Wednesday, October 24, 2012

Lotus Notes Provisioning Experience

So I was at a client and had to remember how to provision to Lotus Notes.  Unfortunately I didn't have a lot of my notes and there's always something new from client to client so some learning was needed.

Let's start with the address book: this is the target database where users will ultimately be created.  Also, in Notes terms, user objects are called Person documents.  So keep that in mind.  The default address book is called names.nsf.

I was given an address book that happened to be down a few levels from the top level.  What does this mean?  When you log in to the Lotus Notes client, you open the database by first entering the Server value (sometimes called Hierarchical server name) of ServerName/Location/sub-location.  This should be given to you by your Notes admin.  Then you browse around at this level until you find the names.nsf database, typically.  In my case the database was several folders deep, but was called names.nsf.  Unfortunately I would keep getting an error when trying to provision the user object to the Notes CS.  The error was:

NoCompatiblePartitionFoundException: The partition filter criteria...

The error went away after I was given access to use a top-level database.  But the name of that database was not the default names.nsf, which led me to my next error.  When I tried to export this new user I would get:

Could not create objects in the address book. Primary address book not configured on the Lotus Notes server.

Google didn't help much to figure out this error, so I interpreted this to mean that FIM needs to write to the default database (names.nsf) first, then a secondary address book could be configured.  When I was finally given rights to export to the names.nsf address book (at the top level) the error went away, and I was able to create the user object.  Maybe someone else can explain this.

Also, while configuring the MA, remember you need to configure the certifiers.  What's a certifier, you ask?  A Notes admin explained it to me like this: the certifier represents the single OU structure like OU=abc,O=local (similar to AD), but it also includes an ID file that goes with it.  When I asked why they needed this, I was told it had something to do with security.  Oh yeah, and the ID file has a password too.  It's Notes' way of certifying that the user was created by someone authorized.

Here's a link to find standard provisioning code:  http://msdn.microsoft.com/en-us/library/windows/desktop/aa965243(v=vs.85).aspx

Provisioning code lesson
csentry("_MMS_IDStoreType").IntegerValue = 1  ' ID File as an attachment  - this means it places the ID file in the database (I think)

If you need to put the ID file somewhere, then use the following 2 lines.
csentry("_MMS_IDStoreType").IntegerValue = 2  ' ID file will be generated, then you have to tell it where you want it to go; see next line
csentry("_MMS_IDPath").Value = "\<filename>.id"  ' the path is assigned as a quoted string; <filename> is a placeholder