Question: What are the minimum rights needed for the Notes driver?
Answer: I don't think Novell has ever answered this question directly because there are many factors to consider when discussing minimum access rights for the IDM Driver for Lotus Notes. These factors vary depending on the Lotus Notes/Domino system configuration and the driver's configured integration with Lotus Notes/Domino. Many of these factors also require a reasonable amount of knowledge concerning Lotus Notes/Domino administration in the areas of security and access control, and are typically specific to the designated Notes/Domino installation and configuration.
The IDM Driver for Lotus Notes has been designed to be a 'general purpose' driver that can be leveraged in a variety of ways in various Lotus Notes and Domino environments (e.g. synchronization with names.nsf as well as other Notes (.nsf) databases, optional registration of new Notes users, optional integration with Domino AdminP, operating as a publisher only, optional synchronization of group, person, and other objects, optional setting of HTTPPasswords and user.id passwords, etc.).
When installing and integrating a new driver, a wise IDM integrator will always involve a specialist for the integrated system (Lotus Notes/Domino in this case) who is proficient in the security issues and has the ability to ensure secure installation and integration of a driver.
The following is an attempt to provide, in a question/answer format, information that is not readily available in the documentation but is pertinent to the different access rights issues associated with the IDM Driver for Lotus Notes.
Access Rights: Notes User Registration
Question: What are the minimum access rights needed within Notes (the names.nsf database) for the Notes Driver to register users?
Answer: The Notes Driver must access the names.nsf database with at least Author access to the master Domino Directory for the domain, with both the "Create documents" privilege and the "User Creator" role enabled. This is the same access required by a Domino administrator to register Notes users. Also, for Notes Driver certification operations to succeed, a Certification Log (certlog.nsf) must exist and the Notes Driver must have at least Author access with the "Create documents" privilege to the Certification Log.
It is recommended that a Manager level ACL be set on names.nsf for the Notes Driver user, because all features of the driver have been tested with that access level. Any customer is welcome to reduce the ACL for the Notes Driver person in names.nsf as needed, but if desired features of the driver then no longer function as expected, Novell recommends returning to a Manager level ACL. The Notes Address Book (names.nsf) defines specific roles that are attached to the ACL: if you expect the driver to create person objects, the driver's ACL entry must include the UserCreator role; if you expect the driver to modify person objects, it must include the UserModifier role; and so on.
Applying mailbox size quotas requires additional mail server administration rights for the Notes Driver user (person). Updating Notes user password settings also requires remote console privileges (Notes Driver v2.1 and above).
'Author' level access does not allow the driver to set up Notes user mailboxes correctly. To set up mailboxes for Notes users, the Notes Driver needs the ability to update fields holding protected flags within the Notes Address Book (names.nsf). The Notes Driver modifies the "MailFile", "MailServer", "MailDomain", and "InternetAddress" fields when setting up a Notes user mailbox, and all of these fields in the 'person' document of names.nsf carry a 'protected' flag.
A more general description of this is that Author access does not allow writing to protected fields within a document. To verify this fact, see the following online doc, and search on 'protected': http://www-12.lotus.com/ldd/doc/domino_notes/6.5m2/help65_designer.nsf/0/05c8a29bd400708c85256d42004f6980?OpenDocument
It may be helpful to cross-reference the Lotus Domino Administrator Help's "Access level privileges in the ACL" matrix and "Setting up ACL for the Administration Process" documentation with the desired features of the Notes Driver (creating user, creating mailboxes, creating groups, modifying users, modifying groups, deleting users, etc.) to best determine the lowest possible ACL settings for a specific administrator's configuration.
Access Rights: Publish only
Question(s): We want to set up a Notes to eDir one-way synchronization (publisher channel data flow) and keep the user.id the Notes Driver uses to authenticate as restricted as possible. Does anyone know which minimum rights to names.nsf, dsrepcfg.nsf, ndsrep.nsf etc. are necessary to run this scenario? Do we have to give the Notes Driver user.id Manager access to names.nsf or would something read-only be sufficient?
Do we have to give the id Manager access to names.nsf or would something read-only be sufficient?
Novell recommends granting Manager access, as it is the easiest way to guarantee full functionality of the driver. However, as you reduce the rights of the Notes Driver user.id, certain features of the driver may no longer work as you wish. If you are only trying to provide one-way synchronization for the Notes driver (publisher channel: Notes/Domino -> eDirectory), then you may be able to get away with simply providing read-only access to names.nsf. I recommend you fully test this scenario outside of the production environment to validate your specific configuration before implementing the driver's configuration within a production environment.
Does anyone know which minimum rights to names.nsf, dsrepcfg.nsf, ndsrep.nsf etc. are necessary to run this scenario?
This question does not have a quick answer, as both Domino and Identity Manager have sophisticated security systems. Each driver configuration may vary (even with only a publisher channel enabled) as to the required minimum security rights. Policies that send queries and commands to the application (Notes/Domino) may require that specific rights be in place for the NotesDriverShim within Notes/Domino for those policies to succeed.
dsrepcfg.nsf: Full access (manager) should be provided to dsrepcfg.nsf. dsrepcfg.nsf is created from the dsrepcfg.ntf template by the NotesDriverShim using the Notes user access provided by the Notes Driver user ID available in the driver configuration.
ndsrep.nsf: Access to ndsrep.nsf for the Notes Driver user should probably be full access (manager) as well, but depending on the needs of your driver you may be able to get by with less. The NotesDriverShim authenticates using the Notes Driver user.id and then expects to be able to read each record in this database to determine what has changed within the Notes synchronized database (names.nsf). Once the changes are read and passed to the DirXML engine, the record entry within ndsrep.nsf is removed. The ndsrep.nsf database therefore represents a filtered cache of modifications made within the synchronized Notes database (names.nsf); the filter is determined by the publisher filter specified within the Notes driver configuration. The database (ndsrep.nsf) is created by the Domino add-in process ndsrep and is essentially an 'empty' copy of the synchronized database (names.nsf). As such, the ACLs of the synchronized database (names.nsf) are duplicated into ndsrep.nsf at the time ndsrep.nsf is initially created by ndsrep. However, the only ACL entry that is absolutely necessary for ndsrep.nsf is the one that grants the Notes Driver user.id adequate access to ndsrep.nsf. For more detail, see the previous question in this Q/A list (What are the minimum access rights needed within Notes (the names.nsf database) for the Notes Driver to register users?).
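Because the requirements above are spread over four databases and mix access levels, privileges and roles, it helps to verify the driver user's effective ACL from the server's own point of view before starting the driver. The following is an added example (not part of the original Q/A and not code from the Notes Driver) that uses the same Notes.jar API the NotesDriverShim uses; the driver user name, server name and the check for the registration versus publisher-only scenarios are assumptions you would adjust to your own configuration.

```java
import lotus.domino.ACL;
import lotus.domino.Database;
import lotus.domino.NotesException;
import lotus.domino.NotesFactory;
import lotus.domino.NotesThread;
import lotus.domino.Session;
import java.util.Vector;

/** Reports the effective ACL of the driver user on each database the Q/A above lists. */
public class DriverAclAudit {
    // Assumed values: replace with the driver user's canonical name and the Domino server.
    static final String DRIVER_USER = "CN=IDM Notes Driver/O=ExampleOrg";
    static final String SERVER = "CN=Domino1/O=ExampleOrg";

    /** True if every expected role is present. Domino reports roles in brackets, e.g. "[UserCreator]". */
    static boolean hasRoles(Vector<?> roles, String... expected) {
        for (String r : expected) {
            if (!roles.contains(r)) return false;
        }
        return true;
    }

    /** Opens one database and compares the driver user's level, privilege bits and roles with the minimum. */
    static void check(Session s, String file, int minLevel, int privMask, String... roles) throws NotesException {
        Database db = s.getDatabase(SERVER, file);
        if (db == null || !db.isOpen()) { System.out.println(file + ": cannot open"); return; }
        int level = db.queryAccess(DRIVER_USER);            // ACL.LEVEL_NOACCESS .. ACL.LEVEL_MANAGER
        int privs = db.queryAccessPrivileges(DRIVER_USER);  // bit mask of Database.DBACL_* privileges
        Vector<?> have = db.queryAccessRoles(DRIVER_USER);
        boolean ok = level >= minLevel && (privs & privMask) == privMask && hasRoles(have, roles);
        System.out.println(file + ": level=" + level + " privs=" + privs + " roles=" + have
                + (ok ? " OK" : " INSUFFICIENT"));
        db.recycle();
    }

    public static void main(String[] args) throws NotesException {
        NotesThread.sinitThread();                // Notes.jar requires an initialized Notes thread
        Session s = NotesFactory.createSession(); // local session under the ID the JVM runs with
        try {
            // Registration scenario: Author + Create documents + [UserCreator] on names.nsf ...
            check(s, "names.nsf", ACL.LEVEL_AUTHOR, Database.DBACL_CREATE_DOCS, "[UserCreator]");
            // ... and Author + Create documents on the Certification Log.
            check(s, "certlog.nsf", ACL.LEVEL_AUTHOR, Database.DBACL_CREATE_DOCS);
            // Publisher-only scenario: Manager on the driver's own configuration and cache databases.
            check(s, "dsrepcfg.nsf", ACL.LEVEL_MANAGER, 0);
            check(s, "ndsrep.nsf", ACL.LEVEL_MANAGER, 0);
        } finally {
            s.recycle();
            NotesThread.stermThread();
        }
    }
}
```

Run it under the Notes Driver user.id (or any ID allowed to query the ACL) with Notes.jar on the classpath; a line marked INSUFFICIENT names the database whose ACL entry needs raising before the corresponding driver feature will work.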
Access Rights: Notes Database File Access
Question: Which Notes database files are accessed by the NotesDriverShim, and how are they accessed?
Answer: Notes Driver Accessing Notes Databases
ndsrep.nsf. This file is created by the ndsrep Domino server add-in process. ndsrep modifies ndsrep.nsf by adding new documents to the database as events are detected during the ndsrep polling cycle. NotesDriverShim.jar uses Notes database methods from Notes.jar to open ndsrep.nsf, detect the event documents, process them, and then delete the processed event documents.
dsrepcfg.nsf. This file is created by NotesDriverShim.jar and contains driver publisher details used by ndsrep, including the publisher filter. ndsrep uses the publisher filter stored in dsrepcfg.nsf to know which types of Notes documents and fields to publish to the publisher cache file (the ndsrep output file, ndsrep.nsf). When dsrepcfg.nsf does not already exist, NotesDriverShim.jar creates it using Notes database methods from Notes.jar and an existing Notes database template, dsrepcfg.ntf. Every time the driver starts, dsrepcfg.nsf is updated with any new publisher information. dsrepcfg.nsf is read, and can be updated, by ndsrep.
names.nsf. ndsrep polls the synchronized database on a periodic interval. The synchronized database is typically the Notes Address Book, names.nsf. All ndsrep calls are made via the Lotus cross-platform Notes C API; no calls are made to lock the database, and any file sharing is handled automatically by the Domino server. NotesDriverShim.jar uses Notes database methods from Notes.jar to open, read, and write to the synchronized database, and all of its Java methods are invoked via Notes.jar. By default, no methods are used to lock the database, and file sharing is again handled automatically by the Domino server.
admin4.nsf. In certain circumstances NotesDriverShim.jar uses Notes database methods from Notes.jar to open, read, and write to the admin4.nsf database. All Java methods are invoked via Notes.jar. By default, no methods are used to lock the database, and any file sharing is handled automatically by the Domino server.
certlog.nsf, log.nsf. All other Notes database files updated by the NotesDriverShim are updated indirectly. In other words, NotesDriverShim.jar's use of the Notes.jar APIs invokes certain methods that may cause the Domino server to update Notes/Domino databases. For example, when NotesDriverShim.jar invokes methods to register (certify) a new user, the certlog.nsf database is updated to reflect this registration. Other Notes databases updated indirectly in this manner are log.nsf and admin4.nsf.
notes.ini. The NotesDriverShim also indirectly accesses, and can modify, the notes.ini file when the NotesDriverShim initializes and authenticates to Domino.
Question: What updates the publisher filter in dsrepcfg.nsf?