As an organization, one of our goals is to get to a single login. For us, this means that we want users to use the same username and password across various systems. Our primary authentication system is Active Directory, but we still have a number of legacy Domino databases around. To accomplish our goal, we want to have passwords sync between AD and Domino. There are a number of commercial systems that promise this ability, but many of them are costly. Since we are already entitled to use Tivoli Directory Integrator, we decided to try to use this to implement the password syncing. Of course, since this is an IBM product, it means there is very little to zero clear documentation on how to implement this. Here is my attempt to document this process for others to use.
When dealing with IBM Domino passwords, there are two places where passwords are stored: internet password (otherwise known as the HTTP password) and ID file password. The internet password field is used by Domino when accessing resources over the internet (such as iNotes or other web enabled applications). The ID file that is used for “thick client” installations also contains its own password. If your company has implemented the ID vault, the best way to change this password is by changing the password in the ID vault.
To help us accomplish this, we found some great instructions on setting up a web service that enables the changing of the HTTP password and the ID vault password. Our journey started here: http://www.cloudevangelist.in/2015/07/tivoli-directory-integrator-sync-ad.html . Attached to that blog article is a Domino NSF that he has modified from the default pwdresetsample.nsf that is available on a standard installation of a Domino server. To get it working, there are a few security settings you will have to modify so that this database runs in a context that is allowed to reset ID Vault passwords. One of the biggest security issues is to make sure that the database can update the ID Vault password. For this to happen, we signed both the database and the web service with the server certificate and gave the server password reset permissions on the ID Vault. This also needs to run on a server that has HTTP enabled, as it is a SOAP service. Internally, you can also modify the database to use a shared secret that allows you to securely call the password change. You will want to look at any other security aspects of this to make sure it works securely in your environment.
Once we had the above up and running, we tested this by using PowerShell, of course. I have a script that can change both the HTTP and ID Vault password.
function Set-USSDominoPassword {
<#
.SYNOPSIS
    This will set the Domino HTTP and ID Vault password.
.DESCRIPTION
    This uses a SOAP call to change the user's HTTP and ID Vault passwords.
.PARAMETER DominoAbbreviatedName
    This is the user's name in Domino AbbreviatedName format: First Last/OU/Org
.PARAMETER Password
    The new password to change to.
.EXAMPLE
    PS C:\> Set-USSDominoPassword -DominoAbbreviatedName 'Joe Bob/AOK/SArmy' -Password "New Password Here"
.NOTES
    ===========================================================================
    Created with:   SAPIEN Technologies, Inc., PowerShell Studio 2016 v5.2.120
    Created on:     2/27/2017 2:14 PM
    Created by:     Doug Neely
    Organization:   The Salvation Army
    Filename:       Set-USSDominoPassword.ps1
    Reference:      https://foxdeploy.com/2014/11/19/working-with-web-services-soap-php-and-all-the-rest-with-powershell/
    ===========================================================================
#>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$DominoAbbreviatedName,
        [Parameter(Mandatory = $true)]
        [string]$Password
    )

    # WSDL endpoint of the modified PwdResetSample.nsf web service and its two SOAP methods
    $url = "http://servernamehere/PwdResetSample.nsf/passwordSync?WSDL"
    $HTTPMethodName = "CHANGEWEBPASSWORD"
    $IDVaultMethodName = "CHANGEIDPASSWORD"
    # Shared secret that the web service checks before it changes a password
    $SecretKey = "SecretKey"

    Write-Verbose $DominoAbbreviatedName

    foreach ($User in $DominoAbbreviatedName) {
        # Find the AD account whose custom attribute carries this Domino name
        $ADUser = Get-ADUser -Filter { tsaDominoAbbreviatedName -eq $User } -Properties department, company
        $ADName = $ADUser.samaccountname
        $ADDepartment = $ADUser.Department
        $ADCompany = $ADUser.Company
        Write-Verbose "$ADName in $ADDepartment and $ADCompany"

        # Change the internet (HTTP) password
        $proxy = New-WebServiceProxy $url
        $HTTPResults = $proxy.$HTTPMethodName($User, $Password, $SecretKey)
        #Start-Sleep 10

        # Change the ID Vault password
        $ProxyID = New-WebServiceProxy $url
        $IDVaultResults = $ProxyID.$IDVaultMethodName($User, $Password, $SecretKey)

        $obj = New-Object PSObject -Property ([Ordered] @{
            "DominoAbbreviatedName" = $User
            "SAMAccountName"        = $ADName
            "Department"            = $ADDepartment
            "Company"               = $ADCompany
            "HTTPResultCode"        = $HTTPResults
            "IDVaultResultCode"     = $IDVaultResults
        }) #End PSObject
        Write-Output $obj

        Write-Verbose "Writing to DB and sending email"
        $Table = "dbo.DominoResetPasswordReport"
        $DBColumns = "Username, Company, Department, DominoAbbreviatedName, HTTPResults, IDVaultResults, DateTime"
        # The values are interpolated straight into SQL text, so Edit-ADProxyDBReport must
        # parameterize or escape them; a DateTime value is supplied so the value list matches
        # the column list above.
        $DBValues = "'$ADName','$ADCompany','$ADDepartment','$User','$HTTPResults','$IDVaultResults','$(Get-Date -Format s)'"
        Edit-ADProxyDBReport -Table $Table -DBColumns $DBColumns -DBValues $DBValues
    } #End foreach
}
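The service described above receives the new password and the shared secret inside the SOAP request body, so the two things a practitioner would want to change before running the script in production are the plain http:// endpoint and the secret hard-coded in the script. The following PowerShell is an added example, not code from the original post or from the PwdResetSample.nsf project: it calls the same CHANGEWEBPASSWORD and CHANGEIDPASSWORD methods, but refuses anything other than an https:// URL, reads the shared secret from a DPAPI-protected file written with Export-Clixml, and takes the password as a SecureString that is only converted at the point of use. The host name, the secret file path and the names of the two wrapper functions are assumptions for this example.

```powershell
# Added example (not from the original post). Assumed values: the host in $Url,
# the secret file path, and the function names Get-DominoSyncSecret /
# Invoke-DominoPasswordSync. The SOAP method names come from the post.

function Get-DominoSyncSecret {
    # Store the shared secret once, interactively, with:
    #   Get-Credential | Export-Clixml C:\secure\domino-sync.xml
    # Export-Clixml protects the SecureString with DPAPI, so only the same Windows
    # account on the same machine can read the file back.
    param ([string]$Path = 'C:\secure\domino-sync.xml')   # placeholder path
    $cred = Import-Clixml -Path $Path
    return $cred.GetNetworkCredential().Password
}

function Invoke-DominoPasswordSync {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)] [string]$DominoAbbreviatedName,
        [Parameter(Mandatory = $true)] [securestring]$Password,
        # Placeholder host. HTTPS is required because the password and the shared
        # secret travel in the SOAP body to the Domino HTTP task.
        [string]$Url = 'https://domino.example.invalid/PwdResetSample.nsf/passwordSync?WSDL'
    )

    $scheme = ([uri]$Url).Scheme
    if ($scheme -ne 'https') {
        throw "Refusing to send a password over '$scheme'; use an https:// URL."
    }

    $secret = Get-DominoSyncSecret
    # Reveal the SecureString only here, and drop the plain copy as soon as the calls return.
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    try {
        $proxy = New-WebServiceProxy -Uri $Url
        Write-Verbose "Changing HTTP password for $DominoAbbreviatedName"
        $httpCode  = $proxy.CHANGEWEBPASSWORD($DominoAbbreviatedName, $plain, $secret)
        Write-Verbose "Changing ID Vault password for $DominoAbbreviatedName"
        $vaultCode = $proxy.CHANGEIDPASSWORD($DominoAbbreviatedName, $plain, $secret)
    }
    finally {
        $plain  = $null
        $secret = $null
    }

    # Return the raw codes; what each code means is defined by the NSF, not by this example.
    [pscustomobject]@{
        DominoAbbreviatedName = $DominoAbbreviatedName
        HTTPResultCode        = $httpCode
        IDVaultResultCode     = $vaultCode
        When                  = Get-Date -Format 's'
    }
}

# Usage: prompt for the password so it never appears on the command line or in history.
# $pw = Read-Host -AsSecureString 'New password'
# Invoke-DominoPasswordSync -DominoAbbreviatedName 'Joe Bob/AOK/SArmy' -Password $pw -Verbose
```

Import-Clixml only succeeds for the account that ran Export-Clixml on that machine, which is exactly the property you want for a secret that authorizes password resets: a copy of the file taken elsewhere is useless. If the sync later runs as a service account, create the secret file while logged on as that account.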
This is the end of part one, where I configure the password change. Part two will cover the configuration of the password capture on the domain controllers, part three will cover the AD schema changes, and part four will tie everything together with a PowerShell script that captures the password changes and writes them to Domino.