IBM Tivoli Identity Manager Lotus Notes Adapter White Paper


Version Tenth Edition (August 27, 2006)

This edition applies to version 4.6 of this Adapter and to all subsequent releases and modifications until otherwise indicated in new editions.

IBM, Tivoli, and WebSphere are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Windows is a trademark of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States, other countries or both. Other company, product, and service names may be the trademarks or service marks of others.

U.S. Government Users Restricted Rights -- Use, duplication, or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Copyright International Business Machines Corporation 2004, All rights reserved.

IBM Tivoli Lotus Notes Agent White Paper

Version: 2.1
Status: Definitive
Author: Sunil Rashinkar (Associate Technical Manager, Persistent Systems Pvt. Ltd., India, Pune) - srashink@us.ibm.com
Date: 05/04/2006
Reviewer:
- Brian Matthiesen (IBM, US, Irvine) - bmatthie@us.ibm.com
- Shashank Bhatt (Senior Technical Manager, Persistent Systems Pvt. Ltd., India, Pune) - shashank@us.ibm.com
- Gautam Burse (Associate Technical Manager, Persistent Systems Pvt. Ltd., India, Pune) - gburse@us.ibm.com
Approver: Brian Matthiesen (IBM, US, Irvine)

Change History (columns: No., Version, History, Date, Author)

01/29/2004, Sunil Rashinkar
    Newly Created. This version does not contain the following:
    1. Unique Org Unit attribute support

09/26/2005, Nachiket Vaidya and Sunil Rashinkar
    Added new design for Q3 enhancement release and UOU:
    - Option NOT to store ERUID in the FullName Field.
    - Support for Group attribute reconciliation.
    - Support for the group of the type Deny List only.
    - Support for overcoming the limitation on the size (32) of the Suspend Group
    - Support for Domino version 7
    - Set HTTPPassword First.
    - UOU Support

01/24/2006, Sunil Rashinkar
    Added new design for Q4 enhancement release and UOU:
    - Support for Alternate Full Name and Alternate Full Name Language
    - Support for Password Quality Scale
    - Support for Mail Template Supporting Data
    - Support for Mail File Replication on Replication server in ADD and MODIFY Operation
    - Delete a User using DeleteInNAB AdminP Operation
    - Support for Domino+SameTime Account and SameTime Only Account Management

No. 4, Version 2.1, /04/2006, Mukesh Vijayvargia, Ashish Choudhary and Uday Acharya
    Added following functionalities:
    - Support to add Person document only (For Nokia)
    - AdminP attributes to be sent in Modify operation
    - Setting of Code page for Notes Agent
    - Expiration Date issue in Password Change Operation
    - Using Notes Adapter for ITIM 4.6 with ITIM

Preface

The IBM Tivoli Identity Manager Lotus Notes Agent enables connectivity between the Tivoli Identity Manager Server and a network of systems running the Lotus Domino Server. The Lotus Notes Agent must be installed on a machine where the Lotus Notes Client (Notes Client) is running. After you install and configure the agent, Tivoli Identity Manager manages access to Lotus Domino Server resources, using the Lotus Domino Administrator's ID.

Who should read this book?

This book is primarily intended for system administrators who are responsible for installing software on their computer systems. It is also intended for security administrators, who are familiar with the security standards for their network environment. Readers are expected to understand system and security administration concepts. Readers should be able to perform routine security administration tasks.

Contents

1. Introduction
    Features of Notes Agent
    Software and OS Requirements
    Supported Configurations
    Un-Supported Configurations

2. Communication between the agent and the Tivoli Identity Manager Server
    Data Transfer from Tivoli Identity Manager Server to Agent
    Basic configuration for server-to-agent SSL communication

3. Notes Agent interaction with the Domino Server
    Principles of Operations
    Internal processing of requests from the ITIM Server
    Basic Information about ID files

4. Deployment of Notes Agent on Tivoli Identity Manager Server
    Creating a Service on Tivoli Identity Manager Server
    Using Notes Adapter for ITIM 4.6 with ITIM 4.5
    Adding Notes Provisioning Policy on Tivoli Identity Manager Server
    Verifying the Installations
    Verifying the Notes Profile Installation.
    Verifying the Notes Agent Installation.
    Verifying the Notes Shadow Agent Installation.
    Setting your Deployment for Notes Agent Password Change Operation
    Examples of Domino Deployments with respect to User's ID file Storage
    Example
    Storage of created User's ID file by Lotus Notes Agents
    Why to use Notes Shadow Agent
    Password Change action on Domino Server:
    Password Change through the Notes Administrator
    Password Change by the User using his Notes Client ID file
    Password recovery through the Notes Administrator
    Password Change operation on ID file through Notes Agent
    Password Change without using Old Password.
    Password Change operation using Old Password
    Why to use Notes Shadow Agent
    Recommended Notes Agent Deployment for Existing Domino Deployment
    Recommended Notes Agent Deployment for Fresh Domino Deployment
    Executing the Notes Shadow Utility.
    Executing the Notes Agent for Reconciliation operation
    Test Connectivity of ITIM Server with Notes Agent
    Execute reconciliation Operation through ITIM server
    View the Reconciled accounts on ITIM Server
    Adopting orphan Lotus Notes user accounts

5. Checklist Before Running The Notes Agent
    Adding Path of nnotes.dll file to PATH system environment variable
    Verification of Notes Agents Registry Settings
    Setting required on Domino for Notes Agent Operation
    Creation of Groups on Domino Resource
    Giving server access to Groups
    Creation of Notes Databases on Domino Resource
    Setting required for Mail Quota Size
    Transformation File (xforms.xml)
    DLL files used by Notes Agent
    Last Logged in User on Notes Client
    Supported configurations for Notes Agent
    Code Page setting for the Notes Agent

6. Notes Agent Functionality
    ADD Operation Functionality
    Certifier ID and Certifier ID Password in Registry
    Specifying Certification Expiry Date Attribute
    Valid values to be specified for First Name and Last Name attributes
    Using Full name field for storing User Id from ITIM
    Using Short name field for storing User Id from ITIM
    Using Custom Eruid field for storing User Id from ITIM
    Using "Use ITIM_ERUID" registry key
    Using "Refresh ITIM_ERUID" registry key
    Brief Overview of Notes Agent design for ERUID value:
    Using Synchronize HTTPPassword registry setting
    Specifying Mail File Owner Access Attribute
    Specifying Mail Template Name Attribute
    Specifying Mail File Name Attribute
    Creation of User ID files
    Replication Conflict Attribute
    Support for Unique Organization Unit (UOU)
    Support for Alternate Full Name and Alternate Full Name Language
    Support for Password Quality Scale
    Support for Mail Template Supporting Data
    Support for Mail File Replication
    Support to add Person document only
    MODIFY Operation
    Modifying User Id Attribute
    Modifying Full Name Attribute
    Modifying Short Name Attribute
    Modifying HTTP/Internet Password Attribute
    Modifying User ID file path Attribute
    Modifying Mail File Owner Access Attribute
    Modifying Certification Expiry Date for User
    Modifying Replication Conflict Attribute
    Non-Modifiable Attributes on Notes Account Form
    Mail File Replication
    Modifying a user with a Person document only
    SUSPEND Operation Functionality
    Suspend Group registry key
    Suspend HTTPPassword registry key
    HTTP/Internet Access of User
    Log DB
    RESTORE Operation Functionality
    Suspend Group registry key
    Suspend HTTPPassword registry key
    HTTP/Internet Access of User
    Log DB
    PASSWORD Change Operation Functionality
    Deployment Assumptions Before Password Change Operation
    Password Change Settings
    Password Changes on ID file at various locations
    Password Change for a user having Person document only
    Certificate Expiration Date in Password Change operation
    DELETE Operation Functionality
    Delete Group
    Log DB
    Delete Mail DB
    User's Person Document
    Removal from groups
    Delete a User using DeleteInNAB AdminP Operation
    RECONCILIATION Operation Functionality
    Using Short name field for ERUID for Reconciliation operation
    Using Full name field for ERUID for Reconciliation operation
    Using Custom Notes field for ERUID for Reconciliation operation
    Account Status Attribute
    Mail File Owner Access Attribute
    Replication Conflict Attribute
    Attributes not sent back on TIM server after reconciliation Operation
    Mail Template File Names as Supporting Data

7. SameTime Only Account Management
    Scenarios and Requirements
    Software and Hardware Requirement
    Supported Setup
    SameTime Account Attributes
    SameTime - ADD Operation Functionality
    Add a User with Domino + SameTime Account.
    Add a User with Only SameTime Account.
    Examples
    Creation of only SameTime Account for a user
    SameTime - MODIFY Operation
    Modifying attributes of a user having Domino+SameTime Account.
    Modifying attributes of a user having only SameTime Account.
    Modifying SameTime Server Attribute for a user having a Domino+SameTime Account OR Only SameTime Account.
    Modifying SameTime Server and SameTime ACL Attributes in single modify operation for a user having a Domino+SameTime Account OR Only SameTime Account.
    SameTime - SUSPEND Operation Functionality
    SameTime - RESTORE Operation Functionality
    SameTime - LOCKING SAMETIME ACCESS
    Locking SameTime Server Access for a user having Domino+SameTime Account.
    Unlocking SameTime Server Access for a user having Domino+SameTime Account.
    Locking SameTime Server Access for a user having Only Domino account OR Only SameTime Account.
    SameTime - PASSWORD Change Operation Functionality
    Password Change Operation of a User having Only SameTime Account.
    SameTime - DELETE Operation Functionality
    Deleting a User having only SameTime account.
    Deleting a User having Domino+SameTime account.
    SameTime - RECONCILIATION Operation Functionality
    SameTime - Existing Domino/ITIM Deployment

8. ADMINP Operation
    Administration servers
    The Administration Requests database
    Lotus Notes features for execute AdminP Commands:
    Sending AdminP Command attributes in modify operation
    Executing Rename AdminP Command
    Executing ReCertify AdminP Command
    Executing Move User In Hierarchy AdminP Command
    Executing Move User Complete AdminP Command
    Executing New Replica AdminP Command
    Executing Move Replica AdminP Command
    Executing Delete In ACL AdminP Command
    Summary of AdminP command execution with the necessary Attributes

9. Configuring the Notes Agent to use Custom Attributes
10. Configuring the Notes Agent to use Custom ERUID
11. Configuring the Notes Agent to use ITIM only Attributes
12. Configuring the Notes Agent to use ERUID location
13. Troubleshooting the Lotus Notes Agent Deployment
14. Troubleshooting the Lotus Notes Shadow Utility Errors
15. FAQs

APPENDIX A. Notes Agent Attributes
    Variable Descriptions
    Variables by Lotus Notes Account Form on ITIM
    Attributes on PERSONAL TAB (On Notes Account Form)
    Attributes on MAIL TAB (On Notes Account Form)
    Attributes on WORK TAB (On Notes Account Form)
    Attributes on PERSONAL HOME TAB (On Notes Account Form)
    Attributes on COMPANY TAB (On Notes Account Form)
    Attributes on ADMINISTRATION TAB (On Notes Account Form)
    Attributes on MISC. TAB (On Notes Account Form)
    Attributes on ADMINP TAB (On Notes Account Form)
    Hidden Attributes
    Variables by Lotus Notes Agent Actions
    System Login Add
    System Login Change
    System Login Delete
    System Login Suspend
    System Login Restore
    Reconciliation

APPENDIX B. Registry keys
    Synchronize HTTPPassword Registry Setting Usage

APPENDIX C. Lotus Notes APIs used by Notes Agent

Chapter 1 - Introduction

An agent is a program that provides an interface between a managed resource and the Tivoli Identity Manager Server. Agents reside on the managed resource and the Tivoli Identity Manager Server manages access to the resource by using your security system. Agents function as trusted virtual administrators on the target platform, performing such tasks as creating login IDs, suspending IDs, and performing other functions administrators normally run manually. The agent runs as a service, independent of whether or not a user is logged on to the Tivoli Identity Manager Server.

The IBM Tivoli Identity Manager Lotus Notes Agent enables connectivity between the Tivoli Identity Manager Server and a network of systems running the Lotus Domino Server. The Lotus Notes Agent must be installed on a machine where the Lotus Notes Client (Notes Client) is running. After you install and configure the agent, Tivoli Identity Manager manages access to Lotus Domino Server resources, using the Lotus Domino Administrator (Domino Administrator).

Features of the Lotus Notes Agent

You can use the Lotus Notes Agent for the following administrative tasks:

- Creating Domino Account on the Domino Server (Acting as registration and server)
  o Registering a user with only Domino Account.
  o Registering a user with Domino Account and a SameTime Account.
  o Registering a user with only SameTime Accounts.
- Creating Domino Account on the Domino Registration Server by specifying a different Domino Server for its mail file.
  o Registering users with only Domino Account.
  o Registering users with Domino Account and a SameTime Account.
- Modifying Domino Account User attributes
  o Modifying user attributes for only Domino Account.
  o Modifying user attributes for Domino Account and SameTime Account.
  o Modifying user attributes for only SameTime Account.
- Modifying Domino Account User Password
  o Modification of User Password for only Domino Account. (User ID Management)
  o Modification of User Password for Domino Account and SameTime Account. (User ID Management)
  o Modification of User Password for only SameTime Account. (No User ID Management)
- Suspending a Domino Account
  o Suspending a user having only Domino Account.
  o Suspending a user having Domino Account and a SameTime Account.
  o Suspending a user having only SameTime Account.
- Restoring Domino Account
  o Restoring a user having only Domino Account.
  o Restoring a user having Domino Account and a SameTime Account.
  o Restoring a user having only SameTime Account.
- Deleting a Domino Account
  o Delete a Domino Account
      Deleting a user having only Domino Account.
      Deleting a user having Domino Account and SameTime Account.
      Deleting a user having only SameTime Account
  o Delete a Domino Account through Delete in NAB AdminP command.
      Deleting a user having only Domino Account.
      Deleting a user having Domino Account and SameTime Account.
      Deleting a user having only SameTime Account
- Looking up user operations for Lotus Notes User accounts
  o UserLookup of only Domino Account.
  o UserLookup of Domino Account and SameTime Account.
  o UserLookup of only SameTime Account.
- Reconciliation of Domino User accounts
  o Reconciliation of users with only Domino Account.
  o Reconciliation of users with Domino Account and SameTime Account.
  o Reconciliation of users with only SameTime Account.
- Executing Administration Process (AdminP) Commands
  o Renaming a User account: The agent can be used to rename all references to a user account in the Lotus Domino Server.
  o Re-certifying a user account: The agent can be used to re-certify a specific user account in the Lotus Domino Server.
  o Move User in Hierarchy: The agent can be used to move a user to a new hierarchy in the organization's hierarchical name scheme.
  o Move User Complete: When used with Move User in Hierarchy, the move of a user to a new hierarchy is completed.
  o Creating a New Replica of Database: The agent can be used to create a new replica of a database on another Lotus Domino Server.
  o Moving a Replica of Database: The agent can be used to move a replica of a database from one Lotus Domino Server to another.
  o Deleting in ACL: The agent can be used to delete the name of a user from the ACLs list of the mail database files on the Lotus Domino Server.
  o Deleting in NAB: The agent can be used to delete the user from the Domino Address book and also delete the user's mail file from all the replicas.

The ID file and password information for newly created users is stored in a database file (NSF, by default). To add information for existing users, the Lotus Notes Agent includes a NotesShadowAgent utility (Shadow utility) that you can use to incorporate the user's information into this database file. For more information on this utility, see the IBM Tivoli Identity Manager Lotus Notes Agent Installation Guide.

Software and OS Requirements

The following table lists the software and operating system requirements for the Notes agent.

Table 1: Software and OS Requirements

Software and OS Requirements          Version
Lotus Domino Server                   R5, 6.0, 6.5, 7
Lotus Notes Client/Administrator      R5, 6.0, 6.5, 7
Operating System                      Windows 2000/2003
ITIM                                  4.5 and above

Supported Configurations

You can install the Lotus Notes Agent in 4 different configurations. The fundamental components in each environment are a Tivoli Identity Manager Server, a Notes Client, a Lotus Notes Agent, and a Lotus Domino Server. In each configuration, the Lotus Notes Agent uses the Notes Client to communicate with the Lotus Domino Server.

Note: The following schematics show the Notes Client and Lotus Notes Agent on a separate machine from the Lotus Domino Server. Both components can reside on the same machine as the Lotus Domino Server.

Scenario 1: Running a single Lotus Notes Agent

The first supported configuration includes a single Tivoli Identity Manager Server, a single machine running the Notes Client with one instance of the Lotus Notes Agent, and a single Lotus Domino Server.

Scenario 2: Running multiple instances of the Lotus Notes Agent

The second supported configuration includes a single Tivoli Identity Manager Server, a single machine running the Notes Client with multiple instances of the Lotus Notes Agent on different ports, and a single Lotus Domino Server.

Scenario 3: Configuring multiple instances of the Tivoli Identity Manager Server

The third supported configuration includes multiple Tivoli Identity Manager Servers communicating with a single machine running the Notes Client with one instance of the Lotus Notes Agent, and a single Lotus Domino Server.

Scenario 4: Running multiple Lotus Domino Servers

The fourth supported configuration includes a single Tivoli Identity Manager Server, a single machine running the Notes Client with one instance of the Lotus Notes Agent, and multiple Lotus Domino Servers. While the Lotus Notes Agent can work with multiple Lotus Domino Servers, it cannot do so simultaneously. For more information on configuring the Lotus Notes Agent to work with multiple instances of the Lotus Domino Server, see the IBM Tivoli Identity Manager Lotus Notes Agent Installation Guide.

Figure 4: Multiple Domino Registration Server Configuration

Scenario 5: Running a single instance of Lotus Domino Registration Server and a single instance of Lotus Domino Server

The fifth supported configuration includes a single Tivoli Identity Manager Server, a single machine running the Notes Client with one instance of the Lotus Notes Agent, a single Lotus Domino Registration Server, and a single Lotus Domino Server.

Figure 5: Single Domino Registration server and single Domino Server Configuration

Scenario 6: Running a single instance of Lotus Domino Registration Server and multiple instances of Lotus Domino Servers

The sixth supported configuration includes a single Tivoli Identity Manager Server, a single machine running the Notes Client with one instance of the Lotus Notes Agent, a single Lotus Domino Registration Server, and multiple Lotus Domino Servers.

Figure 6

Non-supported configurations

The Lotus Notes Agent has 2 non-supported configuration scenarios.

Scenario 1: Running multiple Lotus Domino Servers and configuring multiple instances of the Tivoli Identity Manager Server

The first non-supported configuration includes multiple Tivoli Identity Manager Servers, a single machine running the Notes Client with one instance of the Lotus Notes Agent, and multiple Lotus Domino Servers.

Scenario 2: Running the Universal Provisioning Agent on the same server as the Lotus Notes Agent

The second non-supported configuration includes a Tivoli Identity Manager Server, a single machine running the Notes Client with one instance of the Universal Provisioning Agent and one instance of the Lotus Notes Agent, and one Lotus Domino Server. The Universal Provisioning Agent can be used to send using the Notes Client; therefore both agents require the use of an ID file. Scenarios in which both agents have the same ID file, or in which both agents are installed on the same server, have not been tested and as such remain unsupported.

Chapter 2 - Communication between the agent and the Tivoli Identity Manager Server

Data Transfer from Tivoli Identity Manager Server to Agent

The Lotus Notes Agent is an individual Tivoli Identity Manager software program that must reside on a machine where the Notes Client is installed. That machine may be the Lotus Domino Server. Data is transferred between the Lotus Notes Agent and the Tivoli Identity Manager Server using the Directory Access Markup Language (DAML) protocol. DAML uses Secure Sockets Layer (SSL) to send XML-formatted messages between the agent and the server.

Tivoli Identity Manager communicates with the Lotus Notes Agent in order to administer user accounts. When the Tivoli Identity Manager Server issues a request to the Lotus Notes Agent, the server opens a TCP/IP connection. This connection stays open until the agent completes the request and responds back to the server with an acknowledgement message. Once the Tivoli Identity Manager Server receives the anticipated response, it drops the connection to the agent.

Basic configuration for server-to-agent SSL communication

The following information pertains to a Tivoli Identity Manager deployment on either the WebSphere or the WebLogic application server. In this scenario, the Tivoli Identity Manager Server initiates communication with the agent (server-to-agent) using one-way authentication over SSL. The SSL implementation that is used is either RSA SSL-C or OpenSSL. For more information on SSL, see the IBM Tivoli Identity Manager Lotus Notes Agent Installation Guide.

Chapter 3 - Notes Agent Interaction with the Domino Server

The Tivoli Identity Manager Server manages the Lotus Domino Server, using the Lotus Notes Agent. The Tivoli Identity Manager Server issues generic resource management requests, which the agent converts to Lotus Domino Server specific commands that the server will run.

Before you can use the Lotus Notes Agent to automate administrative tasks, the agent must be deployed in the Tivoli Identity Manager environment. This process will get users from the Lotus Domino Server to the Tivoli Identity Manager Server. For more information on deploying the Lotus Notes Agent, see Chapter 4, Deploying the agent on the Tivoli Identity Manager Server.

Principles of Operation

The Lotus Notes Agent connects to the Lotus Domino Server, using either the Notes Client or the Domino Administrator. The Notes Client is required for the agent to run and it manages , while the Domino Administrator is required to manage the Lotus Domino Server and perform administrative tasks. The agent uses the administrator's ID file to log on to the Lotus Domino Server since it needs administrative privileges, such as the ability to read and write to server documents and databases.

Internal processing of requests from the Tivoli Identity Manager Server

The Lotus Notes Agent uses a configurable port to listen for requests from the Tivoli Identity Manager Server. Once a request is received from the server, the agent completes the following steps:

1. The agent gathers the server name, administrator ID file path, and administrator password from the registry.
2. Next, the agent initializes a session with the Lotus Domino Server.
3. Once the administrator ID is authenticated, using the password that was found in the registry, the agent opens the address book on the Lotus Domino Server.
4. Then, the agent executes the operation that the Tivoli Identity Manager Server requested and sends the status of the operation to the Tivoli Identity Manager Server.
5. Lastly, the agent ends the session with the Lotus Domino Server.

Basic information about ID files

The Lotus Domino Server uses ID files to identify users and to control access to the documents and databases on the server. Every Lotus Domino Server, Lotus Notes certifier, and Lotus Notes user must have an ID. There are 3 basic ID file types:

- Administrator ID file
- Certifier ID file
- General user ID file

Administrator ID file

The ID file and password for the administrator ID are used by the Lotus Notes Agent and the Lotus Domino Server for authentication purposes. The Lotus Notes Agent uses the Extension Manager to pass the administrator's password to the Lotus Domino Server to authenticate the ID. The NotesAuth.dll file, which is copied to the system32 directory by the Lotus Notes Agent installer, acts as the Extension manager DLL for the Lotus Notes Agent.

Certifier ID file

Within the Lotus Domino Server, there are 3 types of certifier ID files:

- Certifier ID and certificate
- Organization certifier ID
- Organizational unit certifier ID

Certifier ID and certificate

Certifier IDs and certificates form the basis of the Lotus Domino security. To place servers and users correctly within your organization's hierarchical name scheme, you create a certifier ID for each branch on the name tree. You use the certifiers during server and user registration to associate each server ID and user ID with a certificate that defines where each belongs in the organization. Servers and users who belong to the same name tree can communicate with each other; servers and users who belong to different name trees need a cross-certificate to communicate with each other.

Note: You can register servers and users without associating each server ID and user ID if you have migrated the certifier to a Domino server-based Certification Authority (CA).

Each time you create a certifier ID, Domino creates a certifier ID file and a certifier document. The ID file contains the ID that you use to register servers and users. The Certifier document serves as a record of the certifier ID and stores, among other things, its hierarchical name, the name of the certifier ID that issued it, and the names of certificates associated with it. There are two types of certifier IDs: organization and organizational unit.

Organization certifier ID

The organization certifier appears at the top of the name tree and is usually the name of the company, for example, Acme. During the server setup, the Server Setup program creates the organization certifier and stores the organization certifier ID file in the Domino data directory, giving it the name CERT.ID. During this setup, this organization certifier ID automatically certifies the first Lotus Domino Server ID and the administrator's user ID.

If your company is large and decentralized, you might want to use the Domino Administrator after server setup to create a second organization certifier ID to allow for further name differentiation, for example, to differentiate between company subsidiaries.

Organizational unit certifier IDs

The organizational unit certifiers are at all the branches of the tree and usually represent geographical or departmental names, for example, East/Acme or Sales/East/Acme. If you choose to, you can create a first-level organizational unit certifier ID during server setup, which will result in the server ID and administrator's user ID being associated with the organizational unit certifier rather than with the organization certifier. If you choose not to create this organizational unit certifier during server setup, you can always use the Domino Administrator to do it later. If you choose to do this later, remember that you must re-certify the server ID and administrator's user ID.

You can create up to four levels of organizational unit certifiers. To create first-level organizational unit certifier IDs, you use the organization certifier ID. To create second-level organizational unit certifier IDs, you use the first-level organizational unit certifier IDs, and so on.

Using organizational unit certifier IDs, you can decentralize certification by distributing individual certifier IDs to administrators who manage users and servers in specific branches of the company. For example, the Acme Company has two administrators. One administers servers and users in West/Acme and has access to only the West/Acme certifier ID, and the other administers servers and users in East/Acme and has access to only the East/Acme certifier ID.

General user ID file

The Lotus Domino Server uses ID files to identify users and to control access to servers. When you register users and servers, Domino will automatically create a user ID. The default name for this file is usually shortname.id. For example, Bob Smith's user ID would be bsmith.id.

Contents of an ID file:

Table 2: Contents of User ID file

Attribute: Owner's name
Description: The user's name. A user ID file may also contain one alternate name. A certifier ID may contain multiple alternate names.

Attribute: Permanent license number
Description: This number indicates that the owner is legal and specifies whether the owner has a North American or international license to run a Domino or Lotus Notes server.

Attribute: Notes certificate from a certifier ID
Description: A Notes certificate is a digital signature added to a user ID or server ID. This signature, which is generated from the private key of a certifier ID, verifies that the name of the owner of the ID is correctly associated with a specific public key. Each user ID must have at least one certificate.

Attribute: Private key
Description: Notes uses the private key to sign messages sent by the owner of the private key, to decrypt messages sent to its owner, and to sign certificates, if the ID belongs to a certifier.

Attribute: Internet certificates
Description: An Internet certificate is used to secure SSL connections and encrypt and sign S/MIME mail messages. An Internet certificate is issued by a Certification Authority (CA) and verifies the identity of the user. The user's private key associated with an Internet certificate is stored with that certificate. This is optional for Lotus Notes clients.

Attribute: Secret encryption keys
Description: One or more secret encryption keys can be created and distributed by users to allow other users to encrypt and decrypt fields in a document. This is optional.

Note: If a user is in the process of requesting a new private key or a name change, the pending information is also stored in the ID file. If a Notes private key is changed, then the obsolete information is also stored in the ID file for backwards compatibility. For example, you would need the obsolete information to read old encrypted .
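
The certifier hierarchy described above (organization certifier, up to four levels of organizational unit certifiers, cross-certificates between name trees, and certifier IDs delegated per branch), worked through as an added example that is not code from the white paper or from IBM. The administrator names, the registration list, the Globex-style sample names, the absence of a country component and the case-insensitive comparison are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_OU_LEVELS = 4  # the paper allows up to four levels of OU certifiers


@dataclass(frozen=True)
class HierName:
    common_name: str   # empty for a certifier name such as "East/Acme"
    org_units: tuple   # most specific first, e.g. ("Sales", "East")
    organization: str  # root of the name tree, e.g. "Acme"


def parse_name(name, is_certifier=False):
    """Parse 'Bob Smith/Sales/East/Acme' or 'CN=Bob Smith/OU=Sales/OU=East/O=Acme'."""
    parts = [p.strip() for p in name.split("/")]
    if not all(parts):
        raise ValueError(f"empty component in {name!r}")
    if all("=" in p for p in parts):  # canonical form carries its own labels
        typed = [tuple(s.strip() for s in p.split("=", 1)) for p in parts]
        keys = [k.upper() for k, _ in typed]
        first_ou = 1 if keys[0] == "CN" else 0
        if (keys[-1] != "O" or any(k != "OU" for k in keys[first_ou:-1])
                or not all(v for _, v in typed)):
            raise ValueError(f"unsupported canonical name {name!r}")
        common = typed[0][1] if first_ou else ""
        ous = [v for _, v in typed[first_ou:-1]]
        organization = typed[-1][1]
    else:  # abbreviated form: the caller says whether a common name leads
        if not is_certifier and len(parts) < 2:
            raise ValueError(f"{name!r} has no certifier part")
        common = "" if is_certifier else parts[0]
        rest = parts if is_certifier else parts[1:]
        ous, organization = rest[:-1], rest[-1]
    if len(ous) > MAX_OU_LEVELS:
        raise ValueError(f"{name!r} has {len(ous)} OU levels, limit is {MAX_OU_LEVELS}")
    return HierName(common, tuple(ous), organization)


def certifier_chain(n):
    """Certifier IDs from the organization certifier down to the direct issuer of n."""
    chain = [n.organization]
    for ou in reversed(n.org_units):
        chain.append(f"{ou}/{chain[-1]}")
    # A certifier is created with its parent certifier, so drop its own name.
    return chain if n.common_name else chain[:-1]


def needs_cross_certificate(a, b):
    """Names under different organization certifiers sit in different name trees."""
    return a.organization.casefold() != b.organization.casefold()


def within_branch(certifier, subject):
    """True if subject was registered at or below the branch of the held certifier."""
    held = "/".join(certifier.org_units + (certifier.organization,)).casefold()
    return held in (c.casefold() for c in certifier_chain(subject))


def audit_registrations(delegations, registrations):
    """Return (admin, name, reason) for registrations an admin's certifier ID cannot explain."""
    findings = []
    for admin, name in registrations:
        try:
            subject = parse_name(name)
        except ValueError as exc:
            findings.append((admin, name, str(exc)))
            continue
        held = delegations.get(admin)
        if held is None:
            findings.append((admin, name, "admin holds no certifier ID"))
        elif not within_branch(parse_name(held, is_certifier=True), subject):
            findings.append((admin, name, f"outside branch {held}"))
    return findings


# Constructed sample data mirroring the paper's West/Acme and East/Acme administrators.
DELEGATIONS = {"west-admin": "West/Acme", "east-admin": "East/Acme"}
REGISTRATIONS = [
    ("west-admin", "Jane Doe/West/Acme"),
    ("west-admin", "Li Wei/Eng/West/Acme"),
    ("east-admin", "Raj Patel/Sales/East/Acme"),
    ("west-admin", "Sam Roe/Sales/East/Acme"),    # East branch, West certifier
    ("east-admin", "Ann Lee/A/B/C/D/E/Acme"),     # five OU levels
]

if __name__ == "__main__":
    print(certifier_chain(parse_name("Bob Smith/Sales/East/Acme")))
    for finding in audit_registrations(DELEGATIONS, REGISTRATIONS):
        print(finding)
```

Run against an export of person-document names and a record of which administrator holds which certifier ID, the audit flags registrations that the delegated certifier could not have issued.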

Chapter 4 Deployment of Notes Agent on Tivoli Identity Manager Server

To configure the Tivoli Identity Manager Server to run the Lotus Notes Agent, complete the following steps:

1. Install the Notes Agent profile. For more information on installing the Notes agent profile, see the IBM Tivoli Identity Manager Lotus Notes Agent Installation Guide.
2. Create a Lotus Notes Agent service. For more information on creating an agent service, see section Creating a service on the Tivoli Identity Manager Server of this user guide.
3. Create a provisioning policy for the Lotus Notes Agent service. For more information on creating a provisioning policy, see section Creating a provisioning policy on the Tivoli Identity Manager Server of this user guide.
4. Install the Lotus Notes Agent. For more information on installing the agent, see the IBM Tivoli Identity Manager Lotus Notes Agent Installation Guide.
5. Install the NotesShadowAgent utility (Shadow utility). For more information on installing the utility, see the IBM Tivoli Identity Manager Lotus Notes Agent Installation Guide.
6. Run the Shadow utility; see section Executing the Notes Shadow Utility of this user guide. For more information on running the utility, see the IBM Tivoli Identity Manager Lotus Notes Agent Installation Guide.
7. Perform a reconciliation operation. For more information on reconciling accounts, see Reconciling accounts using the Lotus Notes Agent of this user guide.
8. Adopt orphan Lotus Notes Agent accounts. For more information on adopting accounts, see Adopting orphan Lotus Notes user accounts of this user guide.
9. Create accounts on the Tivoli Identity Manager Application Server. For more information on accounts, see Creating accounts of this user guide.
10. Set the Lotus Notes Agent deployment for Password Change operations.

Creating a Service on Tivoli Identity Manager Server

A service is a managed resource that a user periodically accesses, but does not physically obtain. Once the Lotus Notes Agent and its profile are installed, the agent can be used by the Tivoli Identity Manager Server. As a system administrator, you can provision users with the service that you create.

Before you can add the Lotus Notes Agent as a service on the Tivoli Identity Manager Server, the server must have a service profile installed. This profile allows the server to recognize the agent as a service. Refer to the IBM Tivoli Identity Manager Lotus Notes Agent Installation Guide for more information on installing the agent profile.

When adding a service, you must complete the Add New Service form. This form is accessed through the Tivoli Identity Manager Server GUI. To add a service, complete the following steps:

1. Log on to the Tivoli Identity Manager Server GUI, using an account that has the authority to perform administrative tasks.
2. Select Provisioning from the Main Menu Navigation Bar.
3. Navigate through the organization tree and click the name of the branch to which the service will be added.
4. On the Services List page, click Add.
5. On the Select Type of Service page, select the NotesR6Profile/NotesProfile service type (whichever is appropriate for the version of the Domino Server) from the Service Type drop-down menu and click Continue.
6. On the Add New Service page, enter the information requested in the corresponding text fields. You must enter the information denoted by the red asterisk (*). All other fields are optional. The Owner and Service Prerequisite fields require you to use the Search feature to select an entry. See Table 3 below for a description of each field.

Table 3. Service field names and descriptions

Field Name: Description
Service Name: Name assigned to the service.
URL: URL used to connect to the remote resource hosting the service. Format: [protocol]://[ipaddress]:[portnumber]
User Id: User ID used to log into the remote resource.
Password: Password assigned to the user ID used to log into the remote resource.
CA certificate store location: Location of the CA certificate on the Tivoli Identity Manager Server.
Certificate file location: Location of the certificate file on the Tivoli Identity Manager Server.
Private key file location: Location of the private key file on the Tivoli Identity Manager Server.
Owner: Name of the service owner.
Service Prerequisite: Any prerequisite required before the service can be utilized (accounts for service must already exist). A service can be a prerequisite for another service only if the prerequisite service is a member of an enabled automatic provisioning policy.

7. Click Test to verify the connection information. The Test button tests communication between the Tivoli Identity Manager Server and the Lotus Notes client, where the Lotus Notes Agent is installed. If the test connection is successful, proceed to step 8. If the test connection fails, verify that you have correctly entered the above information and that the agent is running.
8. Click Submit to add the service to the Tivoli Identity Manager Server. The Service List page reappears with the new service listed.

Using Notes Adapter for ITIM 4.6 with ITIM 4.5

NotesAdapter 4.6 has an additional flag in the agent configuration that decides whether the agent runs in secure SSL mode or not. The flag is USE_SSL; its default value is FALSE.

1. To use NotesAdapter in non-secure mode with ITIM 4.5
By default the value of the USE_SSL flag is FALSE. To run the agent in non-secure mode, while creating a service from ITIM 4.5 specify the agent URL with " instead of "

2. To use NotesAdapter in secure mode with ITIM 4.5
To use Notes Adapter 4.6 in secure mode with the ITIM 4.5 release, follow the steps below.
a. Run agentcfg.exe for the Notes Adapter.
b. Select option "B. Protocol Configuration."
c. Select option "C. Configure Protocol."
d. Select option "A. DAML"
e. Set the USE_SSL flag to TRUE.
f. Install the certificate through CertTool.exe.
g. Restart the Notes Adapter.

Adding Notes Provisioning Policy on Tivoli Identity Manager Server

A Provisioning Policy grants a person access to many types of managed resources, such as the ITIM server, Windows NT servers, Solaris servers, and so on. Access to a resource defined as a target on a provisioning policy is guaranteed for a person as long as the person is a member of the policy. The membership types for a policy are categorized as one of the following:

- All persons in an organization
- A person's organizational role
- Other (people not in an organizational role that is directly associated with a Provisioning Policy)

If the Provisioning Policy grants access to all people in an organization, then all people in the Organization have access to the service. If the Provisioning Policy grants access to an Organizational Role, then those people who belong to a particular Organizational Role are granted access to the service. As soon as a person has an account and can access the managed resource, the functions that can be performed within the managed resource are administered by the service.

Tivoli Identity Manager allows you to manage Provisioning Policies from one location: the Provisioning tab of the Main Menu Navigation Bar, under Define Provisioning Policies in the task bar.

Each Provisioning Policy consists of three components:

- General Information
- Membership
- Entitlements

All three of these components must be in place before a Provisioning Policy can take effect. Adding Provisioning Policies requires three steps:

- Defining a Provisioning Policy
- Adding a Membership
- Adding an Entitlement

You must define a policy before adding a Provisioning Policy.

Important: Organizational roles and services to be used in the Provisioning Policy must be in place before adding the Provisioning Policy.

To define a provisioning policy:

1. Click Provisioning in the Main Menu Navigation Bar.
2. Navigate through the Organization Tree and click the name of the branch to which the Provisioning Policy will be added.
3. Click Define Provisioning Policies in the task bar. The Provisioning Policies page opens.
4. Click Add. The General tab for the Provisioning Policy appears.
5. Complete the required name and the optional caption and description fields.
6. Select the Enabled radio button to make your Provisioning Policy active.
7. OPTIONAL: Enter Keywords in the optional Keywords text box.
8. Enter a Priority in the Priority field.
9. Click either the Membership tab or the Entitlements tab to continue.

Adding a Membership

You must add a membership before a Provisioning Policy can take effect. To add a membership:

1. Click Provisioning in the Main Menu Navigation Bar.
2. Navigate through the Organization Tree and click the name of the branch in which the desired Provisioning Policy is located.
3. Click Define Provisioning Policies in the task bar.
4. Click the name of the Provisioning Policy to which you want to add a membership.
5. Click the Membership tab. The Membership tab for the Provisioning Policy appears.
6. Click Add.
7. Select Organizational Role, All People, or Other from the drop-down menu and click Continue.
   - If you select All People and click Continue, the Membership tab reappears with All(*) listed.
   - If you select Organizational Role and click Continue, the Search feature to locate the Organizational Role appears. Search for the desired organizational role and add it to the membership. After adding the desired organizational role, the Membership tab reappears with the selected organizational roles listed.
   - If you select Other and click Continue, the Membership tab reappears with Others listed.
8. Click Submit. The changes to the provisioning policy are saved.

Adding an Entitlement

You must add an entitlement before a Provisioning Policy can take effect.

To add an entitlement:

1. Click Provisioning in the Main Menu Navigation Bar.
2. Navigate through the Organization Tree and click the name of the branch in which the desired Provisioning Policy is located.
3. Click Define Provisioning Policies in the task bar.
4. Click the name of the Provisioning Policy to which you want to add an Entitlement.
5. Click the Entitlements tab. The Entitlements tab for the Provisioning Policy appears.
6. Click Add.
7. Fill in the data on the Entitlement Detail page:
   - Select the Entitlement Type, either Manual or Automatic.
   - Select the Target Type as Service.
   - Select the Service Type as NotesProfile/NotesR6Profile.
     Note: The Service Selection Policy used will be the policy with a matching service profile. If more than one Service Selection Policy is defined for a service profile, the policy with the higher priority takes precedence.
   - Select the Service Name if you selected Service.
   - Select the Default Attributes, either Standard or Advanced.
   - Select the Process Definition.
8. Click Submit. The Entitlement Detail page reappears and informs you that the Entitlement has been added.
9. Click the General tab to return to the main page of the policy.
10. Click Submit.
11. Select an Effective Date/Time and click Submit. The Provisioning Policy List page reappears.
12. Click Refresh to update the page. If you selected Schedule Immediately or an Effective Date/Time in the past, the new policy should now be listed.

Verifying the Installations

Verifying the Notes Profile Installation

The following checks ensure that the Notes profile is installed properly:

1. If the agent profile installation was successful, an agent profile directory is created in the remote_resources directory of ITIM. Refer to Verifying the agent profile installation in the Notes Agent installation guide for details of the profile files installation directory.
2. If the creation of the Notes Service and its respective Provisioning Policy is successful, then the Notes Profile is installed successfully.
3. Try to open a Notes Account form on ITIM for a user creation. If the form opens without any error, then the Notes Profile is installed successfully. Perform the following steps to open the Notes Account form on ITIM:
   i. Log on to the Tivoli Identity Manager Server, using an account that has the authority to perform administrative tasks.
   ii. Select Provisioning from the Main Menu Navigation Bar.
   iii. Navigate through the organization tree and click the name of the branch to which the service was added.
   iv. On the Services List page, select the appropriate Service Name for the NotesR6Profile Service Type.
   v. On the Service Submenu page, select Accounts from the menu. The Account Management page opens, allowing you to view the accounts that have been provisioned by the Tivoli Identity Manager Server.
   vi. On the Notes User Account Form page.

Verifying the Notes Agent Installation

Refer to Verification of the Lotus Notes Agent installation in the Notes Agent installation guide.

Verifying the Notes Shadow Utility Installation

The following checks ensure that the Notes Shadow Utility is installed properly:

1. If the registry entries for the Notes Shadow Utility are present, then the agent is installed. Registry entries for the Shadow utility are under the key HKEY_LOCAL_MACHINE\SOFTWARE\Access360\NotesShadowAgent. The Notes Shadow Agent imports the registry keys of the Notes Agent to create its own registry under the name NotesShadowAgent. Use one of the following methods to check the registry settings:
   a. Open the Windows registry and check the entries under the above-specified path.
   b. Use the regis.exe utility to check the registry entries.
2. Check the installation directory for the Notes Shadow utility. If the Shadow utility is installed in the C:\ directory, then the following will be the directory structure for the Notes Shadow utility:

Figure 7: Notes Shadow Agent Install Directories

3. All the required files should be present in the above directory structure. The following files are installed:

Table 4: Contents of Directories of Notes Shadow Utility

Directory Name   Files                  Use
Bin              NotesShadowDb.exe      Main NotesShadowAgent exe
                 regis.exe              Used by installer to write to registry
                 DelRegKey.exe          Used by uninstaller to delete registry keys
License          License Files          Contains various licenses
LOG              Log Files              Used for logging all the activities
_uninst          Uninstallation Files   Used for uninstallation

Setting the Notes Deployment for Password Change Operation

Example of Domino Deployment with respect to User's ID file Storage

Example

Step 1:

Figure 8: Creation of User on Domino Administrator

The user is created through the Domino Administrator and the ID files are stored at the following locations:
a. In the User's Person document.
b. On a remote machine on a shared folder.

a. The ID file is attached to the User's person document.

Figure 9: User's ID File Attached to Person Document

b. All the User's ID files are also stored in a shared folder on a remote machine.

Figure 10: Copy of ID file on Remote Machine

Step 2: The Administrator then sends a mail (with the user's ID file and password) to the User's Manager.

Figure 11: Administrator sends User's ID file and password to his manager

Step 3: The Manager then forwards this mail (with the user's ID file and password) to the actual user.

Figure 12: Manager Forwards User's ID file and password to the actual User

Storage of Created User's ID file by Lotus Notes Agents

The Lotus Notes Agent creates the ID file for a User as a part of registration of the Notes Account on Domino. The Lotus Notes Agent can create the ID file at the following locations:

1. On the path specified from the ITIM server at the time of user registration (example, c:\id\user.id).
   a. On Local Drive (example, c:\id\user.id)
   b. On Remote machine (example, \\machinename\id\user.id)
   Refer to section Creation of User ID files of this guide and also the details of the Path of User ID File attribute on the TIM Account form.
2. Saves a copy of the created ID file to the User's person document. Refer to section Creation of User ID files and also the details of the SaveIDInAddressBook attribute on the TIM Account form.
3. Saves a copy of the User's ID file in the Notes Shadow Address Book. This is a Notes database created by the Administrator. The name of this Notes shadow address book is specified in the Notes Agent registry, from where the Notes Agent picks the name. Refer to section Verification of Notes Agents Registry Settings, m. NoteIDsAddressBook of this user guide for more details.
4. Saves a copy of the User's ID file in the Certlog.nsf database file.
5. Use the ID creation method through Notes Agent only with either of the following:
   a. Step 1, 2, 3 OR
   b. Step 1, 2, 4
6. The recommended method of ID file creation is step 5.a.

Why to use Notes Shadow Agent

Password Change action on Domino Server:

Passwords on Users' ID files can be changed on the Domino Server by the following methods:

1. By the Notes Administrator <Requires old Password>
2. By the Notes User using his Notes Client <Requires old Password>

Password Change through the Notes Administrator

The following screen shots show the way a password is changed for a User's ID file through Notes Client (Administrator):

Step 1: Log on to Notes Administrator using the Administrator's ID file, go to the Configuration TAB and open the Tools option on the right-hand side.

Figure 13: Configuration TAB of Domino Administrator

Step 2: Select the ID file on which you want to change the password and click the Open button.

Figure 14: Choose ID File Dialog

Step 3: Enter the user's old password and click the OK button.

Figure 15: Enter User's Current Password Dialog

Step 4: Click on the Change Password button to change the password.

Figure 16: User's ID Properties Dialog

Step 5: Reenter the user's old password and press the OK button.

Figure 17: Re-enter User's Current Password Dialog

Step 6: Enter the new password for the user and click the OK button.

Figure 18: Enter User's New Password Dialog

Step 7: Click the OK button.

Figure 19: Password Change Success Dialog

Step 8: Now this ID file with the new password is given to the user.

Password Change by the User using his Notes Client

The following screen shots show the way a password is changed by the user using his Notes Client:

Step 1: Log on to the Notes Client with the User's ID file.

Figure 20: Normal User Logged into Notes Client

Step 2: Select File > Security > User Security.

Figure 21: Selecting the User Security Dialog

Step 2: Click on the Change Password button.

Figure 22: User Security Dialog for User

Step 3: Enter the user's old password and press the OK button.

Figure 23: Enter User's Current Password Dialog

Step 4: Enter the new password for the user's ID file and press the OK button.

Figure 24: Enter User's New Password Dialog

Step 5: Press the OK button.

Figure 25: Password Change Success Dialog

Thus, in the above two cases, the password change operation works only when the user's old password is available.

ID file Password recovery through the Notes Administrator

If the user forgets the password on his ID file and needs to know it, the Notes Administrator uses the password recovery mechanism to recover the User's password on the ID file.

Password Change operation on User's ID file through Notes Agent

The Lotus Notes Agent also has password change functionality, as follows:

1. Password change without the old password.
2. Password change using the old password.

Password Change without using Old Password

The Lotus Notes agent can change the password on the user's ID file without the old password being used. The mechanism used by the Lotus Notes agent to do this is as follows:

1. When a password change operation is executed through Notes Agent (assuming that the Notes Agent does not know the old password of the user), the Notes Agent re-registers the user with a new ID file.
2. In this case, a new ID file is regenerated with a new password.
3. The old ID file is no longer in use, as the user has a new ID file.

In this way the password is changed on the ID file by re-registering the user and regenerating a new ID file for the user.

There is a problem with this mechanism. Assume that the User has encrypted mails in his mailbox and has some encrypted databases that were encrypted using the old ID file. Then, with the newly generated ID file, the user may not be able to access the old encrypted mails and databases. (The private key generated on this newly generated ID file is different from the one on the original User's ID file.)

To avoid the problem, the Notes Agent uses another mechanism: the old password is stored by the agent in a Notes database (known as Notes ShadowDB) at the time when the user is created, and this stored password is used as the old password for the password change operation. By using this mechanism, the user is able to access his old encrypted mails and databases.

To achieve this, the Agent needs to deploy the Shadow database (ShadowDB) with the User's ID file and password (the password is stored in ADK encrypted format and can be decrypted only by the Notes Agent) and then execute the Shadow Agent.

Password Change operation using Old Password

The following is the mechanism used by the Notes Agent to do a password change on an ID file of a User:

1. The Notes ShadowDb (example, NoteIDsAddressBook.nsf) has to be deployed with all the Users' ID file and password information.
2. To do this, execute the Notes Shadow Agent. The Notes Shadow Agent imports the user information (User's ID file and Password in ADK encrypted format) into the ShadowDB.
3. Once the ShadowDB is deployed with all the users' old passwords (ADK encrypted) and ID files, the Password change operation can be fired.
4. When a password change operation is fired through Notes Agent, the Agent uses the old password from the ShadowDB and sets the new password on the ID file at the specified location.

This mechanism of password change resolves the issue of accessing encrypted mails and databases.

Recommended Notes Agent Deployment for Existing Domino Deployment

Perform the following steps to make sure that the password change operation works properly for existing Domino deployments using Notes Agent through the ITIM Server:

1. Create a Mail account to collect mails from all the users.
2. All users should send a mail with their ID file, password and CN name to this Mail Account.
3. The mail file of this Mail Account acts as a central repository for deploying the User information (ID file, password and CN name) into another database (well known as the ShadowNAB) for the use of the Notes Agent.
4. Create a normal Notes database (ShadowNAB) on Domino for importing all user information from the mail file of the Mail Account into it. The name of this database file is configurable and can be set to anything as needed. (Refer to section Creation of Databases on Domino Resource of this user guide for more details.)
5. Make sure that the Notes User ID used by the Notes Agent to manage Domino Users has Manager access on this ShadowNAB.
6. Execute the Notes Shadow Agent to import all the User information (ID file, password and CN name) from the mail file of the created Mail account into the ShadowNAB. This ShadowNAB database will then be used by the Notes Agent to get the old password for any password change operation. Refer to section Executing the Notes Shadow Utility of this user guide for more details.
7. Before running the Notes Agent for a Password change operation, make sure that the registry setting for ShadowDb (refer to section Verification of Notes Agents Registry Settings, m. NoteIDsAddressBook of this user guide for more details) is properly pointing to the ShadowNAB.
8. Once all the above steps are performed, use Notes Agent to execute the Password Change operation through the ITIM server.

Recommended Notes Agent Deployment for Fresh Domino Deployment

Perform the following steps to make sure that the password change operation works properly for fresh Domino deployments using Notes Agent through the ITIM Server:

1. Create a normal Notes database (well known as ShadowNAB) on Domino through the Notes Administrator client in the data directory of the Domino server. The name of this database file is configurable and can be set to anything as needed. (Refer to section Creation of Databases on Domino Resource of this user guide for more details.)
2. Make sure that the Notes User ID used by the Notes Agent to manage Domino Users has Manager access on this ShadowNAB.
3. Before running the Notes Agent for a Password change operation, make sure that the registry setting for ShadowDb (refer to section Verification of Notes Agents Registry Settings, m. NoteIDsAddressBook of this user guide for more details) is properly pointing to the ShadowNAB.
4. Once all the above steps are performed, use Notes Agent to execute the Password Change operation through the ITIM server.

Executing the Notes Shadow Utility

Before you execute the Notes Shadow utility, make sure that the following are in place:

1. Make sure that all the Users have e-mailed their information (CN Name, password and ID file as attachment) to the <ITIM> account in the following format:

   CN=fn mn ln /O=company password

   fn is the user's first name, mn is the user's middle name, ln is the user's last name, company is your company name, and password is the user's ID file password.
   Note: Avoid adding a space before and after the = sign in the CN value.
2. Make sure that the <NotesIDsAddressBook.nsf> is present on the Domino server.
3. Make sure that the Lotus Notes account <ITIM> that is used by the Shadow utility has manager plus delete documents access to the account.
4. Make sure that the Notes Shadow Utility's registry settings are created properly.

Now, execute the Notes Shadow utility. Refer to section Storing existing data using the Shadow utility of the Notes Agent Installation Guide for executing the Notes Shadow utility.

Once the Notes Shadow utility is executed, all the users' information (common name of the user, ID file and its password) is stored in the <NoteIDsAddressbook.nsf> database file. The Notes Agent will use this database file for the user information.

Executing the Notes Agent for Reconciliation operation

Before you execute the Notes Agent, make sure that the following are in place:

1. Verify the checklist before executing the Notes Agent. Refer to Chapter 5 - Checklist before Running the Notes Agent of this document.
2. Make sure that the required settings for the Notes Agent are done (example, registry settings, log file settings, etc.).
3. Make sure that the Notes Service and its corresponding Provisioning policy are in place on the ITIM server.

Now run the Notes Agent either from the DOS console or from the Windows Service Control Manager.

Test Connectivity of ITIM Server with Notes Agent

To test the connectivity of the ITIM server with the Notes Agent, perform the following steps:

1. Log on to the Tivoli Identity Manager Server, using an account that has the authority to perform administrative tasks.
2. Select Provisioning from the Main Menu Navigation Bar.
3. Click on the created Notes <Service Name> service.
4. Click on Detailed Information on the Service <Service Name> menu.
5. The Add Modify Service form is displayed. Fill in all the required attributes on this form and click the Test button.
6. A new window opens displaying Test Successful, indicating that connectivity exists.

Execute reconciliation Operation through ITIM server

To execute the Reconciliation operation through the ITIM server, perform the following steps:

1. Log on to the Tivoli Identity Manager Server, using an account that has the authority to perform administrative tasks.
2. Select Provisioning from the Main Menu Navigation Bar.
3. Click on the created Notes <Service Name> service.
4. Click on Reconciliation on the Service <Service Name> menu.
5. If there are no Reconciliation units, create one by clicking the Add button.
6. The Submit Reconciliation Schedule menu appears. Select the default settings and click the Submit button.
7. Check the check box for the created Reconciliation unit and press the Run button.
8. The Run Reconciliation Schedule menu appears. Press the Run button.

All the Notes accounts will be reconciled on the ITIM server as Orphan accounts.

View the Reconciled accounts on ITIM Server

To view all the reconciled accounts, perform the following steps:

1. Log on to the Tivoli Identity Manager Server, using an account that has the authority to perform administrative tasks.
2. Select Provisioning from the Main Menu Navigation Bar.
3. Click on the created Notes <Service Name> service.
4. Click on Accounts on the Service <Service Name> menu.

Adopting Notes Account to Tivoli Identity Manager Users

System administrators can assign orphan accounts to an existing person in Tivoli Identity Manager. If the person is not eligible to adopt the orphan account, an error message appears and you are prompted to search for another account with valid permissions.

To adopt an orphan account:

1. Select Provisioning in the Main Menu Navigation Bar.
2. Navigate through the organization tree to the container in which the desired service is located.
3. Click Manage Services in the task bar. The service list page opens.
4. Click the name of the desired service. The Service Menu page opens.
5. Click Orphan Accounts. The Search Orphan Accounts page opens.
6. Search for the desired orphan accounts. The Orphan Accounts List page opens with the orphaned accounts listed.
7. Select the check box next to the accounts you want to adopt and click Adopt. You must search for a Tivoli Identity Manager person to adopt the account. The Adopt Orphan Account(s) Search page opens.
8. Click Search. The Search window appears.
9. Select a category, class, and attribute to search and click Search. The Search Results appear in the Search window.
10. Select the radio button next to the desired persons and click Add. The selected persons appear in the Person to Adopt Account(s) text field.
11. Click Done in the Search window. The Search window closes.
12. Click Submit. The Adopt Orphan Account(s) page opens with the orphan account and the selected account owner listed.
13. Click Submit. The Orphan Accounts List page reappears and the adopted account is no longer listed. If the adopted account is still listed, click Refresh.

47 Chapter 5 Checklist Before Running The Notes Agent The following sections lists all the important checkpoints to be evaluated before running the Agent: Adding Path of nnotes.dll file to PATH system environment variable Make sure that the path of nnotes.dll is included in the PATH System variable. This path is required by the Notes Agent to initialize the Notes session. A dynamic link library (nnotes.dll) is installed with the Lotus Domino or Lotus Client installation. Notes Agent uses this dll for its execution. Make sure that this dll is not placed in Agent bin directory or Windows System32 directory. Suppose your Notes Client is installed in C:\Lotus\Notes and its data directory is C:\Lotus\Notes\data Perform following steps for adding the nnotes.dll path to the environment path. STEP 1: Make sure that nnotes.dll is not present in Agent bin directory or Windows System32 directory. If present remove the nnotes.dll from this path STEP 2: Open the System Properties dialog by right clicking on My Computer icon on desktop and click Properties from the menu. Figure 26: Opening System Properties Dialog IBM Tivoli Lotus Notes Agent White Paper 47

STEP 3: The following dialog will appear.

Figure 27: System Properties Dialog General TAB

STEP 4: Go to the Advanced TAB.

Figure 28: System Properties Dialog Advanced TAB

STEP 5: Click the Environment Variables button in the above dialog and select the Path variable.

Figure 29: Environment Variables Dialog

STEP 6: Click the Edit button on the above dialog and add the path C:\Lotus\Notes to the Path system variable.

Figure 30: System Variable Editing Dialog

STEP 7: Press OK on the above dialog.
STEP 8: Press OK on the Environment Variables dialog. (STEP 5)
STEP 9: Press Apply and OK on the System Properties dialog. (STEP 4)

NOTE: If the above setting is not done properly, the agent might return the following error:

    Error: InitSession Initialization FAILURE Return code: 0x1007 Cause: (no errormessage available)

Cause: The Notes Agent uses the "nnotes.dll" file for its execution. This error occurs when the "nnotes.dll" file is present in the "System32" directory of Windows. The Agent picks the file up from the "System32" directory, but it won't find the notes.ini file there. The agent therefore can't initialize the session and fails with the above error.

Solution: Assuming that the Lotus Notes client is installed in the path c:\lotus\notes, the "nnotes.dll" and "notes.ini" files reside in "c:\lotus\notes". The Notes Agent requires both these files to be in the same directory, and the path of these files needs to be put in the PATH environment variable. This error can occur if the file "nnotes.dll" is also found in some other path, such as "\Windows\System32".

Before running the Notes Agent:

1. Ensure that the path of "nnotes.dll" (c:\lotus\notes) is added to the PATH environment variable.
2. Remove the "nnotes.dll" file if it exists in any path other than the above.
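The two pre-flight checks above can be scripted instead of inspected by hand. The following is an added example, not code from the adapter or from IBM: the function names and the placeholder Agent bin path are assumptions, and the directories in the demo are the ones the paper uses as its example.

```python
import os

DLL_NAME = "nnotes.dll"
INI_NAME = "notes.ini"


def has_file(directory, name):
    """Case-insensitive lookup, because Windows file names ignore case."""
    try:
        return any(e.lower() == name.lower() for e in os.listdir(directory))
    except OSError:
        return False  # PATH entry that is missing or unreadable


def norm(path):
    """Normalise a directory so the same location compares equal."""
    return os.path.normcase(os.path.normpath(path))


def audit_nnotes_dll(path_value, notes_dir, forbidden_dirs, sep=os.pathsep):
    """Return a list of findings; an empty list means the checklist passes.

    path_value     -- contents of the PATH system variable
    notes_dir      -- Notes client directory (C:\\Lotus\\Notes in the paper)
    forbidden_dirs -- directories the paper says must not hold nnotes.dll
                      (Agent bin directory, Windows System32)
    """
    findings = []
    path_dirs = [d.strip().strip('"') for d in path_value.split(sep) if d.strip()]
    on_path = {norm(d) for d in path_dirs}
    notes_key = norm(notes_dir)

    # Check 1: the Notes directory is on PATH and holds both files together.
    if notes_key not in on_path:
        findings.append(f"add {notes_dir} to PATH")
    for name in (DLL_NAME, INI_NAME):
        if not has_file(notes_dir, name):
            findings.append(f"{name} missing from {notes_dir}")

    # Check 2: no other copy of nnotes.dll, neither in the forbidden
    # directories nor in any other PATH entry. Each directory is
    # inspected once, in the order given.
    checked = {notes_key}
    for d in list(forbidden_dirs) + path_dirs:
        key = norm(d)
        if key in checked:
            continue
        checked.add(key)
        if has_file(d, DLL_NAME):
            findings.append(f"remove stray {DLL_NAME} from {d}")
    return findings


if __name__ == "__main__":
    # The Agent bin path below is a placeholder; substitute the real one.
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    agent_bin = r"C:\path\to\agent\bin"
    for finding in audit_nnotes_dll(os.environ.get("PATH", ""),
                                    r"C:\Lotus\Notes", [agent_bin, system32]):
        print(finding)
```

An empty result means both conditions from the checklist hold. Any "remove stray" finding points at a copy that would reproduce the 0x1007 initialization failure described above.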

Verification of Notes Agents Registry Settings

Figure 31: Non-Encrypted Registry Setting of Notes Agent

Encrypted Registry Setting of Notes Agent

Make sure that all the following registry settings have the required values for the deployment.

a. Notes Address Book
   This registry setting holds the name of the Domino Notes Address Book. If the name of the Domino Notes Address Book is anything other than names.nsf, specify the name of the Domino Notes Address Book database file as the value of this registry key. The Domino Notes Address Book database file is different from the NoteIdsAddressBook <NoteIdsAddressBook.nsf> database file.

b. Domino Server
   Make sure that the Domino Server name is correctly specified in your Notes Agent registry.

c. Domino Version Number
   Make sure that the Domino Version number is the one that is used in your deployment. Also make sure that the right profile has been installed for your Domino Version. It should be either 5 or 6.

d. Workstation ID File Location
   Make sure that only one ID file of the Administrator is present on the Notes Agent machine. The path of this ID file should be correctly specified as the value for this registry key.

e. Workstation Password (Encrypted registry key)
   Make sure that the right ADK encrypted password is specified as the value for this registry key. Use only the AgentCfg tool to modify the value of this registry key.

f. Use ShortName
   If your Notes Agent deployment needs the shortname value as the unique ID on the ITIM server, set the value of this registry key to TRUE, else set it to FALSE. If the value of this registry key is TRUE, DO NOT use the Short Name attribute on the Notes Account form on ITIM (PERSONAL TAB). The Notes Agent ignores the specified value of the Short Name attribute from ITIM in an ADD or MODIFY request.

g. AuditShortName
   If your Notes Agent deployment needs the internet address to be the unique ID on the ITIM server when the shortname value is NULL, set the value of this registry key to TRUE, else set it to FALSE. Use this registry key only when the value of the Use ShortName registry key is TRUE, else keep it FALSE.

h. Suspend Group
   This registry key contains the base name of the groups that are used by the Notes Agent to keep the CN values of the suspended users. Make sure that the suspend groups have been created on the Domino Server. All the suspend groups must have names that start with the value specified in this registry key. Refer to the section "Group creation on the Lotus Domino Server" in the Notes Agent installation guide to create groups on the Domino Server.

i. Synchronize HTTPPassword
   If your Notes agent deployment requires the User Password to be set as the Internet Password in an Add or Modify request, set the value of this registry entry to TRUE, else keep it FALSE.

j. Suspend HTTPPassword
   This registry key contains the base name of the groups that are used by the Notes Agent to keep the CN values of the suspended users for restricting Internet access. Make sure that the suspend HTTP groups have been created on the Domino Server. All the suspend HTTP groups must have names that start with the value specified in this registry key. Refer to the section "Group creation on the Lotus Domino Server" in the Notes Agent installation guide to create groups on the Domino Server.

k. Delete Group
   This registry key contains the name of the group that is used by the Notes Agent to keep the CN values of the deleted users. Make sure that the delete groups have been created on the Domino Server. All the delete groups must have names that start with the value specified in this registry key. Refer to the section "Group creation on the Lotus Domino Server" in the Notes Agent installation guide to create groups on the Domino Server.

l. Delete Mail DB
   If your Notes Agent deployment requires the mail database file to be deleted on user deletion, set the value of this registry key to TRUE, else keep it FALSE.

m. NoteIDsAddressBook
   The value of this key is a database file <NoteIdsAddressBook.nsf>, which has to be manually created on the Domino Server. This <NoteIdsAddressBook.nsf> database file is different from the Domino Notes Address Book database file. If your Notes deployment is using this database file, DO NOT use the User ID in CertLog attribute from the Notes Account Form (ADMINISTRATION TAB). If this registry entry is not present, the Notes Agent uses the CERTLOG.NSF file for storing user information (ID file and password).
   This database file is used to store user information (the user's ADK encrypted password and the user's ID file) for each ADD operation. In a Modify operation (password change), the old password of the user is picked from this database file, the password is changed, and the new ID file is re-attached to this database file. On a delete operation, the user information, the user's password and the ID file are removed from this file. Refer to the section "Database creation on the Lotus Domino Server" in the Notes Agent installation guide to create groups on the Domino Server.

n. Log DB
   The value of this key is a database file <LogDB.nsf>, which has to be manually created on the Domino Server. This database file <LogDB.nsf> contains the entries of the suspended and deleted users. Refer to the section "Database creation on the Lotus Domino Server" in the Notes Agent installation guide to create groups on the Domino Server.

o. Attributes not RECONCILED
   This key holds a list of attribute names that are excluded from the reconciliation/userlookup process. Separate the attributes with a semicolon if you list more than one attribute. Example value for this key: Certificate;$UpdatedBy;$Revisions

p. Attributes Reconciled
   Specify a list of attributes to include in the reconciliation/userlookup process. Separate the attributes with a semicolon if you list more than one attribute, for example, Certificate;$UpdatedBy;$Revisions.

   If you leave the Attributes Reconciled key blank, all attributes except the ones specified in the Attributes not RECONCILED list will be returned during reconciliation.

q. CustomEruid
   The Notes Agent installer creates this registry key with an empty value. The value of this key will be the resource name of the attribute to be used as Custom ERUID. Only the following field/attribute types are supported for Custom ERUID:
   a. Single value STRING attribute
   b. Multivalue STRING attribute
   c. Single value NUMERIC attribute

r. Use ITIM_ERUID
   The value of this registry key can be either TRUE or FALSE. The Notes Agent installer creates this registry key with the default value FALSE. The Lotus Notes Agent uses this registry key (if set to TRUE) for the following reasons:
   i. The Lotus Notes Agent creates a new field ITIM_ERUID in the person document of each user when a user/account is created.
   ii. The Lotus Notes Agent also saves the value of Eruid from ITIM into the ITIM_ERUID field in each user's person document.
   iii. If you are executing the Reconciliation operation for the first time with the registry key "Use ITIM_ERUID" set to TRUE, the Lotus Notes Agent creates a new field ITIM_ERUID in the person document for each user with the value from the 'Full name' or 'Short name' or 'Custom' field used for Eruid.

s. Refresh ITIM_ERUID
   The value of this registry key can be either TRUE or FALSE. The Notes Agent installer creates this registry key with the default value FALSE. The Lotus Notes Agent uses this registry key (if set to TRUE) for the following reasons:
   i. This registry key is used by the Lotus Notes Agent in the reconciliation operation for deleting the ITIM_ERUID field from the person document for all the users.
   ii. This reconciliation operation will use the value for Eruid from the 'Full name' or 'Short name' or 'Custom' field used for Eruid.

t. Store ERUID in FullName
   If your Notes agent deployment requires the value of ERUID/User Id to be stored in the FullName field of the user's person document, set the value of this registry key to TRUE, else keep it FALSE. This registry key can only be used when the following fields are used as ERUID: ShortName, Custom attribute or ITIM_ERUID.

u. Change HTTPPassword First
   In a password change operation, if your Notes agent deployment requires changing the value of the HTTP password before changing the user password, set the value of this registry entry to TRUE, else keep it FALSE.

v. Update Server Doc
   If your Notes agent deployment requires populating the Not access server field of the Server Document with all suspend groups, set the value of this registry entry to TRUE, else keep it FALSE.

w. Certification File Location
x. Certification Password (Encrypted registry key)
   The Notes Agent now allows the Certification ID file name and its password to be specified in the Notes Agent registry. If your Notes Agent deployment wants to avoid specifying the Certification ID file name and its password on the Notes Account form in an ADD operation, specify their values in these registry keys. If the Notes Agent receives the values of the Certification ID file name and its password from ITIM in an ADD operation, the agent ignores these two registry key values (whether they are empty/blank or hold some value).
   For example, specify the values of these registry keys as follows:
      Certification File Location as C:\Lotus\Domino\cert.id
      Certification Password as passwordofcertifier
   Note: Use the AgentCfg tool to modify the value of the Certification Password registry key.

y. Execute AdminP Operation
   If your Notes Agent deployment requires a user to be deleted using the DeleteInNAB adminp operation in a deprovisioning ITIM request, set the value of this registry key to TRUE, else keep it FALSE.

z. Mail Template Server
   The Notes Agent now supports Mail Template file names as supporting data. If your Notes Agent deployment requires mail template files to be picked from a specific mail server, specify the Domino Server name as the value for this registry key. If the value of this registry key is empty, the Notes Agent will pick the mail template file names from the Domino Registration Server specified in the registry key Domino Server.

Setting required on Domino

Before running the Notes Agent, the following settings must be done on the Domino resource to make sure that the Notes Agent functions without any problem:

1. Create the required groups for the Notes Agent.
2. Create the required databases (Shadow NAB and Log DB) for the Notes Agent.
3. Do the setting required for setting the mail quota size attribute of a user by the Notes Agent.

Creation of Groups on Domino Resource

Assume you have installed the Notes Agent and the following are the registry settings:

Figure 32: Registry Setting of a Sample Installed Notes Agent - Groups

The figure shows the group names Deleted Users, Suspended users and HTTPSuspended Users. Groups with names starting with these registry key values should be created on Domino using the Lotus Notes Administrator client as shown below:

Step 1: Log in to the Lotus Notes Administrator client and click the Groups view as shown below.

Figure 33: Administrator Logged In and Peoples View

Step 2: Click the Add Group button to create a new group.

Figure 34: Administrator Logged In and Groups View

Step 3: Click on the Groups View in the above figure.

Figure 35: Adding a new Group
(Figure callouts: Enter the name of the group to be created. Enter the description of this group. Any of the following can be selected:,,,,)

Step 3: Enter the Group name and its description, and click the Save and Close button to create the group.

Figure 36: Saving and Closing the Newly Added Group

Similarly, create the other groups (Deleted Users and HTTPSuspended Users) as per the above 3 steps.

Giving server access to Groups

Step 1: Log in to the Lotus Notes Administrator client and click the Configuration tab.

Figure 37: Administrator Logged in and Configuration TAB

Step 2: Double-click the Server view as shown below.

Figure 38: Configuration TAB and Server View

Step 3: Click the Current Server Document view to open the Server Document and then go to the Security tab as shown below.

Figure 39: Current Server Document

Step 4: Scroll the screen down to see the Not Access Server setting as shown below.

Figure 40: Security TAB of Current Server Document I

Step 5: Add the name of the Suspended Users groups to the Not Access Server option and then click the Save & Close button to save the server document.

Figure 41: Not Access Server option of Current Server Document

Note: The above screen shots are given for Lotus Notes Administrator version 6. Similar settings are also for Lotus Notes Administrator version 6. Refer Notes Agent installation guide section Group creation on the Lotus Domino Server for

Creation of Notes Databases on Domino Resource

Assume you have installed the Notes Agent and the following are the registry settings:

Figure 42: Registry Setting of a Sample Installed Notes Agent Databases

The above figure shows the database names LogDB.nsf and NoteIDsAddressBook.nsf that should be created on Domino using the Lotus Notes Administrator client as shown below:

Step 1: Log in to the Lotus Notes Administrator and click the Files tab as shown below.

Figure 43: Administrator Logged in and Peoples View

Step 2: Click File > Database > New to create a new database as shown below.

Figure 44: Administrator Logged in and Data TAB

Step 3: Enter the values as shown below for the new database to be created:

1. Specify the Server name on which this database is to be created.
2. Specify the title of the database to be created.
3. Specify the name of the database to be created (LogDb.nsf OR NoteIDsAddressBook.nsf).
4. Specify the server name from which to get the templates. You can keep it Local.
5. Select a template for the database to be created.

Figure 45: Create a New Database

For LogDb.nsf: The recommended template for LogDB.nsf is the Personal Address Book template.

For NoteIDsAddressBook.nsf: The recommended template for NoteIDsAddressBook.nsf is the Blank template. Customers can use the Personal Address Book template if this database file needs to be edited.

Note: The above screen shots are given for Lotus Notes Administrator version 6. Similar settings are also for Lotus Notes Administrator version 6. Refer Notes Agent installation guide section Database creation on the Lotus Domino Server for brief description of creation of database

Setting required for Mail Quota Size

Make sure that the required setting is done for the Mail Quota size depending on the Domino version (5 or 6) in use. Refer to the sections "Mail quota size requirements for Lotus Notes R5" and "Mail quota size requirements for Lotus Notes 6" in the Notes Agent installation guide to do the mail quota size setting.

Transformation File (xforms.xml)

Make sure that the xforms.xml file is the same in the ITIM (notesprofile) profile directory and in the Notes Agent's data directory.

DLL files used by Notes Agent

The following files are used by the Notes Agent and are mandatory.

NotesAuth.dll
The Notes Agent internally uses this dynamic link library, which uses the following registry key values for authorizing with the Domino Server:
a. Workstation ID File Location.
b. Workstation Password.
This file is stored in the Windows System32 directory at the time of Agent installation. Do not keep this NotesAuth.dll file in the Agent's bin directory. Refer to the Extension Manager details in the help file for the C Notes Library api60ref.nsf, which comes with Lotus C API Toolkit for Notes_Domino W9.x_2K_NT_XP_English c50gdna.exe.

lncpp21.dll
This is the C++ Notes dynamic link library used by the Notes Agent for executing Notes APIs. This file is stored in the Windows System32 directory at the time of Agent installation. Do not keep this lncpp21.dll file in the Agent's bin directory.

Last Logged in User on Notes Client

For the Notes Agent to execute, the Administrator must have logged in using the Lotus Client/Lotus Administrator on the same machine where the Agent is running. The agent requires that the last logged in user on the Notes Client on which the agent is running is always the Administrator. The following scenarios allow the Agent to run:

1. The Administrator is always logged in using Lotus Notes Client/Lotus Administrator while the Agent is running.
2. The Administrator logs on once and logs off immediately, and then the agent is run. (Make sure that no other user is logged in while running the agent, after the administrator is logged off.)
3. Log in as Administrator, log off immediately and restart the machine where the agent is supposed to run. After the machine is restarted, start the Agent. (Make sure that no other user is logged in while running the agent, after the administrator is logged off.)

Note: Always make sure that the Administrator is logged in properly with its own ID file and not using any other ID file. There are cases in which the ID file used for logging in may be server.id or dolcert.id or any other user's ID file. Avoid logging in with these ID files before running the agent.

Supported configurations for Notes Agent

Make sure that the Notes Agent you are deploying is in a setup that is supported. Refer to the section "Supported configurations and Non-supported configuration" in the Notes Agent installation guide for more details on setup/configuration for the Notes Agent.

Code Page setting for the Notes Agent

To use the Notes Adapter with a non-English (for example, Japanese) version of Notes Administrator and Domino Server on a non-English (for example, Japanese) OS, you need to first set the Code Page for the agent. After successfully installing the Agent, perform the following steps:

a. Run agentcfg.exe for the agent. Eg: agentcfg.exe -a NotesAgent
b. Select option "I. Codepage Support"
c. Select option "A Codepage Configure"
d. Enter the appropriate codepage. Eg: "ibm-943_p14a-1999"
e. Restart the Notes Adapter.

NOTE: The list of supported codepages can be found by using the -codepage option of agentcfg. Eg: agentcfg.exe -a NotesAgent -codepage

Chapter 6 - Notes Agent Functionality

Add Operation Functionality

You can use the Tivoli Identity Manager Server GUI to create accounts by completing the following steps:

1. Log on to the Tivoli Identity Manager Server, using an account that has the authority to perform administrative tasks.
2. Select Provisioning from the Main Menu Navigation Bar.
3. Navigate through the organization tree and click the name of the branch to which the service was added.
4. On the Services List page, select the appropriate Service Name for the NotesR6Profile Service Type.
5. On the Service Submenu page, select Accounts from the menu. The Account Management page opens, allowing you to view the accounts that have been provisioned by the Tivoli Identity Manager Server.
6. On the Notes User Account Form page, enter the information requested in the corresponding text fields as given in the table below:

Table 5: Required fields for Notes Accounts creation

No  Field Name                  Description
1   Login ID                    Login ID of the account.
2   Last Name                   Last name of the account holder.
3   Path of Certifier ID File   Location of the cert.id file on the Lotus Domino Server. Enter the absolute path of the certifier file. For example, C:\Lotus\Domino\Data\cert.id.
4   Password for the Certifier  Password for certifier ID (cert.id) file.

The above fields are the required fields (only for ADD and PASSWORD CHANGE operations) that need to be specified for creating a Notes account if you are not using the registry keys Certification File Location and Certification Password.

The Notes Agent now allows the Path of Certifier ID File and its password to be specified in the Notes Agent registry. If your Notes Agent deployment wants to avoid specifying the Path of Certifier ID File and its password on the Notes Account form in an ADD operation, specify their values in these registry keys. If the Notes Agent receives the values of Path of Certifier ID File and its password from ITIM in an ADD operation, the agent ignores these two registry key values (whether they are empty/blank or hold some value).

For example, specify the values of these registry keys as follows:
   Certification File Location as C:\Lotus\Domino\cert.id
   Certification Password as passwordofcertifier

Note: Use the AgentCfg tool to modify the value of the Certification Password registry key.

The following screenshot shows the Notes Account form on ITIM with minimum attributes specified for an ADD operation:

Figure 46: Notes Account form with Minimum attributes to ADD a user.

The following screenshot shows the Notes Account form on ITIM with minimum attributes specified for an ADD operation, assuming that the certifier ID file name/path and its password are present in the agent's registry:

The fields below are the required fields that need to be specified for creating a Notes account if you are using the registry keys Certification File Location and Certification Password and they hold correct values for the Certifier ID file path and its password.

Table 5: Required fields for Notes Accounts creation

No  Field Name  Description
1   Login ID    Login ID of the account.
2   Last Name   Last name of the account holder.

The following registry keys will be used for the Certification ID file name and the password for the above Account form for the ADD operation:

The Notes Account provides some more attributes with default values when a user account is created with the above parameters. The following table lists these attributes with their default values:

Table 6: Fields available with default values for Notes Accounts creation

Variable                Default Value
CertExpDate             If no value is specified, a default expiry date of 2 years is taken.
CheckPassword           Do not check password
Generational Qualifier  I
MailOwnerAccess         Designer
MailSystem              Notes
PersonalTitle           Mr.

Specifying Certification Expiry Date Attribute

To create a user with a certifier expiration date, specify the attributes with their values in ITIM as follows:

1. User Id / Login ID - UserId
2. Last Name - Lastname
3. Path of Certifier [Absolute path of cert file] - C:\Lotus\Domino\data\cert.id
4. Certifier Password - password
5. Certificate Expiration Date - MM/DD/YYYY HH:MM:SS

The following is the format of the Certificate Expiration Date:

MM/DD/YYYY HH:MM:SS
MM Month, DD Day, YYYY Year, HH Hour, MM Minutes, SS Seconds
For example 01/01/ :01:01

The following screen shot shows the ADD operation Account form on ITIM:

Valid values to be specified for First Name and Last Name attributes

Consider the following points when specifying the First Name (if specified on user creation) and the Last Name on the Notes Account form for user creation:

1. Characters that the Domino resource does not allow (for First Name and Last Name) are not allowed by the agent for user creation through ITIM.
2. The following characters are valid in the First Name and Last Name:
   a. Alphabets (Unicode)
   b. Numbers (Unicode)
   c. Punctuations (Allowed punctuations are & - _ ' . space). These are allowed on the Domino resource too.
3. The following characters are invalid in the First Name and Last Name:
   a. Control characters
   b. Punctuations (any punctuation characters other than those given above are not valid)
4. If the First Name or Last Name contains invalid characters, the agent will display an appropriate error.
5. The following are some examples of invalid First and Last names:
   a. Jos/eph (Invalid First Name, contains / character)
   b. D Souz/a (Invalid Last Name, contains / character)
   c. Jos*@ eph (Invalid First Name, contains punctuations characters and control characters)
6. The following are some examples of valid First Name and Last Name:
   a. Фиап (Valid First Name, contains Russian characters)
   b. Jo&_h-n (Valid First Name, contains punctuation characters that are allowed on the resource)
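The character rules above can be applied before a request is submitted, so that a rejected name is caught with the offending character identified. This is an added example, not the adapter's own validation code: the function names are hypothetical, the allowed punctuation set is this example's reading of the list in point 2c, and accepting combining marks as part of a letter is an assumption.

```python
import unicodedata

# Reading of the allowed list in point 2c: & - _ ' . and space
ALLOWED_PUNCTUATION = frozenset("&-_'. ")


def invalid_name_chars(value):
    """Return [(char, Unicode general category)] for each rejected character."""
    rejected = []
    for ch in value:
        category = unicodedata.category(ch)
        if category[0] in "LN":
            continue  # alphabets and numbers in any script
        if category[0] == "M":
            continue  # assumption: combining marks belong to their letter
        if ch in ALLOWED_PUNCTUATION:
            continue
        rejected.append((ch, category))
    return rejected


def describe(ch, category):
    """Human-readable description that never echoes a raw control character."""
    if category[0] == "C":
        return f"control character U+{ord(ch):04X}"
    return f"character {ch!r} (U+{ord(ch):04X}, category {category})"


def check_account_names(first_name, last_name):
    """Validate the two name fields of an ADD request.

    First Name is optional on the account form, Last Name is required.
    Returns a list of error strings; an empty list means both names pass.
    """
    errors = []
    if not last_name:
        errors.append("Last Name is required")
    for field, value in (("First Name", first_name), ("Last Name", last_name)):
        for ch, category in invalid_name_chars(value or ""):
            errors.append(f"Invalid {field}: contains {describe(ch, category)}")
    return errors


if __name__ == "__main__":
    # Names taken from the examples in points 5 and 6 above.
    for first, last in [("Jos/eph", "Smith"), ("Фиап", "Jo&_h-n"), ("Jos*@ eph", "D Souz/a")]:
        print(first, "|", last, "->", check_account_names(first, last) or "valid")
```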

Using Full name field for storing User Id from ITIM

The registry setting Use ShortName = FALSE, CustomEruid = empty and Use ITIM_ERUID = FALSE implies that the User Id on TIM is mapped to the User name field of the person document. In this case the value of the Store ERUID in FullName registry key must be TRUE.

If the user is created with the following attributes and their values from TIM:

1. User Id - UserID
2. Last Name - LastName
3. Path of Certifier [Absolute path of cert file] - C:\Lotus\Domino\data\cert.id
4. Certifier password - password
5. Short Name/User ID - ShortName
6. Full Name - FullName1, FullName2, FullName3

The following fields get filled in the person document of the created user as shown below:

1. Last Name - LastName
2. User name - LastName/Company FullName1 FullName2 FullName3 UserID
3. Short name/userid - ShortName

The User Id attribute's value from TIM is added at the end of all the values in the User name field of this registered user's person document.

Using Short name field for storing User Id from ITIM

The registry setting Use ShortName = TRUE means that the User Id on TIM is mapped to the Short name/userid field of the person document. In this case the value of the CustomEruid registry key must be blank, and the value of the Use ITIM_ERUID registry key can be FALSE or TRUE. The value of the User Id is stored in the FullName field only if the value of the Store ERUID in FullName registry key is TRUE.

If the user is created with the following attributes and their values from TIM:

1. User Id - UserID
2. Last Name - LastName
3. Path of Certifier [Absolute path of cert file] - C:\Lotus\Domino\data\cert.id
4. Certifier password - password
5. Short Name/User ID - ShortName
6. Full Name - FullName1, FullName2, FullName3

Then the following fields get filled in the person document of the created user:

1. Last Name - LastName
2. User name - LastName/Company FullName1 FullName2 FullName3 UserID
3. Short name/userid - UserID

Notes Agent ignores the ShortName/User ID field from ITIM when the Use ShortName registry setting is FALSE. This field on ITIM should not be used when the Use ShortName registry setting is FALSE.

The User Id attribute's value from TIM is added at the end of all the values in the User name and the Short name fields of this registered user's person document.

Using Custom Eruid field for storing User Id from ITIM

When the registry setting CustomEruid holds an attribute name, the User Id on TIM is mapped to that attribute field of the person document. In this case the value of the Use ShortName registry key must be FALSE, and the value of the Use ITIM_ERUID registry key can be FALSE or TRUE. The value of the User Id is stored in the FullName field only if the value of the Store ERUID in FullName registry key is TRUE.

Assume that the value of the CustomEruid registry key is DirSynchKey.

If the user is created with the following attributes and their values from TIM:

1. User Id - UserID
2. Last Name - LastName
3. Path of Certifier [Absolute path of cert file] - C:\Lotus\Domino\data\cert.id
4. Certifier password - password
5. Short Name/User ID - ShortName
6. Full Name - FullName1, FullName2, FullName3

The following fields get filled in the person document of the created user as shown below:

1. Last Name - LastName
2. User name - LastName/Company FullName1 FullName2 FullName3 UserID
3. Short name/userid - ShortName
4. DirSynchKey - UserID

The User Id attribute's value from TIM is added to the DirSynchKey field in the user's person document. The User Id attribute's value from TIM is also added at the end of all the values in the User name field of this registered user's person document.
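The three mappings above (Full name, Short name, Custom Eruid) and the registry combinations they require can be modelled in a few lines, which is useful for checking a planned registry configuration before deployment. This is an added example, not the adapter's code: the class and function names are hypothetical, the person document is reduced to the fields named in the three sections, and the hierarchical name is passed in ready-made.

```python
from dataclasses import dataclass


@dataclass
class EruidSettings:
    use_shortname: bool = False            # registry key "Use ShortName"
    custom_eruid: str = ""                 # registry key "CustomEruid"
    use_itim_eruid: bool = False           # registry key "Use ITIM_ERUID"
    store_eruid_in_fullname: bool = False  # registry key "Store ERUID in FullName"


def check_settings(s):
    """Return the rule violations stated in the three mapping sections."""
    errors = []
    if s.use_shortname and s.custom_eruid:
        errors.append("CustomEruid must be blank when Use ShortName is TRUE")
    fullname_only = not (s.use_shortname or s.custom_eruid or s.use_itim_eruid)
    if fullname_only and not s.store_eruid_in_fullname:
        errors.append("Store ERUID in FullName must be TRUE when the Full name "
                      "field is the only place the User Id is kept")
    return errors


def person_document(s, user_id, last_name, hierarchical_name,
                    short_name="", full_names=()):
    """Build the person-document fields that an ADD request would fill."""
    errors = check_settings(s)
    if errors:
        raise ValueError("; ".join(errors))
    names = [hierarchical_name, *full_names]
    if s.store_eruid_in_fullname:
        names.append(user_id)  # User Id goes after all other values
    doc = {
        "LastName": last_name,
        "FullName": names,
        # With Use ShortName = TRUE the Short Name sent by ITIM is ignored.
        "ShortName": user_id if s.use_shortname else short_name,
    }
    if s.custom_eruid:
        doc[s.custom_eruid] = user_id
    if s.use_itim_eruid:
        doc["ITIM_ERUID"] = user_id
    return doc


def fields_holding_eruid(doc, user_id):
    """List the fields that carry the link back to the ITIM identity."""
    holders = []
    for name, value in doc.items():
        values = value if isinstance(value, list) else [value]
        if user_id in values:
            holders.append(name)
    return holders


if __name__ == "__main__":
    # Request values from the worked examples in the three sections.
    request = dict(user_id="UserID", last_name="LastName",
                   hierarchical_name="LastName/Company", short_name="ShortName",
                   full_names=["FullName1", "FullName2", "FullName3"])
    for settings in (EruidSettings(store_eruid_in_fullname=True),
                     EruidSettings(use_shortname=True, store_eruid_in_fullname=True),
                     EruidSettings(custom_eruid="DirSynchKey", store_eruid_in_fullname=True)):
        doc = person_document(settings, **request)
        print(fields_holding_eruid(doc, "UserID"), doc)
```

A configuration in which `fields_holding_eruid` returns only `FullName` keeps the link to the ITIM identity in a single multi-value field, which is the case to review first when accounts turn up as orphans after reconciliation.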

Using "Use ITIM_ERUID" registry key

When an AdminP rename operation is performed through the Notes Agent on a user, the last value (which is used to store the eruid value) in the Full name field gets wiped out. After a reconciliation operation is performed for this user, the user account goes into the list of Orphan Accounts.

Eliminating orphan accounts requires the creation of an immutable key to link the Notes Account to the ITIM Identity. The original design added a new ITIM_ERUID to the Notes NAB to serve this purpose. Using the ITIM_ERUID field provides Natexis with the flexibility to change any/all attributes on a Notes Account simultaneously and still maintain the ownership to an ITIM Identity. Only through use of the ITIM_ERUID field does this enhancement fulfill the original customer FITS request to eliminate orphan accounts during Recon.

This updated enhancement specification adds an option to turn OFF use of the ITIM_ERUID field. While this option prevents any modification of the Notes NAB, it requires Natexis to assume responsibility for the maintenance of the shortname link to ITIM. Natexis acknowledges and accepts that the restrictions outlined in Item 6 (below) must be followed in order to maintain the link to ITIM and eliminate orphan accounts. The restrictions are designed to ensure that the shortname contained within ITIM is always identical to the shortname contained within Domino.

In all the examples below the value of the registry key Store ERUID in FullName is assumed to be TRUE.

1. Full name field is used to store the value of eruid <Value of Use ShortName = FALSE and value of CustomERUID is blank>
   a. If Registry key Use ITIM_ERUID = FALSE
      i. Assume the user is created with the following values from ITIM:
         1. Eruid = eruid
         2. First name = firstname
         3. Last Name = lastname
         4. Cert ID file path = c:\lotus\domino\cert.id
         5. Cert ID file password = password
      ii. The user will be created on the Domino resource with the following values in its Full name field in the person document:
         1. firstname lastname/ibm
         2. firstname lastname
         3. eruid
      iii. The field ITIM_ERUID will not be created in the person document for any user.
      iv. The Lotus Notes agent will use the last value (eruid, as above) in the Full name field of the person document for the ERUID to be sent back to ITIM.

      Note: If this scenario is deployed, firing an AdminP Rename on a user will cause the user to go into the Orphan account list after a reconciliation operation. Some customers implement a Workflow to resolve this issue by doing the following:

85 1.After the AdminP Rename is fired through the Lotus Notes Agent, they have a workflow that will modify the value of ERUID on ITIM directory server directly. 2.By doing this, the User does not go to the list of Orphan accounts. b. If Registry key Use ITIM_ERUID = TRUE i. Assume the user is created with the following values from ITIM: 1. Eruid = Eruid 2. First name = firstname 3. Last Name = lastname 4. Cert ID file path = c:\lotus\domino\cert.id 5. Cert ID file password = password ii. The user will be created on the Domino resource with the following values in its Full name field in the person document: 1. firstname lastname/ibm 2. firstname lastname 3. eruid iii. The field ITIM_ERUID will be created in the person document for all user with value as Eruid (as specified in step b. i. 1. above). iv. The Lotus Notes agent will use value ( eruid ) in the ITIM_ERUID field of the person document for ERUID to be sent back to ITIM. 2. Short name field is used to store the value of eruid <Value of Use ShortName = TRUE and value of CustomERUID is blank> a. If Registry key Use ITIM_ERUID = FALSE i. Assume the user is created with the following values from ITIM: 1. Eruid = eruid 2. First name = firstname 3. Last Name = lastname 4. Cert ID file path = c:\lotus\domino\cert.id 5. Cert ID file password = password ii. The User will be created on the Domino resource. iii. The Lotus Notes Agent will store the value of eruid in Short name field of the person document. iv. The Full name field for this user will have the following values: 1. firstname lastname/ibm 2. firstname lastname 3. eruid v. The field ITIM_ERUID will not be created in the person document for any user. vi. The Lotus Notes agent will use the value ( eruid. as above) in the Short name field of the person document for ERUID to be sent back to ITIM. b. If Registry key Use ITIM_ERUID = TRUE i. Assume the user is created with the following values from ITIM 1. Eruid = eruid. 2. First name = firstname 3. 
Last Name = lastname 4. Cert ID file path = c:\lotus\domino\cert.id IBM Tivoli Lotus Notes Agent White Paper 85

86 5. Cert ID file password = password ii. The User will be created on the Domino resource. iii. The Lotus Notes Agent will store the value of eruid in Short name field of the person document. iv. The Full name field for this user will have the following values: 1. firstname lastname/ibm 2. firstname lastname 3. eruid v. The field ITIM_ERUID will be created in the person document for all user with value as Eruid (as specified in step c. i. 1. above). vi. The Lotus Notes agent will use value ( eruid ) in the ITIM_ERUID field of the person document for ERUID to be sent back to ITIM. 3. Custom field (name of the field DirSynchkey ) is used to store the value of eruid. a. If Registry key Use ITIM_ERUID = FALSE i. Assume the user is created with the following values from ITIM: 1. Eruid = eruid 2. First name = firstname 3. Last Name = lastname 4. Cert ID file path = c:\lotus\domino\cert.id 5. Cert ID file password = password ii. The User will be created on the Domino resource. iii. The Lotus Notes Agent will store the value of eruid in DirSynchkey used as custom field for ERUID in the person document. iv. The Full name field for this user will have the following values: 1. firstname lastname/ibm 2. firstname lastname 3. eruid v. The field ITIM_ERUID will not be created in the person document for any user. vi. The Lotus Notes agent will use the value ( eruid. as above) in the DirSynchKey field (used as custom field for ERUID) of the person document for ERUID to be sent back to ITIM. b. If Registry key Use ITIM_ERUID = TRUE i. Assume the user is created with the following values from ITIM: 1. Eruid = eruid 2. First name = firstname 3. Last Name = lastname 4. Cert ID file path = c:\lotus\domino\cert.id 5. Cert ID file password = password ii. The User will be created on the Domino resource. iii. The Lotus Notes Agent will store the value of eruid in DirSynchkey used as custom field for ERUID in the person document. iv. 
The Full name field for this user will have the following values: 1. firstname lastname/ibm 2. firstname lastname IBM Tivoli Lotus Notes Agent White Paper 86

87 3. eruid v. The field ITIM_ERUID will be created in the person document for all users with value as eruid (as specified in step b. i. 1. above). vi. The Lotus Notes agent will use value ( eruid ) in the ITIM_ERUID field of the person document for ERUID to be sent back to ITIM. IBM Tivoli Lotus Notes Agent White Paper 87

Using "Refresh ITIM_ERUID" registry key

The following are the reasons why a customer would delete the ITIM_ERUID field from all the users' person documents:
1. The customer has already deployed the Notes Agent, which populated the ITIM_ERUID field for all the users.
2. The customer now wants to delete the ITIM_ERUID field from all the person documents and use some other field (Full name, Short name or Custom field for ERUID) for ERUID than the existing one.

Set the following registry settings for the Lotus Notes Agent which you are running:
1. Set the Use ITIM_ERUID registry key to TRUE.
2. Set the Refresh ITIM_ERUID registry key to TRUE.
3. Set the field for Eruid for Reconciliation:
   i. If you are using the Full name field to store the eruid value, make sure the registry key Use ShortName is set to FALSE and the value of registry key CustomERUID is set to blank.
   ii. If you are using the Short name field to store the eruid value, make sure the registry key Use ShortName is set to TRUE and the value of registry key CustomERUID is set to blank.
   iii. If you are using a Custom field to store the eruid value, make sure the registry key Use ShortName is set to FALSE and the value of registry key CustomERUID is set to the custom field used to store the eruid value on the Domino resource.
4. Start the Agent with the above registry settings.
5. Run a reconciliation operation from ITIM.
6. The reconciliation operation sets the Refresh ITIM_ERUID registry key to FALSE.

Brief Overview of Notes Agent design for ERUID value:

ADD Operation

Table 7: Design of ERUID storage location in Notes Field in Add Operation

The first four columns are registry key values; the last four columns show whether the ERUID value is stored in that field. "Custom field name" stands for the name of the field used to store the value of ERUID (say CustEruid1).

| Use ITIM_ERUID | Use ShortName | CustomEruid | Store ERUID in FullName | Full name | Short name | CustEruid1 | ITIM_ERUID |
|---|---|---|---|---|---|---|---|
| TRUE | FALSE | Blank | TRUE | YES | NO | NO | YES |
| TRUE | FALSE | Blank | FALSE | NO | NO | NO | YES |
| TRUE | TRUE | Blank | TRUE | YES | YES | NO | YES |
| TRUE | TRUE | Blank | FALSE | NO | YES | NO | YES |
| TRUE | FALSE | Custom field name | TRUE | YES | NO | YES | YES |
| TRUE | FALSE | Custom field name | FALSE | NO | NO | YES | YES |
| FALSE | TRUE | Blank | TRUE | YES | YES | NO | NO |
| FALSE | TRUE | Blank | FALSE | NO | YES | NO | NO |
| FALSE | FALSE | Custom field name | TRUE | YES | NO | YES | NO |
| FALSE | FALSE | Custom field name | FALSE | NO | NO | YES | NO |
| FALSE | FALSE | Blank | TRUE | YES | NO | NO | NO |

Reconciliation Operation

Table 8: Design of ERUID storage location in Notes Field in Reconciliation Operation

The middle four columns are registry key values.

| Field for ERUID | Use ITIM_ERUID | Refresh ITIM_ERUID | Use ShortName | CustomERUID | ERUID value will be taken from the field |
|---|---|---|---|---|---|
| Full name | FALSE | FALSE | FALSE | Blank | Last value from Full name |
| Short name | FALSE | FALSE | TRUE | Blank | Short name |
| Custom Field | TRUE | FALSE | FALSE | Name of the field used to store value of ERUID | ITIM_ERUID |
| Custom Field | FALSE | FALSE | FALSE | Name of the field used to store value of ERUID | Name of the Custom field used for ERUID |
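The rule encoded by Table 7 and Table 8, and the orphan-account effect of an AdminP rename described earlier, shown as an added example (not the adapter's code). The person document is modelled as a Python dict; RegistrySettings, add_user, recon_eruid, adminp_rename and find_orphans are hypothetical names, and the rename model (Full name rewritten, other fields untouched) is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistrySettings:
    """The four registry keys that decide where the agent keeps the ERUID."""
    use_itim_eruid: bool
    use_short_name: bool = False
    custom_eruid: str = ""                 # blank means no custom field
    store_eruid_in_full_name: bool = True

    def __post_init__(self):
        # The white paper requires Use ShortName = FALSE when CustomEruid is set.
        if self.custom_eruid and self.use_short_name:
            raise ValueError("Use ShortName must be FALSE when CustomEruid is set")


def add_user(cfg, eruid, first, last, org="ibm"):
    """Fields the ADD operation fills in the person document (Table 7)."""
    doc = {"FullName": [f"{first} {last}/{org}", f"{first} {last}"], "ShortName": ""}
    if cfg.store_eruid_in_full_name:
        doc["FullName"].append(eruid)      # eruid is kept as the last Full name value
    if cfg.use_short_name:
        doc["ShortName"] = eruid
    if cfg.custom_eruid:
        doc[cfg.custom_eruid] = eruid
    if cfg.use_itim_eruid:
        doc["ITIM_ERUID"] = eruid
    return doc


def recon_eruid(cfg, doc):
    """Value that reconciliation reports to ITIM as the account's ERUID (Table 8)."""
    if cfg.use_itim_eruid:
        return doc.get("ITIM_ERUID", "")
    if cfg.custom_eruid:
        return doc.get(cfg.custom_eruid, "")
    if cfg.use_short_name:
        return doc["ShortName"]
    return doc["FullName"][-1] if doc["FullName"] else ""


def adminp_rename(doc, first, last, org="ibm"):
    """Assumed model of an AdminP rename: Full name is rewritten, losing the eruid."""
    renamed = dict(doc)
    renamed["FullName"] = [f"{first} {last}/{org}", f"{first} {last}"]
    return renamed


def find_orphans(cfg, docs, itim_eruids):
    """ERUIDs returned by reconciliation that match no account known to ITIM."""
    reported = (recon_eruid(cfg, d) for d in docs)
    return [value for value in reported if value not in itim_eruids]


def demo():
    """Same user, same rename, with Use ITIM_ERUID off and on (constructed data)."""
    results = {}
    for label, cfg in (("off", RegistrySettings(False)), ("on", RegistrySettings(True))):
        doc = add_user(cfg, "eruid", "firstname", "lastname")
        renamed = adminp_rename(doc, "firstname", "newname")
        results[label] = find_orphans(cfg, [renamed], {"eruid"})
    return results


if __name__ == "__main__":
    print(demo())
```

With Use ITIM_ERUID off, reconciliation reports the new display name as the ERUID and the account is orphaned; with it on, the ITIM_ERUID field survives the rename and the link holds.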

Using Synchronize HTTPPassword registry setting

The following table specifies the functionality of the Notes Agent ADD Operation with respect to the Synchronize HTTPPassword registry setting:

Table 9: Details of Internet Password in Add Operation

| Synchronize HTTPPassword Registry setting | Internal (Internet/HTTP) Password attribute specified from ITIM in ADD operation | Expected Result |
|---|---|---|
| TRUE | Specified | The user's password will not be synchronized for Internet Password. The specified Internet Password will be set. |
| TRUE | Not Specified | The user's password will be synchronized for Internet Password. |
| FALSE | Specified | The user's password will not be synchronized for Internet Password. The specified Internet Password will be set. |
| FALSE | Not Specified | The user's password will not be synchronized for Internet Password. The Internet Password will be NULL on the Resource. |

Specifying Mail File Owner Access Attribute

There are 7 Mail File Owner Access options in total which can be selected for managing access control on the mail file of any user on the resource:
1. LNACLLEVEL_DESIGNER: user or server can create and/or edit any database documents and/or design documents.
2. LNACLLEVEL_MANAGER: user or server can create and/or maintain any type of documents, including the ACL.
3. LNACLLEVEL_EDITOR: user or server can create and/or edit any database documents.
4. LNACLLEVEL_AUTHOR: user or server can create and/or edit their own documents and examine existing ones in the database.
5. LNACLLEVEL_READER: user or server can only view data documents in the database.
6. LNACLLEVEL_DEPOSITOR: user or server can add new data documents to a database.
7. LNACLLEVEL_NO_ACCESS: user or server has no access to the database.

Creation of User on the Resource (Domino Server) with respect to Mail File Owner Access

Mail File Owner Access operations on the Resource (Domino Server), done by the administrator, are as follows:
1. While creating a user on the Domino Server, the Administrator has only 3 options out of the above 7 for mail file access controls.
2. The Administrator has only Designer, Manager or Editor access control to be set for a mail file at the time of new user creation.
3. If the new user is created with Manager access control for the mail file, then the Administrator won't have permissions to manage this user's access control.
4. If the new user is created with the Designer or Editor access control option for its mail file, then the Administrator will automatically become the manager of this mail file.
5. There has to be at least one user (it can be the Administrator too) who has Manager access control on the mail file.
6. The user who has Manager access control on the mail file can add new users to this mail file, giving them access control permissions.
7. If the Administrator is not in the access control list of a particular mail file, then the Administrator cannot manage access control of this mail file.

Operations done through ITIM with respect to Mail File Owner Access

The following are the ways in which Mail File Owner Access will be given in the Add operation:
1. When a new user is created through ITIM, there are 7 options for mail file owner access in the 'Mail' TAB of user details.
2. Out of these 7 options of mail file owner access, only the first three options in the combo box of Mail File Owner Access should be selected. (This is as per the operation on the resource.) Designer, Manager or Editor can be selected for Mail File Owner Access. If any other option is selected apart from these 3, then the default Mail File Owner Access with which the new user will be created is Designer.
3. The following are some scenarios which should be taken care of while creating a new user with respect to Mail File Owner Access:
   a. If a new user is created with 'Manager' Mail File Owner Access, then the administrator won't have permissions to modify or read this user's mail file access control. ITIM acts as an Administrator while creating the new user, so if the new user has Manager access on his mail file, the recon and modify operations for this user's mail file won't work, because the administrator has no permissions to manage this user's mail file access control.
   b. If a new user is created with 'Designer' or 'Editor' Mail File Owner Access, then the Administrator has manager access on this new mail file. Thus this user's mail file owner access can be modified/read by the Administrator (ITIM).
   c. The reason for keeping the default Mail File Owner Access for the mail file as 'Designer' is that ITIM (which acts as an administrator) becomes manager of the mail file and can do a modify and recon operation on the mail file owner access for each user's mail file.

Specifying Mail Template Name Attribute

If the user is added using the agent with the following attributes from TIM:
1. User ID - UserID
2. Last Name - LastName
3. Certifier ID path - c:\lotus\domino\data\cert.id
4. Certifier ID password - password
5. Mail Template name - Name given as described below

I/P - Mail Template name = mail6ex.ntf (assume this file is present in the data directory of Domino)
O/P - User is added properly on Domino with mail template for its mail file as mail6ex.ntf

I/P - Mail Template name = mail\mail6ex.ntf (assume this file is present in the mail directory of Domino)
O/P - User is added properly on Domino with mail template for its mail file as mail6ex.ntf from the mail directory

I/P - Mail Template name = mailjrn123.ntf (assume this file is not present in the data directory of Domino)
O/P - User is added properly on Domino with mail template for its mail file as the default mail template for Domino from the data directory.

I/P - Mail Template name = c:\mail6ex.ntf (assume this file is present in c:\)
O/P - Add user operation returns with an error indicating Mail template name path cannot be absolute.

I/P - Mail Template name = \\machinename\directoryname\mail6ex.ntf (assume this file is on the machine with name machinename in directory directoryname)
O/P - Add user operation returns with an error indicating UNC path cannot be used for Mail template name.

Note: Do not specify an absolute path or UNC path for the mail file template. For example, do not give the following paths:
1. c:\a.ntf or c:\lotus\notes\data\a.ntf
2. \\machinename\directoryname\a.ntf

For Existing Customers: The Mail Template Name attribute will come as a text field on the Notes Account form in the MAIL TAB, so that existing customers can use this field without the Mail Template Server enhancement.

Account form details for Mail Template Name Attribute:

For Customers who want a List Box instead of a Text field for mail template file as supporting data: The Mail Template Name attribute will come as a text field control on the Notes Account form by default. New customers need to change this text field to a list box as described in the steps below to use this Mail Template Server enhancement.

Step 1: Login to Identity Manager.
Step 2: Click on CONFIGURATION TAB.
Step 3: On the Existing Service Types page, click on the USER INTERFACE CUSTOMIZATION TAB.
Step 4: Double click on the Account folder in the left pane to expand the list of Accounts.
Step 5: Double click on NotesAccount.
Step 6: Click on $ernotesmailtab TAB.
Step 7: Right click on attribute ernotesmailtemplatename and choose Change to->Listbox as shown in the below screen shot:
Step 8: The following window pops up after selecting listbox. Select Search Filter.
Step 9: Enter the following values in the SearchFilter Editor window.
   Search Base = contextual
   Objectclass = (blank)
   Attribute = ernotesmailtemplatename
   Source Attribute = ernotesmailtemplatename
   Filter = (objectclass=ernotesmailfiletemplatelist)
   Multiple Value = Unchecked
Step 10: Click OK on the SearchFilter Editor window.
Step 11: Click on the Save button in the USER INTERFACE CUSTOMIZATION TAB. The following window appears.
Step 12: Click "OK" to save the changes.

After performing the above steps on ITIM, the Notes Account form (MAIL TAB) will be seen as shown below:

Using the Mail Template List Box for ADD Operation:
1. A new registry key Mail Template Server is added to the Notes Agent. Specify the name of the Domino server in this registry key.
2. To use this listbox field for the mail template attribute, you first have to execute a recon operation.
3. In the Recon operation, the Notes Agent will pick all the template file names from the Domino server specified in the registry key Mail Template Server.
4. If the value of registry key Mail Template Server is blank or empty, then the Notes Agent picks all the template file names from the Domino registration server specified in the registry key Domino Server.
5. In the above screen, click on the search button; the following dialog will appear:
6. You can select one of the mail template file names for the mail file.
7. Click the Add and Done buttons to use the selected value of the mail template file name.

Specifying Mail File Name Attribute

If the name of the mail file is not specified during user creation, then the Mail File name is generated on the basis of the following inputs:
1. First character of the user's First name (if specified for user creation).
2. First 8 characters of the user's Last name (this is the required attribute for user creation).

The following table indicates the mail file name generation depending on the first name and last name of the user created:

Table 10: Formation of Mail File Name

| No. | First Name | Last Name | Directory in which mail file is created | Name of the Mail File |
|---|---|---|---|---|
| 1. | Not Specified | Dsouza | Mail | Dsouza.nsf |
| 2. | John | Dsouza | Mail | Jdsouza.nsf |
| 3. | John | Fernandis | Mail | Jfernandi.nsf |
| 4. | Not Specified | A | Mail | A.nsf |
| 5. | A | A | Mail | AA.nsf |
| 6. | J | J | Mail (assume JJ.nsf already exists in the Mail directory) | JJ00.nsf |

Note: The above cases are valid only when the name of the mail file is not specified during user creation.

The following table indicates the mail file creation in the respective directory as per the input given during user creation:

Table 11: Directory Location of Mail File On Domino Server

| No. | Mail File Name Specified | Directory in which Mail File is created | Name of the Mail File created |
|---|---|---|---|
| 1. | mail\a.nsf | Mail | a.nsf |
| 2. | a.nsf | Data | a.nsf |
| 3. | mail\a\a.nsf | mail\a (directory a is created in Mail Directory) | a.nsf |
| 4. | mail\aa.nsf | mail | aa.nsf |
| 5. | mail\aa.nsf (assume that aa.nsf is already present in mail directory) | mail | aa00.nsf |
| 6. | mail\aa00.nsf (assume that aa00.nsf is already present in mail directory) | mail | aa01.nsf |

Note: The above cases are valid only when the name of the mail file is specified for user creation.

Do not specify an absolute path or UNC path for the mail file name. For example, do not give the following paths:
c:\a.nsf or c:\lotus\notes\data\mail\a.nsf
\\machinename\directoryname\a.nsf
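The path restriction stated for both the Mail Template Name and the Mail File Name attributes, together with the naming rules of Table 10 and Table 11, as an added example (not the adapter's code). The function names are hypothetical; the collision rule is inferred from the table rows, names keep the casing they were entered with, and the refusal of ".." and empty path components is an extra check the white paper does not state.

```python
import re

MAIL_DIR = "mail"          # Table 10: generated mail files go to the mail directory
LAST_NAME_CHARS = 8        # "First 8 characters of User's Last name"


class NotesPathError(ValueError):
    """A mail file or mail template name that the ADD operation must refuse."""


def check_relative_name(value, what="Mail file name"):
    """Split a name relative to the Domino data directory into its components."""
    norm = value.strip().replace("/", "\\")
    if norm.startswith("\\\\"):
        raise NotesPathError(f"UNC path cannot be used for {what}")
    if re.match(r"[A-Za-z]:", norm):
        raise NotesPathError(f"{what} path cannot be absolute")
    parts = norm.split("\\")
    # Assumption, not stated in the white paper: also refuse empty components
    # (leading or doubled backslash) and "..", so the name cannot leave the
    # data directory.
    if "" in parts or ".." in parts:
        raise NotesPathError(f"{what} must stay inside the Domino data directory")
    return parts


def is_accepted(value, what="Mail file name"):
    """True when the name passes check_relative_name."""
    try:
        check_relative_name(value, what)
        return True
    except NotesPathError:
        return False


def default_mail_file(first_name, last_name):
    """Name used when no Mail File attribute is supplied (Table 10)."""
    if not last_name:
        raise ValueError("Last name is a required attribute")
    stem = (first_name or "")[:1] + last_name[:LAST_NAME_CHARS]
    return f"{MAIL_DIR}\\{stem}.nsf"


def place_mail_file(name, existing):
    """Return (directory, file name), stepping past names already in use.

    Inferred from Tables 10 and 11: a taken name gets "00" appended, and a
    taken name that already ends in two digits is incremented (aa00 -> aa01).
    An empty directory means the Domino data directory itself.
    """
    parts = check_relative_name(name)
    directory, filename = "\\".join(parts[:-1]), parts[-1]
    stem, ext = filename.rsplit(".", 1) if "." in filename else (filename, "nsf")
    # Assumption: the server runs on Windows, so names compare case-insensitively.
    taken = {entry.lower() for entry in existing}

    def full(candidate):
        return "\\".join(parts[:-1] + [f"{candidate}.{ext}"]).lower()

    while full(stem) in taken:
        counter = re.fullmatch(r"(.*?)(\d{2})", stem)
        if counter is None:
            stem += "00"
        elif counter.group(2) == "99":
            raise NotesPathError(f"no free mail file name left for {name}")
        else:
            stem = f"{counter.group(1)}{int(counter.group(2)) + 1:02d}"
    return directory, f"{stem}.{ext}"


if __name__ == "__main__":
    # Constructed inputs taken from the rows of Tables 10 and 11.
    print(place_mail_file(default_mail_file("J", "J"), {"mail\\JJ.nsf"}))
    print(is_accepted("c:\\lotus\\notes\\data\\mail\\a.nsf"))
```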

Creation of User ID files

The location of the User ID file created by the Notes Agent depends on the following parameters:
1. User ID File Path attribute on the Notes Account form on ITIM (ADMINISTRATION TAB). This specifies the absolute location at which the ID file is to be created. For example, c:\id\user.id
2. Save ID in Address Book attribute on the Notes Account form on ITIM (ADMINISTRATION TAB). This specifies that the generated ID file for the user should be attached to its person document.
3. NoteIDsAddressBook registry setting. This parameter is used to save the user's ID file and its password in the NoteIDsAddressBook.nsf database file.
4. User ID in Certlog attribute on the Notes Account form on ITIM (ADMINISTRATION TAB). This attribute is used to save the user's ID file and its password in the Certlog.nsf database file.

Important Note:
1. Only one attribute/parameter out of the 3rd and 4th above should be used.
2. If your Notes Agent deployment is using the NoteIDsAddressBook registry setting, then do not specify the User ID in Certlog attribute for user creation from ITIM.
3. If your Notes Agent deployment is using the User ID in Certlog attribute, then leave the NoteIDsAddressBook registry key blank.

User ID in Certlog attribute on Notes Account form (ADMINISTRATION TAB)

If you want to use the User ID In Certlog attribute on the Notes Account form (ADMINISTRATION TAB), make sure that the registry key NoteIDsAddressBook value is set to NULL. In this case, NoteIDsAddressBook is not used. The user information (User ID file and password) is saved in the Certlog.nsf file in case of an Add operation. If a password change operation is performed, the agent retrieves the old password of the user from the Certlog.nsf file.

The following are the locations where the user's ID File is created with respect to the NoteIDsAddressBook registry key:

Table 12: Details of User ID file Creation - 1

| No. | User's ID File name and Path | Registry Entry NoteIDsAddressBook has value and NoteIDsAddressBook.nsf | SaveIDInAddressBook attribute | Created in the Specified Path | Attached to User's Document in NoteIDsAddressBook.nsf | Attached to User's Person Document |
|---|---|---|---|---|---|---|
| 1. | Not Specified | Not Present | Not Specified | No | No | Yes |
| 2. | Not Specified | Not Present | Specified | No | No | Yes |
| 3. | Not Specified | Present | Not Specified | No | Yes | No |
| 4. | Not Specified | Present | Specified | No | Yes | Yes |
| 5. | Specified | Not Present | Not Specified | Yes | No | No |
| 6. | Specified | Not Present | Specified | Yes | No | Yes |
| 7. | Specified | Present | Not Specified | Yes | Yes | No |
| 8. | Specified | Present | Specified | Yes | Yes | Yes |

Note:
1. Not Specified - Value is not specified during ADD Operation.
2. Specified - Value is specified during ADD Operation.
3. Not Present - Registry Key and its value is not present during ADD Operation.
4. Present - Registry Key and its value is present during ADD Operation.

The following are the places where the user's ID File is created when User ID in Certlog is specified during an ADD Operation and the NoteIDsAddressBook registry key's value is blank:

Table 13: Details of User ID file Creation - 2

| No. | User's ID File name and Path Specified | UserIDInCerLog Attribute | SaveIDInAddressBook Attribute | Created in the Specified Path | Attached to User's Document in Certlog.nsf | Attached to User's Person Document |
|---|---|---|---|---|---|---|
| 1. | Specified | Not Specified | Not Specified | Yes | No | No |
| 2. | Specified | Not Specified | Specified | Yes | No | Yes |
| 3. | Specified | Specified | Not Specified | Yes | Yes | No |
| 4. | Specified | Specified | Specified | Yes | Yes | Yes |

Note:
1. Not Specified - Value is not specified during ADD Operation.
2. Specified - Value is specified during ADD Operation.
3. Not Present - Registry Key and its value is not present during ADD Operation.
4. Present - Registry Key and its value is present during ADD Operation.

Note: Do not specify a relative path for the ID file. For example, id\1.nsf or directory1\directory2\1.id

Replication Conflict Attribute

This attribute on the Notes Account form of ITIM (MISC TAB) is ignored in the ADD operation. It is only a Reconciliation operation related attribute.

Support for Unique Organization Unit (UOU)

Assume a Notes User is being provisioned through ITIM with the following values:

CertID file path of certifier /pspl

The following screen shot shows the Notes User person document of the created user with the UOU attribute.

The following screen shot shows the password input prompt for the above created user with the UOU attribute:

Support for Alternate Full Name and Alternate Full Name Language

Assume a Notes User is being provisioned through ITIM with the following values:

The following screen shot shows the Notes User person document of the created user with the Alternate Full Name and Alternate Full Name Language attributes:

Support for Password Quality Scale

A new "Password Quality Scale" attribute (ernotespasswordscale) is added to the Notes Adapter Schema/Profile. This attribute is supported only for Domino R5. This "Password complexity" attribute is, by default, a hidden attribute on ITIM, so customers who are using Domino R5 and want to use this attribute will have to include it in their Account form.

Functionality of this attribute for the ADD operation:
1. This attribute will be used only in the ADD operation. It is required only at the time of user registration.
2. If any value is specified for this attribute from ITIM, the Notes Agent will use this attribute for the "minpasswordlength" field.
3. If no value comes for this attribute from ITIM, the agent will use the length of the password attribute for the "minpasswordlength" attribute field.

Support for Mail File Replication

Assume that you are creating a user with the following attributes from ITIM:
Eruid - eruid
First Name - firstname
Last Name - lastname
Certifier location - c:\lotus\domino\cert.id
Certifier location password
Mail Domain - com
Mail server - CN= ServerName/O=IBM
Mail File - mail\flastname.nsf

If you want to replicate the user's mail on the replication server CN=ReplicationServerName/O=IBM with the name flastname.nsf in the mail directory of the replication server, then you have to specify the following attribute values on ITIM in the ADD Operation:
Replication Server - CN=ReplicationServerName/O=IBM
Replication Mail File - mail\flastname.nsf

The below screen shot shows the MAIL TAB of the Notes Account form in the ADD operation to replicate the user's mail file on a replication server:

Support to add Person document only

To create only a person document for a user, instead of registering the user with the organization certifier id file and password, select ONLY the value "Lotus inotes/domino CAL" for the attribute Client License while adding a new Notes account through ITIM. In this case the Agent will create only a person document for the user, with a field PersonDocOnly created in the person doc to reflect that the user is created with a person doc only. The Agent will set all the specified attributes except the attributes related to mail file creation and user id file creation. The user password specified through ITIM will be set into the HTTP Password in the user's person document on the resource.

The field PersonDocOnly is created in the person document of the user only to indicate that this user is created without registering it on the Domino server. It will be created on Domino Server 6.0 and above only and has nothing to do with the meaning of the attribute on the resource.

Assume that you are creating a user with the following attributes from ITIM:
Eruid - eruid
First Name - firstname
Last Name - lastname
Certifier location - c:\lotus\domino\cert.id
Certifier location password
Mail Domain - com
Mail server - CN= ServerName/O=IBM
Mail File - mail\flastname.nsf
Client License - Lotus inotes/domino CAL

In this case, a person document will be created for the user eruid, without using the specified certifier file and password. The Agent will give errors for all specified attributes which are not applicable for a user with a person doc only (mail file, id file related attributes and certifier id file and password).

The below screen shot shows the ADMINISTRATION TAB of the Notes Account form in the ADD operation to create a person document only for the user:


The following attributes are not allowed to be specified while adding a user with a person doc only:

Tab: PERSONAL. Attributes (Not allowed):
1. Path of Certifier
2. Certifier Password
3. Certificate Expiration Date
4. Unique org unit
5. Alt Full Name Language
6. Alt Full Name
7. Password Quality Scale

Tab: MAIL. Attributes (Not allowed):
1. Mail Domain
2. Mail Server
3. Forwarding Address
4. Mail File
5. Replication Server
6. Replication Mail File
7. Mail Template Name
8. Mail Quota Size
9. Mail System
10. Mail File Owner Access
11. Internet Address

Tab: ADMINISTRATION. Attributes (Not allowed):
1. User ID File path
2. User ID in CertLog
3. Save ID In Address Book
4. Create North American ID

Tab: SAMETIME. Attributes (Not allowed):
1. Only SameTime Account

MODIFY Operation

Table 7: Design of ERUID storage location in Notes Field in Modify Operation

The first four columns are registry key values; the last four columns show whether the ERUID value is changed in that field. "Custom field name" stands for the name of the field used to store the value of ERUID (say CustEruid1).

| Use ITIM_ERUID | Use ShortName | CustomEruid | Store ERUID in FullName | Full name | Short name | CustEruid1 | ITIM_ERUID |
|---|---|---|---|---|---|---|---|
| TRUE | FALSE | Blank | TRUE | YES | NO | NO | YES |
| TRUE | FALSE | Blank | FALSE | NO | NO | NO | YES |
| TRUE | TRUE | Blank | TRUE | YES | YES | NO | YES |
| TRUE | TRUE | Blank | FALSE | NO | YES | NO | YES |
| TRUE | FALSE | Custom field name | TRUE | YES | NO | YES | YES |
| TRUE | FALSE | Custom field name | FALSE | NO | NO | YES | YES |
| FALSE | TRUE | Blank | TRUE | YES | YES | NO | NO |
| FALSE | TRUE | Blank | FALSE | NO | YES | NO | NO |
| FALSE | FALSE | Custom field name | TRUE | YES | NO | YES | NO |
| FALSE | FALSE | Custom field name | FALSE | NO | NO | YES | NO |
| FALSE | FALSE | Blank | TRUE | YES | NO | NO | NO |


Modifying ERUID/User Id Attribute

If Use ShortName registry key = FALSE, the value of CustomEruid registry key is blank and Store ERUID in FullName registry key = TRUE

Assume a user is present on Domino with the values as follows:
Short name - shortname
Full Name - 1/ibm, FullName1, FullName2, FullName3, UserID

Modify the User Id from TIM from UserID to UserID1; the following are then the values seen in the Full name field in the person document on Domino for the user:
Full Name - 1/ibm, FullName1, FullName2, FullName3, UserID1

If Use ShortName registry key = TRUE, the value of CustomEruid registry key is blank and Store ERUID in FullName registry key = TRUE

Assume a user is present on Domino with the values as follows:
Short name - UserID
Full Name - 1/ibm, FullName1, FullName2, FullName3, UserID

Modify the User Id on TIM from UserID to UserID1; the following are then the values seen in the Full name and Short name fields in the person document on Domino for the user:
Short name - UserID1
Full Name - 1/ibm, FullName1, FullName2, FullName3, UserID1

If Use ShortName registry key = FALSE, the value of CustomEruid registry key is DirSynchKey and Store ERUID in FullName registry key = TRUE

Assume a user is present on Domino with the values as follows:
Full Name - 1/ibm, FullName1, FullName2, FullName3, UserID
DirSynchKey - UserID

Modify the User Id on TIM from UserID to UserID1; the following are then the values seen in the Full name and DirSynchKey fields in the person document on Domino for the user:
Full Name - 1/ibm, FullName1, FullName2, FullName3, UserID1
DirSynchKey - UserID1

If Use ShortName registry key = TRUE, the value of CustomEruid registry key is blank and Store ERUID in FullName registry key = FALSE

Assume a user is present on Domino with the values as follows:
Short name - UserID
Full Name - 1/ibm, FullName1, FullName2, FullName3

Modify the User Id on TIM from UserID to UserID1; the following are then the values seen in the Full name and Short name fields in the person document on Domino for the user:
Short name - UserID1
Full Name - 1/ibm, FullName1, FullName2, FullName3

Modifying Full Name Attribute

Assume the user is created with the following values from TIM:
User ID - UserID
Last Name - 1
Full Name - FullName1 FullName2 FullName3

The User name field in the person document for this created user is then seen as follows on the Domino server:
User name - 1/ibm FullName1 FullName2 FullName3 UserID

Modify this user's Full name as follows: delete the FullName2 value and add the FullName4 value from TIM. After this modification operation succeeds, the User name field on Domino is seen as follows:
User name - 1/ibm FullName1 FullName3 FullName4 UserID

Modify this user's Full name as follows: add the FullName2 value from TIM. After this modification operation succeeds, the User name field on Domino is seen as follows:
User name - 1/ibm FullName1 FullName3 FullName4 FullName2 UserID

Modifying Short Name Attribute

If Use ShortName registry key = TRUE, then the Short Name attribute is not modified; the agent ignores the value of the Short Name attribute.

Assume the user is created with the following attributes and their values from TIM:
User ID - UserID
Last Name - 1
Full Name - FullName1 FullName2 FullName3
Short Name - ShortName

The values of the user will then be seen in the person document as follows:
User ID - UserID
Last Name - 1
Full Name - FullName1 FullName2 FullName3
Short Name - This field is not updated by the agent and it is not updated on ITIM. Thus the Short Name attribute on ITIM would also be blank.

If you now try to modify the Short Name attribute from TIM with a new value, the agent ignores this value and keeps the Short name/userid field on Domino blank.

If Use ShortName registry key = FALSE, then the Short Name attribute is modified properly by the agent.

Modifying HTTP/Internet Password Attribute

The following table specifies the functionality of modifying the Internal (Internet/HTTP) Password attribute from ITIM with respect to the Synchronize HTTPPassword registry setting:

Table 14: Details of Modifying HTTP/Internet Password Attribute

| Operation | Value (Synchronize HTTPPassword registry setting) | Internal (Internet/HTTP) Password attribute specified from ITIM | Expected Result |
|---|---|---|---|
| Modify HTTP Password attribute | TRUE | Modified with NULL Value. | A NULL value is set as Internet Password on Resource. |
| Modify HTTP Password attribute | FALSE | Modified with NULL Value. | A NULL value is set as Internet Password on Resource. |
| Modify HTTP Password attribute | TRUE | Modified with a Value. | The specified value is set as Internet Password on Resource. |
| Modify HTTP Password attribute | FALSE | Modified with a Value. | The specified value is set as Internet Password on Resource. |

Modifying User ID file path Attribute

The User ID File path attribute on the Notes Account form (ADMINISTRATION TAB) on ITIM can be modified to some other path as follows:

Assume a user already present on TIM with User ID path as C:\id\a.id
Modify it to \\machinename\id\a.id
The user's ID file path is modified to \\machinename\id\a.id without any problem.

Modifying Mail File Owner Access Attribute

The following are the details of modifying a user's Mail File Owner Access:
a. All the 7 access control options can be used to modify the Mail File Owner Access of a user's mail file.
b. The modify operation on the Mail File Owner Access attribute will only succeed if the Administrator has 'Manager' access on the Mail file.
c. Thus, when creating a new user, care must be taken that the new user is created with 'Designer' or 'Editor' access control for its mail file.

Modifying Certification Expiry Date for User

This attribute can be modified using the Recertify AdminP Command. Give the following input parameters for the Recertify AdminP command:
1. AdminP Command - Recertify
2. Original Certifier of user [absolute path of cert file] - D:\Lotus\Domino\Data\cert.id
3. Original Certifier Password - ******** (password)
4. Certificate Expiration Date - 01/01/ :01:01 (Format is MM/DD/YYYY HH:MM:SS)

This operation does not update the user's ID file in the Shadow NAB.

The Notes Agent does support re-certification of the ID file for a user. To perform this, use the ADMINP TAB on the Notes Account form on ITIM to perform a re-certification AdminP operation. The agent re-certifies the user, but the re-certified ID file of the user is not updated in the Shadow Database. The reason for not doing this is as follows:
1. Assume that the user is using a remote machine for accessing his mails through Notes Client/ID file. He logs off.
2. Now on the Domino server you re-certify this user through an AdminP Re-certify request. This re-certification process on the Domino Server does not require the user's ID file. At this point the re-certification information is not yet updated on the user's remote ID file.
3. Once the user again logs into this Notes client, the ID file is updated with the new certification information.
4. In the above manual steps, the agent performs Step 2, and the actual update of certification information is done in Step 3 <The above Step 3 is a manual step and out of scope of agent functionality>.

That is why the Agent does not update the Shadow NAB with the new certifier ID, as this new certification information is updated on the user's ID file when the user logs on through the Notes Client.

Modifying Replication Conflict Attribute

This attribute on the MISC. TAB on TIM is ignored in the Modify operation. This is just a Recon attribute.

Non-Modifiable Attributes on Notes Account Form

The following are the read-only attributes on the Notes Account form that cannot be modified:
1. Mail File (MAIL\UserID) (MAIL TAB on Notes Account form)
2. Mail Template Name (MAIL TAB on Notes Account form)
3. User ID in Certlog (ADMINISTRATION TAB on Notes Account form)
4. Save ID In Address Book (ADMINISTRATION TAB on Notes Account form)

Mail File Replication

Assume a user already created through the Notes Agent is present on the Domino server with the following values:
Mail Server - CN=ps2580/O=pspl
Mail File - mail\flastnam

Assume the following values of the user on ITIM:

Now if you want to replicate this user's mail file (mail\flastnam) from the server (CN=ps2580/O=pspl) to a replication server (CN=arni/O=pspl) with a name (mail\flastnam.nsf), then perform a modify operation for the user with the following values on the ITIM Notes Account form:


Modifying a user with a Person document only

All the attributes of a user with a person document only can be modified, except to set it as a SameTime only account. The Adapter will give an error for modification of the HTTP Password and attributes related to the user-id file in a modify operation. To change the HTTP Password for such a user, execute the user password change operation.

All the attributes related to the mail file can be set in modify for the user, if the mail file has been explicitly created and the path for it has been specified in the user's person document.

The value for the Client License attribute can be modified by setting any (one or more) values in the modify operation.

The following attributes are not allowed to be specified while adding a user with a person doc only:

Tab - Attributes (Not allowed)

PERSONAL
1. Path of Certifier
2. Certifier Password
3. Certificate Expiration Date

1. Unique org unit
2. Alt Full Name Language
3. Alt Full Name
4. Password Quality Scale

ADMINISTRATION
1. User ID File path
2. User ID in CertLog
3. Save ID In Address Book
4. Create North American ID

SAMETIME
1. Only SameTime Account

SUSPEND Operation Functionality

Suspend Group registry key

Assume the value of the Suspend Group registry key is Suspended Users.
1. When a user is suspended from TIM, the CN of this user is added to whichever of the groups (present on the Domino server) whose name starts with Suspended Users has the maximum free space.
2. For each successive suspend operation, the adapter adds the CN of the user to that group only, until that group has no more space.
3. If this group gets full, the adapter adds the user's CN to a new group whose name starts with Suspended Users with a number appended (Suspended Users1), and so on.
4. If all groups are full, the adapter creates a new group whose name starts with Suspended Users with a number (example, Suspended Users ) appended to it.
5. The user's CN is added to this newly created group.
6. If the registry key Update Server Doc is TRUE, the adapter puts this new group name in the Not Access Server field of the server document.
7. If the registry key Update Server Doc is FALSE, it is the Lotus Notes Administrator's job to add all the suspend groups to the Not Access Server field of the server document.

The above logic is applicable for the Suspend HTTP group too.

Suspend HTTPPassword registry key

Assume the value of the Suspend HTTPPassword registry key is Suspended HTTPPassword Users. When a user is suspended from TIM, the CN of this user is added to any of the present groups whose name starts with Suspended HTTPPassword Users. If the groups are full, the adapter creates a new group whose name starts with Suspended HTTPPassword Users with some number appended to it. The user's CN is added to this newly created group.

HTTP/Internet Access of User

When a user is suspended from TIM, the value in the Internet password field of the person document is copied to the HTTPPasswordSuspended field and the Internet Password field is set to NULL.

Log DB

Assume the value of the Log DB registry key is LogDB.nsf and the LogDB.nsf database file is present on Domino. The suspended user document is created in the LogDb.nsf database file.

Important: If the registry key Update Server Doc is FALSE, then refer to the section Giving server access to Groups for giving server access to the Suspend Group.

Examples

Table E1: Example of suspend operation support of multiple groups

| Registry Settings | Request from ITIM | Result |
|---|---|---|
| Suspend Group = suspend. suspend, suspend1 and suspend2 groups are present on the resource. Initial Group Status: suspend = 32k, suspend1 = 32k, suspend2 = 32k | User to be suspended = fn mn ln/pspl | The user name is added in the group suspend. |
| Suspend Group = suspend. suspend group is present on the resource. Initial Group Status: suspend = 32k | User to be suspended = fn mn ln/pspl | The user name is added in the group suspend. |
| Suspend Group = suspend. suspend, suspend1 and suspend2 groups are present on the resource. Initial Group Status: suspend = 2 bytes, suspend1 = 32k, suspend2 = 32k | User to be suspended = fn mn ln/pspl | The user name is added in the group suspend1. |
| Suspend Group = suspend. suspend, suspend1 and suspend2 groups are present on the resource. Initial Group Status: suspend = 2 bytes, suspend1 = 3 bytes, suspend2 = 4 bytes | User to be suspended = fn mn ln/pspl | The group is created with name suspend3. Its map entry will be created at beginning of the map. The user name will be added to suspend3. |
| Suspend Group = suspend. suspend group is present on the resource. Initial Group Status: suspend = 3 bytes | User to be suspended = fn mn ln/pspl | The group is created with name suspend1. The user name will be added to suspend1. |
| Suspend Group = suspend. suspend group is present on the resource. Initial Group Status: No Group is present on the resource. | User to be suspended = fn mn ln/pspl | The group is created with name suspend. The user name will be added to suspend. |
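The group-selection rules of the SUSPEND operation can be checked against the six cases of Table E1 with a small model. This is an added example, not the adapter's code; it assumes that "Initial Group Status" is the free space left in each group, that an entry needs as many bytes as the user name is long, that ties go to the lowest-numbered group, and that a new group starts with 32k free. The class and attribute names are hypothetical.

```python
# Added illustration of the suspend-group selection rules; not adapter code.
# Assumptions: group status values are free bytes, an entry costs
# len(user name) bytes, ties go to the lowest-numbered group.

GROUP_CAPACITY = 32 * 1024  # assumed free space of a new group ("32k" in Table E1)


class SuspendGroups:
    def __init__(self, prefix, free_space, update_server_doc=True):
        self.prefix = prefix                      # value of the Suspend Group key
        self.free = dict(free_space)              # group name -> free bytes
        self.members = {g: [] for g in self.free}
        self.update_server_doc = update_server_doc
        self.not_access_server = []               # models the server document field
        self.pending_for_admin = []               # groups the administrator must add
        self.current = None                       # group used by the last suspend

    def _matching(self):
        # Every group whose name starts with the prefix counts as a suspend group.
        names = [g for g in self.free if g.startswith(self.prefix)]
        return sorted(names, key=lambda g: (len(g), g))

    def _new_name(self):
        # prefix, then prefix1, prefix2, ... : first name not yet present.
        name, n = self.prefix, 0
        while name in self.free:
            n += 1
            name = f"{self.prefix}{n}"
        return name

    def suspend(self, user_cn):
        needed = len(user_cn.encode("utf-8"))
        target = None
        # Step 2: keep filling the group used last time while it has room.
        if self.current is not None and self.free[self.current] >= needed:
            target = self.current
        # Step 1: otherwise take the matching group with the most free space.
        if target is None:
            best = max(self._matching(), key=lambda g: self.free[g], default=None)
            if best is not None and self.free[best] >= needed:
                target = best
        # Steps 3-7: nothing fits, so create a group and record who must
        # list it in the Not Access Server field.
        if target is None:
            target = self._new_name()
            self.free[target] = GROUP_CAPACITY
            self.members[target] = []
            if self.update_server_doc:
                self.not_access_server.append(target)
            else:
                self.pending_for_admin.append(target)
        self.members[target].append(user_cn)
        self.free[target] -= needed
        self.current = target
        return target


USER = "fn mn ln/pspl"          # user name used in Table E1
K32 = 32 * 1024
TABLE_E1_CASES = [              # initial group status per row of Table E1
    {"suspend": K32, "suspend1": K32, "suspend2": K32},
    {"suspend": K32},
    {"suspend": 2, "suspend1": K32, "suspend2": K32},
    {"suspend": 2, "suspend1": 3, "suspend2": 4},
    {"suspend": 3},
    {},
]


def run_table_e1():
    return [SuspendGroups("suspend", case).suspend(USER) for case in TABLE_E1_CASES]


if __name__ == "__main__":
    for row, group in enumerate(run_table_e1(), start=1):
        print(f"row {row}: user added to {group}")
```

With Update Server Doc set to FALSE, the `pending_for_admin` list is the set of newly created groups that deny nothing until an administrator adds them to the Not Access Server field.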

RESTORE Operation Functionality

Suspend Group registry key

Assume the value of the Suspend Group registry key is Suspended Users. The adapter searches for the user's CN in all the groups whose name starts with Suspended Users. If it finds the user in any of these groups, it removes the user's CN from it; otherwise the adapter gives an error indicating that the user is not a member of a suspend group.

The above logic is applicable for the Suspend HTTP group too.

Suspend HTTPPassword registry key

Assume the value of the Suspend HTTPPassword registry key is Suspended HTTPPassword Users and the Suspended HTTPPassword Users group is present on Domino. When a user is restored from TIM, the CN of the user is removed from one of the groups whose name starts with Suspended HTTPPassword Users (assuming the user belongs to this group).

HTTP Access of User

When a user is restored from TIM, the value from the HTTPPasswordSuspended field of the person document is copied to the Internet password field and the HTTPPasswordSuspended field is set to NULL.

Log DB

Assume the value of the Log DB registry key is LogDB.nsf and the LogDB.nsf database file is present on Domino. The restored user document is deleted from the LogDb.nsf database file.

Examples

Table E2: Example of restore operation support of multiple groups

| Registry Settings | Request from ITIM | Result |
|---|---|---|
| Suspend Group = suspend. suspend, suspend1, suspend2 and suspend3 groups are present on the resource [User name = fn mn ln/pspl is present in the group suspend] | User to be restored = fn mn ln/pspl | The user name is removed from the group suspend. |
| Suspend Group = suspend. suspend, suspend1, suspend2 and suspend3 groups are present on the resource [User name = fn mn ln/pspl is present in the group suspend3] | User to be restored = fn mn ln/pspl | The user name is removed from the group suspend3. |

PASSWORD CHANGE Operation Functionality

Deployment Assumptions Before Password Change Operation

Assume the following Notes Agent deployment:
1. The ShadowNAB NoteIDsAddressBook.nsf is deployed (by executing the Notes Shadow Agent) with the user's ID file and password.
2. The name of the ShadowNAB NoteIDsAddressBook.nsf is specified in the Notes Agent registry key NoteIDsAddressBook.
3. All the users' ID files are present at a common location on a remote machine (for example, all the users' ID files are kept at \\machinename\id).

Assume that a reconciliation operation is executed and all the users are on the ITIM server. The reconciliation operation does not send the following attributes to the ITIM server:
1. Path of the user's ID file.
2. Whether the user's ID file is attached to the person document or not.
3. Whether the user's ID file is North American or not.

Password Change Settings

To perform a password change operation for a user, perform the following steps:

1. If you want to change the password on the user's ID file which is on the remote machine (\\machinename\id), perform a modify operation through the Notes Agent to update the path of the user's ID file location to the location on the remote machine. Assume that the user's ID file is at location \\machinename\id\user.id; then modify the User's ID File Path attribute from the ITIM server with the value \\machinename\id\user.id.

2. If the user's ID file is also attached to the person document, the agent requires the SaveIDInAddressBook attribute value on a password change operation. As the value of the SaveIDInAddressBook attribute is read-only on ITIM in the current profile, it must be made modifiable so that this check box attribute can be kept checked. To do this, perform the following steps:
a. The change is required in the "ernotesaccount.xml" file in the Notes profile.
b. The following entry is present for the "SaveIDInAddressBook" attribute in the "ernotesaccount.xml" profile file:

    <formelement name="data.ernotessaveidinaddressbook" label="$ernotessaveidinaddressbook" isreadonlyonmodify="true" >
      <checkbox name="checkbox" value="no"/></formelement>

This needs to be changed to the following:

    <formelement name="data.ernotessaveidinaddressbook" label="$ernotessaveidinaddressbook" >
      <checkbox name="checkbox" value="no"/></formelement>

c. Re-install the Notes profile to make sure that the SaveIDInAddressBook attribute is modifiable.

Perform a modify operation through the Notes Agent to make the attribute "SaveIDInAddressBook" checked on ITIM.
Note: If the user's ID file is not in its person document, you can skip this step.

3. If the already existing users' ID files on the remote machine are of type North American, the agent requires the Create North American ID attribute value on a password change operation. As the value of the Create North American ID attribute is read-only on ITIM in the current profile, it must be made modifiable so that this check box attribute can be kept checked. To do this, perform the following steps:
a. The change is required in the "ernotesaccount.xml" file in the Notes profile.
b. The following entry is present for the "Create North American ID" attribute in the "ernotesaccount.xml" profile file:

    <formelement name="data.ernotescreatenorthamericanid" label="$ernotescreatenorthamericanid" isreadonlyonmodify="true" >
      <checkbox name="checkbox" value="no"/></formelement>

This needs to be changed to the following:

    <formelement name="data.ernotescreatenorthamericanid" label="$ernotescreatenorthamericanid">
      <checkbox name="checkbox" value="no"/></formelement>

Perform a modify operation through the Notes Agent to make the attribute "Create North American ID" checked on ITIM.
Note: If the user's ID file is not of type North American ID, you can skip this step.

4. Once the above steps 1, 2 and 3 are completed, perform a password change operation.

Password Changes on ID file at various locations

The password change operation will use the old password from the ShadowNAB (NoteIDsAddressBook.nsf, which is already deployed with the user's old password and the ID file) and change it to the new one on the ID files at the following locations:
a. The ID file present in the ShadowNAB (NoteIDsAddressBook.nsf)
b. The ID file present on the remote machine (\\machinename\id\user.id)
c. The ID file attached to the person document.

When a user password is changed, the password is updated in all the places where the user's ID file is present. Refer to the tables for ID file creation locations (Table 12: Details of User ID file Creation - 1 and Table 13: Details of User ID file Creation - 2) with respect to User ID File Path, NotesIDsAddressBook, UserIDInCertLog and SaveIDInAddressBook.

The following table details the synchronization of the HTTP/Internet password field of the user on a Password change operation:

Table 15: Details of HTTP/Internet Password Attribute on User Password Change

| Operation | Value of Synchronize HTTPPassword in registry | Expected Result |
|---|---|---|
| Password Change | TRUE | The user's password will be synchronized for Internet Password. |
| Password Change | FALSE | The user's password will not be synchronized for Internet Password. |

The following table details the sequence of change of the fields HTTP Password and User Password on the resource on a password change operation performed using ITIM.

Table 15a: Details of effects of registry keys on Password Change Operation

| Value of Synchronize HTTPPassword in registry | Value of Change HTTPPassword First in registry | Field on resource that is changed first | Field on resource that is changed later |
|---|---|---|---|
| FALSE | FALSE | User Password | |
| FALSE | TRUE | User Password | |
| TRUE | FALSE | User Password | HTTP Password |
| TRUE | TRUE | HTTP Password | User Password |

Password Change for a user having person document only

If a password change operation is executed for a user having a person document only, the Agent will set the value of User Password in the HTTP Password field in the user's person document on the resource.

Certificate Expiration Date in Password Change operation

This section is applicable only for customers who do not use NoteIDsAddressBook, i.e. ShadowNAB, to store the ID files.

ADD -> PASSWORD CHANGE

Assume a Notes Account is provisioned through ITIM with the following values:
User ID - firstname lastname
Lastname - lastname
Cert ID - C:\Lotus\Notes\cert.id
Cert ID Password - *******
Cert Exp. Date - 05/12/2020
User ID file Path - C:\IDs\flastname.id
User Password - abc

This user will be created on Domino and its ID file will be created at location C:\IDs\flastname.id with certificate expiration date 05/12/2020.

Assume that a password change operation is executed immediately after this ADD operation. In this password change operation the following attributes will go to the agent:
User ID - firstname lastname
Cert ID - C:\Lotus\Notes\cert.id
Cert ID Password - *******
Cert Exp. Date - 05/12/2020
User ID file Path - C:\IDs\flastname.id
New Password - xyz

Thus the password on the ID file at location C:\IDs\flastname.id will be changed from abc to xyz.

In this password change operation, as the old password is not available to the Agent, a new ID file with the same name will be regenerated at path C:\IDs\flastname.id. As the Certificate Expiration Date is sent to the agent in the password change operation, the same Certificate Expiration Date will be set on the newly created ID file.

ADD -> RECONCILIATION -> PASSWORD CHANGE

Assume a Notes Account is provisioned through ITIM with the following values:
User ID - firstname lastname
Lastname - lastname
Cert ID - C:\Lotus\Notes\cert.id
Cert ID Password - *******
Cert Exp. Date - 05/12/2020
User ID file Path - C:\IDs\flastname.id
User Password - abc

This user will be created on Domino and its ID file will be created at location C:\IDs\flastname.id with certificate expiration date 05/12/2020.

Now assume that a reconciliation operation is executed after the above ADD operation. The following attributes will not be reconciled for this created user:
Cert ID - C:\Lotus\Notes\cert.id
Cert ID Password - *******
Cert Exp. Date - 05/12/2020
User ID file Path - C:\IDs\flastname.id

To execute the password change operation for this user, you first need to perform a modify operation for the following attributes with the correct values:
Cert ID - C:\Lotus\Notes\cert.id
Cert ID Password - *******
Cert Exp. Date - 05/12/2020
User ID file Path - C:\IDs\flastname.id

Then perform a password change operation with the new Password xyz. Thus the password on the ID file at location C:\IDs\flastname.id will be changed from abc to xyz.

In this password change operation, as the old password is not available to the Agent, a new ID file with the same name will be regenerated at path C:\IDs\flastname.id. As the Certificate Expiration Date is sent to the agent in the password change operation, the same Certificate Expiration Date will be set on the newly created ID file.

DELETE Operation Functionality

Delete Group

Assume the value of the Delete Group registry key is Deleted Users. When a user is deleted from TIM, the user's CN is added to one of the groups whose name starts with Deleted Users. If the groups are full, the adapter creates a new group whose name starts with Deleted Users with some number appended to it. The user's CN is added to this newly created group.

Log DB

Assume the value of the Log DB registry key is LogDB.nsf and the LogDB.nsf database file is present on Domino. The deleted user document is added to the LogDb.nsf database file.

Delete Mail DB

If the value of the Delete Mail DB key in the registry is TRUE and the user is deleted from TIM, then its mail database file is deleted from Domino.
If the value of the Delete Mail DB key in the registry is FALSE and the user is deleted from TIM, then its mail database file is not deleted from Domino.

User's Person Document

When a user is deleted from TIM, the user's Person Document is deleted.

Removal from groups

The entry of the user to be deleted is removed from all the groups that it belongs to.

Examples

Table E3: Example of delete operation support of multiple groups

| Registry Settings | Input from ITIM | Result |
|---|---|---|
| Delete Group = Delete. Delete, Delete1 and Delete2 groups are present on the resource. Initial Group Status: Delete = 32k, Delete1 = 32k, Delete2 = 32k | User to be Deleted = fn mn ln/pspl | The user name is added in the group Delete. |
| Delete Group = Delete. Delete group is present on the resource. Initial Group Status: Delete = 32k | User to be Deleted = fn mn ln/pspl | The user name is added in the group Delete. |
| Delete Group = Delete. Delete, Delete1 and Delete2 groups are present on the resource. Initial Group Status: Delete = 2 bytes, Delete1 = 32k, Delete2 = 32k | User to be Deleted = fn mn ln/pspl | The user name is added in the group Delete1. |
| Delete Group = Delete. Delete, Delete1 and Delete2 groups are present on the resource. Initial Group Status: Delete = 2 bytes, Delete1 = 3 bytes, Delete2 = 4 bytes | User to be Deleted = fn mn ln/pspl | The group is created with name Delete3. Its map entry will be created at beginning of the map. The user name will be added to Delete3. |
| Delete Group = Delete. Delete group is present on the resource. Initial Group Status: Delete = 3 bytes | User to be Deleted = fn mn ln/pspl | The group is created with name Delete1. The user name will be added to Delete1. |
| Delete Group = Delete. Delete group is present on the resource. Initial Group Status: No Group is present on the resource. | User to be Deleted = fn mn ln/pspl | The group is created with name Delete. The user name will be added to Delete. |

De-provision User from ITIM using DeleteInNAB AdminP Command

If your Notes Agent deployment requires deletion of a user using a DeleteInNAB AdminP request in the de-provisioning operation from ITIM, then set the Notes Agent registry key Execute AdminP Operation to TRUE. The default value of the registry key Execute AdminP Operation is FALSE. The value TRUE enables DeleteInNAB AdminP command execution in the de-provisioning request on ITIM.

If the registry key value is TRUE and you de-provision a user from ITIM, the Notes Agent will execute the following steps:
- The Notes Agent executes an AdminP DeleteInNAB request. This AdminP request deletes the user's person document and, if the registry key Delete Mail DB value is TRUE, it will also delete the user's mail file from the server and all replica servers. If the value of the registry key Delete Mail DB is FALSE, then the user's mail file is not deleted.
- The user's entry is removed from the Shadow NAB, removing its User ID file and password.
- The user is removed from the Domino groups it belongs to.
- The user's entry is added to the LogDB database. The name of this LogDB database is specified in the Log DB registry key.

RECONCILIATION Operation Functionality

Using Short name field for ERUID for Reconciliation operation

The registry setting Use ShortName = TRUE means the User Id on TIM is mapped to the Short name/userid field of the person document.
In this case the value of the registry key CustomEruid must be blank.
In this case the value of the registry key Use ITIM_ERUID must be FALSE.

Assume a user is already created on Domino with the following values in its person document:
1. Last Name - LastName
2. User name - LastName/Company FullName1 FullName2 FullName3 UserID
3. Short name/userid - UserID

After performing the Reconciliation operation, the following are the values seen on ITIM for this user:
1. User Id - UserID
2. Last Name - LastName
3. Full Name - LastName/Company FullName1 FullName2 FullName3 UserID
4. Short Name/User ID - UserID

The Short name/userid field's value from the person document is sent back as the User Id attribute on ITIM.

Using Full name field for ERUID for Reconciliation operation

The registry setting Use ShortName = FALSE means the User Id on TIM is mapped to the User name field of the person document.
In this case the value of the registry key CustomEruid must be blank.
In this case the value of the registry key Use ITIM_ERUID must be FALSE.
In this case the value of the registry key Store ERUID in FullName must be TRUE.

Assume a user is already created on Domino with the following values in its person document:
1. Last Name - LastName
2. User name - LastName/Company FullName1 FullName2 FullName3 UserID
3. Short name/userid - ShortName

After performing the Reconciliation operation, the following are the values seen on ITIM for this user:
1. User Id - UserID
2. Last Name - LastName
3. Full Name - LastName/Company FullName1 FullName2 FullName3 UserID
4. Short Name/User ID - ShortName

The last value from the Full Name field of the person document is sent back as the User Id attribute on ITIM.

Using Custom Notes field for ERUID for Reconciliation operation

Assume a Notes field DirSynchKey is used for ERUID for the reconciliation operation.
In this case the value of the registry key Use ShortName must be FALSE.
In this case the value of the registry key CustomEruid must be DirSynchKey.
In this case the value of the registry key Use ITIM_ERUID must be FALSE.

Assume a user is already created on Domino with the following values in its person document:
1. Last Name - LastName
2. User name - LastName/Company FullName1 FullName2 FullName3 UserID
3. DirSynchKey - UserID

After performing the Reconciliation operation, the following are the values seen on ITIM for this user:
1. User Id - UserID
2. Last Name - LastName
3. Full Name - LastName/Company FullName1 FullName2 FullName3 UserID
4. DirSynchKey - User ID

The value from the DirSynchKey field of the person document is sent back as the User Id attribute on ITIM.

Account Status Attribute

The Account status (Suspended / Restored or Active / Inactive) for a user in a Reconciliation operation is taken from either of the following two sources:
1. List of Users in the Suspend Group.
2. List of Users in the Not Access Server field in the Security TAB of the Server Document.

Assume the registry key Suspend Group is present, its value is Suspended Users, and the Suspended Users group is present on Domino. The Reconciliation operation will read the user's Account status from the groups whose name starts with Suspended Users.
- If the user's CN name is present in the Suspended Users groups, then the account status will be shown as INACTIVE on TIM.
- If the user's CN name is not present in the Suspended Users group, then the account status will be shown as ACTIVE on TIM.

The above two points are applicable for multiple Suspend groups. The following are the types of groups supported for Suspend Groups:
i. Multi-purpose
ii. Deny List only
iii. Mail only
iv. Access Control List only
v. Servers only

Assume the registry key Suspend Group is not present. The Reconciliation operation will read the user's Account status from the Not Access Server field in the Security TAB of the Server Document.
- If the user's CN name is present in the Not Access Server field in the Security TAB of the Server Document, then the account status will be shown as INACTIVE on TIM.
- If the user's CN name is not present in the Not Access Server field in the Security TAB of the Server Document, then the account status will be shown as ACTIVE on TIM.

Mail File Owner Access Attribute

If the mail file of the user is not present on the Domino server, then this attribute is sent back to ITIM as No Access.
If the Administrator does not have manager access on the user's mail file, then this attribute is sent back to ITIM as No Access.

Replication Conflict Attribute

This attribute is a RECON attribute. When a replication conflict occurs on the Domino Server for any user, a reconciliation operation will update the Replication Conflict attribute check box as checked on the Notes Account Form (MISC. TAB) on TIM.

General information about Replication Conflict

Multiple users can simultaneously edit the same document in one copy of a database or edit the same document in different replicas between replication sessions. When these conditions occur, Domino stores the results of one editing session in a main document and stores the results of additional editing sessions as response documents. These response documents have the title "Replication or Save Conflict." Domino uses the $Revisions field, which tracks the date and time of each document editing session, to determine which document becomes the main document and which documents become responses.

Replication conflicts

A replication conflict occurs when two or more users edit the same document and save the changes in different replicas between replications. These rules determine how Domino saves the edit sessions:
- The document edited and saved the most times becomes the main document; other documents become Replication or Save Conflict documents.
- If all of the documents are edited and saved the same number of times, the document saved most recently becomes the main document, and the others become Replication or Save Conflict documents.
- If a document is edited in one replica but it is deleted in another replica, the deletion takes precedence, unless the edited document is edited more than once or the editing occurs after the deletion.

Attributes not sent back on TIM server after reconciliation Operation

The following is the list of attributes that the Lotus Notes Agent does not send to the ITIM server in Reconciliation operations:
1. Certifier ID File path used to create the User. (ernotesaddcertpath)
2. Certifier ID File password used to create the User. (ernotespasswdaddcert)
3. Certificate expiration date of the User. (ernotescertexpirydate)
4. Path of the user's ID file. (ernotesuseridfilename)
5. Name of the ID file in the Certlog.nsf database file. (ernotesuseridincertlog)
6. The User's ID file attached to the person document. (ernotessaveidinaddressbook)
7. The Type of the User's ID file. (ernotescreatenorthamericanid)
8. Replication Mail Server. (ernotesreplservername)
9. Replication Mail File Name. (ernotesreplmailfilename)
10. Unique Organization Unit. (ernotesuniqueorgunit)
11. Password Quality Scale. (ernotespasswordscale)

As the values of the above attributes are not saved by the Agent on the Domino side, the Notes Agent is unable to send them back to the ITIM server on reconciliation.

Group Reconciliation

The Notes Agent supports the feature of group reconciliation. With this feature, the agent reconciles the group names and stores them on ITIM LDAP. These newly reconciled groups can be used in add and modify operations for selecting groups using the search widget.

The suspend groups, suspend HTTP groups and delete groups are not reconciled to ITIM LDAP, as these groups have special meaning with respect to the Notes Agent. For example, if the registry key Suspend Group has value SU, all the groups whose names start with SU are not reconciled. (This applies to Suspend HTTP and Delete groups too.) The groups of all types are reconciled to ITIM.

In reconciliation, when a new suspend group is found, depending on the registry key Update Server Doc, the Notes Agent puts the name of that group in the Not Access Server field of the Server Document. The same operation happens before the first operation after agent start-up. Refer to section Giving server access to Groups for the Not Access Server field of the Server Document.

Table E4: Example of RECON operation - Different registry settings and corresponding groups that are reconciled on RECON operations as well as the first operation after agent start-up.

Example 1
Registry settings: Suspend Group = Suspend. Suspend HTTPPassword = SuspendHTTP. Delete Group = Delete.
Groups present on resource (Domino Server): 1. abc1 2. abc2 3. Suspend1 4. Suspend2 5. Suspend3 6. SuspendHTTP1 7. SuspendHTTP2 8. SuspendHTTP3 9. LocalDomainAdmins 10. OtherDomainServers 11. LocalDomainServers 12. xyz1 13. Delete1 14. Delete2
The groups reconciled after successful RECON operation: 1. abc1 2. abc2 3. xyz1 4. LocalDomainAdmins 5. OtherDomainServers 6. LocalDomainServers

Example 2
Registry settings: Suspend Group = SU. Suspend HTTPPassword = SHU. Delete Group = DU.
Groups present on resource (Domino Server): 1. SU1 2. SU2 3. SU3 4. SHU1 5. SHU2 6. SHU3 7. LocalDomainAdmins 8. OtherDomainServers 9. LocalDomainServers 10. DU1 11. DU2
The groups reconciled after successful RECON operation: 1. LocalDomainAdmins 2. OtherDomainServers 3. LocalDomainServers

Example 3
Registry settings: Suspend Group = SU. Suspend HTTPPassword = SHU. Delete Group = DU.
Groups present on resource (Domino Server): 1. SU 2. SHU 3. LocalDomainAdmins 4. OtherDomainServers 5. LocalDomainServers 6. DU
The groups reconciled after successful RECON operation: 1. LocalDomainAdmins 2. OtherDomainServers 3. LocalDomainServers
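The reconciliation rules from the Account Status Attribute and Group Reconciliation sections, modelled as an added example (this is not the adapter's code). It assumes a plain case-sensitive prefix match, which the page does not specify, and its ambiguous_groups helper is a hypothetical configuration check that flags groups matching more than one registry prefix, as happens with the Example 1 settings of Table E4.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Registry:
    """Registry keys named on the page; None means the key is not present."""
    suspend_group: Optional[str] = None
    suspend_http: Optional[str] = None
    delete_group: Optional[str] = None

    def prefixes(self) -> Dict[str, str]:
        keys = {
            "Suspend Group": self.suspend_group,
            "Suspend HTTPPassword": self.suspend_http,
            "Delete Group": self.delete_group,
        }
        return {name: value for name, value in keys.items() if value}


def matching_keys(registry: Registry, group: str) -> List[str]:
    # Assumption: case-sensitive "name starts with registry value" comparison.
    return [key for key, prefix in registry.prefixes().items()
            if group.startswith(prefix)]


def reconciled_groups(registry: Registry, groups: Iterable[str]) -> List[str]:
    """Groups sent to ITIM: everything that matches no special prefix."""
    return [g for g in groups if not matching_keys(registry, g)]


def ambiguous_groups(registry: Registry, groups: Iterable[str]) -> Dict[str, List[str]]:
    """Hypothetical review aid: groups whose name matches several registry keys."""
    hits = {g: matching_keys(registry, g) for g in groups}
    return {g: keys for g, keys in hits.items() if len(keys) > 1}


def account_status(cn: str, registry: Registry,
                   group_members: Dict[str, Set[str]],
                   not_access_server: Set[str]) -> str:
    """INACTIVE/ACTIVE as shown on TIM after reconciliation."""
    if registry.suspend_group:
        suspended = any(cn in members
                        for name, members in group_members.items()
                        if name.startswith(registry.suspend_group))
    else:
        # Suspend Group key absent: fall back to the Server Document field.
        suspended = cn in not_access_server
    return "INACTIVE" if suspended else "ACTIVE"


# Group lists copied from Table E4, Examples 1 and 2.
E4_EXAMPLE1 = ["abc1", "abc2", "Suspend1", "Suspend2", "Suspend3",
               "SuspendHTTP1", "SuspendHTTP2", "SuspendHTTP3",
               "LocalDomainAdmins", "OtherDomainServers", "LocalDomainServers",
               "xyz1", "Delete1", "Delete2"]
E4_EXAMPLE2 = ["SU1", "SU2", "SU3", "SHU1", "SHU2", "SHU3",
               "LocalDomainAdmins", "OtherDomainServers", "LocalDomainServers",
               "DU1", "DU2"]

if __name__ == "__main__":
    reg = Registry("Suspend", "SuspendHTTP", "Delete")
    print(reconciled_groups(reg, E4_EXAMPLE1))
    print(ambiguous_groups(reg, E4_EXAMPLE1))
```

With the Example 1 settings, every SuspendHTTP group also begins with the Suspend Group value, so choosing prefixes that do not contain one another (as in Example 2) keeps the two group families distinct.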

Add operation using search widget for Group Attribute:
1. Perform the reconciliation operation first.
2. Now, while adding the new user, go to the Administration tab.
[Figure new (1): use of search widget]
3. Click on the Search button of the Member of groups attribute. A new window will appear.
[Figure new (2): use of search widget]
4. Select the groups where you want to add the user.
[Figure new (3): use of search wizard]
5. Click the Add button. The selected groups will be added to the Member of Groups attribute.
[Figure new (4): use of search wizard]
6. Click the Done button.

Modify operation using search widget:
It is the same as the add operation using the search widget.

Server Document update: (when the registry key Update Server Doc = TRUE)

Registry key Suspend Group = SG

Groups on the Domino resource:
[Figure resource (1): Use of registry key Update Server Doc]

Domino Server Document initially: No groups present in the Not access server field.
[Figure resource (2): Use of registry key Update Server Doc]

Domino Server Document after reconciliation operation:
[Figure resource (3): Use of registry key Update Server Doc]
Groups SG, SG1, SG2 and SG3 are added to the Not access server field.

Mail Template File name:

The Notes Agent supports the feature of template file name reconciliation. With this feature, the agent reconciles the template file names and stores them on ITIM LDAP. These reconciled template file names can be used in the add operation for selecting a template file name using the search widget.

All the template files present on the server specified in the registry key Mail Template Server are reconciled back to ITIM. If the registry key Mail Template Server is blank or empty, then all the template files present on the server specified in the registry key Domino Server are reconciled to ITIM.

For Existing Customers: The Mail Template Name attribute will come as a text field on the Notes Account form in MAIL TAB, so that existing customers can use this field without the Mail Template Server enhancement.

For Customers who want a List Box instead of a Text field for the Mail Template Name attribute as supporting data: The Mail Template Name attribute will come as a text field on the Notes Account form by default. New customers need to change this text field to a list box, as described in the steps below, to use this Mail Template Server enhancement. Refer to section "Specifying Mail Template Name Attribute" for more details.

Chapter 7 SameTime Only Account Management

Scenarios and Requirements

Apart from creating only Domino accounts, the Notes Agent can also be used to perform the following operations with respect to SameTime user management:

ADD
Creation of Domino+SameTime accounts.
Creation of SameTime only accounts.

MODIFY
Modifying attributes of a user having Domino+SameTime Account.
Modifying attributes of a user having only SameTime Account.

SUSPEND
Suspending a User having only SameTime Account.
Suspending SameTime Access for an account having Domino+SameTime Account.

RESTORE
Restoring a User having only SameTime Account.
Restoring SameTime Access for an account having Domino+SameTime Account.

LOCKING SAMETIME ACCESS
Locking out SameTime access of a user having Domino+SameTime account.

DELETE
Deleting a User having only SameTime account.
Deleting a User having Domino+SameTime account.

RECON
Reconciliation of users having only SameTime account.
Reconciliation of users having Domino+SameTime account.

SAMETIME ACL MANAGEMENT
Managing user's ACL on SameTime database files (stconf.nsf and stsrc.nsf) for accounts having only SameTime Account.
Managing user's ACL on SameTime database files (stconf.nsf and stsrc.nsf) for accounts having Domino+SameTime Account.

Software and Hardware Requirement

The Notes Agent supports the SameTime and Domino+SameTime User Management on the following configurations:

No. / Domino Server / Lotus Notes Admin Client / Domino Same Time Server / Operating System
Operating System: Windows 2000 and Windows 2003

Supported Setup

The Notes Agent supports Domino+SameTime and Only SameTime account management on the following Domino server deployments:

Supported Setup 1 - Single Domino Server
Single Domino Registration Server (also acting as Domino Server).
SameTime server is installed on the same Domino Registration server.
[Diagram: Domino Server (Registration and Server), SameTime Server, Notes Administrator/Client (user.id), SameTime Connect Client]

Supported Setup 2 - Multiple Domino Servers - Case I
Single Domino Server acting as Registration and server.
Another secondary Domino Server on which the SameTime server is installed.
[Diagram: Domino Server (Registration and Server), Secondary Domino Server, SameTime Server, Notes Administrator/Client (user.id), SameTime Connect]

Supported Setup 3 - Multiple Domino Servers - Case II
One Domino Server acting as Registration.
One separate secondary server.
One separate secondary Domino Server on which the SameTime server is installed.
[Diagram: Domino Server (Registration Server), Secondary Domino Server, Secondary Domino Server, SameTime Server, Notes Administrator/Client (user.id), SameTime Connect]

Supported Setup 4 - Multiple Domino Servers - Case III
One Domino Server acting as Registration.
Multiple secondary servers.
Multiple separate secondary Domino Servers on which SameTime servers are installed.
[Diagram: Domino Server (Registration Server), Domino Server 1, Domino Server n, Secondary Domino Server 1, SameTime Server 1, Secondary Domino Server n, SameTime Server n, Notes Administrator/Client (user.id), SameTime Connect]

Very Important: In all of the above 4 supported setups, the Notes Agent assumes that the Administrator (user.id) is the same for the primary (registration) server and the secondary (and SameTime Domino) servers.

SameTime Account Attributes

The following are the SameTime Server related attributes:
1. Only SameTime Account: This attribute specifies whether the account to be created on Domino is an Only SameTime Account.
2. Sametime Server: This attribute specifies the SameTime Server value for the Domino+SameTime Account or Only SameTime accounts.
3. ACL for SameTime Account: This attribute specifies the ACL of the SameTime user on the SameTime databases (stconf.nsf and stsrc.nsf).
4. Lock SameTime Account: This attribute is used to block the SameTime access of a Domino+SameTime account.

The following screen shot shows the SAMETIME TAB of the ITIM Notes Account form:

SameTime - ADD Operation Functionality

Add a User with Domino + SameTime Account.

The following attributes need to be specified to create a Domino+SameTime Account:
1. Specify required attributes. (Eruid and Last name) (Refer section for the details of required attributes)
2. Specify a value for the Same Time server attribute. If the Same Time Server attribute is not specified, then only a Domino Account will be created.
3. Do not specify SameTime only Account for this user.
4. You can specify all the other optional attributes.

Add a User with Only SameTime Account.

The following attributes need to be specified to create only a SameTime Account:
1. Specify required attributes. (Eruid and Last name)
2. Specify the SameTime only Account attribute.
3. Specify a value for the Same Time server attribute.
4. You can specify all the other optional attributes, except the following attributes:
a. Certificate Expiration Date
b. Internal (Internet/HTTP) Password
c. Server
d. Mail File Name
e. Address
f. Forward Address
g. Mail System
h. Domain
i. Quota Size
j. Replication Server
k. Replication Mail File
l. Mail Template Name
m. User ID File path
n. User ID in CertLog
o. Save ID In Address Book
p. Create North American ID

How the Notes Agent decides what account (Only Domino OR Domino+SameTime OR Only SameTime) to create:

If the Agent receives only the required attributes and other optional attributes (no SameTime account related attributes) from ITIM, then only a Domino Account will be created.
If the Agent receives only the required/optional attributes and SameTime server attributes (excluding the SameTime only Account attribute) from ITIM, then only a Domino+SameTime Account will be created.
If the Agent receives only the required attributes and SameTime server attributes (including the SameTime only Account attribute) from ITIM, then an Only SameTime account will be created.

The Notes Agent will use the following algorithm for the ADD Operation:

Common Algorithm:
1. Check if the SameTime only Account and SameTime server attributes are specified from ITIM.
a. If SameTime only Account is not specified and the SameTime server attribute is specified, then perform the steps from Algorithm A for creating a Domino+SameTime Account.
b. If the SameTime only Account attribute is specified and the SameTime server attribute is specified, then perform the steps from Algorithm B for creating a SameTime only Account. (If the SameTime only Account attribute is specified and the SameTime server attribute is not specified, then return with an error indicating that a SameTime only Account cannot be created without the SameTime Server value.)
c. If the SameTime only Account and SameTime server attributes are not specified, then perform the steps from Algorithm C for creating a Domino only Account.

Algorithm A - Creating Domino + SameTime Account:
1. Register the Domino account for the user on the resource (with ID file and mail file).
2. Set the SameTime server value field.
3. Set the other optional attributes for the user.
4. Set the ACL for the SameTime server by adding the user to the ACL's group on the Domino registration server. Add that ACL group in the stconf.nsf and stsrc.nsf databases on the resource if not already added.
5. Add the user's entry to NoteIDsAdressBook with the user's ID file and password.

Algorithm B - Creating SameTime only account:
1. Register the user on Domino with the value of the Mail System attribute as None (without creating ID file and mail file).
2. Log a debug message indicating the Mail System for this user is None.
3. Create a new field SameTime Only Account in the person document with value TRUE, to indicate that it is a SameTime only account.
4. Set the SameTime server attribute for this user.
5. Set the other optional attributes for the user.
a. The user password attribute will be saved in the Internet/HTTP password field in the person document for the user.
b. The adapter will ignore the value of the Internet/HTTP password attribute specified from ITIM.
6. Set the ACL for the SameTime server by adding the user to the ACL's group on the Domino registration server. Add that ACL group in the stconf.nsf and stsrc.nsf databases on the resource if not already added.

Algorithm C - Creating Domino only Account:
1. Register the Domino account for the user on the resource (with ID file and mail file).
2. Set the optional attributes for this user.
3. Add the user's entry to NoteIDsAdressBook with the user's ID file and password.
This algorithm will work as the original design of the ADD Operation.

Examples: ADD OPERATION: Different registry settings, inputs from ITIM and corresponding result of ADD operation

Creating a Domino as well as SameTime account

Example 1
Registry setting: Domino Server = <CN=RegServer/O=ORG> Synchronize HTTPPassword = <FALSE>
Input from ITIM: UserID = <user1> Last name = <user1> Certifier id = <D:\Domino\Data\cert.id> Cert Password = <password> Internet Password = <inet123> Only SameTime Account = FALSE SameTime Server Name = <CN=STServer/O=ORG> User Password = <passwd123>
Result: A Domino account (on server <CN=RegServer/O=ORG>) and SameTime account (on server <CN=STServer/O=ORG>) will be created for the user user1. The HTTP/SameTime password will be <inet123>.

Example 2
Registry setting: Domino Server = <CN=RegServer/O=ORG> Synchronize HTTPPassword = <TRUE>
Input from ITIM: UserID = <user1> Last name = <user1> Certifier id = <D:\Domino\Data\cert.id> Cert Password = <password> Internet Password = <inet123> Only SameTime Account = FALSE SameTime Server Name = <CN=STServer/O=ORG> User Password = <passwd123>
Result: A Domino account (on server <CN=RegServer/O=ORG>) and SameTime account (on server <CN=STServer/O=ORG>) will be created for the user user1. The SameTime password will be <passwd123>.

Example 3
Registry setting: Domino Server = <CN=RegServer/O=ORG> Synchronize HTTPPassword = <FALSE>
Input from ITIM: UserID = <user1> Last name = <user1> Certifier id = <D:\Domino\Data\cert.id> Cert Password = <password> Internet Password = <passwd123> Only SameTime Account = FALSE SameTime Server Name = <empty>
Result: Only a Domino account (on server <CN=RegServer/O=ORG>) will be created for the user user1. SameTime Account will not be created for this user.

Creating a SameTime only account

Example 4
Registry setting: Domino Server = <CN=RegServer/O=ORG>
Input from ITIM: UserID = <user1> Last name = <user1> Certifier id = <D:\Domino\Data\cert.id> Cert Password = <password> Internet Password = <inet123> Only SameTime Account = TRUE SameTime Server Name = <CN=STServer/O=ORG> User Password = <passwd123> SameTime ACLs = <Editor>
Result: Only a person document (without ID and mail file) will be created for user user1 on Domino with a SameTime account on server CN=STServer/O=ORG. The SameTime password will be <passwd123>. User will be added to STEditor group and this group will be added to the Editor ACL on the stconf.nsf and stsrc.nsf files.

Example 5
Registry setting: Domino Server = <CN=RegServer/O=ORG>
Input from ITIM: UserID = <user1> Last name = <user1> Certifier id = <D:\Domino\Data\cert.id> Cert Password = <password> Internet Password = <empty> Only SameTime Account = TRUE SameTime Server Name = <CN=STServer/O=ORG> User Password = <passwd123> SameTime ACLs = <Manager>
Result: Only a person document (without ID and mail file) will be created for user user1 on Domino with a SameTime access on server CN=STServer/O=ORG. The SameTime password will be <passwd123>. User will be added to STmanager group and this group will be added to the Editor ACL on the stconf.nsf and stsrc.nsf files.

Example 6
Registry setting: Domino Server = <CN=RegServer/O=ORG>
Input from ITIM: UserID = <user1> Last name = <user1> Certifier id = <D:\Domino\Data\cert.id> Cert Password = <password> Internet Password = <inet123> Only SameTime Account = TRUE SameTime Server Name = <empty> SameTime ACLs = <Editor>
Result: Adapter will return with error SameTime server name should be specified to create a SameTime only account.
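The account-type decision of the Common Algorithm and the password handling shown in the six ADD examples, as an added sketch that is not the adapter's own code. The AddRequest and AddPlan types and the person-document field names are hypothetical, and the effect of Synchronize HTTPPassword is inferred only from Examples 1 and 2 above.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


class AddError(Exception):
    """Raised where the page says the adapter returns with an error."""


@dataclass
class AddRequest:
    user_id: str
    last_name: str
    user_password: Optional[str] = None
    internet_password: Optional[str] = None
    sametime_only: bool = False
    sametime_server: Optional[str] = None
    sametime_acl: Optional[str] = None


@dataclass
class AddPlan:
    account_type: str                 # "domino", "domino+sametime" or "sametime-only"
    id_and_mail_file: bool            # Algorithms A and C register with ID and mail file
    address_book_entry: bool          # entry in NoteIDsAdressBook (Algorithms A and C)
    acl_level: Optional[str]          # level to grant on stconf.nsf and stsrc.nsf
    person_fields: Dict[str, str] = field(default_factory=dict)


def _acl(req: AddRequest) -> Optional[str]:
    # An ACL value of None means no group and no ACL entry is created.
    return req.sametime_acl if req.sametime_acl not in (None, "None") else None


def plan_add(req: AddRequest, synchronize_http_password: bool = False) -> AddPlan:
    has_server = bool(req.sametime_server)
    if req.sametime_only:
        if not has_server:
            raise AddError("SameTime server name should be specified "
                           "to create a SameTime only account")
        # Algorithm B: person document only, Mail System = None, and the user
        # password goes to the Internet/HTTP password field. The Internet
        # password attribute sent by ITIM is ignored.
        fields = {
            "MailSystem": "None",
            "SameTimeOnlyAccount": "TRUE",
            "SameTimeServer": req.sametime_server,
            "HTTPPassword": req.user_password or "",
        }
        return AddPlan("sametime-only", False, False, _acl(req), fields)

    # Inferred from Examples 1 and 2: TRUE copies the user password into the
    # HTTP password, FALSE keeps the Internet password attribute.
    http = req.user_password if synchronize_http_password else req.internet_password
    fields = {"HTTPPassword": http or ""}
    if has_server:
        # Algorithm A: full Domino registration plus SameTime server and ACL.
        fields["SameTimeServer"] = req.sametime_server
        return AddPlan("domino+sametime", True, True, _acl(req), fields)
    # Algorithm C: original Domino-only behaviour.
    return AddPlan("domino", True, True, None, fields)


if __name__ == "__main__":
    req = AddRequest("user1", "user1", user_password="passwd123",
                     internet_password="inet123", sametime_only=True,
                     sametime_server="CN=STServer/O=ORG", sametime_acl="Editor")
    print(plan_add(req))
```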

Creation of only SameTime Account for a user:

Assume a user is created through ITIM for an Only SameTime account with the following values: (PERSONAL and SAMETIME TABs)

The user created on Domino with the above values will be seen as follows:

The SameTime ACL of the user will be managed in the following way:
1. A group with name ITIMST_ps2580_Designer will be created on Domino.
2. This user's CN will be added to this group.
3. This group ITIMST_ps2580_Designer will be added as the Designer ACL on the stconf.nsf and stsrc.nsf database files on the SameTime server ps2580/pspl.
4. If SameTime ACL is provided with value None, then no groups are created for the None ACL, and these users with None ACL will have no ACLs on the stconf.nsf and stsrc.nsf database files on the SameTime server.
5. The user password is set to the HTTP/Internet field of this user's person document.
6. The Notes Agent ignores the value of the HTTP/Internet Password attribute coming from ITIM.

Similarly, other groups following the above convention (group name starting with ITIMST_, then the SameTime server host name ps2580_, and then the ACL name Designer: ITIMST_SameTimeServerHostName_ACL) will be created on the Domino registration server for other ACLs.

The above ITIMST_ps2580_Designer group will then be added as the appropriate ACL on the stsrc.nsf and stconf.nsf database files on the SameTime server ps2580/pspl, as shown in the screen shots below:

Screen shot showing the ACLs of users/groups/servers for database file stconf.nsf:

The group ITIMST_ps2580_Designer is added as Author ACL on the stconf.nsf file:

Also this group ITIMST_ps2580_Designer is added as Author ACL on the stsrc.nsf database file:

The above logic of ACL management for SameTime users will be applied to other SameTime servers.

Example

Assume a user is created on Domino with a Domino+SameTime OR Only SameTime account with the following values:
User: firstname2 middleinitial2 lastname2/ibm
SameTime Server: SameTimeServer2/IBM
SameTime ACL: Author
Only SameTime Account: TRUE

The following steps will be executed by the agent:
1. The above user will be created on Domino.
2. A group with name ITIM_SAMETIMESERVER2_AUTHOR will be created on the primary registration server.
3. The user's CN firstname2 middleinitial2 lastname2/ibm will be added to the ITIM_SAMETIMESERVER2_AUTHOR group.
4. This group ITIM_SAMETIMESERVER2_AUTHOR will be added as the Author ACL on the stconf.nsf and stsrc.nsf database files on the SameTime server SameTimeServer2/IBM.

If you go on creating users (say with Author SameTime-ACL) on this SameTime server SameTimeServer2/IBM, then at a certain stage this group will be full. Once this group is full (Domino 5 group size limit is 15K and Domino 6 & above group size is 32 K), the new groups created with the above logic will be appended with number 1 (ITIM_SAMETIMESERVER2_AUTHOR1), and if this group ITIM_SAMETIMESERVER2_AUTHOR1 also gets full, then the next group created will be ITIM_SAMETIMESERVER2_AUTHOR2, and so on.

SameTime - MODIFY Operation

Modifying attributes of a user having Domino+SameTime Account

All the attributes supported by the Notes Agent can be modified. Do not modify the following attribute, as it is applicable only for users having only a SameTime Account:

Attribute ernotessametimeonlyaccount (SametimeOnlyAccount)
This attribute is a checkbox on the ITIM Notes Account form. This attribute should not be used for Domino and Domino+SameTime accounts. If this attribute is modified for Domino and Domino+SameTime accounts, then the agent will return with an error indicating this attribute cannot be modified.

Modifying attributes of a user having only SameTime Account

All the attributes supported by the Notes Agent can be modified except the following:
a. Certificate Expiration Date
b. Internal (Internet/HTTP) Password. Users having Only SameTime accounts will have their passwords stored in the Internet/HTTP Password field in their person documents. If you want to change the password of a user having only a SameTime account, do not modify the Internet/HTTP Password attribute from ITIM; perform a password change operation to change the user's password.
c. Server
d. Mail File Name
e. Address
f. Forward Address
g. Mail System
h. Domain
i. Quota Size
j. Replication Server
k. Replication Mail File
l. Mail Template Name
m. User ID File path
n. User ID in CertLog
o. Save ID In Address Book
p. Create North American ID

The Notes Agent will return with an error if the above listed attributes are modified.

EXCEPTIONS:

a. Attribute ernotessametimeonlyaccount (SametimeOnlyAccount)
This attribute is a checkbox on the ITIM Notes Account form. When you perform the Reconciliation operation for the first time, the agent will reconcile all the following types of account to ITIM from your Notes deployment:
Users with Only Domino Account.
Users having Domino+SameTime Account.
Users having only SameTime Account.
The Notes Agent recognizes the above account types depending on the SameTime Only Account field in the person's document. At the first reconciliation operation, the Notes Agent is not aware of which are only Domino/Domino+SameTime or Only SameTime accounts. If your current Notes Deployment already has users having only SameTime Account form, then you can modify this attribute with TRUE value (checked) to let ITIM and Notes Agent know that this account> Once this is done, a field named SameTime Only Account is created in the user's person document. Once this check box is checked on ITIM, it cannot be modified to unchecked. Once the field OnlySameTimeAccount is found in the user's person document, the agent returns the ernotessametimeonlyaccount attribute to ITIM, which indicates that the accounts are Only SameTime accounts.

b. Attribute ernotessametimelockaccount (SametimeLockAccount)
This attribute is a checkbox on the ITIM Notes Account form. This attribute is used to lock (checked in modify) the SameTime server access for a user having a Domino+SameTime account. This attribute is modifiable only for users having Domino+SameTime Accounts. So do not modify this attribute for users having only Domino and only SameTime accounts.

Modifying SameTime Server Attribute for a user having a Domino+SameTime Account OR Only SameTime Account

Assume a user is already created on Domino with a Domino+SameTime OR Only SameTime account with the following values:
User: firstname middleinitial lastname/ibm
SameTime Server: SameTimeServer1/IBM
SameTime ACL: Author
Only SameTime Account: TRUE

On the Domino resource the following will be created:
1. A group with name ITIMST_SameTimeServer1_Author will be created on the Domino registration server.
2. The user's CN firstname middleinitial lastname/ibm will be added to this ITIMST_SameTimeServer1_Author group.
3. This group ITIMST_SameTimeServer1_Author will be added as Author ACL on the stsrc.nsf and stconf.nsf database files on the SameTime server SameTimeServer1/IBM.

Now if you modify the SameTime Server attribute for this user from ITIM from SameTimeServer1/IBM to SameTimeServer2/IBM, the following will be seen on Domino:
1. A new group with name ITIMST_SameTimeServer2_Author will be created on the Domino registration server.
2. The user's CN firstname middleinitial lastname/ibm will be removed from the ITIMST_SameTimeServer1_Author group and added to the ITIMST_SameTimeServer2_Author group.
3. This group ITIMST_SameTimeServer2_Author will be added as Author ACL on the stsrc.nsf and stconf.nsf database files on the SameTime server SameTimeServer2/IBM.
4. The first group, ITIMST_SameTimeServer1_Author, will remain on the Domino registration server.

Modifying SameTime Server and SameTime ACL Attributes in one single modify operation for a user having a Domino+SameTime Account OR Only SameTime Account

Assume a user is already created on Domino with a Domino+SameTime OR Only SameTime account with the following values:
User: firstname middleinitial lastname/ibm
SameTime Server: SameTimeServer1/IBM
SameTime ACL: Author
Only SameTime Account: TRUE

On the Domino resource the following will be created:
1. A group with name ITIMST_SameTimeServer1_Author will be created on the Domino registration server.
2. The user's CN firstname middleinitial lastname/ibm will be added to this ITIMST_SameTimeServer1_Author group.
3. This group ITIMST_SameTimeServer1_Author will be added as Author ACL on the stsrc.nsf and stconf.nsf database files on the SameTime server SameTimeServer1/IBM.

Now if you modify the following attributes for the above user from ITIM:
1. SameTime Server attribute from SameTimeServer1/IBM to SameTimeServer2/IBM.
2. SameTime ACL from Author to Reader.

The following will be seen on Domino:
1. A new group with name ITIMST_SameTimeServer2_Reader will be created on the Domino registration server.
2. The user's CN firstname middleinitial lastname/ibm will be removed from the ITIMST_SameTimeServer1_Author group and added to the ITIMST_SameTimeServer2_Reader group.
3. This group ITIMST_SameTimeServer2_Reader will be added as Reader ACL on the stsrc.nsf and stconf.nsf database files on the SameTime server SameTimeServer2/IBM.
4. The first group, ITIMST_SameTimeServer1_Author, will remain on the Domino registration server.
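An in-memory model of the SameTime ACL group handling described in the ACL management, group overflow and Modify sections, added here as an illustration and not taken from the adapter. It uses the ITIMST_SameTimeServerHostName_ACL naming, takes the group capacity as a parameter with a small constructed value, and its empty_groups helper is a hypothetical review aid for the groups that remain after users are moved.

```python
import re
from typing import Dict, List, Optional, Tuple

SAMETIME_DATABASES = ("stconf.nsf", "stsrc.nsf")


def host_name(server: str) -> str:
    """'ps2580/pspl' -> 'ps2580'; 'CN=STServer/O=ORG' -> 'STServer'."""
    first = server.split("/", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


class AclDirectory:
    def __init__(self, group_capacity: int):
        # Constructed capacity in members; the page quotes limits of 15K and 32K.
        self.group_capacity = group_capacity
        self.groups: Dict[str, List[str]] = {}            # registration server
        self.db_acl: Dict[Tuple[str, str], Dict[str, str]] = {}

    @staticmethod
    def base_name(server: str, acl: str) -> str:
        return f"ITIMST_{host_name(server)}_{acl}"

    def _family(self, base: str) -> List[str]:
        # The base group plus its numbered overflow groups (base1, base2, ...).
        pattern = re.compile(re.escape(base) + r"\d*")
        return [name for name in self.groups if pattern.fullmatch(name)]

    def assign(self, cn: str, server: str, acl: str) -> Optional[str]:
        if acl == "None":
            return None                                   # no group, no ACL entry
        base = self.base_name(server, acl)
        for name in self._family(base):
            if cn in self.groups[name]:
                return name                               # already a member
        suffix = 0
        while True:
            name = base if suffix == 0 else f"{base}{suffix}"
            members = self.groups.setdefault(name, [])
            if len(members) < self.group_capacity:
                members.append(cn)
                for db in SAMETIME_DATABASES:
                    self.db_acl.setdefault((server, db), {})[name] = acl
                return name
            suffix += 1                                   # group full: next number

    def remove(self, cn: str, server: str, acl: str) -> None:
        for name in self._family(self.base_name(server, acl)):
            if cn in self.groups[name]:
                self.groups[name].remove(cn)

    def move(self, cn: str, old: Tuple[str, str], new: Tuple[str, str]) -> Optional[str]:
        """Modify of SameTime Server and/or ACL: leave the old group, join the new one."""
        self.remove(cn, *old)
        return self.assign(cn, *new)

    def empty_groups(self) -> List[str]:
        # The old group remains on the registration server after a move.
        return sorted(name for name, members in self.groups.items() if not members)


if __name__ == "__main__":
    d = AclDirectory(group_capacity=2)
    for user in ("u1/IBM", "u2/IBM", "u3/IBM"):           # constructed users
        print(user, "->", d.assign(user, "SameTimeServer1/IBM", "Author"))
    print(d.move("u3/IBM", ("SameTimeServer1/IBM", "Author"),
                 ("SameTimeServer2/IBM", "Reader")))
    print(d.empty_groups())
```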

SameTime - SUSPEND Operation Functionality

The Notes Agent will perform the following steps when a Suspend operation is fired from ITIM:

Common Algorithm for SUSPEND Operation
1. Get the eruid from ITIM for the suspend operation.
2. Get the user's person document.
3. Check the field SameTime only Account.
4. Check the field SameTime Server.
5. If the SameTime only Account field is present with value TRUE in the user's person document, then suspend the user having only a SameTime Account using Algorithm A.
6. If the SameTime only Account field is not present and the SameTime Server field has a value (valid SameTime server name OR **** <4 asterisks>), then suspend the user having Domino and SameTime Account using Algorithm B.
7. If the SameTime only Account field is not present and the SameTime Server field is empty/blank, then suspend the user having only a Domino Account using Algorithm B.

A. Algorithm for SUSPEND operation for SameTime Only Account
1. If the SameTime server field has some value in it, then create a new field SameTimeServerSuspended in the person document with the value of the SameTime server for the user.
2. Put an invalid value **** (4 asterisks) in the SameTime server field.
3. Add the user's entry in the log database indicating this is a Suspended Account of the user.

B. Algorithm for SUSPEND operation for users having Domino + SameTime Accounts or Domino Only Accounts. (Existing Logic)
1. Get the user's CN from the Full name field.
2. Add the user's CN to the Suspend group.
3. If the value of registry key Update Server Doc is TRUE, then add the suspend group name to the No Access Server field in the Domino registration server document.
4. Create a new field HTTPPasswordSuspended in the person document of the user.
5. Add the value of the user's Internet/HTTP password to the HTTPPasswordSuspended field.
6. Blank out the Internet/HTTP Password field in the user's person document.
7. Add the user's entry in the log database indicating that this is a Suspended Account of the user.

SameTime - RESTORE Operation Functionality

The Notes Agent will perform the following steps when a Suspend operation is fired from ITIM:

Common Algorithm for RESTORE Operation
1. Get the eruid from ITIM for the restore operation.
2. Get the user's person document.
3. Check the field SameTime only Account.
4. Check the field SameTime Server.
5. If the SameTime only Account field is present with value TRUE in the user's person document, then restore the user having only a SameTime Account using Algorithm A.
6. If the SameTime only Account field is not present and the SameTime Server field has a value (valid SameTime server name OR **** <4 asterisks>), then restore the user having Domino and SameTime Account using Algorithm B.
7. If the SameTime only Account field is not present and the SameTime Server field is empty/blank, then restore the user having only a Domino Account using Algorithm B.

A. Algorithm for RESTORE operation for SameTime Only Account
1. Get the value of the SameTimeServerSuspended field from the user's person document.
2. Set this value in the SameTime Server field in this user's person document.
3. Delete the SameTimeServerSuspended field from the user's person document.

B. Algorithm for RESTORE operation for users having Domino + SameTime Accounts or Domino Only Accounts. (Existing Logic)
1. Get the user's CN from the Full name field.
2. Remove the user's CN from the Suspend group.
3. Get the value of the HTTPPasswordSuspended field from the person document of the user.
4. Set this value to the Internet/HTTP password field in the person document of the user.
5. Blank out the HTTPPasswordSuspended field in the person document of the user.
6. Remove the user's entry from the log database.

SameTime - LOCKING SAMETIME ACCESS

Locking out SameTime access of a user having Domino+SameTime account.

There is an attribute ernotessametimelockaccount (SametimeLockAccount) on the Notes Account form that allows locking the SameTime server access of a user having a Domino+SameTime account.

Locking SameTime Server Access for a user having Domino+SameTime Account:
To lock the SameTime access for a user having a Domino & SameTime account, perform a modify operation for the Lock SameTime Account attribute with value TRUE. The following steps are performed by the Notes Agent to lock SameTime server access for a user having a Domino+SameTime Account:
1. Create a new field (SameTime Server Suspended) in the user's person document.
2. The user's existing SameTime server value present in the SameTime Server field is copied to the SameTime Server Suspended field.
3. The user's SameTime Server field is set with an invalid (****) server value.
Thus, the user will be able to access only Domino and not the SameTime server.

Unlocking SameTime Server Access for a user having Domino+SameTime Account:
To unlock the SameTime access for a user having a Domino & SameTime account, perform a modify operation for the Lock SameTime Account attribute with value FALSE. The following steps are performed by the Notes Agent to unlock SameTime server access for a user having a Domino+SameTime Account:
1. The SameTime server value from the SameTime Server Suspended field is copied into the SameTime Server field of the user's person document.
2. The new field SameTime Server Suspended is deleted from the user's person document.
Thus, the user will be able to access both Domino and the SameTime server.

Locking SameTime Server Access for a user having Only Domino account OR Only SameTime Account:
This field should not be modified for users having Only SameTime accounts. If this field is modified, then the Notes Agent will return with an error indicating that this field cannot be modified.

SameTime - PASSWORD Change Operation Functionality

Password Change Operation of a User having Only SameTime Account.

When a password change operation is executed from ITIM for a user having only SameTime account, then the Notes Agent performs the following steps:
1. The Notes Agent first checks if the user has only SameTime account, by checking if the field SameTime only Account is present in the user's person document.
2. If the field SameTime only Account is present then the new password is set in the Internet/HTTP Password field of the user document.

SameTime - DELETE Operation Functionality

Deleting a User having only SameTime account.

When a delete operation is executed from ITIM for a user having only SameTime account, then the Notes Agent performs the following steps:
1. The Notes Agent first checks if the user has only SameTime account, by checking if the field SameTime only Account is present in the user's person document.
2. If the field SameTime only Account is present in the person document, then it performs the following steps:
   a. Delete the user's person document.
   b. Delete the user from groups that it belongs to.
   c. Add the user's entry to LogDB file whose name is specified in the registry key Log DB.
   d. Delete the user from the ACL group that it is a member of.

Deleting a User having Domino+SameTime account.

When a delete operation is executed from ITIM for a user having Domino+SameTime account, then the Notes Agent performs the following steps:
1. The Notes Agent first checks if the user has Domino+SameTime account, by checking if the field SameTime only Account is present and if the SameTime Server field has some value other than **** in the user's person document.
2. If the field SameTime only Account is present and if the SameTime Server field has some value other than **** in the person document, then it performs the following steps:
   a. Delete the user's person document.
   b. Delete the user's mail file if the registry key Delete Mail DB is set to TRUE.
   c. Delete the user's entry from the Shadow NAB.
   d. Delete the user from groups that it belongs to.
   e. Add the user's entry to LogDB file whose name is specified in the registry key Log DB.
   f. Delete the user from the ACL group that it is a member of.

SameTime - RECONCILIATION Operation Functionality

SAMETIME ONLY ACCOUNT Attribute
For SameTime only Account:
If the user's person document contains the SameTime Only field with value TRUE, then a value TRUE will be sent back to ITIM. There will be no SameTime only account without this field.
For Domino only Account + For Domino and SameTime Account:
This attribute will not be sent for these types of accounts. This is not a RECON attribute for these types of users.

SAMETIME SERVER Attribute for ACTIVE USERS
For SameTime only Account + For Domino and SameTime Account:
The value in the SameTime Server field in the user's person document will be sent to ITIM.
For Domino only Account:
This attribute will not be sent back to ITIM for this account. This is not a RECON attribute for this account.

SAMETIME SERVER Attribute for SUSPENDED USERS
For SameTime only Account:
The value in the SameTimeServerSuspended field in the user's person document will be sent to ITIM.
For Domino and SameTime Account:
The value in the SameTime Server field in the user's person document will be sent to ITIM.
For Domino only Account:
This attribute will not be sent back to ITIM for this account. This is not a RECON attribute for this account.

SAMETIME LOCK Attribute for ACTIVE USERS
For SameTime only Account + For Domino only Accounts:
This attribute will not be sent for these types of accounts. This is not a RECON attribute for these types of users.
For Domino and SameTime Account:
If the field SameTime Only is not present and if the field SameTimeServerSuspended is present in the person document, then the value TRUE will be sent, else FALSE will be sent to ITIM.

SAMETIME LOCK Attribute for SUSPENDED USERS
For SameTime only Account + For Domino only Accounts:
This attribute will not be sent for these types of accounts. This is not a RECON attribute for these types of users.
For Domino and SameTime Account:
If the field SameTime Only is not present and if the field SameTimeServerSuspended is present in the person document, then the value TRUE will be sent, else FALSE will be sent to ITIM.

SAMETIME ACLs Attribute
For SameTime only Account + For Domino and SameTime Account:
The ACLs of these types of account will be retrieved from the SameTime ACLs groups present on the Domino Server. (These SameTime ACLs groups are put on the ACL list of the SameTime stsrc.nsf and stconf.nsf SameTime Server database files.)
For Domino only Account:
This attribute will not be sent for the Domino only Account. This is not a RECON attribute for users having Domino only account.

ACCOUNT STATUS Attribute
For SameTime only Account:
If the field SameTime Only is present and the SameTimeServerSuspended field is present in the user's person document, then a value SUSPENDED will be sent back to ITIM for Account Status. If the field SameTime Only is present and if the field SameTimeServerSuspended is not present in the user's person document, then a value ACTIVE will be sent back to ITIM for Account Status.
For Domino only Account + For Domino and SameTime Account:
The Adapter will check if the Suspend group has the user's CN entry present in it. If the user's CN entry is present in the Suspend group, then the Adapter will send the account as INACTIVE (suspended account), else ACTIVE.
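The lock, unlock and reconciliation rules above, written out as an added Python example (not code from the adapter). The dictionary keys are the field display names used in this paper, which is an assumption about the real Notes item names; the repeated-lock guard and the audit() consistency check are additions of this example and are not described in the paper.

```python
# Added example. Field names are the display names used in this paper;
# the real Notes item names on a Domino server are an assumption here.
F_ONLY = "SameTime only Account"
F_SERVER = "SameTime Server"
F_SAVED = "SameTimeServerSuspended"
LOCK_SENTINEL = "****"  # invalid server value written while SameTime access is locked


def account_type(doc):
    """Classify a person document as the common RESTORE algorithm does."""
    if doc.get(F_ONLY) == "TRUE":
        return "sametime-only"
    return "domino+sametime" if doc.get(F_SERVER) else "domino-only"


def set_sametime_lock(doc, locked):
    """Apply a Lock SameTime Account modify (TRUE/FALSE) to a person document."""
    if account_type(doc) != "domino+sametime":
        raise ValueError("Lock SameTime Account cannot be modified for this account")
    if locked and F_SAVED not in doc:
        # Guard added in this example: a repeated lock must not overwrite
        # the saved server name with the sentinel.
        doc[F_SAVED] = doc[F_SERVER]
        doc[F_SERVER] = LOCK_SENTINEL
    elif not locked and F_SAVED in doc:
        doc[F_SERVER] = doc.pop(F_SAVED)
    return doc


def reconcile(doc, cn, suspend_group):
    """Return the SameTime-related attributes sent back to ITIM.

    Attributes that are not RECON attributes for the account type are omitted.
    """
    kind = account_type(doc)
    out = {}
    if kind == "sametime-only":
        suspended = F_SAVED in doc
        out["SameTime Only Account"] = "TRUE"
        out["Account Status"] = "SUSPENDED" if suspended else "ACTIVE"
        out["SameTime Server"] = doc[F_SAVED] if suspended else doc.get(F_SERVER, "")
        return out
    # Domino only and Domino+SameTime: status comes from Suspend group membership.
    out["Account Status"] = "INACTIVE" if cn in suspend_group else "ACTIVE"
    if kind == "domino+sametime":
        out["SameTime Server"] = doc[F_SERVER]
        out["SameTime Lock"] = "TRUE" if F_SAVED in doc else "FALSE"
    return out


def audit(doc):
    """Flag half-applied lock states (a check added here, not an adapter feature)."""
    issues = []
    if account_type(doc) == "sametime-only":
        return issues
    saved, server = doc.get(F_SAVED), doc.get(F_SERVER)
    if saved is not None and server != LOCK_SENTINEL:
        issues.append("saved server present but SameTime Server is not ****")
    if saved is None and server == LOCK_SENTINEL:
        issues.append("SameTime Server is **** with no saved server to restore")
    if saved == LOCK_SENTINEL:
        issues.append("saved server is the sentinel; original server name lost")
    return issues


if __name__ == "__main__":
    # Constructed person document, not taken from a real directory.
    person = {F_SERVER: "st01/IBM"}
    set_sametime_lock(person, True)
    print(reconcile(person, "Jane Doe", set()), audit(person))
```

A locked Domino+SameTime account reconciles with SameTime Server set to ****, because the rules send the SameTime Server field rather than the saved value for this account type.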

SameTime - Existing Domino/ITIM Deployment

If there are accounts already existing on the resource which are SameTime only accounts, then the user will first have to run a recon operation and modify these accounts on ITIM to specify that these are SameTime Only accounts. For doing this, the ITIM Administrator has to modify the attribute SameTime Only Account to TRUE for all the reconciled users having SameTime Account only.

Chapter 8 ADMINP Operation

An administration request represents an administration task and is run by the server task AdminP (Administration Process). When an administration request is generated, it appears in the Administration Requests database.

Administration servers

Administration servers control how the Administration Process does its work. You specify an administration server for the Domino Directory and for specific databases. By default, the first Lotus Domino server you set up in a domain is the administration server for the Domino Directory. The administration server for the Domino Directory maintains the Domino Directory's ACL, performs deletion and name change operations in that Domino Directory, and these changes are replicated to other servers in the domain.

If you have multiple directories in your domain -- not replicas of other domain's directories, but more than one of your own -- you can specify an administration server for each of the directories in your domain. Do not specify an administration server in your domain for a replica of another domain's Domino Directory.

All databases need an administration server to manage name changes and deletions that apply to the database -- for example, changes to the ACL, Readers and Authors fields, or Names fields. If a database has replicas, you assign an administration server to only one replica. Then the Administration Process makes all changes to that replica, and replication for that database carries out the changes in all other replicas. You can also set up one or more extended administration servers to distribute across multiple servers the processing of administration requests that modify the Domino Directory.

The Administration Requests database

The Administration Requests database (ADMIN4.NSF) is created on the administration server for the Domino Directory when that server starts for the first time.

Requests for work to be done by the Administration Process are stored in the Administration Requests database. The status of work done by the Administration Process is also stored there as response Log documents to the requests, in the form of Administration Request documents. To complete tasks, the Administration Process posts and responds to requests in the Administration Requests database. Domino servers use replicas of this database to distribute requests made on one server to other servers in the domain. When other servers start, if the Administration Requests database does not exist, the server creates a replica stub of the Administration Requests database and waits for it to be initialized from another server in the domain. Every server in the domain stores a replica of the Administration Requests database and the Domino Directory.

The Administration Requests database also acts as the interface to the Domino Certificate Authority requests. It is the responsibility of the Registration Authority to monitor the status of the Certification Authority (CA) Requests. The CA requests can be removed from the view or resubmitted for processing in the same manner as the Administration Process Requests.

Lotus Notes features for executing AdminP Commands:

The Lotus Notes Agent can be used to execute the following AdminP commands:
1. Renaming a User account: The agent can be used to rename all references to a user account in the Lotus Domino Server.
2. Re-certifying a user account: The agent can be used to re-certify a specific user account in the Lotus Domino Server.
3. Move User in Hierarchy: The agent can be used to move a user to a new hierarchy in the organization's hierarchical name scheme.
4. Move User Complete: When used with Move User in Hierarchy, the move of a user to a new hierarchy is completed.
5. Creating a New Replica of Database: The agent can be used to create a new replica of a database on another Lotus Domino Server.
6. Moving a Replica of Database: The agent can be used to move a replica of a database from one Lotus Domino Server to another.
7. Deleting an ACL: The agent can be used to delete the name of a user from the ACLs list of the mail database files on the Lotus Domino server.
8. Delete in NAB: The agent can be used to delete the user from NAB and also delete the user's mail database files from all replicas.

The following screen shot shows the ADMINP TAB on the Notes Account form on ITIM, indicating all the supported AdminP commands:

Sending AdminP Command attributes in modify operation:

All the attributes (modified or non-modified) on the ADMINP TAB on the user account form will be sent from ITIM to the Notes Agent in a modify operation. The AdminP command name attribute will only be sent if it is specified through ITIM in the modify operation. If the AdminP command name is specified, then the Agent will use only the attributes required for that AdminP command and ignore all others which are sent through ITIM.

Executing the AdminP Commands through ITIM Server:

The following sections give sample examples for execution of AdminP commands through the ITIM server.

Executing Rename AdminP Command

Specify the attributes to execute the Rename AdminP command as shown in the following figure:

Figure 47: Notes Account form AdminP TAB (Rename command)

This AdminP request creates a request in admin4.nsf to rename a user in the address book that is on the same server as admin4.nsf.

Executing Re-Certify AdminP Operation

Specify the attributes to execute the Re-Certify AdminP command as shown in the following figure:

Figure 48: Notes Account form AdminP TAB (Recertify Command)

This AdminP request creates a request in admin4.nsf to recertify a user.

Moving a User in a Domino Hierarchy.

The following user moves can be performed in the above Domino Hierarchy:
1. Move User from /IBM to US/IBM
2. Move User from /IBM to UK/IBM
3. Move User from US/IBM to /IBM
4. Move User from US/IBM to UK/IBM
5. Move User UK/IBM to /IBM
6. Move User UK/IBM to US/IBM

The following two steps need to be executed to move a user in a Domino Hierarchy:
1. Execute a Move User in Hierarchy AdminP Command.
2. Execute a Move User Complete AdminP Command.

The following two sections describe an example of moving a user fn mi ln/us/ibm from US/IBM hierarchy to UK/IBM hierarchy.

Executing Move User In Hierarchy AdminP Command

Specify the attributes to execute the Move User in Hierarchy AdminP command as shown in the following figure:

Move User in Hierarchy (fn mi ln/us/ibm) from US/IBM to UK/IBM.

Figure 49: Notes Account form AdminP TAB (Move User In Hierarchy Command)

This AdminP request creates a request in admin4.nsf to move a user to a new hierarchy.

Executing Move User Complete AdminP Command

Move User Complete (fn mi ln/us/ibm) from US/IBM to UK/IBM.

Specify the attributes to execute the Move User Complete AdminP command as shown in the following figure:

Figure 50: Notes Account form AdminP TAB (Move User Complete Command)

This AdminP request, used in conjunction with RequestMoveUserInHierarchy, completes the move of a user to a new hierarchy.

Executing New Replica AdminP Command

Specify the attributes to execute the New Replica AdminP command as shown in the following figure:

Figure 51: Notes Account form AdminP TAB (New Replica Command)

This AdminP request creates a request in admin4.nsf to create a new replica of a database on another server.

Executing Move Replica AdminP Command

Specify the attributes to execute the Move Replica AdminP command as shown in the following figure:

Figure 52: Notes Account form AdminP TAB (Move Replica Command)

This AdminP request creates a request in admin4.nsf to move a replica of a database to another server.

Executing Delete In ACL AdminP Command

Specify the attributes to execute the Delete in ACL AdminP command as shown in the following figure. This command does not require any other attributes to be specified, except the AdminP command attribute.

Figure 53: Notes Account form AdminP TAB (Delete In ACL Command)

This AdminP request creates a request in admin4.nsf to delete a user from the Access Control List.

Executing Delete In NAB AdminP Command

Specify the attributes to execute the Delete in NAB AdminP command as shown in the following figure. This command does not require any other attributes to be specified, except the AdminP command attribute.

This AdminP request creates a request in admin4.nsf to delete a user from the public address book (names.nsf) on the server.

Summary of AdminP command execution with the necessary Attributes

The following table indicates the AdminP attributes as appearing on the ITIM Notes Account form on ADMINP TAB. It also gives the details of required and optional attributes for executing each of the AdminP commands:

Table 16: Details of AdminP Command Attributes

R = AdminP Required Attrbs
O = AdminP Optional Attrbs

AdminP Commands (table columns): RENAME, RECERTIFY, MOVEUSER, MOVECOMPLETE, NEWREPLICA, MOVEREPLICA, *DELETEINACL, *DELETEINNAB

No. ADMINP TAB Attrbs: entries
0. ADMINP Command
1. ADMINP First Name: O
2. ADMINP Middle Initial: O
3. ADMINP Last Name: R
4. Database Title (new Database): R R
5. Original Certifier of user [Absolute path of cert file]: R R R
6. Original Certifier Password: R R R
7. Certificate Expiration Date: O O O
8. Org Unit Certifier ID: R
9. Org Unit Name: O
10. Path of new Certifier of user [Absolute path of cert file]: R
11. New Certifier Password: R
12. Destination Database Path (relative to data directory): R R
13. Destination Database Server: R R
14. Source Database Path (relative to data directory): R R
15. Source Database Server Name: R R

Note: * => Delete In ACL and Delete In NAB Administration requests do not require any attributes.

Chapter 9 - Configuring the Notes Agent to use Custom Attributes

The Lotus Notes Agent should support custom attributes with only changes to the profiles (schema) and an XML file provided to the Notes Agent for proper function of the newly added custom attribute. The Lotus Notes Agent supports the following types of custom attributes:

Table 17: Types of attributes supported for Custom Attributes
No. Type of Attribute
1. Single value string
2. Multi value string
3. Single value numeric
4. Multi value numeric
5. Single value string (from a fixed list of string values)
6. Single value numeric (from a fixed list of numeric values)
7. Date type value

All the custom attributes to be supported by the Notes Agent will be present in an XML file, with their other properties. The name of this file should be CustomAttributes.xml. The Custom Attributes XML file (CustomAttributes.xml) will reside in the Agent's data directory.

The following section describes the necessary pre-requisites to use the Custom Attributes by the Notes Agent:

1. Update the following files to specify the details of custom attributes to be supported:

A. CustomAttributes.xml:
This file contains the specification of custom attributes to be supported. The user is expected to create the file at the location <Agent Install Directory>\data. The Notes Agent Installer puts the CustomAttributes.dtd file at the same location. The CustomAttributes.xml file created by the user will be validated using this DTD file during runtime.

The following is an example of a CustomAttributes.xml. (The line numbers and the '.' following them are only for the purpose of explanation. They must not appear in the actual CustomAttributes.xml.)

1. <?xml version="1.0" encoding="iso "?>
2. <!DOCTYPE CustomAttributeDefinitions SYSTEM "CustomAttributes.dtd">
3. <CustomAttributeDefinitions>
4. <CustomAttribute RemoteName="CustomRemoteName1" Type="Date" />
5. <CustomAttribute RemoteName="CustomRemoteName2" Type="String" />
6. <CustomAttribute RemoteName="CustomRemoteName3" Type="Integer" />
7. </CustomAttributeDefinitions>

1. Line 1 specifies encoding. It can be copied as it is into the CustomAttributes.xml.
2. Line 2 specifies the name of the .dtd, which specifies the structure of the CustomAttributes.xml file. For the Custom Attribute feature of Notes Agent to work, the same DTD file must be referenced by the CustomAttributes.xml file. The CustomAttributes.dtd is shipped along with the NotesAgent, and the installation of the Notes Agent will put this file at the location: <Notes Agent Install location>\data\customattributes.dtd. The CustomAttributes.xml file must also be created in the same directory.
3. <CustomAttributeDefinitions>
   This is the root of the CustomAttributes.xml file. Line 3 opens the root. Line 7 closes the root. All the Attributes must be enclosed within the root open and close tags.
4. <CustomAttribute RemoteName="CustomRemoteName1" Type="Date" />
   Each Custom Attribute is defined within the "CustomAttribute" tag. The Attributes of the CustomAttribute tag are:
   RemoteName: The name of the Attribute on resource (Domino Server).
   Type: Type of the attribute.
   Both RemoteName and Type are mandatory attributes for any custom attribute description. The Agent validates the CustomAttributes.xml for the following 3 types (Note: the type values are CASE SENSITIVE). Allowed types are:
   Integer
   String
   Date

B. xforms.xml:
For each attribute added in the CustomAttributes.xml file, the corresponding entry should be added in the xforms.xml file. (The xforms.xml file on the Agent side and the ITIM side must be the same.) Following is an example for one such attribute:

<EnRoleAttribute Name = "ernotescustomattribute1" RemoteName = "CustomRemoteName1" RemoteType="DateYYYYMMDDhhmmssss"/>

WHERE:
Name: The name of the custom attribute on the ITIM side.
RemoteName: The name of the custom attribute on resource. This must be the same as specified in CustomAttributes.xml.
RemoteType: OPTIONAL. It specifies the special handling, if any, that must be done on the Attribute before the Agent receives the data and after the Agent sends the data. In the above case, we are specifying that the attribute CustomRemoteName1 is of type Date, and the Agent must receive the Date from the ITIM server in the format: yyyymmddhhmmssss.

C. schema.dsml:
Defining the custom attribute 1:

<!-- ******************************************************** -->
<!-- ernotescustomattribute1 -->
<!-- ******************************************************** -->
<attribute-type single-value = "true" >
<name>ernotescustomattribute1</name>
<description>custom Attribute 1</description>
<object-identifier> </object-identifier>
<syntax> </syntax>
</attribute-type>

The attribute defined must also be declared as a member of the object-class "ernotesaccount":

<attribute ref = "ernotescustomattribute1" required = "false" />

D. For appropriate changes in the Notes Account form on the ITIM UI, the following 2 profile files must be appropriately modified:
ernotesaccount.xml
CustomLabels.xml
The same can be achieved by performing User customizations on ITIM. (Using CONFIGURATION -> USER INTERFACE CUSTOMIZATION)

2. Once all the profile files are changed appropriately, the profile must be reloaded, with the following steps (for Windows):
a. <itim path>\bin\win\config_remote_services.cmd notesprofile
b. Restart the ITIM.

2. Known Issues:
1. The Notes Agent assumes the Date to be in the following form: YYYYMMDDhhmmssss
   Y = year, M = Month, D = Date, h = hour, m = minute, ss = seconds, ss = milliseconds.
   Therefore, if the type of CustomAttribute is Date, then its RemoteType in xforms.xml (at Agent and ITIM Server side) must be RemoteType="DateYYYYMMDDhhmmssss"

Very Important
1. After the required profiles are updated, reinstall the notesprofile with the newly added custom attributes on the ITIM server.
2. The two new attributes of Domino 7, DB2 Account Name and LTPA User Name, are to be used as Custom attributes. These two new fields cannot be used as Custom Eruid.

Chapter 10 Configuring the Notes Agent to use Custom ERUID

The Notes Agent supports only Custom Attributes for Custom ERUID. The existing attributes that are supported by the Notes Agent are not allowed as Custom ERUID. The registry key for Custom ERUID is "CustomEruid". This registry key is created by the Notes Agent installer with an empty value. The value of this key will be the resource name of the attribute to be used as Custom ERUID.

Only the following field/attribute types are supported for Custom ERUID:
a. Single value STRING attribute
b. Multivalue STRING attribute
c. Single value NUMERIC attribute

After installing the Lotus Notes Agent, a new registry key, CustomEruid, is created with an empty value. The value of this key should be the resource field name of the attribute to be used as Custom ERUID. To use Custom ERUID, complete the following steps:
1. Execute the Lotus Notes Agent.
2. Execute the agentcfg tool to add a value to the registry key CustomEruid.
3. Add the name of the Notes field (to be used as Custom ERUID) to the CustomEruid registry key. For example, assume the following:
   a. A field is present on the Domino resource with the name DirSynchKey,
   b. A DirSynchKey field is added to the CustomAttributes.xml file,
   c. The DirSynchKey field is to be used as Custom ERUID.
   d. Then add the value DirSynchKey to the registry key CustomEruid.
4. Restart the Agent.

Note: Existing parameters that are supported by the Lotus Notes Agent are not allowed as Custom ERUID by the Lotus Notes Agent.
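A pre-deployment check for the Chapter 9 files and the Chapter 10 CustomEruid value, as an added Python example (not part of the adapter or its installer). It applies the rules stated above: mandatory RemoteName and Type, case-sensitive types, a matching xforms.xml entry, the Date RemoteType, and a Custom ERUID that is a declared non-Date custom attribute. The sample files are constructed, and the <Sample> wrapper around the EnRoleAttribute entries is an assumption because the paper shows only the entry itself.

```python
import xml.etree.ElementTree as ET

ALLOWED_TYPES = {"Integer", "String", "Date"}   # case-sensitive, per the paper
DATE_REMOTE_TYPE = "DateYYYYMMDDhhmmssss"       # RemoteType required for Date attributes

# Constructed sample with deliberate mistakes (entries 2 and 4).
CUSTOM_ATTRIBUTES_XML = """\
<!DOCTYPE CustomAttributeDefinitions SYSTEM "CustomAttributes.dtd">
<CustomAttributeDefinitions>
  <CustomAttribute RemoteName="CustomRemoteName1" Type="Date" />
  <CustomAttribute RemoteName="CustomRemoteName2" Type="string" />
  <CustomAttribute RemoteName="CustomRemoteName3" Type="Integer" />
  <CustomAttribute Type="String" />
</CustomAttributeDefinitions>
"""

# Constructed sample; the <Sample> root element is an assumption of this example.
XFORMS_XML = """\
<Sample>
  <EnRoleAttribute Name="ernotescustomattribute1" RemoteName="CustomRemoteName1" />
  <EnRoleAttribute Name="ernotescustomattribute2" RemoteName="CustomRemoteName2" />
</Sample>
"""


def check_custom_attributes(custom_xml, xforms_xml, custom_eruid=""):
    """Return a list of problems found; an empty list means the files agree."""
    problems = []
    root = ET.fromstring(custom_xml)  # the external DTD is not fetched or applied
    if root.tag != "CustomAttributeDefinitions":
        return [f"root element is <{root.tag}>, expected <CustomAttributeDefinitions>"]

    declared = {}
    for pos, el in enumerate(root, 1):
        name, typ = el.get("RemoteName"), el.get("Type")
        if el.tag != "CustomAttribute":
            problems.append(f"entry {pos}: unexpected element <{el.tag}>")
        elif not name or not typ:
            problems.append(f"entry {pos}: RemoteName and Type are both mandatory")
        elif typ not in ALLOWED_TYPES:
            problems.append(f"{name}: Type {typ!r} is not Integer, String or Date")
        elif name in declared:
            problems.append(f"{name}: declared more than once")
        else:
            declared[name] = typ

    # Every declared attribute needs an xforms.xml entry with the same RemoteName.
    xforms = {el.get("RemoteName"): el
              for el in ET.fromstring(xforms_xml).iter("EnRoleAttribute")}
    for name, typ in declared.items():
        entry = xforms.get(name)
        if entry is None:
            problems.append(f"{name}: no EnRoleAttribute entry in xforms.xml")
        elif typ == "Date" and entry.get("RemoteType") != DATE_REMOTE_TYPE:
            problems.append(f'{name}: Date attribute needs RemoteType="{DATE_REMOTE_TYPE}"')

    # Custom ERUID must be a custom attribute of string or numeric type.
    if custom_eruid:
        if custom_eruid not in declared:
            problems.append(f"CustomEruid {custom_eruid!r} is not a declared custom attribute")
        elif declared[custom_eruid] == "Date":
            problems.append(f"CustomEruid {custom_eruid!r}: Date type is not supported")
    return problems


if __name__ == "__main__":
    for line in check_custom_attributes(CUSTOM_ATTRIBUTES_XML, XFORMS_XML,
                                        custom_eruid="CustomRemoteName1"):
        print(line)
```

The check reads Type="string" as an error because the type values are case sensitive, which is an easy mistake to miss when the file is edited by hand.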

Chapter 11 Configuring the Notes Agent to use ITIM only Attributes

Support for attributes used only by ITIM

Attributes that are present in the schema but not supported by the Agent will be ignored. These attributes are not Notes user account attributes. The entries of these attributes should be made only in the schema. These attributes must not be added to the CustomAttributes.xml.

Chapter 12 Configuring the Notes Agent to use ERUID location

After installing the Lotus Notes Agent, two new registry keys are created as follows:
1. Use ITIM_ERUID: This registry setting is used to create the ITIM_ERUID field in the person document for each user with the value of Eruid stored in it.
2. Refresh ITIM_ERUID: This registry setting is used to remove the ITIM_ERUID field from the person document.

The default values of the above registry keys are FALSE.

The following is the use of the Use ITIM_ERUID registry key, if set to TRUE:

Add Operation
1. In an Add operation, after the user is registered, the agent creates a field ITIM_ERUID in the person document with the value of Eruid stored in it.
2. The agent will also add the ERUID value as per the field (Full name or Short Name or Custom field) used for ERUID.

Modify Operation
1. If the value of Eruid is modified from ITIM, the value of ITIM_ERUID is modified with the new value of Eruid.
2. The agent will also modify the ERUID value as per the field used for ERUID.

Reconciliation Operation
1. If you are executing the Reconciliation operation for the first time with the registry key Use ITIM_ERUID set to TRUE, the Lotus Notes Agent creates a new field ITIM_ERUID in the person document for each user with the value from the 'Full name' or 'Short name' or 'Custom' field used for Eruid.
2. In a reconciliation operation, the agent will always use the value from the ITIM_ERUID field as ERUID to be sent back to ITIM.

The following is the use of the Refresh ITIM_ERUID registry key, if set to TRUE:
1. The value of this registry key is used only in the Reconciliation operation of the agent.
2. To remove the ITIM_ERUID field from all the user documents, run a reconciliation operation with the value of the registry key Refresh ITIM_ERUID set to TRUE.
3. The Eruid value used in the above reconciliation process is taken either from the Full name field or Short name field or from the Custom field used for Eruid (whichever is used in the deployment).
4. The value of the registry key Refresh ITIM_ERUID will be set to FALSE as soon as the ITIM_ERUID fields are removed from the person documents during the reconciliation operation.

To change the default values of the Use ITIM_ERUID or Refresh ITIM_ERUID registry keys, complete the following steps:
1. Execute the Lotus Notes Agent.
2. Execute the agentcfg tool to modify the value of the registry key Use ITIM_ERUID or Refresh ITIM_ERUID from FALSE to TRUE or vice versa.
3. Restart the Agent.

Chapter 13 - Troubleshooting the Lotus Notes Agent Deployment

Troubleshooting is the process of determining why a product does not function as it is designed to function. This chapter provides information and techniques to use while attempting to identify and resolve problems related to the Lotus Notes Agent deployment. It provides information about troubleshooting error messages that occur while running the Notes Agent and Notes ShadowAgent utility (Shadow utility).

Troubleshooting the Lotus Notes Agent Errors

Table 18: Troubleshooting Notes Agent Errors

General

Error Message: Error in initializing the Notes session No Error Message Available
Recommended Action: This error occurs usually when the nnotes.dll file path is not present in the System PATH variable. Add the path of nnotes.dll file in the System PATH variable and run the agent again.

Error Message: Error in opening the (database file name) database -- <Notes Error Message>
Recommended Action: This error occurs usually when the Notes Agent is unable to open the specified (database file name) database file. The <Notes Error Message> error message will indicate the actual error; perform the necessary steps depending on this error message to resolve the problem.

Error Message: Cannot update User's (username) information into NoteIDsAddressBook (database file name) database file. This file is not present on Domino Server.
Recommended Action: This error message occurs when the database file is not present on the Domino Server. Make sure that the file named by the registry entry NoteIDsAddressBook is present on the Domino server.

Error Message: Multiple users contain the same Common Name (common name of user) in NoteIDsAddressBook.
Recommended Action: This error occurs when the database file contains some users with the same common name. Change the common names of the users accordingly.

Error Message: Cannot find User (username) in the NoteIDsAddressBook.
Recommended Action: This error occurs in a Delete operation, when the Agent tries to delete the user's entry from the NotesIDsAddressBook database file. Run the Shadow Agent utility to add the user's entry to this database file.

Error Message: NoteIDsAddressBook (database file name) database file is not found on Domino Server. Cannot delete User's (username) information from it.
Recommended Action: This error occurs in a Delete operation, when the NotesIDsAddressBook database file is not present on the server. Create the NoteIDsAddressBook database file on the Domino Server and execute the Delete Operation again.

Error Message: User's ID file is attached to this User's Person Document. After Change Password is done for this User, the new ID file must be taken from this User's Person Document.
Recommended Action: This warning message occurs when the User is created with no NoteIDsAddressBook registry setting or no User ID in Certlog attributes. When this is the case, the ID file for the created user is attached to the person's document. Make sure that either the NoteIDsAddressBook registry setting is present or User ID in Certlog is specified while user creation.

Error Message: Log database file (database file name) does not exist on Domino Server. Cannot Update User information into it.
Recommended Action: This is just a warning message to indicate that the CertLog.nsf database file is not present on the Domino Server in Add operation. Create this database file on the server.

Error Message: Cannot update User's (username) information into CERTLOG.NSF database file. This file is not present on Domino Server.
Recommended Action: This message occurs when the Agent tries to update the User's ID file and password in the Certlog.nsf database file in Add operation. Create this database file on the server.

Error Message: Multiple users contains the same Common Name (common name of user) in CERTLOG.NSF.
Recommended Action: This error occurs when the Certlog.nsf database file contains some users with the same common name. Change the common names of the users accordingly.

Error Message: Certification Log (CERTLOG.NSF) is not found on the Domino Server. Cannot update User's (username) information into it.
Recommended Action: This message occurs when the Agent tries to update the User's ID file and password in the Certlog.nsf database file in Delete operation. Create this database file on the server.

Error Message: Error in getting the Certifier Context for the Certifier ID file (cert id file name) - <Notes Error Message>.
Recommended Action: This error occurs when the certifier context is not retrieved for user account creation. The <Notes Error Message> error message will indicate the actual error; perform the necessary steps depending on this error message to resolve the problem. Probable reasons could be as follows:
Cannot open Cert file (cert ID file path).
Problem getting permission from Certification file: (cert ID file path).

Error Message: Incorrect (case sensitive) Certification (cert ID file path) password.
Recommended Action: This error occurs when the certifier context is not retrieved for user account creation or password change operation. Make sure that the correct certifier password is supplied with the request.

Error Message: Multiple Users contain the same User ID (username) in Domino Address Book.
Recommended Action: This error occurs when the database file contains some users with the same common name. Change the common names of the users accordingly.

Error Message: The registry key Store ERUID in FullName value cannot be FALSE in this scenario of registry setting.
Recommended Action: This error occurs when the agent finds no place to store the value of eruid. Change the registry setting in such a way that eruid is stored in Short name or Cust Eruid or ITIM_ERUID or Full name.

Error Message: Registry settings Use ShortName and Custom Eruid cannot be used at the same time. Use one of these registry settings for ERUID.
Recommended Action: This error occurs when two fields are used to store the value of eruid. Make one setting OFF.

Error Message: Registry settings Use ShortName, Custom Eruid and ITIM_ERUID cannot be used at the same time. Use one of these registry settings for ERUID.
Recommended Action: This error occurs when three fields are used to store the value of eruid. Make two settings OFF.

Error Message: No server document found for the Domino Server (%s)
Recommended Action: This error occurs when no server document is found. Check the server document on resource.

Error Message: Multiple server documents found for the Domino Server (%s)
Recommended Action: This error occurs when multiple server documents are found. Check the server documents on resource.

ADD Operation

Error Message: Length of User ID (User id from ITIM) cannot be greater than 255 characters.
Recommended Action: Do not specify a User ID of more than 255 characters.

Error Message: First Name (firstname value) of this User contains invalid characters.
Recommended Action: Invalid characters for First Name should not be given. (Refer to Section 5.1 for more details.)

Error Message: Last Name (lastname value) of this User contains invalid characters.
Recommended Action: Invalid characters for Last Name should not be given. (Refer to Section 5.1 for more details.)

Error Message: The specified Mail Template file (template file name) does not exist on Domino Server. Default template will be used for Mail file.
Recommended Action: A template file existing on the Domino server needs to be specified. Do not specify any template file which is not present on the Domino server.

Error Message: Mail file (mail file) already present. Specify a different Mail file for this User.
Recommended Action: The specified mail file is already present on the Domino server for User creation. Specify a unique mail file name during User creation.

Error Message: Length of User's Mail file including its path (mail file with path) should not be greater than 100.
Recommended Action: Always specify the mail file with its path with less than 100 characters.

Error Message: User password cannot be empty. Specify a User Password for creating a new User.
Recommended Action: Always specify a password during account creation.

Error Message: User with this (username) ID is already present. Create User with a unique User ID from ITIM.
Recommended Action: Always create users with a unique user name (eruid).

Error Message: UNC path should not be given for the Template file (template file name) path.
Recommended Action: UNC paths are not allowed for template file. Do not specify a UNC path for template files.

Error Message: UNC path should not be given for the Mail file (mail file) path.
Recommended Action: UNC paths are not allowed for mail file. Mail file path should always be specified with respect to the Domino's data directory.

Error Message: Mail file (mail file) path is not relative to data directory of Domino.
Recommended Action: Absolute paths for mail file path are not allowed (like c:\domino\notes\data\a.nsf). Mail file path should always be specified with respect to the Domino's data directory.

Error Message: Template file (template name) path is not relative to data directory of Domino.
Recommended Action: Absolute paths for template file path are not allowed (like c:\domino\notes\data\a.ntf). Template file path should always be specified with respect to the Domino's data directory.

Error Message: CERTLOG.NSF is not found on server. Will not use to record registered Users.
Recommended Action: This is just a warning message, which occurs when the Certlog.nsf database file is not present on the Domino Server. When users are created while this database file is not present on the Domino server, the user's entry is not registered in the Certlog.nsf database file.

Error Message: (username) Address Book entry already exists.
Recommended Action: This error message occurs when the user registration operation fails on Domino. Make sure that the created user is not present on Domino Server.

Error Message: Add operation did not complete successfully. Refer agent log for details.
Recommended Action: This error message occurs as the status of the Add operation. Refer to the agent's log files for the details of the errors that occurred in the Add operation.

Error Message: All AdminP attributes for the AdminP process are not complete.
Recommended Action: This error occurs if an AdminP command is fired without the necessary attributes for the command to execute. Specify all the attributes required for the corresponding AdminP command.

Error Message: No AdminP request to execute with this operation.
Recommended Action: This is a warning message, which occurs with every Add and Modify request if an AdminP command is not specified.

MODIFY Operation

Error Message: Modified User ID (username) cannot be greater than 255 characters.
Recommended Action: This error message occurs when User ID is modified with a value of more than 255 characters. The value of User ID should always be specified with less than 255 characters.

Error Message: User (username) is not found in Domino Address Book.
Recommended Action: This error message occurs when User ID is not present on the Domino Server. This is the case when a user is created from TIM and deleted from Domino directly. In such cases, perform a Reconciliation operation.

Error Message: Compulsory attributes which cannot be set are -- <attribute names>
Recommended Action: This error message occurs in a Modify Operation, when a compulsory attribute is not modified. Refer to the agent's log file for the details of the error.

Error Message: Non-modifiable attributes which cannot be set are -- <attribute names>
Recommended Action: This error message occurs in a Modify Operation, when non-modifiable attributes are not modified. Do not modify the non-modifiable parameters.

Error Message: Unable to set some compulsory attributes. Refer agent log for details.
Recommended Action: This error message occurs in a Modify Operation, when a compulsory attribute is not modified. Refer to the agent's log file for the details of the error.

Error Message: Attributes which cannot be set are -- < attribute names>
Recommended Action: This error message occurs in a Modify Operation, when an optional attribute is not modified. Refer to the agent's log file for the details of the error.

Error Message: User with User ID name (username) is already present on Domino Server. Cannot modify User ID.
Recommended Action: This error message occurs when a UserID of the user is modified with a value which is already a UserID for another user on Domino. Always specify unique UserIDs for modification.

Error Message: Modify operation not completed successfully. Refer agent log for details.
Recommended Action: This error message occurs as the status of the Modify operation. Refer to the agent's log files for the details of the errors that occurred in the Modify operation.

Error Message: All AdminP attributes for the AdminP process are not complete.
Recommended Action: This error occurs if an AdminP command is fired without the necessary attributes for the command to execute. Specify all the attributes required for the corresponding AdminP command.

Error Message: No AdminP request to execute with this operation.
Recommended Action: This is a warning message, which occurs with every Add and Modify request if an AdminP command is not specified.

SUSPEND Operation

Error Message: Suspend-Restore Group Key Name not present in registry.
Recommended Action: This error message occurs when the registry value for the key Suspend Group is not present or the key itself is not present in the Agent's registry. Make sure that the key Suspend Group with proper value is present in the agent's registry.

Error Message: User (username) is already a member of Suspend Group. Cannot be suspended.
Recommended Action: This error message occurs when a suspended user is again suspended. Make sure that suspended users are not suspended again.

Error Message: HTTP Group Key is not found in registry. Cannot update User (username) in HTTP Group.
Recommended Action: This error message occurs when the registry value for the key Suspend HTTPPassword is not present or the key itself is not present in the Agent's registry. Make sure that the key Suspend HTTPPassword with proper value is present in the agent's registry.

Error Message: Modify operation not completed successfully. Refer agent log for details.
Recommended Action: This error message occurs as the status of the Modify (Suspend) operation. Refer to the agent's log files for the details of the errors that occurred in the Modify operation.

RESTORE Operation

Error Message: Suspend-Restore Group Key Name not present in registry.
Recommended Action: This error message occurs when the registry value for the key Suspend Group is not present or the key itself is not present in the Agent's registry. Make sure that the key Suspend Group with proper value is present in the agent's registry.

Error Message: User (username) is not a member of Suspend Group. Cannot be restored.
Recommended Action: This error message occurs when an active user is restored. Make sure that active users are not restored.

Error Message: HTTP Group Key is not found in registry. Cannot update User (username) in HTTP Group.
Recommended Action: This error message occurs when the registry value for the key Suspend HTTPPassword is not present or the key itself is not present in the Agent's registry. Make sure that the key Suspend HTTPPassword with proper value is present in the agent's registry.

Error Message: Modify operation not completed successfully. Refer agent log for details.
Recommended Action: This error message occurs as the status of the Modify (Restore) operation. Refer to the agent's log files for the details of the errors that occurred in the Modify operation.

DELETE Operation

Error Message: User (username) is not present on Domino Server.
Recommended Action: This error message occurs when User ID is not present on the Domino Server. This is the case when a user is created from TIM and deleted from Domino directly. In such cases, perform a Reconciliation operation.

Error Message: Delete Group Name is not present in the registry. Cannot add User to Delete Group.
Recommended Action: This warning message occurs when the registry key Delete Group or its value is not present in the agent's registry. It indicates that the user to be deleted cannot be put in the Delete Group. Make sure that the key Delete Group with proper value is present in the agent's registry.

Error Message: NoteIDsAddressBook (database file name) database file is not found on Domino Server. Cannot delete User's (%s) information from it.
Recommended Action: This warning message occurs when the NoteIDsAddressBook database file is not present in the Domino directory. This message occurs when the agent tries to delete the User's entry from the NoteIDsAddressBook database file. Make sure that the NoteIDsAddressBook database file is present at the time of user creation.

Error Message: Certification Log (CERTLOG.NSF) is not found on the Domino Server. Cannot update User's (username) information into it.
Recommended Action: This warning message occurs when the Certlog.nsf database file is not present in the Domino directory. This message occurs when the agent tries to delete the User's entry from the Certlog.nsf database file. Make sure that the Certlog.nsf database file is present and the user is added with the User ID in Certlog attribute value for user creation.

Error Message: Registry Setting for Delete Mail database is FALSE. User's (username) Mail file is not deleted.
Recommended Action: This is a warning message to indicate that the user's mail database is not deleted in a Delete operation. Set the value of the key Delete Mail DB to TRUE to avoid this warning message and to delete the mail database file. Make sure that only the required value (TRUE or FALSE) for the key Delete Mail DB is present in the agent's registry.

Error Message: Delete operation is not completed successfully, refer agent log for details.
Recommended Action: This is an error message which gives the status of the Delete operation. Check the agent's log file for the details of the error that occurred in the Delete operation.

PASSWORD CHANGE Operation

Error Message: HTTP Password cannot be synchronized, since Password Change request has failed
Recommended Action: This warning message occurs when the Password change operation fails, indicating that the user password cannot be synched for HTTP Password or Internet Password. Make sure that the password change for a user is successful to resolve this warning message.

Error Message: Unable to change Password for the User (username) -- <Notes Error Message>
Recommended Action: This error message occurs when the password operation fails. The <Notes Error Message> gives the details of the actual cause of the failure of the password change operation.

Error Message: The user is not persent in the NoteIDsAddressBook. Run Notes Shadow Agent before password change of this user.
Recommended Action: This error message occurs when the user's entry is not present in the Shadow NAB and the password operation fails.

RECON/USER LOOKUP Operation

Error Message: Error in searching Server Documents. <Notes Error Message>
Recommended Action: This error message occurs if the server name is not present in the ServerName field of the server document on the Domino server.

Error Message: Error in getting Group Names and Members -- <Notes Error Message>
Recommended Action: This is the warning message which occurs when the agent is unable to get users' entries in the groups present on the Domino server. Make sure that the Administrator used by the agent has proper rights on the group documents.

Error Message: Error in opening the view folder -- $VIMPeople <Notes Error Message>
Recommended Action: This error message occurs when the agent is unable to open the People view folder. The <Notes Error Message> message indicates the actual cause of the error.

Error Message: Error in opening the view folder -- $Servers <Notes Error Message>
Recommended Action: This error message occurs when the agent is unable to open the Server view folder. The <Notes Error Message> message indicates the actual cause of the error.

Error Message: Mailfile name not found for User (%s).
Recommended Action: This is a warning message, which occurs when the agent does not find the mail file for a user on the Domino Server. Make sure that all the users have a mail file and avoid deleting mail files for users from the Domino servers.
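The ADD operation messages in the table above reject UNC and absolute paths for the mail file and template file, mail file paths longer than 100 characters, User IDs longer than 255 characters and empty passwords. The following added example (not part of the adapter or of this white paper) checks a provisioning request for those conditions before it is submitted. The function names, the request keys other than eruid, the sample requests and the extra check for ".." components are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

MAX_USER_ID = 255    # "Length of User ID ... cannot be greater than 255 characters."
MAX_MAIL_FILE = 100  # "Length of User's Mail file including its path ... should not be greater than 100."


def classify_path(value):
    """Classify a Windows-style path string as 'unc', 'absolute' or 'relative'."""
    normalized = value.strip().replace("/", "\\")
    if normalized.startswith("\\\\"):
        return "unc"
    path = PureWindowsPath(normalized)
    # A drive letter ("c:mail\a.nsf") or a leading backslash ("\mail\a.nsf")
    # is not relative to the Domino data directory, so both count as absolute.
    if path.drive or path.root:
        return "absolute"
    return "relative"


def validate_add_request(request):
    """Return a list of findings for a request dict; an empty list means no finding.

    Keys (hypothetical, apart from eruid): eruid, password, mail_file, mail_template.
    """
    findings = []
    if len(request.get("eruid", "")) > MAX_USER_ID:
        findings.append("eruid: longer than 255 characters")
    if not request.get("password"):
        findings.append("password: empty")
    if len(request.get("mail_file", "")) > MAX_MAIL_FILE:
        findings.append("mail_file: longer than 100 characters including its path")
    for field in ("mail_file", "mail_template"):
        value = request.get(field, "")
        if not value:
            continue
        kind = classify_path(value)
        if kind == "unc":
            findings.append(f"{field}: UNC path should not be given")
        elif kind == "absolute":
            findings.append(f"{field}: path is not relative to the Domino data directory")
        elif ".." in PureWindowsPath(value.strip().replace("/", "\\")).parts:
            # Not one of the adapter's documented messages: a relative path can
            # still point outside the data directory through '..' components.
            findings.append(f"{field}: '..' component can leave the Domino data directory")
    return findings


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        {"eruid": "jdoe", "password": "Secret1", "mail_file": r"mail\jdoe.nsf"},
        {"eruid": "jdoe", "password": "Secret1", "mail_file": r"\\fileserver\share\jdoe.nsf"},
        {"eruid": "jdoe", "password": "", "mail_template": r"c:\domino\notes\data\a.ntf"},
    ]
    for sample in samples:
        print(sample.get("mail_file") or sample.get("mail_template"), validate_add_request(sample))
```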

Chapter 14 Troubleshooting the Lotus Notes Shadow Utility Errors

Table 19: Troubleshooting Notes Shadow Utility Errors

Error Message: MailDB not specified, Mandatory Argument.
Recommended Action: Verify that the Lotus Notes mail database is given as one of the arguments to the NotesShadowDB.exe.

Error Message: When attempting to get the Domino Server key from the registry.
Recommended Action: Verify that the Shadow utility registry has this key specified, along with a valid value.

Error Message: When attempting to get the NoteIdsAddressBook key from the registry.
Recommended Action: Verify that the Shadow utility registry has this key specified, along with a valid value.

Error Message: When attempting to get the Notes Address Book key from registry.
Recommended Action: Verify that the Shadow utility registry has this key specified, along with a valid value.

Error Message: Database file <abc> does not exist on Server.
Recommended Action: Verify that the specified database file exists on the Lotus Domino Server.

Error Message: Check if mentioned database file exists on server
Recommended Action: Verify that the text portion of the message has the CN and password specified.

Error Message: No CN specified for mail sent from User Import Failed.
Recommended Action: Verify that the CN is specified in the correct format, for example, CN=abc/O=xyz

Error Message: ID File not attached to mail for User Import Failed.
Recommended Action: Verify that the ID file is properly attached to the message.

Error Message: User not present in Domino Address Book.
Recommended Action: Verify that the user mentioned in the mail exists on the Lotus Domino Server.

Error Message: Multiple users contain the same CN in NoteIDsAddressBook.
Recommended Action: Multiple entries should not exist in the NoteIDsAddressBook registry key. Remove all but one entry.

Chapter 15 FAQs

Can Notes agent send with ID file to the specified address (possible requestor) after account provisioning?
No. The Lotus Notes Agent function is restricted to User management on Domino server.

Does NOTES agent see all groups available on the NAB and recon them into ITIM, so that they can be selected from a pick-list during provisioning request?
Yes, all the groups in the "Groups" view are reconciled on TIM, except the following groups:
b. Group name specified in the registry key 'Suspend Group' - This group is used by Notes Agent to keep the list of Suspended Users.
c. Group name specified in the registry key 'Suspend HTTPPassword' - This group is used by Notes Agent to keep the list of Suspended HTTP Users.
d. Group name specified in the registry key 'Delete Group' - This group is used by Notes Agent to keep the list of Deleted Users.

What are the ADMINP commands supported by Lotus Notes Agent?
The following are the AdminP commands supported by the Lotus Notes Agent:
1. Rename a user - Use the AdminP RENAME operation for any specific user who you want to rename.
2. Re-Certifying a User - Use the AdminP RECERTIFY operation for any specific user for re-certifying.
3. Rename User in Hierarchy - Moves a user to a new hierarchy.
4. Rename User Complete - Used in conjunction with Move User In Hierarchy, completes the move of a user to a new hierarchy.
5. New Replica of Database - Creates a new replica of a database on another server.
6. Move Replica of Database - Moves a replica of a database to another server.
7. Delete in ACL - Deletes a user from the Access Control List.

Can the Notes Agent invoke a Rename AdminP command when the First Name/Middle Initial/Last Name/Full Name attribute of the user is modified?
Modifying the User Full Name on TIM (present on the PERSONAL TAB on Account form) does not fire an ADMINP command for rename. The Rename ADMINP command (from the ADMINP TAB of the Notes Account form on ITIM) should always be used to rename the Notes User.

Would the agent run into problems with a change Password request, if the user's Notes Client were open (I would assume this would mean that the id file being updated is the same one being used by the client, not a server copy that gets pushed to the client box)?
There are two scenarios here:
1. The user is logged in to his notes client using his ID file and we perform a password change through Notes Agent on this ID file. In this case there is no problem.
2. The user is logged in to his notes client using his ID file, then locks his Notes Client by hitting F5 and we perform a password change through Notes Agent on this ID file.
a. In this case, (for Domino R5) the ID file gets corrupted.
b. In this case, (for Domino 6) there is no problem.

I would also like to know if ITIM could recertify an ID file upon a password change?
Yes, on a password change the ID file is re-certified.

What process is moving the ID file to the path specified in the agent Notes or Agent?
When the request for creation of a new account is given from ITIM to the agent (assuming you have specified the path of the ID file in the Notes Account form - ADMINISTRATION TAB, e.g. c:\id\user1.id), the Notes Agent registers the new user (creates the new Notes Account for the user), creates the ID file for the user as well, and stores it in the following location:
a. Path specified from ITIM (c:\id\user1.id)
b. This ID file is also copied to the Shadow NAB (if you are using one)
c. If the path of the ID file is not specified, then the Agent stores the ID file by attaching it to the User's person document

How is the ID file in the IDDB merged with the new ID generated by ITIM?
On an ADD Operation: The ID file is merged in IDDB on user creation as described in the answer to the above question.
On a Password Change Operation: Assume that the ID file is at location "c:\id\user1.id". Now you change the password through the Notes Agent. The password is changed on the ID file at location "c:\id\user1.id". This ID file with the new password is attached back to the Shadow NAB (if you are using one).

There is only one database used by the Notes agent for storing ID files and passwords. It will be written to either by: The agent when a new Notes account is created in Domino (new Person Document), and by the shadow agent when an e-mail containing the id file and password is sent to the special mail account:
Yes, you are right,
1. The Lotus Notes Agent adds the ID file and password to the Shadow Database in an ADD operation.
2. The Lotus Notes Shadow Agent populates the Shadow database with the user's ID file and password from the mails in the special mail account.

If a password change request goes through the Notes agent, the agent will look for the ID file for this user in the database. If it finds the ID file it will try to re-certify the ID file with the old password, and if this fails it will then re-create the ID file.
If ID file and old password is present in the Shadow Database - In this case the agent updates the Shadow database with the new password and the new ID file. If in this case, the password change operation fails, the Lotus Notes Agent does not do anything; it will just report error to ITIM indicating, "Password operation was not successful". If password change operation fails, the Lotus Notes Agent does not re-create the ID file. It simply reports error to ITIM.

If it doesn't find the ID file in the database it will re-create the user's ID file with the new password
If ID file and old password is not present in the Shadow Database, then the Lotus Notes Agent simply returns an error; it does not recreate the user's ID file with the new password.

The ID file and password are only written to the database by the agent on an ADD operation, not on a MODIFY operation.
Yes, the Notes Agent saves the ID file and password in the Shadow database on an ADD operation.

In case of a modify operation, Notes Agent replaces the old password and ID file in the Shadow database when a password change operation is successful.

The above mechanism using the Notes agent database only works for mail encryption, not database encryption.
Yes, you are right, the Notes Agent database works only for mail encryption. The Notes Agent does not deal with any other database encryption/decryption.

The database encryption is tied to the ID file password, not a certificate/key contained in the ID file, so if the password changes these databases cannot be decrypted.
If database files are encrypted using the ID file, then I am sure, the decryption of the database file can be done using the ID file.

Does Notes Agent handle Clean up distribution lists, etc.?
Yes, Notes handles clean up of distribution list in the scenario described below. Notes uses 'GROUPS' for creating distribution lists. These groups are of type 'Mail only'. Users belonging to a particular distribution list are added to the 'Members' field of that group. This group acts as a distribution list. Mail sent to this group is received by the members of that group.
This is what we tried: We created a 'Distribution list' on the Domino resource by creating a group and added all the users' names to the 'Members' field of this group document. On Notes deprovision operation, Agent removed the user's entry from this group. Thus Notes deprovision operation cleans up the distribution list.
Note: The above clean up of distribution list is applicable only for those distribution groups which are created in the Domino Address book. Notes Administrator can also create distribution groups in its personal address book that can be used by the Notes users to send mails. On deprovision operation, Notes Agent does not remove the entries of the users from the groups that are created in the Notes Administrator's personal address book.

Does Notes Agent automatically maintain referential integrity and remove that person from any public distribution lists they're on?
On deprovision operation, Notes agent does remove the person from any groups it belongs to. So, it does maintain referential integrity.

I'm assuming that the agent acts as a Notes user, remote from the Domino server, and therefore requires a Notes ID file to supply credentials to the Domino server. I'd like to get some details about this: How is the Notes ID file stored on the machine running the agent - is it just stored on the file system, or is it secured inside the agent in some additional way?
Yes you are right, Notes agent uses the Notes Administrator's ID file and its password to remotely manage users on Domino Server. The Notes Administrator's ID file is just stored on the file system. The Agent has no mechanism to save this ID file in a secure way.

If the ID file requires a password for activation (as most Notes ID files would), how does the agent store that password in order to use the ID file when talking to the Domino server? Does the agent store the password securely?
The agent uses the Notes Administrator's ID file and its password to connect to Domino Server. The path of the Notes Administrator's ID file and its password is stored in the Agent's registry and the agent uses these registry values at the time of connecting to the server. The password is stored in the Agent's registry in an encrypted format using <with a unique key> ADK encryption. This is unique to the agent. The path of the Notes Administrator's ID file and its password is taken as input at the time of Agent installation.

The agent carries out some activities that would usually require an administrator to have either local access to the Domino certifier files, or the authority to use the Domino CA process. Which of these alternatives does the agent use, in particular can it use the Domino CA process to nominate the appropriate certifier?
The Agent uses the certifier's ID file and its password to create users on the resource. The Agent does not support registering of users using CA process.

If not, then the same questions - how are the certifier files and their passwords stored on the agent's machine - on the file system? Are they stored in encrypted form?
The Certifier's file is just stored on the file system on which the Agent is executing. The Agent has no mechanism to save this ID file in a secure way. Every time you create a user from ITIM, the certifier ID file path and its password have to be entered with the ADD request. The Certifier Password field on ITIM is not displayed as clear text when entered.

What level of physical security is appropriate for the agent's machine?
Looking at the points mentioned above, there is one more way to store the Notes Administrator's ID and the Certifier ID files in a secured way.
1. We can keep these ID files on a remote machine in a directory <which has only read access> and the agent can use the UNC path for the ID files. The current Agent does support UNC file paths for the Notes Administrator's ID file and Certifier ID file paths. Specify the ID file paths as follows:
\\machinename\directoryname\user.id in registry
OR
\\machinename\directoryname\cert.id while entering through ITIM
<machinename> => name of the remote machine
<directoryname> => name of the directory shared (read only) on the machine with name <machinename>
<user.id> => Notes Administrator's ID file
<cert.id> => Certifier ID file
This scenario needs the Administrator to be logged in onto the domino server with the ID file from this remote machine only.
2. Administrator's ID file's password is encrypted and kept in the Agent registry.
3. Certifier ID file's password is entered through ITIM, which is never displayed in clear text format.

Notes Agent supports a list of attributes that can be seen in the xforms.xml file. Can I use any one of these attributes to be used for Custom ERUID?
No, the Lotus Notes Agent does not support existing supported attributes to be used as attribute for Custom ERUID.

Your Domino deployment needs to have another field, outside of the Agent's supported fields, to be used for Custom ERUID.

Is the Notes Agent Multi-Instance?
Yes, Notes Agent is Multi-Instance. Every new agent installed on the same machine should be installed with a different name.

Can one running agent handle many service forms in ITIM?
Yes, one running agent can handle many service forms from different ITIM installations. (All the ITIM installations sending requests to this agent must be configured for this agent.)

Can one running agent manage multiple Notes Domain?
No, the Agent cannot manage multiple Notes Domains. When a Notes agent is installed on a machine, it uses the Notes.ini file from the Lotus Notes client. This file has the configuration setting for a particular server. This file is present for one client. Multiple clients cannot be installed on one machine.

What can one do, when one gets error at each operation Error in opening the (NAMES.NSF) database -- Wrong Password. (Passwords are case sensitive - be sure to use correct upper and lower case.)
The above issue may arise in the Notes Agent because of one or more of the following reasons:
1. Password of the admin id file (LITIMADM.id) could be incorrectly specified in the Notes Agent's registry. If this is the issue, run the AgentCfg tool to modify the value of the encrypted registry key "Workstation Password" with the correct password. Do not manually change the value for this registry key. Always use the AgentCfg utility to modify values of encrypted registry keys.
2. The environment variable PATH has an incorrect path set for nnotes.dll. Assume that your Lotus Notes Admin/Client is installed on "D:\\Program Files\\lotus\\notes", then the PATH environment variable should have the following path: "D:\\Program Files\\lotus\\notes"
3. The Notes agent and the Lotus Notes Admin/Client on the same machine are not using the same ID file (LITIMADM.id). From the registry settings it looks like the agent is using the LITIMADM.id file from the "D:\\Program Files\\lotus\\notes\\data" location. Make sure that the ID file used to log onto the Lotus Notes Admin/Client is from the location "D:\\Program Files\\lotus\\notes\\data". This will make sure that the Agent and the Lotus Notes Admin/Client are using the same ID file and from the same location.
4. Any other ID file (who is not an administrator, other than LITIMADM.id) is logged on to the Lotus Notes Admin/Client when the agent is executed for ADD operation. Make sure that the Lotus Notes Admin/Client is always logged on with the LITIMADM.id file from the "D:\\Program Files\\lotus\\notes\\data\\" location.
You are requested to ask the customer to please verify the above settings and make sure all of them are correct and then run the Notes Operation.
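The answers above state that the Notes Administrator's and Certifier ID files are stored on the file system without further protection, and suggest keeping them in a directory that has only read access. The following added example (not part of the adapter or of this white paper) reads the output of the Windows `icacls` command for such a file and lists every account whose granted rights go beyond read. The file path, the account names, the sample output and the list of accounts allowed to write are constructed for illustration.

```python
import re

# icacls inheritance markers, which are not access rights.
INHERIT = {"I", "OI", "CI", "IO", "NP"}
# Simple and specific icacls rights that only allow reading or traversing.
READ_ONLY = {"R", "RX", "RD", "RA", "REA", "RC", "X", "S", "GR", "GE"}

ACE = re.compile(r"^(?P<who>[^:()]+):(?P<groups>(?:\([A-Za-z,]+\))+)$")


def parse_icacls(output, path):
    """Return (account, is_deny, rights) for each entry in icacls output for path."""
    entries = []
    for line in output.splitlines():
        text = line.strip()
        if text.lower().startswith(path.lower()):
            text = text[len(path):].strip()  # first entry shares a line with the path
        match = ACE.match(text)
        if not match:
            if ":(" in text:
                # Looks like an entry but did not parse: fail loudly instead
                # of silently under-reporting.
                raise ValueError(f"unparsed ACL line: {line!r}")
            continue  # blank line or the "Successfully processed" trailer
        groups = re.findall(r"\(([A-Za-z,]+)\)", match.group("groups"))
        rights = set()
        for group in groups:
            for token in group.split(","):
                if token not in INHERIT and token != "DENY":
                    rights.add(token)
        entries.append((match.group("who"), "DENY" in groups, rights))
    return entries


def excessive_grants(output, path, may_write=()):
    """List (account, rights beyond read) for accounts not named in may_write."""
    allowed = {name.lower() for name in may_write}
    findings = []
    for who, is_deny, rights in parse_icacls(output, path):
        extra = sorted(rights - READ_ONLY)
        if is_deny or not extra or who.lower() in allowed:
            continue
        findings.append((who, extra))
    return findings


# Constructed sample of `icacls C:\id\cert.id` output.
SAMPLE_PATH = r"C:\id\cert.id"
SAMPLE_OUTPUT = r"""C:\id\cert.id BUILTIN\Administrators:(I)(F)
              NT AUTHORITY\SYSTEM:(I)(F)
              EXAMPLE\itim-agent:(RX)
              BUILTIN\Users:(I)(M)
              EXAMPLE\helpdesk:(R,W)
              EXAMPLE\contractors:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    keepers = (r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM")
    for account, rights in excessive_grants(SAMPLE_OUTPUT, SAMPLE_PATH, keepers):
        print(f"{account} can do more than read {SAMPLE_PATH}: {','.join(rights)}")
```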

What is the use of the LogDB file?
1. The registry key "Log DB" contains the key for the database name for the log database.
2. The Log DB contains entries of users suspended or deleted.
3. a. When the suspend operation is performed, the entry is added in LogDB with attribute "Categories" of the entry/document set to "Suspended".
b. In case of restore operation, the entry is deleted from LogDB if it exists.
4. a. When delete operation is performed, the entry of the user is added to LogDB with attribute "Categories" of the entry/document set to "Deleted".
b. When add operation is performed, the Full name of the user to be added is searched for existence in LogDB. If the entry is found, the entry gets deleted from the LogDB.

Why does one get the error Generic exception occurred after initsession() function of class NotesSession. How can one remove this error?
The Adapter giving the Generic Exception error before it connects to the Domino in the NotesSession::InitSession() function is more of a setup/configuration issue.
Required Setup: Assuming that the Lotus Notes client is installed in the path "c:\lotus\notes", the "nnotes.dll" and "notes.ini" files reside in "c:\lotus\notes". The Notes Adapter requires both these files to be in the same directory as they are when the Notes client is installed. The path of the nnotes.dll ("c:\lotus\notes") needs to be put in the environment PATH variable.
Setups that can report this error:
1. If the file "nnotes.dll" is also found in the Adapter's \bin directory.
2. If the file "nnotes.dll" is also found in the Windows "System32" directory.
3. If the file "nnotes.dll" is also found in some other path like "C:\NewFolder" and this path is put in the environment path variable.
Solution for the above error: Before running the Notes Adapter, ensure that the path of "nnotes.dll" (C:\Lotus\Notes) is added to the path environment variable. Remove the "nnotes.dll" file if it exists in any path other (2 and 3).
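The setup check described in the answer above, as an added example that is not part of the white paper or the adapter: it confirms that nnotes.dll and notes.ini sit together in the Notes client directory, that this directory is on PATH, and that no other searched directory holds a second nnotes.dll. The function names are illustrative, and the adapter's \bin and System32 locations are passed in by the caller because the page does not give the adapter's install path.

```python
import os


def normalize(directory):
    """Canonical form of a directory name for comparison."""
    return os.path.normcase(os.path.abspath(directory.strip().strip('"')))


def find_copies(filename, search_dirs):
    """Return each directory in search_dirs (in order, without repeats) that holds filename."""
    seen, hits = set(), []
    for raw in search_dirs:
        directory = raw.strip().strip('"')
        if not directory or normalize(directory) in seen:
            continue
        seen.add(normalize(directory))
        if os.path.isfile(os.path.join(directory, filename)):
            hits.append(directory)
    return hits


def check_notes_runtime(notes_dir, path_value, extra_dirs=()):
    """Return a list of problems with the setup the FAQ requires.

    notes_dir  -- Notes client directory that should hold nnotes.dll and notes.ini
    path_value -- the PATH environment variable as a single string
    extra_dirs -- directories loaded from without being on PATH, such as the
                  adapter's \\bin directory and System32
    """
    problems = []
    path_dirs = [d for d in path_value.split(os.pathsep) if d.strip()]
    expected = normalize(notes_dir)
    for name in ("nnotes.dll", "notes.ini"):
        if not os.path.isfile(os.path.join(notes_dir, name)):
            problems.append(f"{name} missing from {notes_dir}")
    if expected not in {normalize(d) for d in path_dirs}:
        problems.append(f"{notes_dir} is not on PATH")
    for directory in find_copies("nnotes.dll", list(extra_dirs) + path_dirs):
        if normalize(directory) != expected:
            problems.append(f"stray nnotes.dll in {directory}")
    return problems


if __name__ == "__main__":
    import sys
    # argv[1]: Notes client directory (the FAQ's example is c:\lotus\notes)
    # argv[2:]: other directories to inspect, e.g. the adapter's \bin and System32
    notes_directory = sys.argv[1] if len(sys.argv) > 1 else r"c:\lotus\notes"
    for problem in check_notes_runtime(notes_directory, os.environ.get("PATH", ""), sys.argv[2:]):
        print(problem)
```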

What is the error when a user cannot be provisioned on Domino server giving an error saying the certificate file password is wrong?
The values of the certifier ID file and its password and the result of the ADD operation are as follows:
1. Certifier ID file = Correct; Certifier password = Incorrect
Result of ADD operation: Notes Adapter returns with an error - Error in getting the Certifier Context for the Certifier ID file (<path of certifier>).wrong Password. (Passwords are case sensitive - be sure to use correct upper and lower case.)
2. Certifier ID file = Incorrect; Certifier password = Incorrect/Correct
Result of ADD operation: Notes Adapter returns with an error - Error in getting the Certifier Context for the Certifier ID file (<path of certifier>).could not open the ID file.
3. Certifier ID file = Blank; Certifier password = Blank/Incorrect/Correct
Result of ADD operation: Notes Adapter returns with an error - Can not perform the ADD operation. Certifier ID path is not present
4. Certifier ID file = Correct; Certifier password = Correct
Result of ADD operation: User is added successfully.
From the test-cases it looks like the "certifier wrong password error" comes in the adapter only when the certifier password is incorrect.
Note: The certificate can have multiple passwords. Please check if the certificate you have has only one password.

APPENDIX A. Variables

As part of the agent implementation, a dedicated account for Tivoli Identity Manager to access the Lotus Domino Server is created on the Lotus Domino Server. The Lotus Notes Agent consists of files and directories owned by the Tivoli Identity Manager account. The Tivoli Identity Manager-owned files establish communication with the Tivoli Identity Manager Server.

Variable Descriptions

The Tivoli Identity Manager Server communicates with the Lotus Notes Agent using variables included in transmission packets sent over a network. The combination of variables included in the packets depends on the type of action the Tivoli Identity Manager Server requests from the Lotus Notes Agent. The following table lists the supported attributes as they appear on the ITIM Notes Account Form. The table gives a brief description and the data format associated with the variable.

Variables by Lotus Notes Account Form on ITIM

Attributes on PERSONAL TAB (Notes Account Form)

Figure 54: Notes Account form PERSONAL TAB

Table 20: Attribute Details on Notes Account Form - Person TAB

| No | EnRoleAttribute Name | RemoteName | Description |
|----|----------------------|------------|-------------|
| 1 | eruid | UserName | Login ID of the User |
| 2 | ernotesfirstname | FirstName | First Name |
| 3 | ernotesmiddleinitial | MiddleInitial | Middle Initial |
| 4 | ernoteslastname | LastName | Last Name |
| 5 | ernotesfullname | FullName | Full Name |
| 6 | ernotesshortname | ShortName | Short Name |
| 7 | ernotesaddcertpath | AddCertPath | Path of the Certifier ID file |
| 8 | ernotespasswdaddcert | AddCertPasswd | Password of the Certifier ID file |
| 9 | ernotescertexpirydate | CertExpiryDate | Certificate Expiration Date |
| 10 | ernotestitle | Title | Notes Title |
| 11 | ernotessuffix | Suffix | Notes Suffix |
| 12 | ernotespassword | Password | HTTP Password |
| 13 | ernotespreferredlanguage | PreferredLanguage | Preferred Language |
| 14 | ernotesuniqueorgunit | UniqueOrgUnit | Unique Org Unit |
| 15 | ernotesaltlanguagefullname | AltFullNameLanguage | Alternate Full Name Language |
| 16 | ernotesaltfullname | AltFullName | Alternate Full Name |

Attributes on MAIL TAB (Notes Account Form)

Figure 55: Notes Account form MAIL TAB

Table 21: Attribute Details on Notes Account Form - MAIL TAB

| No | EnRoleAttribute Name | RemoteName | Description |
|----|----------------------|------------|-------------|
| 1 | ernotesmaildomain | MailDomain | Mail Domain |
| 2 | ernotesmailserver | MailServer | Mail Server |
| 3 | ernotesmailaddress | MailAddress | Address |
| 4 | ernotesmailfile | MailFile | Mail File name |
| 5 | ernotesreplservername | ReplicationServerName | Replication Server Name |
| 6 | ernotesreplmailfilename | ReplicationFileName | Replication File Name |
| 7 | ernotesmailtemplatename | MailTemplateName | Mail Template name |
| 8 | ernotesmailquotasize | MailQuotaSize | Mail Quota Size on Mail File |
| 9 | ernotesmailsystem | MailSystem | Mail System |
| 10 | ernotesmailfileowneraccess | MailFileOwnerAccess | Mail File Owner Access |
| 11 | ernotesinternetaddress | InternetAddress | Internet Address |

Attributes on WORK TAB (Notes Account Form)

Figure 56: Notes Account form WORK TAB

Table 22: Attribute Details on Notes Account Form - WORK TAB

| No | EnRoleAttribute Name | RemoteName | Description |
|----|----------------------|------------|-------------|
| 1 | ernotesjobtitle | JobTitle | Job Title |
| 2 | ernotescompanyname | CompanyName | Company Name |
| 3 | ernotesdepartment | Department | Department Name |
| 4 | ernoteslocation | Location | Work Location |
| 5 | ernotesmanager | Manager | Work Manager |
| 6 | ernotesofficephonenumber | OfficePhoneNumber | Office Phone Number |
| 7 | ernotesofficefaxphonenumber | OfficeFAXPhoneNumber | Office FAX Phone Number |
| 8 | ernotescellphonenumber | CellPhoneNumber | Cell Phone Number |
| 9 | ernotespagernumber | PhoneNumber_6 | Pager Number |
| 10 | ernotesassistant | Assistant | Assistant Name |
| 11 | ernotesemployeeid | EmployeeID | Employee Identifier |

Attributes on PERSONAL HOME TAB (Notes Account Form)

Figure 57: Notes Account form PERSONAL HOME TAB

Table 23: Attribute Details on Notes Account Form - PERSONAL HOME TAB

| No | EnRoleAttribute Name | RemoteName | Description |
|----|----------------------|------------|-------------|
| 1 | ernotesstreetaddress | StreetAddress | Street Address |
| 2 | ernotescity | City | City |
| 3 | ernotesstate | State | State |
| 4 | ernoteszip | Zip | Zip |
| 5 | ernotescountry | Country | Country |
| 6 | ernotesphonenumber | PhoneNumber | Phone Number |
| 7 | ernoteshomefaxphonenumber | HomeFAXPhoneNumber | Home FAX Phone Number |
| 8 | ernotesspouse | Spouse | Spouse Name |
| 9 | ernoteschildren | Children | Children Name |

Attributes on COMPANY TAB (Notes Account Form)

Figure 58: Notes Account form COMPANY TAB

Table 24: Attribute Details on Notes Account Form - COMPANY TAB

| No | EnRoleAttribute Name | RemoteName | Description |
|----|----------------------|------------|-------------|
| 1 | ernotesofficestreetaddress | OfficeStreetAddress | Office Street Address |
| 2 | ernotesofficecity | OfficeCity | Office City |
| 3 | ernotesofficestate | OfficeState | Office State |
| 4 | ernotesofficezip | OfficeZIP | Office ZIP |
| 5 | ernotesofficecountry | OfficeCountry | Office Country |
| 6 | ernotesofficenumber | OfficeNumber | Office Number |

Attributes on ADMINISTRATION TAB (Notes Account Form)

Figure 59: Notes Account form ADMINISTRATION TAB

Table 25: Attribute Details on Notes Account Form - ADMINISTRATION TAB

| No | EnRoleAttribute Name | RemoteName | Description |
|----|----------------------|------------|-------------|
| 1 | ernotesowner | Owner | Owner |
| 2 | ernotesuseridfilename | UserIDfileName | Path of user's ID file to be created |
| 3 | ernotesuseridincertlog | UserIdInCertLog | Specify the name to be saved as for the ID file in Certlog.nsf. |
| 4 | ernotessaveidinaddressbook | SaveIdInAddressBook | Save User's ID file in the Domino Address Book (Attach the ID file to the User's Person document) |
| 5 | ernotescreatenorthamericanid | CreateNorthAmericanId | Create North American ID file |
| 6 | ernoteslocaladmin | LocalAdmin | Local Administrator |
| 7 | ernotesmemberofgroups | MemberOfGroups | Groups to which the User belongs |
| 8 | ernoteschangeintervalpassword | PasswordChangeInterval | Password Change Interval |
| 9 | ernotespasswordgraceperiod | PasswordGracePeriod | Password Grace Period |
| 10 | ernotescheckpassword | CheckPassword | Check Password |
| 11 | ernotesprofiles | Profiles | Profiles |
| 12 | ernotesforceinetpwdchange | HTTPPasswordForceChange | HTTP Password Force Change |
| 13 | ernotesclienttype | ClientType | Client Type |
| 14 | ernotesclientmachine | ClntMachine | Client Machine |
| 15 | ernotesclientplatform | ClntPltfrm | Client Platform |
| 16 | ernotesclientbuild | ClntBld | Client Build |
| 17 | ernotesnetusername | NetUserName | Net User Name |

Attributes on MISC. TAB (Notes Account Form)

Figure 60: Notes Account form MISC. TAB

Table 26: Attribute Details on Notes Account Form - MISC. TAB

| No | EnRoleAttribute Name | RemoteName | Description |
|----|----------------------|------------|-------------|
| 1 | ernotescomment | Comment | Comment |
| 2 | ernotesencryptincomingmail | EncryptIncomingMail | Encrypt Incoming Mail |
| 3 | ernotesx400address | x400address | x400address |
| 4 | ernotescalendardomain | CalendarDomain | Calendar Domain |
| 5 | ernoteswebsite | WebSite | Web Site |
| 6 | ernotesrasexec | RASEXEC | System Call to be executed after each Notes Agent operation |
| 7 | ernotesreplicationconflict | $Conflict | $Conflict |
| 8 | ernotesaltsortfullname | AltFullNameSort | Alternate Full Name Sort |

Attributes on ADMINP TAB (Notes Account Form)

Figure 61: Notes Account form ADMINP TAB

Table 27: Attribute Details on Notes Account Form - ADMINP TAB

| No | EnRoleAttribute Name | RemoteName | Description |
|----|----------------------|------------|-------------|
| 1 | ernotesadminprequest | AdminPRequest | AdminP Command to execute |
| 2 | ernotesadminpfirstname | AdminpFirstName | First Name |
| 3 | ernotesadminpmiddilename | AdminpMiddileName | Middle Name |
| 4 | ernotesadminplastname | AdminpLastName | Last Name |
| 5 | ernotesadminpdbtitle | AdminpDBTitle | Database Title |
| 6 | ernotesorigcertifier | OrigCertifier | Path of Original Certifier ID file |
| 7 | ernotesorigcertpasswd | OrigCertPasswd | Password of Original Certifier ID file |
| 8 | ernotesnewcertexpirydate | NewCertExpiryDate | New Certificate Expiry Date |
| 9 | ernotesadminpcertifier | AdminpCertifier | Adminp Certifier |
| 10 | ernotesadminporgunitname | AdminpOrgUnitName | Adminp Org Unit Name |
| 11 | ernotesnewcertpath | NewCertPath | Path of new Certifier ID file |
| 12 | ernotespasswdnewcert | NewCertPasswd | Password of new Certifier ID file |
| 13 | ernotesdestdbpathadminp | AdminpDestDBPath | Destination Database Path (Specify path, relative to data directory of Domino Server) |
| 14 | ernotesdestdbserveradminp | AdminpDestDBServer | Destination Database Server |
| 15 | ernotessrcdbpathadminp | AdminpSrcDBPath | Source Database Path (Specify path, relative to data directory of Domino Server) |
| 16 | ernotessrcdbserveradminp | AdminpSrcDBServer | Source Database Server |

Attributes on SAMETIME TAB (Notes Account Form)

Table 28: Attribute Details on Notes Account Form - SAMETIME TAB

| No | EnRoleAttribute Name | RemoteName | Description |
|----|----------------------|------------|-------------|
| 1 | ernotessametimeonlyaccount | SametimeOnlyAccount | Sametime Only Account |
| 2 | ernotessametimeserver | SametimeServer | Sametime Server |
| 3 | ernotessametimeacl | SametimeACL | Sametime ACL |
| 4 | ernotessametimelockaccount | SametimeLockAccount | Lock Sametime access |

Hidden Attributes

The USER INTERFACE CUSTOMIZATION TAB on ITIM shows the Notes Account attributes for each TAB with their EnRole attribute names. The Notes Agent also supports attributes that currently do not appear on any TAB of the Notes Account form. These attributes are hidden, as they are not present in the Account form. The following figure shows the USER INTERFACE CUSTOMIZATION TAB on ITIM, with the hidden attributes that are also supported by the Notes Agent:

Figure 62: ITIM Configuration TAB, User Interface Customization TAB. Hidden Attributes

List of Hidden Attributes Supported by Notes Agent

Figure 63: List of Hidden Attributes Supported by Notes Agent

Table 28: Hidden Attribute Details on User Interface Customization TAB

| No | EnRoleAttribute Name | RemoteName | Description |
|----|----------------------|------------|-------------|
| 1 | ernotesadministrator | Administrator | Is the user Administrator of Domino Server |
| 2 | ernotesaltcommonnameproposed | ProposedAltCommonName | Proposed Alternate Common Name |
| 3 | ernotesaltorgunitproposed | ProposedAltOrgUnit | Proposed Alternate Org Unit |
| 4 | ernotesavailablefordirsync | AvailableForDirSync | Available For Directory Sync |


More information

ONE ID Identity and Access Management System

ONE ID Identity and Access Management System ONE ID Identity and Access Management System Local Registration Authority User Guide Document Identifier: 2274 Version: 1.8 Page 1 Copyright Notice Copyright 2011, ehealth Ontario All rights reserved No

More information

SAS Contextual Analysis 13.2: Administrator s Guide

SAS Contextual Analysis 13.2: Administrator s Guide SAS Contextual Analysis 13.2: Administrator s Guide SAS Documentation The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2014. SAS Contextual Analysis 13.2: Administrator's

More information

Telelogic Directory Server Product Manual Release 4.3

Telelogic Directory Server Product Manual Release 4.3 Telelogic Directory Server Product Manual Release 4.3 Before using this information, be sure to read the general information under Appendix E, Notices on page 106. This edition applies to VERSION 4.3,

More information

ALTIRIS SECURITY SOLUTION 6.1 FOR HANDHELDS ADMINISTRATOR GUIDE

ALTIRIS SECURITY SOLUTION 6.1 FOR HANDHELDS ADMINISTRATOR GUIDE ALTIRIS SECURITY SOLUTION 6.1 FOR HANDHELDS ADMINISTRATOR GUIDE Notice Copyright 2004 Altiris Inc. All rights reserved. Product Version: 6.1 Document Date: October 14, 2004 Bootworks U.S. Patent No. 5,764,593.

More information

Tivoli Identity Manager

Tivoli Identity Manager Tivoli Identity Manager Version 4.6 Informix Server Adapter Installation and Configuration Guide Tivoli Identity Manager Version 4.6 Informix Server Adapter Installation and Configuration Guide Note:

More information

IBM i Version 7.2. Security Digital Certificate Manager IBM

IBM i Version 7.2. Security Digital Certificate Manager IBM IBM i Version 7.2 Security Digital Certificate Manager IBM IBM i Version 7.2 Security Digital Certificate Manager IBM Note Before using this information and the product it supports, read the information

More information

Migrating from IBM Lotus Domino to Zimbra Collaboration Suite

Migrating from IBM Lotus Domino to Zimbra Collaboration Suite Migrating from IBM Lotus Domino to Zimbra Collaboration Suite The Zimbra Collaboration Suite (ZCS) Migration Wizard for Lotus Domino is used to migrate IBM Lotus Domino server email accounts to the Zimbra

More information

Connecting to System i System i Access for Web

Connecting to System i System i Access for Web System i Connecting to System i System i Access for Web Version 6 Release 1 System i Connecting to System i System i Access for Web Version 6 Release 1 Note Before using this information and the product

More information

IBM C IBM Notes and Domino 9.0 Social Edition System Administration B.

IBM C IBM Notes and Domino 9.0 Social Edition System Administration B. IBM C2040-407 IBM Notes and Domino 9.0 Social Edition System Administration B http://killexams.com/exam-detail/c2040-407 QUESTION: 107 What is the purpose of the "BatchRegFile=C:\temp\serverA.txt" entry

More information

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Feature and Technical Overview

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Feature and Technical Overview BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0 Feature and Technical Overview SWDT305802-525776-0331031530-001 Contents 1 Overview: BlackBerry Enterprise Server... 5 New in this release...

More information

IBM Campaign Version-independent Integration with IBM Watson Campaign Automation Version 1 Release 1.5 February, Integration Guide IBM

IBM Campaign Version-independent Integration with IBM Watson Campaign Automation Version 1 Release 1.5 February, Integration Guide IBM IBM Campaign Version-independent Integration with IBM Watson Campaign Automation Version 1 Release 1.5 February, 2018 Integration Guide IBM Note Before using this information and the product it supports,

More information

IBM Security Identity Manager Version 6.0. IBM DB2 Adapter Installation and Configuration Guide IBM

IBM Security Identity Manager Version 6.0. IBM DB2 Adapter Installation and Configuration Guide IBM IBM Security Identity Manager Version 6.0 IBM DB2 Adapter Installation and Configuration Guide IBM IBM Security Identity Manager Version 6.0 IBM DB2 Adapter Installation and Configuration Guide IBM ii

More information

SAS Contextual Analysis 14.3: Administrator s Guide

SAS Contextual Analysis 14.3: Administrator s Guide SAS Contextual Analysis 14.3: Administrator s Guide SAS Documentation August 25, 2017 The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2017. SAS Contextual Analysis

More information

IBM Content Manager for iseries. Messages and Codes. Version 5.1 SC

IBM Content Manager for iseries. Messages and Codes. Version 5.1 SC IBM Content Manager for iseries Messages and Codes Version 5.1 SC27-1137-00 IBM Content Manager for iseries Messages and Codes Version 5.1 SC27-1137-00 Note Before using this information and the product

More information

Tivoli Access Manager for Enterprise Single Sign-On

Tivoli Access Manager for Enterprise Single Sign-On Tivoli Access Manager for Enterprise Single Sign-On Version 6.0 Installation and Setup Guide GC23-6349-03 Tivoli Access Manager for Enterprise Single Sign-On Version 6.0 Installation and Setup Guide GC23-6349-03

More information

Tivoli SecureWay Policy Director Authorization ADK. Developer Reference. Version 3.8

Tivoli SecureWay Policy Director Authorization ADK. Developer Reference. Version 3.8 Tivoli SecureWay Policy Director Authorization ADK Developer Reference Version 3.8 Tivoli SecureWay Policy Director Authorization ADK Developer Reference Version 3.8 Tivoli SecureWay Policy Director Authorization

More information

Netfinity White Paper Paul Branch Netfinity Technology Center

Netfinity White Paper Paul Branch Netfinity Technology Center Netfinity White Paper Paul Branch Netfinity Technology Center paul_branch@vnet.ibm.com Lotus Domino Clusters Installation Primer Abstract The Advanced Services option 1 of Lotus Domino server 4.5 adds

More information

Tivoli Management Solution for Microsoft SQL. Troubleshooting. Version 1.1

Tivoli Management Solution for Microsoft SQL. Troubleshooting. Version 1.1 Tivoli Management Solution for Microsoft SQL Troubleshooting Version 1.1 Tivoli Management Solution for Microsoft SQL Troubleshooting Version 1.1 Tivoli Management Solution for Microsoft SQL Copyright

More information

RSA Identity Governance and Lifecycle Collector Data Sheet for Zendesk

RSA Identity Governance and Lifecycle Collector Data Sheet for Zendesk RSA Identity Governance and Lifecycle Collector Data Sheet for Zendesk Version 1.1 December 2017 Contents Purpose... 4 Supported Software... 4 Prerequisites... 4 Account Data Collector... 4 Configuration...

More information

software Lotus LearningSpace - Virtual Classroom V1.1 Installation Guide

software Lotus LearningSpace - Virtual Classroom V1.1 Installation Guide software Lotus LearningSpace - Virtual Classroom V1.1 Installation Guide COPYRIGHT Disclaimer THIS DOCUMENTATION IS PROVIDED FOR REFERENCE PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS

More information

PeopleTools Adapter User Guide

PeopleTools Adapter User Guide IBM Security Identity Manager Version 6.0 PeopleTools Adapter User Guide SC27-4406-02 IBM Security Identity Manager Version 6.0 PeopleTools Adapter User Guide SC27-4406-02 Note Before using this information

More information

IBM Spectrum Protect Version Introduction to Data Protection Solutions IBM

IBM Spectrum Protect Version Introduction to Data Protection Solutions IBM IBM Spectrum Protect Version 8.1.2 Introduction to Data Protection Solutions IBM IBM Spectrum Protect Version 8.1.2 Introduction to Data Protection Solutions IBM Note: Before you use this information

More information

Managing Certificates

Managing Certificates CHAPTER 12 The Cisco Identity Services Engine (Cisco ISE) relies on public key infrastructure (PKI) to provide secure communication for the following: Client and server authentication for Transport Layer

More information

CA SiteMinder Web Access Manager. Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

CA SiteMinder Web Access Manager. Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication CA SiteMinder Web Access Manager Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication This documentation and any related computer software help programs

More information

CMT for Exchange Installation and Configuration Guide

CMT for Exchange Installation and Configuration Guide CMT for Exchange 3.5.1 Installation and Configuration Guide August 2015 Table of Contents Section 1: Introduction... 5 Purpose & Audience... 5 About CMT for Exchange... 5 Product Overview... 8 Section

More information

Release Notes. IBM Tivoli Identity Manager Rational ClearQuest Adapter for TDI 7.0. Version First Edition (January 15, 2011)

Release Notes. IBM Tivoli Identity Manager Rational ClearQuest Adapter for TDI 7.0. Version First Edition (January 15, 2011) IBM Tivoli Identity Manager for TDI 7.0 Version 5.1.1 First Edition (January 15, 2011) This edition applies to version 5.1 of Tivoli Identity Manager and to all subsequent releases and modifications until

More information

IBM Identity Manager Command Line Interface Adapter White paper

IBM Identity Manager Command Line Interface Adapter White paper IBM Identity Manager Command Line Interface Adapter White paper 9/4/2012 IBM First Edition (January 23, 2011) This edition applies to version 5.1 of Tivoli Identity Manager and to all subsequent releases

More information

Release Notes. IBM Tivoli Identity Manager GroupWise Adapter. Version First Edition (September 13, 2013)

Release Notes. IBM Tivoli Identity Manager GroupWise Adapter. Version First Edition (September 13, 2013) Release Notes IBM Tivoli Identity Manager GroupWise Adapter Version 5.1.5 First Edition (September 13, 2013) This edition applies to version 5.1 of Tivoli Identity Manager and to all subsequent releases

More information

Tivoli Identity Manager

Tivoli Identity Manager Tivoli Identity Manager Version 4.6 Adapter for SAP Netweaver AS Java Integration and Configuration Guide GC32-1590-05 Tivoli Identity Manager Version 4.6 Adapter for SAP Netweaver AS Java Integration

More information

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide Policy Manager for IBM WebSphere DataPower Configuration Guide SOAPMDP_Config_7.2.0 Copyright Copyright 2015 SOA Software, Inc. All rights

More information

System p. Partitioning with the Integrated Virtualization Manager

System p. Partitioning with the Integrated Virtualization Manager System p Partitioning with the Integrated Virtualization Manager System p Partitioning with the Integrated Virtualization Manager Note Before using this information and the product it supports, read the

More information

Guide Installation and User Guide - Mac

Guide Installation and User Guide - Mac Guide Installation and User Guide - Mac With Fujitsu mpollux DigiSign Client, you can use your smart card for secure access to electronic services or organization networks, as well as to digitally sign

More information

Getting Started. Citrix Secure Gateway. Version 1.0. Citrix Systems, Inc.

Getting Started. Citrix Secure Gateway. Version 1.0. Citrix Systems, Inc. Getting Started Citrix Secure Gateway Version 1.0 Citrix Systems, Inc. Copyright and Trademark Notice Information in this document is subject to change without notice. Companies, names, and data used in

More information