IBM Notes Connector

The IBM Notes connector is a C-based connector that runs in the C-based Server. It handles search and update requests (SPML V1) and therefore is able to export entries from an IBM Notes address book or to import entries into the Notes address book.

For details of the OASIS SPML Service Provisioning Markup Language see http://www.oasis-open.org/committees/provision/docs.

Overview

In DirX Identity, the Java-based Server hosts the Java components, especially the workflow engine that includes the join engine. The join engine issues the search and update requests via the configured connectors: the LDAP connector to the Identity Store and the SOAP connector for requests to the IBM Notes connector. The SOAP connector sends SPML requests to the SPML/SOAP listener of the C++-based Server, which passes them to the Notes connector. Finally, the Notes connector interacts with the Notes server.

The Notes connector has the responsibility to:

Create (and update) a "Person" document in the Notes address book.
Register a user if the dxmLNregisterUser attribute is set.
Request a Rename at the Notes server if one of the relevant user attributes has changed: first name, last name, middle initial, unique organizational unit.
Request a MoveInHierarchy operation if the target certifier of the user has been changed.
Put the user into an appropriate deny group if the user is to be disabled and remove it from the deny group otherwise. The connector must consider that deny groups are limited in size and create a new one if the existing ones reach the limit.
Indicate that the user is disabled if it is a member of a deny group. As part of a search result entry, the attribute dxrTSstate is set to DISABLED, if the entry is member of a deny group; otherwise dxrTSstate is set to ENABLED.
Create (and update) a “Group” document in the Notes address book.

This functionality is partly provided offline by adminp. The following Notes API calls are used:

Renaming a user:
ADMINReqRename
Moving a person:
ADMINReqMoveUserInHier and
ADMINReqMoveComplete
Deleting a person:
ADMINReqDeleteInNAB
Registering a person:
REGNewUser (sets the flag fREGCreateMailFileUsingAdminp if the parameter CreateMailDBNow is set)

The following sections describe the functionality provided by the Notes connector in details.

Prerequisites and Limitations

The Notes connector supports only IBM Notes server and client versions 7.03 or higher. Earlier versions are no longer supported. Use of additional functionality of the Notes APIs enforces this restriction.

The Notes connector requires the following software packages to be installed on the platform where the C++-based Server is running:

IBM Notes Client V7.03 (or higher)

The operation of the Notes connector is restricted by these limitations:

Attribute names are handled as CaseExactStrings.
Search limitations:
If the SPML identifier (representing the universal IDs) is present, the search filter is ignored.
If any other search base format is present, it must define the type of document to be searched for; for example, Type=Person or Type=Group.
In filters, only matching for equality is supported for attribute values.
NOT filters are not supported.
UniqueOrgUnit
The unique organizational unit attribute value that could be part of a person’s full name cannot be searched for. As a result, the Notes connector stores the value of the unique organizational unit in a configurable attribute and uses that value, if available, when searching a person document. (See the sections about configuration for details.)
Rename and MoveInHierarchy:
If the parameters of an update operation both result in a Rename and a MoveInHierarchy operation, then only the Rename operation is propagated to the Notes server. The MoveInHierarchy operation is only executed in the next update operation if no pending request is present (which is only detected if the Notes real-time workflow is used). The connector itself has no knowledge whether there is a pending rename operation.
Item Types
The Notes attributes that are supported by the Notes connector must have one of the following item types:
TEXT
TEXT_LIST
NUMBER
TIME

Other Notes item types (for example, RICH_TEXT) that are not listed above are not supported.

Static Configuration Parameters

Static configuration parameters for the Notes connector are included with the "INI Template" definition that can be viewed in the DirX Identity Manager (Connectivity view) below the object:

Connectivity Configuration data → Configuration → Connector Types → Notes

The connector reads this information only once during the C++-based Server startup.

The Notes connector uses the following configuration information:

Connected Directory

AdminReqDB: The Admin Request Database field specifies the name of the Notes Administration Process (adminp) request database that is used when deleting persons.

Example:

AdminReqDB=admin4.nsf
AdminReqAuthor: The Admin Request Author field specifies the author name of the Notes Administration Process (adminp) request database that is used when deleting persons.

