
Identity Manager 8.1.5 - Administration Guide for Connecting to IBM Notes


Users and permissions for synchronizing with IBM Notes

The following users are involved in synchronizing One Identity Manager with IBM Notes.

Table 3: Users for synchronization
User Permissions
One Identity Manager Service user account

The user account for One Identity Manager Service requires permissions to carry out operations at file level, for example, assigning permissions and creating and editing directories and files.

The user account must belong to the Domain users group.

The user account must have the extended user permission Login as a service.

The user account requires access permissions to the internal web service.

NOTE: If One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can issue access permissions for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

In the default installation, One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)
  • %ProgramFiles%\One Identity (on 64-bit operating systems)

User for accessing the target system (synchronization user)

The user who accesses the system requires sufficient administrative permissions to the Domino Directory (names.nsf). The minimum requirements are:

  • "Editor" access function on the primary Domino directory
  • Permissions for deleting documents
  • "UserCreator" in addition to the default permissions
  • Remote console access
  • Administrative access to a Domino server (the server on which new users can be registered and AdminP tasks created)

"Editor" is also required for the following databases:

  • certlog.nsf
  • admin4.nsf

User for accessing the One Identity Manager database

The Synchronization default system user is provided to execute synchronization with an application server.

Domino server configuration

Configure the following settings on the Domino server that the gateway server communicates with:

  • Set up a full-text index for the Domino directory.

  • In the file Notes.ini, set FT_MAX_SEARCH_RESULTS = 2147483000.

    If you apply filters in the Domino Directory, a maximum of 5,000 filtered values are returned. To obtain a complete result list of the elements that satisfy the filter condition, you must overwrite this value in the Domino server's Notes.ini file with the value given here.

For more detailed information, see your IBM Notes documentation.

Installing and configuring a gateway server

The gateway server administrates the functionality of the synchronization server. To set up a gateway server, a computer has to be available with the following software installed:

  • Windows operating system

    The following versions are supported:

    • Windows Server 2008 R2 (non-Itanium based 64-bit) service pack 1 or later

    • Windows Server 2012

    • Windows Server 2012 R2

    • Windows Server 2016

    • Windows Server 2019

  • Microsoft .NET Framework Version 4.7.2 or later

    NOTE: Take the target system manufacturer's recommendations into account.
  • Windows Installer
  • IBM Notes Client version 8.5.3 or 10.0 or HCL Notes Client version 11.0.1

    NOTE:

    • Run the installation in single-user mode.

    • You must run a proper installation. IBM Domino COM class libraries are registered during installation; the IBM Notes connector requires these libraries.

  • Write access to the IBM Notes client install directory and the One Identity Manager install directory.
  • One Identity Manager Service, IBM Notes connector
    • Install One Identity Manager components with the installation wizard.
      1. Select the Select installation modules with existing database option.
      2. Select the Server | Job server | IBM Notes machine role.

Special requirements for synchronizing an IBM Domino 8.5 or 9 environment

At a minimum, the following versions of the IBM Domino and IBM Notes components are required for synchronizing an IBM Domino version 8.5 or 9 environment.

  • IBM Domino Server version 8.5.1 with Fix Pack 2 or later or version 9.0.1.
  • IBM Notes client in version 8.5.3, Fix Pack 4 or IBM Notes client version 10.0

To set up a gateway server

  1. Configure the IBM Notes client.

    For more information, see To configure the IBM Notes client.

  2. Install the One Identity Manager Service and declare the gateway server as Job server in the One Identity Manager database. For more information, see Installing and configuring the One Identity Manager Service.

To configure the IBM Notes client

  1. Extend the PATH variable to include the default search path (installation directory) and the data directory (<Installation directory>\data).

    Enter the IBM Notes installation path, that is, the path where Notes.exe is located, in the operating system's default search path (PATH variable). Also add the path that was selected for the Notes data directory during installation of the IBM Notes client to the PATH variable.

  2. Specify the directory for the ID files repository (<Installation directory>\data\IDS\<Name of the domain>).
  3. Ensure the synchronization user's user ID file is available.

    A separate ID file must be provided for this user. The path to this ID file is entered later into the custom INI file. User ID files with multiple passwords are not supported.

    NOTE: The administrator ID file that is created when the Notes server is installed may not be used because it is used for other administrative tasks.

  4. Keep the certifier ID file available for certificate administration.

    Set up all certifier ID files for registering users on the gateway server. Certifier ID files with multiple passwords are not supported.

  5. Start the IBM Notes client with the synchronization user's ID file and log in.

    This causes the configuration entries to be made on the computer. The access permissions can be checked by calculating a new user with the ID file as a test.

  6. Copy the Domino Directory certificate documents into the user account's personal address book for synchronization.
  7. Check whether the certification log certlog.nsf exists.
  8. Create a custom INI file.

    The path of the synchronization user's ID file must be entered in this INI file.

NOTE:

  • If you did not install the IBM Notes client in the default install directory, modify the default search path and data directory in the PATH variables as well as the path entries in Notes.ini and your custom INI file to your install directory path.
  • If you are using IBM Notes client version 10.0, change the path to Notes.ini. Depending on the installation, this file can be saved in the user profile directory.
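
The file-level parts of the procedure above (steps 1, 2, 3 and 8) can be verified on the gateway server with a short pre-flight script. This is an added example, not part of the original guide or of One Identity Manager; every default path, the domain name EXAMPLE, and the file names sync.id and custom.ini are placeholder assumptions to be replaced with your own values.

```powershell
# Added example, not vendor code. Every default below is a placeholder assumption.
param(
    [string]$NotesDir   = 'C:\Program Files (x86)\IBM\Notes',  # assumed install directory
    [string]$DomainName = 'EXAMPLE',                            # placeholder Notes domain
    [string]$SyncIdFile = 'C:\Program Files (x86)\IBM\Notes\data\IDS\EXAMPLE\sync.id',
    [string]$CustomIni  = 'C:\Program Files (x86)\IBM\Notes\custom.ini'
)

$dataDir = Join-Path $NotesDir 'data'
$idsDir  = Join-Path $dataDir (Join-Path 'IDS' $DomainName)

# Check the machine-level PATH, which applies to every account on the server.
# Entries are compared without trailing backslashes (-contains ignores case).
$pathEntries = [Environment]::GetEnvironmentVariable('PATH', 'Machine') -split ';' |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).Trim().TrimEnd('\') }

function Test-InPath([string]$Dir) { $pathEntries -contains $Dir.TrimEnd('\') }

$checks = [ordered]@{
    'Install directory in PATH (step 1)'      = (Test-InPath $NotesDir)
    'Data directory in PATH (step 1)'         = (Test-InPath $dataDir)
    'Notes.exe found in install directory'    = (Test-Path (Join-Path $NotesDir 'notes.exe') -PathType Leaf)
    'ID file repository exists (step 2)'      = (Test-Path $idsDir -PathType Container)
    'Synchronization ID file exists (step 3)' = (Test-Path $SyncIdFile -PathType Leaf)
    # Step 8: the custom INI file must contain the ID file path (literal match).
    'Custom INI references ID file (step 8)'  = ((Test-Path $CustomIni -PathType Leaf) -and
        [bool](Select-String -Path $CustomIni -SimpleMatch -Pattern $SyncIdFile -Quiet))
}

$results = $checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = [bool]$_.Value }
}
$results | Format-Table -AutoSize

# ID files are credentials: list who can access the repository so that
# unexpected principals can be reviewed.
if (Test-Path $idsDir) {
    (Get-Acl $idsDir).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

# Non-zero exit code if any check failed, for use in deployment pipelines.
if ($results.Passed -contains $false) { exit 1 }
```

The script covers only the local PATH and file items; steps 5 to 7 involve the IBM Notes client and Domino databases and are not checked.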

Copying the Notes certificate

When you are configuring the gateway server ensure that the certification documents are copied from the Domino Directory into the synchronization user's personal address book. This is necessary to enable the IBM Notes connector to add, rename, or move user accounts in the target system.

TIP: Copy new certificates regularly from the Domino Directory into the synchronization user's personal address book. For more detailed information about copying certificate documents, see your IBM Notes documentation.