MiddleInitial`	Middle initial with a trailing period.
`NetUserName`	The user’s network account name.
`NotesGroups`
`objectGUID`	The user’s NotesID.
`OfficeCity`	The city of the user’s work address.
`OfficeCountry`	The country of the user’s work address.
`OfficeFAXPhoneNumber`	The fax number of the user’s work address.
`OfficeNumber`	The office number of the user’s work address.
`OfficePhoneNumber`	The phone number of the user’s work address.
`OfficeState`	The state or province of the user’s work address.
`OfficeStreetAddress`	The street address of the user’s work address.
`OfficeZIP`	The postal code of the user’s work address.
`orgUnit`
`password`	The user’s password
`PasswordChangeInterval`	Integer. The number of days after which the user must supply a new password.
`PasswordGracePeriod`	The number of days after the password has expired before the user is locked out.
`PhoneNumber`	The user’s home telephone number.
`PhoneNumber_6`
`Policy`	The explicit policy for the user. The value of the Explicit Policy Name resource parameter overrides this attribute. This parameter is applicable only for Domino 7.0 or later.
`Profiles`	The profile assigned to the user. This value overrides any profile specified as a resource parameter. This attribute is applicable only for Domino 7.0 and higher.
`Recertify`	Boolean. Flag to indicate you would like to recertify a user.
`RoamCleanPer`	When RoamCleanSetting is 1, the number of days between cleanings.
`RoamCleanSetting`	Specifies when Domino cleans up the user’s roaming files. Valid values are 0 (Never) 1 (Periodically) 2 (When the Domino server shuts down) 3 (Prompt the user)
`RoamingUser`	When set to 1, specifies that the user is a roaming user.
`RoamRplSrvrs`	A list of servers where the user’s roaming files are to be replicated.
`RoamSrvr`	Specifies the server where the user’s roaming files are to be located.
`RoamSubdir`	Specifies the directory that will contain the user’s roaming files.
`SametimeServer`	Hierarchical name of the user’s sametime server.
`ShortName`	Short user name commonly used by a foreign mail system.
`Spouse`	The name of the user’s spouse.
`State`	The state or province in the user’s home address.
`StreetAddress`	The address of the user’s home address.
`Suffix`	The user’s generational qualifier
`Title`	The user’s title
`WebSite`	The user’s web site.
`WS_USER_PASSWORD`	Attribute used to send user’s current password during user change password requests.
`x400Address`
`Zip`	The postal code of the user’s home address.

Resource Object Management

Identity Manager manages the following native Domino objects

Table 12–1 Native Domino Objects


Resource Object	Supported Features	Attributes Managed
Group	create, delete, list, rename, saveas, update	ConflictAction, Group_Main, AvailableForDirSync,DeleteNTUserAccount, DocumentAccess, Form, GroupName, GroupTitle, GroupType, InternetAddress, ListCategory, ListDescription, ListName, ListOwner, LocalAdmin, MailDomain, MailVerify, Owner, Type, Members, MemberPeople, MemberGroups

Identity Template

Domino stores the identity of each user in the userid file. However, that same user name is stored in the user record in the FullName attribute. That attribute is multi-valued, and the first one in the list is unique. The first name in the list is stored in canonical format and is similar to the following:

CN=Joe T Smith/O=MyCompany

Using this name we can get to the record of the Name and address book. Identity Manager stores this string on the resourceInfo in its “nice” form, which looks like:

Joe T Smith/MyCompany

Domino has built-in functions to convert names back and forth at the API level. Identity Manager also stores the NOTEID as the GUID attributes, and whenever possible uses this global identifier to look up users in Domino.

The default identity template is:

$firstname$ $MiddleInitial$ $lastname$$CertifierOrgHierarchy$

Depending on the environment, the middle initial may not be not included.

Sample Forms

DominoActiveSyncForm.xml

Dominogroupcreate.xml

Dominogroupupdate.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following class:

com.waveset.adapter.DominoResourceAdapter

Tracing can also be enabled on the following methods to diagnose problems connecting to the gateway:

com.waveset.adapter.AgentResourceAdapter#sendRequest
com.waveset.adapter.AgentResourceAdapter#getResponse