Example:

AdminReqAuthor=FullName_of_administrator AdminReqAuthor=CN=administrator/O=My-Company
AdrBook: The Address Book field specifies the name of the Notes address book.

Example:

AdrBook=names.nsf
GroupMemberLimit: The Group Member Limit field specifies the maximum number of members in a group. When that limit is reached, another group is created and the group name of that group is stored in previous group (nested groups).
UniqueOrgUnitAttrType: IBM Notes doesn’t return the UniqueOrgUnit attribute when searching with that attribute set. As a result, the Notes connector stores the UniqueOrgUnit in an additional configurable attribute UniqueOrgUnitAttrType that can be used for searching.

Example:

UniqueOrgUnitAttrType=telexTerminalIdentifier

Services

Server: The Server Name field specifies the name of the Notes server in the format:

CN=server_name/O=organization_name[/…]

Make sure that the attribute types in the server name (for example, CN, O, OU) are defined with uppercase letters.

Example:

CN=my-server/O=my-organization

Bind Profile

At least two bind profiles are required:

A bind profile for the administrator who has the right to add, delete, modify or move persons and groups
A bind profile that represents an organization or organizational unit - for example, cert.id - and is used when
registering a user
moving a person
renaming a person

within that organization or organizational unit.

Furthermore, if a MoveInHierarchy operation is called (when Notes users are moved to a different organization or organizational unit), additional bind profiles for each organization or organizational unit are required.

The following fields of the bind profile are used:

User: The User field specifies the full pathname of the ID file. This file must be accessible on the machine where the C++-based Server (hosting the Notes connector) is running. Make sure that the pathname matches the pathname that is passed in the connector update requests in the attributes "PathFileCertId" or "PathFileTargetCertId". (Be aware that for Notes real-time workflows, these attributes are set using the values of the Notes profiles in the Notes target system tree. So the pathnames in the bind profiles must match the pathnames that are used in the Notes profiles.)
Password: The Password field specifies the password that is related to the ID file.

Dynamic Configuration Parameters

The Notes connector evaluates all of the attributes that are sent in the each SPML request. A subset of attributes is set in the organizational unit-specific Notes profiles that are defined in each target system instance.

The available attributes from the Notes profile objects are:

Control Parameters:
CreateIdFile
CreateMailDatabase
CreateMailDBNow

CreateMailFullTextIndex

CreateMailReplicas
CreateNorthAmericanId
SaveIdInAddressBook
SaveIdInFile
SaveInternetPassword
DeleteMailFile

Other Attributes:
CertifierStructure (will be passed as TargetCerfier to the Notes connector)
ClientType
DbQuotaSizeLimit
DbQuotaWarningThreshold

DefaultMailServer (will normally be mapped to the attribute MailServer

LocalAdmin
MailACLManager
MailForwardAddress
MailOwnerAccess

MailServer
MailSystem
MailTemplate
MinPasswordLength

OtherMailServers
PathFileCertId
PathFileCertLog
PathUserId
RegistrationServer
Validity

The Notes connector does not know where these attributes originate because it simply processes the attribute that is passed to it in the SPML request. It is listed here to identify more details about Notes real-time workflows, Notes configuration data and finally the Notes connector.

If you are not using the Notes real-time workflows provided with DirX Identity, make sure that these attributes are passed in the SPML request, if needed.

Be aware, too, that the attribute names are handled as CaseExactStrings.

Attributes at IBM Notes

The following list of attributes is relevant at the target system (IBM Notes) side. Customer projects can synchronize additional attributes provided that the Notes documents in the IBM Notes address book can hold these new attribute types.

ClientType

The ClientType field specifies the type of Notes client that the Notes connector is to associate with the registered users it creates during the import process. The syntax is:

ClientType=number

where number is one of the following values:

1 - create registered users of client type "desktop"
2 - create registered users of client type "complete"
3 - create registered users of client type "mail"

The client types correspond to the different kinds of licenses available for Notes clients.

ComputeWithFormIgnoreErrors

The ComputeWithFormIgnoreErrors field specifies the way in which the Notes-API “ComputeWithForm” is called before the Notes document is saved. (“ComputeWithForm” calculates computed fields and evaluates validation formulas defined in the form used by the Notes document.)

