Still see old domain user/company/oldcompany info when setting up notes users

On Domino 6.5, when installing a Notes client and putting in a user's name, it gives me the user's old domain.
The server used to be set up as user/company/oldcompany; now it is just user/company. For example, joe/widget/pacific is now just joe/widget.

I am assuming that when a change of domain name was done, something was missed. I don't have this problem with newly created clients.

The last direction I was going towards was re-doing the fixname agent on the public address book.
Looking in each individual user's information, I cannot see any sign of the /company/oldcompany anywhere.



Asked by: packetdrivers

Sjef Bosman (Groupware Consultant) commented:
See File/Preferences/Administration Preferences, Registration

qwaletee commented:
I'm confused. Where do you see the old name? During client setup? When entering an e-mail address?

AFAIK, in the client setup, there is no place where Notes would give YOU the certifier hierarchy -- you would be the one telling Notes what the hierarchy is.

And for mail addressing, well, just because you HAVE a new certifier, and all your SERVERS use the new certifier, and NEW USERS are REGISTERED with the new certifier, does not mean you are done. Because any user registered with the old certifier still exists as he or she always did, with the old certificate and the corresponding old name.

You need to recertify those users. Don't do it using an agent in the directory, unless the users don't have Notes ID files, because doing that only fixes the directory entry, and leaves the user with a still-outdated ID file.

If I've misread you, please explain.

packetdrivers (Author) commented:
I see the old name during client setup. I would enter the user name and server name, and during the password prompt for that user it would read user/company/oldcompany instead of user/company.

Email seems to route fine.

I noticed when I do a search while looking at the public address book and using the Domino Admin tool, that I get about 43 hits when I put in the "oldcompany" value. Yet when I actually look at those users I do not see the "oldcompany".

Bozzie4 commented:
Users (IDs) that haven't connected to the server since you did the rename will still have the OLD hierarchical name. They must connect; the server will update the data in the actual ID file and complete the 'rename' process for that user. If the next time you connect using that ID you STILL get the old org. name, it's time to start worrying.

Also (I don't know if this applies for renaming of certificates), when you rename a user and that user doesn't connect using his notes.id within 20 days, the rename will cancel. On the other hand, if the rename is 'in process', the users that haven't connected yet will have a FullName field on their person document that contains both names (check that: it's the field with the UserName: label). So there would be
cn=joe/ou=widget/o=pacific
cn=joe/o=widget

in there (plus all other aliases you may have added).

cheers,

Tom

packetdrivers (Author) commented:
I only get this problem when I am installing a fresh Notes on a computer. I believe the ID files are fine, because when I specify ID files to use for the client install it shows as user/widget. However, when I try to have the install look for the username by just adding the username and the server name, it shows as user/widget/pacific instead of user/widget, and does not allow me to continue to install Notes.

I know that before me, the Domino environment used to be user/widget/pacific and then they changed it to user/widget.

The username label contains 2 entries, user/widget and user. But not user/widget/pacific.
I played with an LDAP export in the past with the public address book, and didn't see any references to /pacific.

Bozzie4 commented:
So you still have ID files attached in your person documents? Get them out ASAP; it's bad practice to keep them there. Anyway, these ID files are probably still the original ones, and are not updated with the new data. If you install a fresh Notes, copy over the ID file that you a) freshly registered or b) that the user was using on his old PC.

cheers,

Tom

qwaletee commented:
*** Where are you getting the ID file for the new install of old IDs? ***

Important background information:

Lotus Notes uses PKI-based authentication, which uses certificates. Those certificate names are what appear after the slash in the user name. PKI is decentralized -- the user identity is maintained in the ID file. The directory entry just provides a mechanism for mail delivery and permissions (from the perspective of the Notes client), as well as some control information useful to the client and the server.

Changing the directory in no way affects the ID file. In fact, if you make multiple copies of the same ID file, you can change them separately -- different passwords, different certificate expiration dates (if some copies accept renewal and some do not), different names (if a name change is accepted by some but not others), and different certificates (if recertified with a different certifier -- such as your case -- and only some accept).

When IDs are created, the admin is offered the choice of saving them to the person doc, a local file, or both. In addition, if set up to do so, a copy may be placed in a special "vault" database.

When setting up a client, it asks you for the ID file. You can tell it to look in the directory, or to use a local file you will supply. If you chose the directory option, it will try to remove the file from the directory after downloading it, to prevent abuse and attacks. If it fails to detach, it will still exist in the directory.

When you rename or recertify a person, the results can either be saved to a file for you to distribute, or sent via e-mail for the person to accept. Any copy on the person document will NEVER be updated this way. Any copies in the "vault" will be unchanged. Any copies on someone's hard drive that are not updated by the user will also be left with the old name/certificate.

Now, does this begin to add up for your case?

packetdrivers (Author) commented:
This does begin to add up.
I do see the .id files when I look at a person's document. I'll look at removing them.

Yes, we have been saving the .id files to a directory, and then using the IDs to install Notes. A problem is I would type in the person's name and I wouldn't get the option to locate the .id file because it would prompt with the person/widget/pacific and ask for a password. I can put in a bogus name and then point to the .id file, which would give me the correct person/widget.

So then you're saying my problem is there are old .id files attached to the person documents of those users, and I should "unattach" them or update them. I suppose the bad practice part is allowing a user to try to hack a user's password if the ID is attached; whereas if the ID is not attached they would have to know where to locate that .id file.

Bozzie4 commented:
Yes, if the ID is attached everybody can download them and start trying to hack them. You'd better store them somewhere else: a protected drive on a file server, a floppy disk, a disconnected media type (USB hard drive), a Notes database, the administrator workstation, ... somewhere not everybody has access to them, but where you can access them if you need them (like when installing a new PC, you bring the USB hard drive along which holds the passwords). There are many opinions on what you should do, but one thing is clear: it should not be the Domino Directory :-)

I'll get you an agent to download the ID files and remove them (you are on 6.5, right?)

cheers,

Tom

Bozzie4 commented:
(code snippet, some declarations are missing!)

Option Declare

' Declarations the snippet did not include. PAB_PERSONVIEW is the standard
' People view of the Domino Directory; TEMP_DRIVE is an assumed local folder
' where the downloaded ID files are written.
Const PAB_PERSONVIEW = "People"
Const TEMP_DRIVE = "C:\Temp"

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase          ' database holding the fLOG documents (the current one)
    Dim pab As NotesDatabase         ' Domino Directory (names.nsf) on the same server
    Dim reg As NotesRegistration
    Dim personview As NotesView
    Dim persondoc As NotesDocument
    Dim doc As NotesDocument
    Dim hasid As Boolean
    Dim hasADefaultPassword As Boolean
    Dim continue As Boolean
    Dim personHashedPassword As String   ' printed by the snippet but never filled in

    Set db = session.CurrentDatabase
    Set pab = New NotesDatabase(db.Server, "names.nsf")
    continue = pab.IsOpen

    Set reg = New NotesRegistration
    reg.RegistrationServer = db.Server

    If continue Then
        Set personview = pab.GetView(PAB_PERSONVIEW)

        Set persondoc = personview.GetFirstDocument
        Do While Not persondoc Is Nothing
            hasid = False
            hasADefaultPassword = False
            Print "Processing " + persondoc.FullName(0) + " " + personHashedPassword
            ' This creates a log document in a database, where you can store the ID file
            Set doc = db.CreateDocument
            doc.Form = "fLOG"
            doc.FullName = persondoc.FullName
            ' extra information for mailing
            doc.EmployeeID = persondoc.EmployeeID
            doc.Location = persondoc.Location
            doc.Department = persondoc.Department
            doc.Manager = persondoc.Manager
            If persondoc.HasEmbedded Then
                'Forall anobject In persondoc.EmbeddedObjects
                'Just load the first one
%REM
doesn't work very well this way (doesn't work at all, really :-) )
                Set attachedId = persondoc.GetAttachment( "UserID" )
                If Isnull( attachedId )  Then
                    Msgbox "error"
                Else
                    attachedId.ExtractFile( TEMP_DRIVE + "\" + persondoc.ShortName(0)+".id")
                End If
%ENDREM
                ' Use the registration API instead: pull the ID out of the directory
                ' to a local file, then remove it from the person document
                Call reg.GetIDFromServer( persondoc.FullName(0), TEMP_DRIVE + "\" + persondoc.ShortName(0) + ".id", False )
                Call reg.DeleteIDOnServer( persondoc.FullName(0), False )

                hasid = True
            End If
            Call doc.Save(True, False)                              ' the snippet never saved the log document
            Set persondoc = personview.GetNextDocument(persondoc)   ' advance; without this the loop never ends
        Loop
    End If
End Sub
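The read-only audit agent below is an added example, not code from this thread or from Tom: it walks the People view and reports person documents whose FullName still carries a name under the old organisation (a rename still in progress, as described above) and person documents that still have file attachments (ID files left in the directory). It assumes it runs with the Domino Directory as the current database, the standard "People" view, and "pacific" as the old organisation from the question; adjust OLD_ORG for another environment.

```lotusscript
Option Declare

' Added example: report-only, nothing is modified.
' OLD_ORG is the old top-level certifier organisation (assumed from the question).
Const OLD_ORG = "pacific"

Sub Initialize
    Dim session As New NotesSession
    Dim pab As NotesDatabase        ' assumed: the Domino Directory is the current database
    Dim people As NotesView
    Dim person As NotesDocument
    Dim names As Variant            ' all values of the FullName item (name plus aliases)
    Dim attachments As Variant      ' result of @AttachmentNames
    Dim nn As NotesName
    Dim i As Integer
    Dim staleCount As Integer, idCount As Integer

    Set pab = session.CurrentDatabase
    Set people = pab.GetView("People")
    Set person = people.GetFirstDocument
    Do While Not person Is Nothing
        names = person.GetItemValue("FullName")
        ' A rename in progress leaves both the old and the new name in FullName;
        ' NotesName parses each one so the organisation can be compared directly
        For i = 0 To UBound(names)
            Set nn = New NotesName(names(i))
            If LCase(nn.Organization) = LCase(OLD_ORG) Then
                staleCount = staleCount + 1
                Print "Old certifier still listed: " & names(i)
            End If
        Next
        ' @AttachmentNames returns "" when the document carries no attachments
        attachments = Evaluate("@AttachmentNames", person)
        If attachments(0) <> "" Then
            idCount = idCount + 1
            Print "Attachment on person doc " & names(0) & ": " & Join(attachments, ", ")
        End If
        Set person = people.GetNextDocument(person)
    Loop
    Print "Done: " & staleCount & " stale name(s), " & idCount & " person doc(s) with attachments"
End Sub
```

Run it from the Designer agent's Initialize section against the directory first; the counts tell you whether the 43 "oldcompany" hits are FullName aliases, attached ID files, or both, before any cleanup agent is run.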
 
packetdrivers (Author) commented:
I've been trying to find out how to paste the code in; do I need to be in Domino Designer to be able to do that? Tried pasting it in the @function view of the agent.

qwaletee commented:
You need Designer installed to be able to create a script agent. You have to change the agent code type from Formula or Simple Actions to LotusScript, then click on the INITIALIZE section, and paste in the middle of that.

If you have been recertifying to a different certifier, then hopefully you know where you placed the resulting files, and didn't just allow them to be sent off by e-mail without retaining a copy. If I may be so bold, I would check that you have ID recovery set up, including

1) the password recovery mechanism enabled
2) a mail address (leading to a protected mailbox) to store the recertified copies.