Today I want to write about a completely different product from Sun. For a few months now I have been working with "Mr-IdM-Miagie" aka Chris in Wiesbaden on implementing Sun Identity Manager. It is an interesting project: the customer wants to connect more than 10 resources to Identity Manager, and one of these resources is Lotus Domino. On Monday we got a test lab with an IdM VM and a physical Lotus Domino test server in a lab network. The Domino server is a copy of the production environment.
We started by configuring the "Gateway Service". This service must run on a Windows machine and communicates with both the IdM server and the Lotus Domino machine.
After unzipping the gateway to C:\IdM\ we can install it as a Windows service from the command line: "C:\IdM\gateway.exe -i".
Before you install the gateway there are some prerequisites to take care of:
Notes Client - the Notes client was a standard installation from the customer.
All other requirements are in the resource reference PDF:
Create the Identity Manager administrator in Domino. Use a certifier ID that has access to all organizations whose users need to be managed.
Add the user to the access control list (ACL) of the server's address book, names.nsf. Give the user Editor access and assign the following roles: GroupModifier, UserCreator, UserModifier.
Add the user to the ACL of the registration log, certlog.nsf, with Depositor access.
Add the user to the ACL of the Administration Requests database, admin4.nsf, with Depositor access.
Add the newly created user to server security: open the Security panel to edit the server configuration. If access to the Domino server is restricted, make sure the Identity Manager proxy account has access to the server. This is done by specifying the account name, or a group to which the proxy account belongs, in the Access Server field. If a before or after action calls a Domino agent, the user might also need to be added to the "Run unrestricted LotusScript/Java agents" or "Run restricted LotusScript/Java agents" field, depending on how the agent being called is configured.
Installing the Gateway to Support Domino
For the gateway to talk to Domino there must be a Notes client already installed on the gateway machine. Add the following string values under HKEY_LOCAL_MACHINE\SOFTWARE\Waveset\Lighthouse\Gateway in the Windows registry to ensure Domino works properly:
• notesInstallDir - the location where the client is installed and where the notes.dll file is located. Typically this is something like C:\Lotus\Notes\.
• notesIniFile - the full path to the Lotus Notes initialization file, including the file name. You should copy the file from its default location (such as C:\Lotus\Notes\notes.ini) to the directory containing the Identity Manager gateway, so the value of this registry key will be something like C:\GatewayDir\notes.ini.
After these pre-installation tasks we can create the gateway service and then create the Lotus Domino resource adapter in IdM.
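As an added example (not from the original post and not from Sun's documentation), here is the pre-installation work quoted above as a PowerShell script for the gateway host, with two checks a practitioner wants before the first connection test: that notes.dll really is where notesInstallDir will point, and which ID file the copied notes.ini hands to the gateway. The registry key is the one from the reference PDF; the paths, the ACL on notes.ini and the service name "Identity Manager Gateway" are assumptions for this environment, so check the real service name with Get-Service after running gateway.exe -i.

```powershell
# Added example (not from the original post): registry setup and pre-flight
# checks for the IdM gateway on the Windows gateway host.
# Assumptions: gateway unzipped to C:\IdM, Notes client in C:\Lotus\Notes,
# and "gateway.exe -i" registers a service called "Identity Manager Gateway".
$GatewayDir      = 'C:\IdM'
$NotesInstallDir = 'C:\Lotus\Notes\'
$NotesIniSource  = Join-Path $NotesInstallDir 'notes.ini'
$NotesIniFile    = Join-Path $GatewayDir 'notes.ini'
$RegKey          = 'HKLM:\SOFTWARE\Waveset\Lighthouse\Gateway'

# 1. The gateway loads notes.dll from notesInstallDir; fail early if it is missing.
if (-not (Test-Path (Join-Path $NotesInstallDir 'notes.dll'))) {
    throw "notes.dll not found in $NotesInstallDir - install the Notes client first"
}

# 2. Copy notes.ini next to the gateway, as the reference guide says.
Copy-Item -Path $NotesIniSource -Destination $NotesIniFile -Force

# 3. notes.ini names the ID file the gateway will use (KeyFilename=...).
#    Show it, and if the path is absolute make sure the file actually exists,
#    because a missing ID file is one reason "Test Connection" fails silently.
$match = Select-String -Path $NotesIniFile -Pattern '^KeyFilename=(.+)$' | Select-Object -First 1
if (-not $match) {
    Write-Warning "No KeyFilename= line in $NotesIniFile - the Notes client is not configured"
} else {
    $keyFile = $match.Matches[0].Groups[1].Value.Trim()
    Write-Host "Gateway will authenticate with ID file: $keyFile"
    if ([IO.Path]::IsPathRooted($keyFile) -and -not (Test-Path $keyFile)) {
        throw "ID file $keyFile does not exist on this host"
    }
}

# 4. notes.ini points at the admin ID file, so limit who can read it on the
#    gateway host (assumption: the service runs as SYSTEM; if it runs under
#    another account, grant that account read access as well).
icacls $NotesIniFile /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null

# 5. Create the registry key if needed and set the two string values.
if (-not (Test-Path $RegKey)) { New-Item -Path $RegKey -Force | Out-Null }
New-ItemProperty -Path $RegKey -Name 'notesInstallDir' -Value $NotesInstallDir -PropertyType String -Force | Out-Null
New-ItemProperty -Path $RegKey -Name 'notesIniFile'    -Value $NotesIniFile    -PropertyType String -Force | Out-Null
Get-ItemProperty -Path $RegKey | Select-Object notesInstallDir, notesIniFile

# 6. Register the gateway as a service and start it.
& (Join-Path $GatewayDir 'gateway.exe') -i
Start-Service -Name 'Identity Manager Gateway'   # assumed service name
Get-Service   -Name 'Identity Manager Gateway'
```

Run it in an elevated PowerShell session, because both the HKLM registry key and the service registration need administrator rights. The KeyFilename check is where the post's connection problem would have shown up early: if the Notes client on the gateway host is not configured with the IdM admin account, the gateway has no usable ID to open a session on the Domino server with.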
Under Resources > New Resource you can create a Domino resource. If you do not see a Domino resource type, you must first enable it under Configure Types. To connect a Domino resource you have to fill in a lot of information: Host, for example, is the IP address of your gateway host system, and you also need the ID files, certifier IDs, mail server and so on. At the bottom of the page you can test the connection to the server. This failed!! We checked everything: the rights, the Notes client connection and so on. After a few tests we noticed on the Lotus Domino server console that nothing connected to the Domino server when we ran the test, whereas when we connected with our Notes client we saw a session being opened. After many more tests we reinstalled the Notes client, this time not with the customer's installation package but as a plain "Next, Next, Finish" installation, and configured the client with the IdM admin account. After this reinstallation the gateway and the adapter work fine: we can connect to the Domino server and see an open session on the console.
On the next page you can configure the attribute mapping to the IdM system. We use the defaults and did not change anything.
After all this we wrote a correlation rule to map the users in IdM to the users on the Domino server.
The synchronisation mapped a lot of users. We got a few errors, too; looking at these accounts we saw that they do not exist in IdM. That is fine for us, because not all users are in IdM.
It was very cool that most things work out of the box. We can create, rename and delete users very easily.
That's where we stand at the moment! We will test more on Monday!
Stay tuned...
Comments:
Very helpful post...thanks!
Posted by 70.162.167.69 on March 14, 2008 at 03:21 AM CET #
Hi,
The details you provided are useful. But I have an issue here. I am unable to store an ID file in a separate path, but I can give the same path when I create the ID using the admin console of Notes.
eg: idFile - \\ipaddress\iam\ids\user.id.
Posted by venkatraj on May 23, 2008 at 07:00 PM CEST #