Lotus Notes users have two separate passwords:
- An HTTPPassword hash in the Domino Directory (formerly the Name and Address Book (NAB)) on one or more Notes / Domino servers
- A password used to encrypt their Notes ID file, which may be physically stored in one or more locations, including their local hard disk, a network share or even a USB flash drive or iPod.
Managing HTTPPassword hashes is straightforward. Hitachi ID Identity and Access Management Suite uses its own ID file to connect to the appropriate Notes server and administratively set a new value on the user's password hash field. Logic is included in the Hitachi ID Password Manager Lotus Notes connector to find the most appropriate server (e.g., the user's local mail server) and to also clear the password digest field.
Managing ID file passwords is more challenging, since this password cannot be administratively reset and since delivering an updated ID file to the user depends on non-Lotus infrastructure.
To simulate a Lotus Notes ID file password reset, Hitachi ID Identity and Access Management Suite extracts a copy of the user's ID file from a central repository, changes the password on the ID file from a known (archived) value to a desired new value and delivers the new, replacement ID file to the user.
Hitachi ID Identity and Access Management Suite includes a built-in repository which can house encrypted copies of each user's ID file and associated password. It can also leverage the repository introduced with more recent versions of Lotus Notes (an architecture we are sure IBM copied from Password Manager).
ID file delivery can be implemented with a variety of techniques. The most common technique is to deploy an extension DLL to the Notes client installed on user PCs. Whenever notes.exe starts, this DLL checks with the Hitachi ID Identity and Access Management Suite server to see if there is a newer ID file for the current OS user and, if so, downloads it before the user signs into Notes. The same DLL also detects local changes to the ID file and uploads fresh copies of the ID file and associated password (e.g., after a Notes-native password change, name change or cross-certification).
Hitachi ID Identity and Access Management Suite connectors can provision Notes users, including creating or updating Domino Directory entries, creating a mail folder on the appropriate server and creating and delivering new ID files to users.