Setting Notes User Passwords with NotesDriverShim v3.5
Novell Cool Solutions: Feature
By Perry Nuffer
Digg This -
Posted: 16 May 2007
The NotesDriverShim v3.5 is supposed to be able to set a password on a Notes user.id file. Is this true? And if so, what parameters to I need to set for the driver to make it work?
Yes, this is true. The NotesDriverShim provides password-set capabilities via the modify-password command. When issuing such a command on the subscriber channel, the NotesDriverShim can use a shared native library to access the appropriate Lotus Notes APIs that allow for changing a password within a user.id file. The shared native library that comes with the driver is named notesdrvjni. On the Windows platform, notesdrvjni.dll is placed in the IDM binaries folder (c:\novell\nds ). There it can be found by the NotesDriverShim.jar launched by the IDM engine. On AIX, Linux, and Solaris platforms, the notesdrvjni.so is linked in the Notes/Domino execution directory.
If the NotesDriverShim is appropriately initialized with notesdrvjni shared library present, then text similar to the following should show in a level 3 (or above) trace: "NotesDriverShimLotusCAPIAccess: notesdrvjni (notesdrvjni.dll) successfully loaded." If this text does not show in a level 3 trace, or a message to the contrary is displayed, then the 'user.id password set' feature will be automatically disabled within the NotesDriverShim.
For the NotesDriverShim to successfully set a password on a Notes .id file, the following conditions must be satisfied:
1. An .id file reference (path + file_name) must be provided via the user-id-file custom parameter.
2. The correct password of the referenced .id file (old-password) must be provided via the old-password child element.
3. A new password must be provided via the password child element that satisfies the strength requirements of the referenced (existing) .id file.
4. The Notes/Domino API (client) instantiated by the NotesDriverShim must have file access to the referenced .id file.
The NotesDriverShim cannot set passwords on .id files without the existing password (old-password) of the .id file. This is a requirement of the Lotus Notes API. Using IDM v3.5, old-password (nspmDistributionPassword attribute) values are available from the Identity Vault when the Engine Control Value (ECV) 'Use password event values' (ecnm_pevvl) is set 'true'.
When receiving the modify-password command, the NotesDriverShim will attempt to modify Notes user.id file passwords if the modify-password command has both an old-password and a password child element, and also contains a user-id-file="c:\Lotus\Domino\ids\people\JohnDoe.id" XML attribute as a custom parameter. Note that this custom parameter is the same as that used for add commands. However, in this case the file name that is specified is never used in conjunction with the user-id-path parameter, as is an add command. If a full path is not specified, the NotesDriverShim will default the user.id file search to the default directory that the driver is using (the Notes/Domino data folder). This user-id-file parameter can also be used to specify multiple id files by separating the id file names with semicolons (";"); (e.g., user-id-file="ids\people\JohnDoe.id;ids\people\johnnydoe.id;c:\Temp\jd.id").
ID files containing (requiring) multiple passwords cannot be set using this feature. I believe it is possible to use this feature to change the password for a user.id file, a server.id file, or a cert.id file.
Below is a general example of an XDS command where a password is being set for JohnDoe.id:
<input> <modify-password class-name="Person" event-id="pwd-subscribe" src-dn="\PWDSYNCTREE\sync\dom\unit\JohnDoe" src-entry-id="35952" user-id-file="c:\Lotus\Domino\ids\people\JohnDoe.id"> <association>D9628831A988381AC12570F9005BE6B3</association> <old-password>zyxwvut321</old-password> <password>abcdefg123</password> </modify-password> </input>
The NotesDriverShim must have appropriate read and write file system access to the specified user.id file. When a correct user-id-file="user.id" XML attribute and valid old-password and password elements are available to the modify-password command, this command can then modify an existing user.id file password as well as the HTTPPassword within the Notes Address Book.
You can control whether the NotesDriverShim will modify the user.id password or the HTTPPassword. This is done via the following driver parameters set within subscriber-options section of the driver configuration:
These subscriber-options parameters are boolean and can be set to true or false, depending on the desired default behavior of the NotesDriverShim. They can also be used as override parameters when set as attributes to the modify-password element.
If only the HTTPPassword should be modified, then the user-id-file XML attribute should be omitted from the XDS command, or the allow-userid-password-set="false" attribute can be applied. If only the user.id password should be modified, then the allow-http-password-set="false" attribute can be applied.
No special code is incorporated into the NotesDriverShim to manage or maintain mapped drives, file shares, or network access. The NotesDriverShim assumes that the files referenced will be available, and if not, errors will be reported. Within the NotesDriverShim, the 'user-id-file' reference is simply handed-off to the Lotus Notes API (one by one, in the case of multiple file references). Thus if the Notes/Domino client has access to the file reference, the password set can be attempted. Remember that file access is subject to the logon account of the running process. For example, when running a driver as a service on Windows (using remote loader) using local account access, remote files drive access is not available. So, it is necessary to configure the service to run using an account that has available and appropriate network access to the needed user.id files.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com