The syntax is:

ComputeWithFormIgnoreErrors=switch

where switch is one of the following values:

0 - if you want the function to stop at the first error
1 - if you do not want the function to stop executing if a validation error occurs

If absent, the Notes-API “ComputeWithForm” is not called. This default behavior is compatible with older versions of DirX Identity where this parameter is not configurable.

CreateIdFile

The CreateIdFile field controls whether or not Notes connector creates a user ID file for Notes users that it registers during the import process. The syntax is:

CreateIdFile=switch

where switch is one of the following values:

0 - register Notes users, but do not create a user ID file for them
1 - register Notes users and create a user ID file for them

If CreateIDFile is set to 1, either the SaveIdInAddressBook field or the SaveIdInFile field (or both) must be set to 1 to specify where the Notes connector is to store the user ID files it creates.

CreateMailDatabase

The CreateMailDatabase field controls whether or not the Notes connector creates user mailboxes for Notes users that it registers. The syntax is:

CreateMailDatabase=switch

where switch is one of the following values:

0 - do not create a mailbox
1 - create a mailbox

CreateMailDBNow

The CreateMailDBNow field controls whether or not the mail file is created during the registration. The syntax is:

CreateMailDBNow =number

where number is one of the following values:

0 - create mail file later with the administration process
1 - create mail file during the registration

CreateMailFullTextIndex

The CreateMailFullTextIndex field controls whether or not a full-text index is created when creating the mailbox. The syntax is:

CreateMailFullTextIndex=number

where number is one of the following values:

0 - do not create mail full-text index
1 - create mail full-text index

If absent, the mail full-text index is created. (This default behavior is compatible with older versions of DirX Identity where this parameter is not configurable.)

CreateMailReplicas

The CreateMailReplicas field controls whether or not the mail replicas should be created with the administration process. The syntax is:

CreateMailReplicas=number

where number is one of the following values:

0 - do not create mail replicas
1 - create mail replicas with the administration process

If absent, no mail replicas are created. This default operation is compatible with older versions of DirX Identity where this parameter is not configurable.

CreateNorthAmericanId

The CreateNorthAmericanId field controls whether or not the Notes connector creates United States security-encrypted User ID files when registering a new user. The syntax is:

CreateNorthAmericanId=switch

where switch is one of the following values:

0 - do not create U.S.-encrypted user ID files
1 - create U.S.-encrypted user ID files

If CreateNorthAmericanId is set to 1, the Notes registered user can only be used within the United States.

DbQuotaSizeLimit

The DbQuotaSizeLimit field is only used when registering a new user and specifies the size limit of user’s mail database. The syntax is:

DbQuotaSizeLimit =number

where number is the size in MB.

DbQuotaWarningThreshold

The DbQuotaWarningThreshold field is only used when registering a new user and specifies the size of a user’s mail database at which point a warning about the size of the database is generated. The syntax is:

DbQuotaWarningThreshold =number

where number is the size in MB.

DeleteMailFile

The DeleteMailFile field controls the way the mail files of a person are handled when the person is deleted. The syntax is:

DeleteMailFile=switch

where switch is one of the following values:

0 - don’t delete mail file
1 - delete the mail file specified in the person record
2 - delete mail file specified in person record and all replicas

dxmLNregisterUser

The dxmLNregisterUser field controls whether or not the Notes connector registers a user. The syntax is:

dxmLNregisterUser=switch

where switch is one of the following values:

0 - do not register Notes users
1 - register Notes users

InternetAddress

The InternetAddress field is only used when registering a new user and specifies the internet mail address of the user. The syntax is:

InternetAddress=address

Example:

InternetAddress=john@x.com

MailACLManager

The MailACLManager field is only used when registering a new user and specifies the manager name of the access control list of the mail file. The syntax is:

MailACLManager=name

where name is the manager name in canonical format. For example:

MailACLManager=CN=Administrator/O=MyCompany

MailFile

The MailFile field is used when registering a new user or when deleting a user with its mail file. It specifies the mail file name including the path relative to the Notes data directory.

