Chat now with support
Chat with Support

Identity Manager 9.2 - Administration Guide for Connecting to HCL Domino

Managing HCL Domino environments Synchronizing a Domino environment
Setting up initial synchronization of a Domino environment Domino server configuration Setting up a gateway server Creating a synchronization project for initial synchronization of a Notes domain Adjusting the synchronization configuration for Domino environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Notes user accounts and identities Managing memberships in Notes groups Login credentials for Notes user accounts Using AdminP requests for handling Domino processes Mapping Notes objects in One Identity Manager
Notes domains Notes user accounts Notes groups Notes certificates Notes templates Notes policies Notes mail-in databases Notes server Reports about Notes objects
Handling of Notes objects in the Web Portal Basic data for managing a Domino environment Configuration parameters for managing a Domino environment Default project template for Domino Processing methods of Domino system objects Domino connector settings

Restoring user ID files

If a user has forgotten the password to a user account and lost the user ID file, the user ID file can be restored. Since Domino version 8.5, Domino provides the ID vault function to do this.

One Identity Manager uses ID restore to provide its own method for restoring the user ID files. This can be used if an older version of Domino is in use or if ID Vault should not be used.

NOTE: The method to be used for restoring user ID files is specified by the domain. This option is valid for all user accounts in the domain.

Detailed information about this topic

Restoring user ID files using ID vault

The ID vault is a Domino database that stores copies of user ID files. This allows Domino to be able to restore user ID files and to reset user account passwords. One Identity Manager provides a process for resetting the passwords in the ID vault.

Prerequisites
  • The Domino server that communicates with the gateway server, is also the ID vault server.

  • There are running permissions defined for agents for the synchronization user account. For more information, see Running restricted LotusScript/Java agents.

  • ID vault database permissions for the synchronization user account are set to: Manager access function and Auditor role. For more detailed information, see your Domino documentation.

  • Permissions for restoring passwords of the synchronization administrative user account and the ID vault server are set. For more detailed information, see your Domino documentation.

To use the ID vault

  1. In the Manager, select the HCL Domino > Domains category.

  2. Select the domain you want to use for the ID vault in the result list and run the Change main data task.

  3. Set the ID vault enabled option.

    This setting effects all user accounts in the domain.

  4. Save the changes.

NOTE: If certain user accounts are excluded from the ID vault by the ID vault policy in Domino, the password cannot be reset by One Identity Manager.

In order to ensure the passwords for all user accounts in a domain can be reset, assign a policy for ID Vault that cover the whole organization.

When a new user account is published in Domino, One Identity Manager saves the initial password in the One Identity Manager database (NDOUser.PasswordInitial). This initial password is used when a user account password needs to be reset. Passwords are saved automatically for user accounts that are initially setup in One Identity Manager. The initial password for all other user accounts has to be transferred to the One Identity Manager database by a customized process.

To reset a user account password

  1. In the Manager, select the HCL Domino > User accounts category.

  2. Select the user account in the result list.

  3. Select the ID restore task.

This task starts the NDO_NDOUser_PWReset_from_Vault process. This process replaces the password from the user ID file saved in the ID Vault with the initial password from the One Identity Manager database. If the user is logged into the Notes client at this point, the user‘s local ID file is replaced with the update copy from the ID Vault. The user has to login with the initial password when the Notes client is started the next time. If the user is not logged into the Notes client when the password is reset, the updated ID file must be provided separately.

Once the password has been successfully reset, the user must be provided with initial password and the ID file if necessary. This process has to be customized to meet your needs.

Restoring user ID files through ID restore

ID restore is a One Identity Manager mechanism that can be used when a user has forgotten his password or the ID file itself has been lost. If the user ID file is restored with the ID restore procedure, the full name of the user account and the display name are determined from the user account name, organizational unit and certificate.

The following information is required to run an ID restore:

  • An ID file that is initially imported into the database including the associated password (NotesUser.NotesID, NotesUser.PasswordInitial)

  • The certifier that the initial ID file was created with (NotesUser.UID_NotesCertifierInitial)

  • A copy of the initially loaded or added person document in the gateway server’s archive database archiv.nsf

  • The GUID of the document copy in the archive database (NotesUser.ObjectGUID_Archiv)

This data is automatically generated and saved for the user accounts that were added in the One Identity Manager. A one-off custom import of the files mentioned above has to be run for all other user accounts.

To restore the user ID file

  1. In the Manager, select the HCL Domino > User accounts category.

  2. Select the user account in the result list.

  3. Select the ID restore task.

    The ID restore process carries out the following steps:

    • Deletes all current person documents from the Domino directory.

    • Copies initial person documents from archive database to the Domino directory.

    • Exports the initially saved ID files to the gateway server.

    • Starts the AdminP request to track the changes made to the original ID up until now. This includes changes to the components of the user’s name, changes to the ID expiry date and exchanging certifiers.

    • Update the restored person document using the known values.

  4. If the ID file is restored, provide the user with the ID file and the initial password.
Related topics

Locking and unlocking Notes user accounts

A user is considered to be locked in Domino if it is no longer possible for the user to log on to a server in the domain with this user account. The user loses access to the mailbox file through this. Access to a server can be prevented if the user account has the Not access server permissions type for the corresponding server document. This is very complicated in environments with several servers because a user account, which is going to be locked, must be given this permissions type for every server document.

For this reason, denied access groups are used. Each denied access group initially gets the Not access server permissions type for each server document. A user that is going to be locked becomes a member of the denied access group and therefore is automatically prevented from accessing the domain servers.

The way you lock user accounts depends on how they are managed.

Scenario: The user accounts are linked to identities and are managed through account definitions.

User accounts managed through account definitions are locked when the identity is temporarily or permanently disabled. The behavior depends on the user account manage level. Accounts with the Full managed manage level are disabled depending on the account definition settings. For user accounts with a manage level, configure the required behavior using the template in the NDOUser.AccountDisabled column.

Scenario: The user accounts are linked to identities. No account definition is applied.

User accounts managed through user account definitions are locked when the identity is temporarily or permanently disabled. The behavior depends on the QER | Person | TemporaryDeactivation configuration parameter

  • If the configuration parameter is set, the identity’s user accounts are locked when the identity is permanently or temporarily disabled.

  • If the configuration parameter is not set, the identity’s properties do not have any effect on the associated user accounts.

To lock the user account when the configuration parameter is disabled

  1. In the Manager, select the HCL Domino > User accounts category.

  2. Select the user account in the result list.

  3. Select the Change main data task.

  4. On the General tab, set the Account is disabled option.

  5. Save the changes.
Scenario: The user accounts are not linked to identities.

To lock a user account that is no longer linked to an identity

  1. In the Manager, select the HCL Domino > User accounts category.

  2. Select the user account in the result list.

  3. Select the Change main data task.

  4. On the General tab, set the Account is disabled option.

  5. Save the changes.

The user account becomes anonymous when it is locked and is not shown in address books. Access to Notes servers is removed. The TargetSystem | NDO | MailBoxAnonymPre configuration parameter is checked if the user is made anonymous.

To unlock a user account

  1. In the Manager, select the HCL Domino > User accounts category.

  2. Select the user account in the result list.

  3. Select the Change main data task.

  4. Disable the Account is disabled option on the General tab.

  5. Save the changes.

    Anonymity is rescinded and the user account removed from denied access groups.

Detailed information about this topic
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating