ID Vault in Lotus Notes/Domino 8.5 solves many problems found in the previous password recovery feature. Given the interest in the ID Vault, this tip details how to set up the ID Vault from scratch and documents all the steps. You'll find detailed instructions for several ID Vault operations -- including how to store new and existing users in the vault and how to reset a password -- as well as the solutions to gotchas I encountered along the way.

I set up the ID Vault on a Linux/Domino 8.5 server, using Domino Administrator 8.5.1 on Windows. After creating the vault, I stored some ID files in the vault, then used the vault to recover an ID file and reset a password.
To create the ID Vault

- From Domino Administrator, File -> Open Server to select the target server.
- Go to the Configuration tab and choose ID Vaults -> Create, on the far right side, which starts a very helpful wizard to guide you through the whole process.
- Set the Notes ID Vault Name to something short and simple. This will be the name of a new organization certifier, which will manage the vault. Something like AcmeVault works well enough.
- Set the description of the ID Vault. This will become the database title of the vault .nsf file. You can use something like Acme Corp ID Vault.
- Set a strong and secure vault password. Next, make sure the vault server is correct.
- Your name will automatically be listed as one of the vault administrators. Normally, you'd want to add some other administrators, unless you work for a very small organization. These administrators will be able to control the vault itself, specifically adding and removing other administrators. This is not the list of people who can reset a password; that will come later in the tip.
- Select the organizations that will trust this vault by choosing their certifier ID files. Usually, this is your top-level organization, such as /Acme. But it may also be one or more of your organizational units, such as /Accounting/Acme or /IT/Acme.
- Be sure to select only the relevant organizational units if you're setting up separate ID vaults for other organizational units. Note that you must have the certifier ID for the organization(s) and know their passwords.
- Individual users are assigned to an ID Vault by the Security Settings document within the relevant policy. The next step allows you to perform this setup with several options, depending on whether you already have an organization policy, want to start a new policy or would like to set up the policy later. I chose to create a new policy for my entire organization.
- The last screen of the wizard displays all the choices you've made, so you can double-check them before any real action is taken. Some of the choices cannot be undone later, so be sure to read the screen carefully.
- After verifying your choices, press the button to create the ID Vault. During this process, you'll be asked to find the certifier IDs and to enter their passwords.
- The wizard creates an on-screen log file of its work, with the option to copy the entire text to the clipboard when it's done. I suggest copying it, then saving the log somewhere for later reference.
To store a new user ID in the vault

- Make sure that the relevant policy -- in my case, a single organization-wide policy -- contains settings documents for both registration and security. Also make sure that the security setting specifies the ID Vault. By default, the built-in ID Vault wizard creates a policy without registration settings. Note: This caused a new user registration to fail during my test. The fix was simple. I added a standard registration settings document to the organization policy containing two entries: a setting name and the server name.
- New users will now automatically have their ID files uploaded to the ID Vault during the user registration process.
To store an existing user ID in the vault

- Make sure that existing users are covered by a policy -- in my case a single organization-wide policy -- and that this policy contains a security setting which specifies the ID Vault.
- When the above condition is met, existing user ID files will be uploaded to the ID Vault automatically.
- Be aware that Notes/Domino does not immediately upload existing ID files to the vault. The client and server work together to perform the upload on a reasonable schedule, so that the server doesn't get swamped when a new vault is created.
- You can force an ID file to be uploaded immediately by switching IDs on a workstation, then switching back to the original ID.
To recover a lost ID file

- To recover a lost ID file completely -- not just reset its password -- the administrator doing the recovery must have the [Auditor] role in the access control list (ACL) of the ID Vault database.
- Using the Domino Administrator client, select the name of the person with the missing ID file in the People view.
- On the right-hand side of the screen, under Tools -> ID Vaults, select Extract ID From Vault and follow the prompts. You should be able to override the default filename of the ID file, so that it's something like jsmith.id instead of user.id.
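Because the [Auditor] role is what lets an administrator pull a complete ID file out of the vault, it is worth checking periodically who actually holds it. The following LotusScript agent is an added example, not code from the original tip or from IBM; it walks the vault database's ACL and reports every entry with [Auditor] enabled. The server name and the vault .nsf path are placeholders you must replace with your own.

```lotusscript
Option Declare

' Added example (not from the original tip): report every ACL entry in the
' ID Vault database that has the [Auditor] role enabled, i.e. everyone who
' can extract complete ID files rather than merely reset passwords.
Sub ListVaultAuditors(serverName As String, vaultPath As String)
    Dim session As New NotesSession
    Dim vaultDb As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim auditorCount As Integer

    Set vaultDb = session.GetDatabase(serverName, vaultPath)
    If Not vaultDb.IsOpen Then
        Error 1000, "Cannot open vault database " & vaultPath & " on " & serverName
    End If

    Set acl = vaultDb.ACL
    Set entry = acl.GetFirstEntry()
    Do Until entry Is Nothing
        If entry.IsRoleEnabled("[Auditor]") Then
            ' Level is the numeric ACL access level (e.g. 6 = Manager)
            Print entry.Name & " (access level " & entry.Level & ") holds [Auditor]"
            auditorCount = auditorCount + 1
        End If
        Set entry = acl.GetNextEntry(entry)
    Loop

    Print auditorCount & " ACL entr(y/ies) can extract ID files from " & vaultPath
End Sub

Sub Initialize
    ' Placeholders (assumed, not from the tip): your vault server and the
    ' path of the vault .nsf relative to the Domino data directory.
    Call ListVaultAuditors("VaultServer/Acme", "path/to/vault.nsf")
End Sub
```

Run it as a scheduled or manually triggered agent from an ID that can open the vault database; comparing its output against the list of administrators chosen during the wizard is a quick way to spot an [Auditor] grant that should not be there.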
To reset a Lotus Notes user's password

- To reset the password of a Notes ID file, the person doing the reset must have password reset authority for that group of users. This is controlled by the ID Vault administrator and is set with Tools -> ID Vaults -> Password Reset Authority.
- Using the Domino Administrator client, select the name of the person who needs a password reset in the People view.
- On the right-hand side of the screen, under Tools -> ID Vaults, select Reset Password and follow the prompts.
Chuck Connell