Example:

MailFile=mail/tom.nsf

MailForwardAddress

The MailForwardAddress field is only used when registering a new user and specifies the forwarding address of a Domino domain or foreign mail gateway. The syntax is:

MailForwardAddress=name of the forwarding address

MailOwnerAccess

The MailOwnerAccess field is only used when registering a new user and specifies the mail owner’s ACL privileges. The syntax is:

MailOwnerAccess =number

where number is one of the following values:

0 - Manager (default)
1 - Designer
2 - Editor

MailServer

The MailServer field specifies the name of a Notes server on which the Notes connector is to create user mailboxes during the user registration process. Furthermore it’s used when deleting a user and its mail must be deleted, too. The syntax is:

MailServer=server_name

where server_name is the name of a Notes server in the format:

"CN=server_name/O=organization_name[/…]"

For example:

MailServer="CN=Cambridge4/O=Notes/O=IBM"

MailSystem

The MailSystem field is only used when registering a new user and specifies the type of the mail system. The syntax is:

MailSystem=number

where number is one of the following values:

0 - NOTES (default)
1 - CCMAIL
2 - VINMAIL
99 - NONE

MailTemplate

The MailTemplate field is only used when registering a new user and specifies the name of the mail template database. The syntax is:

MailTemplate =name of the template database

Example:

MailTemplate=mail7.ntf

MinPasswordLength

The MinPasswordLength field is only used when registering a new user and specifies the minimum number of characters that a user password must have. The syntax is:

MinPasswordLength=number

For example:

MinPasswordLength=5

The Notes connector sets the specified value as an attribute of the registered user entry.

If the value is set to 0 the SaveIdInAddressBook field also must be set to 0.

PathFileCertId

The PathFileCertId field specifies the pathname to the certificate ID file cert.id, which is a binary file that is supplied with the Notes Server installation software. This file contains the certificate that grants the Notes connector the right to create registered users. The syntax is:

PathFileCertId=pathname

where pathname is the pathname to the certificate ID file. For example:

PathFileCertId=a:\cert.id

This is a required field if the update operation is to process a RenameUser request or if the dxmLNregisterUser field is set to TRUE.

This is a required field that must specify the pathname to the certificate ID file of the source organizational unit if the update operation is to process the MoveUserInHier operation.

PathFileCertLog

The PathFileCertLog field specifies the pathname to the certifier logging file certlog.nsf on the server. This file contains the certifier logging entries of the registered users. The syntax is:

PathFileCertLog=pathname

where pathname is the pathname to the certifier logging file. For example:

PathFileCertLog=d:\lotus\domino\data\certlog.nsf

This is a required field if the dxmLNregisterUser field is set to TRUE or if the update operation is to process a RenameUser or a MoveUserInHier request.

PathFileTargetCertId

The PathFileTargetCertId field specifies the pathname to the certificate ID file of a target organizational unit. The file contains the certificate that grants the Notes connector the right to create registered users for the organizational unit. The syntax is:

PathFileTargetCertId=pathname

where pathname is the pathname to the certificate ID file. For example:

PathFileTargetCertId=a:\German.id

This is a required field if the update operation is to process a MoveUserInHier operation.

PathUserId

The PathUserId field specifies the directory in which the Notes connector is to store Notes user IDs created during the user registration process. The syntax is:

PathUserId=directory

where directory is a directory pathname. For example:

PathUserId=e:\notes\data

Notes User IDs are binary user certificate files that the Notes connector creates during the registration process if CreateIdFile is set to 1. The Notes connector writes these user ID files to the directory specified in the PathUserId field if SaveIdInFile field is set to 1.

RegistrationServer

The RegistrationServer field specifies the name of the Notes registration server that is to register the users in the Notes server address book. The syntax is:

RegistrationServer=server_name

where server_name is a the name of a Notes server in the format:

"CN=server_name/O=organization_name[/…]"

For example:

RegistrationServer="CN=Cambridge3/O=Notes/O=IBM"

SaveIdInAddressBook

The SaveIdInAddressBook field controls whether or not the Notes connector saves the user ID files it creates as attachments of the Notes entries for the registered users. The syntax is:

SaveIdInAddressBook=switch

where switch is one of the following values:

0 - do not save user ID files as attachments of the Notes entries for the registered users
1 - save user ID files as attachments of the Notes entries for the registered users in the Notes address book

If SaveIdInAddressBook is set to 1, the Notes connector creates the user ID file and stores it as an attachment of the corresponding Person entry for the registered user. If SaveIdInAddressBook is set to 1, the registered user must have got a password.

SaveIdInFile

The SaveIdInFile field is only used when registering a new user and controls whether or not the Notes connector saves the user ID files it creates in individual files. The syntax is:

SaveIdInFile=switch

where switch is one of the following values:

0 - do not save user ID files in individual files
1 - save user ID files in individual files

If SaveIdInFile is set to 1, the Notes connector creates the user ID files and stores them in the directory specified in the PathUserId field.

SaveInternetPassword

The SaveInternetPassword field is only used when registering a new user and controls whether or not the Notes connector saves the user ID password also for use as an Internet password. The syntax is:

SaveInternetPassword=switch

where switch is one of the following values:

0 - do not save user ID password also as Internet password
1 - save user ID password also as Internet password

If SaveInternetPassword is set to 1, the Notes connector saves the user ID password also in the field for the Internet password.

TargetCertifier

The TargetCertifier field specifies the name of the new location when is user is moved.. The syntax is:

TargetCertifier=name

where name is a the name of a Notes entity in the format:

"OU=organizational unit name/O=/organization_name[/…]"

For example:

TargetCertifier=/OU=sales/O=my-company

Type

The Type field specifies the Notes document type to be extracted from the Notes address book (on Export) or to be created in the Notes address book (on Import). The syntax is:

Type=document_type

where document_type is a Notes document type.

Example:

Type=Person

Type=Group

UserIdFile

The UserIdFile field is only used when registering a new user and specifies the name of a Notes ID file of a a user. The syntax is:

UserIdFile=filename

where filename is the name of the user ID file.

Example:

UserIdFile=tom.id

Validity

The Validity field defines the lifetime of a certificate in GeneralizedTime syntax. The syntax is as follows:

Validity=YYYYMMDDhhmmssZ

Example:

Validity=20101230150000Z

Other important attributes

There are many other attributes available in the Notes address book. The important ones include:

User attributes:

FirstName
LastName
MiddleInitial
UniqueOrgUnit
FullName
ShortName

Group attributes:

ListName

All of these attributes are string attributes and define the name of the group or (for user) the combination of FirstName, LastName, MiddleIntitial and UniqueOrgUnit define the user object.

Attributes at Identity Store

The following list of attributes is relevant at the Identity Store side.

dxmLNregistereUser: The attribute dxmLNregisterUser is a Boolean attribute and indicates whether a person should be registered in Notes. If set to FALSE, only a Notes document is created in the Notes address book.
dxmLNuserRegistered: The attribute dxmLNuserRegistered is a Boolean attribute and indicates whether the account has been registered in the Notes server. The attribute is set to TRUE, if the FullName is present in Notes.
dxmLNuserInAddressBook: The attribute dxmLNuserInAddressBook is a Boolean attribute and indicates whether or not the Type attribute in the Notes server is set to Person or not. dxmLNuserInAddressBook is set to TRUE, if TYPE=Person; it is set to FALSE, if type is set to InactivePerson. (Type=InactivePerson is set to make the user invisible for the Notes Client).

Feature Details

This section describes Notes connector feature details.

General Aspects

This section describes general features of the Notes connector.

SPMLv1 Identifier

The SPML identifier is mandatory for the following operations:

DeleteRequest
ModifyRequest

It is optional for the following operations:

AddRequest
SearchRequest

When present, it is normally set up as type=value list of the Notes universal IDs. The format is as follows (for example, as part of a Modify request):

<spml:identifier type="urn:oasis:names:tc:SPML:1:0#DN">
<spml:id>UniversalIDPart1=<id1>,UniversalIDPart2=<id2>,
   UniversalIDPart3=<id3>,UniversalIDPart4=<id4>
</spml:id>
</spml:identifier>

If absent, then the SPML identifier should be set as follows:

<spml:identifier type="urn:oasis:names:tc:SPML:1:0#DN">
    <spml:id/>
</spml:identifier>

If search requests, the Identifier could also by set using the Notes Type attribute, for example

<spml:searchBase type="urn:oasis:names:tc:SPML:1:0#DN">
       <spml:id>Type=Person</spml:id>
</spml:identifier>

Deny Groups

If a user is disabled in the Identity Store, the user is put into one of the deny groups that are available in the Notes system. In the SPML update operations, the attribute “dxrTSstate” must be passed with the value set to “DISABLED”. The Notes connector will check all the deny groups and will put the user into one of them if not yet present there. If during an SMPL update operation the value “dxrTSstate=ENABLED” is passed, then the user is dropped from the deny groups. When putting users in the deny group, the Notes connector guarantees that a new deny group is created when the existing ones have reached their capacity limits.

When Notes users are returned in a search result, the attribute “dxrTSstate” is set according to the presence of the users in the deny groups; the value is set to ENABLED if the user is not present in one of the deny groups; otherwise, the value is set to DISABLED.

Register User

A user will be registered if the dxmLNregisterUser attribute comes along in an ADD or MODIFY request and the Type attribute of a new object (for ADD) or of an existing object (for MODIFY) is PERSON.

The user registration enforces a unique short name; that’s not required by Notes itself, it’s a requirement of the Notes connector.

For registering the user, the following attributes are evaluated:

ClientType
CreateIdFile
CreateMailDatabase
CreateMailDbNow
CreateNorthAmericanId
FirstName
IdFile (composed of “PathUserId\UserIdFile”)
InternetAddress
LastName
MiddleInitial
SaveIdInFile
SaveIdInAddressBook
SaveInternetPassword
ShortName
SMTPHostDomain
UniqueOrgUnit (derived from the configurable attribute type)

If a mail database should be created, then these attributes are required, too:

DvQuotaSizeLimit
DbQuotaWarningThreshold
MailACLManager
MailFile
MailForwardAddress
MailOwnerAccess
MailServer
MailSystem
MailTemplate

Add Request

The Notes connector first checks whether a Notes document is already present in the Notes address book. Therefore for objects of Type=Group, it uses the ListName for retrieving the object, for objects of Type=Person or Type=InactivePerson, it uses FirstName, LastName, MiddleInitial and UniqueOrgUnit. If UniqueOrgUnit is present, it uses the attribute specified in UniqueOrgUnitAttr because the attribute UniqueOrgUnit is not searchable in Notes address book.

If no such document is found, then the document is created.

If the attribute dxmLNregisterUser is set to TRUE, the user will be registered. For details, see the section “Register User”.

If the attribute dxrTSstate is DISABLED, then the user is put into the Deny groups.

Add Response

The add response will return the SPML identifier of the new object. It will also return the FullName of the new object, if the user was registered before. If available, it will also return the ShortName of the user.

Delete Request

A user will be deleted if the TYPE attribute of the existing user is Person and the user had been registered before. When deleting the user, the DeleteMailFile attribute (in the OperationalAttributes section of the SPML Modify request) provides information whether or not to delete the user’s mail database.

If the object is not a registered used, then the Notes document will simply be deleted from the Notes address book.

Delete Response

There is no specific information available in the delete response. It either return success or provides the error message.

Modify Request

If the object exists in the Notes address book, then the attributes in the Notes document are updated.

If the attribute dxmLNregisterUser is present in the attribute list and the value is set to TRUE, then the user will be registered (if not yet registered). For details, see section “Register User” above.

A user will be renamed if the Type attribute of the existing user is Person and one of the following attribute changes in a MODIFY request:

FirstName
LastName
MiddleInitial
UniqueOrgUnit

Keep in mind that the UniqueOrgUnit attribute is not retrievable. Therefore the Notes connector uses the value from the configurable attribute that is defined in UniqueOrgUnitAttrType.

A user will be moved if the Type attribute of the existing user is Person and the attribute PathFileTargetCertId is present and is different from PathFileCertId and the user has not been renamed before. If the user has been renamed, then moving the person is rejected until the user was successfully renamed. It’s the responsibility of the client to send another MODIFY request later on in order to move the person.

Modify Response

If available, the modify response will return the FullName and the ShortName of the object.

Search Request

For details on search base, see the section “SPMLv1 Identifier”.

Apart from the search base, an SPML filter can be provided. For limitations on search filters, see the section “Prerequisites and Limitations”.

Search Response

The Notes connector will search the relevant objects. It also checks, for every object, whether it is present in one of the Deny groups. If present, it returns the attribute dxrTSstate with the value DISABLED; otherwise ENABLED.