
Identity Manager 8.0 - Administration Guide for Connecting to IBM Notes


Users and Permissions for Synchronizing with IBM Notes


The following users are involved in synchronizing One Identity Manager with IBM Notes.

Table 3: Users for Synchronization
User Authorizations
One Identity Manager Service user account

The user account for the One Identity Manager Service requires access rights to carry out operations at file level (issuing user rights, adding directories and files to be edited).

The user account must belong to the group "Domain Users".

The user account must have the extended access right "Log on as a service".

The user account requires access rights to the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can issue access rights for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

In the default installation, One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)
  • %ProgramFiles%\One Identity (on 64-bit operating systems)

User for accessing the target system (synchronization user)

The user who accesses the system requires sufficient administrative permissions on the Domino Directory (names.nsf). The minimum requirements are:
  • "Editor" access function on the primary Domino directory
  • Permissions for deleting documents
  • The role "UserCreator" in addition to the default roles
  • Administration access to the Domino server (server available for registering new user accounts and creating AdminP tasks)

The access function "Editor" is also required for the following databases:

  • cert.log
  • admin4.nsf
User for accessing the One Identity Manager database

The default system user "Synchronization" is available to run synchronization over an application server.

Domino Server Configuration


Configure the following settings on the Domino server that the gateway server communicates with:

  • Set up a full-text index for the Domino directory.

  • Set FT_MAX_SEARCH_RESULTS = 2147483000 in the file Notes.ini.

    If you apply filters in the Domino Directory, a maximum of 5000 filtered values are returned. To obtain a complete result list of the elements which satisfy the filter condition, you must overwrite this value in the Domino server's Notes.ini file with the value given here.

For more detailed information, see your IBM Notes documentation.

Installing and Configuring a Gateway Server


The gateway server administrates the functionality of the synchronization server. To set up a gateway server, a computer has to be available with the following software installed:

  • Windows operating system

    The following versions are supported:

    • Windows Server 2008 (non-Itanium based 64-bit) Service Pack 2 or later
    • Windows Server 2008 R2 (non-Itanium based 64-bit) Service Pack 1 or later
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
  • Microsoft .NET Framework Version 4.5.2 or later

    NOTE: Microsoft .NET Framework version 4.6 is not supported.

    NOTE: Take the target system manufacturer's recommendations into account.
  • Windows Installer
  • IBM Notes Client version 8.5.3

    NOTE: A real installation must be run. IBM Domino COM class libraries are registered during installation. The IBM Notes connector requires these libraries.
  • Write access to the IBM Notes client install directory and the One Identity Manager install directory.
  • One Identity Manager Service, IBM Notes connector
    • Install One Identity Manager components with the installation wizard.
      1. Select the option Select installation modules with existing database.
      2. Select the machine role Server | Job server | IBM Notes.

Special requirements for synchronizing an IBM Domino 8.5 or 9 environment

Synchronizing an IBM Domino version 8.5 or 9 environment requires at least the following versions of the IBM Notes and IBM Domino components.

  • IBM Domino Server version 8.5.1 with Fix Pack 2 or later or version 9.0.1.
  • IBM Notes Client version 8.5.3, Fix Pack 4

To set up a gateway server

  1. Configure the IBM Notes client.

    For more information, see To configure the IBM Notes client.

  2. Install the One Identity Manager Service and declare the gateway server as Job server in the One Identity Manager database. For more information, see Installing and Configuring the One Identity Manager Service.

To configure the IBM Notes client

  1. Extend the PATH variable to include the default search path (installation directory) and the data directory (<Installation directory>\data).

    Add the IBM Notes install path (the directory where Notes.exe can be found) to the operating system's default search path (PATH variable). Also add the path you selected for the Notes data directory when you installed the IBM Notes client to the PATH variable.

  2. Specify the directory for the ID files repository (<Installation directory>\data\IDS\<Name of the domain>).
  3. Ensure the synchronization user's user ID file is available.

    A separate ID file must be provided for this user. The path to this ID file is entered later into the custom INI file. User ID files with multiple passwords are not supported.

    NOTE: The administrator ID file that is created when the Notes server is installed may not be used because it is used for other administrative tasks.

  4. Keep the certifier ID file available for certificate administration.

    Set up all certifier ID files for registering users on the gateway server. Certifier ID files with multiple passwords are not supported.

  5. Start the IBM Notes client with the synchronization user's ID file and log in.

    This causes the configuration entries to be made on the computer. The access rights can be checked by calculating a new user with the ID file as a test.

  6. Copy the Domino Directory certificate documents into the user account's personal address book for synchronization.
  7. Check whether the certification log certlog.nsf exists.
  8. Create a custom INI file.

    The path of the synchronization user's ID file must be entered in this INI file.

NOTE: If you did not install the IBM Notes client in the default install directory, change the default search path and data directory entries in the PATH variable, as well as the path entries in Notes.ini and your custom INI file, to match your install directory path.
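
A preflight check for the client configuration steps above, as an added example that is not part of the One Identity documentation. All default paths, the domain name, the ID file name and the custom INI location are placeholders (assumptions); the INI check only looks for the ID file path as text, because the guide does not name the INI key.

```powershell
# Added example: preflight check for the IBM Notes client steps on the gateway server.
# Every default below is a placeholder (assumption); pass your own values.
param(
    [string]$NotesDir   = 'C:\Program Files (x86)\IBM\Notes',                   # assumed install directory
    [string]$DomainName = 'EXAMPLEDOMAIN',                                      # placeholder Notes domain
    [string]$SyncIdFile = 'C:\Program Files (x86)\IBM\Notes\data\sync-user.id', # placeholder ID file
    [string]$CustomIni  = 'C:\Program Files (x86)\IBM\Notes\custom.ini',        # placeholder INI path
    [string]$ServiceUrl = ''  # URL used in the netsh urlacl call; leave empty to skip that check
)

$dataDir = Join-Path $NotesDir 'data'
$idRepo  = Join-Path $dataDir (Join-Path 'IDS' $DomainName)

# True if $Dir is one of the PATH entries (case-insensitive, trailing backslash ignored).
function Test-OnPath([string]$Dir) {
    $want = $Dir.TrimEnd('\')
    $entries = $env:PATH -split ';' | Where-Object { $_ } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\') }
    return $entries -contains $want
}

# The guide says the ID file path is entered in the custom INI file; look for it as plain text.
$iniOk = (Test-Path -LiteralPath $CustomIni -PathType Leaf) -and
         (Select-String -LiteralPath $CustomIni -SimpleMatch -Pattern $SyncIdFile -Quiet)

$checks = [ordered]@{
    'Notes.exe found in install directory'   = Test-Path -LiteralPath (Join-Path $NotesDir 'notes.exe') -PathType Leaf
    'Install directory is on PATH'           = Test-OnPath $NotesDir
    'Data directory is on PATH'              = Test-OnPath $dataDir
    'ID file repository directory exists'    = Test-Path -LiteralPath $idRepo -PathType Container
    'Synchronization user ID file exists'    = Test-Path -LiteralPath $SyncIdFile -PathType Leaf
    'Custom INI file references the ID file' = $iniOk
}

if ($ServiceUrl) {
    # netsh lists the reserved URL only when a reservation for it exists.
    $acl = netsh http show urlacl "url=$ServiceUrl" | Out-String
    $checks['URL reservation exists for internal web service'] = $acl -match [regex]::Escape($ServiceUrl)
}

$results = foreach ($name in $checks.Keys) {
    [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
}
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }
```

Run it in a session started as the One Identity Manager Service account, so that the PATH and file access it reports are the ones the service will actually have.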


Copying the Notes Certificate


When you are configuring the gateway server, ensure that the certification documents are copied from the Domino Directory into the synchronization user's personal address book. This is necessary to enable the IBM Notes connector to add, rename or move user accounts in the target system.

TIP: Copy new certificates regularly from the Domino Directory into the synchronization user's personal address book. For more detailed information about copying certificate documents, see your IBM Notes documentation.