Lotus Domino Connector for FIM 2010 Technical Reference

The objective of this document is to provide you with the reference information that is required to deploy the Lotus Domino connector for Microsoft® Forefront® Identity Manager (FIM) 2010. It has been updated to reflect the Connector build 5.3.259.0.

Overview of the Lotus Notes Connector

The Lotus Domino connector enables you to manage Lotus Domino resources using FIM 2010. The connector is available as a download from the Microsoft Download Center. From a high-level perspective, the following features are supported by the current release of the connector:

Requirement Support

Connect to data source

  • Server:

    • Lotus Domino 8.0.x

    • Lotus Domino 8.5.x

  • Client:

    • Lotus Notes 8.0.x

    • Lotus Notes 8.5.x

    • Lotus Notes 9.0 (Beta)

Scenario

  • Object Lifecycle Management

    • ID Vault

  • Group Management

  • Password Management

Operations

  • Full import

  • Delta import for add and updates

  • Export

  • Set and change password on HTTP password

Schema

  • Person

    • Roaming user

    • Contact (persons with no certificate)

  • Group

  • Resource (Resource, Room, Online meeting)

  • Mail-in database

  • Dynamic discovery of attributes for supported objects

The Lotus Domino connector uses the Lotus Notes client to communicate with the Lotus Domino Server. As a consequence, a supported Lotus Notes client must be installed on the FIM 2010 synchronization server. The communication between the client and the server is implemented through the Lotus Notes .NET Interop (Interop.domino.dll) interface. This interface facilitates the communication between the Microsoft .NET platform and the Lotus Notes client and supports access to Lotus Domino documents and views.

The following illustration provides a high level overview of the Lotus Domino Connector architecture:

Lotus Domino Connector Architecture

Operations will either go directly to the Domino directory or through the AdminP process. The following tables list all supported objects, operations and, if applicable, the related implementation method:

Primary Address Book

| Object | Create | Update | Delete |
|---|---|---|---|
| Person | AdminP | Direct | AdminP |
| Group | AdminP | Direct | AdminP |
| MailInDB | Direct | Direct | Direct |
| Resource | AdminP | Direct | AdminP |

Secondary Address Book

| Object | Create | Update | Delete |
|---|---|---|---|
| Person | N/A | Direct | Direct |
| Group | Direct | Direct | Direct |
| MailInDB | Direct | Direct | Direct |
| Resource | N/A | N/A | N/A |

When a resource is created a Notes document will be created. Similarly, when a resource is deleted, the Notes document will be deleted.

The following operations are not supported by the current release of the Lotus Domino connector:

  • Delta import on delete operations

  • Move mailbox between servers.

Connected Data Source Requirements

In order to manage objects using a FIM 2010 connector, you need to make sure that all requirements of the connected data source are fulfilled. This includes tasks such as opening the required network ports and granting the necessary permissions. The objective of this section is to provide an overview of the requirements of a connected data source to perform the desired operations.

Connected Data Source Permissions

To perform any of the supported tasks in the Lotus Domino 8.x connector, you must be a member of the following groups:

  • Full Access administrators

  • Administrators

  • Database Administrators

A connector is an interface that is used to connect FIM 2010 to an external data source for import and export operations. To perform these operations on the supported object types, the connector account must have sufficient permissions. The following table lists the permissions that are required for each operation:

Operation Access Rights

Import

  • Read public documents

  • Full Access Administrator (When you are a member of the Full Access administrators group, you automatically have the effective access in the ACL.)

Export and Set Password

Effective Access:

  • Create documents

  • Delete documents

  • Read public documents

  • Write public documents

  • Replicate or copy documents

In addition to the above access, the following roles must be assigned for export operations:

  • CreateResource

  • GroupCreator

  • GroupModifier

  • UserCreator

  • UserModifier

Ports and Protocols

IBM Lotus Notes client and Domino servers communicate using Notes Remote Procedure Call (NRPC) where NRPC should use TCP/IP. The default port number is 1352, but can be changed by the Domino administrator.

Connector Deployment

Before you can start with the installation of a connector, you need to make sure that the deployment prerequisites are satisfied. The objective of this section is to give you an overview of what these prerequisites are and to provide you with the required information to install and configure your Lotus Domino connector.

Deployment Prerequisites

The Lotus Domino connector depends on the Lotus Notes client being installed on the FIM Synchronization Server. Before you can start with the actual connector installation, you must ensure that the following requirements are satisfied:

  1. The Lotus Notes client must be installed on your FIM 2010 server

  2. You must start Lotus Notes once with a user that is located on the same server as the account you will use as the connector’s service account.

  3. The Lotus Domino Connector requires the default Lotus Domino LDAP schema database (schema.nsf) to be present on the Domino Directory server. You need to verify that it is present. If it is not present you can install it by running or restarting the LDAP service on the Domino server.

Note

The Lotus Domino client requires version 8.0, 8.5 or 9.0 of the Lotus Notes client to be installed.

In addition to the Lotus Notes client, the following features must be installed on your FIM 2010 server:

  • Microsoft .NET 4.0 Framework

  • FIM Synchronization Service (FIM2010 Update 2, FIM2010 R2, or later)

Client Software Installation and Configuration

The Lotus Domino connector is available as a downloadable MSI package from the Microsoft Download Center. When you install the Lotus Notes client, keep the default settings and install only the required Lotus Notes features and Client Single Logon. Single Logon is required for the connector to be able to log on to the Domino server.

Configure Extensions

Important

If you need to upgrade from Lotus Notes 7.x to Lotus Notes 8.x, the uninstallation of the old version does not remove the old notes.ini file from the location %Program Files (x86)%\IBM\Lotus\Notes, which is incompatible with the Domino connector. Before you install Lotus Notes 8.x manually, remove this file from your FIM 2010 server.

After installing the Lotus Notes Client, you must start it once with a User located on the same server as the account you will be using as the connector’s service account.

Connector Installation and Configuration

This section provides an overview of the Lotus Domino installation and configuration.

Connector Installation

The Lotus Domino connector is a standalone setup package available from Microsoft Download Center. The connector is installed at the location: %Program Files%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions.

Connector Configuration

You configure your Lotus Domino connector by using the Management Agent Designer. In the following sections, you will find configuration details for some of the designer’s configuration pages.

Create Management Agent

Lotus Notes supports only 32-bit architectures. As a consequence, the Architecture property of the Create Management Agent page must be set to x86 when you create a new connector for Lotus Domino. The following screenshot shows an example of this:

Create Management Agent

Connectivity

On the Connectivity page, you must specify the Lotus Domino server name and enter the logon credentials.

The following screenshot shows an example for the related configuration page:

Connectivity

The Domino Server property supports two formats for the server name:

  1. ServerName

  2. ServerName/DirectoryName

The “ServerName/DirectoryName” format is the preferred format for this attribute because it provides faster response when the connector contacts the Domino Server.

The provided UserID file is stored in the configuration database of the FIM 2010 synchronization service. If you have a hot-standby environment, the UserID file is automatically moved between the related FIM 2010 synchronization service servers.

If you want to use this connector for a delta import, select the DeltaImport option. You can only use a delta import for Add and Update operations. For Delete operations, you must run a full import.

When you click Next, the UserID and password configuration parameters are verified.

Global Parameters

On the Global Parameters page, you configure the time zone and the import and export operation options.

The following screenshot shows an example for the related configuration page:

Global Parameters Configuration

The Domino Server Time Zone parameter defines the location of your Domino Server.

This configuration option is required to support delta import operations because it enables the FIM 2010 synchronization service to determine changes between the last two imports.

Creation of Virtual Contact Objects

In Domino, reference attributes can contain many different formats to reference other objects. To be able to represent the different variations, the Connector implements _Contact objects, also known as Virtual Contacts (VC). These objects are created so that they can be joined to existing MV objects or projected as new objects, and in this way preserve reference attributes.

Enable creation of _Contact object for non-reference value

When this setting is enabled and the content of a reference attribute is not in DN format, a _Contact object is created.

For example, a member attribute of a group can contain SMTP addresses. It is also possible to have shortName and other attributes present in reference attributes.

By joining on the correct attributes, the _Contact objects would be a connector to the MV object.

These objects will have VC=_Contact added to their DN.

Exclude Conflict Object

In a large Domino implementation, it is possible that multiple objects have the same DN due to replication issues. In these cases, the connector would see two objects with different UniversalIDs but the same DN. This would cause a transient object to be created in the connector space. The Connector can ignore the objects that have been selected in Domino as replication victims. It is recommended to keep this checkbox selected.

Routing Information

In Domino, it is possible that a reference attribute has routing information embedded as a suffix to the DN. For example, the member attribute in a group could contain “CN=example/organization@ABC”. The suffix @ABC is the routing information. The routing information is used by Domino to send emails to the correct Domino system, which could be a system in a different organization. In the Routing Information field you can specify the routing suffixes used within the organization in scope of the Connector. If one of these values is found as a suffix in a reference attribute, the routing information is removed from the reference so it will match the DN for the object in the Connector space. If the routing suffix on a reference value cannot be matched to one of those specified, a _Contact object is created. These _Contact objects will be created with RO=@<RoutingSuffix> inserted into the DN. For these _Contact objects the following attributes are also added to allow joining to a real object if necessary: _routingName, _contactName, _displayName, and UniversalID.
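The decision rules from the Virtual Contact and Routing Information settings above, written out as an added example (not the connector's code) so that you can predict which member values of a group will surface as _Contact objects. The function and field names are hypothetical, "DN format" is approximated as a value starting with CN=, and the example does not build the final _Contact DN because the page does not give its exact layout.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Decision:
    kind: str                # "reference", "contact" or "unhandled"
    name: str                # the value with any routing suffix removed
    routing: Optional[str]   # unmatched routing suffix, e.g. "@XYZ"
    reason: str


def normalise(suffix: str) -> str:
    """Accept 'ABC' or '@ABC' in the configured list; compare case-insensitively."""
    suffix = suffix.strip()
    return (suffix if suffix.startswith("@") else "@" + suffix).lower()


def classify_reference(value: str, in_scope_suffixes: Iterable[str],
                       contact_for_non_dn: bool = True) -> Decision:
    """Apply the page's rules to one value of a reference attribute."""
    value = value.strip()
    in_scope = {normalise(s) for s in in_scope_suffixes}

    # Assumption: a value in DN format is a Notes name that starts with CN=.
    if not value.upper().startswith("CN="):
        if contact_for_non_dn:
            # "Enable creation of _Contact object for non-reference value"
            return Decision("contact", value, None, "value is not in DN format")
        # The page does not describe what happens when the setting is off.
        return Decision("unhandled", value, None, "non-DN value, setting disabled")

    base, at, tail = value.rpartition("@")
    if not at:
        return Decision("reference", value, None, "DN without routing information")
    suffix = "@" + tail
    if suffix.lower() in in_scope:
        # In-scope suffix: stripped so the value matches the DN in the connector space.
        return Decision("reference", base, None, "in-scope routing suffix removed")
    # Out-of-scope suffix: the connector creates a _Contact marked RO=@<RoutingSuffix>.
    return Decision("contact", base, suffix, "routing suffix not in configured list")


def contacts_in(members: Iterable[str], in_scope_suffixes: Iterable[str]):
    """Return the decisions for every member value that becomes a _Contact."""
    suffixes = list(in_scope_suffixes)
    decisions = (classify_reference(m, suffixes) for m in members)
    return [d for d in decisions if d.kind == "contact"]


# Constructed member list for one group; the Fabrikam and shortName entries
# are made up for this example.
SAMPLE_MEMBERS = [
    "CN=Greg Winston/OU=Contoso/O=Americas",
    "CN=example/organization@ABC",
    "CN=Partner User/O=Fabrikam@XYZ",
    "group@contoso.com",
    "jsmith",
]

if __name__ == "__main__":
    for decision in contacts_in(SAMPLE_MEMBERS, ["@ABC"]):
        print(decision.name, decision.routing, decision.reason)
```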

Multivalued Transformation

Many attributes in Lotus Domino are multi-valued. The corresponding metaverse attributes are typically single-valued. By configuring the Import and the Export operation option, you enable the connector to help with the required translation of the affected attributes, which simplifies the configuration.

Export

The Export operation option supports two modes:

  1. Append item

  2. Replace item

Replace Item – When you select this option, the connector will always remove the current values of the attribute in Domino and replace them with the provided values. The provided values can be either single-valued or multi-valued.

Example

The Assistant attribute of a person object has the following values:

  • CN=Greg Winston/OU= Contoso /O=Americas,NAB=names.nsf

  • CN=John Smith/OU= Contoso /O=Americas,NAB=names.nsf

If a new Assistant named “David Alexander” is assigned to this person object, the result is:

  • CN=David Alexander/OU= Contoso /O=Americas,NAB=names.nsf

Append Item – When you select this option, the connector will retain the existing values on the attribute in Domino and insert new values at the top of the data list.

Example

The Assistant attribute of a person object has the following values:

  • CN=Greg Winston/OU= Contoso /O=Americas,NAB=names.nsf

  • CN=John Smith/OU= Contoso /O=Americas,NAB=names.nsf

If a new Assistant named “David Alexander” is assigned to this person object, the result is:

  • CN=David Alexander/OU= Contoso /O=Americas,NAB=names.nsf

  • CN=Greg Winston/OU= Contoso /O=Americas,NAB=names.nsf

  • CN=John Smith/OU= Contoso /O=Americas,NAB=names.nsf

Import

The Import operation option supports two modes:

  1. Default

  2. Multivalued to Single Value

Default – When you select the Default option all values of all the attributes will be imported.

Multivalued to Single Value – When you select this option, a multi-valued attribute is converted into a single-valued attribute. If more than one value exists, the value on the top (this is typically also the latest value) will be used.

Example

The Assistant attribute of a person object has the following values:

  • CN=David Alexander/OU= Contoso /O=Americas,NAB=names.nsf

  • CN=Greg Winston/OU= Contoso /O=Americas,NAB=names.nsf

  • CN=John Smith/OU= Contoso /O=Americas,NAB=names.nsf

The most recent update to this attribute is “David Alexander”. Because the Import operation option is set to Multivalued to Single Value, the connector imports only “David Alexander” into the FIM 2010 connector space.

Note

The logic to convert multi-valued attributes into single-valued attributes does not apply to the member attribute of a group object or to the fullname attribute of a person object.

Configure Provisioning Hierarchy

When you configure the Lotus Domino connector, you can skip this dialog page. This is because the Lotus Domino connector does not support hierarchy provisioning.

Configure Provisioning Hierarchy

Configure Partitions and Hierarchies

When you configure partitions and hierarchies, you must select the primary address book called NAB=names.nsf.

In addition to the primary address book, you can select secondary address books if they exist.

The following screenshot shows an example for this:

Configure Extensions

Select Attributes

When you configure your attributes, you must select all attributes that are prefixed with “_MMS_”. These attributes are required when you provision new objects to Lotus Domino. The following screenshot shows an example of this:

Select Attributes

Object Lifecycle Management

This section provides an overview of the different objects in Domino.

Person Objects

The person object represents users in Organization and Organization Units. In addition to the default attributes, the Domino administrator can add custom attributes to a Person object. At a minimum, a Person object must include all mandatory attributes. For a complete list of mandatory attributes, see the related section later in this document. In order to register a person object, the following prerequisites must be met:

  • The address book (names.nsf) should have been defined and it should be the primary address book.

  • You should have the O/OU certifier Id and the password to register a particular user in the Organization / Organization Unit.

  • You need to define a specific set of Lotus Notes properties for a person object. These are used for provisioning the person object. For more details, see the section called Lotus Notes Properties later in this document.

  • The initial HTTP password for a person is an attribute and set during provisioning.

  • The person object must be one of the following three supported types:

    1. Normal User that has a mail file and a user id file

    2. Roaming User (a Normal User that includes all roaming database files)

    3. Contacts (user with no id file)

Persons (with the exception of contacts) can further be grouped into US Users and International Users as defined by the value of the _MMS_IDRegType property. These are the people who use the Notes client to access Lotus Domino servers and databases, and who have a Notes ID and a Person document. If they are using Notes mail, they also have a mail file. The user must be registered to become active. For more information, see:

  1. Setting up Notes users

  2. User Registration

  3. Managing users

  4. Renaming users

All these operations are performed in Lotus Domino and then imported into FIM 2010.

Resources and Rooms

A Resource is another type of a database in Lotus Domino. Resources can be conference rooms with various types of equipment such as video machines, overhead projectors and so on. There are sub-types of resources supported by Lotus Domino connector that are defined on the basis of the Resource Type attribute:

| Type of Resource | Resource Type Attribute |
|---|---|
| Room | 1 |
| Resource (Other) | 2 |
| Online Meeting | 3 |

Note

For the Resource object type to work, the following is required:

  • Resource Reservation database should already exist in the connected Domino server

  • The site is already defined for the Resource

The Resource Reservation database contains 3 types of documents:

  • Site Profile

  • Resource

  • Reservation

For more details on setting up the Resource Reservation database, see Setting up the Resource Reservations database.

Create, Update and Delete Resources

The Create, Update and Delete operations are performed by the Lotus Domino connector in the Resource Reservation database. As a result of this, resources are created as documents in Names.nsf (i.e. the primary address book). For more details about editing and deleting Resources, see Editing and deleting Resource documents.

Import and Export operation for Resources

Resources can be imported to and exported from FIM just like any other object type. You should select the object type as Resource during configuration. For a successful export operation, you should have details for Resource type, Conference Database and Site name.

Mail-In Databases

A Mail-In Database is a database that is designed to receive mails. It is a Lotus Domino mailbox (Notes database based on the Mail template) that is not associated with any specific Lotus Domino user account (i.e. it does not have its own ID file and password). A mail-in database has a unique UserID ("short name") associated with it and its own e-mail address.

Each user requires only one Lotus Domino account. If there is a need for a separate mailbox with its own e-mail address that can be shared among different users (e.g.: group@contoso.com), a mail-in database is created instead of an additional Notes account. The access to this mailbox is controlled through its Access Control List (ACL), which contains the names of the Notes users that are allowed to open the mailbox using their own ID files and passwords. There is no separate password required to access a mail-in database.

For a list of the required attributes, see the section called Mandatory Attributes later in this document.

When a database is designed to receive mail, a Mail-In Database document is created in Lotus Domino. This document must exist in the Domino Directory of every server that stores a copy of the database. For a detailed description of creating a Mail-In Database document, see Creating a Mail-In Database document.

Note

Before creating a Mail-In Database, the database should already exist (should have been created by Lotus Admin) at the Domino server.

Group Management

You can get a detailed overview of the Lotus Domino group management from the following resources:

Password Management

For a registered Lotus Domino user, there are two types of passwords:

  1. User password (Stored in User.id file)

  2. Internet / HTTP password

The Lotus Domino connector supports only operations with HTTP password.

In order to perform password management, you should enable password management for the connector in the Management Agent Designer. To enable password management, select Enable password management on the Configure Extensions dialog page. The following screenshot shows an example for this:

Configure Extensions

The Lotus Notes connector supports the following operations on the Internet password:

  1. Set Password: Set password will set a new HTTP/Internet password on the user in Domino. By default the account will also be unlocked. The unlock flag is exposed on the WMI interface of the Sync Engine.

  2. Change Password: In this scenario, a user might want to change the password or is prompted to change the password after a specified time. For this operation to take place, both the old and the new password are mandatory. Once changed, the new password is updated in Lotus Domino.

For more information, see:

Troubleshooting

In the context of a troubleshooting scenario, log files represent a great mechanism to get a detailed overview of a processing status. By default, Lotus Domino connector logging is disabled. You can enable logging by configuring the related logging level section in the related logging xml file.

The following shows an example of this section:

Logging level section:

<setting name="LoggingLevel" serializeAs="String"><value>0</value></setting>

To control the amount of data that is written into the log file, you set the value tag in the xml file. The Lotus Domino connector supports two log levels that are indicated by the following values:

  • 2 (High logging) – Logs events of high importance (e.g. exceptions)

  • 3 (Verbose logging) – All the activities that are performed are logged

Any value other than the two listed above switches logging off.

To turn logging on, you perform the following steps:

  1. Open file FIM_INSTALL_DIR\Synchronization Service\Extensions\Logging.xml

  2. Go to the LoggingLevel section and change the value to 2 or 3.

  3. Save the changes.

Important

If you change the log level configuration while the connector is running, you have to restart it to apply the new settings.

The log file is written to the following folder: “FIM_INSTALL_DIR”\Synchronization Service\Extensions. The name of the log file is “LotusDominoConnector.log”.
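A small helper for reading and changing the LoggingLevel value described above, for example to confirm that verbose logging was switched back off after a troubleshooting session. This is an added example, not part of the connector: the function names are hypothetical and the <settings> wrapper in the sample is constructed, since the page shows only the <setting> element.

```python
import xml.etree.ElementTree as ET

# Values documented on the page; any other value means logging is off.
LEVELS = {"2": "high", "3": "verbose"}

# Constructed sample: only the <setting> element appears on the page, the
# <settings> parent stands in for whatever surrounds it in Logging.xml.
SAMPLE_XML = (
    '<settings>'
    '<setting name="LoggingLevel" serializeAs="String"><value>0</value></setting>'
    '</settings>'
)


def value_node(root):
    """Locate the <value> element of the LoggingLevel setting at any depth."""
    node = root.find(".//setting[@name='LoggingLevel']/value")
    if node is None:
        raise ValueError("no LoggingLevel setting found")
    return node


def logging_state(xml_text):
    """Return 'high', 'verbose' or 'off' for the given Logging.xml content."""
    # Assumption: whitespace around the number is ignored.
    raw = (value_node(ET.fromstring(xml_text)).text or "").strip()
    return LEVELS.get(raw, "off")


def set_logging_level(xml_text, level):
    """Return the XML with LoggingLevel set to 2 (high), 3 (verbose) or 0 (off)."""
    if str(level) not in ("0", "2", "3"):
        raise ValueError("use 2 (high), 3 (verbose) or 0 (off)")
    root = ET.fromstring(xml_text)
    value_node(root).text = str(level)
    # ElementTree drops comments and the XML declaration when re-serialising.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(logging_state(SAMPLE_XML))
    print(logging_state(set_logging_level(SAMPLE_XML, 3)))
```

As the page notes, a running connector has to be restarted before a changed level takes effect.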

Log File size restrictions

By default, the maximum log file size is restricted to 10 MB. When a log file exceeds this size limitation, a new log file is created and the old log file is renamed to “LogFileName.Index.log”.

Important

It is highly recommended to exclude the log file name from your antivirus scanner so that the scanner does not engage the file while the connector is accessing it.

Performance Testing

This section provides a summary of performance information that was gathered in a lab environment.

The data is based on the following configuration:

Scale Topology Hardware
  • Domino Server, configured with two Address Books – Primary and Secondary NABs

  • 1000 Persons

  • 1000 Groups

  • Average of 10 Members per group

  • Single server

  • FIM Synchronization Service and FIM Synchronization database, Lotus Notes Client collocated on one server

Both servers have the same hardware:

  • 2-gigabyte (GB) SDRAM

  • Intel® Xeon® 2.27GHz Processor

  • Single hard disk volume

Note

The server hardware in this example is not representative of a large organization. The objective of the provided numbers is just to outline the difference between various operations. Microsoft cannot guarantee that organizations will experience the same capacity or performance characteristics, even if the FIM synchronization service instances are deployed and configured identically to the configuration described in this guide.

The tests and results shown in the following table were gathered using scripted provisioning code. The Lotus Domino connector was connected to the Domino Server with 2 address books as shown in the previous table.

| Operation | Elapsed time (minutes: seconds) | Statistics | Rate |
|---|---|---|---|
| Full Import (Person Object) | 02:09 | Add: 1000 Persons | 8 objects read / second |
| Full Import (Group Object) | 01:00 | Add: 1000 Groups | 16.7 objects read / second |
| Delta Import (Person Object) | 03:24 | Add: 1000 Persons | 4.90 records read/second |
| Delta Import (Person Object) | 1:58 | Update: 1000 Persons | 7.24 records read/second |
| Delta Import (Group Object) | 24:05 | Add: 1000 Groups | 0.7 records read/second |
| Delta Import (Group Object) | 01:16 | Update: 1000 Groups | 7.24 records read / second |
| Export (Person Object) | 46:05 | Add: 1000 Persons | 0.53 records exported / second |
| Export (Person Object) | 00:22 | Update: 1000 Persons | 46 objects updated / second |
| Export (Person Object) | 24:10 | Delete: 1000 Persons | 0.69 records deleted / second |
| Export (Group Object) | 999:00 | Add: 1000 Groups | 0.17 records exported / second |
| Export (Group Object) | 27:06 | Update: 1000 Groups | 0.625 objects updated / second |
| Export (Group Object) | 00:45 | Delete: 1000 Groups | 39 objects deleted / second |

In production environments with real data, customers have reported a full import rate of between 50,000 and 100,000 objects/hour.

Reference Information

This section lists reference information such as attribute descriptions and attribute requirements for the Lotus Notes connector.

Lotus Notes Properties

When you provision Person objects to your Lotus Domino directory, your objects must have a specific set of properties with specific values populated. These values are only required for Create operations.

The following table lists these properties and provides a description of them.

Property Description

_MMS_AltFullName

The alternate full name of user.

_MMS_AltFullNameLanguage

The language to be used for specifying the alternate full name of user.

_MMS_CertDaysToExpire

The number of days from the current date before the certificate expires. If not specified, the default date is two years from the current date.

_MMS_Certifier

Property that contains the organizational hierarchy name of the certifier. For Example: OU=OrganizationUnit,O=Org,C=Country.

_MMS_IDPath

If the property is empty, no user identification file is created locally on the Sync Server. If the property contains a file name, a user ID file is created in the madata folder. The property can also contain a full path, in which case the user ID file is created in that location.

_MMS_IDRegType

Persons can be classified into contacts, U.S. users and international users. The following table lists the possible values:

 

| Value | Description |
|---|---|
| 0 | Contact |
| 1 | U.S. user |
| 2 | International user |

_MMS_IDStoreType

Required property for U.S. and international users. The property contains an integer value that specifies whether the user identification is stored as an attachment in the Notes address book or in the person’s mail file. If the User ID file is an attachment in the address book, it can optionally be created as a file with _MMS_IDPath.

 

| Value | Description |
|---|---|
| Empty | 1. Store ID file in ID Vault. 2. No identification file (used for Contacts). |
| 1 | Attachment in the Notes address book. The _MMS_Password property must be set for user identification files that are attachments. |
| 2 | Store ID in person’s Mail File. The _MMS_UseAdminP property must be set to false to let the mail file be created during the Person registration. The _MMS_Password property must be set for user identification files. |

_MMS_MailQuotaSizeLimit

The number of megabytes that are allowed for the e-mail file database.

_MMS_MailQuotaWarningThreshold

The number of megabytes that are allowed for the e-mail file database before a warning is issued.

_MMS_MailTemplateName

The e-mail template file that is used to create the user's e-mail file. If a template is specified, the mail file is created using the specified template. If no template is specified, the default template file is used to create the file.

_MMS_OU

Optional property that is the OU name under the certifier. This property should be empty for contacts.

_MMS_Password

Required property for users. The property contains the password for the identification file of the object.

_MMS_UseAdminP

The property should be set to true if the mail file should be created by the AdminP process on the Domino server (asynchronous to the export process). If the property is set to false, the mail file is created with the Domino user (synchronous in the export process).

Important

For a user with an associated identification file, the _MMS_Password property must contain a value. For e-mail access through the Lotus Notes client, the MailServer and MailFile properties of a user must contain a value. To access e-mail through a Web browser, the following properties must contain values:

  • MailFile - Required property that contains the path on the Lotus Domino server where the mail file is stored.

  • MailServer - Required property that contains the name of the Lotus Domino server. This is the name to use when you create the Lotus mail file on the Domino server.

  • HTTPPassword - Optional property that contains the Web access password for the object.

To access the Domino Server without mail capability, the HTTPPassword property must contain a value, and the MailFile property and the MailServer property can be empty.

Note

With _MMS_IDStoreType = 2 (store ID in mail file), the MailSystem property of the NotesRegistration class will be set to REG_MAILSYSTEM_INOTES (3).

Mandatory Attributes of the Lotus Notes Connector Objects

The Lotus Notes connector mainly supports four types of objects (document types) in the FIM 2010 synchronization service:

  • Group

  • Mail-In Database

  • Person

  • Resource

This section lists the attributes that are mandatory for each supported object type in order to export object to a Domino server.

Object Type Mandatory Attributes

Group

  • ListName

Mail-In Database

  • FullName

  • MailFile

  • MailServer

  • MailDomain

Person

  • LastName

  • MailFile

  • ShortName

  • _MMS_Password

  • _MMS_IDStoreType

  • _MMS_Certifier

  • _MMS_IDRegType

  • _MMS_UseAdminP

Contact (Person with no certifier)

  • _MMS_Certifier

  • _MMS_IDRegType

Resource

  • FullName

  • ResourceType

  • ConfDB

  • ResourceCapacity

  • Site

  • DisplayName

  • MailFile

  • MailServer

  • MailDomain
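A pre-export check built from the Lotus Notes Properties and Mandatory Attributes tables above, added here as an illustration (it is not part of the connector or of the original documentation). It assumes the attributes of an object arrive as a plain dictionary; the function and constant names are hypothetical, and an empty _MMS_IDStoreType counts as a supplied value because the page lists "Empty" as one of its settings.

```python
# Mandatory attributes per object type, copied from the table on this page.
MANDATORY = {
    "Group": ["ListName"],
    "Mail-In Database": ["FullName", "MailFile", "MailServer", "MailDomain"],
    "Person": ["LastName", "MailFile", "ShortName", "_MMS_Password",
               "_MMS_IDStoreType", "_MMS_Certifier", "_MMS_IDRegType",
               "_MMS_UseAdminP"],
    "Contact": ["_MMS_Certifier", "_MMS_IDRegType"],
    "Resource": ["FullName", "ResourceType", "ConfDB", "ResourceCapacity",
                 "Site", "DisplayName", "MailFile", "MailServer", "MailDomain"],
}

# Empty is a documented setting for this property (ID Vault, or no ID file
# for contacts), so only the presence of the key is required.
EMPTY_IS_A_VALUE = {"_MMS_IDStoreType"}


def text(value):
    """Normalise an attribute value to a stripped string ('' when unset)."""
    return "" if value is None else str(value).strip()


def check_registration(object_type, attrs):
    """Cross-property rules for Person and Contact objects."""
    findings = []
    reg = text(attrs.get("_MMS_IDRegType"))
    store = text(attrs.get("_MMS_IDStoreType"))
    expected = ("0",) if object_type == "Contact" else ("1", "2")
    if reg and reg not in expected:
        findings.append(f"_MMS_IDRegType: expected {' or '.join(expected)} "
                        f"for object type {object_type}")
    if object_type == "Contact" and text(attrs.get("_MMS_OU")):
        findings.append("_MMS_OU: should be empty for contacts")
    if store not in ("", "1", "2"):
        findings.append("_MMS_IDStoreType: expected empty, 1 or 2")
    if store in ("1", "2") and not text(attrs.get("_MMS_Password")):
        findings.append("_MMS_Password: must be set when _MMS_IDStoreType is 1 or 2")
    if store == "2" and text(attrs.get("_MMS_UseAdminP")).lower() != "false":
        findings.append("_MMS_UseAdminP: must be false when _MMS_IDStoreType is 2")
    return findings


def validate(object_type, attrs):
    """Return a list of findings; an empty list means every check passed.

    Findings name attributes only and never echo their values, so the
    contents of _MMS_Password do not end up in console output or tickets.
    """
    if object_type not in MANDATORY:
        raise ValueError(f"unsupported object type: {object_type}")
    findings = []
    for name in MANDATORY[object_type]:
        if name not in attrs:
            findings.append(f"{name}: mandatory attribute is missing")
        elif not text(attrs[name]) and name not in EMPTY_IS_A_VALUE:
            findings.append(f"{name}: mandatory attribute is empty")
    if object_type in ("Person", "Contact"):
        findings += check_registration(object_type, attrs)
    elif object_type == "Resource":
        resource_type = text(attrs.get("ResourceType"))
        if resource_type and resource_type not in ("1", "2", "3"):
            findings.append("ResourceType: expected 1 (Room), 2 (Resource) "
                            "or 3 (Online Meeting)")
    return findings


# Constructed sample object with placeholder values (not from the page).
SAMPLE_PERSON = {
    "LastName": "Alexander",
    "ShortName": "dalexander",
    "MailFile": "mail\\dalexander.nsf",
    "_MMS_Password": "<placeholder>",
    "_MMS_IDStoreType": 2,
    "_MMS_Certifier": "OU=OrganizationUnit,O=Org,C=Country",
    "_MMS_IDRegType": 1,
    "_MMS_UseAdminP": True,
}

if __name__ == "__main__":
    for finding in validate("Person", SAMPLE_PERSON):
        print(finding)
```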

Common issues and questions

Schema detection does not work

To be able to detect the schema it is necessary that the schema.nsf file is present on the Domino server. This file will only appear if LDAP is installed on the server. If the schema is not detectable, please verify the following:

  • The file schema.nsf is present at the root folder of the Domino Server

  • The user has permissions to see the schema.nsf file.

  • Force a restart of the LDAP server. Open ‘Lotus Domino Console’ and use the ‘Tell LDAP ReloadSchema’ command to reload the schema.

Not all secondary address books are visible

The Domino Connector relies on the feature Directory Assistance to be able to find the secondary address books. If the secondary address books are missing, please verify if Directory Assistance has been enabled and configured on the Domino Server. https://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin85.doc%2FH_ABOUT_DIRECTORY_ASSISTANCE.html

Custom attributes in Domino

There are several ways in Domino to extend the schema so it will appear as a custom attribute consumable by the Connector.

Approach 1: Extend Lotus Domino schema

  1. Create a copy of the Domino Directory Template <PUBNAMES.NTF> by following the steps at the URL below (you should not customize the default IBM Lotus Domino directory Template): https://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin85.doc%2FH_CREATING_A_COPY_OF_THE_DEFAULT_PUBIC_ADDRESS_BOOK_TEMPLATE.html

  2. Open the copy of the Domino directory template that you just created <CONTOSO.NTF> in Domino Designer and follow the steps below:

    1. Click on Shared Elements and expand Subforms

    2. Double-click the $<ObjectName>InheritableSchema subform (where <ObjectName> is the name of the default structural object class, for example Person).

    3. Choose a name for the attribute you want to add to the schema <MyPersonAttribute> and create the corresponding field by opening the “Create” menu and selecting ‘Field’.

    4. In the added field, set its properties by selecting its Type, Style, size, font and other related parameters on field Properties window.

    5. Keep the attribute's Default value the same as the name given to that attribute (e.g. if the attribute name is MyPersonAttribute, set the default value to the same name).

    6. Save the $<ObjectName>InheritableSchema subform with the updated values.

  3. Replace the Domino Directory Template <PUBNAMES.NTF> with the new customized template <CONTOSO.NTF> by following the steps at the URL below: https://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin85.doc%2FH_ABOUT_RULES_FOR_CUSTOMIZING_THE_PUBLIC_ADDRESS_BOOK.html

  4. Close Domino Admin and open Domino Console to restart the LDAP service and to Reload the LDAP Schema:

    1. In the Domino Console, enter the following command in the “Domino Command” text field to restart the LDAP service: Restart Task LDAP. See https://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin85.doc%2FH_STARTING_AND_STOPPING_THE_LDAP_SERVER_OVER.html

    2. To reload the LDAP schema, use the Tell LDAP command: Tell LDAP ReloadSchema

  5. Open Domino Admin and select the People & Groups tab to verify that the added attribute is reflected in the Domino Add Person form.

  6. Open Schema.nsf from the ‘Files’ tab and verify that the added attribute is reflected in the dominoPerson LDAP object class.

Approach 2: Create an auxClass with custom attribute and associate with the object class

  1. Create a copy of the Domino Directory Template <PUBNAMES.NTF> by following the steps at the URL below (never customize the default IBM Lotus Domino directory Template): https://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin85.doc%2FH_CREATING_A_COPY_OF_THE_DEFAULT_PUBIC_ADDRESS_BOOK_TEMPLATE.html

  2. Open the copy of the Domino directory template that you just created <CONTOSO.NTF> in Domino Designer.

  3. In the left pane, select Shared Code and then Subforms.

  4. Click New Subform

  5. Do the following to specify the properties for the new subform:

    1. With the new subform open, choose Design - Subform Properties

    2. Next to the Name property, enter a name for the auxiliary object class -- for example, TestSubform.

    3. Keep the Options property "Include in Insert Subform... dialog" selected

    4. Deselect the Options property "Render pass through HTML in Notes."

    5. Leave the other properties the same, and close the Subform Properties box.

    6. Save and close the new subform.

  6. Do the following to add a field to define the auxiliary object class:

    1. Open the subform you just created.

    2. Choose Create - Field.

    3. Next to Name on the Basics tab of the Field dialog box, specify any name, for example: <MyPersonTestAttribute>.

    4. In the added field, set its properties by selecting its Type, Style, size, font and related properties.

    5. Keep the attribute's Default value the same as the name given to that attribute (e.g. if the attribute name is MyPersonTestAttribute, set the default value to the same name).

    6. Save the subform with the updated values and do the following:

      1. In the left pane, select Shared Code and then Subforms

      2. Select the new subform, and choose Design - Design Properties.

      3. Click the third tab from the left, and select "Propagate this prohibition of design change".

  7. Open the $<ObjectName>ExtensibleSchema subform (where <ObjectName> is the name of the default structural object class, for example Person).

  8. Choose Insert Resource, select the subform you just created (for example, TestSubform), and save the $<ObjectName>ExtensibleSchema subform.

  9. Replace the Domino Directory Template <PUBNAMES.NTF> with the new customized template <CONTOSO.NTF> by following the steps at the URL below: https://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin85.doc%2FH_ABOUT_RULES_FOR_CUSTOMIZING_THE_PUBLIC_ADDRESS_BOOK.html

  10. Close Domino Admin and open Domino Console to restart the LDAP service and to Reload the LDAP Schema:

    1. In the Domino Console, enter the following command in the “Domino Command” text field to restart the LDAP service: Restart Task LDAP. See https://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin85.doc%2FH_STARTING_AND_STOPPING_THE_LDAP_SERVER_OVER.html

    2. To reload the LDAP schema, use the Tell LDAP command: Tell LDAP ReloadSchema

  11. Open Domino Admin and select the People & Groups tab to verify that the added attribute is reflected in the Domino Add Person form (under the Others tab).

  12. Open Schema.nsf from the ‘Files’ tab and verify that the added attribute is reflected under the TestSubform LDAP Auxiliary object class.

Approach 3: Add the custom attribute to the ExtensibleObject class

  1. Open the <Schema.nsf> file located in the root directory.

  2. Select LDAP Object Classes from the left menu under ‘All Schema Documents’ and click the “Add Object class” button.

  3. Provide an LDAP Name in the form <###ExtensibleSchema> (where ### is the name of the default structural object class, e.g. Person) for the object whose schema you want to extend. For example, to extend the schema for the Person object class, provide the LDAP name <PersonExtensibleSchema>.

  4. Provide the Superior Object class name for which you want to extend the schema. For example, to extend the schema for the Person object class, provide the Superior Object class name <dominoPerson>.

  5. Enter a valid OID corresponding to the object class.

  6. Select the extended/custom attributes under the Mandatory or Optional Attribute Types fields as required.

  7. After adding the required attributes to the ExtensibleObjectClass, click the “Save & Close” button.

  8. An ExtensibleObjectClass with the extended attributes will be created for the respective default object class.
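The final verification steps of Approaches 2 and 3 (the attribute appears under the TestSubform auxiliary class or the PersonExtensibleSchema class) can also be checked from the LDAP side after a schema reload. The following Python code is an added example, not part of the connector or of the original reference; it assumes the objectClasses values have already been read from the server's LDAP schema entry in RFC 4512 format, and the sample values and OIDs are constructed.

```python
import re

# Tokens of an RFC 4512 ObjectClassDescription: parens, '$', quoted strings, bare words.
_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
_KINDS = {"ABSTRACT", "STRUCTURAL", "AUXILIARY"}

def parse_object_class(definition):
    """Parse one objectClasses value; a class naming no kind is STRUCTURAL (RFC 4512)."""
    tokens = _TOKEN.findall(definition)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("not an RFC 4512 object class description")
    parsed = {"names": [], "sup": [], "kind": "STRUCTURAL", "must": [], "may": []}
    pos, end = 2, len(tokens) - 1  # tokens[1] is the numeric OID
    while pos < end:
        keyword, pos = tokens[pos], pos + 1
        if keyword in _KINDS:
            parsed["kind"] = keyword
        elif keyword != "OBSOLETE":  # every other keyword carries a value
            if tokens[pos] == "(":  # parenthesised, '$'-separated list
                close = tokens.index(")", pos)
                values = [t.strip("'") for t in tokens[pos + 1:close] if t != "$"]
                pos = close + 1
            else:
                values = [tokens[pos].strip("'")]
                pos += 1
            if keyword in ("NAME", "SUP", "MUST", "MAY"):  # DESC, X-* are skipped
                parsed["names" if keyword == "NAME" else keyword.lower()] = values
    return parsed

def classes_publishing(definitions, attribute):
    """Map class name -> (kind, superiors) for each class listing `attribute`."""
    found = {}
    for definition in definitions:
        oc = parse_object_class(definition)
        listed = {a.lower() for a in oc["must"] + oc["may"]}
        if attribute.lower() in listed and oc["names"]:
            found[oc["names"][0]] = (oc["kind"], oc["sup"])
    return found

# Constructed sample: placeholder OIDs, class and attribute names from the page's examples.
SAMPLE = [
    "( 1.2.3.1 NAME 'dominoPerson' DESC 'stub (constructed)' SUP top MAY ( mail $ sn ) )",
    "( 1.2.3.2 NAME 'TestSubform' AUXILIARY MAY MyPersonTestAttribute )",
    "( 1.2.3.3 NAME 'PersonExtensibleSchema' SUP dominoPerson MAY ( MyPersonAttribute ) )",
]

if __name__ == "__main__":
    for attr in ("MyPersonTestAttribute", "MyPersonAttribute", "NotYetReloaded"):
        print(attr, "->", classes_publishing(SAMPLE, attr) or "not published")
```

An empty result means the attribute is not listed by any published object class, which is the case to follow up with the Tell LDAP ReloadSchema step.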

Release Notes

Exporting group members is not supported when the member is a group located in the root of the address book.
To work around this limitation, move the groups to a sub-OU.