Chat now with support
Chat mit Support

Identity Manager 8.1.4 - Administration Guide for Connecting to IBM Notes

Managing IBM Notes environments Setting up IBM Notes synchronization Basic configuration data Notes domains Notes certificates Notes templates Notes policies Notes user accounts Notes groups Mail-in databases Notes server Using AdminP requests for handling IBM Notes processes Reports about Notes domains Configuration parameters for synchronizing a Notes domain Default project template for IBM Notes

Restoring user ID files

If a user has forgotten the password to a user account and lost the user ID file, the user ID file can be restored. Since IBM Notes version 8.5, IBM Domino provides the ID vault function to do this.

One Identity Manager uses "ID Restore" to provide its own method for restoring the user ID files. This can be used if an older version of IBM Domino is in use or if ID Vault should not be used.

NOTE: The method to be used for restoring user ID files is specified by the domain. This option is valid for all user accounts in the domain!

ID vault

The ID Vault is an IBM Domino database that stores copies of user ID files. This allows IBM Notes to be able to restore user ID files and to reset user account passwords. One Identity Manager provides a process for resetting the passwords in the ID vault.

Prerequisites
  • The Domino server that communicates with the gateway server, is also the ID vault server.
  • There are executing permissions defined for agents for the synchronization user account. For more information, see Running restricted LotusScript/Java agents.
  • ID vault database permissions for the synchronization user account are set to: "Manager" access function and "Auditor" role. For more detailed information, see your IBM Notes documentation.
  • Permissions for restoring passwords of the synchronization administrative user account and the ID vault server are set. For more detailed information, see your IBM Notes documentation.

To use the ID vault

  1. Select the IBM Notes | Domains category.
  2. Select the domain you want to use for the ID vault in the result list and run the Change master data task.
  3. Set the ID vault enabled option.

    This setting effects all user accounts in the domain.

  4. Save the changes.

NOTE: If certain user accounts are excluded from the ID vault by the ID vault policy in IBM Notes, the password cannot be reset by One Identity Manager.

In order to ensure the passwords for all user accounts in a domain can be reset, assign a policy for ID Vault that cover the whole organization.

When a new user account is published in IBM Notes, One Identity Manager saves the initial password in the One Identity Manager database (NDOUser.PasswordInitial). This initial password is used when a user account password needs to be reset. Passwords are saved automatically for user accounts that are initially setup in One Identity Manager. The initial password for all other user accounts has to be transferred to the One Identity Manager database by a customized process.

To reset a user account password

  1. Select the IBM Notes | User accounts category.
  2. Select the user account in the result list.
  3. Select the ID restore task.

This task starts the NDO_NDOUser_PWReset_from_Vault process. This process replaces the password from the user ID file saved in the ID Vault with the initial password from the One Identity Manager database. If the user is logged into the IBM Notes client at this point, the user‘s local ID file is replaced with the update copy from the ID Vault. The user has to login with the initial password when the IBM Notes client is started the next time. If the user is not logged into the IBM Notes client when the password is reset, the updated ID file must be provided separately.

Once the password has been successfully reset, the user must be provided with initial password and the ID file if necessary. This process has to be customized to meet your needs.

ID restore

ID restore is a One Identity Manager mechanism that can be used when a user has forgotten his password or the ID file itself has been lost. If the user ID file is restored with the ID restore procedure, the full name of the user account and the display name are determined from the user account name, organizational unit and certificate.

The following information is required to run an ID restore:

  • An ID file that is initially imported into the database including the associated password (NotesUser.NotesID, NotesUser.PasswordInitial)
  • The certifier that the initial ID file was created with (NotesUser.UID_NotesCertifierInitial)
  • A copy of the initially loaded or added employee document in the gateway server’s archive database archiv.nsf
  • The GUID of the document copy in the archive database (NotesUser.ObjectGUID_Archiv)

This data is automatically generated and saved for the user accounts that were added in the One Identity Manager. A one-off custom import of the files mentioned above has to be run for all other user accounts.

To restore the user ID file

  1. Select the IBM Notes | User accounts category.
  2. Select the user account in the result list.
  3. Select the ID restore task.

    The ID restore process carries out the following steps:

    • Deletes all current employee documents from the Domino directory.
    • Copies initial employee documents from archive database to the Domino directory.
    • Exports the initially saved ID files to the gateway server.
    • Starts the AdminP request to track the changes made to the original ID up until now. This includes changes to the components of the user’s name, changes to the ID expiry date and exchanging certifiers.
    • Update the restored employee document using the known values.
  4. If the ID file is restored, provide the user with the ID file and the initial password.
Related topics

Locking and unlocking Notes user accounts

Table 43: Configuration parameters for locking/unlocking user accounts
Configuration parameter Effect when set
TargetSystem | NDO | MailBoxAnonymPre Prefix for user account anonymity.
QER | Person | TemporaryDeactivation This configuration parameter specifies whether user accounts for an employee are locked if the employee is temporarily or permanently disabled.

A user is considered to be locked in IBM Notes if it is no longer possible for the user to log on to a server in the domain with this user account. The user loses access to the mailbox file through this. Access to a server can be prevented if the user account has the "Not access server" permissions type for the corresponding server document. This is very complicated in environments with several servers because a user account, which is going to be locked, must be given this permissions type for every server document.

For this reason, denied access groups are used. Each denied access group initially gets the "Not access server" permissions type for each server document. A user that is going to be locked becomes a member of the denied access group and therefore is automatically prevented from accessing the domain servers.

The way you lock user accounts depends on how they are managed.

Scenario:

  • The user account is linked to employees and is managed through account definitions.

User accounts managed through account definitions are locked when the employee is temporarily or permanently disabled. The behavior depends on the user account manage level. Accounts with the Full managed manage level are disabled depending on the account definition settings. For user accounts with a manage level, configure the required behavior using the template in the NDOUser.AccountDisabled column.

Scenario:

  • The user accounts are linked to employees. No account definition is applied.

User accounts managed through user account definitions are locked when the employee is temporarily or permanently disabled. The behavior depends on the QER | Person | TemporaryDeactivation configuration parameter

  • If the configuration parameter is set, the employee’s user accounts are locked when the employee is permanently or temporarily disabled.

  • If the configuration parameter is not set, the employee’s properties do not have any effect on the associated user accounts.

To lock the user account when the configuration parameter is disabled

  1. In the Manager, select the IBM Notes | User accounts category.

  2. Select the user account in the result list.

  3. Select the Change master data task.

  4. On the General tab, set the Account is disabled option.

  5. Save the changes.
Scenario:
  • User accounts not linked to employees.

To lock a user account that is no longer linked to an employee

  1. In the Manager, select the IBM Notes | User accounts category.

  2. Select the user account in the result list.

  3. Select the Change master data task.

  4. On the General tab, set the Account is disabled option.

  5. Save the changes.

The user account becomes anonymous when it is locked and is not shown in address books. Access to Notes servers is removed. The "TargetSystem | NDO | MailBoxAnonymPre" configuration parameter is checked if the user is made anonymous.

To unlock a user account

  1. Select the IBM Notes | User accounts category.
  2. Select the user account in the result list.

  3. Select the Change master data task.

  4. Disable the Account is disabled option on the General tab.
  5. Save the changes.

    Anonymity is rescinded and the user account removed from denied access groups.

Detailed information about this topic
Related topics
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen