A.2 Global Configuration Values

Global configuration values (GCVs) are values that can be used by the driver to control functionality. GCVs are defined on the driver or on the driver set. Driver set GCVs can be used by all drivers in the driver set. Driver GCVs can be used only by the driver on which they are defined.

The Lotus Notes driver includes many GCVs. You can also add your own if you discover you need additional ones as you implement policies in the driver.

To access the driver’s GCVs in iManager:

  1. Click to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit.

    1. In the Administration list, click Identity Manager Overview.

    2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    3. Click the driver set to open the Driver Set Overview page.

  3. Locate the driver icon, click the upper right corner of the driver icon to display the Actions menu, then click Edit Properties.

    or

    To add a GCV to the driver set, click Driver Set, then click Edit Driver Set properties.

To access the driver’s GCVs in Designer:

  1. Open a project in the Modeler.

  2. Right-click the driver icon or line, then select Properties > Global Configuration Values.

    or

    To add a GCV to the driver set, right-click the driver set icon, then click Properties > GCVs.

The global configuration values are organized as follows:

Table A-7 Lotus Notes Certifier Names and Parameters References

Option

Description

Fully Qualified Default Certifier Name

Specify the default Fully Qualified (typed) Notes Certifier name as found in the Notes Address Book. The root certifier can be used (an example is /o=acme).

Default Certifier Name

Specify the default Notes Certifier name as found in the Notes Address Book. The root certifier can be used (an example is /acme).

Default Certifier Driver Parameter Key

Specify the driver parameter key name that stores the default certifier ID file name. An example is cert-id-file.

Default Certifier Password Driver Parameter Key

Specify the driver parameter key name that stores the default certifier ID password. An example is cert-id-password.

Table A-8 Lotus Notes New User Policy Settings

Option

Description

Add Notes User Certification Option

Select the desired Notes User Certification option. Select True to create a Notes Certification ID file for the user. Select False to not create the Notes Certification ID file. The default is True.

User ID File Creation

Select the desired Notes User ID file creation option. Select True to create an ID file when registering users. Select False to not create the ID file. The default is True.

Store User ID File in Address Book

Select the desired Notes User ID file option. Select True to place a Notes Certification ID file for the user in the Notes address book. Select False to not place the Notes Certification ID file in the address book. The default is False.

User ID Expire Term (in years)

Specify the expiration term (in years) for ID files created by the driver when certifying users who are added on the Subscriber channel. This number specifies how many years the user’s Certification ID file will be valid. The default is 2.

User ID Expiration Date

Specify an expiration date, or leave the field blank to ignore this setting. Specify the date when the user’s Certification ID file will expire. This entry has priority over the Expire Term entry.

Alternate Organization Unit

Specify an alternate Organizational Unit to be used for each registered user, or leave the field blank to ignore this setting.

Alternate Organization Unit Language

Specify an alternate Organizational Unit language to be used for each registered user, or leave the field blank to ignore this setting.

Notes Explicit Policy Name To Be Attached To User

Specify the desired Notes Explicit Policy Name to be attached to each registered user. When specified, registration policies are not executed.

Synchronize User’s Internet Password

Select the user’s Internet password option. Select True to synchronize the user password with the Web password. Select False to not synchronize user passwords. The default is True.

Notes User Password Check Setting

Select the desired option. Select Default to ignore this setting. Select Check Password to require users to enter a password when authenticating to servers that have password checking enabled. Select Don’t Check to not require users to enter a password when authenticating to other servers. Select Lockout to prevent users from accessing servers that have password checking enabled. The default is Check Password.

Notes User Password Change Interval (in days)

Specify the desired user password change interval in days. Specify a number to indicate the days a password is valid and before the user must supply a new password.

Notes User Password Grace Period (in days)

Specify the desired user password grace period in days. Specify a number to indicate the days the grace period is valid before the user must supply a new password.

Notes User’s Internet Password Change Required

Select the user’s Internet password change option. Select True to require users to change the password on the next login. Select False to not require users to change the password on the next login. The default is False.

Roaming Option

Select the desired Notes roaming user option. Select True to enable roaming for Notes users. Select False to disable roaming. The default is False. Selecting True brings up the next four options.

Roam Server Name

Specify the Domino server that will host this roaming user. An example is (cn=ServerName/o=org).

Roam Server Subdirectory

Specify the Domino server subdirectory to store roaming user data. An example is Roaming\

Cleanup Setting

Select the Notes roaming user cleanup setting. Select Default to do nothing. Select Never to never delete roaming data. Select Every n Days to delete roaming data by the days specified by Roaming Cleanup Period. Select At Shutdown to delete Notes data when Notes shuts down. Select User Prompt to clean up roaming data when the user exits Notes; the user can also decline to be prompted in the future.

Cleanup Period (in days)

If Every n Days is selected as the Roaming User Cleanup Setting, specify the number of days before deleting roaming user data.

Table A-9 Lotus Notes E-Mail Information

Option

Description

Internet Mail Domain

Specify the Internet Mail Domain to be used when generating Internet e-mail addresses. An example is mycompany.com.

E-mail Box

Select the desired Notes user e-mail creation option. Select True to create a Notes e-mail account for a user. Select False to not create an e-mail account. The default is True.

Create Mail File in Background via AdminP

Select the desired Notes user e-mail creation option. Select True to create a mail file by issuing a request to the Domino administration process to create the mail file in the background through AdminP. Select False to create the mail file directly. AdminP support is required for this option. The default is False.

Inherit from Mail File Template

Select the desired Notes user e-mail database inheritance option. Select True in order for the user e-mail database to inherit changes from the specified creation template. Select False to not inherit changes. You specify the e-mail creation template through the Subscriber channel settings. The default is True.

E-mail Database ACL Setting

Select the desired Notes user e-mail database ACL option. Select Default to ignore this setting. Other options include Manager, Designer, Author, Editor, Reader, Depositor, and No Access. The default is Default.

Mail ACL Manager

Specify the Notes e-mail database Manager name. Leave this entry blank to allow e-mail access by the owner. If ACL access of the mail database is less than Manager, you need to specify an e-mail manager. Use the plus icon to add names, the minus icon to delete names, and the pen icon to edit present entries.

Mail File Size Quota (in Megabytes)

Specify the Notes e-mail database size quota in megabytes. Leave blank to ignore this setting. The size specifies disk space that the server administrator allows for the e-mail database. If the Notes driver user is not a Domino server administrator, leave this value blank.

Mail File Size Warning Threshold (in Megabytes)

Specify the mail file size warning threshold in megabytes. Leave blank to ignore this setting. The size specifies disk space allowed before warning messages are sent to the database owner.

Mail File Replication

Select the desired Notes user e-mail file replication option. Select True to replicate the mail file of a user. Select False to not replicate the mail file. The default is False.

Create Mail File Replica On Which Server

Specify the distinguished name of the desired Domino server where the mailbox replicas are initially created and should be replicated (for example, CN=Server1/O=acme).

Mail File Replication Priority

Select the mail file replication priority setting: Low, Medium, or High. Default is Medium.

Create Mail File Replica in Background via AdminP

Select the desired Notes User E-Mail replica creation option. True replicates the mail file by issuing a request to the Administration Process to create the replica in the background. False creates the replica directly on the destination server.

NOTE: If the Create Mail File in Background setting (account.email.createinbackground) is set to True, the policy overrides this setting with a value of True.

Table A-10 Lotus Notes Object Deletion Policy Settings

Option

Description

Lotus Notes Deny Access Group Name

Specify a Notes Deny Access Group as a placeholder for disabled users. An example is Deny Access.

Table A-11 Domino Administration Process Activation Command Settings

Option

Description

Add User: Tell AdminP Process Command

Select the AdminP process command when a user is added. This specifies the Tell adminp Process command to send to the Domino server immediately after the user has been added to the Domino Public Address Book. Options include No Action (default), All, New, Daily, Delayed, Interval, People, and Time.

Modify User: Tell AdminP Process Command

Select the AdminP process command when a user is modified. This specifies the Tell adminp Process command to send to the Domino server immediately after the user has been modified using AdminP methods in the Domino Public Address Book. Options include No Action (default), All, New, Daily, Delayed, Interval, People, and Time.

Table A-12 User Password Policy Settings

Option

Description

Application accepts passwords from Identity Manager

If True, this option allows passwords to flow from Identity Manager to the connected system. The default is True.

Notify the user of password synchronization failure via e-mail

If True, notify the user by e-mail of any password synchronization failures. The default is False.

Selecting True brings up the next two options.

Default E-mail Notification User

Select the default user (administrator) to receive e-mail notifications. The user should have a valid Internet EMail Address attribute specified in the Identity Vault.

Password Synchronization policies are configured to send e-mail notifications to the associated user when password updates fail. The selected user receives a copy of each notification e-mail. Be sure to select a user who has proper authorization to review password update actions (such as a security administrator).

If the field is left blank, password synchronization notification e-mails are only sent to the affected user.

Connected System or Driver Name

Specify the name of the connected system, application, or Identity Manager driver. This value is used by the e-mail notification templates. An example is Notes.

Identity Manager accepts passwords from the application

True allows passwords to flow from the connected system to the Identity Manager. False does not allow passwords to flow from the connected system to the Identity Manager.

Publish passwords to the Distribution Password

Select whether to use the password from the connected system to set the NMAS Distribution Password used for Identity Manager password synchronization.

Require password policy validation before publishing passwords

True applies the NMAS password policies during password operations on the Publisher channel. The password is not written to the data store if it does not comply. False does not apply the NMAS password policies during password operations on the Publisher channel.

Reset the user's external system password to the Identity Manager password on failure

True attempts to reset the password in the connected system by using the Distribution Password from the Identity Vault when a publish Distribution Password failure occurs.

Publish passwords to the NDS password

Use the password from the connected system to set the non-reversible NDS password in eDirectory.

Table A-13 Credential Provisioning

Option

Description

Enable Credential Provisioning Policies

Select True to enable the driver’s policies for provisioning credentials to Novell SecureLogin.

On user creation

Select True to provision new users with credentials.

On user enable/disable

Select True to provision credentials to user accounts that have just been enabled and to deprovision credentials from user accounts that have been disabled.

On password changes

Select True to reprovision credentials when Identity Vault passwords change.

Application Credential ID

Specify the ID that SecureLogin uses to identify the login. This login is linked with the application in the SecureLogin client.

Application User ID Attribute

Specify the name of the attribute from which to retrieve the application user ID.

Provision to Novell SecretStore

Select True if Novell SecretStore is to be used by the credential provisioning policies.

SecretStore Shared Secret Type

Select the shared secret type that Novell SecretStore is using.

Use Enhanced Protection Password

Select True if the Novell SecretStore Enhanced Protection Password is to be used. If True is selected, the named password 'secretstore-enhanced-proctection-password' must be set appropriately.

Provision to Novell SecureLogin Repository

Select True if the Novell SecureLogin repository is to be used by the credential provisioning policies.

Set Novell SecureLogin Passphrase

Select True to enable the SecureLogin passphrase to be set.

SecureLogin Passphrase Question

If you enabled the passphrase to be set, specify the passphrase question. The question needs to be one that can be verified against an Identity Vault attribute.

SecureLogin Passphrase Answer Value Attribute

If you enabled the passphrase to be set, specify the Identity Vault attribute used to verify the user’s response to the passphrase question.

Table A-14 Account Tracking Settings

Option

Description

Enable Account Tracking

Select whether to enable account tracking. True enables the account tracking policies. False does not execute the account tracking policies.

Selecting True brings up the following options:

Realm

Specify the name of the Realm, Security Domain, or Namespace in which the account name is unique.

Object Class

Specify the object classes to track. Class names must be in the application namespace.

Identifiers

Specify the account identifier attributes. Attribute names must be in the application namespace.

Status Attribute

Specify the name of the attribute in the application namespace to represent the account status.

Status Active Value

Specify the value of the status attribute that represents an active state.

Status Inactive Value

Specify the value of the status attribute that represents an inactive state.

Subscription Default Status

Select the default status the policies assume when an object is subscribed to the application and the status attribute is not set in the Identity Vault.

Publication Default Status

Select the default status the policies assume when an object is published to the Identity Vault and the status attribute is not set in the application.

Table A-15 Entitlements Options

Option

Description

Use Account Entitlement

Entitlements act like an ON/OFF switch to control the account access. When the driver is enabled for entitlements, accounts are only created and removed/disabled when the account entitlement is granted to or revoked from the users. For more information, see the Identity Manager Entitlements Guide.

When Account Entitlement Revoked

If the Use Account Entitlement option is True, specify what action is taken in Notes when a User Account Entitlement is revoked.

Use Group Entitlement

Select whether the driver manages groups with the group entitlement. True allows the driver to manage Notes groups based on the notesGroup2 Entitlement. False does not allow the driver to manage Notes groups based on the notesGroup2Entitlement.
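
An added example, not part of the original documentation or the driver's own tooling: a Python check that reads an exported GCV definition file, reports options that differ from the defaults documented in Tables A-8 and A-9, and resolves the two precedence rules described there (User ID Expiration Date over Expire Term, and the NOTE on background replica creation). The XML layout, the example.* names, the date format, and the lowercase true/false encoding are assumptions; the sample input is constructed.

```python
import xml.etree.ElementTree as ET

# Defaults stated in Tables A-8 and A-9, keyed by the option's display name.
DOCUMENTED_DEFAULTS = {
    "Add Notes User Certification Option": "true",
    "User ID File Creation": "true",
    "Store User ID File in Address Book": "false",
    "User ID Expire Term (in years)": "2",
    "Create Mail File in Background via AdminP": "false",
}

# Constructed sample export; element layout and example.* names are assumptions.
SAMPLE = """<configuration-values><definitions>
<definition display-name="Store User ID File in Address Book" name="example.a" type="boolean"><value>true</value></definition>
<definition display-name="User ID Expire Term (in years)" name="example.b" type="integer"><value>2</value></definition>
<definition display-name="User ID Expiration Date" name="example.c" type="string"><value>2030-01-01</value></definition>
<definition display-name="Create Mail File in Background via AdminP" name="account.email.createinbackground" type="boolean"><value>true</value></definition>
<definition display-name="Create Mail File Replica in Background via AdminP" name="example.d" type="boolean"><value>false</value></definition>
</definitions></configuration-values>"""

def load_gcvs(xml_text):
    """Map display name -> trimmed value for every definition in the export."""
    root = ET.fromstring(xml_text)
    return {d.get("display-name"): (d.findtext("value") or "").strip()
            for d in root.iter("definition")}

def drift(gcvs):
    """Options present in the export whose value differs from the documented default."""
    return sorted((name, default, gcvs[name])
                  for name, default in DOCUMENTED_DEFAULTS.items()
                  if name in gcvs and gcvs[name].lower() != default)

def effective(gcvs):
    """Apply the two precedence rules the tables describe."""
    date = gcvs.get("User ID Expiration Date", "")
    term = gcvs.get("User ID Expire Term (in years)", "2")
    on = lambda key: gcvs.get(key, "false").lower() == "true"  # missing = false (assumption)
    return {
        # A non-blank expiration date has priority over the expire term.
        "id_expiry": ("date", date) if date else ("years", term),
        # NOTE in Table A-9: background mail-file creation forces background replica creation.
        "replica_in_background": on("Create Mail File in Background via AdminP")
        or on("Create Mail File Replica in Background via AdminP"),
    }

if __name__ == "__main__":
    values = load_gcvs(SAMPLE)
    for name, default, actual in drift(values):
        print(f"{name}: documented default {default}, configured {actual}")
    print(effective(values))
```

A deviation from a documented default is not in itself a misconfiguration; the report is a starting point for reviewing settings such as ID files stored in the address book.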