Deploying Domino
This chapter outlines the steps required to deploy IBM® Lotus® Domino™ 6 successfully
and introduces important concepts that you need to know before you install Domino
servers.
1. Determine your company’s server needs. Decide where to locate each server
physically, taking into consideration local and wide-area networks and the function of
each server.
2. Develop a hierarchical name scheme that includes organization and
organizational unit names.
3. Decide whether you need more than one Domino domain.
4. Understand how server name format affects network name-to-address resolution for
servers. Ensure that the DNS records for your company are the correct type for the
server names.
5. Determine which server services to enable.
6. Determine which certificate authority — Domino server-based certification authority,
Domino 5 certificate authority, third-party — to use.
7. Install and set up the first Domino server.
8. Install and set up the Domino Administrator on the administrator’s machine.
9. Complete network-related server setup.
10. If the Domino server is offering Internet services, set up Internet site documents.
There are some instances where Internet Site documents are required.
11. Specify Administration Preferences.
12. Create additional certifier IDs to support the hierarchical name scheme.
13. Set up recovery information for the certifier IDs.
14. Add the administrator’s ID to the recovery information for the certifier IDs and then
distribute the certifier IDs, as necessary, to other administrators.
15. Register additional servers.
16. If you did not do so during first server setup, create a group in the
Domino Directory for all administrators, and give this group Manager access to all
databases on the first server.
17. Install and set up additional servers.
18. Complete network-related server setup for each additional server.
19. Build the Domino environment.
A hierarchical name scheme uses a tree structure that reflects the actual structure of a
company. At the top of the tree is the organization name, which is usually the company
name. Below the organization name are organizational units, which you create to suit
the structure of the company; you can organize the structure geographically,
departmentally, or both. For example, the Acme company created this diagram for their
servers
Looking at Acme’s diagram, you can see where they located their servers in the tree.
Acme decided to split the company geographically at the first level and create certifier
IDs for the East and West organizational units. At the next level down, Acme made its
division according to department. For more information on certifier IDs, see the topic
“Certifier IDs and certificates” in this chapter.
Components of a hierarchical name
A hierarchical name reflects a user’s or server’s place in the hierarchy and controls
whether users and servers in different organizations and organizational units can
communicate with one another. A hierarchical name may include these components:
• Common name (CN) — Corresponds to a user’s name or a server’s name. All
names must include a common name component.
• Organizational unit (OU) — Identifies the location of the user or server in the
organization. Domino allows for a maximum of four organizational units in a
hierarchical name. Organizational units are optional.
• Organization (O) — Identifies the organization to which a user or server belongs.
Every name must include an organization component.
• Country (C) — Identifies the country in which the organization exists. The country
is optional.
An example of a hierarchical name that uses all of the components is:
Julia Herlihy/Sales/East/Acme/US
Typically a name is entered and displayed in this abbreviated format, but it is stored
internally in canonical format, which contains the name and its associated components,
as shown below:
CN=Julia Herlihy/OU=Sales/OU=East/O=Acme/C=US
Note You can use hierarchical naming with wildcards as a way to isolate a group of
servers that need to connect to a given Domino server in order to route mail.
For more information, see the chapter “Setting Up Mail Routing.”
Domino domains
A Domino domain is a group of Domino servers that share the same Domino Directory.
As the control and administration center for Domino servers in a domain, the Domino
Directory contains, among other documents, a Server document for each server and a
Person document for each Notes user.
Planning for Domino domains
There are four basic scenarios for setting up Domino domains. The first scenario, which
many small- and medium-size companies use, involves creating only one Domino
domain and registering all servers and users in one Domino Directory. This scenario is
the most common and the easiest to manage.
The second scenario is common when a large company has multiple independent
business units. In this case, one organization spread across multiple domains may be the
best scenario. Then all servers and users are members of the same organization, and
each business unit administers its own Domino Directory.
A third scenario is common when multiple companies work closely together yet want to
retain individual corporate identities. Then one domain and multiple organizations may
work best. Finally, the fourth scenario involves maintaining multiple domains and
multiple organizations. This scenario often occurs when one company acquires another.
Sometimes the decision to create multiple Domino domains is not based on
organizational structure at all. For example, you may want to create multiple Domino
domains if you have slow or unreliable network connections that prohibit frequent
replication of a single, large directory. Keep in mind that working with multiple domains
requires additional administrative work and requires you to set up a system for
managing them. Domains can be used as a broad security measure. For example, you
can grant or deny a user access to servers and databases, based on the domain in which
the user is registered. Using an extended ACL is an alternative to creating multiple
domains, because you can use the extended ACL to specify different levels of access to a
single Domino Directory, based on organization name hierarchy.
Using Domino server partitioning, you can run multiple instances of the Domino server
on a single computer.
By doing so, you reduce hardware expenses and minimize the number of computers to
administer because, instead of purchasing multiple small computers to run Domino
servers that might not take advantage of the resources available to them, you can
purchase a single, more powerful computer and run multiple instances of the Domino
server on that single machine. On a Domino partitioned server, all partitions share the
same Domino program directory, and thus share one set of Domino executable
files. However, each partition has its own Domino data directory and NOTES.INI file; thus
each has its own copy of the Domino Directory and other administrative databases. If
one partition shuts down, the others continue to run. If a partition encounters a fatal
error, Domino’s fault recovery feature restarts only that partition, not the entire
computer.
For information on setting up fault recovery, see the chapter “Transaction Logging and
Recovery.”
Partitioned servers can provide the scalability you need while also providing
security. As your system grows, you can migrate users from a partition to a separate
server. A partitioned server can also be a member of a cluster if you require high
availability of databases. Security for a partitioned server is the same as for a single
server. When you set up a partitioned server, you must run the same version of Domino
on each partition. However, if the server runs on UNIX®, there is an alternative means
to run multiple instances of Domino on the server: on UNIX, you can run different
versions of Domino on a single computer, each version with its own program directory.
You can even
run multiple instances of each version by installing it as a Domino partitioned server.
Whether or not to use partitioned servers depends, in part, on how you set up Domino
domains. A partitioned server is most useful when the partitions are in different Domino
domains. For example, using a partitioned server, you can dedicate different Domino
domains to different customers or set up multiple Web sites. A partitioned server with
partitions all in the same Domino domain often uses more computer resources and disk
space than a single server that runs multiple services. When making the decision to use
partitioned servers, remember that it is easier to administer a single server than it is to
administer multiple partitions. However, if your goal is to isolate certain server functions
on the network (for example, to isolate the messaging hub from the application hub, or to
isolate work groups for resource and activity logging), you might be willing to take on the
additional administrative work. In addition, running a partitioned server on a
multiprocessor computer may improve performance, even when the partitions are in the
same domain, because the computer simultaneously runs certain processes.
To give Notes users access to a Domino server where they can create and run Domino
applications, use a partitioned server. However, to provide customers with Internet
access to a specific set of Domino applications, set up an xSP server environment.
Deciding how many partitions to have
How many partitions you can install without noticeably diminishing performance
depends on the power of the computer and the operating system the computer uses.
For optimal performance, partition multiprocessor computers that have at least one, and
preferably two, processors for each partition that you install on the computer.
Certifier IDs and certificates
Certifier IDs and certificates form the basis of Domino security. To place servers and
users correctly within your organization’s hierarchical name scheme,
you create a certifier ID for each branch on the name tree. You use the certifiers during
server and user registration to “stamp” each server ID and user ID with a certificate that
defines where each belongs
in the organization. Servers and users who belong to the same name tree can
communicate with each other; servers and users who belong to different name trees
need a cross-certificate to communicate with each
other.
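The two name formats above, the four-OU limit, and the rule that names in different trees need a cross-certificate are easy to get wrong in scripts that register or compare names. The following example is added here and is not part of the Domino documentation: it parses either the abbreviated or the canonical form, converts between them, enforces the four-OU limit, lists the certifier IDs that stamped a name (nearest certifier first, organization certifier last), and decides whether two names share a name tree. It assumes a country code is exactly two letters, which is how the parser distinguishes a trailing C from an O in the abbreviated form; all names used are the Acme examples from this chapter or constructed.

```python
"""Parse, canonicalize and compare Domino hierarchical names (added example, not IBM code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_OU = 4  # Domino allows at most four organizational units in a name
# Assumption used to parse the abbreviated form: a country code is exactly two letters.
COUNTRY_RE = re.compile(r"^[A-Za-z]{2}$")


@dataclass(frozen=True)
class HierarchicalName:
    cn: str
    ous: Tuple[str, ...]  # most specific first, as written: ("Sales", "East")
    o: str
    c: Optional[str] = None

    def canonical(self) -> str:  # CN=Julia Herlihy/OU=Sales/OU=East/O=Acme/C=US
        parts = [f"CN={self.cn}", *(f"OU={ou}" for ou in self.ous), f"O={self.o}"]
        if self.c:
            parts.append(f"C={self.c}")
        return "/".join(parts)

    def abbreviated(self) -> str:  # Julia Herlihy/Sales/East/Acme/US
        parts = [self.cn, *self.ous, self.o]
        if self.c:
            parts.append(self.c)
        return "/".join(parts)

    def certifier_chain(self) -> List[str]:
        """Certifiers that stamped this name, nearest first, ending with the organization certifier."""
        tail = self.o + (f"/{self.c}" if self.c else "")
        chain = ["/" + "/".join([*self.ous[i:], tail]) for i in range(len(self.ous))]
        chain.append("/" + tail)
        return chain


def parse(name: str) -> HierarchicalName:
    """Accept canonical (CN=.../O=...) or abbreviated (.../Acme) form and validate it."""
    parts = [p.strip() for p in name.strip().split("/")]
    if any(not p for p in parts):
        raise ValueError(f"empty component in {name!r}")
    typed = ["=" in p for p in parts]
    cn: Optional[str] = None
    o: Optional[str] = None
    c: Optional[str] = None
    ous: List[str] = []
    if all(typed):
        for p in parts:
            key, _, value = p.partition("=")
            key, value = key.strip().upper(), value.strip()
            if key == "CN":
                cn = value
            elif key == "OU":
                ous.append(value)
            elif key == "O":
                o = value
            elif key == "C":
                c = value
            else:
                raise ValueError(f"unknown component type {key!r}")
    elif any(typed):
        raise ValueError(f"{name!r} mixes canonical and abbreviated components")
    else:
        if len(parts) < 2:
            raise ValueError(f"{name!r} needs at least a common name and an organization")
        cn, rest = parts[0], parts[1:]
        # A two-letter last component that follows at least one other component is the country.
        if len(rest) >= 2 and COUNTRY_RE.match(rest[-1]):
            c, rest = rest[-1], rest[:-1]
        o, ous = rest[-1], rest[:-1]
    if not cn:
        raise ValueError("every name must include a common name (CN)")
    if not o:
        raise ValueError("every name must include an organization (O)")
    if len(ous) > MAX_OU:
        raise ValueError(f"{len(ous)} organizational units; Domino allows at most {MAX_OU}")
    if c is not None and not COUNTRY_RE.match(c):
        raise ValueError(f"country code {c!r} must be two letters")
    return HierarchicalName(cn, tuple(ous), o, c)


def same_name_tree(a: HierarchicalName, b: HierarchicalName) -> bool:
    """True when the same organization certifier is at the root of both names.
    Domino names are not case sensitive, so the comparison is case-insensitive."""
    return (a.o.casefold() == b.o.casefold()
            and (a.c or "").casefold() == (b.c or "").casefold())


def needs_cross_certificate(a: HierarchicalName, b: HierarchicalName) -> bool:
    """Servers or users in different name trees cannot authenticate without a cross-certificate."""
    return not same_name_tree(a, b)
```

Because the check for a shared tree looks only at the organization (and country), an OU certifier can be handed to a branch administrator without widening who can authenticate: App01/East/Acme and Bob Smith/West/Acme are in one tree, while Hub01/Widgets is not and needs a cross-certificate.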
Each time you create a certifier ID, Domino creates a certifier ID file and a Certifier
document. The ID file contains the ID that you use to register servers and users. The
Certifier document serves as a record of the certifier ID and stores, among other things,
its hierarchical name, the name of the certifier ID that issued it, and the names of
certificates associated with it.
There are two types of certifier IDs: organization and organizational unit.
Organization certifier ID
The organization certifier appears at the top of the name tree and is
usually the name of the company — for example, Acme. During first server setup, the
Server Setup program creates the organization certifier and stores the organization
certifier ID file in the Domino data directory,
giving it the name CERT.ID. During first server setup, this organization certifier ID
automatically certifies the first Domino server ID and the administrator’s user ID. If your
company is large and decentralized, you might want to use the Domino Administrator
after server setup to create a second organization certifier ID to allow for further name
differentiation — for example, to differentiate between company subsidiaries.
For more information on working with multiple organizations, see the topic “Domino
domains” earlier in this chapter.
Managing Notes Users.” For information on recertifying server IDs, see the chapter
“Maintaining Domino Servers.”
You can create up to four levels of organizational unit certifiers. To create first-level
organizational unit certifier IDs, you use the organization certifier ID. To create second-
level organizational unit certifier IDs, you use the first-level organizational unit certifier
IDs, and so on. Using organizational unit certifier IDs, you can decentralize certification
by distributing individual certifier IDs to administrators who manage users and servers in
specific branches of the company. For example, the Acme company has two
administrators. One administers servers and
users in West/Acme and has access to only the West/Acme certifier ID, and the other
administers servers and users in East/Acme and has access to only the East/Acme
certifier ID.
Certifier security
By default, the Server Setup program stores the certifier ID file in the
directory you specify as the Domino data directory. When you use the Domino
Administrator to create an additional organization certifier ID or
organizational unit certifier ID, you specify where you want the ID stored. To ensure
security, store certifiers in a secure location — such as a disk locked in a secure area.
User ID recovery
To provide ID and password recovery for Notes users, you need to set up recovery
information for each certifier ID. Before you can recover user ID files, you need access to
the certifier ID file to specify the recovery
information, and the user ID files themselves must be made recoverable.
There are three ways to do this:
• At user registration, create the ID file with a certifier ID that contains recovery
information.
• Export recovery information from the certifier ID file and have the user accept it.
• (Only for servers using the server-based certification authority) Add recovery
information to the certifier. Then, when existing users authenticate to their home server,
their IDs are automatically updated.
For more information, see the chapter “Protecting and Managing Notes IDs.”
Example of how certifier IDs mirror the hierarchical name scheme
To implement their
hierarchical name scheme, the Acme company created a certifier ID at each branch of
the hierarchical name tree:
Before you start the Server Setup program, decide which services and tasks to set up on
the server. If you don’t select the services during the setup program, you can later
enable them by editing the ServerTasks setting in the NOTES.INI file or by starting the
server task from the server console.
Internet services
The Domino Server Setup program presents these selections for Internet services:
• Web Browsers (HTTP Web services)
• Internet Mail Clients (SMTP, POP3, and IMAP mail services)
• Directory services (LDAP)
Advanced Domino services
These Domino services, which are necessary for the proper operation of the Domino
infrastructure, are enabled by default when you set up a Domino server:
• Database Replicator
• Mail Router
• Agent Manager
• Administration Process
• Calendar Connector
• Schedule Manager
• DOLS (Domino Off-Line Services)
These are optional advanced Domino server services that you can enable:
• DIIOP CORBA Services
• DECS (Domino Enterprise Connection Services)
• Billing
• HTTP Server
• IMAP Server
• ISpy
• LDAP Server
• POP3 Server
• Remote Debug Server
• SMTP Server
• Stats
• Statistic Collector
• Web Retriever
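Every optional service above that answers on a network port (HTTP, IMAP, LDAP, POP3, SMTP, DIIOP) is attack surface, and the ServerTasks line in NOTES.INI is where it is switched on. The following example is added here and is not part of the Domino documentation: it parses a constructed NOTES.INI, splits ServerTasks into task names (keeping “RunJava ISpy” as one task with an argument), and reports the enabled listeners against the set the server is meant to offer, so that a service nobody intended to run is caught before the server goes live. The task-name-to-service mapping is assumed from the task names Domino uses for these services; verify it against the Release Notes for your version.

```python
"""Audit which server tasks a Domino NOTES.INI starts (added example, not IBM code)."""
from typing import Dict, List, Set

# Task names as they appear in ServerTasks, mapped to the services listed above.
# Assumed mapping: verify against the Release Notes for your Domino version.
TASK_TO_SERVICE = {
    "replica": "Database Replicator",
    "router": "Mail Router",
    "amgr": "Agent Manager",
    "adminp": "Administration Process",
    "calconn": "Calendar Connector",
    "sched": "Schedule Manager",
    "diiop": "DIIOP CORBA Services",
    "decs": "DECS (Domino Enterprise Connection Services)",
    "billing": "Billing",
    "http": "HTTP Server",
    "imap": "IMAP Server",
    "runjava ispy": "ISpy",
    "ldap": "LDAP Server",
    "pop3": "POP3 Server",
    "smtp": "SMTP Server",
    "stats": "Stats",
    "collect": "Statistic Collector",
    "web": "Web Retriever",
}
# Tasks that open a listener on a network port; each one widens the attack surface.
NETWORK_LISTENERS = {"http", "imap", "ldap", "pop3", "smtp", "diiop"}

# Constructed sample, not a real server's file.
SAMPLE_NOTES_INI = """\
Directory=D:\\Lotus\\Domino\\Data
ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP,LDAP,RunJava ISpy
ServerTasksAt1=Catalog,Design
ServerTasksAt2=UpdAll,Object Info -Full
"""


def parse_notes_ini(text: str) -> Dict[str, str]:
    """NOTES.INI is one KEY=value per line. Keys are stored lowercase; a later duplicate overrides."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            settings[key.strip().lower()] = value.strip()
    return settings


def server_tasks(settings: Dict[str, str]) -> List[str]:
    """Split ServerTasks into normalised task names.

    Items are comma separated. 'RunJava ISpy' is one task (RunJava) with an argument,
    so whitespace inside an item is collapsed to one space rather than split on.
    """
    tasks: List[str] = []
    for item in settings.get("servertasks", "").split(","):
        name = " ".join(item.split()).lower()
        if name:
            tasks.append(name)
    return tasks


def listening_services(tasks: List[str]) -> Set[str]:
    """Service names of the enabled tasks that listen on the network."""
    return {TASK_TO_SERVICE[t] for t in tasks if t in NETWORK_LISTENERS}


def audit(tasks: List[str], intended_listeners: Set[str]) -> List[str]:
    """Compare the enabled listeners with the ones this server is meant to offer.

    Returns one finding per mismatch; an empty list means ServerTasks matches the plan.
    """
    enabled = {t for t in tasks if t in NETWORK_LISTENERS}
    intended = {t.lower() for t in intended_listeners}
    findings: List[str] = []
    for t in sorted(enabled - intended):
        findings.append(f"unintended listener enabled: {t} ({TASK_TO_SERVICE[t]}); "
                        "remove it from ServerTasks")
    for t in sorted(intended - enabled):
        findings.append(f"intended service not started: {t} ({TASK_TO_SERVICE[t]}); "
                        "add it to ServerTasks or load it at the server console")
    return findings


if __name__ == "__main__":
    enabled_tasks = server_tasks(parse_notes_ini(SAMPLE_NOTES_INI))
    print("listening:", sorted(listening_services(enabled_tasks)))
    for finding in audit(enabled_tasks, {"HTTP"}):
        print(finding)
```

Run against a server meant to serve only HTTP, the sample flags the LDAP task as an unintended listener; the same comparison, run across a domain’s NOTES.INI files, gives the list of services to remove that the “Network security” discussion later in Chapter 2 recommends trimming.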
Table of Domino naming requirements
Consider these guidelines when naming parts of the Domino system.
User, 79 characters maximum*: Use a first and last name. A middle name is allowed,
but usually not needed.
Alternate user, no minimum length: A user can have only one alternate name.
Group, 62 characters maximum: Use any of these characters: A - Z, 0 - 9, & - . _ ’ /
(ampersand, dash, period, space, underscore, apostrophe, and forward slash). For mail
routing, you can nest up to five levels of groups. For all other purposes, you can nest up
to six levels of groups.
* This name may include alpha characters (A - Z), numbers (0 - 9), and the ampersand
(&), dash (-), period (.), space ( ), and underscore (_).
For more information on network name requirements and the effect that server name
format has on network name-to-address resolution, see the chapter “Setting Up the
Domino Network.”
After installing the first Domino server and any additional servers, you configure the
servers and build the environment.
This overview lists the features that you may want to include in your
Domino environment.
1. Create Connection documents for server communication.
2. If you have mobile users, set up modems, dialup support, and RAS.
3. Set up mail routing
4. Establish a replication schedule.
5. Configure incoming and outgoing Internet mail (SMTP).
6. Customize the Administration Process for your organization.
7. Plan and create policies before you register users and groups.
8. Register users and groups.
9. Determine backup and maintenance plans and consider transaction logging.
10. Consider remote server administration from the Domino console or Web
Administrator console. Also consider the use of an extended administration server.
11. Set up a mobile directory catalog on Notes clients to give Notes users local access to
a corporate-wide directory.
12. Consider implementing clustering on servers.
Chapter 2
Setting Up the Domino Network
This chapter describes planning concepts and presents protocol-specific procedures
required to run Domino on a network. The chapter describes using network protocols
from a Domino perspective and does not
provide general network information.
Lotus Domino and networks
A variety of client
systems can use wireless technology or modems to communicate with Domino servers
over local area networks (LANs), wide area networks (WANs), and metropolitan area
networks (MANs). To govern how computers share information over a network, they use
one or more protocols, which are sets of rules. For example, Notes workstations and
Domino servers use the Notes remote procedure call (NRPC) protocol running over the
LAN’s network protocol to communicate with other Domino servers. Other client
systems, such as Web browsers, Internet mail clients, wireless application protocol
(WAP) devices, and personal information management (PIM) devices, can also
communicate with Domino servers. Isolated LANs can be connected by WANs. A WAN is
either a continuous connection — such as a frame-relay, leased telephone line, or digital
subscriber line (DSL) — or a dialup connection over a modem or Integrated Services
Digital Network (ISDN) line. Dialup connections are either to an individual server or to a
LAN (through a provider network or your company’s own communications server).
Buildings or sites that are geographically close to each other can use a MAN, which is a
continuous, high-speed connection that can connect corporate LANs or connect a LAN to
the WAN. Like a WAN, a MAN is usually shared by multiple organizations. Wireless
technology that works with Domino ranges from localized transmission systems (802.11a
or 802.11b) to national or international satellite transmission systems that are
geostationary, mid-orbit, ortracked orbit. If you are planning a network for
geographically dispersed locations, consider how to achieve a cost-effective
infrastructure. Placing servers in one location requires that users in other locations
access the Domino server across WAN connections, which can be slow and expensive.
Placing servers in every location and replicating databases to make the same information
available on several LANs requires attention to administration at each location. One
effective way to set up a network is to use a hub server at each location to handle
communication with hub servers in other locations. Then, only the hub servers, not
every server in the network, use WAN connections. The functionality of Notes
workstations and Domino servers depends on the effectiveness and capacity of
networks. To plan a Domino network
with sufficient capacity, you must consider not only the traffic to and from Domino
servers but also any other traffic on the network.
NRPC communication
Domino servers offer many different services. The foundation for communication
between Notes workstations and Domino servers or between two Domino servers is the
Notes remote procedure call (NRPC) service.
Network protocols for NRPC communication
To communicate, two computers must run the same network protocol and software
driver. For dialup connections, Lotus Domino uses its own X.PC protocol natively; Notes
and Domino also support PPP using either Microsoft Dialup Networking (DUN) or Remote
Access Service (RAS) for network dialup. In addition, you can use any IETF-compliant PPP
communications server to dial into the network on which the Domino server resides or
through which the server can be accessed.
On LANs, Lotus Domino is compatible with the TCP/IP and IPX/SPX protocol suites, as
well as NetBIOS over the lower transports IP, IPX, and NetBEUI. For NetBIOS
connections to work, both Notes workstations and Domino servers must use the same
lower transport.
For detailed information on which protocols are compatible with Lotus Domino for each
supported operating system, see the Release Notes.
Notes network ports
During the
Server Setup program, Domino provides a list of Notes network ports based on the
current operating system configuration. If these ports are not the ones you want to
enable for use with the Domino server, you can edit the list during setup. Because each
network protocol consumes memory and processing resources, you might want to
exclude one or more ports and later remove the associated protocol software from the
system. In TCP/IP and NetBIOS, you can install multiple network interface cards
(NICs) and enable additional Notes network ports for each protocol, using the NOTES.INI
file to bind each port to a separate IP address or NetBIOS LANA number. For more
information, see the topic “Adding a network port on a server” later in this chapter.
Network security
Physical network security is beyond the scope of this book, but you must set it up before
you set up connection security. Physical network security prevents unauthorized users
from breaking through the network and
using one of the operating system’s native services — for example, file sharing — to
access the server. Physical network security also comes into play when any data is
exposed, as the potential exists for malicious or
unauthorized users to eavesdrop both on the network where the Domino system resides
and on the system you are using to set up the server. Network access is typically
controlled using network hardware — such
as filtering routers, firewalls, and proxy servers. Be sure to enable rules and connection
pathways for the services that you and others will access. Newer firewall systems offer
virtual-private-network (VPN) services,
which encapsulate the TCP/IP packet into another IP wrapper where the inner TCP/IP
packet and its data are encrypted. This is a popular way to create virtual tunnels through
the Internet between remote sites. If you
want to have the Domino server access both a private VPN and the Internet for SMTP
mail, make sure your solution is able to handle full TCP data packets and that it allows
dual connections. If not, the Domino
server system may require a second NIC to work around limitations of the VPN solution.
NRPC and Internet connection security
To control connection access, you typically use a network hardware configuration, such
as a firewall, reverse proxy, or Domino passthru server, to which you can authorize
connections and define access to
network resources. In addition, you can encrypt all connections by service type.
Encrypting connections protects data from access by malicious or unauthorized users. To
prevent data from being compromised, encrypt all Domino and Notes services that
connect to public networks or to networks over which you have no direct control.
Encrypting the connection channel prevents unauthorized users from using a network
protocol analyzer to read data. To encrypt NRPC network traffic, use the Notes port
encryption feature. For traffic over Internet protocols, use SSL. For both NRPC and
Internet protocols, you can enforce encryption at the server for all inbound and outbound
connections. In the case of the Notes client, you can also enforce encryption on all
outbound connections, even if the server to which you are connecting allows unencrypted
connections.
Because encryption adds additional load to the server, you may want to limit the
services for which the server uses encryption. Other ways to minimize the load that
encryption puts on the system include:
• Using an additional Domino server acting as a passthru server for NRPC connections
• Using a reverse proxy to manage authentication and encryption outside of Domino
servers when using SSL
• Removing unnecessary or unused protocols or services on the server system as well
as Domino server services
On the Notes workstation, create a Connection document that includes the IP address
of the destination server.
On the passthru server, create a Connection document to the destination server.
If you don’t use DNS at your site or if a Domino server is not registered with DNS (as is
sometimes the case if the server offers Internet services), use one of these methods to
enable each Notes workstation and Domino
server to perform name resolution locally. Keep in mind that the upkeep required for
both of these approaches is considerable.
• Place a hosts file, which is a table that pairs each system name with its IP address, on
every system that needs private access. Set up each system so that it accesses the
hosts file before accessing DNS.
• Create a Connection document that contains the destination server’s IP address on
every Notes workstation and Domino server that needs to access that server.
Tip Use policies to automate the setup of Connection documents for Notes users. Even
if you use DNS, you should set up Connection documents for Notes
users in locations from which they have difficulty accessing the DNS server. For more
information on policies, see the chapter “Using Policies.”
Alternative IP name services
Microsoft networking services offers four additional methods of IP address resolution.
These methods are not as reliable as traditional DNS and hosts files and can cause name
and address confusion. For best results, do not use these methods when also using the
Notes network port for TCP/IP.
• Direct NetBIOS broadcast — The system sends out a name broadcast message so that
all of the systems on the local network segment can register the name and IP address in
their name cache. If you must use NetBIOS over IP and use Domino with both the
NetBIOS and TCP/IP port drivers, avoid name-resolution problems by giving the Domino
server and the system different names.
• Master Browser cache (for NT domains or SAMBA servers) — Collects broadcasted
names and IP addresses and publishes them across the NT domain to other Master
Browser systems for Windows® systems to access in their name lookups.
• Windows Internet Name Service (WINS) — A NetBIOS name server with which
Windows systems register their names. Unlike DNS, which is static in nature, WINS is
dynamic. Note that the TCP/IP stacks of Macintosh and UNIX client systems may not be
able to access the WINS server.
• LAN Manager Hosts (LMHosts) — A static hosts file method.
Caution On a Windows system, the combination of the system’s native NetBIOS over IP
name-resolver service and DNS can cause name resolution failure for the Domino server
name.
When you register a new Domino server, you specify a common name for it. Within a
Domino hierarchical name, the common name is the portion before the leftmost slash.
For example, in the name App01/East/Acme, the common name is App01. The common
name, not the hierarchical name, is the name that the Domino server is known by in
DNS.
Note When you choose a common name for a Domino server that uses DNS, use only
the characters 0 through 9, A through Z, and the dash (-). Do not use spaces or
underscores.
Note The DNS names held in Lotus Notes and Lotus Domino are not case sensitive;
Notes workstations and Domino servers always pass DNS names to DNS in lowercase.
You can avoid problems and extra work if you consider the DNS configuration, as well as
the effect of other protocol name-resolver services, when you choose the format for the
common name of the Domino server. To avoid name-resolution problems that affect all
TCP services on Windows systems, see the topic “Ensuring DNS resolves on Windows
systems — All TCP protocols.”
For procedures to help you avoid DNS problems in NRPC, see these
topics:
Ensuring DNS resolves in NRPC — Best Practices
Ensuring DNS resolves in NRPC — Alternative practices
Ensuring DNS resolves in NRPC — A practice to use with caution
If you administer servers that provide Internet services such as HTTP, SMTP, POP3, or
LDAP, you can skip these topics, as these services use DNS directly.
Ensuring DNS resolves on Windows systems — All TCP protocols
If a Domino server is a
Windows system, often two name services exist on the system — NetBIOS over IP and
DNS. If you assign the same name to both the Domino server and the system, client
applications that use either the Notes Name Service or DNS can encounter name-space
ghosting between the two names. In other words, because the NetBIOS record for a
system’s host name has already been found, the name resolving process ends and the
DNS record for the Domino server on that
system is never found.
Note For a Domino server on Windows 2000, problems occur only if you enable name
services for NetBIOS over IP in order to join an NT
domain using Server Message Blocks (SMB).
To prevent this problem:
1. Do one:
• On Windows NT, assign one name as the Domino server common name and then alter
that name slightly for the system name by adding a prefix such as NT-. In the Network
dialog box on the Windows NT Control Panel, specify the name in two places: the
Identification tab and the Protocols - TCP/IP properties - DNS tab.
• On Windows 2000, add a prefix such as W2K- to the system name, using the Network
Identification tab on the System Properties dialog box.
2. Create an A record (or, for IPv6, AAAA record) in DNS for the system name. The IP
address is the same as the one for the Domino server.
3. Create a CNAME record in DNS for the Domino server’s name, linking it to the system
name. For example, for the Domino server BosMail02/Acme, the common name is
BosMail02. You name the system NT-BosMail02. You create an A
record in DNS for NT-BosMail02.acme.com and a CNAME record for
BosMail02.acme.com, linking it with NT-BosMail02.acme.com.
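The BosMail02 procedure above, and the single-DNS-domain practice that follows it (common name equal to the host name, Net Address in FQDN form, one A record), both come down to a handful of checks that are worth running before a Server document is saved. The following example is added here and is not part of the Domino documentation: it validates the common name against the character rule given earlier, detects a Windows system name that collides with the common name (the NetBIOS-over-IP ghosting case), confirms that the Net Address is an FQDN whose host label matches the common name, and follows CNAMEs in a constructed zone to make sure both the Domino name and the system name resolve to the same address. Names are lowercased before lookup because Notes passes DNS names in lowercase. The zone records are constructed to mirror the BosMail02 example; the App01 address is invented.

```python
"""Pre-flight check of a Domino server's DNS name plan (added example, not IBM code)."""
import re
from typing import Dict, List, Optional, Tuple

# A common name DNS will accept: 0-9, A-Z and dash, no leading or trailing dash,
# no spaces or underscores. Case does not matter: Notes passes names to DNS in lowercase.
COMMON_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

Record = Tuple[str, str, str]  # (owner name, record type, value), like a zone-file line

# Constructed zone data mirroring the BosMail02 example above, plus an invented A record.
ZONE: List[Record] = [
    ("NT-BosMail02.acme.com", "A", "192.168.10.17"),
    ("BosMail02.acme.com", "CNAME", "NT-BosMail02.acme.com"),
    ("app01.acme.com", "A", "192.168.10.18"),
]


def _norm(name: str) -> str:
    """Lowercase and strip a trailing dot, as DNS comparisons are case-insensitive."""
    return name.strip().lower().rstrip(".")


def resolve(fqdn: str, records: List[Record], max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs until an A or AAAA record is found; None if absent or the chain loops."""
    table: Dict[str, List[Tuple[str, str]]] = {}
    for owner, rtype, value in records:
        table.setdefault(_norm(owner), []).append((rtype.upper(), value))
    name = _norm(fqdn)
    for _ in range(max_hops):
        rrs = table.get(name, [])
        addresses = [v for t, v in rrs if t in ("A", "AAAA")]
        if addresses:
            return addresses[0]
        cnames = [v for t, v in rrs if t == "CNAME"]
        if not cnames:
            return None
        name = _norm(cnames[0])
    return None  # CNAME loop or chain longer than max_hops


def check_plan(common_name: str, system_name: Optional[str], net_address: str,
               records: List[Record]) -> List[str]:
    """Return findings for a planned server name; an empty list means the plan is consistent.

    system_name is the Windows host name. Pass None for a server where NetBIOS over IP
    is not in play; there the host name and the common name may legitimately be the same.
    """
    findings: List[str] = []
    if not COMMON_NAME_RE.match(common_name):
        findings.append(f"common name {common_name!r}: use only 0-9, A-Z and dash; "
                        "no spaces or underscores")
    if system_name is not None and _norm(system_name) == _norm(common_name):
        findings.append("system name equals the Domino common name: NetBIOS over IP answers "
                        "first and the DNS record is never found; prefix the system name (NT-, W2K-)")
    if "." not in net_address:
        findings.append(f"Net Address {net_address!r} is not an FQDN")
        return findings
    host, _, domain = _norm(net_address).partition(".")
    if host != _norm(common_name):
        findings.append(f"Net Address host {host!r} differs from common name {common_name!r}")
    ip = resolve(net_address, records)
    if ip is None:
        findings.append(f"{net_address} has no A/AAAA record, directly or through a CNAME")
    if system_name is not None:
        system_fqdn = f"{system_name}.{domain}"
        system_ip = resolve(system_fqdn, records)
        if system_ip is None:
            findings.append(f"{system_fqdn} has no A/AAAA record")
        elif ip is not None and system_ip != ip:
            findings.append(f"{system_fqdn} resolves to {system_ip} but {net_address} to {ip}")
    return findings


if __name__ == "__main__":
    for plan in [("BosMail02", "NT-BosMail02", "bosmail02.acme.com"),
                 ("BosMail02", "BosMail02", "bosmail02.acme.com"),
                 ("App01", None, "app01.acme.com")]:
        print(plan, check_plan(*plan, ZONE) or "OK")
```

The second plan in the usage block is the failure mode the topic describes: the Domino and Windows names are identical, so even though the zone is otherwise correct, the NetBIOS resolver wins and the check reports the collision; prefixing the system name, as in the first plan, clears it.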
The following procedures provide the best name-resolution practices for
a Domino server using the default NRPC configuration on a TCP/IP network (one Notes
network port for TCP/IP). These procedures address the following DNS configurations:
• One DNS domain
• Multiple DNS domain levels
If your TCP/IP configuration has multiple Notes network ports for TCP/IP, see the topic
“Ensuring DNS resolves in advanced TCP/IP configurations” later in this chapter.
When you have one DNS domain
If your company uses only one DNS domain, doing the following eliminates the need for
CNAME records in DNS:
1. Assign the same name as both the Domino server common name and the simple IP
host name registered with DNS.
2. Make sure the Net Address field on the Server document contains the server’s FQDN.
3. Create an A record (or, for IPv6, AAAA record) in DNS.
For example, you set up the Domino server App01/Engr/Acme. Thus, you register the
server with DNS as app01, the server’s common name. The Net Address field in the Server
document contains app01.acme.com (the server’s FQDN), and the A record is:
app01.acme.com IN A 192.168.10.17
When you have multiple DNS domain levels
If your company uses multiple DNS domain levels — for example, when each country in
which a multinational company has offices is a subdomain in DNS — doing the following
eliminates the need for
multiple CNAME records in DNS and ensures that DNS lookups always work, regardless
of the DNS domain level of the user’s system:
1. Assign the same name as both the Domino server common name and the simple IP
host name.
2. Make sure the Net Address field on the Server document contains the server’s FQDN.
3. Create an A record (or, for IPv6, AAAA record) in DNS.
4. If users’ systems are in a different DNS domain than that of their home server or in a
DNS subdomain of their home server’s domain, set up a secondary name server. Place
this secondary name server on the same physical network as the users’ systems or on a
network that the users can access.
5. Set up the secondary name server for all Notes users, for the subset of users affected by Step 4, or for an individual Notes user.
For more information on setting up groups of users, see the chapter “Using Policies.” For more information on setting up an individual Notes user, see the topic “Setting up a secondary name server” later in this chapter.
For example, you register the Domino server ParisMail01/Sales/Acme with DNS as parismail01.france.acme.com. Parismail01 is the home server for some users in the DNS subdomain spain.acme.com. You set up a secondary name server, Nameserver/Acme, register it with DNS as nameserver.acme.com, and ensure that the Location documents of users who need a secondary name server point to this server. When a user in spain.acme.com attempts a first connection with the home server (parismail01.france.acme.com), the connection fails because the DNS subdomain for spain.acme.com has no records for the subdomain france.acme.com. Notes then connects successfully with the secondary name server (nameserver.acme.com), since the DNS subdomain for spain.acme.com does include the records for acme.com. When the secondary name server supplies the Notes workstation with the FQDN from the Net Address field in the Server document for ParisMail01, DNS resolves the FQDN to an IP address, and the user can access mail. As long as all Server documents in the Domino domain have the TCP/IP network address in FQDN format, this approach allows any Notes workstation or Domino server to locate any Domino server, regardless of its DNS domain level.
Ensuring DNS resolves in NRPC — Alternative practices
The following procedures provide alternative name-resolution practices for a Domino server using the default NRPC configuration on a TCP/IP network (one Notes network port for TCP/IP).
Domino server names that differ from their DNS names
When your name scheme for Domino servers is different from that for DNS, use one of the following methods to translate the Domino server’s name to the host name:
Create a local Connection document on each Notes client and Domino server that needs to connect to the Domino server, and enter the FQDN for the system that hosts the Domino server in the Net Address field. For example, for the Domino server named App01/Sales/Acme on the system registered with DNS as redflier, enter redflier.acme.com.
Use an alias (CNAME) record in DNS to link the Domino server common name to the simple IP host name. For example, for the Domino server App01/Sales/Acme on the system registered with DNS as redflier, use a CNAME record to link the name App01 to the name redflier. When a Notes workstation first accesses this server, it obtains the host name from the Net Address field of the Server document and caches it, thereby making future connections faster.
IP addresses in Connection documents
In situations in which you don’t want to use any name-resolver service — such as bringing up a new server system that you don’t want known yet, or having a server on the Internet that you want accessible but for which you can’t use DNS — create Connection documents that directly tell Notes workstations or Domino servers how to access this Domino server by using the server’s IP address in the documents’ Net Address fields.
Network Address Translation (NAT)
NAT is a method of translating an IP address between two address spaces: a public space and a private space. Public addresses are assigned to companies by the Internet Corporation for Assigned Names and Numbers (ICANN) or leased from the company’s ISP/NSP. Public addresses are accessible through the Internet (routable) unless firewalls and isolated networks make them inaccessible.
Private addresses are IP address spaces that have been reserved for internal use. These addresses are not accessible over the Internet (non-routable) because network routers within the Internet will not allow access to them.
The following address spaces have been reserved for internal use. It is best to use these IP addresses and not make up your own.
Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255
For example, users inside a company access the Domino server based on its assigned IP address, which is a private address (192.168.1.1). Internet users must access the Domino server through a NAT router, which converts the private address to one of its static public addresses (130.20.2.2). Therefore, a Notes client accessing the server from the
Ensuring DNS resolves in NRPC — A practice to use with caution
The following practice, if followed precisely, should ensure good DNS resolves in NRPC for companies with multiple DNS domain levels, but might result in extra work if the infrastructure changes. Using this practice has the following disadvantages:
You can never assign more than one IP address in DNS to the Domino server.
If the FQDN changes, the Domino server name will not match the FQDN, thus
invalidating the DNS resolve. You will then need to create a new server and migrate
users to it.
If you use network address translation (NAT), the server’s FQDN must be identical in
both instances of DNS (internal and external shadow DNS).
You cannot use other network protocols, as many of them use flat network name
services, and those that use hierarchical name systems will not function unless the name
hierarchy is exactly the same.
Diagnosing connectivity issues can be much harder.
When you have multiple DNS domain levels
If your company uses multiple DNS domain levels — for example, when each country in which a multinational company has offices is a subdomain in DNS — do the following:
1. Use the server’s FQDN as the Domino server common name.
2. Create an A record (or, for IPv6, AAAA record) in DNS. For example, if you register a server with DNS as app01.germany.acme.com, you can also assign the Domino server’s common name as app01.germany.acme.com. In this case, the server’s Domino hierarchical name might be app01.germany.acme.com/Sales/Acme.
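To make the resolution flow concrete, here is an added Python model of the lookup a Notes workstation performs for its home server: search-scope DNS resolution with CNAME following, then the secondary name server fallback from the ParisMail01 example above. This is example code, not part of the Domino documentation or product; every DNS record, Server document and address in it is constructed, and no real DNS query is made.

```python
"""Model of the first-connection name lookup a Notes workstation performs
for its home server, including the secondary name server fallback.
Added example over constructed data; not Domino code."""

import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed DNS records keyed by fully qualified owner name: (type, data).
DNS: Dict[str, Tuple[str, str]] = {
    "nameserver.acme.com": ("A", "192.168.10.5"),
    "parismail01.france.acme.com": ("A", "192.168.20.17"),
    "madridmail01.spain.acme.com": ("A", "192.168.30.17"),
    # CNAME alternative: Domino common name linked to the host name redflier
    "app01.acme.com": ("CNAME", "redflier.acme.com"),
    "redflier.acme.com": ("A", "192.168.10.44"),
    # "practice to use with caution": the FQDN itself is the common name
    "app01.germany.acme.com": ("A", "192.168.40.17"),
}

# Constructed Domino Directory: server common name -> Net Address field.
SERVER_DOCS: Dict[str, str] = {
    "parismail01": "parismail01.france.acme.com",  # FQDN, as recommended
    "madridmail01": "madridmail01",                # bare name: the anti-pattern
    "nameserver": "nameserver.acme.com",
}


def dns_resolve(name: str, search_domains: List[str], max_cname: int = 8) -> Optional[str]:
    """Stub-resolver behaviour: an unqualified name is tried with each search
    domain (the workstation's DNS lookup scope) appended; a qualified name is
    looked up as given. CNAME chains are followed up to max_cname hops."""
    if "." in name:
        candidates = [name]
    else:
        candidates = [f"{name}.{domain}" for domain in search_domains]
    for fqdn in candidates:
        current = fqdn.lower()
        for _ in range(max_cname):
            record = DNS.get(current)
            if record is None:
                break
            rtype, data = record
            if rtype == "A":
                return data
            if rtype != "CNAME":
                break
            current = data.lower()
    return None


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def notes_first_connection(home_server: str, search_domains: List[str],
                           secondary: Optional[Tuple[str, str]] = None) -> Tuple[str, str]:
    """Return (path, ip) for a workstation's first connection to its home
    server, where path is "direct" or "secondary". `secondary` is the pair
    from the Location document: (secondary server common name, its host
    name or IP address). Raises LookupError when the server cannot be found."""
    ip = dns_resolve(home_server, search_domains)
    if ip is not None:
        return ("direct", ip)
    if secondary is None:
        raise LookupError(f"{home_server}: not resolvable in scope {search_domains} "
                          "and no secondary name server is configured")
    sec_name, sec_host = secondary
    # An IP address in the Location document skips the DNS lookup entirely.
    sec_ip = sec_host if _is_ip(sec_host) else dns_resolve(sec_host, search_domains)
    if sec_ip is None:
        raise LookupError(f"secondary name server {sec_name} ({sec_host}) does not resolve")
    # The Notes Name Service on the secondary server answers with the Net
    # Address field of the home server's Server document.
    net_address = SERVER_DOCS.get(home_server.lower())
    if net_address is None:
        raise LookupError(f"{home_server}: no Server document in the Domino Directory")
    ip = dns_resolve(net_address, search_domains)
    if ip is None:
        raise LookupError(f"{home_server}: Net Address '{net_address}' does not resolve "
                          "from this workstation; the Server document should hold the FQDN")
    return ("secondary", ip)


if __name__ == "__main__":
    # A user in spain.acme.com whose home server is ParisMail01/Sales/Acme.
    print(notes_first_connection("parismail01", ["spain.acme.com"],
                                 ("nameserver", "nameserver.acme.com")))
```

The madridmail01 entry shows the failure the text warns about: a bare name in the Net Address field cannot be resolved from another subdomain even after the secondary name server answers.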
Advanced Domino TCP/IP configurations
A single Domino server can have multiple IP addresses if you use multiple NICs, each
offering an address, or if one NIC offers multiple addresses. Having multiple IP
addresses allows the server to listen for connections at more than one instance of the
TCP port assigned to NRPC (1352) or at TCP ports that are assigned to other services
such as LDAP or HTTP. Both individual Domino servers and partitioned Domino
servers can have multiple NICs, each with its own IP address.
Multiple IP addresses and NICs on a Domino server
Set up a Domino server with multiple IP addresses, each with its own NIC, if you want to:
Split the client load for better performance
Split client-to-server access from server-to-server communication
Set up mail routing, replication, or cluster replication on an alternate path (private network)
Partition a Domino server so that more than one partition offers the same Internet service (SMTP, POP3, IMAP, LDAP, or HTTP)
Allow access to the Domino server via a TCP/IP firewall system over a different network segment, a configuration known as a demilitarized zone (DMZ)
Use a Domino passthru server as an application proxy
Provide network/server failover, used in mission-critical resource access
Set up alternate window and/or maximum transmission unit (MTU) settings for satellite uplink and downlink connections isolated from local access connections
For a configuration with multiple IP addresses, you must bind each listening port to the
appropriate IP address to ensure that each TCP service receives the network connections
intended for it.
For more information, see the topics “Binding an NRPC port to an IP address” and
“Binding an Internet service to an IP address” later in this chapter. For more information
on private networks for cluster
replication, see the book Administering Domino Clusters.
Note A configuration with multiple NICs does not increase the number of Domino
sessions you can have on a server. In TCP/IP, machine capacity depends on processors
and memory.
Multiple IP addresses with one NIC
Reasons to use one NIC to serve multiple IP addresses include:
Isolating local versus WAN Notes named networks so local users can see only local Domino servers
Preventing independent remote access dialup connections (ISDN dialup router) from being arbitrarily accessed
Setting up redundant WAN path connections for server-to-server access
Using a different TCP/IP port map for firewall connections
Offering HTTP services to a different group than NRPC connections
Offering, as a service provider, Domino server access for either Notes or Web clients to different groups/companies
For a configuration with multiple addresses and one NIC, you must configure the TCP/IP stack and bind each listening port to an IP address.
Partitioned servers and IP addresses
When you set up a Domino partitioned server, it is usually best to assign a separate IP address to each partition and use a separate NIC for each. Using a separate NIC for each address can make the computer’s I/O much faster. Lotus Domino is designed to listen for TCP/IP connections on all NICs in a computer system. If more than one partition is hosting the same service (NRPC, SMTP, POP3, IMAP, LDAP, or HTTP), fine-tune which partitions listen for which connections by associating each service’s TCP port with a specific IP address.
For more information on associating services with IP addresses, see the topics “Binding an NRPC port to an IP address” and “Binding an Internet service to an IP address” later in this chapter.
As an alternative to using a separate NIC for each IP address, you can use a single NIC and still assign a separate IP address to each partition. For more information, see the topic “Assigning separate IP addresses to partitions on a system with a single NIC” later in this chapter.
If you are unable to assign a separate IP address to each partition, you can use port mapping. For more information on port mapping, see the topic “Configuring a partitioned server for one IP address and port mapping” later in this chapter.
Note As an alternative to port mapping, you can use port address translation (PAT), in which a firewall redirects the TCP port connection to a different TCP port. Both port mapping and PAT require advanced skills to implement correctly.
Ensuring DNS resolves in advanced TCP/IP configurations
When you have Domino servers with multiple Notes network ports for TCP/IP, follow these procedures to ensure server name-to-address resolution by DNS. This topic covers the following configurations:
Users in different DNS subdomains accessing one Domino server
User-to-server access and server-to-server access via different DNS subdomains
Users in different DNS subdomains accessing one Domino server
If users are on two isolated networks and the Domino server has a NIC for each network, use DNS to direct the users to the NIC the server shares with them.
1. Assign an IP address to each NIC by creating A records (or, for IPv6, AAAA records) in
DNS. Use the ping command and the IP address to test the responsiveness of the NIC.
Note If the Domino server is running Windows and there is a route between the two
networks, prevent the NetBIOS broadcasts from exiting from both adapters by using the
Windows Control Panel to disable one instance of the WINS client. Use the Bindings tab
of the Network dialog box, select All Adapters, and select the name of the NIC for which
you want to disable WINS.
2. Create two CNAME records in DNS for the Domino server, linking the server’s common
name to each NIC name in the A records. (Using CNAME records for the Domino server
provides diagnostic fidelity to test the network pathway independently of the server’s
name resolve.)
3. Add a second Notes network port for TCP/IP in Domino. For more information, see the
topic “Adding a network port on a server” later in this chapter.
4. Bind each TCP/IP port to the IP address of the appropriate NIC. On the server
console, verify that both TCP/IP ports are active and linked to the correct IP address. For
more information on binding ports to IP addresses, see the topic “Binding an NRPC port
to an IP address” later in this chapter.
5. In the Server document’s Net Address field for each TCP/IP port, use the server’s
common name only, not its FQDN.
6. On each Notes workstation, set the user’s DNS name lookup scope to the correct DNS
subdomain.
Example
At the Acme company, some users connect to the Domino server Chicago/Sales/Acme
over an Ethernet network, others over a Token Ring network. Register the Domino
server with DNS as chicago.east.acme.com for the users on the Ethernet network and as
chicago.west.acme.com for users on the Token Ring network.
1. Create start of authority (SOA) table entries in DNS for th
chi-ethernet A 10.20.20.2
chicago CNAME chi-ethernet
chi-tokenring A 10.10.10.1
chicago CNAME chi-tokenring
3. Change the name of the original Notes network port for TCP/IP to TCPIP1, and name
the second port TCPIP2.
4. Use the NOTES.INI file to bind TCPIP1 to the IP address for the Ethernet network and
to bind TCPIP2 to the IP Address for the Token Ring network.
5. In the Server document’s Net Address field for each TCP/IP port, enter chicago.
6. On the Ethernet users’ workstations, set the DNS name lookup scope to
east.acme.com, and on the Token Ring users’ workstations, set it to west.acme.com.
User-to-server access and server-to-server access via different DNS subdomains
If users need to access a Domino server over the LAN and other Domino servers need to
access the same server over the WAN, add a second NIC to the server. Then use DNS to
direct the users to the NIC for the LAN and to direct other servers to the NIC for the
WAN.
1. Assign an IP address to each NIC by creating an A record (or, for IPv6, AAAA record)
in DNS. Use the ping command and the IP address to test the responsiveness of the NIC.
Note If the Domino server is running Windows and there is a route between the two
networks, prevent the NetBIOS broadcasts from exiting from both adapters by using the
Windows Control Panel to disable one instance of the WINS client. Use the Bindings tab
of the Network dialog box, select All Adapters, and select the name of the NIC for which
you want to disable WINS.
Installation
2. Create two CNAME records in DNS for the Domino server, linking the server’s common
name to each NIC name in the A records. (Using CNAME records for the Domino server
provides diagnostic fidelity to test the network pathway independently of the server’s
name resolve.)
3. Add a second Notes network port for TCP/IP in Domino.
For more information, see the topic “Adding a network port on a server” later in this
chapter.
4. Bind each TCP/IP port to the IP address of the appropriate NIC. On the server
console, verify that both TCP/IP ports are active and linked to the correct IP address.
For more information on binding ports to IP addresses, see the topic
“Binding an NRPC port to an IP address” later in this chapter.
5. To direct the Domino server’s first outbound connection to the
server-to-server network, edit the PORT setting in the NOTES.INI
file to read as follows:
PORT=serverportname, userportname
Where serverportname is the name of the Notes network port for
TCP/IP that other Domino servers will use to connect to this server,
and userportname is the name of the Notes network port for TCP/IP
that users will use to connect to this server.
6. In the Server document’s Net Address field for the first TCP/IP port
(the port that users will use), enter the FQDN, using the server’s
common name and the users’ DNS subdomain.
Note Listing the port that users will use first is important, as the
Notes Name Service cannot distinguish which NIC a user is
accessing and makes the connection based on the content of the Net
Address field for the first TCP/IP port listed in the Server document.
7. In the Server document’s Net Address field for the second TCP/IP
port (the port that servers will use), enter the FQDN, using the
server’s common name and the servers’ DNS subdomain.
An initiating server uses its local Domino Directory to detect the
Notes named network it has in common with this server.
8. Set each user’s DNS name lookup scope to the correct DNS
subdomain.
9. In each server’s TCP/IP stack, set the DNS name lookup scope to the
correct DNS subdomain.
2-24 Administering the Domino System, Volume 1
Example
At the Acme company, users connect to the Domino server
BostonApp04/Sales/Acme over the LAN, and other Domino servers
access it privately over the WAN. You register the server with DNS as
bostonapp04.boston.acme.com for the LAN users and as
bostonapp04.domino.acme.com for the server-to-server network over the
WAN.
1. Create the following SOA table entries in DNS for the subdomain
usr-bostonapp04 A 103.210.20.2
bostonapp04 CNAME usr-bostonapp04
2. Create the following SOA table entries in DNS for the subdomain
domino.acme.com, as follows:
srv-bostonapp04 A 103.210.41.1
bostonapp04 CNAME srv-bostonapp04
3. Change the name of the original Notes network port for TCP/IP to
TCPIP1, and name the second port TCPIP2.
4. Use the NOTES.INI file to bind TCPIP1 to the IP address for the user
network, to bind TCPIP2 to the IP address for the server-to-server
network, and to add the setting PORT=TCPIP2, TCPIP1.
5. In the Server document’s Net Address field for port TCPIP1, enter
bostonapp04.boston.acme.com. For port TCPIP2, enter
bostonapp04.domino.acme.com.
6. On each user’s workstation, set the DNS name lookup scope to
boston.acme.com. In the TCP/IP stacks of the servers that need to
connect to this server, set the name lookup scope to
domino.acme.com.
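The following added Python check (example code, not Domino's) validates the BostonApp04 configuration above: it parses a constructed NOTES.INI fragment, resolves each Net Address through the constructed DNS records, and reports a port whose Net Address does not resolve to the NIC it is bound to, a wrong PORT= order, or a Server document that does not list the users' port first. The `<port>_TcpIpAddress=0,<ip>:<tcpport>` line format is Domino's documented binding setting, which this page does not show; the record and address values are the example's.

```python
"""Consistency check for the two-NIC configuration in the BostonApp04
example: NOTES.INI port order and bindings, the Server document's Net
Address fields, and the split DNS records must all agree.
Added example over constructed data; not Domino code."""

from typing import Dict, List, Optional, Tuple

# Constructed NOTES.INI fragment for BostonApp04 (example step 4).
# <port>_TcpIpAddress=0,<ip>:<tcpport> is Domino's binding setting (assumed here).
NOTES_INI = """\
PORT=TCPIP2, TCPIP1
TCPIP1_TcpIpAddress=0,103.210.20.2:1352
TCPIP2_TcpIpAddress=0,103.210.41.1:1352
"""

# Constructed DNS: the example's SOA entries, keyed by fully qualified name.
DNS: Dict[str, Tuple[str, str]] = {
    "usr-bostonapp04.boston.acme.com": ("A", "103.210.20.2"),
    "bostonapp04.boston.acme.com": ("CNAME", "usr-bostonapp04.boston.acme.com"),
    "srv-bostonapp04.domino.acme.com": ("A", "103.210.41.1"),
    "bostonapp04.domino.acme.com": ("CNAME", "srv-bostonapp04.domino.acme.com"),
}

# Constructed Server document: ports in the order listed on the
# Ports - Notes Network Ports tab, each with its Net Address field.
SERVER_DOC: List[Tuple[str, str]] = [
    ("TCPIP1", "bostonapp04.boston.acme.com"),   # users' port, listed first
    ("TCPIP2", "bostonapp04.domino.acme.com"),   # server-to-server port
]


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Parse KEY=value lines; keys are case-insensitive, so they are upper-cased."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip()
    return settings


def port_order(settings: Dict[str, str]) -> List[str]:
    """Ports in PORT= order; the first is tried first for outbound connections."""
    return [p.strip().upper() for p in settings.get("PORT", "").split(",") if p.strip()]


def bound_ip(settings: Dict[str, str], port: str) -> Optional[str]:
    """IP address a Notes TCP/IP port is bound to, from <port>_TcpIpAddress=0,<ip>:<tcpport>."""
    raw = settings.get(f"{port.upper()}_TCPIPADDRESS")
    if raw is None or "," not in raw:
        return None
    host_port = raw.split(",", 1)[1]
    return host_port.rsplit(":", 1)[0]


def resolve(fqdn: str, dns: Dict[str, Tuple[str, str]], max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs to an A record; None if the name is missing or the chain is too long."""
    name = fqdn.lower()
    for _ in range(max_hops):
        record = dns.get(name)
        if record is None:
            return None
        if record[0] == "A":
            return record[1]
        name = record[1].lower()
    return None


def check_config(ini_text: str, server_doc: List[Tuple[str, str]], user_port: str,
                 server_port: str, dns: Dict[str, Tuple[str, str]] = DNS) -> List[str]:
    """Return the list of problems found; an empty list means the pieces agree."""
    problems: List[str] = []
    settings = parse_notes_ini(ini_text)
    order = port_order(settings)
    if order[:1] != [server_port.upper()]:
        problems.append(f"NOTES.INI PORT= should list the server-to-server port "
                        f"{server_port} first, got {order}")
    bound: Dict[str, str] = {}
    for port in order:
        ip = bound_ip(settings, port)
        if ip is None:
            problems.append(f"{port} is not bound to an IP address in NOTES.INI")
        else:
            bound[port] = ip
    if len(set(bound.values())) != len(bound):
        problems.append("two TCP/IP ports are bound to the same IP address")
    if [p.upper() for p, _ in server_doc][:1] != [user_port.upper()]:
        problems.append(f"Server document must list the users' port {user_port} first; "
                        "the Notes Name Service uses the first Net Address field")
    for port, net_address in server_doc:
        ip = resolve(net_address, dns)
        if ip is None:
            problems.append(f"{port}: Net Address {net_address} does not resolve in DNS")
        elif ip != bound.get(port.upper()):
            problems.append(f"{port}: Net Address {net_address} resolves to {ip}, "
                            f"but the port is bound to {bound.get(port.upper())}")
    return problems


if __name__ == "__main__":
    print(check_config(NOTES_INI, SERVER_DOC, "TCPIP1", "TCPIP2") or "configuration consistent")
```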
IPv6 and Lotus Domino
Because support for IPv6 by hardware and operating system suppliers
and the Internet is still in the early stages, moving to the IPv6 standard
will be a gradual process for most organizations. In Lotus Domino, you
can enable IPv6 support for SMTP, POP3, IMAP, LDAP, and HTTP
services on AIX®, Solaris®, and Linux systems.
Domino supports both IPv6 and IPv4. Thus, if an IPv6-enabled Domino
server encounters an IP address in IPv4 format, the Domino server can
still make the connection to that address.
In DNS, records that store IPv6 addresses are called AAAA records.
After you enable IPv6 on a Domino server and add the server’s AAAA record to DNS, another IPv6-enabled Domino server can connect to it only over IPv6. Servers that don’t support IPv6 can run Domino with IPv6 support disabled, which is the default. These servers can successfully connect to IPv6-enabled Domino servers only if the DNS for the IPv6 servers contain A records.
Setting Up the Domino Network 2-25
Using IPv6 in a Domino network
For best results when using IPv6 with Domino servers, set up network
devices in the network pathway to connect directly with native IPv6,
rather than tunnel through the IPv4 network.
How Lotus Domino decides whether to connect over IPv6 or IPv4
A Domino server evaluates the address format and then, based on that
information, makes an IPv4 or an IPv6 connection.
Field               Action
Port                Enter the port name. Lotus Domino assigns a default port name to each network protocol detected on the system.
Notes Network       Enter the name of the Notes named network for the group of Domino servers that are in this location and run on a particular protocol — for example, Boston TCPIP. Space characters are allowed in a Notes network name.
Net Address         Enter the protocol-specific name of the server — for example, sales.acme.com. The name you use depends on the convention of the network protocol. This field is used to determine the address that other servers use to access this server.
Disabled/Enabled    Choose Enabled so that other servers will know the port is enabled.
11. Save the Server document.
12. Make sure that this server is set up to replicate its Domino Directory
to other servers, or enter the preceding changes to the Server
document on a server that is set up to do the replication, or other
servers will not know that they can connect to this server over the
newly enabled port.
13. If you are adding an additional TCP/IP port on a computer with
multiple NICs, see these topics:
Binding an NRPC port to an IP address
Binding an Internet service to an IP address.
14. If you are adding an additional NetBIOS port on a computer with
multiple NICs, see the topic Creating additional network ports for
NetBIOS.
Renaming a network port on a server
You might want to rename a port to reflect its function. For example,
suppose you add a second TCP/IP port named SRV-TCP so that
clustered servers can communicate over a private network. Then you
might want to rename the original TCP/IP port, through which users
will communicate with the server, to USR-TCP.
1. From the Domino Administrator or Web Administrator, click the
server on which you want to rename a port.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the port you want to rename.
5. Click Rename, and then enter the new name. Do not use spaces in the
port name.
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
From the Domino Administrator’s Tools pane, choose Restart Port.
(If you can’t see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator’s Ports tool, choose Restart.
9. In the server document, on the Ports - Notes Network Ports tab,
change the name of the port to the new name and save the
document.
10. If this server is the source server for any Connection documents in
the Domino Directory, click Server - Connections.
11. Select a Connection document and click Edit Connection.
12. On the Basics tab, enter the new port name in the “Use the port(s)”
field.
13. Save and close the Connection document.
14. Repeat steps 11 to 13 for each Connection document for which this
server is the source.
Reordering network ports on a server
Changing the order in which ports are listed in the Setup Ports dialog
box also changes the Ports setting in the NOTES.INI file. List the ports in
the order in which you want them to be used — for example, list nearest
or fastest connections first. Then when a server uses a Notes named
network or a Connection document to locate another server, the port
with a close or fast connection will be used as the preferred path.
If the Domino server has multiple TCP/IP ports, see the topic
“Reordering multiple server ports for TCP/IP” later in this chapter.
To reorder network ports
1. From the Domino Administrator or Web Administrator, click the
server on which you want to reorder ports.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the port that you want to relocate in the list.
5. Click the up and down arrows, as necessary to relocate the port.
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
From the Domino Administrator’s Tools pane, choose Restart Port.
(If you can’t see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator’s Ports tool, choose Restart.
9. In the Server document, on the Ports - Notes Network Ports tab,
change the port order to the new order by cutting and pasting all the
necessary fields.
10. Save the Server document.
Note When you create a Connection document on a server, the
Connection document takes the port order from the order in the Setup
Ports dialog box. Then, whenever the server connects with the
destination server, the server obtains the port order directly from the
Connection document. If you change the port order after you create
Connection documents, you must save each Connection document again.
To have different Connection documents reflect different port orders,
change the port order, save a Connection document, change the port
order again, save another Connection document, and so on.
Deleting a network port on a server
If you delete a port, it no longer appears in the list of available ports in
the Setup Ports dialog box.
1. From the Domino Administrator or Web Administrator, click the
server on which you want to delete a port.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the port you want to delete.
5. Click Delete.
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
From the Domino Administrator’s Tools pane, choose Restart Port.
(If you can’t see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator’s Ports tool, choose Restart.
9. In the Server document, on the Ports - Notes Network Ports tab,
delete the contents of all the fields next to the name of the port you
are deleting.
10. Save the Server document.
Encrypting NRPC communication on a server port
You can encrypt network data on a server’s Notes network ports to
prevent the network eavesdropping that’s possible with a network
protocol analyzer. Network encryption occurs at the application layer of
a given protocol and is independent of other forms of encryption.
Network data is encrypted only while it is in transit. After the data is
received and stored, network encryption is no longer in effect.
Network data encryption occurs if you enable network data encryption
on either side of a network connection. For example, if you enable
encryption on a server’s Notes network port for TCP/IP, you don’t need
to enable encryption on the TCP/IP ports of workstations or servers that
connect to the server.
If you want the server to have one TCP/IP port for Notes traffic over the
Internet and another TCP/IP port for internal traffic over NRPC, you can
encrypt the port for Internet traffic and leave the port for internal traffic
unencrypted.
Be aware that multiple high-speed encrypted connections to a server can
affect server performance adversely. Encrypting network data has little
effect on client performance. For protocols other than NRPC, you use SSL
for encryption.
For more information, see the chapter “Setting Up SSL on a Domino
Server.”
To encrypt NRPC communication
1. From the Domino Administrator or Web Administrator, choose the
server for which you want to encrypt network data.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the port you want to encrypt.
5. Select “Encrypt network data.”
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
From the Domino Administrator’s Tools pane, choose Restart Port.
(If you can’t see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator’s Ports tool, choose Restart.
Compressing network data on a server port
To reduce the amount of data transmitted between a Notes workstation
and Domino server or between two Domino servers, enable network
compression for each enabled network port. Whether you should enable
compression on a network port depends on the type of network
connection and the type of data being transmitted.
For compression to work, enable it on both sides of a network
connection. To enable compression for a network port on a server, use
the Server tab in the Domino Administrator. To enable compression on
network ports on Notes workstations, from the Domino Administrator,
use a setup or desktop policy settings document or from a workstation,
use the User Preferences dialog box.
For information on policy settings, see the chapter “Using Policies.”
WAN connections
Enabling network compression on X.PC ports can significantly reduce
the time it takes to send and receive data over a remote connection
between a Notes workstation and a Domino server or between two
Domino servers.
You benefit from using network compression only if the data being
transmitted is not already compressed. In the case of a network dialup
service such as Microsoft’s Remote Access Service (RAS), which includes
built-in compression, enabling compression on Notes network ports does
not provide any additional benefit. The same is true of tasks involving
data that was compressed using the Lempel-Ziv algorithm (LZ1
compression) — such as replicating a mail file with a large number of
compressed attachments.
LAN connections
While compression decreases bandwidth use on a LAN, you must weigh
this gain against increased memory and processor use, since network
compression works by buffering data before compressing it. The cost of
compression might be worth it only for a heavily loaded network.
To compress data on a server port
1. From the Domino Administrator or Web Administrator, click the
server for which you want to turn on network compression.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the port for which you want to turn on compression.
Note Make sure “Port enabled” is selected for that port.
5. Select “Compress network data.”
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
From the Domino Administrator’s Tools pane, choose Restart Port.
(If you can’t see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator’s Ports tool, choose Restart.
Server setup tasks specific to TCP/IP
After you run the Domino Server Setup program, complete these
procedures:
1. Set up a secondary name server for Notes clients.
2. Change the server’s connection-time-out interval.
3. For servers that provide services to Internet clients, enable Domino
support for IPv6.
4. For configurations involving multiple NICs on a server or
partitioned server:
Reorder multiple Notes network ports for TCP/IP.
Bind an NRPC port to an IP address.
Bind an Internet service to an IP address.
5. For a partitioned server with a single NIC for the entire computer,
assign an IP address to each server partition.
6. Change a default TCP or SSL port number.
7. Confirm that TCP/IP is configured properly.
Setting up a secondary name server
To ensure that the Notes Name Service is always available to Notes
workstations, assign a secondary name server in users’ Location
documents. You can specify a different secondary name server for each
LAN location defined. The secondary name server is used when:
The user’s home server is down.
The user’s home server is not running TCP/IP.
The name of the user’s home server cannot be resolved over TCP/IP.
For examples of situations in which the name of a home server cannot be
resolved, see the topic “Ensuring DNS resolves in advanced TCP/IP
configurations” earlier in this chapter.
Note You can use setup or desktop policy settings to assign secondary
name servers to groups of users.
For more information, see the chapter “Using Policies.”
To set up a secondary name server
1. On the Notes workstation, choose File - Mobile - Locations, and open
the location for which you want to designate a secondary name
server.
2. Click “Edit Location.”
3. Click the Advanced - Secondary Servers tab. (The Advanced tab
appears only if you have a location defined as “Local Area Network”
or “Both Dialup and Local Area Network.”)
4. In the “Secondary TCP/IP Notes server name” field, enter one of the
following:
The common name of the Domino server — for example,
Notesserver1
The hierarchical name of the Domino server — for example,
Notesserver1/Acme
5. In the “Secondary TCP/IP host name or address” field, enter one of
the following:
IP address — for example, 197.114.33.22
The fully qualified domain name — for example,
notesserver1.acme.com
The simple host name — for example, notesserver1
If you specify only the host name in this field, the workstation
must use the Domain Name System (DNS) or local hosts file to
locate the secondary name server. When you specify the IP
address in this field, Lotus Domino resolves the host’s IP address
without having to perform a DNS or hosts file lookup.
6. Click “Save and Close.”
Changing the TCP/IP connection-time-out interval
You might want to increase the number of seconds that Lotus Domino
waits before terminating a connection attempt. For example, increasing
the time-out interval is often necessary on a server that dials up other
Domino servers. The default time-out interval is 5 seconds.
1. From the Domino Administrator or Web Administrator, click the
server for which you want to change the time-out interval.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the TCP/IP port.
5. Click “TCPIP Options,” and enter the new time-out interval, in seconds.
Note Unless the connection is over a dial-on-demand ISDN modem,
remote bridge, or router, it is best to enter a number no greater than
10, as the Notes client or Domino server won’t retry the connection
until the timer has expired.
6. Click OK.
Enabling support for IPv6 on a Domino server
You can enable support for IPv6 on a Domino server that runs the IMAP,
POP3, SMTP, LDAP, or HTTP service.
To enable IPv6, add this NOTES.INI setting to the server’s NOTES.INI
file:
TCP_EnableIPV6=1
Reordering multiple server ports for TCP/IP
If a Domino server has multiple Notes network ports for TCP/IP, the
order in which these ports are listed in the NOTES.INI file and the Server
document affects how other servers and workstations connect to this
server. The Ports setting in the NOTES.INI file determines which port a
workstation or server tries first. In the absence of other settings that bind
an NRPC, POP3, IMAP, SMTP, or LDAP service to an IP address, all of
these services will try to use the port listed first in the NOTES.INI file.
Server-to-server communication
If you add a second Notes network port for TCP/IP in order to isolate
server-to-server communication — for example, a private network for
cluster replication — list this port first in the NOTES.INI file so that
server-to-server traffic will tend to occur over this connection, thus
decreasing the data flow on the port for the user network. To change the
port order in the NOTES.INI file, use the Port Setup dialog box.
For more information, see the topic “Reordering network ports on a
server” earlier in this chapter.
Note If you are setting up a private cluster network and do not list the
server port first, you must add the setting Server_Cluster_Default_Port
to the NOTES.INI file. The disadvantage of adding this setting is that if
the server encounters a problem connecting over this port, it will not try
another port, and replication will not occur.
For more information on the Server_Cluster_Default_Port setting, see the
appendix “NOTES.INI File.”
Workstation-to-server communication
If a Domino server has a port for workstations to connect on — for
example, over a LAN — and another port for servers to connect on — for
example, over a WAN — list the workstation port first in the Server
document so that users see only servers on the LAN when they choose
File - Database - Open.
To reorder the ports in the Server document, click the Ports - Notes
Network Ports tab, and edit the fields in the table.
Binding an NRPC port to an IP address
By default, all TCP/IP-based services on a Domino server listen for
network connections on all NICs and on all configured IP addresses on
the server. If you have enabled more than one Notes network port for
TCP/IP (TCP port for NRPC) on either a single Domino server or a
Domino partitioned server, you must associate the NRPC ports and IP
addresses by binding each port to an address.
For background information on Domino server setups with multiple IP
addresses, see the topic “Advanced Domino TCP/IP configurations”
earlier in this chapter.
To bind an NRPC port to an IP address
1. For each IP address, make sure you have added a Notes port for
TCP/IP. Also make sure that each port has a unique name.
For information on adding a Notes port, see the topic “Adding a
network port on a server” earlier in this chapter.
2. In the NOTES.INI file, confirm that these lines appear for each port
that you added:
Ports=TCPIPportname
TCPIPportname=TCP, 0, 15, 0
Where TCPIPportname is the port name you defined.
3. For each port that you want to bind to an IP address, add this line to
the NOTES.INI file:
TCPIPportname_TCPIPAddress=0,IPaddress
Where IPaddress is the IP address of the specific NIC.
For example:
TCPIP_TCPIPAddress=0,130.123.45.1
Note For IPv6, enclose the address in square brackets, as it contains
colons. For example:
TCPIP_TCPIPAddress=0,[fe80::290:27ff:fe43:16ac]
4. (Optional) To help you later remember the function of each port, add
the default TCP port number for NRPC to the end of the line you
entered in Step 3, as follows:
:1352
Caution Do not change the assigned TCP port number unless you
have a way to redirect the inbound connection with Domino port
mapping or a firewall that has port address translation (PAT).
In a situation where you must change the default NRPC port
number, see the topic “Changing a TCP or SSL port number” later in
this chapter.
Binding an Internet service to an IP address
If the Domino server has multiple Notes network ports for TCP/IP
(NRPC ports) and the server is also hosting the SMTP, POP3, IMAP,
LDAP, or Internet Cluster Manager (ICM) service, you must specify the
NRPC port that you want the service to use in the NOTES.INI file. If you
do not specify an NRPC port for an Internet service, by default the
service will use the port listed first in the Ports setting in the NOTES.INI
file. You can specify the same NRPC port for multiple Internet services.
For the Domino Web server (HTTP service), you use the Server
document to bind HTTP to a host name or IP address.
To bind the SMTP, POP3, IMAP, LDAP, or ICM service
1. Bind each NRPC port to an IP address.
2. In the NOTES.INI file, specify the appropriate NRPC port for each
Internet service as follows:
Note If you don’t know the port name to enter for an NRPC port,
open the Server document, click the Ports - Notes Network Ports tab,
and look at the ports associated with the TCP protocol.
Service   Action
POP3      Enter POP3NotesPort=port name, where port name is the name of the NRPC port that you want to link the service to.
IMAP      Enter IMAPNotesPort=port name, where port name is the name of the NRPC port that you want to link the service to.
SMTP      Enter SMTPNotesPort=port name, where port name is the name of the NRPC port that you want to link the service to.
LDAP      Enter LDAPNotesPort=port name, where port name is the name of the NRPC port that you want to link the service to.
ICM       Enter ICMNotesPort=port name, where port name is the name of the NRPC port that you want to link the service to.
Example
The following example shows the lines to add to the Ports section of the
NOTES.INI file to bind two NRPC ports to their IP addresses and to
specify the second NRPC port for the SMTP service. The lines you add are
the two _TCPIPAddress lines and the SMTPNotesPort line (shown in bold
in the printed manual):
Ports=TCPIP, TCPIP2
TCPIP=TCP, 0, 15, 0
TCPIP_TCPIPAddress=0,10.33.52.1
TCPIP2=TCP, 0, 15, 0
TCPIP2_TCPIPAddress=0, 209.98.76.10
SMTPNotesPort=TCPIP2
Note Domino adds the other lines (Ports= and the two port definitions)
when you use either the Domino Server Setup program or the Domino
Administrator’s Setup Ports dialog box to enable a port.
To bind the HTTP service
1. On the Internet Protocols - HTTP tab of the Server document, enter
one or more IP addresses or FQDNs for the server in the “Host
name(s)” field.
2. Select Enabled in the “Bind to host name” field.
Note If the server is a partitioned server and has Web sites configured
with separate IP addresses, or has virtual servers (Domino 5) configured
for one or more partitions, enter the partition’s IP address, and each Web
site or virtual server’s IP address in the “Host name(s)” field, separated
by semicolons. Alternatively, you can use FQDNs in this field. Do not list
additional Web sites and virtual hosts that have IP addresses that are
already listed in this field.
Example 1 — Server partition with Web sites
The partition’s host name is app01 and there are two Web sites
configured for it: sales.acme.com and accounting.acme.com. The Web site
sales.acme.com uses the same IP address as the partition, and the Web
site accounting.acme.com has its own IP address. Enter the following in
the “Host name(s)” field:
9.88.43.113;9.88.46.110
where 9.88.43.113 is the IP address for both the partition and the Web
site sales.acme.com and 9.88.46.110 is the IP address for the Web site
accounting.acme.com.
Example 2 — Server partition with virtual servers
The partition’s host name is app01 and there are two virtual servers
(9.88.46.114 and 9.88.46.115) and one virtual host configured for it. Enter
the following in the “Host name(s)” field:
9.88.43.113;9.88.46.114;9.88.46.115
where 9.88.43.113 is the IP address for both the partition and the
virtual host sales.acme.com, 9.88.46.114 is the IP address for virtual
server 1 (accounting.acme.com), and 9.88.46.115 is the IP address for
virtual server 2 (northeastsales.acme.com).
For information on Web sites and Internet Site documents, see the
chapter “Installing and Setting Up Domino Servers.”
Assigning separate IP addresses to partitions on a system with a single NIC
If you use a single NIC with multiple IP addresses, you must complete
additional configuration instructions, which are based on your operating
system, for each server partition.
Note Using separate IP addresses with a single NIC can have a negative
impact on the computer’s I/O performance.
For background information on partitioned servers and the TCP/IP
network, see the topic “Partitioned servers and IP addresses” earlier in
this chapter.
IBM AIX or Linux
You must be logged on as root.
To enable an IP address in IBM AIX
1. Add one entry in the local host names file /etc/hosts for each server
partition. The entry for the partition that uses the computer host
name should already exist.
2. To enable an IP address, enter this command under the heading
“Part 2 - Traditional Configuration” in the startup file (/etc/rc.net).
Do not enter this command for the partition that uses the computer
host name.
/usr/sbin/ifconfig interface alias server_name
where interface is the name of the network interface, and server_name
is the name of the partitioned server — for example:
/usr/sbin/ifconfig en0 alias server2
3. Restart the system if necessary, and test the configuration. From
another computer, use the ping command with the server names. To
show the network status, use the netstat command.
To disable an IP address in IBM AIX or Linux
Do not remove the IP address of a server partition that uses the computer
host name as its server name.
1. Enter this command at the console:
/usr/sbin/ifconfig interface delete server_name
where interface is the name of the network interface, and server_name
is the name of the partitioned server.
2. Remove the partition’s name entry from the local host names
/etc/hosts file.
3. Remove the corresponding ifconfig command from the system
startup /etc/rc.net file.
Sun Solaris
This procedure is for Sun Solaris 2.6. You must have superuser privileges
to configure the NIC.
To enable an IP address in Sun Solaris
1. Add one entry in the local host names /etc/hosts file for each server
partition. The entry for the partition that uses the computer host
name should already exist.
2. For each partition, create a file named:
/etc/hostname.device:n
where device is the device name of the NIC, and n is a number that
increments for each file name. The /etc/hostname.hme0 file should
already exist and contain the computer host name.
For example, if /etc/hostname.hme0 contains the name Server1,
create:
/etc/hostname.hme0:1
which contains the name Server2, and
/etc/hostname.hme0:2
which contains the name Server3.
3. Create the alias for each IP address that goes to the NIC which is
hme0. At the console, enter:
/sbin/ifconfig hme0 plumb
/sbin/ifconfig hme0:n IP_address
where n is the number you created in Step 2 for each file name, and
IP_address is the address assigned to the corresponding server in Step
1. For example:
/sbin/ifconfig hme0 plumb
/sbin/ifconfig hme0:1 111.123.11.96
/sbin/ifconfig hme0:2 111.123.11.22
4. To verify the IP addresses that you configured, enter:
/sbin/ifconfig -a
5. To enable each IP address that you configured in Step 3, enter:
/sbin/ifconfig hme0:n up
where n is the number assigned to the file that contains the server
name. For example:
/sbin/ifconfig hme0:1 up
/sbin/ifconfig hme0:2 up
To disable an IP address, enter:
/sbin/ifconfig hme0:n down
6. To configure the NIC to support multiple IP addresses at system
startup, add this ifconfig command to the startup file (probably
/etc/rc2.d/S30sysident):
/sbin/ifconfig hme0 plumb
/sbin/ifconfig hme0:n IP_address
/sbin/ifconfig hme0:n up
where n corresponds to the number you created in Step 2 for each
file name, and IP_address is the address assigned to the
corresponding server in Step 1.
7. Test the configuration. From another computer, use the ping
command with the server names. To show the network status, use
the netstat command.
To disable an IP address in Sun Solaris
Do not remove the IP address of the server partition that uses the
computer host name as its server name.
1. To disable the IP address, type:
/sbin/ifconfig hme0:n down
where n is the number assigned to the file that contains the server
name. For example:
/sbin/ifconfig hme0:1 down
2. Remove the corresponding /etc/hostname.hme0:n file. For example,
to remove Server2, remove the /etc/hostname.hme0:1 file, which
contains the name Server2.
3. Remove the partition’s server name entry from the local host names
/etc/hosts file.
Windows
To configure a single NIC for multiple IP addresses on Windows
systems, do the following:
On Windows NT, use the Network icon on the Control Panel. For
more information, see the Windows NT documentation.
For Windows 2000, use the Network and Dial-up Connections
icon on the Control Panel, and then the Local Area Connection
icon. Click the Properties button. For more information, see the
Windows 2000 documentation.
Configuring a partitioned server for one IP address and port mapping
To configure server partitions to share the same IP address and the same
NIC, you use port mapping. With port mapping, you assign a unique
TCP port number to each server partition and designate one partition to
perform port mapping. The port-mapping partition listens on port 1352
and redirects Notes and Domino connection requests to the other
partitions.
If the port-mapping partition fails, existing sessions on the other
partitions remain connected. In most cases, Notes clients will not be able
to open new sessions on any of the partitions. However, because each
Notes client maintains information in memory about recent connections,
including those redirected by the port-mapping partition, a client may be
able to connect to a partition even when the port-mapping partition is not
running. A client or remote server that has a Connection document
containing both the IP address and the assigned port can always access
the port-mapping partition.
Because the port-mapping partition requires extra system resources,
consider dedicating the partition to this task only. To do this, remove all
other server tasks, such as mail routing and replication, from the
partition’s NOTES.INI file.
Port mapping works for NRPC communication only. However, you can
use the Server document in the Domino Directory to configure IMAP,
LDAP, and POP3 services and Domino Web servers to use unique ports
for communication. When you do, you must make the port number
available to users when they try to connect to the servers.
Note Because Internet protocols carry a large amount of data, you may
encounter I/O bottlenecks if you use a single NIC with too many server
partitions. Consider adding additional NICs and isolating the data by
protocol.
To configure for one IP address and port mapping
When you set up port mapping, the port-mapping partition
automatically routes NRPC communication requests to the other server
partitions.
1. Decide which server partition will perform port mapping.
2. Choose a unique TCP/IP port number for each server partition on
the computer. The port-mapping partition uses the assigned port,
1352. It is best to use port numbers 13520, 13521, 13522, 13523, or
13524 for the additional server partitions.
3. In the NOTES.INI file of the port-mapping partition, include one line
for the port-mapping partition and one line for each of the other
partitions. For the port-mapping partition, enter:
TCPIP_TcpIpAddress=0,IPAddress:1352
where TCPIP is the port name, and IPAddress is the IP address of the
port-mapping partition.
For each of the other partitions, enter:
TCPIP_PortMappingNN=CN=server_name/O=org,IPaddress:TCP/IP port number
where TCPIP is the port name, NN is a number between 00 and 04
assigned in ascending sequence, server_name is the server name of the
partition, org is the organization name, IPAddress is the shared IP
address, and TCP/IP port number is the unique port number you
chose for the partition.
Note You must assign the numbers for NN in ascending order
beginning with 00 and ending with a maximum of 04. If there is a
break in the sequence, Domino ignores the subsequent entries.
4. In the NOTES.INI file of each of the other partitions, include this line:
TCPIP_TcpIpAddress=0, IPAddress:IPport_number
where TCPIP is the port name, IPAddress is the shared IP address,
and IPport_number is the unique port number you chose for the
partitioned server.
5. In the Net Address field on the Ports - Notes Network Ports tab in
the Server document for each partition, enter the fully qualified
domain name — for example, sales.acme.com — or enter the
common server name — for example, Sales.
6. Create an IP address entry for the port-mapping partition in the
DNS, NIS, or the local hosts file.
7. Include each partition name as a separate CNAME entry in the DNS,
NIS, or the local hosts file.
8. If you also plan to set up the partitions for IMAP, LDAP, and POP3
services and Web server communication, assign to each protocol a
unique port number in the “TCP/IP port number” field on the
appropriate subtabs (Web, Directory, and Mail) on the Ports -
Internet Ports tab of the Server document.
Note You must make these port numbers available to users when
they try to connect to these servers. For example, if you assign port
12080 to the Web server acme.com, users must include
acme.com:12080 in the URL in order to connect to the server, unless
they have a means to redirect the connection to this port assignment.
Example
This example shows the lines you add to the NOTES.INI files of the
server partitions to set up port mapping for six partitions.
Partition 1 (the port-mapping partition)
TCPIP_TcpIpAddress=0,192.94.222.169:1352
TCPIP_PortMapping00=CN=Server2/O=Org2,192.94.222.169:13520
TCPIP_PortMapping01=CN=Server3/O=Org3,192.94.222.169:13521
TCPIP_PortMapping02=CN=Server4/O=Org4,192.94.222.169:13522
TCPIP_PortMapping03=CN=Server5/O=Org5,192.94.222.169:13523
TCPIP_PortMapping04=CN=Server6/O=Org6,192.94.222.169:13524
Partition 2
TCPIP_TcpIpAddress=0,192.94.222.169:13520
Partition 3
TCPIP_TcpIpAddress=0,192.94.222.169:13521
Partition 4
TCPIP_TcpIpAddress=0,192.94.222.169:13522
Partition 5
TCPIP_TcpIpAddress=0,192.94.222.169:13523
Partition 6
TCPIP_TcpIpAddress=0,192.94.222.169:13524
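As an added example (not code from the manual or from IBM), the following Python checks a NOTES.INI fragment against the rules of the two procedures above: every port named in Ports= has a definition and, when there is more than one NRPC port, a _TCPIPAddress binding; each service NotesPort setting names a listed port; and on a port-mapping partition the PortMappingNN entries start at 00 and are contiguous, so entries after a gap are reported as ignored. The sample NOTES.INI fragments are constructed, and the function names are my own.

```python
"""Added example, not from the Domino manual: checks the NOTES.INI port-binding lines
(Ports=, portname=TCP,..., portname_TCPIPAddress=, <service>NotesPort=) and the
port-mapping lines (portname_PortMappingNN=) described above."""
import ipaddress
import re

NRPC_DEFAULT_PORT = 1352
INTERNET_SERVICES = ("POP3", "IMAP", "SMTP", "LDAP", "ICM")

# Constructed sample: the two-port binding example from the text.
SAMPLE_BINDING = """Ports=TCPIP, TCPIP2
TCPIP=TCP, 0, 15, 0
TCPIP_TCPIPAddress=0,10.33.52.1
TCPIP2=TCP, 0, 15, 0
TCPIP2_TCPIPAddress=0, 209.98.76.10
SMTPNotesPort=TCPIP2
"""

# Constructed sample: a port-mapping partition whose entries jump from 00 to 02.
SAMPLE_MAPPING = """Ports=TCPIP
TCPIP=TCP, 0, 15, 0
TCPIP_TcpIpAddress=0,192.94.222.169:1352
TCPIP_PortMapping00=CN=Server2/O=Org2,192.94.222.169:13520
TCPIP_PortMapping02=CN=Server3/O=Org3,192.94.222.169:13521
"""

def parse_notes_ini(text):
    """Return {lowercased key: value}; NOTES.INI keys are not case-sensitive."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(";"):  # skip blank lines and ; comments
            settings[key.strip().lower()] = value.strip()
    return settings

def parse_address(value):
    """Parse '0,IPaddress[:port]' (IPv6 in square brackets) into (ip, port or None)."""
    m = re.fullmatch(r"0\s*,\s*(\[[^\]]+\]|[^:\s]+)(?::(\d+))?", value)
    if not m:
        raise ValueError(f"malformed address value {value!r}")
    ip = ipaddress.ip_address(m.group(1).strip("[]"))
    return ip, (int(m.group(2)) if m.group(2) else None)

def check_port_bindings(settings):
    """List problems with NRPC port bindings and Internet-service-to-port links."""
    problems = []
    ports = [p.strip() for p in settings.get("ports", "").split(",") if p.strip()]
    if not ports:
        return ["no Ports= line"]
    for p in ports:
        if not settings.get(p.lower(), "").upper().startswith("TCP"):
            problems.append(f"{p}: listed in Ports= but no {p}=TCP,... definition")
        bind = settings.get(f"{p.lower()}_tcpipaddress")
        if bind is None:
            if len(ports) > 1:  # with several NRPC ports, each one must be bound
                problems.append(f"{p}: no {p}_TCPIPAddress binding")
            continue
        try:
            _, port = parse_address(bind)
        except ValueError as exc:
            problems.append(f"{p}: {exc}")
            continue
        if port not in (None, NRPC_DEFAULT_PORT):
            problems.append(f"{p}: NRPC port {port} is not 1352; needs port mapping or PAT")
    lower_ports = {p.lower() for p in ports}
    for svc in INTERNET_SERVICES:
        linked = settings.get(f"{svc.lower()}notesport")
        if linked is not None and linked.lower() not in lower_ports:
            problems.append(f"{svc}NotesPort={linked} names a port missing from Ports=")
    return problems

def check_port_mapping(settings, portname="TCPIP"):
    """Return (problems, active) for a port-mapping partition; active maps NN to
    (server name, port) for the entries Domino honours: 00 upward, contiguous, max 04."""
    problems, active = [], {}
    own = settings.get(f"{portname.lower()}_tcpipaddress")
    if own is None:
        return [f"{portname}_TCPIPAddress missing on the port-mapping partition"], active
    shared_ip, own_port = parse_address(own)  # raises ValueError if malformed
    if own_port != NRPC_DEFAULT_PORT:
        problems.append(f"port-mapping partition must listen on :{NRPC_DEFAULT_PORT}")
    pattern = re.compile(re.escape(portname.lower()) + r"_portmapping(\d\d)")
    entries = {int(m.group(1)): v for k, v in settings.items() if (m := pattern.fullmatch(k))}
    seen_ports, expected = {own_port}, 0
    for nn in sorted(entries):
        if nn != expected or nn > 4:
            problems.append(f"PortMapping{nn:02d}: breaks the contiguous 00..04 sequence; ignored")
            continue  # expected is not advanced, so every later entry is reported too
        expected += 1
        name, _, addr = entries[nn].partition(",")
        ip, port = parse_address("0," + addr.strip())
        if ip != shared_ip:
            problems.append(f"PortMapping{nn:02d}: {ip} is not the shared address {shared_ip}")
        if port in seen_ports:
            problems.append(f"PortMapping{nn:02d}: port {port} is already in use on this address")
        seen_ports.add(port)
        active[nn] = (name.strip(), port)
    return problems, active
```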
Changing a TCP or SSL port number
The following sections describe the TCP ports that Domino services use
and provide guidelines should you ever need to change these ports.
Default port for NRPC
By default, all NRPC connections use TCP port 1352. Because the Internet
Assigned Number Authority (IANA) assigned Lotus Domino this port
number, non-Domino applications do not usually compete for this port.
Do not change the default NRPC port unless:
You can use a NAT or PAT firewall system to redirect a remote
system’s connection attempt.
You are using Domino port mapping.
You create a Connection document that contains the reassigned
port number.
To change the default NRPC port number, use the NOTES.INI setting
TCPIPportname_TCPIPAddress and enter a value available on the system
that runs the Domino server. TCP ports with numbers less than 5000 are
reserved for application vendors. You may use any number from 1024
through 5000, as long as you don’t install a new application that requires
that number.
Default ports for Internet services
You may occasionally need to change the number of the TCP or SSL port
assigned to an Internet service. Lotus Domino uses these default ports for
Internet services:
Name      Protocol
NwlnkNb   Novell NetBIOS
Nbf       NetBEUI
NetBT     NetBIOS over TCP/IP (RFC 1001/1002)
each network card or dialup network interface. For example, the
Network Route entry Nbf->Elnk3 is NetBEUI on a 3Com Etherlink III
card, and Nbf->NdisWan5 is NetBEUI on a Microsoft Remote Access
Service (RAS) connection.
To find the LANA number for a NetBIOS protocol on a Windows 95/98, XP, or 2000 system
Unlike a Windows NT system, a Windows 95/98, XP, or 2000 system
does not have a direct means to see the LANA associations. For
Windows 95/98, XP, or 2000 systems you can either review the system’s
registry bindings or use a Microsoft tool called LANACFG to see and
change the LANA number assignments.
The following is an example of the tool’s output from a Windows 2000
server. Note that the network route linkages shown are the same as in
Windows NT.
lanacfg [options]
showlanapaths - Show bind paths and component descriptions for each exported lana
setlananumber - Change the lana number of a bind path
rewritelanainfo - Verify and write out lana info to the registry
showlanadiag - Show lana diagnostic info
From the DOS prompt, enter
C:\>lanacfg showlanapaths
You see the following:
Lana: 4
-->NetBEUI Protocol-->3Com EtherLink III ISA (3C509/3C509b) in Legacy mode
Lana: 7
-->NetBEUI Protocol-->WAN Miniport (NetBEUI, Dial Out)
Lana: 3
-->NWLink NetBIOS
Lana: 0
-->WINS Client(TCP/IP) Protocol-->Internet Protocol (TCP/IP)-->3Com EtherLink III ISA (3C509/3C509b) in Legacy mode
Creating additional network ports for NetBIOS
After you run the Domino Server Setup program, you can create network
segments for multiple NetBIOS interfaces on the same computer by
adding a Notes network port for NetBIOS for each additional NIC. The
NICs do not need to use the same transport protocol; each can use
TCP/IP, NetBEUI, or IPX.
In addition to adding each port for NetBIOS, do the following:
Associate each Notes network port for NetBIOS with a specific
NetBIOS interface by defining a LANA identifier for each port.
Make sure that all Domino servers that will access each other have an
interface that uses a common transport protocol. It is best if they are
also in the same Notes named network.
Make sure that the network segments to which the server system’s
NICs are attached do not have a pathway in common. The NetBIOS
name service (NetBIOS over IP) can fail if it detects the same system
name or Domino name echoing back between the pathways. If you
are using both the NetBIOS name service and DNS or a hosts file for
name resolution, make sure that the server name in DNS or the hosts
file is different from the system name.
Server setup tasks specific to IPX/SPX
After you run the Domino Server Setup program, complete these
procedures:
1. Use the Domino Administrator to define a NetWare name service for
the server.
2. If the name service you use is NDS, record the server’s NDS
distinguished name in the Server document.
3. (Optional) Control which IPX/SPX address (socket number) the
server uses.
Defining a server’s NetWare name service in Lotus Domino
If you enabled the server’s Notes network port for SPX through the
Server Setup program, you must use the Domino Administrator to select
which NetWare name service a Domino server uses with IPX/SPX.
For descriptions of supported name services, see the topic “Server
name-to-address resolution over IPX/SPX” earlier in this chapter.
To select a name service
1. From the Domino Administrator or Web Administrator, click the
server for which you want to select an IPX/SPX name service.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the SPX port, and select “Port enabled” if it is not already
selected.
5. Click “SPX Options,” and choose a name service.
6. Restart either the server or the SPX port in order for the change to
take effect.
Tip Record any errors that appear on the console while the server is
restarting.
7. Click OK.
Recording a server’s NDS distinguished name
The Server Setup program adds the common name of the Domino server
to the Net Address field in the Server document. If you are using the
Novell Directory Service (NDS) for the IPX/SPX network, you must edit
this field to contain the server’s NDS distinguished name.
1. From the Domino Administrator, select the server for which you
want to record the NDS distinguished name.
2. Click the Configuration tab.
3. Expand the Server section in the view pane.
4. Click Current Server Document.
5. Click “Edit Server,” and then click the Ports - Notes Network Ports
tab.
6. In the Net Address field for the SPX port, enter the server’s NDS
distinguished name. For example, enter
CN=App04.OU=Chicago.O=Acme
Note NDS names are case-sensitive. Make sure that the NDS tree
object for the Domino server has exactly the same distinguished
name as the one you enter here.
7. Click Save and Close.
Assigning the IPX socket number for a Domino server
The IPX/SPX protocol provides two types of sockets: dynamic sockets
and static, or well-known, sockets. Novell assigns well-known sockets to
products for their exclusive use. Applications using well-known sockets
always listen on the same socket number. Novell manages the
registration of these sockets, allocating them from a range of 0x2000
through 0x3FFF. Dynamic sockets are allocated from a range of 0x4000
through 0x7FFF. Applications using dynamic sockets use whichever
socket number the IPX/SPX stack allocates during the registration of the
service to the local NetWare server by the application. Using dynamic
sockets usually ensures that a socket number is not used twice.
Connections initiated by a Domino server or Notes workstation use a
dynamic socket. For the listener socket, the SPX port driver uses a
modified algorithm for allocating sockets and always tries to use the
same socket number. If the socket number is unavailable, the Domino
server lets the IPX/SPX stack assign one. When a Domino server using
SPX starts for the first time, it uses a dynamic socket and then saves the
socket number. Subsequent invocations of the Domino server use the
saved socket number. Therefore, the socket is called a persistent dynamic
socket.
If for some reason this saved socket number is in use — for example, if
another application using dynamic sockets allocated the socket — the
Domino SPX server allocates a new socket number and saves it for future
invocations.
Assigning a socket number
Controlling the socket number used by the Domino server is useful in
large IPX/SPX networks because an assigned socket number prevents
server name-to-address resolution problems that result when name
service records lag behind a dynamic socket number assignment when a
server is restarted.
To control the socket number, use the NOTES.INI setting
NetWareSocket. NetWareSocket applies only to the listener socket.
Connections initiated by a workstation or server still use a dynamic
socket.
Note If NetWareSocket is set in the NOTES.INI file and the Domino
server cannot bind to the specified socket on the local system’s IPX/SPX
protocol stack, the Domino server will not start. This condition may
occur if the socket number the server normally uses is in use by another
application on the same system.
For example, if the NOTES.INI file contains the setting
NetWareSocket=9135 (which is the decimal value of 23AF), and another
application is assigned that socket number through the dynamic
assignment process, the Domino server can fail to start.
To minimize the chance of the server’s not starting, assign the
NOTES.INI setting NetWareSocket to the address of a well-known
socket. If the problem still occurs, either close the application that is
using the same socket as Domino or reassign a new socket to the Domino
server.
To determine the socket number the Domino server is using, do one of
the following:
Enter SHOW PORT SPX at the console, where SPX is the SPX port
driver name.
Check the NetWareSpxSettings setting in the NOTES.INI file. The
number after the last comma in the value is the decimal value of the
server’s IPX socket. For example, in the setting
NetWareSpxSettings=0,0,0,0,0,3,17393, the 17393 is the socket’s
decimal value.
NOTES.INI settings for networks
The following tables contain the NOTES.INI settings that pertain
specifically to networks.
For more information on these settings, see the appendix “NOTES.INI
File.”
Settings for all NRPC networks
Setting                 Description
portname_MaxSessions    Restricts the number of sessions on a specified port.
Ports                   Specifies which Notes network ports are enabled on a system.
Settings for the TCP/IP network
Setting                          Description
ICMNotesPort                     Specifies the name of the Notes network port for TCP/IP with which you are linking the Internet Cluster Manager (ICM) service.
IMAPNotesPort                    Specifies the name of the Notes network port for TCP/IP with which you are linking the IMAP service.
LDAPNotesPort                    Specifies the name of the Notes network port for TCP/IP with which you are linking the LDAP service.
POP3NotesPort                    Specifies the name of the Notes network port for TCP/IP with which you are linking the POP3 service.
SMTPNotesPort                    Specifies the name of the Notes network port for TCP/IP with which you are linking the SMTP service.
TCP_EnableIPV6                   Specifies whether or not to enable Domino for IPv6.
TCP/IPportname_PortMappingNN     Specifies the TCP/IP port number of each partitioned server sharing the IP address of the port-mapping server.
TCP/IPportname_TCPIPAddress      Defines the IP address and the port number for a Domino server.
Setting Description
Specifies the IPX socket
NetWareSocket
number used by
the Domino server.
Specifies the decimal value of
NetWareSpxSettings
the
Domino server’s IPX socket.
Specifies the password for
NWNDSPassword
Domino to
log in to the Novell Directory
Service
(NDS) tree on system startup.
Specifies the user ID for
NWNDSUserID
Domino to log
in to the Novell Directory
Service (NDS)
tree on system startup.
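The following script is an added example, not part of the Domino documentation or product. It reads a NOTES.INI file and reports the network settings discussed above: which NRPC ports are enabled, whether each has a portname_MaxSessions limit, the address a TCP/IP port is bound to, whether the SPX listener socket is pinned with NetWareSocket (and whether NetWareSpxSettings agrees with it), and whether NWNDSPassword is present. The setting names come from the tables above; the sample NOTES.INI, the port driver lines and the finding texts are constructed for this example.

```python
"""Audit of the network-related NOTES.INI settings listed above.

Added example; it is not part of the Domino documentation or product.
Setting names are from the tables above; the sample file and the
finding texts are constructed for this example.
"""

# Constructed sample NOTES.INI (not taken from a real server).
SAMPLE_NOTES_INI = """\
[Notes]
Directory=/local/notesdata
Ports=TCPIP,SPX
TCPIP=TCP,0,15,0
SPX=NWSPX,0,15,0
TCPIP_MaxSessions=50
TCPIP_TCPIPAddress=0,192.0.2.10:1352
NetWareSocket=9135
NetWareSpxSettings=0,0,0,0,0,3,17393
NWNDSUserID=dominosvc
NWNDSPassword=hunter2
"""


def parse_notes_ini(text):
    """Return {name: value} for NAME=VALUE lines; section headers, blanks and ';' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";")):
            continue
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    return settings


def spx_socket_from_settings(value):
    """NetWareSpxSettings: the number after the last comma is the server's IPX socket in decimal."""
    return int(value.rsplit(",", 1)[-1])


def audit_network_settings(settings):
    """Return a list of (severity, message) findings for one NOTES.INI."""
    findings = []
    ports = [p.strip() for p in settings.get("Ports", "").split(",") if p.strip()]
    findings.append(("info", "enabled NRPC ports: " + (", ".join(ports) or "none")))
    for port in ports:
        if port + "_MaxSessions" not in settings:
            findings.append(("warn", "%s: no %s_MaxSessions limit configured" % (port, port)))
        bound = settings.get(port + "_TCPIPAddress")
        if bound:
            # Value format: <flag>,<address>:<tcp port>; only the address part is reported.
            findings.append(("info", "%s listens on %s" % (port, bound.split(",", 1)[-1])))
    pinned = settings.get("NetWareSocket")
    spx = settings.get("NetWareSpxSettings")
    if pinned is None and spx is not None:
        findings.append(("warn", "NetWareSocket not set: the SPX listener socket is assigned "
                                 "dynamically and can change when the server restarts"))
    elif pinned is not None:
        findings.append(("info", "SPX listener pinned to socket %d (0x%04X)" % (int(pinned), int(pinned))))
        if spx is not None and spx_socket_from_settings(spx) != int(pinned):
            findings.append(("warn", "NetWareSpxSettings reports socket %d but NetWareSocket pins %d; "
                                     "the recorded value may predate the NetWareSocket setting"
                             % (spx_socket_from_settings(spx), int(pinned))))
    if settings.get("NWNDSPassword"):
        findings.append(("warn", "NWNDSPassword stores the NDS login password in clear text; "
                                 "restrict read access to NOTES.INI"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_network_settings(parse_notes_ini(SAMPLE_NOTES_INI)):
        print("%-4s %s" % (severity, message))
```

Run against a real server's NOTES.INI, the sample mismatch between NetWareSocket=9135 (0x23AF) and the 17393 recorded in NetWareSpxSettings is the case to look for after pinning the socket: the recorded value should match once the server has restarted with the pinned setting.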
Chapter 3
Installing and Setting Up Domino Servers
This chapter describes how to plan a hierarchical name tree and how to
install, set up, and register Domino servers.
Installing and setting up Domino servers
Before you install and set up the first Domino server, you must plan
server and organizational naming and security. In addition, you must
understand your existing network configuration and know how Domino
will fit into the network. If you are adding an additional server to an
existing Domino infrastructure, you must have already registered the
server and its server ID and password must be available.
For information on system requirements, see the Release Notes.
To install and set up a server
Installing a Domino server — that is, copying the server program files
onto the designated machine — is the first part of deploying a server. The
second part is using the Domino Server Setup program to configure the
server.
1. Choose a name for the server. Refer to the hierarchical name scheme
that you created based on your company’s structure.
2. Identify the function of the server — for example, will it be a mail
server or an application server? The function of the server
determines which tasks to enable during configuration.
3. Decide where to locate the server physically and decide who
administers it.
4. Decide whether the server is part of an existing Domino domain or is
the first server in a new Domino domain.
For more information on Steps 1 through 4, see the chapter
“Deploying Domino.”
5. If this is the first server in a Domino domain, do the following:
a. Install the server program files.
b. Use the Domino Server Setup program to set up the server.
c. Complete network-related setup.
d. Create organization certifier IDs and organizational unit certifier
IDs, as required by the hierarchical name scheme.
e. Distribute certifier IDs to administrators.
f. Implement Domino security.
6. If this server is part of an existing Domino domain, do the following:
a. Use the Domino Administrator to register the server.
b. Install the server program files on each additional server.
c. Use the Domino Server Setup program to set up each additional
server.
For more information on Steps 5 and 6, see the procedures that
follow and the chapters “Setting Up the Domino Network” and
“Planning Security.”
7. Perform additional configuration procedures, based on the type of
services, tasks, and programs that you want to run on this server.
Entering system commands correctly
Some of the procedures that follow include instructions for entering
commands at the system command prompt. The instructions tell you to
enter the command from the “Domino program directory” or “Notes
program directory,” depending on whether you are performing the
procedure on a Domino server or a Notes workstation. Before entering
commands, make sure you understand the following definitions of these
terms as they apply to your operating system.
Windows operating systems
On a Domino server, the Domino program directory is c:\lotus\domino,
unless you installed the program files to a different location. On a Notes
workstation, the Notes program directory is c:\lotus\notes, unless you
installed the program files to a different location.
UNIX operating systems
For Domino on a UNIX® server, the actual location of the server program
files is different from the directory you use for entering commands.
Always use the following path for entering commands:
lotus/bin/server
The “server” portion of the path is a script that initializes a UNIX shell
so that Domino programs can run on UNIX.
3-2 Administering the Domino System, Volume 1
While by default the actual location of the lotus directory is /opt/lotus,
you can change it to any location, for example, /local/lotus or
/usr/lotus.
Server installation
The first step in deploying a Domino server is installation, or copying the
program files to the system’s hard drive.
To install Domino, see the following procedures:
Installing Domino on Windows systems
Installing Domino on UNIX systems
For information on installing servers for hosted environments, see the
chapter “Setting Up the Service Provider Environment.”
Installing Domino on Windows systems
You can install Domino on a Windows system by following this
procedure, or you can do a silent install of a local server or remote
servers. To perform a silent install, use setup.exe -r at the command
prompt to record the install configuration to a file, and then use
setup.exe -s to install the configuration. For more information on silent
install, see the InstallShield documentation.
1. Before you install the Domino server program files on a Windows
system, do the following:
Make sure that the required hardware and software components
are in place and working.
Read the Release Notes for operating system and network protocol
requirements and for any last-minute changes or additions to the
documentation.
Temporarily disable any screen savers and turn off any
virus-detection software.
Make sure that all other applications are closed. Otherwise, you
may corrupt any shared files, and the Install program may not run
properly.
If you are upgrading to Domino from a previous release, see the
Upgrade Guide.
2. Run the install program (SETUP.EXE), which is on the installation CD.
3. Read the Welcome screen, and click Next. Then read the License
Agreement and click Yes.
4. Enter the administrator’s name and the company name.
5. Choose whether you want to install partitioned servers.
6. Choose the program and data directory in which to copy the
software, and then click Next. If you are installing partitioned
servers, you choose only a program directory.
7. Select the server type you acquired:
Domino Utility Server — Installs a Domino server that provides
application services only, with support for Domino clusters. The
Domino Utility Server is a new installation type for Lotus Domino
6 that removes client access license requirements. Note that it does
NOT include support for messaging services. See full licensing
text for details.
Domino Messaging Server — Installs a Domino server that
provides messaging services. Note that it does NOT include
support for application services or Domino clusters.
Domino Enterprise Server — Installs a Domino server that
provides both messaging and application services, with support
for Domino clusters.
Note All three types of installations support Domino partitioned
servers. Only the Domino Enterprise Server supports a service
provider (xSP) environment.
8. Click Customize to choose which components to install, or click Next
to accept all components.
9. If you are installing partitioned servers, specify a data directory for
each partition.
10. Specify the program folder or accept Lotus Applications as the
program folder that will contain the software.
11. Click Finish to complete the install program.
12. Choose Start - Programs - Lotus Applications - Lotus Domino Server
to start the Server Setup program.
Installing Domino on UNIX systems
Before you install the Domino program files on a UNIX system, do the
following:
Make sure that the required hardware and software components are
in place and working.
Read the Release Notes for operating system and network protocol
requirements and for any last-minute changes or additions to the
documentation.
Temporarily disable any screen savers and turn off any
virus-detection software.
Make sure that all other applications are closed. Otherwise, you may
corrupt any shared files, and the Install program may not run
properly.
If you are upgrading to Domino from a previous release, read the
Upgrade Guide.
You can install multiple instances of the Domino server on a single
system. The instances can all be the same release of Domino or different
releases. If you install different releases, only one instance can be earlier
than Domino 6.
If you want all instances to be the same release, it is best to install a
Domino partitioned server. Then all Domino partitions share one
program directory and, by doing so, conserve system resources. If you
install a single Domino server and later want to make it a partitioned
server, you can do so without removing the initial installation. When you
have multiple instances of the Domino server, each with a separate
program directory, one or more of the instances may be a partitioned
server.
For more information on partitioned servers, see the chapter “Deploying
Domino.”
To install the Domino program files on a UNIX system, you can use
either interactive mode or script mode.
To use interactive mode
You use interactive mode to install the Domino program and data files
on the local machine or to use a Telnet connection to install the Domino
program and data files on specified remote systems.
During the interactive mode installation, you can use these keys at the
UNIX command prompt:
Type h for help
Type e to exit the Install program
Press ESC to return to the previous screen
Press the spacebar to change the setting until you get the one you
want
Press TAB to accept a setting and continue to the next screen
1. Make sure the Domino server kit is available from your network or
CD ROM drive.
2. Log in to the root account for Domino Server installation.
3. Change to the directory containing the “install” script.
4. Enter the following at the root command prompt to run the script:
./install
5. Follow the on-screen instructions and specify these options:
Option: Add data directories only
Action: Choose one:
    • Yes to change a single Domino server into a partitioned server or add data directories to an existing partitioned server
    • No to keep a single Domino server
Option: Domino Server installation type
Action: Choose the server type that you acquired. For an xSP server, you must have the Domino Enterprise Server.
Option: Install template files
Action: Choose one:
    • Yes to install new templates
    • No to retain templates from a previous release
Option: Install xSP server (for Domino Enterprise Server only)
Action: Choose one:
    • Yes if this is an xSP server
    • No if this is not an xSP server
Option: Program directory
Action: Specify the directory in which Domino will store program files.
Option: Create /opt/lotus soft link
Action: Choose one:
    • Yes if this system will have only one Domino installation (program directory)
    • No if this system will have multiple Domino installations (multiple program directories)
Option: Data directory
Action: Specify the directory in which Domino will store data files. If you are installing a partitioned server, indicate that and specify multiple data directories.
Option: UNIX User name
Action: Specify the person who will own the server configuration data. If you are installing a partitioned server, you may specify a different person for each data directory.
Option: UNIX Group name
Action: Specify the group to which the UNIX User belongs. If you are installing a partitioned server, you may specify a different group for each data directory.
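The following script is an added example and is not part of the Domino install script. It checks the outcome of the UNIX User name, UNIX Group name and Data directory choices above for one data directory: the configured user is not root, the directory is owned by that user and group, nothing under it is world-writable, and ID files stored there are not readable by other accounts. The “notes” user name, the /local/notesdata path and the sample directory tree are assumptions made for this example.

```python
"""Post-install check of the UNIX user, group and data-directory choices above.

Added example; it is not part of the Domino install script.  The "notes"
user name, the /local/notesdata path and the sample tree are assumptions.
"""
import grp
import os
import pwd
import stat
import tempfile


def expected_ids(user, group):
    """Resolve the UNIX user and group names given to the installer to uid and gid."""
    return pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid


def audit_data_dir(path, expected_uid, expected_gid):
    """Return a list of findings (strings) for one Domino data directory."""
    findings = []
    if expected_uid == 0:
        findings.append("configured UNIX user is root; run Domino under a dedicated non-root account")
    top = os.stat(path)
    if (top.st_uid, top.st_gid) != (expected_uid, expected_gid):
        findings.append("%s is owned by uid %d gid %d, expected uid %d gid %d"
                        % (path, top.st_uid, top.st_gid, expected_uid, expected_gid))
    if stat.S_IMODE(top.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("%s is group- or world-writable" % path)
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            full = os.path.join(root, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IWOTH:
                findings.append("%s is world-writable (mode %o)" % (full, mode))
            elif name.endswith(".id") and mode & 0o077:
                # Server, certifier and user ID files: only the owner should be able to read them.
                findings.append("%s is readable or writable by group/others (mode %o); expected 600"
                                % (full, mode))
    return findings


def build_sample_tree():
    """Create a constructed sample data directory; return (path, uid, gid) of its owner.

    It holds one ID file with lax permissions, one with correct permissions,
    an ordinary database file and a world-writable scratch file.
    """
    path = tempfile.mkdtemp(prefix="notesdata-")
    for name, mode in (("server.id", 0o644), ("cert.id", 0o600),
                       ("names.nsf", 0o660), ("scratch.tmp", 0o666)):
        full = os.path.join(path, name)
        with open(full, "wb") as fh:
            fh.write(b"sample")
        os.chmod(full, mode)
    top = os.stat(path)
    return path, top.st_uid, top.st_gid


if __name__ == "__main__":
    uid, gid = expected_ids("notes", "notes")          # assumed install-time names
    for finding in audit_data_dir("/local/notesdata", uid, gid):
        print(finding)
```

For a partitioned server, run the check once per data directory with the user and group chosen for that partition; the root-user finding applies to every partition that was given root as its UNIX User name.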
Field: Registration Server
Action: Click Registration to specify the registration server.
Field: Certifier
Action: If the certifier ID displayed is NOT the one you want to use for all servers registered in this session, or if you want to use the Domino server-based CA instead of a certifier ID, click Certifier and you return to Step 4.
Field: Internet Certificate Authority
Action: If you want the server to support SSL, select an Internet CA from the list.
Field: Security type
Action: Choose either North American (default) or International. In practice, there is no difference between a North American and an International ID type.
Field: Certificate expiration date
Action: (Optional) To change the expiration date of the Server Certificate, enter the date in mm-dd-yyyy format in the Certificate Expiration Date box. The default date is 100 years from the current date, minus allowances for leap years.
d. Click Continue.
6. If you are using the Web Administrator, do the following:
a. Select a registration server that includes the Domino Directory
that contains the Certificate Authority records, and the copy of
the Administration Requests database (ADMIN4.NSF) that will
be updated with the request for the new certificate.
b. Select a CA-configured certifier from the list, and click OK.
7. In the Register New Server(s) dialog box, complete these fields for
each server that you want to register:
Field: Server name
Action: Enter the name of the new server.
Field: Server title
Action: Enter the server title, which appears on the Configuration tab in the All Server Documents view and in the Server Title field of the Server document.
Field: Domino domain name
Action: The default domain name is usually the same as the name of the organization certifier ID.
Field: Server administrator name
Action: Enter the name of the person who administers the server.
Field: ID file password
Action: Required if you are going to store the server ID in the Domino Directory. Optional if you store the server ID in a file. The password is case-sensitive and the characters you use will depend on the level you set in the Password quality scale.
Field: Password quality scale
Action: Choose the level of complexity for the password. By default, the level is 0, where 16 is the highest.
Field: Location for storing server ID
Action: Choose one:
    • Select “In Domino Directory” to store the server ID in the Domino Directory.
    • Select “In File” to store the server ID in a file. Then click “Set ID File,” select the name and path for the file, and click Save.
    Note You don’t see this field from the Web Administrator, as the server ID is stored in the Domino Directory.
Field: Organization name
Action: Enter the name of the organization. Enter a name different from the one used on the organization certifier ID created when you set up the first Domino server.
Field: Country code
Action: (Optional) Adding an organizational country or region code for the country or region where the organization’s corporate headquarters are located minimizes the chance that another organization has the same organization name as yours. Enter the country or region code only if you have registered your organization name with a national or international standards body. For multinational companies, you can enter a country or region in which the company has offices, as long as the organization name is registered there.
Field: Certifier password
Action: Enter a case-sensitive password for the certifier. The password characters you use for this password depend on the level set in the “Password quality scale” field.
Field: Password quality scale
Action: Choose the level of complexity for the password. By default, the level is 8, where 16 is the highest.
Field: Security type
Action: Choose either North American (default) or International. In practice, there is no difference between a North American and an International ID type.
Field: Mail certification requests to (Administrator)
Action: Enter the name of the administrator who handles recertification requests. The name specified here appears in the Certifier document in the Domino Directory. If you are creating a certifier ID for an off-site administrator, enter that administrator’s name in this field.
Field: Location
Action: (Optional) Enter text that appears in the Location field of the Certifier document.
Field: Comment
Action: (Optional) Enter text that appears in the Comment field of the Certifier document.
6. Click Register.
Creating an organizational unit certifier ID
You can create up to four levels of organizational unit (OU) certifiers. To
create first-level OU certifier IDs, you use the organization certifier ID.
To create second-level OU certifier IDs, you use the first-level OU
certifier IDs, and so on.
For background information on OU certifier IDs, see the chapter
“Deploying Domino.”
For background information on OU certifier IDs, see the topic “Certifier
IDs and certificates.”
Note The registration server is the server that initially stores the
Certifier document until the Domino Directory replicates. If you have not
specified a registration server in Administration Preferences, the
registration server is by default:
    • The local server if there is one and it contains a Domino Directory
    • The server specified in the NewUserServer setting of NOTES.INI
    • The Administration server
To create an organizational unit certifier ID
1. From the Domino Administrator, click the Configuration tab.
2. From the Tools pane, select Registration - Organizational Unit.
3. (Optional) To change the registration server, click Registration
Server, select the correct server, and then click OK.
4. Do one:
    • Select “Supply certifier ID and password.” Click Certifier ID,
      select the certifier ID, click Open, and click OK. Enter the ID
      password, and click OK.
    • Select “Use the CA Process” and then choose a CA certifier from
      the list.
5. Click OK. If you are supplying the certifier ID, enter its password
and click OK.
6. (Optional) To change the registration server, click Registration
Server, select the correct server, and then click OK.
7. (Optional) To change which certifier ID to use to register the new
certifier ID:
a. Click Certifier ID.
b. Select the certifier ID, click Open, and click OK.
c. Enter the ID password and click OK.
8. (Optional) Click “Set ID File” if you want to change the location
where Domino stores the certifier ID. Be sure to keep the certifier ID
file in a secure place so that it is readily accessible to register new
servers and users, but safe from misuse. By default the ID is stored in
C:\.
Field: Organizational Unit
Action: Enter a name for the new organizational unit.
Field: Certifier password
Action: Enter a case-sensitive password for the certifier. The password characters you use for this password depend on the level set in the “Password quality scale” field.
Field: Password quality scale
Action: Choose the level of complexity for the password. By default, the level is 8, where 16 is the highest.
Field: Security type
Action: Choose either North American (default) or International. In practice, there is no difference between a North American and an International ID type.
Field: Mail certification requests to (Administrator)
Action: Enter the name of the administrator who handles recertification requests. The name specified here appears in the Certifier document in the Domino Directory. If you are creating a certifier ID for an off-site administrator, enter that administrator’s name in this field.
Field: Location
Action: (Optional) Enter text that appears in the Location field of the Certifier document.
Field: Comment
Action: (Optional) Enter text that appears in the Comment field of the Certifier document.
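The following script is an added example, not Domino code. It makes the rules of the OU certifier section concrete: given a Notes name in abbreviated form (“Alan Jones/Sales/East/Acme”, “/East/Acme”) or canonical form (“CN=Alan Jones/OU=Sales/OU=East/O=Acme/C=US”), it returns the chain of certifiers that must exist to register that name, nearest first and the organization certifier last, and rejects names with more than four OU levels. It also finds the nearest certifier two names have in common, which is None when they belong to different organizations, the case in which cross-certification is needed. The Acme names are the ones used in this chapter; the function names, the four-level constant and the rule that a trailing two-letter upper-case component of an abbreviated name is the country code are this example’s own assumptions.

```python
"""Hierarchical name parsing and the certifier chain behind it.

Added example; not Domino code.  The Acme names are from this chapter;
the function names, MAX_OU_LEVELS and the country-code heuristic are
this example's own assumptions.
"""

MAX_OU_LEVELS = 4


def parse_name(name):
    """Return (cn, ous, o, c); ous is listed from the leaf upward, cn is None for a certifier."""
    text = name.strip()
    starts_with_slash = text.startswith("/")       # abbreviated certifier names begin with "/"
    parts = [p.strip() for p in text.strip("/").split("/") if p.strip()]
    if not parts:
        raise ValueError("empty name")
    cn, ous, o, c = None, [], None, None
    if any("=" in p for p in parts):
        for p in parts:                             # canonical form: CN=/OU=/O=/C=
            key, _, value = p.partition("=")
            key, value = key.strip().upper(), value.strip()
            if key == "CN":
                cn = value
            elif key == "OU":
                ous.append(value)
            elif key == "O":
                o = value
            elif key == "C":
                c = value
            else:
                raise ValueError("unknown name component: " + p)
    else:
        # Assumption: a trailing two-letter upper-case component is the country code.
        if len(parts) > 1 and len(parts[-1]) == 2 and parts[-1].isupper():
            c = parts.pop()
        o = parts.pop()
        if not starts_with_slash and parts:
            cn = parts.pop(0)
        ous = parts
    if o is None:
        raise ValueError("name has no organization (O) component: " + name)
    if len(ous) > MAX_OU_LEVELS:
        raise ValueError("%d OU levels in %r; at most %d are allowed" % (len(ous), name, MAX_OU_LEVELS))
    return cn, ous, o, c


def abbreviated_certifier(ous, o, c):
    """Abbreviated certifier name, e.g. /Sales/East/Acme or /Acme/US."""
    return "/" + "/".join(list(ous) + [o] + ([c] if c else []))


def certifier_chain(name):
    """Certifiers needed to register `name`, nearest first, organization certifier last.

    A user or server is registered with the certifier of its lowest OU (or
    the organization certifier if it has none); a first-level OU certifier is
    created with the organization certifier, a second-level OU certifier with
    the first-level one, and so on.  A certifier's own name is not in its chain.
    """
    cn, ous, o, c = parse_name(name)
    first = 0 if cn is not None else 1
    return [abbreviated_certifier(ous[i:], o, c) for i in range(first, len(ous) + 1)]


def common_certifier(name_a, name_b):
    """Nearest certifier present in both chains, or None when the names share no
    organization (the case in which the two organizations must be cross-certified)."""
    chain_b = set(certifier_chain(name_b))
    for cert in certifier_chain(name_a):
        if cert in chain_b:
            return cert
    return None


if __name__ == "__main__":
    for n in ("Alan Jones/Sales/East/Acme", "Mail-W/West/Acme", "/Sales/East/Acme", "/Acme"):
        print("%-28s -> %s" % (n, certifier_chain(n)))
    print(common_certifier("Alan Jones/Sales/East/Acme", "Susan Salani/HR/West/Acme"))
```

Canonical form is unambiguous; the abbreviated-form heuristic misreads an organization whose name is itself two upper-case letters, so feed canonical names to the parser wherever the source of the name can supply them.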
Field: Descriptive name for this site
Action: (Optional) Enter a name that differentiates this site from all others that you create. This name appears in the Internet Sites view in this format: the type of Internet Site, the descriptive name, and the host name or address. For example:
    Web Site: MyWebSite (www.acme.com)
If you do not enter a name, the default name is the type of Internet Site document with the host name or address appended. For example:
    POP3 Site: (www.acme.com)
4. For all Internet Site documents, complete the settings on the Security
tab.
5. Some Internet Sites require additional configuration. The table below
indicates the Internet Site documents that require additional
configuration, and where in those documents to enter the settings
unique to those protocols.
Document: Web Site
Complete: Configuration tab, Domino Web Engine tab
Field: TCP Authentication, Anonymous (applies to all Internet sites except IMAP and POP3)
Enter: Choose one:
Field: SSL Authentication, Anonymous (applies to all Internet sites except IMAP and POP3)
Enter: Choose one:
Field: Accept expired SSL certificates
Enter: Choose one:
    • Yes to allow clients access even if the client certificate is expired
Accepting expired certificates removes the validity-period check from client certificate authentication; treat Yes as a deliberate, time-limited exception rather than a standing setting.
The Acme Corporation uses two mail servers — one for each geographic
location. All users send mail using a mail database located on either
Mail-E/East/Acme or Mail-W/West/Acme. The mail databases are
accessible to all mail client software — Notes workstations, IMAP, POP3,
and browsers.
Routing mail messages is similar to replicating changes made in
databases. In this example, the mail servers route messages through the
hub servers to the mail server in the other location. For example, when
Alan Jones/Sales/East/Acme sends a message to Susan
Salani/HR/West/Acme, the message routes from Mail-E/East/Acme to
Hub-E/East/Acme, from Hub-E/East/Acme to Hub-W/West/Acme,
and then from Hub-W/West/Acme to its final destination
Mail-W/West/Acme. Susan Salani/HR/West/Acme reads the message
on her mail server, Mail-W/West/Acme.
Directory servers provide users and servers with information about other
users and servers — for example, information needed to address or send
mail. Directories contain information about how to communicate with all
Notes and Internet users and Domino servers. In many cases, you can set
up a mail server as a directory server.
In this example, a condensed directory catalog is on each Notes client
and a Domino Directory is on each server — Mail-E/East/Acme,
Hub-E/East/Acme, Hub-W/West/Acme, and Mail-W/West/Acme. To
resolve names, clients check the local directory catalog first; if the name is
not there, Domino checks the Domino Directory.
Domino uses replication, which is the process by which Domino updates
one directory database with changes from a directory database on
another server. For example, if a change is made on Mail-E/East/Acme,
the change is sent to the replicas on Hub-E/East/Acme,
Hub-W/West/Acme, and Mail-W/West/Acme. Users cannot access the
directories on the hub servers; users access directories only on the mail
servers.
At Acme Corporation, replication occurs automatically at a scheduled
time. The replication schedule determines how long it takes for changes
to appear on the directory servers.
Again, a firewall using a Domino server lets you use Domino features to
send information across the WAN — in this case, you use the mail
routing and replication features.
users and servers have access to the entire system by connecting to one
server (the passthru server). Acme uses the passthru to function only as a
bridge between the remote user or server and the rest of the system. To
keep the load on the passthru to a minimum, the server does not contain
application or mail databases.
Users who work remotely dial in through the passthru server and can
access any server in the system. As most of Acme’s users who dial in
remotely have only one modem on their system, using the passthru
server allows them to access multiple servers with one connection. To
reduce traffic on the passthru server, Acme recommends that its remote
users replicate databases and then work on the local replicas. Then users
can work in their local replicas and dial in and replicate occasionally with
the server replicas.
Acme dedicated five modems to the passthru server. The remote server
also dials into one of these modems for replication. Because this server
makes its connection in the early morning hours, the connection does not
conflict with users trying to access the system.
Acme uses a hunt group configuration for its modems so that users have
only one phone number to dial when connecting. Acme’s phone
infrastructure is set up so that multiple modems can have one phone
number. For this type of hunt group (all modems are on one server),
Acme does not need to create a Connection document to set up the hunt
group.
The remote server is in Acme’s satellite office in Ohio. Employees who
work in this office focus on marketing and use this server to access
various marketing related databases. The remote server contains replicas
of relevant databases, and it replicates once a day to update the
databases. By using the remote server, users in the Ohio office save time
and resources because they don’t have to dial into Acme’s system as
often.
Creating a LAN connection
You must create a Connection document to schedule mail routing to and
replication between servers on a LAN. You might also need to create a
Connection document to provide the information needed to ensure a
server uses a certain protocol when connecting to another server on the
LAN.
A LAN Connection document can also be used to provide the
information needed for servers to make other types of connections, such
as constant connections to Internet servers.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Select Local Area Network in the “Connection type” field.
6. Complete these fields:
Field: Connection Type
Description: Select Local Area Network.
Field: Source server
Description: The name of the connecting server.
Field: Source domain
Description: The name of the connecting server’s domain. This field is required only for mail routing.
Field: Use the port(s)
Description: The name of the network ports (or protocols) that the connecting or source server uses to connect to the destination server.
Field: Usage priority
Description: Choose one:
    • Normal (default): This Connection document defines the primary path to the destination server. The connecting server attempts to use this Connection document to make the connection to the destination server.
    • Low: This Connection document defines a backup path to the destination server. The connecting server uses this Connection document only as a last resort when trying to connect to the destination server.
For more information about the effect of specifying the usage priority for a connection, see the topic “Forcing a server connection to use a specific protocol” later in this chapter.
Setting up external domain lookups
By default, a Notes user who wants to open a database on a server
outside the local Domino domain, can do so only if there is a Connection
document in either their Personal Address book, or in the Domino
Directory on their home server that describes how to reach the target
server. To enable Notes users to connect more easily to servers outside of
their domain, you can create an External Domain Network Information
(EDNI) document in the Domino Directory.
The EDNI document works in conjunction with a server task called
GETADRS to import address information from another Domino domain
so that Notes users can connect to servers in the external domain. In the
EDNI document, you specify the external Domino domain containing the
servers you want users to connect to and the protocols for which you
want connection information. In many cases, TCP/IP is the only protocol
for which you may need a document. You also specify a server in your
local domain that requests the information (Requesting Server) and a
server in the external domain that supplies the information (Information
Server).
To gather information, the requesting server runs the GETADRS
program, which asks the specified information server for a list of the
servers in the external Domino domain. GETADRS returns the address
information it obtains to an AdminP request for processing. When the
Administration server processes the request, it places the information in
the Domino Directory as a response document to the original EDNI
document.
After AdminP adds the server address information to the local Domino
Directory users attempting to open databases on servers in the external
domain can use the information from this document to make the
connection without requiring a connection document.
Using EDNI documents, you can reduce the number of Connection
documents in the Domino Directory, eliminating those that are not
required for replication or routing.
Before creating an EDNI document, determine if the connection
information is useful for the domain. For example, if you are using the
NetBIOS protocol, which isn’t a routable protocol, a direct connection to
the external domain may not be possible even if you have the network
address of the server in an EDNI document. Also, if an external domain
server has multiple TCP/IP ports, the host name or address returned to
the EDNI document may not be the address of the appropriate port to
use. Because each protocol has its own restraints, you should thoroughly
research and test the external domain lookup capability using the
network system configuration at your organization before using it.
To share information across domains, the Domino domain requesting the
information must be cross-certified with the external domain.
Because the Requesting Server gathers information from Server
documents in an external domain, these documents need to be
configured properly to enable successful server name lookups. For
example, a document with a fully qualified host name or IP address
would enable a successful lookup, but a document with only the server
common name may not (unless that common name were a full host
name).
The data from an external domain server lookup resolves client requests
for a server address only; it does not add additional server names to a
client’s request for a list of servers.
To set up an External Domain Network Information document
1. Verify that the local domain is cross-certified with the external
domain.
2. From the Domino Administrator, click the Configuration tab.
3. Open the Server folder, and then click External Domain Network
Information.
4. Click Add Ext Domain Net Info.
5. Complete these fields, and then click Save & Close:
Field: Requesting server
Description: The name of the local domain server that performs the request for external domain information. This server runs the GETADRS task to obtain information from the information server in the external domain.
Field: Information server
Description: The name of the server in the external domain from which the requesting server obtains information.
Field: Domain to query
Description: The name of the external domain.
Field: Protocols to query
Description: The name of one or more protocols in the external domain to query. Specify only protocols that are used in both domains.
6. Run the GETADRS program on the Requesting server. You run
GETADRS using any of these methods:
    • Run the program manually from the server console by entering:
      LOAD GETADRS
    • Create a Program document to run the program as a scheduled
      task. Running GETADRS as a scheduled task ensures that
      information in the local Domino Directory remains synchronized
      with updates from the external domain. For information about
      running server tasks in a Program document, see the appendix
      “Server Tasks.”
    • Add GETADRS to the ServerTasks or ServerTasksAt lines in the
      NOTES.INI file of the requesting server; the task runs at server
      startup, or at the specified time, respectively.
After GETADRS obtains information from the external domain, for each protocol specified in the External Domain Network Information (EDNI) document, AdminP creates an External Domain Network Address document as a response document to the original EDNI. Each response document contains the names and addresses of the servers in the queried domain that use that protocol.
By default, AdminP processes the information returned by
GETADRS to create the External Domain Network Address
documents at the interval scheduled in the Server document. You
can run AdminP manually to force it to process the request
immediately.
For more information about scheduling AdminP requests, see the
chapter “Setting Up the Administration Process.” For information
about Tell commands used with AdminP, see the appendix “Server
Commands.”
4-20 Administering the Domino System, Volume 1
Internet connections
To enable a Domino server to connect to another server across the Internet, you must establish Internet access with an Internet Service Provider (ISP) and register an Internet domain name for your organization, for example, acme.com. After you contract Internet service, create Connection documents that tell the local Domino servers how to contact the target server.
Servers can connect to the ISP using a direct connection or by way of a
Domino or non-Domino proxy server. If the local network uses a proxy
server to connect to the Internet, the calling Domino server does not need
to connect to the ISP directly, because the proxy server establishes this
connection to the ISP.
Servers connecting to the Internet require networking software that is
compatible with the Internet. If TCP/IP is not already installed on the
Domino server, install the protocol using the installation instructions
included with the operating system. If you do not have a Domino
TCP/IP port enabled for the server, add and enable the port.
For information about adding a network port to a Domino server, see the
chapter “Setting Up the Domino Network.”
Direct (leased-line) connection
A leased-line connection is considered a direct connection to the Internet.
If you have a leased-line connection, Domino servers on the internal
LAN connect to the Internet through a firewall or router over a lease
A firewall filters traffic passing between the internal network and the Internet and is usually part of a TCP/IP router. Most firewalls also perform address translation, hiding the IP addresses of computers on your internal network from the Internet. The result is that there is a connection between the internal LAN and the firewall, and from the firewall to the Internet, but no direct connection between the Internet and the local network: hosts on the Internet can reach the firewall, not the internal servers behind it.
To connect a Domino server to an Internet server over a direct
connection, create a LAN Connection document to the target server.
Setting Up Server-to-Server Connections 4-21
Configuration
For more on how to create a LAN Connection document, see the topic
“Creating a LAN connection” earlier in this chapter.
Proxy connections
A proxy is a server that provides indirect access to the Internet. A proxy
server usually runs in conjunction with firewall software to pass
incoming and outgoing requests between servers on either side of a
firewall. If your organization uses a proxy server for its Internet
connection, a Domino server on the internal LAN connects to the Internet
through the proxy and firewall servers, which, in turn, connect to your
ISP. Because the proxy server establishes the connection with the ISP, the
Domino server does not connect to the Internet directly.
[Figure: Domino server Webstage-E on the internal LAN connecting through a firewall/router over a leased line to the ISP]
A Domino proxy server is one type of proxy server. You set up a Domino
passthru server as a proxy for the Internet the same way that you set up a
passthru server for internal Domino communication. You do not need to
configure the server differently for Internet connections. The proxy
server does not have to be a Domino server.
Creating a server-to-server Internet connection through a proxy server
When two Domino servers both have direct, constant connections to the
Internet, each can use the IP address of the other to contact it as though
both servers were on the same LAN. To define the connections between
the two, you create a LAN Connection document.
However, when a server is connected through a proxy server, rather than
having a direct connection, after you create a LAN Connection document
to define the connection, you must complete the proxy information in the
Server document of the calling server as described in the following
procedure:
1. From the Domino Administrator, click the Configuration tab and expand the Server view.
2. Select the Server document of the server to connect to the Internet through the proxy, and click Edit Server.
3. Click the Ports - Proxies tab, and then do one of the following:
• To connect through an HTTP proxy, in the HTTP Tunnel proxy field, enter the proxy’s fully-qualified domain name or IP address and the port to use for the connection. For example, enter httpproxy.company.com:8080 or 192.168.77.34:8080.
• To connect through a SOCKS proxy, in the SOCKS proxy field, enter the SOCKS proxy’s fully-qualified domain name or IP address and the port to use for the connection. For example, enter socks.company.com:1080 or 192.168.77.34:1080.
Note If you enter values for both fields, Domino uses the HTTP Tunnel proxy.
4. Click Save & Close.
Note By default, if the server is configured to use a proxy, it uses the proxy for all connections. To prevent use of the proxy for connections to certain servers, enter the server names in the “No Proxy for these hosts or domains” field on the Ports - Proxies tab of the Server document.
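The procedure above leaves a calling server with three interacting settings: two proxy fields, of which the HTTP Tunnel proxy wins when both are filled in, and a bypass list that exempts some destinations from a proxy that otherwise applies to every connection. As an added example that is not code from this manual or from Domino, the following Python models that decision for a given destination host. The manual does not say how “domains” entries in the No Proxy field are matched; this code assumes an entry matches a destination exactly or as a dot-separated domain suffix (so company.com covers hr-e.company.com but not notcompany.com) and that IP-address entries match exactly only. It also assumes a proxy value must carry its port, as in the manual’s examples, and rejects a value without one rather than guessing a default. The ProxySettings type, the field names and the 192.168.77.50 address are the example’s own.

```python
"""Model of the Ports - Proxies selection rules for a calling Domino server.

Added example, not Domino code. Assumptions (not stated by the manual):
  * a "No Proxy" entry matches the destination host exactly or as a
    dot-separated domain suffix ("company.com" covers "hr-e.company.com");
    an IP-address entry matches exactly only;
  * a proxy value must include its port ("host:port"), as in the manual's
    examples; a value without a port is rejected rather than defaulted.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ProxySettings:
    """The three Server document fields discussed in the procedure."""
    http_tunnel_proxy: str = ""          # e.g. "httpproxy.company.com:8080"
    socks_proxy: str = ""                # e.g. "socks.company.com:1080"
    no_proxy: List[str] = field(default_factory=list)  # hosts or domains


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_proxy(value: str) -> Tuple[str, int]:
    """Split a 'host:port' proxy value. Both halves are required (assumption)."""
    host, sep, port = value.strip().rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"proxy value must be host:port, got {value!r}")
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range in {value!r}")
    return host.lower(), port_num


def bypasses_proxy(destination: str, no_proxy: List[str]) -> bool:
    """True if the destination host matches a 'No Proxy' entry.

    Exact host match, or domain-suffix match on a label boundary so that
    'company.com' does not accidentally cover 'notcompany.com'. IP entries
    never suffix-match (assumed semantics, see module docstring).
    """
    dest = destination.strip().lower().rstrip(".")
    for entry in no_proxy:
        e = entry.strip().lower().strip(".")
        if not e:
            continue
        if _is_ip(e):
            if dest == e:
                return True
            continue
        if dest == e or dest.endswith("." + e):
            return True
    return False


def select_route(settings: ProxySettings, destination: str) -> str:
    """Decide how the calling server reaches `destination`.

    Returns 'direct', 'http-tunnel host:port' or 'socks host:port'.
    Per the manual: the proxy is used for all connections unless the
    destination is listed in "No Proxy"; if both proxy fields are set, the
    HTTP Tunnel proxy is used.
    """
    if bypasses_proxy(destination, settings.no_proxy):
        return "direct"
    if settings.http_tunnel_proxy.strip():
        host, port = parse_proxy(settings.http_tunnel_proxy)
        return f"http-tunnel {host}:{port}"
    if settings.socks_proxy.strip():
        host, port = parse_proxy(settings.socks_proxy)
        return f"socks {host}:{port}"
    return "direct"


if __name__ == "__main__":
    # Constructed settings using the manual's example proxy values; the
    # bypass entries are invented for the example.
    cfg = ProxySettings(
        http_tunnel_proxy="httpproxy.company.com:8080",
        socks_proxy="socks.company.com:1080",
        no_proxy=["company.com", "192.168.77.50"],
    )
    for dest in ("hr-e.company.com", "notcompany.com",
                 "192.168.77.50", "mail.partner.example"):
        print(f"{dest:24} -> {select_route(cfg, dest)}")
```

Run it against the Server document values of each calling server to see which destinations would actually leave the network without passing through the proxy; a bypass entry that is a bare organization domain is broad, and a typo in a proxy value fails loudly here instead of silently falling back to a direct connection.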
Passthru servers and hunt groups
Passthru is a service that runs on a Domino server and relays connections from the users and servers that connect to that server on to other servers. Passthru connections use the intermediary server as a “stepping stone” between the two endpoints. Passthru is useful in two instances:
• When two servers cannot connect directly — When a client (in this case, either a Notes client or a Domino server) does not share a common protocol with a destination server, you can set up an intermediary server that runs both protocols as a passthru server to enable the client to connect to the destination. For example, suppose that Server A, which runs only NetBIOS, needs to connect to Server C, which runs only TCP/IP. If Server B runs both NetBIOS and TCP/IP, Server B can act as a passthru server to allow communication between Server A and Server C.
• When you want to provide additional security — Domino lets you apply additional access controls to passthru connections, enabling you to use a passthru server as a proxy that filters NRPC traffic. You can specify the users and servers that can access a server as a passthru destination, as well as those that can use a server to make passthru connections to another server. Internet protocols such as HTTP, IMAP, and LDAP cannot use a Domino passthru server to communicate with a destination server; passthru carries NRPC only.
You can set up a passthru server so that it leads to additional passthru
servers as well as directly to a passthru destination server. Thus, you can
chain together multiple passthru connections to enable a client to pass
through several servers until it connects to a given target server.
Passthru access is valuable to Notes client users as well. When you provide a Notes client with access to a passthru server, the client user can connect to a single server to access other network servers. For mobile users, this enables access to multiple destination servers on the same LAN over a single phone connection. Using a passthru server this way saves the time and expense of configuring many individual servers to support modem connections, and spares Notes client users from placing multiple phone calls to access multiple servers.
Passthru Logging
To enable monitoring of passthru traffic for security purposes, after you configure a server as a passthru server, the server log (LOG.NSF) records information about passthru sessions established through that server. For example, the log records information about users who access this server to make passthru connections to other servers.
For more information about server log files, see the chapter “Using Log
Files.”
Hunt groups
If your telecommunications infrastructure supports a hunt group — that
is, a pool of modems that are connected to different phone lines but that
use a single phone number — you can configure Domino servers and
Notes client users to connect to a hunt group on a passthru server.
Whenever a call is made to the hunt group number, the incoming call is
routed to the first available modem in the group.
You can use a hunt group with one or more passthru servers. If more
than one passthru server is used in the hunt group, to allow any passthru
server in the hunt group to receive a call and route it to the destination
server, the calling server or user must use a Hunt Group Connection
document.
For more information about configuring Lotus Notes clients to use a
passthru server, see Lotus Notes 6 Help.
Planning the use of passthru servers
Perform these steps to set up passthru servers:
1. List all the workstations and servers that need to access a passthru
server. Also list the protocols that the workstations and servers run.
2. List the destination servers that the workstations and servers need to
access. Also list the protocols that the destination servers run.
3. Determine where in the topology to locate the passthru server based
on which workstations and servers need access and which servers
are the destinations. The passthru server must run all of the protocols
that the workstations and servers that access it run, as well as all of
the protocols of the destination servers. In addition, the passthru
server must have enough modem connections to handle the
anticipated dial-in traffic.
If you anticipate high traffic through the passthru server, create a
dedicated passthru server. A dedicated passthru server does not
contain applications and mail databases. It functions solely to
provide workstations and servers with access to destination servers.
Also, determine if you want to use more than one passthru server in
a hunt group. In a hunt group, one phone number represents all
passthru servers in the group, and the load is automatically spread
among the passthru servers. Be sure to set up all passthru servers in
a hunt group to pass through to the same destination servers.
4. Determine the users and servers whose access to the passthru servers
and destination servers you need to restrict. Create policy settings
documents that include setup and desktop settings to prevent access
to the servers.
5. List the Notes client users that need to use a passthru server and
determine a default passthru server for each. If you have many Notes
client users, create user setup policies to evenly assign them among
the default passthru servers to ensure optimal server performance.
If you plan to use hunt groups, list which Notes client users will
connect to each hunt group. Record the name and phone number of
the hunt group and the names of all the destination servers that
members of the hunt group pass through to.
For more information about using policies to manage server access, see
the chapter “Using Policies.”
The Acme company has a dedicated passthru server that functions only to provide workstations and servers with access to destination servers. This server does not contain any databases. The passthru server runs all the protocols that the destination servers run, so that users and servers that connect to it have access to the entire system.
Note that passthru can benefit users and servers on the same network as
the passthru server as well as remote users and servers. For example,
some of the Notes clients in the above diagram are on the same LAN as
Webstage-E and HR-E, but because they do not share any protocols, they
cannot access these servers without using passthru.
The above topology requires the following configuration:
• Notes Direct Dialup Connection document on the remote server for connection to the passthru server.
• Passthru Connection document on the remote server to specify passthru.
• Connection documents on the remote server for connection to each destination server.
• Modified Location document on local Notes clients to specify the name of the passthru server.
• Notes Direct Dialup Connection document on remote Notes clients for connection to the passthru server.
• Passthru Connection documents on remote Notes clients to specify the passthru connection.
• Modified Server documents (to allow appropriate access rights) on passthru and destination servers.
Setting up a server as a passthru server
Set up a server as a passthru server to enable users and other servers to
route through it to connect to a passthru destination server.
1. From the Domino Administrator, click the Configuration tab.
2. Click Server - All Server Documents.
3. Open the Server document for the server that you want to set up as a
passthru server, and click Edit Server.
4. Click the Security tab, and in the Passthru Use section, complete
these fields and then click Save & Close:
Field Description
Access this server: If this server is not a passthru destination, leave this field blank. For information about setting up a server as a passthru destination, see the topic “Setting up a server as a passthru destination” later in this chapter.
Route through: Specifies the names of the users, groups, and servers allowed to connect to a destination server through this server. When this field is blank (the default), the server does not allow passthru connections. Enter an asterisk (*) to provide passthru access for all users and servers, even those not listed in the Domino Directory. Enter a hierarchical name with an asterisk as the common name to provide access for all users and servers certified by a particular organization or organizational unit. For example, the entry */Acme allows access to all users in the Acme organization. Separate multiple entries with commas or semicolons. Entries in this field are granted passthru access even if denied general access to the server in the Server Access section of the Server document Security tab.
Cause calling: Specifies the names of users, groups, and servers allowed to use the modem on this server to connect to a remote destination server. By default, this field is blank and the server prohibits all incoming connections from generating calls to other servers. Enter an asterisk (*) to allow incoming connections from any source to initiate a call to a destination server. If you allow incoming connections from any source to initiate calls, when recording the event in the Passthru Connections view of the Notes Log, Domino indicates only that the connecting client was not authenticated, rather than specifying the name of the source.
Destinations allowed: Specifies the names of the remote servers this server can connect to as passthru destinations. By default, this field is blank and the server allows routing to all servers configured as passthru destinations. Adding entries to this field restricts passthru access from this server to the specified destination servers only.
5. Set up servers as passthru destinations.
For information about setting up a server as a passthru destination,
see the topic “Setting up a server as a passthru destination” later in
this chapter.
6. Create Connection documents as necessary to connect the passthru
server to destination servers that do not share the same LAN.
Setting up a server as a passthru destination
Set up a server as a passthru destination to enable users and servers to
access it through a passthru server.
1. From the Domino Administrator, click the Configuration tab.
2. Click Server - All Server Documents.
3. Open the Server document for the server that you want to set up as a
passthru destination, and click Edit Server.
4. Click the Security tab, enter values in this Passthru Use field, and
then save the document:
Field Description
Access this server: Specifies the names of the users, groups, and servers allowed to access the server as a passthru destination. When this field is blank (the default), the server is not available as a passthru destination. Enter an asterisk (*) to provide access for all users and servers, even those not listed in the Domino Directory. An asterisk followed by a certifier name provides access for all users and servers certified by a particular organization or organizational unit. For example, the entry */Acme allows access to all users in the Acme organization. Separate multiple entries with commas or semicolons.
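The two Passthru Use procedures above (the passthru server’s Route through and Destinations allowed fields, and the destination’s Access this server field) describe rules that are easy to get wrong in a large directory: wildcard certifier entries such as */Acme, group names, comma or semicolon separators, and defaults that differ between fields (a blank Route through denies everyone, a blank Destinations allowed permits every configured destination). As an added example that is not code from this manual or from Domino, the following Python evaluates those rules for a requesting name against both Server documents, so an administrator can check who can reach which destination through a given passthru server before changing the fields. The server names Webstage-E and HR-E and the Acme organization come from this chapter; the group LocalDomainAdmins, its members and the sample field values are constructed for the example, and the group dictionary stands in for the Domino Directory. It does not model the Server Access lists, which the manual says Route through entries override for passthru purposes, nor Cause calling.

```python
"""Evaluate Domino passthru access lists against hierarchical Notes names.

Added example, not Domino code. It models the field semantics described for
the Passthru Use section ("Route through", "Destinations allowed" on the
passthru server; "Access this server" on the destination):
  * a blank "Route through" / "Access this server" denies everyone;
  * a blank "Destinations allowed" permits every configured destination;
  * "*" matches everyone, including names not in the Domino Directory;
  * "*/Acme" matches every name certified under /Acme, "*/Sales/Acme" every
    name certified under /Sales/Acme;
  * entries are separated by commas or semicolons and may be group names.
Group membership below is a constructed dictionary standing in for the
Domino Directory; the group and its members are invented for the example.
"""
import re
from typing import Dict, List, Mapping, Optional

_PREFIX = re.compile(r"^(cn|ou|o|c)=", re.IGNORECASE)


def normalize(name: str) -> str:
    """Abbreviate a Notes name and fold case: 'CN=Ann Lee/OU=HR/O=Acme' and
    'ann lee/hr/acme' compare equal."""
    parts = [_PREFIX.sub("", p.strip()) for p in name.split("/")]
    return "/".join(p for p in parts if p).lower()


def split_entries(field: str) -> List[str]:
    """Comma- or semicolon-separated entries, as the Server document accepts."""
    return [e.strip() for e in re.split(r"[,;]", field) if e.strip()]


def entry_matches(entry: str, name: str) -> bool:
    """One access-list entry against one fully qualified Notes name."""
    e, n = normalize(entry), normalize(name)
    if e == "*":
        return True                      # everyone, even unlisted identities
    if e.startswith("*/"):
        suffix = e[1:]                   # "*/sales/acme" -> "/sales/acme"
        return n.endswith(suffix)        # needs at least one component before it
    return e == n                        # explicit user or server name


def expand_groups(entries: List[str], groups: Mapping[str, List[str]]) -> List[str]:
    """Replace group names with their members, following nested groups once."""
    resolved: List[str] = []
    seen = set()

    def walk(items: List[str]) -> None:
        for item in items:
            key = normalize(item)
            if key in groups:
                if key not in seen:      # guard against group cycles
                    seen.add(key)
                    walk(groups[key])
            else:
                resolved.append(item)

    walk(entries)
    return resolved


def passthru_allowed(field: str, name: str,
                     groups: Optional[Mapping[str, List[str]]] = None) -> bool:
    """'Route through' / 'Access this server' semantics: blank denies."""
    if not field.strip():
        return False
    entries = expand_groups(split_entries(field), groups or {})
    return any(entry_matches(e, name) for e in entries)


def destination_allowed(field: str, destination: str) -> bool:
    """'Destinations allowed' semantics: blank permits any configured destination."""
    if not field.strip():
        return True
    return any(entry_matches(e, destination) for e in split_entries(field))


def passthru_path_allowed(passthru_doc: Mapping[str, str],
                          destination_doc: Mapping[str, str],
                          destination_name: str, requester: str,
                          groups: Optional[Mapping[str, List[str]]] = None) -> bool:
    """All three gates set up by the two procedures must pass."""
    return (passthru_allowed(passthru_doc.get("Route through", ""), requester, groups)
            and destination_allowed(passthru_doc.get("Destinations allowed", ""),
                                    destination_name)
            and passthru_allowed(destination_doc.get("Access this server", ""),
                                 requester, groups))


# Constructed sample data (not from the manual); group keys are normalized.
GROUPS: Dict[str, List[str]] = {
    normalize("LocalDomainAdmins"): ["Ann Lee/HR/Acme", "Admin-E/Acme"],
}
PASSTHRU_E = {"Route through": "*/Acme", "Destinations allowed": ""}
HR_E = {"Access this server": "LocalDomainAdmins; */HR/Acme"}
WEBSTAGE_E = {"Access this server": ""}   # never made a passthru destination
```

Treat any bare * in Route through or Access this server as an audit finding rather than a convenience: as the tables above state, it admits identities that are not in the Domino Directory at all.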
Field Description
Connection type: Select Passthru server.
Source server: The name of the server connecting to the passthru server.
Source domain: The name of the connecting server’s domain.
Use passthru server or hunt group: The name of the passthru server or hunt group that this connection uses to reach the destination server.
Usage priority: Choose one:
• Normal (default) - Select this option if this document defines the primary path to a server.
• Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic “Forcing a server connection to use a specific protocol” earlier in this chapter.
Destination server: The name of the destination server to connect to through the passthru server.
Destination domain: The name of the destination server’s domain.
6. Click the Replication/Routing and Schedule tabs to define the tasks
you want to run, and select the times you want the server to call its
destination.
7. Click Save & Close.
Connecting a server to a hunt group
A hunt group is a collection of telephone extensions that is assigned one
phone number. Each call that comes in to that number is assigned to the
next free line in the group. If your telecommunications infrastructure
supports hunt groups, any passthru server in the hunt group can receive
a call and route it to a specified destination server.
After you set up a hunt group, create a Hunt Group Connection
document to enable servers to connect to the hunt group servers.
A Hunt Group Connection document is required whenever a hunt group has multiple passthru servers. If a hunt group has a single passthru server, create a Network Dialup Connection document to define the connection, rather than a Hunt Group Connection document.
To create a Hunt group connection document
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Complete these fields and then click Save & Close:
Field Description
Connection type: Hunt group
Source server: The name of the server connecting to the hunt group.
Source domain: The name of the connecting server’s domain. Required only if the source server and destination server are in different Domino domains.
Use the port: The modem port.
Always use area code: Specifies when the modem on the source server includes the area code to dial a number. Choose one:
• Yes - The server always includes the area code to dial, even when dialing numbers in the local exchange.
• No - (default) The server includes the area code only when dialing numbers outside the local area code.
Usage priority: Choose one:
• Normal (default) - Select this option if this document defines the primary path to a server.
• Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic “Forcing a server connection to use a specific protocol” earlier in this chapter.
Hunt group: Enter a unique name to identify the hunt group, for example, AcmeEastHuntGroup. If you create passthru Connection documents that use this connection, the hunt group name you enter in them must match the name entered here.
The name you enter here is also used to apply commands to the hunt group servers. For example, to replicate a database that is located on a hunt group server, enter:
rep hunt_group_name database
In this case, the calling server initiates the modem connection to the designated hunt group and then replicates the specified database on each server where it resides.
Destination domain: The name of the domain to connect to through the hunt group. Required only if the source server and destination server are in different Domino domains. Enter a domain name to ensure that the hunt group connects to a server in the specified domain.
Destination country code: The country code to use when dialing the number of the hunt group modem.
Destination area code: The area code to use when dialing the number of the hunt group modem.
Destination phone number: The phone number of the hunt group modem.
Login script name: The name of the login script file to use when connecting to the hunt group.
Login script arguments: Arguments required during processing of the specified login script; for example, name and password. Enter arguments from left to right in the order of use.
Field Description
Source server: The name of the calling server.
Source domain: The name of the calling server’s domain.
Use the port(s): The name of the communications port that the calling or source server uses.
Always use area code: Specifies whether the source server always uses the area code when dialing. Choose one:
• Yes - The server always includes the area code to dial, even when dialing numbers in the area code defined in the source server’s Server document. Use this option if your phone system requires an area code for local calls.
• No - (default) The server includes the area code only when dialing numbers outside the local area code.
Usage priority: Choose one:
• Normal (default) - Select this option if this document defines the primary path to a server.
• Low - Select this option to define a backup path to a server.
Destination server: The name of the remote server.
Destination domain: The name of the remote server’s domain.
Destination country code: The country code for the remote server. Enter this number only if it’s required to complete the call.
Destination area code: The remote server’s area/city code. Enter this number only if it’s required to complete the call.
Destination phone number: The phone number of the remote server.
Login script file name: The name of the connect script to use when connecting to the remote server. Supply this file name only if additional information is required to authenticate with the destination server after dialing completes.
Login script arguments: Between 1 and 4 values used by the login script when authenticating with the destination server. For example, enter a login name and password if the login script must provide these elements when connecting to the destination server. The script uses the values in the order in which they are entered. Values entered in this field are not encrypted and are displayed in the clear, so anyone who can read the Connection document can read them.
Field Description
Connection type: Network Dialup
Source server: The fully-distinguished Notes name of the connecting server. For example, Server1/Sales/ACME.
Source domain: The name of the connecting server’s Domino domain. Required only if the source server and destination server are in different Domino domains.
Use LAN port(s): Specifies the port that the server uses to establish the network dialup connection using the remote access service.
Usage priority: Choose one:
• Normal (default) - Select this option if this document defines the primary path to a server.
• Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic “Forcing a server connection to use a specific protocol” earlier in this chapter.
Field Enter
Usage priority: Choose one:
Normal - This Connection document defines a primary path to the destination server. The connecting server attempts to use this Connection document to make the connection to the destination server.
Low - This Connection document defines a backup path to the destination server. The connecting server uses this Connection document only as a last resort when trying to connect to the destination server.
Field Description
Choose a service type: Select Microsoft Dial-up Networking.
Configure service: Lets you specify the Dial-up Networking entry that the server uses when connecting to this destination. Click Edit Configuration, and complete this field in the Microsoft Dial-up Networking dialog box:
• Dial-up Networking name - Name of the Microsoft Dial-up Networking phonebook entry on the source server containing the information on how to dial up the remote server.
Optionally, you can complete the following additional fields in the dialog box. If you complete these fields, the settings override those configured in the specified Dial-up Networking entry on the server. These settings are used by the remote access service, not by Domino. Complete the fields and then click OK.
• Login name - The name that the server uses to log in to the remote access server.
• Password - The password the server uses to log in to the remote access server. For security reasons, when you enter the password, it appears as a series of asterisks. When you save the Connection document, Domino encrypts the password before storing the document, using the public keys of the source server and of the users and servers listed in the Owners and Administrators fields of the document.
• Phone number - The phone number of the remote access server. If the server uses pulse dialing, do not enter a phone number in this field. Instead, select Pulse in the server’s modem configuration options and, in the Microsoft Dial-up Networking dialog, provide a phone number and check the Use Telephony dialing properties box.
• Area code - Area code of the remote access server.
• Country code - Country code of the remote access server.
• Dial-back phone number - The phone number of the source server. If the remote access server has call-back enabled, it calls this number after authentication completes.
• Domain - The Windows logon domain of the remote access service.
Field Description
AutoDialer Task: Select Enabled.
AutoDialer connection name: Specifies a name for this AutoDialer connection. Enter any unique name, for example, InternetReplication. It’s best to use a name that’s short and descriptive. The name you enter in this field must also appear in the AutoDialer connection name field in the Connection document that provides the schedule for this task (see Step 5).
Connect remote server to network: Specifies how many minutes before a scheduled action this server dials up to connect to the Internet. To ensure availability, specify a time value that enables the server to be online several minutes before the start of the scheduled action.
3. Click Save & Close.
4. Create a LAN Connection document that defines how the source server for the scheduled task connects to the destination server.
5. Enter the following information in the Connection document you created in Step 4 and then click Save & Close:
Field Description
AutoDialer Task: Select Enabled.
AutoDialer connection name: Specifies a name for this AutoDialer connection. Enter any unique name, for example, AutoDialReplication. It’s best to use a name that’s short and descriptive. The name you enter in this field must also appear in the AutoDialer connection name field in the Connection document.
Field Description
Modem type: Associates a modem with a modem command file. If none of the listed modems is an exact match for the installed modem, select the closest match by brand and speed. If the modem is 100% Hayes-compatible, select “Auto Configure” (AUTO.MDM) for Domino to determine the modem type automatically and select the appropriate Hayes command file. Because the Auto Configure modem file does not provide optimal performance, use it only as a temporary measure while obtaining an appropriate modem file.
If there’s no match and your modem is not 100% Hayes-compatible, you may need to edit an existing modem command file or create a new one. For information about your modem, see your modem documentation.
For information about editing modem command files, see the topic “Modifying a modem command file” later in this chapter.
Field Description
Maximum port speed: Specifies the maximum speed at which the communication port on the computer sends data to the modem and receives data from the modem. Domino selects a maximum data transmission speed based on the modem type you select. The maximum speed is limited by the maximum speed specified in the modem’s command file and may also be limited by the server’s operating system. The default value is 19200. Specify the highest value supported by your modem hardware. Select a lower port speed if you are having trouble with a noisy phone line or cannot establish the carrier. When using a null modem, the maximum port speed on both computers must match.
Speaker volume: Specifies how loudly to amplify modem tones during connection attempts. Choose the volume that best allows you to monitor call progress: Low, Medium, or High; or choose Off to mute the modem.
Dial mode: Choose one:
• Tone - For touch-tone phone lines.
• Pulse - For rotary phone lines or modems that do not support touch-tone dialing.
Log modem I/O: Select this option to help troubleshoot modem connection problems by recording modem control strings and responses in the Miscellaneous Events view of the server’s Notes Log (LOG.NSF). To conserve disk space, after the problem is fixed, deselect this option to prevent the extra information from being recorded.
Log script I/O: Select this option to help troubleshoot communication problems between servers that occur after the modem establishes a connection. The server records script file responses and replies in the Miscellaneous Events view of the server’s Notes Log (LOG.NSF). To conserve disk space, after the problem is fixed, deselect this option to prevent the extra information from being recorded.
Hardware flow control: Specifies how data is sent between the computer and the modem. Select this option (the default on operating systems other than UNIX) to enable data flow control. Deselect this option only if you’re using a modem or external serial port that doesn’t support flow control. When deselected, messages about errors and retransmissions can appear in the Phone Calls view of the log file (LOG.NSF).
Field Description
Wait for dialtone before dialing: Select this option (the default) to require the modem to detect a dialtone before dialing. Deselect this option on phone systems where dial tone detection is a problem.
Dial timeout: Specifies the time, in seconds, that the source server continues attempting to connect to the destination server before it cancels the attempt. Increase the dial time-out period when using pulse dialing or when calling overseas. The default value is 60.
Hangup if idle: Specifies the time, in minutes, that the modem on the source server waits before hanging up if there is no data passing through the connection. The default value is 15. For ports that workstation users dial into, specify a longer idle time so users have time to read or compose long documents.
Port number: Specifies the port number for the current port type. Domino automatically sets the port number to the number specified in the port name; for example, if COM7 is the port name, the port number is 7. On UNIX systems, specify a port number N that matches the /dev/cuaN device file that you linked to the asynchronous port.
11. To specify an acquire script for this port, click Acquire Script, select
the script in the Acquire Script dialog box, and then click OK.
For more information on acquire scripts, see the topic “Writing and
editing acquire and login scripts” later in this chapter.
12. If necessary, you can edit acquire scripts and modem command files.
For information about editing modem command files and acquire
scripts, see the topic “Modifying modem command files and acquire
scripts” later in this chapter.
Modifying modem command files and acquire scripts
When you modify a modem command file or acquire script, you can only
modify the file on the local server. To apply a modified modem file to a
remote server, edit the file locally and copy it to the Domino
Data/Modems subdirectory on the remote server. Then restart the server
so that the modifications take effect.
1. Use the documentation that came with the modem to determine
which additional commands you must add to the modem command
file.
2. From the Domino Administrator, select the Server - Status tab.
3. From the Tools pane, click Server - Setup Ports.
4. From the Communication Ports box, select the modem
communications port; for example, COM1.
5. Click portname Options, where portname is the name of the
communications port you selected in step 4.
6. To edit a modem file, in the Modem type field, select the modem
command file that you want to modify — typically, Generic
All-Speed Modem File and click Modem File.
To edit an acquire script, click “Acquire Script.”
7. Edit the content of the file as necessary. Refer to the comments at the
top of the file for instructions.
8. Click Save to save the file using the current name. Or, to save the file under a new name, click Save As, enter a new name for the modified file in the File name field, and then click Save.
9. Click Done to close the Edit dialog box, and then click OK to close
each of the remaining open dialog boxes.
Note To ensure the best performance for connections that use data-compressing modems, don't apply Domino network data encryption to ports using these modems. Encrypted data is effectively random and does not compress; rather than reducing the size of the transmitted data, the modem's hardware compression can increase it, negating the benefits of the modem compression. Weigh this against the fact that, without port encryption, Notes traffic that is not otherwise encrypted travels in the clear over the phone line. For more information about setting up network data encryption for a port, see the chapter "Setting Up the Domino Network."
Using acquire and login scripts
How you specify a script when making a call depends on the type of script.
Acquire script: Specify the script when you set up the communication port. When the server makes a call using the specified port, Domino uses that acquire script to obtain a modem from a modem pool. Domino runs the commands in the acquire script before running the commands in the modem script.
Login script: Specify a login script in the Notes Direct Dialup Connection document for connecting to a specified server. When making a call to that server, Domino uses the specified login script.
To give Alan appropriate access within the system and to place him
appropriately in the hierarchy, the administrator uses the
Sales/East/Acme certifier ID to register him. Alan Jones’ full hierarchical
name then becomes Alan Jones/Sales/East/Acme.
The administrator specifies Mail-E, which is located on the East Coast Acme LAN, as Alan's mail server. Alan's mail server is then on the same LAN as his workstation, so that when he receives and sends mail, he connects directly to the server that stores his mail file.
Robin Rutherford works in the Accounting department in Acme’s West
Coast division. The administrator uses the Accounting/West/Acme
certifier ID to register Robin. Mail-W is Robin’s mail server, and her full
hierarchical name is Robin Rutherford/Accounting/West/Acme.
Customizing user registration
You can define specific options to customize how Domino registers users.
If you choose to use a certifier ID and password instead of the Lotus
Domino 6 server-based certification authority (CA), Domino uses the
certifier ID specified in Administration Preferences; or if there is none, it
uses the ID specified in the CertifierIDFile setting in the NOTES.INI file.
1. Make sure to have the following before you begin customizing user registration:
• Access to the certifier ID and its password, if you are not using a certifier enabled for the CA process.
• Editor access, or Author access with the Create documents privilege, plus the UserCreator role in the Domino Directory. The UserCreator role is required regardless of your access level.
• Access to the Domino Directory from the machine you work on.
• Local or remote access to USERREG.NSF.
• Create new databases access on the mail server to create user mail files during registration.
• Create documents access to CERTLOG.NSF on the registration server.
• GroupModifier role or at least Editor access to add users to groups.
Note Do not modify the ACL for USERREG.NSF using the File - Database - Access Control menu commands. Use the User Registration Database Access button on the Advanced Person Registration Options dialog box.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, choose the server to work from.
4. Select Domino Directories, and then click People.
5. From the Tools pane, click People - Register. Enter the password for
the certifier that you are currently using.
Note While registering a user, you can specify whether you want to
register the user with the server-based CA, or with a certifier ID and
password. This selection is made on the ID Info panel in advanced
user registration.
6. Click the Options button, and then choose any of these options:
Option Purpose
Do not continue on registration errors: Stops registration if you have multiple users selected and the registration encounters an error. The default is to continue on registration errors.
Keep successfully registered users in the queue: Keeps successfully registered users in the queue. The default is to remove successfully registered users from the queue.
Try to register queued people with error status: Tries to register queued users, even if their registration status contains errors. For example, if you choose this option, a user whose password is insufficiently complex will be registered. The default is not to register queued users who have error status.
Allow registration of previously registered people: Allows registration of users who were previously registered in Notes. The default is not to register previously registered Notes users.
Search all directories for duplicate names: Checks every directory to see if the user's name already exists.
Enforce short name uniqueness: Forces all short names to be different from one another.
Don't prompt for a duplicate person: If you choose this option, these additional options appear. Choose one:
• Skip the person registration: Skips the user registration for both short name and full name single matches.
• Update the existing address book entry: Overwrites the existing user if the single match found is on the full name. Short name uniqueness is then required.
The default is to prompt for duplicate users.
Don't prompt for a duplicate mail file: If you choose this option, these additional options appear. Choose one:
• Skips the person registration.
• Generates a unique mail file name by appending a number beginning with 1, then 2, etc., to a non-unique mail file name until a unique name is found.
• Replaces the existing mail file: this option does not apply when the mail file is being created in the background via the Administration Process, or if the current ID does not have delete access to the mail file that is being replaced.
The default is to prompt for a duplicate mail file.
Don't prompt for a duplicate roaming directory: If you choose this option, these additional options appear. Choose one:
• Skips the person registration.
• Generates a unique roaming directory name by appending a number beginning with 1, then 2, etc., to a non-unique roaming directory name until a unique name is found.
The default is to prompt for a duplicate roaming directory.
Generate random user passwords: Click this check box to automatically set random passwords for the users you are registering. If you select this option, you do not need to specify passwords for the users you are registering.
User Registration Database Access: Displays the Registration Database Access Control Settings dialog box, where you can add or remove members from the access control list as well as change access control settings.
7. Click OK.
Registering users
You can use any of these methods to register Notes users:
• Basic user registration
• Advanced user registration
• Text file registration
• Registration settings
• Migration tools (for people using an external mail system or directory) registration
• Basic user registration from the Web Administrator
• Advanced user registration from the Web Administrator
The method you use to register people depends on a number of issues,
including whether you have defined default settings, whether you want
to assign users more advanced options (such as alternate names),
whether you need to import users from a foreign mail system or
directory, and whether your user settings are in a text file.
Note When registering users with non-ASCII characters in their user
names, Notes attempts to convert non-ASCII characters to ASCII. If one
or more characters cannot be converted to ASCII, the Internet address is
not generated. You need to be aware of this when registering users
whose names cannot be converted to ASCII characters because you will
need to create those Internet addresses manually.
Basic registration
For fast and easy registration, use the Basic user registration options.
Basic registration requires you to define user-specific settings, such as
user name and password, but also offers you the convenience of
applying some default settings to users. You can define default settings
in the Registration preferences (found in the Administration Preferences
dialog); you can define settings in the Register Person dialog; or you can
use Notes default settings. Some of the non-default settings you define in
Basic registration include the user name and password. You can also
assign users to specific groups.
All settings available in Basic registration are also available in Advanced
registration. You can choose to view and perform Advanced registration
at any time by clicking the Advanced check box in the Register Person
dialog.
Advanced registration
Advanced registration offers all the settings included in Basic registration
and also allows you to change default settings and define advanced or
specific settings — for example, assign an alternate name to a user or add
the user to a Windows NT or Active Directory group.
Text file registration
To register users from a text file — that is, a file that contains information
on one or more users — import them into the registration queue from the
Register Person dialog box. This action creates an entry for each user in
the User Registration Queue and allows you to modify user settings
individually.
Web registration
User registration can now be done using the Domino Web Administrator.
You register users via the Web in a manner that is very similar to user
registration done with the Domino Administrator.
For more information on registering users with the Web Administrator,
see the topic “Using the Domino Web Administrator to register users” in
this chapter.
If you are a service provider, for more information on registering users
from the hosted organization site, see the chapter “Managing a Hosted
Environment.”
Registration Settings
To simplify the process of registering users, you can create policies and
Registration Settings documents to preset registration settings for
different types of users. For example, users who work in Human
Resources may have different registration settings than users who work
in Sales. You can create Registration settings for both groups of users,
and use them to register everyone with the proper settings. In addition,
when you add new users to either group later, the same registration
settings apply.
Note Registration settings do not apply to user registration done with
the Web Administrator.
Migration from external mail system or directory
You can migrate users who use an external mail system or directory into
Notes. You register them using migration tools accessed through the
Migrate People button in the Register Person dialog box. After migrating
them, you can modify their settings.
The following list details the types of users you can migrate into Notes:
• Lotus cc:Mail
• Microsoft Exchange
• LDIF (from an LDAP directory)
• LDAP
• Microsoft Mail
• Windows NT/Windows 2000
• Active Directory
Roaming users
Users who access Notes from more than one Notes client can access their
customized settings and personal information automatically from any
Notes client in the domain. Data for these users, known as roaming users,
replicates between the user’s machine and a roaming user server, where
these files are stored. When a roaming user logs on from a different
Notes client, it automatically retrieves the user’s ID file, Personal
Address Book, bookmarks, and journal from the roaming user server.
Any changes the user makes in these files replicate to the roaming user
server. This enables the roaming user to have a consistent experience
from any Notes client.
Using default user settings when registering users
When you use default settings, the user registration process is fast and
easy. The default settings can originate from a variety of sources:
• Notes includes a set of default settings.
• You can define default settings in the registration preferences in the Administration Preferences dialog box. Define these settings before registering users. The registration preferences do not offer all the default settings, only some of the more basic ones, such as designating the Registration server. For more information on registration preferences, see the chapter "Setting Up and Using Domino Administration Tools."
• You can define default settings through the user registration interface using either of two methods: one method uses settings for a user previously added to the user registration queue, and the other method uses settings defined on the Register Person - New Entry dialog box. For example, if you have already added users to the user registration queue, the non-user-specific settings that were applied to the last user now serve as defaults for the next user. Similarly, you can define settings on the Register Person - New Entry dialog box. If you import or migrate users while in this mode, users inherit the settings you defined.
Only settings you define as registration preferences remain from session
to session. All other default settings return to Notes defaults each time
you begin a new registration session.
Default Notes user registration settings
This table lists all the default user registration settings that Notes provides. The values in this table apply only under these conditions:
• Previous values have not been set in Registration preferences
• Previous values have not been set in the Register Person dialog box
User registration fields that do not appear in this table do not have default values.
Field Default
Registration Server: Local server if it contains a Domino Directory. Otherwise, the server specified in the NewUserServer setting of the NOTES.INI file, or the Administration server.
Password Quality Scale: 8
Set Internet password: Off
Internet address: FirstnameLastname@Internet domain; for example, RobinRutherford@Acme.com.
Internet Domain: Current TCP/IP host domain
Address name format: Firstname Lastname
Mail server: Local server if it contains a Domino Directory; otherwise, the Administration server
Mail file template: Mail(R6)
Create file now: On
Mail system: Lotus Notes
Mail file name: mail\<firstinitial><first7charactersoflastname>.nsf
Mail file owner access: Editor with Delete documents rights
Create full text index: Off
Set database quota: Off
Set warning threshold: Off
Create a Notes ID for this person: On
Let this person roam: Off
Certifier ID: If you are not using the server-based certification authority (CA), Notes uses the certifier ID specified in Administration Preferences; or if there is none, it uses the ID specified in the CertifierIDFile setting of the NOTES.INI file. If you are working in a hosted environment and registering users to a hosted organization, be sure that you are working with a certifier that was created for that hosted organization.
Security type: Either North American or International
Certificate expiration date: Two years from current date
Location for storing user ID: In Domino Directory
Local administrator: None
Put roaming user files on mail server: On
Personal roaming folder: roaming\
Sub folder format: FirstName LastName
Create roaming files now: Selected
Clean-up action: Do not clean up
Field Enter
Registration Server: Click Registration Server to change the registration server (which is the server that initially stores the Person document until the Domino Directory replicates), select the server that registers all new users, and then click OK. If you have not defined a registration server in Administration Preferences, this server is by default one of these:
• The local server if it contains a Domino Directory
• The server specified in the NewUserServer setting of the NOTES.INI file
• The administration server
First name, Middle name, Last name: The user's first and last names and (if necessary) middle name. The user's Short name and Internet address are automatically generated. To change the Short name or Internet address, click the appropriate space and enter the new text.
Short name: A short name in the format FirstInitialLastName is automatically created as you enter the user's name. For example, JSmith is the short name for John Smith. You can modify this field.
Password: A password for the user ID.
Password options: Click Password options to set a level for the password in the Password Quality Scale. The default level is 8. For more information, see "Understanding the password quality scale." Click the check box "Set Internet password" to give Internet users name and password access to a Domino server and to set an Internet password in the Person document. This field is automatically selected if you select the Other Internet, POP, iNotes, or IMAP mail types. Click "Synch Internet password with Notes ID password" to make the Internet password in the Person document the same as the Notes password. This is a requirement for users who want to use iNotes Web Access to read encrypted mail or work offline. Because the two passwords are then identical, any exposure of the Internet password (for example, over an unencrypted HTTP session) also exposes the password that protects the user's Notes ID.
Mail system: Click to change the user's mail system from the default of Lotus Notes to an Internet-based system or iNotes Web Access.
Explicit policy: Select the explicit policy to apply to this user. For more information on policies, see "Policies."
Policy synopsis: Click to see a summary of this user's effective policies.
Let this person roam: Click to enable roaming capabilities for this user. Doing so enables the Roaming tab.
Create a Notes ID for this person: Click to create a Notes ID for this person during the registration process.
Mail system: Choose one of the available mail types and complete the necessary associated fields:
• Lotus Notes (default)
• Other Internet
• POP
• IMAP
• iNotes
• Other
• None
If you select Lotus Notes, POP, or IMAP, the Internet address is automatically generated. If you select Other Internet, POP, or IMAP, the Internet password is set by default. If you select iNotes (iNotes Web Access), you can change other user registration selections to iNotes Web Access defaults by clicking Yes when prompted. If you select Other or Other Internet, enter a forwarding address. This address is the user's current address, where the user wants mail to be sent. For example, if a user temporarily works at a different location and/or uses a different mail system, the user can have her mail forwarded to that new address. Or, a user may resign from the company but leave a forwarding address so that mail addressed to the old address is forwarded to the new location.
Mail server: The user's mail server. If you have not defined a mail server in Administration Preferences, this server is (by default) the local server if it contains a Domino Directory; otherwise, it is the Administration server.
Mail file: The file name of the mail file. By default, the path name and file name are mail\<firstinitial><first7charactersoflastname>.nsf.
Create file now/Create file in background: Choose one:
• Create file now (default).
• Create file in background: Creating mail files in the background forces the Administration Process to create the files and saves time during the user registration process. When you migrate users who have mail to convert, this field is automatically set to Create file now.
Internet address: The Internet e-mail address assigned to this user.
Internet Domain: The domain to be used in the Internet address; for example, Acme.com.
Address name format: The format of the Internet address. The default format is FirstNameLastName@Internet domain without a separator; for example, RobinRutherford@Acme.com.
Separator: The character inserted between names and initials in the Internet address. The default is None.
Create a Notes ID for this person: Click to create a Notes ID for this user.
Certifier Name: Choose a certifier ID to use when creating the user list name during user registration when a Notes user ID is not being created for the user. This field appears if the check box "Create a Notes ID for this person" is not selected. If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization.
Use CA process: Click to use the Lotus Domino 6 server-based certification authority (CA) to register this user. The certifier ID and password will not be needed to complete the user registration process if you use the Lotus Domino 6 CA. If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization. This field appears if the check box "Create a Notes ID for this person" is selected.
Certifier ID: Click if you want to use a certifier ID and password instead of the server-based CA. To change to a different certifier ID, click Certifier ID, select the new ID, enter the password, and then click OK. If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization. This field appears if the check box "Create a Notes ID for this person" is selected.
Security type: Choose either North American or International. The security type determines the type of ID file created and affects encryption when sending and receiving mail and encrypting data. North American is the stronger of the two types. This field appears if the check box "Create a Notes ID for this person" is selected.
Certification expiration date: The expiration date of the user ID in mm-dd-yy format. The default is two years from the current date. This field appears if the check box "Create a Notes ID for this person" is selected.
Location for storing user ID: Choose one:
• In Domino Directory (default). The ID file is stored as an attachment to the user's Person document.
• In file (default location: <datadirectory>\ids\people\user.id). Click Set ID file to change the path.
• In mail file. This option is only available with iNotes Web Access and allows Notes users to read their encrypted mail while using iNotes Web Access.
Wherever it is stored, the ID file's private key is protected only by the user's password, so restrict access to the Person document attachment, the ids\people directory, or the mail file accordingly. This field appears if the check box "Create a Notes ID for this person" is selected.
Put roaming user files on mail server: Click to store the user's roaming information on the same server used for mail.
Roaming Server: Click Roaming Server to open the Choose Roaming User Files Server dialog box on which you specify the server that stores the user's roaming information. If you select Put roaming user files on mail server, the Roaming Server defaults to the user's mail server.
Personal roaming folder: The subdirectory that contains the user's roaming information. By default, this is based on the sub-folder format you specify, but you can customize it.
Sub-folder format: The method used to name roaming subdirectories on the roaming server. This determines the default Personal roaming folder for each user.
Create roaming files now/Create roaming files in background: Choose one of these:
• Create file now (default).
• Create roaming files in background: Click to create the user's roaming files the next time the Administration Process runs. Creating roaming files in the background forces the Administration Process to create the files and saves time during the user registration process.
Clean-up option: Choose one of the following roaming user client clean-up options. Clean-up will only occur on clients that have been installed and configured for multiple users.
• Do not clean-up (default): Roaming user data will never be deleted from the Notes client workstation to which the user roamed.
• Clean-up periodically: Enables the "Clean up every N days" field on which you specify the number of days that should pass before roaming user data is deleted from the Notes client workstation.
• Clean-up at Notes shutdown: Roaming user data will be deleted from the Notes client workstation immediately upon Notes shutdown.
• Prompt user: The user is prompted on exiting the client as to whether they want to clean up their personal files. If the user chooses Yes, the data directory on that client workstation is deleted. If the user chooses No, the user is prompted as to whether they want to be asked again on that client. If the user chooses No, the user is not prompted again. If the user chooses Yes, the user is prompted again the next time the user exits the client on that workstation.
Roaming Replicas: Click this button to open the "Roaming Files Replica Creation Options" dialog box on which you can designate to which servers a user's roaming files should replicate. This option only applies to clustered servers.
Setup profile: Name of an R5 User Setup profile to assign. Note If you are using policies, you cannot use a user setup profile.
Unique org unit: A word that distinguishes two users who have the same name and are certified by the same certifier ID.
Location: Departmental or geographical location of the user.
Local administrator: The name of a user who has Author access to the Domino Directory but who does not have the UserModifier role. This setting allows the local administrator to edit Person documents.
Comment: A comment about the user, regarding the user's registration.
Alternate name language: Choice of alternate name language. The certifier ID used to register this user must contain the alternate name language for it to appear here.
Alternate name: The alternate name of the user. The certifier ID used to register this user must contain the alternate name language for it to appear here.
Alternate org unit: A word that distinguishes two users who have the same name and are certified by the same certifier ID. The certifier ID used to register this user must contain the alternate name language.
Preferred language: Choose a preferred language for the user, that is, the language that the user prefers to use.
Windows User Options: Click to set user options for Windows NT or Windows 2000. Opens the "Add Person to Windows NT/2000" dialog box on which you can specify whether to add the user to Windows NT and/or the Windows 2000 Active Directory. Enter the Windows account name for the user, and select the name of the Windows NT or Windows 2000 group to which you are adding the user.
15. Click the green check mark. The user name appears in the
Registration status view (the user registration queue).
16. Click Register and then click Done.
Registering users from a text file
When registering users from a text file, you can import them through the
Import Text File button on the Register Person dialog box, which places
users as entries in the User Registration Queue and allows you to modify
user settings individually.
If you want to specify the text file in the NOTES.INI file so that Notes does not prompt you to browse for it, add BatchRegFile=filename to the NOTES.INI file.
You can also define a separator for the text file by adding BatchRegSeparator=character to the NOTES.INI file. The separator character cannot be a character used in any of the user parameter settings in the text file. If you do not specify a BatchRegSeparator, a semicolon (;) separator is used.
For more information on these NOTES.INI settings, see the appendix "NOTES.INI File."
Settings applied to a group of users
These user settings are available for you to modify before using the menu (choose People - People - Register) to import and register users. Notes applies these settings to all users in the group.
• Registration Server
• Password Quality Scale
• Set Internet password
• Internet address
• Internet Domain
• Format
• Mail server
• Mail file template
• Mail system
• Mail file name
• Mail file owner access
• Set database quota
• Set warning threshold
• Certifier ID
• Security type
• Certificate expiration date
• Store user ID in Domino Directory or File
• Add users to selected groups
• Local administrator
• Add NT User Accounts
Setting up the text file
To set up a text file, create a line in the text file for each user. Enter the
parameters for each user in exactly the order shown in the table below.
Use one semicolon to separate parameters, and use one semicolon to take
the place of each contiguous parameter that you decide not to specify.
For example, this line in a text file specifies only a last name and
password:
Alexis;;;;password1
This line in a text file specifies a complete name, home server, and User Setup profile:
Alexis;Catherine;R.;;password1;;;Marketing/Acme;;;;;;Marketing Profile
Note that only the last name and password parameters are required.
Order Parameter Enter
1. Last name: The last name of the user. This parameter is required.
2. First name: The first name of the user.
3. Middle initial: The middle initial of the user.
4. Organizational unit: A name for another level to add to the
hierarchical name. This name distinguishes between two users who have the
same name and are certified by the same certifier.
5. Password: A password for the user. This parameter is required.
6. ID file directory: The directory in which you want to store the user’s
ID. You can store the ID in this directory in addition to or instead of as
an attachment in the Domino Directory. You must create the directory
before registration. For this parameter to take effect, select the In File
option on the ID Info panel for storing the user ID. This parameter
overrides the default ID directory shown in the Register Person - New
Entry dialog box.
7. ID file name: The name you want to assign to the ID file. This file
name applies only if you store an ID in an ID file directory. If you do
not specify a user ID file name, the name on the ID is based on the
person’s name.
8. Mail server name: The name of the user’s mail server. This parameter
overrides the one you select during registration.
9. Mail file directory: The mail file directory for the user.
10. Mail file name: The name for the user’s mail file. If you do not use
this parameter, the name is based on the person’s name if the person uses
Notes mail.
11. Location: Descriptive location information that is added to the
user’s Person document. If someone addresses mail to this user and there
is another user with the same name, Notes displays the location to help
the sender distinguish the two users.
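The text-file format above is easy to get wrong by hand (a miscounted semicolon silently shifts every later parameter into the wrong position), so here is a small parser, builder and file checker for it. This is an added example, not part of the Domino documentation or product; the parameter positions follow the table above, and any field after the eleventh is kept raw because the page does not name those positions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Parameter names in the order the page lists them; list index + 1 is the
# position in the line. The page names positions 1 to 11 only, so anything
# after the 11th semicolon is kept as a raw extra rather than guessed at.
PARAMETERS = [
    "last_name",            # 1, required
    "first_name",           # 2
    "middle_initial",       # 3
    "organizational_unit",  # 4
    "password",             # 5, required
    "id_file_directory",    # 6
    "id_file_name",         # 7
    "mail_server_name",     # 8
    "mail_file_directory",  # 9
    "mail_file_name",       # 10
    "location",             # 11
]
REQUIRED = ("last_name", "password")


@dataclass
class RegistrationEntry:
    values: Dict[str, str]              # named parameters that were given
    extras: List[str]                   # fields after position 11, unchanged
    errors: List[str] = field(default_factory=list)

    def get(self, name: str) -> Optional[str]:
        return self.values.get(name)


def parse_registration_line(line: str) -> RegistrationEntry:
    """Split one line on ';'. An empty field means the parameter at that
    position was deliberately skipped; a missing required one is an error."""
    fields = line.rstrip("\r\n").split(";")
    values: Dict[str, str] = {}
    for position, raw in enumerate(fields[:len(PARAMETERS)]):
        value = raw.strip()
        if value:
            values[PARAMETERS[position]] = value
    extras = [f.strip() for f in fields[len(PARAMETERS):]]
    errors = [f"missing required parameter: {name}"
              for name in REQUIRED if name not in values]
    return RegistrationEntry(values, extras, errors)


def build_registration_line(**params: str) -> str:
    """Inverse of the parser: put each named parameter at its position and
    fill skipped positions with empty fields, dropping trailing empties."""
    unknown = set(params) - set(PARAMETERS)
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")
    for name in REQUIRED:
        if not params.get(name):
            raise ValueError(f"{name} is required")
    fields = []
    for name in PARAMETERS:
        value = params.get(name, "")
        if ";" in value:
            raise ValueError(f"{name} may not contain the ';' separator")
        fields.append(value)
    while fields and fields[-1] == "":
        fields.pop()
    return ";".join(fields)


def check_registration_file(text: str) -> List[str]:
    """Validate every non-blank line before handing the file to the
    registration dialog; returns human-readable problems, empty if none."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = parse_registration_line(line)
        problems.extend(f"line {number}: {e}" for e in entry.errors)
    return problems


# Constructed sample file: the page's two example lines plus a bad one.
SAMPLE_FILE = """Alexis;;;;password1
Alexis;Catherine;R.;;password1;;;Marketing/Acme;;;;;;Marketing Profile
Brown;Pat
"""

if __name__ == "__main__":
    for problem in check_registration_file(SAMPLE_FILE):
        print(problem)   # line 3: missing required parameter: password
```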
Field Action
Mail System: Choose one of the available mail types and complete the
necessary associated fields:
• Lotus Notes (default).
• Other Internet — choosing this option automatically selects the “Set
Internet password” check box.
• POP — choosing this option automatically selects the “Set Internet
password” check box.
• IMAP — choosing this option automatically selects the “Set Internet
password” check box.
• iNotes — You are prompted to make other registration selections for
iNotes.
• Other
If you select Lotus Notes, POP, or IMAP, the Internet address is
automatically generated.
If you select Other Internet, POP, or IMAP, the Internet password is set
by default.
If you select iNotes (iNotes Web Access), you can change other user
registration selections to iNotes Web Access defaults by clicking Yes when
prompted.
If you select Other or Other Internet, enter a forwarding address. This
address is the user’s current address, where the user wants mail to be
sent. For example, if a user temporarily works at a different location
and/or uses a different mail system, the user can have her mail forwarded
to that new address. Or, a user may resign from the company but leave a
forwarding address so that mail addressed to the old address is forwarded
to the new location.
Set Internet password: Click to set an Internet password.
Synch Internet password with Notes ID: Click to synchronize the Internet
password with the Notes ID password.
Create a Notes ID for this person: Click to create a Notes ID.
Explicit policy: (Optional) To assign a policy to this user, select one
from the Explicit policy list.
Field Action
First name, Middle name, Last name: Enter a first name, middle name (if
necessary), and last name.
Short name: The user’s Short name is automatically generated. To change
the Short name, enter the new text.
Password: Enter the password for the user ID. Criteria for this password
are based on the level set in the Password Quality Scale in the Password
Options dialog box.
Password quality: Choose a password quality. The default level is 8. The
password you specify must correspond to the password quality that you
select in “Password Options.”
Mail System: Choose one of the available mail types and complete the
necessary associated fields:
• Lotus Notes (default).
• Other Internet — choosing this option automatically selects the “Set
Internet password” check box.
Set Internet password: Click to set an Internet password.
Synch Internet password with Notes ID: Click to synchronize the Internet
password with the Notes ID password.
Fields Action
Mail System: Choose one of the available mail types and complete the
necessary associated fields:
• Lotus Notes (default)
• POP
• IMAP
• iNotes
• Other Internet
• Other
• None
If you select Lotus Notes, POP, or IMAP, the Internet address is
automatically generated.
If you select Other Internet, POP, or IMAP, the Internet password is set
by default.
If you select iNotes (iNotes Web Access), you can change other user
registration selections to iNotes Web Access defaults by clicking Yes when
prompted.
If you select Other or Other Internet, enter a forwarding address. This
address is the user’s current address, the address to which the user wants
mail to be sent. For example, if a user temporarily works at a different
location and/or uses a different mail system, the user can have her mail
forwarded to that new address. Or, a user may resign from the company but
leave a forwarding address so that mail addressed to the old address is
forwarded to the new location.
Fields Action
Mail Server: Choose a server to be assigned as the user’s mail server.
Mail file name: The file name of the mail file. By default, the path and
the file name are mail\<firstinitial><first7charactersoflastname>.nsf.
Mail template: Choose a mail template from the list of available mail
templates. For a description of the template, select the template and
click About. The default is Mail(R6) (MAIL6.NTF).
Field Action
Create a Notes ID for this person: Click to create a Notes ID for this
user.
Certifier name list: Choose a certifier from the list if you are not
creating a Notes ID for this user. This field is visible only if you do
not select the check box “Create a Notes ID for this person.”
CA-configured certifier: Choose a CA-configured certifier to use to
register the user. This field is only visible if you select the check box
“Create a Notes ID for this person.”
Certificate expiration: Choose one:
• Months — Enter the number of months during which the certifier is
valid.
• Date — Specify the date on which the certificate expires. The default
is two years from the current date.
This field is only visible if you select the check box “Create a Notes ID
for this person.”
Security type: Choose either North American or International. The
security type determines the type of ID file created and affects
encryption when sending and receiving mail and encrypting data. North
American is the stronger of the two types. This field is only visible if
you select the check box “Create a Notes ID for this person.”
Location for storing user ID: Non-modifiable field that displays the
location in which the user’s ID will be stored. This field is only visible
if you select the check box “Create a Notes ID for this person.”
Field Actions
Create replica(s) of the mail database: Click this check box to create
replicas of mail files on additional servers that you specify.
Select options for creation of mail database replicas: Use these options
as necessary:
• Add — Click to open the Server for Mail File Replica Creation dialog
box. Use this dialog box to choose the server(s) on which to create mail
file replicas.
• Remove — Choose one or more servers to remove from the list of servers
on which to create mail file replicas, and then click Remove.
• Remove All — Click to remove all servers from this list.
These options are available only if the check box “Create replicas of
mail database” is selected.
Field Action
Roaming user: Click to activate the roaming user registration options to
register this user as a roaming user.
Put on mail server/Choose a server: Choose one of these:
• Put on mail server — Click to place the user’s roaming files on the
user’s mail server.
• Server name — Click to store the user’s roaming file on the “Current
Server” or select another server of your choice.
Personal roaming folder: The subdirectory that contains the user’s roaming
information. By default, this is based on the sub-folder format you
specify, but you can customize it.
Sub-folder format: The method used to name roaming subdirectories on the
roaming server. This determines the default Personal roaming folder for
each user.
Field Action
Clean-up options: Choose one of the following roaming user client clean-up
options. Clean-up will only occur on clients that have been installed and
configured for multiple users.
• Do not clean-up (default) — Roaming user data is not deleted from the
Notes client workstation to which the user roamed.
• Clean-up every — Enables the “Clean up every N days” field on which you
specify the number of days that should pass before roaming user data is
deleted from the Notes client workstation.
• Clean-up at Notes shutdown — Roaming user data is deleted from the Notes
client workstation immediately upon Notes shutdown.
• Prompt user — The user is prompted on exiting the client as to whether
they want to clean up their personal files. If the user chooses Yes, the
data directory on that client workstation is deleted. If the user chooses
No, the user is prompted as to whether they want to be asked again on that
client. If the user chooses No, the user is not prompted again. If the
user chooses Yes, the user is prompted again the next time the user exits
the client on that workstation.
Setting Description
Username: User’s hierarchical name — for example, John Smith/Acme
KeyfileName: Directory path to the user’s ID file name — for example,
c:\program files\lotus\notes\data\jsmith.id
Domino.Name: Domino server in the same domain as the user name. You do not
need to enter a hierarchical name.
Domino.Address: An address for the Domino server, such as the IP address
of the server, if needed, to connect to the server. For example,
server.acme.com or 123.124.xxx.xxx
Domino.Port: Port type, such as TCPIP
Domino.Server: 1 to connect to the Domino server, 0 for no connection
AdditionalServices: 1 forces display of the “Additional Services” panel
even if sufficient information is provided for these services; the
Additional Services panel lists Internet, proxy, and replication settings.
AdditionalServices.NetworkDial: To configure a network dialup connection
to Internet accounts created via the Additional Services dialog box
Mail.Incoming.Name: Incoming mail account name, a friendly name used to
refer to these settings (as for Mail.Outgoing.Name below)
Mail.Incoming.Server: Incoming mail (POP or IMAP) server name
Mail.Incoming.Protocol: 1 for POP; 2 for IMAP
Mail.Incoming.Username: Mail account user name or login name
Mail.Incoming.Password: Mail account password
Mail.Incoming.Address: An address — such as the IP address — of the home
server, if needed to connect to server
Mail.Incoming.SSL: 1 to use SSL; 0 not to use SSL
Mail.Outgoing.Name: Outgoing mail account name, a friendly name used to
refer to these settings
Mail.Outgoing.Server: Outgoing mail (SMTP) server name
Mail.Outgoing.Address: User’s Internet mail address, such as user@isp.com
Mail.InternetDomain: Internet Mail domain name such as isp.com
Directory.Name: Directory account name, a friendly name used to refer to
these settings
Directory.Server: Directory (LDAP) server name
News.Name: News account name, a friendly name used to refer to these
settings
News.Server: News (NNTP) server name
NetworkDial.EntryName: Name of remote network dialup phone book entry
NetworkDial.Phonenumber: Dial-in number
NetworkDial.Username: Remote network user name
NetworkDial.Password: Remote network password
NetworkDial.Domain: Remote network domain
DirectDial.Phonenumber: Phone number of Domino server
DirectDial.Prefix: Dialup prefix, if required. For example, 9 to access an
outside line.
DirectDial.Port: COM port to which the modem is connected
DirectDial.Modem: File specification of modem file
Proxy.HTTP: HTTP proxy server and port — for example, proxy.isp.com:8080
Proxy.FTP: FTP proxy server and port — for example, proxy.isp.com:8080
Proxy.Gopher: Gopher proxy server and port — for example,
proxy.isp.com:8080
Proxy.SSL: SSL proxy server and port — for example, proxy.isp.com:8080
Proxy.HTTPTunnel: HTTP tunnel proxy server and port — for example,
proxy.isp.com:8080
Proxy.SOCKS: Socks proxy server and port — for example, proxy.isp.com:8080
Proxy.None: No proxy for these hosts or domains
Proxy.UseHTTP: Use the HTTP proxy server for FTP, Gopher, and SSL security
proxies
Proxy.Username: User name if logon is required
Proxy.Password: User password
Replication.Threshold: Transfer outgoing mail if this number of messages
held in local mailbox
Replication.Schedule: Enable replication schedule
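A profile built from the settings above carries account passwords and decides whether POP/IMAP logins are protected by SSL, so it is worth checking before it is distributed to users. The following audit is an added example, not Domino code; it assumes (the page does not say) one Setting=Value pair per line, and the weak and hardened profiles it checks are constructed samples.

```python
from typing import Dict, List

# Settings from the table above whose values are secrets. A profile that
# carries them must be protected like the passwords themselves.
CREDENTIAL_SETTINGS = ("Mail.Incoming.Password", "NetworkDial.Password",
                       "Proxy.Password")


def parse_setup_file(text: str) -> Dict[str, str]:
    """One Setting=Value per line (format assumed); blank lines ignored.
    Only the first '=' separates the setting from its value, so values such
    as proxy.isp.com:8080 or a Windows path survive intact."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"not a Setting=Value line: {raw!r}")
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_setup(settings: Dict[str, str]) -> List[str]:
    """Return findings a defender would want fixed before the profile is
    distributed; an empty list means nothing was flagged."""
    findings: List[str] = []
    # Domino.Server=1 asks the client to connect; that needs a server name.
    if settings.get("Domino.Server") == "1" and not settings.get("Domino.Name"):
        findings.append("Domino.Server=1 but Domino.Name is not set")
    # Mail.Incoming.Protocol is 1 (POP) or 2 (IMAP); anything else is a typo.
    protocol = settings.get("Mail.Incoming.Protocol", "")
    if protocol not in ("", "1", "2"):
        findings.append(f"Mail.Incoming.Protocol must be 1 or 2, got {protocol!r}")
    # A POP/IMAP account without SSL sends its login over the network
    # unprotected, so an incoming server without Mail.Incoming.SSL=1 is flagged.
    if settings.get("Mail.Incoming.Server") and settings.get("Mail.Incoming.SSL") != "1":
        findings.append("Mail.Incoming.SSL is not 1: incoming mail login is unprotected")
    for key in CREDENTIAL_SETTINGS:
        if settings.get(key):
            findings.append(f"{key} stores a password in clear text")
    return findings


# Constructed sample profile (every name and value here is made up).
WEAK_PROFILE = r"""Username=John Smith/Acme
KeyfileName=c:\program files\lotus\notes\data\jsmith.id
Domino.Name=mailhub
Domino.Address=server.acme.com
Domino.Port=TCPIP
Domino.Server=1
Mail.Incoming.Name=ISP mailbox
Mail.Incoming.Server=pop.isp.com
Mail.Incoming.Protocol=1
Mail.Incoming.Username=jsmith
Mail.Incoming.Password=changeme
Mail.Incoming.SSL=0
Proxy.HTTP=proxy.isp.com:8080
"""

# The same profile with both findings addressed: SSL on, password left out.
HARDENED_PROFILE = r"""Username=John Smith/Acme
KeyfileName=c:\program files\lotus\notes\data\jsmith.id
Domino.Name=mailhub
Domino.Address=server.acme.com
Domino.Port=TCPIP
Domino.Server=1
Mail.Incoming.Name=ISP mailbox
Mail.Incoming.Server=pop.isp.com
Mail.Incoming.Protocol=1
Mail.Incoming.Username=jsmith
Mail.Incoming.SSL=1
Proxy.HTTP=proxy.isp.com:8080
"""

if __name__ == "__main__":
    for finding in audit_setup(parse_setup_file(WEAK_PROFILE)):
        print(finding)
    print("hardened:", audit_setup(parse_setup_file(HARDENED_PROFILE)))
```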
Managing users
The Administration Process helps you manage users by automating
many of the associated administrative tasks. For example, if you rename
a user, the Administration Process automates changing the name
throughout databases in the Notes domain by generating and carrying
out a series of requests, which are posted in the Administration Requests
database (ADMIN4.NSF). Changes are made, for example, in the Person
document, in databases, in ACLs and extended ACLs. However, the
Administration Process can be used only if the database is assigned an
administration server.
Rename a user
There are several ways in which you “rename” a user. Usually they
involve changing a user’s common or alternate name. However, in
Domino Notes, the name hierarchy becomes part of the user’s name. So if
a user is moved and certified by a new hierarchy, then that too is
considered renaming. The rename tasks are:
• Change a Notes user’s common name
• Notify a user of a change to private design elements during a name
change
• Rename a Web user
• Move a user name in the name hierarchy
• Upgrade a user name from flat to hierarchical
5-54 Administering the Domino System, Volume 1
Change user roaming status
You can change a user’s roaming status via the following tasks:
• Change a roaming user to nonroaming
• Change a nonroaming user to roaming
Move a user's files
In contrast to moving a user from one hierarchy to another, which is a
simple renaming action, you may also need to move a user’s actual files.
To do so, you use the following task:
• Moving a user’s mail file and roaming files from the Domino
Administrator or the Web Administrator
Delete a user name
When you delete a user name, you have the option of maintaining some
of the files, while denying the user access to them. The Administration
Process helps you automate the following tasks:
• Delete a user name
• Deleting a user name with the Web Administrator
User maintenance
In addition to the tasks listed above, there may be times when you need
to locate a user, recertify a user’s ID, or another user-related task. Use the
following procedures:
• Changing a user’s Internet address
• Finding a user name in the domain with the Domino Administrator or Web
Administrator
• Recertifying user IDs
• Monitoring user licenses
While managing users, you may also need to recertify a certifier ID.
• Recertifying a user ID
• Recertifying a certifier ID
Synchronizing Windows NT or Windows 2000 Active Directory and
Notes users
You can synchronize Notes users with users in Windows NT and in
Windows 2000 Active Directory. You can also manage Notes users from
the Windows NT User Manager, and from the Windows 2000 Microsoft
Management Console.
Setting Up and Managing Notes Users 5-55
Configuration
For more information on synchronizing Notes users with Windows NT
users, see the chapter “Using Domino With Windows Synchronization
Tools.”
Changing Notes user names with the Administration Process
When you change the name of a user, the Administration Process
implements the name change by initiating requests to the affected
documents, databases, database ACLs, and Extended ACLs. In the
Domino Administrator, when you change the common name, alternate
name, or hierarchical name of a user, you “rename” them. Using rename,
you can change the name of one or more users in the following ways:
• Change a user’s common or alternate name
• Add an alternate name to a user if one is not yet assigned
• Move a user to a new hierarchy
• Upgrade a user name from flat to hierarchical
Administration Process requirements
In order for the Administration Process to facilitate the name changes,
the databases must have an assigned administration server.
In addition, the certifier ID you use and any ancestor of the certifier must
have a Certifier document in the Certificates view of the Domino
Directory. For example, if you use the certifier ID for
/Sales/NYC/ACME, the Domino Directory must contain Certifier
documents for /ACME, /NYC/ACME, and /Sales/NYC/ACME.
For more information on assigning an administration server, see the
chapter “Setting Up the Administration Process.”
For more information on certifiers, see the chapter “Deploying Domino.”
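The ancestor requirement above, together with the “move a user to a new hierarchy” rename listed earlier, can be checked before any request is submitted. This is an added example, not part of Domino or of this documentation; it models the Certificates view as a set of certifier names, uses the slash form of names shown on the page, and compares names case-sensitively for simplicity.

```python
from typing import List, Set


def normalize_certifier(certifier: str) -> str:
    """Canonical slash form: 'Sales/NYC/ACME' and '/Sales/NYC/ACME' both
    become '/Sales/NYC/ACME'."""
    parts = [p.strip() for p in certifier.split("/") if p.strip()]
    if not parts:
        raise ValueError("empty certifier name")
    return "/" + "/".join(parts)


def certifier_ancestors(certifier: str) -> List[str]:
    """Every name the Administration Process needs a Certifier document for,
    from the organization down to the certifier itself:
    /Sales/NYC/ACME -> ['/ACME', '/NYC/ACME', '/Sales/NYC/ACME']."""
    parts = normalize_certifier(certifier).lstrip("/").split("/")
    return ["/" + "/".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)]


def missing_certifier_documents(certifier: str, documents: Set[str]) -> List[str]:
    """Ancestors without a Certifier document in the Certificates view,
    modelled here as a set of names."""
    have = {normalize_certifier(d) for d in documents}
    return [name for name in certifier_ancestors(certifier) if name not in have]


def move_to_hierarchy(user_name: str, old_certifier: str, new_certifier: str) -> str:
    """Joe Smith/Sales/NYC/ACME moved from /Sales/NYC/ACME to /Service/NYC/ACME
    becomes Joe Smith/Service/NYC/ACME; everything in front of the old
    certifier (common name and any qualifying org. unit) is kept. The
    leading '/' in the comparison keeps /Wholesales/... from matching /Sales/..."""
    old = normalize_certifier(old_certifier)
    if not user_name.endswith(old) or user_name == old:
        raise ValueError(f"{user_name} is not certified by {old}")
    return user_name[:-len(old)] + normalize_certifier(new_certifier)


def rename_problems(user_name: str, old_certifier: str, new_certifier: str,
                    documents: Set[str]) -> List[str]:
    """Pre-flight checks for a hierarchy move: the user must really be under
    the old certifier, and the certifier issuing the new certificate (plus
    all of its ancestors) must have Certifier documents."""
    problems = []
    try:
        move_to_hierarchy(user_name, old_certifier, new_certifier)
    except ValueError as exc:
        problems.append(str(exc))
    for name in missing_certifier_documents(new_certifier, documents):
        problems.append(f"no Certifier document for {name}")
    return problems


if __name__ == "__main__":
    # Constructed Certificates view: /Service/NYC/ACME has no document yet.
    view = {"/ACME", "/NYC/ACME", "/Sales/NYC/ACME"}
    print(move_to_hierarchy("Joe Smith/Sales/NYC/ACME",
                            "/Sales/NYC/ACME", "/Service/NYC/ACME"))
    print(rename_problems("Joe Smith/Sales/NYC/ACME",
                          "/Sales/NYC/ACME", "/Service/NYC/ACME", view))
```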
Viewing user name change requests
To review the administration requests that are generated when renaming
a user name, open the Administration Request (ADMIN4.NSF) database
in your Domino Directory.
For more information on processing renaming requests in the
Administration Requests database, see the topic “Changing Notes user
names with the Administration Process” in this chapter.
Notifying users of changes to private design elements during a
name change
You can enable an agent that sends to the user an e-mail message
notifying the user of a name change and containing links to databases in
which the user created or modified design elements such as a folder or
view. To update the private design elements with the user’s new name,
the user must then open the database via the database links in the e-mail
notification. This update to the user name allows the user to maintain
access to their own private design elements. Enable the Mail Notification
agent from within the administration requests database (ADMIN4.NSF).
Note The AdminP Mail Notification agent runs only on Domino Release
5.05 or more recent servers and sends e-mail to Notes Release 5.05 or
more recent clients.
1. From the Domino Administrator, click Server - Analyses.
2. Click Administration Requests (6).
3. Locate the administration request to rename the user and then open
the request.
4. Choose Actions - Enable/Disable User Notification. The agent is
enabled and automatically sends to the user an e-mail message
containing links to databases in which the user created or modified
design elements such as a folder or view.
5. Click OK.
Troubleshooting name changes
The public key in the Person document must match the one on the user
ID. If a public key has been changed or corrupted in some way, you see
this message in the Administration Requests database: “The name to act
on was not found in the Address Book.”
For more information on correcting this problem, see the chapter “Setting
Up the Administration Process.”
Renaming a Notes user’s common or alternate name
Use this procedure to make any of the following changes to a user or to
more than one user name:
• Change the common name
• Change or add an alternate name
• Delete the alternate name
• Synchronize the name change between Notes and Windows NT, or Notes and
Active Directory
When a user is renamed, the user’s Internet address often needs to be
changed accordingly. You can change a user’s Internet address as part of
a change to the user’s common or alternate name, but you cannot use this
rename procedure to change only the Internet address. If you attempt to
use this procedure to change only a user’s Internet address, you will
generate an error.
For more information on changing only a user’s Internet address, see the
topic “Changing a user’s Internet address” in this chapter.
For information on using an agent to notify a user of changes to private
design elements during a name change, see the topic “Changing Notes
user names with the Administration Process” in this chapter.
Note To use the Domino alternate name functionality, Domino R5.0.2 or
later must be running on all servers involved with the name change, the
user’s workstation, and the administrator’s workstation.
To rename a user's common name
1. To rename a user, you must have:
• Editor with Create documents access, or UserModifier role to the
Domino Directory
• At least Author with Create documents access to the Certification Log
2. From the Domino Administrator, click the People & Groups tab.
3. Click People and select a user name.
4. From the tools pane, click People - Rename.
5. In the Rename Selected Notes People dialog box, verify the number
of days you want to honor the old name. The default is 21 days. You
can change that value if desired.
6. Click “Change Common Name.”
7. In the “Choose a Certifier” dialog box, do the following:
Field Action
Server: Do one of these:
• If you are using the Lotus Domino 6 server-based CA, choose the server
that is used to access the Domino Directory to look up the list of
certifiers.
• If you are supplying a certifier ID, select the server that is used to
locate the list of certifiers so that the Certifier ID file can be
updated with the latest set of certificates for itself and all of its
ancestors. This is also the server on which CERTLOG.NSF is updated.
Use the CA process: Choose this option if you have configured the Lotus
Domino 6 server-based CA.
• Select a CA-configured certifier from the list and click OK.
Supply certifier ID and password: Choose this option if you are using a
certifier ID and password.
• Choose the certifier ID that certified the user’s ID and click Open. For
example, to rename Joe Smith/Sales/NYC/ACME, use the certifier ID named
SALES.ID.
• Click “Certifier ID” to select an ID other than the one displayed.
• Enter the password for the certifier ID and click OK.
Field Action
New Primary Name Information
First, Middle, and Last Name: This is the name with which the user was
registered. Make changes to the user’s name as appropriate.
Qualifying Org. Unit: (Optional) A name to differentiate this user from
another user with the same user name, certified by the same certifier.
This adds a differentiating component that appears between the common
name and the certifier name.
Short Name: (Optional) Created at registration, the default is first
initial, last name. You can change this name. It does not change
automatically based on changes to the primary name fields. You must make
this change manually.
Internet Address: (Optional) Created at registration, the default is first
initial, last name. You can change this name. It does not change
automatically based on changes to the primary name fields. You must make
this change manually.
Rename Windows NT User Account: Available to Windows NT User Manager only.
Check this box if you want to synchronize the name change in both the
Domino Notes and Windows NT or Active Directory account.
Complete this step only if the user has an alternate name or if you
are assigning alternate names. If you are not working with alternate
names, skip this step and go to Step 11.
Field Action
Old Certifier: Verify the information. If it is incorrect, cancel the
procedure and begin again.
New Certifier: Enter or select the new certifier. This is the name
hierarchy that issues a certificate for the user in the new hierarchy.
For example, to certify Joe Smith from /Sales/NYC/ACME into
/Service/NYC/ACME, enter /Service/NYC/ACME or select from the list.
Edit or inspect each entry before submitting request: Selected by default.
Do one:
• Keep selected. The Rename Person dialog box appears with non-modifiable
fields of Primary and Alternate Name information. Review the information
for accuracy. Go to Step 9.
• If you do not want to verify each entry, clear the check box. Review the
processing information that displays to verify that all name changes were
successful. If any fail, check the Certifier Log to determine the reason
for the failure. Go to Step 10, then complete the procedure “To approve
the name change.”
Field Action
Certifier: The name hierarchy of the certifier that will issue the new
certificate (non-modifiable).
New certificate expiration date: (Optional) Specify a certifier ID
expiration date other than the default two years from the current date.
Edit or inspect each entry before submitting request: Selected by default.
You can remove the check mark if you do not want to verify the entries.
Field Action
New Primary Name Information
First, Middle, and Last Name: This is the name with which the user was
registered. Make changes to the user’s name as appropriate.
Qualifying Org. Unit: (Optional) A name to differentiate this user from
another user with the same user name, certified by the same certifier.
This adds a differentiating component that appears between the common
name and the certifier name.
Short Name: (Optional) Created at registration, the default is first
initial, last name. You can change this name. It does not change
automatically based on changes to the primary name fields. You must make
this change manually.
Internet Address: (Optional) Created at registration, the default is first
initial, last name. You can change this name. It does not change
automatically based on changes to the primary name fields. You must make
this change manually.
Rename Windows NT User Account: Available to Windows NT User Manager or
Active Directory users only. Check this box if you want to synchronize the
name change in both the Domino Notes and Windows NT or Domino Notes and
Active Directory accounts.
Field Action
Where should the user’s roaming files be stored?: Choose one:
• Store on user’s mail server — Places the user’s roaming files on the
user’s mail server. (The user’s mail server was designated during user
registration.)
• Roaming Server — Click the button to specify the server on which you
want to store the user’s roaming files.
• Store user ID in personal address book — (Optional) Places the user’s
ID in their own local personal address book.
User’s personal roaming folder: Choose one:
• Base folder — Name of the folder in which to store the user’s roaming
files. By default the user’s base folder is located in the Domino\data
directory. For example, if you want the base folder to be called Roaming
for all your roaming users, enter Roaming to create the
Domino\data\Roaming directory.
• Sub-folder format — The format to use when naming the roaming user’s
personal subfolder. By default this is the user’s short name format. You
can change this format if desired and you can optionally choose a
separator character. A personal folder (subfolder) is created in the Base
folder for each user you upgrade to roaming user.
If folder exists: Choose one:
• Skip person — if a folder already exists.
• Generate folder name — to create a new folder.
Field Action
Roaming user client clean up options: Choose one:
• Do not cleanup — No cleanup is performed on roaming user files.
• Cleanup every <number> days — Specify a number between 0 and 365.
• Cleanup at Notes shutdown — Cleans up files when Notes is shut down.
• Prompt user — The user is prompted on exiting the client as to whether
they want to clean up their personal files. If the user chooses Yes, the
data directory on that client workstation is deleted. If the user chooses
No, the user is prompted as to whether they want to be asked again on that
client. If the user chooses No, the user is not prompted again. If the
user chooses Yes, the user is prompted again the next time the user exits
the client on that workstation.
Field Enter
What should happen with the user’s mail database(s)?: Choose the
appropriate option(s):
• Do not delete the mail database — to delete the Person document but
leave the user’s mail files intact.
• Delete the mail database on the user’s home server — to delete mail
files on the user’s home server only.
• Delete mail replicas on all other servers — this option is active only
if Delete the mail database on the user’s home server was chosen. This
option deletes all mail database replicas on other servers.
Add deleted user to Deny Access Group (This option is active only if one
or more groups of type Deny Access exists.): To deny a user access to
servers immediately:
1. Click Groups.
2. Select a Deny Access Group from the list.
3. Click OK.
Delete user’s Windows NT/2000 account, if existing: Select this option to
delete the corresponding user account in Windows NT or Windows 2000
Active Directory.
Delete user from this Domino Directory immediately: Select this option to
remove the account from the Domino Directory immediately, while
initiating Administration Process requests to remove the user’s name from
ACLs, Names fields, etc.
Note If you choose to delete a user’s mail file, you must have at least
Editor with delete documents access to the Administration Requests
database and delete documents access to the Domino Directory.
6. Click OK.
For more information on shared mail databases, see the chapter “Setting
Up Shared Mail.”
To approve the mail file deletion
If you chose to delete any mail databases, including replicas, you must
approve the requests in the Administration Requests (ADMIN4.NSF)
database.
1. From the Domino Administrator, choose Server - Analysis -
Administration Requests (R6).
2. Select the Pending Administrator Approval view.
3. Depending on your choices when you deleted the user name, do one
of the following:
   • If you are certain that you want to approve one or more requests
     without looking at detail information for those requests, select the
     request, click Approve Selected Requests, and then click OK.
   • If you would like to see detail on one or more requests before
     approving the deletion, select and open the request, click Edit
     Request, review the detail information, then choose Approve Replica
     Deletion or Reject Replica Deletion.
4. Click Save and Close.
Deleting a user name with the Web Administrator
You can delete user names via the Web Administrator, as well as from
the Domino Administrator. Review the introductory information in the
procedure “Deleting a user name with the Domino Administrator”
before initiating this procedure.
1. Make sure you have the following before you begin deleting user
names:
   • At least Author access and “Delete documents” privileges in the
     Domino Directory.
2. From the Domino Web Administrator, click the People & Groups tab.
3. Click People and select the user names you are deleting.
4. From the tools pane, click People - Delete.
Setting Up and Managing Notes Users 5-75
Configuration
5. Complete these fields:
Field Enter
What should happen with the user’s mail database(s)?
  Choose the appropriate option(s):
  • Do not delete the mail database - to delete the Person document but
    leave the user’s mail files intact.
  • Delete the mail database on the user’s home server - to delete mail
    files on the user’s home server only.
  • Delete mail replicas on all other servers - this option is active only
    if “Delete the mail database on the user’s home server” was chosen.
    This option deletes all mail database replicas on other servers.
Add user to Deny Access Group (This option is active only if one or more
groups of type Deny Access exist.)
  To deny a user access to servers immediately:
  1. Click Groups.
  2. Select a Deny Access Group from the list.
  3. Click OK.
Delete user’s Windows domain account
  Select this option to delete the user’s corresponding Windows domain
  account.
Delete user from this Domino Directory immediately
  Select this option to remove the account from the Domino Directory
  immediately, while initiating Administration Process requests to remove
  the user’s name from ACLs, Names fields, etc.
Field Action
Server
  Do one of these:
  • If you are using the Lotus Domino 6 server-based CA, choose the server
    that is used to access the Domino Directory to look up the list of
    certifiers.
  • If you are supplying a certifier ID, select the server that is used to
    locate the list of certifiers so that the Certifier ID file can be
    updated with the latest set of certificates for itself and all of its
    ancestors. This is also the server on which CERTLOG.NSF is updated.
Use the CA process
  Choose this option if you have configured the Lotus Domino 6 server-based
  CA.
  • Select a CA configured certifier from the list and click OK.
Supply certifier ID and password
  Choose this option if you are using a certifier ID and password.
  • Choose the certifier ID that certified the user’s ID and click Open.
    For example, to rename Joe Smith/Sales/NYC/ACME, use the certifier ID
    named SALES.ID.
  • Click “Certifier ID” to select an ID other than the one displayed.
  • Enter the password for the certifier ID and click OK.
Field Action
New certificate expiration date
  (Optional) Specify a certifier ID expiration date other than the default
  two years from the current date.
Only renew certificates that will expire before
  (Optional) Enter a date to recertify only a subset of selected user IDs,
  according to their current expiration dates.
Edit or inspect each entry before submitting request
  (Optional) Select the option to edit or inspect each entry before
  submitting the request if you want to view each certificate before it is
  renewed.
7. If you selected the option to view each entry prior to its being
submitted, the Recertify Person dialog box appears with
non-modifiable information in the primary and common name fields.
Review the information that displays, then select one of the
following:
   • OK - to submit the name change.
   • Skip - if you are recertifying more than one user ID and you want to
     continue to the next without submitting a recertification for the
     current name.
   • Cancel Remaining Entries - to cancel this recertification, as well as
     those for any other names you selected and have not yet submitted.
8. When the Processing Statistics dialog box appears, review the
information to verify that all name changes have succeeded. Click
OK. If any fail, check the Certifier Log (CERTLOG.NSF) to determine
the reason for the failure.
Recertifying a certifier ID or a user ID
Use this procedure to recertify a certifier ID or a user ID with the same
certifier ID that was used previously to certify the certifier ID or user ID.
Certifier IDs are used to certify other certifiers, servers, and users. A
certifier ID issues a certificate to another user, server or certifier that is on
the hierarchical level immediately below the certifier. For example, in the
Organizational Unit Sales/NYC/ACME, NYC is the certifier for Sales;
ACME is the certifier for NYC. The Organization certifier, in this case
ACME, can certify itself.
You can also recertify a user ID with a different certifier ID, that is, a
certifier ID other than the one used to previously certify the user ID.
Although recertifying a user ID with a different certifier is allowed, it is
not recommended that you do so using this procedure. In this case, you
are renaming the user, which is a very complex process involving
changes to ACLs for various databases, changes to lists of group
members, and other related entries. Recertifying a user ID with a
different certifier does not invoke the Administration Process, so all
changes need to be made manually. To recertify a user with a different
certifier ID, we recommend using the Rename tool, and requesting a
move to a new certifier — see the topic “Moving a user name in the name
hierarchy” earlier in this chapter.
5-82 Administering the Domino System, Volume 1
When you recertify an ID you can:
• Provide a new expiration date for certificates about to expire
• Add a new alternate name to the certifier ID
• Change the minimum password quality
Types of IDs you can recertify
You can recertify any of the following types of IDs:
• Organizational unit
• Server
• User
• Organization certifier (when it is used to certify itself)
For more information on certifier IDs, see the chapter “Deploying
Domino.”
To recertify a certifier ID or a user ID
1. From the Domino Administrator, click Configuration.
2. From the tools pane, click Certification - Certify.
3. In the “Choose a Certifier” dialog box, make the following selections:
Field Action
Server
  Do one of these:
  • If you are using the Lotus Domino 6 server-based CA, choose the server
    that is used to access the Domino Directory to look up the list of
    certifiers.
  • If you are supplying a certifier ID, select the server that is used to
    locate the list of certifiers so that the Certifier ID file can be
    updated with the latest set of certificates for itself and all of its
    ancestors. This is also the server on which CERTLOG.NSF is updated.
Supply certifier ID and password
  Choose the certifier ID that issued the original certificate. For
  example, to recertify the certifier ID for /Sales/NYC/ACME, choose the
  /NYC/ACME certifier ID, which is NYC.ID.
  • Click “Certifier ID” to select an ID other than the one displayed.
  • Enter the password for the certifier ID and click OK.
  Note Although not recommended, you can choose a different certifier ID
  to recertify a user ID, instead of using the original certifying ID.
Use the CA process
  Choose this option to use the server-based certification authority (CA).
  • Select a CA-configured certifier from the list and click OK.
Field Enter
Current Server
  The registration server for the current certifier ID. (nonmodifiable)
Current certifier
  The name hierarchy of the certifier that issued the certificate.
  (nonmodifiable)
Expiration date
  (Optional) Specify a certifier ID expiration date other than the default
  two years from the current date.
Primary key
  Public half of the primary RSA key pair stored in the Notes ID file. This
  RSA key pair is used for electronic signatures on documents and
  certificates, and on mail encryption when both the sender and the
  recipient have a North American Notes license. This key pair is also
  used for network authentication. (nonmodifiable)
International key
  The public half of the international RSA key pair. This key pair is used
  for mail encryption when either the sender or the recipient is running
  with an International Notes license. (nonmodifiable)
Subject name list
  Certifier ID(s) you are working with.
Add
  Click to add and certify an alternate name. Select the alternate
  language, country code (optional), and the organization identifier for
  the language.
Rename
  Rename the alternate name selected in the Subject name list. This button
  is not available when recertifying user IDs. This button is enabled only
  when alternate languages have been assigned.
Remove
  Removes the alternate name selected in the Subject name list.
Password quality
  Move the slider to change the level of complexity and variety of
  characters entered for the password.
Chapter 6
Setting Up and Managing Groups
This chapter describes how to create and manage groups.
Using groups
Groups are lists of users, groups, and servers that have common traits.
They are useful for mailing lists and access control lists. Using groups
can simplify administration tasks. For example, if you create a group
called “Terminations” that lists all former employees, you can enter the
Terminations group name in the “Not access” field in the Server Access
section of the Security tab on each Server document. When an employee
leaves the company, you add the employee’s name to the Terminations
group and then force replication of the Domino Directory to prevent the
employee from having access to all servers in the domain. Using a
Terminations group saves you the time and effort of manually adding
individual employee names to each Server document when employees
leave the company.
To create a group, you create a Group document in the Domino
Directory. You can add registered users to the group as you create the
Group document and you can add new users to a group as you register
them. There is no limit to the number of names that you can add to a
group. However, the total number of characters used for names in the
group cannot exceed 15KB. To keep groups manageable, split a large list
of users into two or more groups.
By default, the Domino Directory contains two groups:
LocalDomainServers and OtherDomainServers. LocalDomainServers
includes all servers in the current domain. Domino automatically adds
servers that you register in the current domain to the
LocalDomainServers group. OtherDomainServers includes all servers
that are not in the current domain. For example, OtherDomainServers
might include the names of servers in other companies with which your
company communicates. If you set up a connection to a server in another
company or domain, add the server name to the OtherDomainServers
group.
A third group, LocalDomainAdmins, may reside in the Domino
Directory if the “Add LocalDomainAdmins group to all databases and
templates” check box was selected during first server setup for a domain.
The LocalDomainAdmins group contains names of the domain
administrators.
Each group must have an owner — usually an administrator or database
manager.
Creating and modifying groups
Create and modify groups from the Domino Administrator. You can nest
one or more groups within an existing group, that is, create a group and
then add one or more existing groups as members of the new group. For
mail-routing, you can nest up to five levels of groups. For all other
purposes, you can nest up to six levels of groups. You can also use the
Web Administrator to create and modify groups.
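The two limits described above, the 15KB cap on member names in one group and the nesting limits of five levels for mail routing and six for everything else, can be checked before a Group document is saved. The following script is an added example and not code from the Domino manual or from IBM. It works on a constructed in-memory map of group names to member names (assumed to have been exported from the Domino Directory by other means), treats any member that is itself a group name as a nested group, and assumes one separator character per name when estimating the 15KB total.

```python
"""Audit Domino group nesting depth and member-list size.

Added example, not from the Domino manual or from IBM. It checks the limits
the text describes over a constructed, in-memory set of Group documents:
the 15KB cap on characters used for member names in one group, and the
nesting limits of 5 levels for mail routing and 6 for all other purposes.
"""
from typing import Dict, List, Optional, Tuple

MAX_MEMBER_CHARS = 15 * 1024  # 15KB limit on names in one group (manual)
MAX_MAIL_NESTING = 5          # nested group levels allowed for mail routing
MAX_OTHER_NESTING = 6         # nested group levels allowed for other purposes

# Constructed sample directory: group name -> member names. A member that is
# itself a key of this map is a nested group; anything else is a user.
GROUPS: Dict[str, List[str]] = {
    "AllStaff": ["Sales", "Engineering", "Terminations"],
    "Sales": ["SalesEast", "SalesWest"],
    "SalesEast": ["Joe Smith/Sales/NYC/ACME"],
    "SalesWest": ["Ann Lee/Sales/SFO/ACME", "SalesEast"],
    "Engineering": ["Dev", "QA"],
    "Dev": ["Platform"],
    "Platform": ["Kernel"],
    "Kernel": ["Drivers"],
    "Drivers": ["Firmware"],
    "Firmware": ["Boards"],
    "Boards": ["Pat Roe/Eng/ACME"],
    "QA": ["Engineering"],  # constructed cycle: QA -> Engineering -> QA
    "Terminations": ["Ex One/ACME"],
}


def member_chars(members: List[str]) -> int:
    """Characters consumed by the member names. Counting one separator per
    name is an assumption; the manual only states the 15KB cap."""
    return sum(len(m) + 1 for m in members)


def split_members(members: List[str],
                  limit: int = MAX_MEMBER_CHARS) -> List[List[str]]:
    """Greedily split an oversized member list into chunks that each fit
    under `limit`, the manual's advice for keeping groups manageable."""
    chunks: List[List[str]] = []
    current: List[str] = []
    for m in members:
        if current and member_chars(current + [m]) > limit:
            chunks.append(current)
            current = []
        current.append(m)
    if current:
        chunks.append(current)
    return chunks


def nesting_depth(groups: Dict[str, List[str]], name: str,
                  path: Optional[List[str]] = None) -> Tuple[int, List[List[str]]]:
    """Return (levels of groups nested below `name`, cycles found).
    A group whose members are all users has depth 0; a group that contains
    another group has depth 1 + that group's depth. Revisiting a group on
    the current path is reported as a cycle instead of recursing forever."""
    path = path or []
    if name in path:
        return 0, [path[path.index(name):] + [name]]
    depth, cycles = 0, []
    for m in groups.get(name, []):
        if m in groups:
            d, c = nesting_depth(groups, m, path + [name])
            depth = max(depth, d + 1)
            cycles.extend(c)
    return depth, cycles


def audit(groups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return findings keyed by group name; groups with no findings are
    omitted, so an empty dict means the directory is clean."""
    findings: Dict[str, List[str]] = {}
    for g, members in groups.items():
        notes = []
        if member_chars(members) > MAX_MEMBER_CHARS:
            notes.append("member names exceed 15KB; split the group")
        depth, cycles = nesting_depth(groups, g)
        if depth > MAX_OTHER_NESTING:
            notes.append(f"nesting depth {depth} exceeds {MAX_OTHER_NESTING}")
        elif depth > MAX_MAIL_NESTING:
            notes.append(f"nesting depth {depth} exceeds the mail-routing "
                         f"limit of {MAX_MAIL_NESTING}")
        for cyc in cycles:
            notes.append("cycle: " + " -> ".join(cyc))
        if notes:
            findings[g] = notes
    return findings


if __name__ == "__main__":
    for group, notes in audit(GROUPS).items():
        print(group)
        for n in notes:
            print("   ", n)
```

On the sample data, AllStaff is reported at depth 7 (over the limit for every use), Engineering at depth 6 (acceptable for ACLs, too deep for mail routing), and the QA/Engineering loop is reported as a cycle rather than sending the audit into infinite recursion.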
Creating a group with the Domino Administrator
1. Make sure that you have Editor access or Author access with the
GroupCreator role in the Domino Directory.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, select the server to work from.
4. Select Domino Directories, and then select Groups - Add Group.
5. Complete these fields on the Basics tab:
Field Action
Group name
  Enter a name for the group, using any of these characters: A - Z, 0 - 9,
  & - . _ ’ (ampersand, dash, period, space, underscore, and apostrophe)
  for the name. A group name can be a maximum of 62 characters in length.
  For easier administration, use a name without spaces. Do not use a name
  that is in use as the name of an organizational unit in the hierarchical
  name scheme.
  Note Do not create group names containing a / (slash) unless you are
  working in a hosted environment. Using the / in group names in a
  non-hosted environment causes confusion with hierarchical naming
  schemes. Hierarchical names are required in a hosted environment.
Group type
  Select a group type. The group type specifies the purpose of the group
  and determines the views in the Domino Directory where the group name
  appears. For example, mailing list groups appear in the Mail Users view,
  and access control groups appear in the Access Control view. Using
  specific group types improves performance by reducing the size of view
  indexes in the Domino Directory.
  • Multi-purpose — Use for a group that has multiple purposes — for
    example, mail, ACLs, and so on. This is the default.
  • Access Control List only — Use for server and database access
    authentication only.
  • Mail only — Use for mailing list groups.
  • Servers only — Use in Connection documents and in the Domino
    Administration client’s domain bookmarks for grouping.
  • Deny List only — Use to control access to servers. Typically used to
    prevent terminated employees from accessing servers, but this type of
    group can be used to prevent any user from accessing particular
    servers. The Administration Process cannot delete any member of the
    group.
Owners
  Add an owner name or modify the list of group owners.
Administrators
  Add an administrator name or modify the list of group administrators.
Allow foreign directory synchronization
  Choose one:
  • Yes — To allow synchronization between a post office directory, such
    as the cc:Mail post office directory or a Microsoft Exchange Address
    Book, and the Domino Directory.
  • No — To prevent synchronization between a post office directory, such
    as the cc:Mail post office directory or a Microsoft Exchange Address
    Book, and the Domino Directory.
Field Action
Group name
  Enter a name for the group, using any of these characters: A - Z, 0 - 9,
  & - . _ ’ (ampersand, dash, period, space, underscore, and apostrophe)
  for the name. A group name can be a maximum of 62 characters in length.
  For easier administration, use a name without spaces. Do not use a name
  that is in use as the name of an organizational unit in the hierarchical
  name scheme.
  Note Do not create group names containing a / (slash) unless you are
  working in a hosted environment. Using the / in group names in a
  non-hosted environment causes confusion with hierarchical naming
  schemes. Hierarchical names are required in a hosted environment.
Group type
  Select a group type. The group type specifies the purpose of the group
  and determines the views in the Domino Directory where the group name
  appears. For example, mailing list groups appear in the Mail Users view,
  and access control groups appear in the Access Control view. Using
  specific group types improves performance by reducing the size of view
  indexes in the Domino Directory.
  • Multi-purpose — Use for a group that has multiple purposes — for
    example, mail, ACLs, and so on. This is the default.
  • Access Control List only — Use for server and database access
    authentication only.
  • Mail only — Use for mailing list groups.
  • Servers only — Use in Connection documents and in the Domino
    Administration client’s domain bookmarks for grouping.
  • Deny List only — Use to control access to servers. Typically used to
    prevent terminated employees from accessing servers, but this type of
    group can be used to prevent any user from accessing particular
    servers. The Administration Process cannot delete any member of the
    group.
Category
  (Optional) Choose a Category if you have created any. Use the category
  field to categorize groups in any way that you need to.
Description
  (Optional) Enter a description of the group in the Description field.
Mail Domain
  Enter the Domino domain in which this group’s mail address will reside
  in the Mail Domain field.
Internet address
  Enter the Internet e-mail address for this group in the Internet Address
  field.
Members
  Click the arrow to the right of the Members field, select users,
  servers, or groups to add, click Add, and then click OK.
Owners
  Add an owner name or modify the list of group owners.
Administrators
  Add an administrator name or modify the list of group administrators.
Allow foreign directory synchronization
  Choose one:
  • Yes — To allow synchronization between a post office directory, such
    as the cc:Mail post office directory or a Microsoft Exchange Address
    Book, and the Domino Directory.
  • No — To prevent synchronization between a post office directory, such
    as the cc:Mail post office directory or a Microsoft Exchange Address
    Book, and the Domino Directory.
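The Group name rules in the tables above (allowed characters, the 62-character maximum, no slash outside a hosted environment, no clash with an organizational unit name, and the recommendation to avoid spaces) can be enforced before an administrator saves the document. The following validator is an added example and not code from the Domino manual or from IBM. It assumes lower-case letters are accepted alongside A - Z, that the apostrophe in the printed character list is the ASCII one, and that the organizational-unit names to avoid are supplied by the caller; here they are extracted from a constructed list of hierarchical user names.

```python
"""Check a proposed group name against the Group name rules in the table.

Added example, not code from the Domino manual or from IBM. Assumptions:
lower-case letters are accepted alongside A - Z, the apostrophe is the
ASCII one, and the organizational-unit names to avoid are supplied by the
caller (here extracted from a constructed list of hierarchical names).
"""
import re
from typing import Iterable, List, Set

# A - Z, 0 - 9, ampersand, dash, period, space, underscore, apostrophe.
ALLOWED = re.compile(r"[A-Za-z0-9&\-. _']")
MAX_LEN = 62


def ou_names(hierarchical_names: Iterable[str]) -> Set[str]:
    """Collect organizational-unit components from hierarchical names such
    as Joe Smith/Sales/NYC/ACME (here: Sales and NYC; the first component
    is the common name and the last is the organization)."""
    ous: Set[str] = set()
    for name in hierarchical_names:
        parts = [p for p in name.split("/") if p]
        ous.update(p.lower() for p in parts[1:-1])
    return ous


def validate_group_name(name: str, existing_ous: Set[str],
                        hosted: bool = False) -> List[str]:
    """Return the problems with `name`; an empty list means it is acceptable.
    Recommendations rather than rules are prefixed with 'warning:'."""
    problems: List[str] = []
    if not name:
        return ["empty name"]
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if "/" in name and not hosted:
        problems.append("contains '/', which collides with hierarchical "
                        "naming outside a hosted environment")
    # The slash is only legitimate in a hosted environment (reported above
    # when it is not); every other character must come from the allowed set.
    bad = sorted({c for c in name if c != "/" and not ALLOWED.fullmatch(c)})
    if bad:
        problems.append("disallowed characters: "
                        + " ".join(repr(c) for c in bad))
    if name.lower() in existing_ous:
        problems.append("matches the name of an organizational unit")
    if " " in name:
        problems.append("warning: contains spaces; a name without spaces is "
                        "easier to administer")
    return problems


# Constructed sample of hierarchical user names already in the directory.
SAMPLE_USERS = ["Joe Smith/Sales/NYC/ACME", "Ann Lee/Sales/SFO/ACME"]

if __name__ == "__main__":
    ous = ou_names(SAMPLE_USERS)
    for candidate in ["Terminations", "Sales", "Sales Team", "Sales#1",
                      "ACME/Sales", "x" * 63]:
        print(repr(candidate), validate_group_name(candidate, ous) or "ok")
```

The OU comparison is case-insensitive because Domino name matching is not case-sensitive in the cases that matter for ACL confusion; the slash is handled separately from the character set so that a hosted environment, where hierarchical group names are required, is not flagged for a character that is legitimate there.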
Field Action
Selected
  Non-modifiable field. Displays the name of the selected directory and
  the server on which the directory resides.
For:
  Non-modifiable field. Displays the number of groups you have selected.
  This field is blank prior to finalizing the assignment of a policy.
Users with an existing policy
  Non-modifiable field. Displays the number of users in the selected
  groups who already have policies applied to them. Prior to finalizing
  the assignment of the policy, this field displays “Unknown.” After the
  policy is applied, this field displays a value.
Policy
  Choose an explicit policy from the list. If this field displays “None
  Available,” you have not created any explicit policies that can be
  applied to a group.
Allow replacement of policies
  Click this check box to allow policies that have already been applied to
  users in the selected groups to be replaced by the policy you are now
  assigning.
View Policy Synopsis
  Click this check box only if you are also assigning an organizational
  policy to the selected groups. A policy synopsis is composed of an
  explicit policy and an organizational policy. The synopsis shows the net
  effect of the two policies.
  When you click this check box, the Choose Organizational Policy dialog
  box opens. Choose the Organizational policy that applies and click OK.
  The Policy Synopsis document appears.
Perform updates in background
  Click this check box to update the group settings in the background,
  according to what is specified in the policies. Performing all updates
  in the background allows you to continue using the Domino Administrator
  client while updates are being performed. Updates are done directly to
  the Domino Directory without using the Administration Process.
5. Click OK.
Editing a group
Use this procedure to edit any of the group attributes that are listed on
the Group document in the Domino Directory. You can modify the group
name, group type, description, group membership, group owner,
administrator, and specify whether foreign directory synchronization is
allowed. Foreign directory synchronization allows synchronization
between a post office directory, such as the cc:Mail post office directory
or a Microsoft Exchange Address Book, and the Domino Directory.
With group renaming, there isn’t any tolerance for simultaneous
occurrences of the new and old names while the name change makes its
way across databases in the domain. For example, if a group name
changes in the Domino Directory before it has a chance to change in a
database ACL, the old group name in the database ACL is invalid. (This
limitation doesn’t occur with user and server renaming.) As a
workaround, you can initiate the group rename action during non-peak
work hours — for example, during the weekend — or you can
immediately process the requests, rather than waiting for the changes to
occur according to Administration Process schedules.
To edit a group
1. To edit a group, you must have:
   • Editor with Create documents access, or the UserModifier role to the
     Domino Directory
   • At least Author with Create documents access to the Certification
     Log
2. From the Domino Administrator, click the People & Groups tab.
3. Select Domino Directories, and then select Groups.
4. Select the group that you want to edit, and click Edit Group.
5. Make changes to any of the following fields on the Basics tab:
Field Action
Group name
  Enter a name for the group, using any of these characters: A - Z, 0 - 9,
  & - . _ ’ (ampersand, dash, period, space, underscore, and apostrophe)
  for the name. A group name can be a maximum of 62 characters in length.
  For easier administration, use a name without spaces. Do not use a name
  that is in use as the name of an organizational unit in the hierarchical
  name scheme.
  Note Do not create group names containing a / (slash). Using the / in a
  group name causes confusion with hierarchical naming.
Group type
  Select one of these:
  • Multi-purpose — Use for a group that has multiple purposes — for
    example, mail, ACLs, and so on. This is the default.
  • Access Control List only — Use for server and database access
    authentication only.
  • Mail only — Use for mailing list groups.
  • Servers Only — Use in Connection documents and in the Domino
    Administration client’s domain bookmarks for grouping.
  • Deny List only — Use to control access to servers. Typically used to
    prevent terminated employees from accessing servers, but can be used
    to prevent any user from accessing particular servers. The
    Administration Process cannot delete any member of the group.
Category
  (Optional) Select a category to which you are adding the group and click
  OK. The Category field can be used to categorize your groups in any
  manner that you want. If the category that you want to use is not listed
  in the dialog box, add the category name in the New Keyword field and
  click OK.
Description
  Enter a description of the group.
Mail Domain
  Enter the name of the mail domain for the group. This is especially
  useful for enterprises that have more than one mail domain.
Internet Address
  Enter the Internet address that applies to the group.
Members
  Add or remove group members. Type a member name in the field or
  double-click this field to open the Select Names dialog box, and then do
  any of the following:
  • Open another address book by selecting
  • Find names that begin with a specified string if you are unsure of the
    spelling or the complete name
  • Add a person or group to the group by selecting the person or group
    and clicking Add
  • Remove a group member by selecting the member in the right pane and
    clicking Remove
  • Remove all members of a group by clicking Remove All
  • Add a member to a group by clicking New, typing the member name, and
    clicking OK
  • View detailed information by selecting a person or group and clicking
    Details
  • Copy an entry from the open address book to the Local address book by
    selecting the name and clicking the Address Book icon
Owners
  Add an owner name or modify the list of group owners.
Administrators
  Add an administrator name or modify the list of group administrators.
Foreign directory synchronization allowed
  Choose one:
  • Yes — To allow synchronization between a post office directory, such
    as the cc:Mail post office directory or a Microsoft Exchange Address
    Book, and the Domino Directory.
  • No — To prevent synchronization between a post office directory, such
    as the cc:Mail post office directory or a Microsoft Exchange Address
    Book, and the Domino Directory.
(Optional) To sort the list of group members before saving the Group
document, click Sort Member List.
8. Click Save and Close.
To immediately change the name of a group throughout the domain
1. To process the “Rename Group in Address Book” request
immediately, choose the group rename action from the
administration server for the Domino Directory and then enter this
server command:
tell adminp process new
2. To immediately process the “Rename in Person Documents” request,
from the administration server for the Domino Directory, enter the
command:
tell adminp process daily
3. Replicate the modified Domino Directory and Administration
Requests database from the administration server for the Domino
Directory to all other servers in the domain.
4. To force processing of the “Rename Group in Access Control List”
and “Rename Group in Reader/Author fields” requests on each
server, on each server in the domain, enter the command:
tell adminp process all
For more information on server commands, see the appendix “Server
Commands.”
Deleting a group with the Domino Administrator or the Web
Administrator
Follow these steps to use the Administration Process to delete a group
from the Domino Directory and from database ACLs and Extended ACLs.
If the server is running Windows NT or Active Directory and contains a
group account for this group, you can delete that group account, too.
For more information about synchronizing Domino and Windows NT or
Domino and Active Directory, see the chapter “Using Domino with
Windows Synchronization Tools.”
To delete a group with the Domino Administrator
1. To delete a group, you must have at least Author with delete
documents access and the GroupModifier role, or Editor access to the
Domino Directory.
2. From the Domino Administrator, click the People & Groups tab.
3. Select the name of the group you are deleting.
4. Click Delete Group and click Yes to continue.
5. If the server is running Windows NT or Active Directory, Domino
prompts you to delete the corresponding group account from the
Windows domain. Click Yes to delete the group account.
6. Select one of the following:
   • Yes - to immediately delete all references to the group in this
     replica of the Domino Directory.
   • No - to post a “Delete in Address Book” request in the Administration
     Requests database and have the Administration Process delete
     references to the group in the Domino Directory, and database ACLs
     and Extended ACLs.
   • Cancel - to cancel the request entirely.
7. Click OK.
Tip You can also delete a group from the Tools panel using Groups -
Delete.
To delete a group with the Web Administrator
1. To delete a group, you must have at least Author with delete
documents access and the GroupModifier role, or Editor access to the
Domino Directory.
2. From the Web Administrator, click the People & Groups tab.
3. Select the name of the group you are deleting.
4. Click Tools - Groups - Delete.
5. Choose any of these options on the Delete Groups dialog box.
Field Action
Delete group from this Directory immediately.
  Click this check box to immediately delete all references to this group
  in this replica of the Domino Directory. If you do not choose this
  option, a “Delete in Address Book” request is posted in the
  Administration Requests database and the Administration Process deletes
  references to the group in the Domino Directory, database ACLs, and
  Extended ACLs.
Delete the group’s Windows domain account.
  Click this check box to delete the group’s corresponding Windows domain
  account if one exists.
6. Click OK.
7. Click Close.
Finding a group name in the domain with the Domino Administrator
or Web Administrator
Use this procedure to locate every occurrence of one or more specific
group names within a domain. This is especially useful when moving
groups to other servers or domains or when verifying that you have
completely deleted a group name from your domain.
To find a group name with the Domino Administrator
1. From the Domino Administrator, click the People & Groups tab.
2. Select one or more group name(s) that you want to locate in the
domain.
3. From the Tools pane, click Groups - Find Group(s).
4. Click Yes to initiate the Administration Request to locate all the
occurrences of the selected group(s) in the enterprise.
To find a group name with the Web Administrator
1. From the Web Administrator, click the People & Groups tab.
2. From the Tools pane, click Groups - Find Group(s).
3. Enter a group name in the Find Groups dialog box and click Send.
4. (Optional) Continue adding group names that you want to search for.
5. Click Done.
To view the log of locations
To view the log of locations where the group name(s) are located:
1. From the Domino Administrator, click Server - Analyses -
Administration Requests (6).
2. Select the view All Requests by Action and access the “Find Name in
Domain” request.
3. Double-click the request to access the Administration Process - Log
document. Locate the “Links to items found within Domino
Directory documents:” field. This field contains the links to the
Group documents located using the Find Groups action.
Using the Manage Groups tool to manage groups
The Manage Groups option on the tools pane provides a quick and easy
method for managing existing Domino groups. You can open any
Domino Directory to which you have access, and you can then add or
remove people and groups from groups as necessary. You can also view
details on groups.
To use the Manage Groups tool
1. From the Domino Administrator, click the People & Groups tab.
2. From the tools pane, click Groups - Manage.
3. Complete these fields as necessary:
Field Enter
People and Groups Look In
  The directory that you want to open. A list of all users and groups in
  the directory is displayed.
Group Hierarchies Look in
  The directory containing the group you are managing.
Show me
  Choose one:
  • All group hierarchies - To display all of the group hierarchies in the
    selected directory.
  • Only member hierarchies - To display all of the groups in which the
    selected user is a member.
List alphabetically
  Lists alphabetically all people and groups in the selected directory.
List by organization
  Lists by organization all people and groups in the selected directory.
Show group type
  • Multi-purpose — Use for a group that has multiple purposes — for
    example, mail, ACLs, and so on. This is the default.
  • Access Control List only — Use for server and database access
    authentication only.
  • Mail only — Use for mailing list groups.
  • Servers Only — Use in Connection documents and in the Domino
    Administration client’s domain bookmarks for grouping.
  • Deny List only — Use to control access to servers. Typically used to
    prevent terminated employees from accessing servers, but can be used
    to prevent any user from accessing particular servers. The
    Administration Process cannot delete any member of the group.
Note A database that doesn’t replicate should have at least one server in
its ACL to serve as the administration server for the database. This
allows the Administration Process on a server to update names in the
ACL when names in the organization change.
For more information on administration servers, see the chapter “Setting
Up the Administration Process.”
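The group types above decide where a group is honored and, for Deny List only groups, what the Administration Process leaves alone. The following Python model is added here as an illustration; it is not code from Domino or from this manual. It encodes the table's descriptions and the one rule that matters most for offboarding: a delete-person request is assumed, as the group-type description implies, to strip the name from ordinary groups, but it never touches a Deny List only group, so a terminated user stays denied. The user names, group names and the `delete_person` and `server_access` routines are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class GroupType(Enum):
    MULTI_PURPOSE = "Multi-purpose"
    ACL_ONLY = "Access Control List only"
    MAIL_ONLY = "Mail only"
    SERVERS_ONLY = "Servers only"
    DENY_LIST_ONLY = "Deny List only"


# Model of the "Show group type" descriptions (what each type is meant for;
# which uses Domino itself enforces is not modelled here).
USABLE_FOR = {
    GroupType.MULTI_PURPOSE: {"acl", "mail", "deny"},
    GroupType.ACL_ONLY: {"acl"},
    GroupType.MAIL_ONLY: {"mail"},
    GroupType.SERVERS_ONLY: {"servers"},
    GroupType.DENY_LIST_ONLY: {"deny"},
}


@dataclass
class Group:
    name: str
    gtype: GroupType
    members: set = field(default_factory=set)


def usable_for(group, purpose):
    """True if a group of this type is meant for 'acl', 'mail', 'servers' or 'deny'."""
    return purpose in USABLE_FOR[group.gtype]


def expand(group_name, groups, _seen=None):
    """Flatten nested groups into the set of user names they contain."""
    seen = _seen if _seen is not None else set()
    if group_name in seen:              # guard against a group that nests itself
        return set()
    seen.add(group_name)
    names = set()
    for member in groups[group_name].members:
        if member in groups:
            names |= expand(member, groups, seen)
        else:
            names.add(member)
    return names


def server_access(user, deny_groups, groups):
    """A user is refused when the name appears, directly or through nesting,
    in any group listed in the server's deny list."""
    return not any(user in expand(g, groups) for g in deny_groups)


def delete_person(user, groups):
    """Model of the Administration Process handling a deleted person: the name
    is removed from every group except Deny List only groups, whose members it
    never deletes. Returns the groups the name was left in."""
    left_in = []
    for g in groups.values():
        if user not in g.members:
            continue
        if g.gtype is GroupType.DENY_LIST_ONLY:
            left_in.append(g.name)
        else:
            g.members.discard(user)
    return left_in


def demo():
    """Constructed directory: Bob leaves the company. The administrator adds him
    to the deny-list group first, then deletes his Person document."""
    alice, bob = "CN=Alice Smith/O=Acme", "CN=Bob Jones/O=Acme"
    groups = {
        "Sales": Group("Sales", GroupType.MULTI_PURPOSE, {alice, bob}),
        "SalesMail": Group("SalesMail", GroupType.MAIL_ONLY, {"Sales"}),
        "TerminatedEmployees": Group("TerminatedEmployees",
                                     GroupType.DENY_LIST_ONLY, set()),
    }
    groups["TerminatedEmployees"].members.add(bob)
    left_in = delete_person(bob, groups)
    return groups, left_in


if __name__ == "__main__":
    groups, left_in = demo()
    print("Bob still listed in:", left_in)
    print("Bob can access server:",
          server_access("CN=Bob Jones/O=Acme", ["TerminatedEmployees"], groups))
```

The order of the two administrative steps is the point: add the name to the Deny List only group before the delete request runs, so the denial survives the cleanup that removes the name everywhere else.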
7-8 Administering the Domino System, Volume 1
Creating replicas using the Administration Process
Through the Domino Administrator you can use the Administration
Process to initiate the creation of one or more replicas. You can create
replicas on servers in the same domain or in another domain. You should
make sure that Connection documents are in place to schedule
replication between the source and destination servers, unless the servers
are members of the same cluster, in which case this is not strictly
necessary.
For more information on the administration requests that are processed
while creating a replica, see the appendix “Administration Process
Requests.”
1. If you are creating a replica on a destination server in another domain, make sure that:
• There is an outbound Cross Domain Configuration document in the Administration Requests database (ADMIN4.NSF) on the source server that allows the Administration Process to export Create Replica requests to the destination server.
• There is an inbound Cross Domain Configuration document in the Administration Requests database on the destination server that allows the Administration Process to import Create Replica requests from the source server’s domain.
• Connection documents enabled for mail are in place that allow the source server to send mail to at least one server in the destination server’s domain.
• You’ve set up cross-certification if servers in the two domains do not share a common certifier.
2. Make sure that you:
• Have Create Database access in the Server document of the destination server(s).
• Have at least Reader access in the ACL of the databases on the source server.
3. Make sure that the source server:
• Is running the Administration Process.
• Has Create Replica access in the Server document of the destination server(s).
Note Do not use the wild card character (*) in the “Create Replica”
field of the destination server’s Server document because this
character causes the request to fail.
Creating Replicas and Scheduling Replication 7-9
4. Make sure each destination server:
• Is running the Administration Process.
• Has at least Reader access in the ACL of the source replica.
5. From the Domino Administrator, select the source server in the
server pane on the left. To expand the server pane, click the servers
icon in the server pane.
6. Click the Files tab.
7. In the files window, select one or more databases for which you want
to create replicas.
8. From the Tools pane, choose Database - Create Replica. Or, drag the
selected database(s) to the Create Replica tool.
9. (Optional) If the current domain includes a cluster, click “Show only
cluster members” to display only destination servers that are
members of the cluster.
10. Select one or more destination servers. To select a server if it doesn’t
appear in the list, select Other, specify the hierarchical server name,
then click OK.
11. (Optional) Select a destination server, click “File Names” to choose a
custom file path on the destination server for any database you’re
replicating, and then click OK. You can repeat this procedure for
each destination server. If you don’t choose this option, the database
is stored on the destination server in the same location as on the
source server.
To put the replica in a directory below the data directory, type the
directory name, backslash, and then the file name — for example,
JOBS\POSTINGS. If the specified directory does not exist, Domino
creates it for you.
12. Click OK. A dialog box shows the number of databases processed
and indicates if any errors occurred.
Creating replicas by dragging databases to a destination server
You can drag and drop databases to a destination server icon to create
replicas on that server. When you use this method, store all replicas in
one, preexisting directory on the destination server. This method uses the
Administration Process to automate creation of the replica.
1. From the Domino Administrator, click the Files tab.
2. Select one or more databases you want to replicate in the files pane.
3. Drag the selected databases to a destination server in the server pane
on the left.
4. In the dialog box that appears, select “Create replica,” select a
directory on the destination server in which to store the replica(s),
then click OK.
Table of replication settings
By default, two replicas exchange all edits, additions, and deletions if the
servers the replicas are on have the necessary access. However, you can
customize replication. For example, to save disk space, you can prevent
the transfer of documents that are not pertinent to your site.
You can specify replication settings on a new replica as you create it or
on an existing replica. You can specify some replication settings for
multiple replicas at once from a central source replica. You must have
Manager access to a replica to set replication settings for it.
Caution Replication settings are not intended to be used as a security
measure.
This table summarizes the available replication settings.
You can manage these settings for multiple replicas from a central source
replica.
For more information, see the topic “Specifying replication settings for
multiple replicas from one source replica” in this chapter.
Limiting the contents of a replica
Use the following replication settings to limit the size of a replica or to
display a subset of information relevant to a particular group of users.
Remove documents not modified in the last x days
The number of days specified here, known as the purge interval, controls
when Domino purges deletion stubs from a database. Deletion stubs are
markers that remain from deleted documents so that Domino knows to
delete documents in other replicas of the database. Because deletion
stubs take up disk space, Domino regularly removes deletion stubs that
are at least as old as the value specified. It checks for deletion stubs that
require removal at 1/3 of the purge interval. For example, assuming the
default value, 90 days, when a user opens a database, Domino checks if it
has been at least 30 days since it removed deletion stubs, and if so it
removes any deletion stubs that are at least 90 days old. The Updall task,
which runs by default at 2:00 AM, also removes deletion stubs.
You can shorten the purge interval, if you want, but be sure to replicate
more frequently than the purge interval; otherwise, deleted documents
can be replicated back to the replica.
Optionally, you can select the check box to remove documents in the
replica that haven’t changed within the purge interval. If you select the
check box, when Domino removes deletion stubs it also removes
documents that haven’t changed within the specified number of days.
These documents are purged, meaning no deletion stubs remain for the
documents, so the documents aren’t deleted in other replicas. The “Only
Replicate Incoming Documents Saved or Modified After: date” setting
prevents the purged documents from reappearing through replication. If
the other replicas have this check box selected, similar document purging
occurs in them.
Caution If you select the check box on a non-replicated database,
documents are lost and you can only recover them from a system
backup.
Note Domino regularly removes deletion stubs according to the purge
interval even if you don’t select the check box.
Only Replicate Incoming Documents Saved or Modified After: date
A replica can only receive documents created or modified since the date
specified. If you clear the database replication history, during the next
replication, Domino scans only documents created or modified since the
date specified here. If you clear the date before clearing the replication
history, Domino scans all documents in the database.
Use this option in conjunction with clearing the replication history to
solve replication problems. If you clear or change this date, when
Domino next purges deletion stubs, it resets the date to correspond to the
number of days specified in “Remove documents not modified in the last
x days” setting. For example, if Domino purges deletion stubs on 1/1/99
and the “Remove documents not modified in the last x days” setting is
90, on 1/1/99 Domino resets the date to 10/1/98. If the check box is
selected in the “Remove documents not modified in the last x days”
setting — meaning documents that meet the purge interval criteria are
purged as well as deletion stubs — this automatic date reset ensures that
the purged documents aren’t replicated back into the replica.
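The interaction between the purge interval, the check box and the cutoff date in the two settings above is easier to see in a simulation. The following Python model is added here as an illustration and is not code from Domino or from this manual. It models a deletion stub as a document flagged deleted, runs the purge check every third of the purge interval, and treats each replication as a full comparison of the two replicas (which is what happens after the replication history is cleared). Two simplifications are assumptions of the model: a live copy never overrides a deletion stub, and the cutoff date is reset on purge only when the check box is selected. The replica names, document names, dates and the `run` scenario are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Doc:
    modified: date
    deleted: bool = False           # True: this entry is a deletion stub


@dataclass
class Replica:
    purge_interval: int = 90        # "Remove documents not modified in the last x days"
    purge_unmodified: bool = False  # the check box on that setting
    cutoff: Optional[date] = None   # "Only replicate incoming documents saved or modified after"
    last_purge: Optional[date] = None
    docs: dict = field(default_factory=dict)

    def live(self):
        return sorted(k for k, d in self.docs.items() if not d.deleted)

    def maybe_purge(self, today):
        """Runs at most once per 1/3 of the purge interval; removes deletion
        stubs (and, with the check box, unmodified documents) that are at
        least purge_interval days old. With the check box the cutoff date
        is reset so that purged documents cannot replicate back in."""
        if self.last_purge and (today - self.last_purge).days < self.purge_interval // 3:
            return []
        self.last_purge = today
        oldest_kept = today - timedelta(days=self.purge_interval)
        purged = [k for k, d in self.docs.items()
                  if d.modified <= oldest_kept and (d.deleted or self.purge_unmodified)]
        for k in purged:
            del self.docs[k]
        if self.purge_unmodified:
            self.cutoff = oldest_kept
        return purged


def replicate(src, dst):
    """One-way replication as a full comparison. Stubs propagate as deletions,
    a live copy never overrides a stub, and nothing modified on or before the
    destination's cutoff date is received."""
    received, deleted = [], []
    for k, d in src.docs.items():
        mine = dst.docs.get(k)
        if d.deleted:
            if mine is not None and not mine.deleted:
                dst.docs[k] = Doc(d.modified, deleted=True)
                deleted.append(k)
        elif dst.cutoff is not None and d.modified <= dst.cutoff:
            continue
        elif mine is None or (not mine.deleted and d.modified > mine.modified):
            dst.docs[k] = Doc(d.modified)
            received.append(k)
    return received, deleted


def run(replicate_every, purge_unmodified_on_a=False, days=120):
    """Replicas A and B start with documents X and Y; a user deletes X on A on
    day 1; A and B replicate every replicate_every days. Returns the live
    documents on A and on B at the end, plus an event log."""
    day0 = date(2003, 1, 1)
    a = Replica(purge_unmodified=purge_unmodified_on_a)
    b = Replica()
    for r in (a, b):
        r.docs = {"X": Doc(day0), "Y": Doc(day0)}
    events = []
    for n in range(1, days + 1):
        today = day0 + timedelta(days=n)
        if n == 1:
            a.docs["X"] = Doc(today, deleted=True)      # X deleted on A
        for name, r in (("A", a), ("B", b)):
            purged = r.maybe_purge(today)
            if purged:
                events.append((n, f"{name} purged {purged}"))
        if n % replicate_every == 0:
            for s, t, label in ((a, b, "A->B"), (b, a, "B->A")):
                got, gone = replicate(s, t)
                if got or gone:
                    events.append((n, f"{label} received {got}, deleted {gone}"))
    return a.live(), b.live(), events


if __name__ == "__main__":
    for every, box in ((120, False), (30, False), (120, True)):
        a_live, b_live, log = run(every, box)
        print(f"replicate every {every}d, check box on A={box}: A={a_live} B={b_live}")
        for entry in log:
            print("   day", *entry)
```

Replicating every 120 days lets A purge the stub for X on day 91, so B's copy comes back on day 120; replicating every 30 days carries the deletion to B first and X stays gone. With the check box selected on A, both X and the untouched Y are purged without stubs, the cutoff is reset, and neither is received from B, while B keeps both documents, exactly as the caution above describes.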
Receive summary and 40KB of rich text only
If you select this setting, Domino prevents large attachments from
replicating and shortens the documents that this replica receives. The
shortened documents contain only a document summary that includes
basic information, such as the author and subject, and the first 40K of
rich text.
When users open a shortened document, they see “(TRUNCATED)” in
the document title. To view the entire document, users open it and
choose Actions - Retrieve Entire Document.
Keep the following points in mind when using this setting:
• Users can’t categorize or edit shortened documents.
• Agents don’t work on shortened documents.
• Shortened documents do not replicate unless the destination replica also has this option selected.
Replicate a subset of documents
Use this setting to specify that a replica receives only the documents in a
specific directory or view or only documents that meet selection criteria
specified in a formula. Replication formulas are similar to view selection
formulas.
Keep in mind the following points when you use replication formulas:
• You cannot use @DbLookup, @UserName, @Environment, or @Now in a replication formula.
• Using @IsResponseDoc in a replication formula causes all response documents in a database to replicate, not just those that meet the selection criteria. To avoid this, use @AllChildren or @AllDescendants instead. If you use @AllChildren or @AllDescendants, make sure the database performance property “Don’t support specialized response hierarchy” is not selected.
Replicate
Use this setting to control which non-document elements a replica
receives. This table describes the options:
Field / Enter
Usage priority: Choose “Normal” to force the server to use the network information in the current Connection document to make the connection.
Source server: The name of the calling server.
Source domain: The name of the calling server’s domain.
Use the Port(s): The name of the network port (or protocol) that the calling server uses. If you don’t want to specify the actual port for making a local area network connection, but would prefer to have Domino determine the port used, don’t list any ports in the Use the Port(s) field in the LAN Connection document. Domino uses all the information it has, including all enabled LAN ports and all enabled or disabled Connection documents, to determine the best path to use to connect with the other server.
Destination server: The name of the answering server. You can also specify a Group name that contains server names so that the Source server replicates with each server listed in the group you specify. To do this, you create a group that contains servers only, and specify “Servers only” as the group type. The group cannot contain the names of other groups of servers.
Destination domain: The name of the answering server’s domain.
Click the Replication/Routing tab, and then complete these fields:
Field / Enter
Replication task: Choose Enabled.
Replicate databases of Priority: Choose one:
• High
• Medium & High
• Low & Medium & High (default)
Replication type: Choose one:
• Pull Pull
• Pull Push (default)
• Pull Only
• Push Only
Files/Directories to Replicate: The names of specific databases or directories of databases that you want to replicate. Separate entries with semicolons (;) and specify the names as they exist on the calling server. If the database is in a subdirectory of the data directory, include the path relative to the data directory, for example, EAST\SALES.NSF. To specify all files within a directory and any of its subdirectories, enter the directory name relative to the data directory with the directory slash, for example, EAST\. You can’t use wild cards (*).
Replication Time Limit: The amount of time, in minutes, that replication has to complete.
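The Replication/Routing fields above amount to a small selection rule: which databases on the calling server are in scope, which priorities pass the filter, which direction the data moves, and which servers a “Servers only” destination group expands to. The following Python model is added here to make that rule explicit; it is not code from Domino or from this manual. The database list, group, Connection document values and the function names are constructed for the example; the directions recorded for each replication type are the model's reading of the type names.

```python
PRIORITY_RANK = {"Low": 0, "Medium": 1, "High": 2}
PRIORITY_FILTER = {                 # "Replicate databases of ... Priority"
    "High": 2,
    "Medium & High": 1,
    "Low & Medium & High": 0,       # the default
}
DIRECTIONS = {                      # "Replication type": where changes flow
    "Pull Pull": {"to caller", "to destination"},
    "Pull Push": {"to caller", "to destination"},
    "Pull Only": {"to caller"},
    "Push Only": {"to destination"},
}


def parse_file_list(value):
    """Split the Files/Directories to Replicate field: entries separated by
    semicolons, paths relative to the data directory, a trailing backslash
    meaning a directory and all of its subdirectories, no wild cards."""
    entries = []
    for raw in value.split(";"):
        item = raw.strip()
        if not item:
            continue
        if "*" in item or "?" in item:
            raise ValueError(f"wild cards are not allowed in this field: {item!r}")
        entries.append(item.upper().replace("/", "\\"))
    return entries


def entry_matches(entry, db_path):
    path = db_path.upper().replace("/", "\\")
    return path.startswith(entry) if entry.endswith("\\") else path == entry


def select_databases(connection, databases):
    """Databases on the calling server that this Connection document will
    replicate: an empty file list means all of them; the priority filter
    then drops the ones whose priority is too low."""
    entries = parse_file_list(connection.get("files", ""))
    min_rank = PRIORITY_FILTER[connection.get("priority", "Low & Medium & High")]
    chosen = []
    for path, priority in databases:
        if entries and not any(entry_matches(e, path) for e in entries):
            continue
        if PRIORITY_RANK[priority] < min_rank:
            continue
        chosen.append(path)
    return chosen


def destination_servers(connection, groups):
    """The Destination server field may name a 'Servers only' group, which
    must not contain other groups. groups maps group name -> (type, members)."""
    dest = connection["destination"]
    if dest not in groups:
        return [dest]
    gtype, members = groups[dest]
    if gtype != "Servers only":
        raise ValueError(f"{dest!r} is not a Servers only group")
    nested = [m for m in members if m in groups]
    if nested:
        raise ValueError(f"{dest!r} must not contain groups: {nested}")
    return list(members)


# Constructed sample: databases on the calling server with their priorities.
DATABASES = [
    ("NAMES.NSF", "High"),
    ("EAST\\SALES.NSF", "Medium"),
    ("EAST\\ARCHIVE\\2002.NSF", "Low"),
    ("WEST\\SALES.NSF", "Medium"),
]
GROUPS = {"HubServers": ("Servers only", ["Hub1/Acme", "Hub2/Acme"])}
CONNECTION = {                      # constructed Connection document
    "source": "East1/Acme",
    "destination": "HubServers",
    "type": "Pull Push",
    "priority": "Medium & High",
    "files": "NAMES.NSF; EAST\\",
}

if __name__ == "__main__":
    for server in destination_servers(CONNECTION, GROUPS):
        print(server, sorted(DIRECTIONS[CONNECTION["type"]]),
              select_databases(CONNECTION, DATABASES))
```

With the sample document, EAST\ selects both databases under EAST, but the Low-priority archive is dropped by the “Medium & High” filter, and a wild card in the file list is rejected up front rather than silently matching nothing.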
Method / Steps
From the NOTES.INI file: Edit the Replicators or ServerTasks setting in the NOTES.INI file.
From the console: Enter the Load Replica command at the console. Use this method if you need more replicators and you don’t want to shut down the server to change the NOTES.INI file. Each time you enter this command, the server loads another replicator.
For more information on settings in the NOTES.INI file, see
the appendix “NOTES.INI File.”For more information on
entering server commands, see the appendix “Server
Commands.”
Command / Result
Replicate: Replicates changes to databases in both directions; Domino performs Pull-Push replication.
Pull: Replicates changes to databases in one direction; the initiating server pulls changes from the other server.
Push: Replicates changes to databases in one direction; the initiating server pushes database changes to the other server.
Chapter 8
Setting Up Calendars and Scheduling
You can set up the calendar and scheduling features to allow users to
schedule meetings and reserve resources.
Calendars and scheduling
The calendar and scheduling features allow users to check the free time of
other users, schedule meetings with them, and reserve resources, such as
conference rooms and equipment. As an administrator, you can define
holidays that are particular to your organization or country. Lotus Domino
6 includes a set of default Holiday documents, which you can modify.
Users import this information directly into their personal calendars.
The calendar and scheduling features use the Schedule Manager (Sched
task), the Calendar Connector (Calconn task), and the Free Time system
(a combination of Sched, Calconn, and nnotes tasks) to operate. When
you install Lotus Domino 6 on a server (any server except a directory
server), the Sched and Calconn tasks are automatically added to the
server’s NOTES.INI file. When you start the server for the first time, the
Schedule Manager creates a Free Time database (BUSYTIME.NSF for
non-clustered mail servers and CLUBUSY.NSF for clustered mail
servers) and creates an entry in the database for each user who has filled
out a Calendar Profile and whose mail file is on that server or on one of
the clustered servers.
Each user can keep a personal calendar and create a Calendar Profile that
identifies who may access the user’s free time information and specifies
when the user is available for meetings. When users invite other users to
meetings, the Free Time system performs the free-time lookups. The Free
Time system also searches for and returns information on the availability
of resources. If the lookup involves searching in Free Time systems on
different servers or scheduling applications, the Calendar Connector
sends out the queries. When users schedule appointments in their
calendars and reserve resources, the Schedule Manager task collects and
updates that information in the Free Time database.
By default, the Schedule Manager has access to the Free Time database,
so you do not have to define the ACL for this database.
Using clustered Free Time databases
For clustered mail servers, the Schedule Manager creates the clustered
Free Time database (CLUBUSY.NSF) the first time a server starts. The
clustered version of the Free Time database works the same as the Free
Time database (BUSYTIME.NSF). Each clustered server has a replica of
the clustered Free Time database, which stores information about users
whose mail files exist on servers in the cluster.
If you add a previously non-clustered server to a cluster, the Schedule
Manager deletes the BUSYTIME.NSF database on that server and creates
CLUBUSY.NSF, which then replicates to all cluster members. If you
remove a server from a cluster, the opposite occurs: Schedule Manager
deletes CLUBUSY.NSF and creates BUSYTIME.NSF. Until the Schedule
Manager validates the database by checking to see if the location of
users’ mail files has changed, the clustered Free Time database contains
information about users whose mail server you removed from the
cluster. This validation also occurs once each day (at 2 AM) to update
free-time information for users whose mail files have been added to or
removed from a mail server. You can update the information at any time
by entering the Tell Sched Validate command at the console.
A benefit of clustered scheduling is that schedule information is always
available, even when users’ home servers are down. With non-clustered
scheduling, if users’ home servers are not available, the Free Time
database is not available for searching.
Other advantages of using clustered scheduling include improved
performance and reduced server traffic. Because the Free Time database
is available from other members in a cluster, the server that receives a
user’s query does not have to search another server’s Free Time database
for schedule information about a user whose mail server is in the cluster.
Example of scheduling a meeting
This section describes the process of scheduling a meeting when users
share the same mail server and domain, have different domains, and use
different scheduling applications.
In the following examples, Kathy wants to check the free time of and
schedule a meeting with three users — Bob, who is in the same domain
as Kathy; Robin, who is in a different domain; and Susan, who uses a
different scheduling application (Lotus Organizer®).
Users in the same domain
1. Kathy creates a meeting invitation and chooses to search for Bob’s
free time.
2. A free time query is sent to Kathy’s mail server.
3. The Free Time system looks for Bob’s name in the Free Time
database (BUSYTIME.NSF or CLUBUSY.NSF) on Kathy’s mail
server.
• If Bob and Kathy have the same mail server, or if Bob’s and Kathy’s mail servers are part of a cluster, the Free Time system finds the information and returns Bob’s free time to Kathy.
• If the Free Time system does not find any information on Bob, it converts Bob’s name into a fully qualified name.
• If Bob’s mail server is unavailable and his Free Time database is not clustered, a message appears indicating that the server is unavailable, and the Find Time dialog box indicates that Bob’s information is unavailable.
4. Kathy’s Domino Directory is checked for Bob’s Person document.
When the Person document is found, the Calendar Connector sends
the request to Bob’s mail server, the name of which is listed in Bob’s
Person document.
5. The Free Time system on Bob’s mail server looks in its Free Time
database and returns the information to Kathy via the Calendar
Connector. If the Free Time system doesn’t find any information, the
query fails, and the Find Time dialog box indicates that Bob’s
information is unavailable.
Users in different domains
1. Kathy creates a meeting invitation and chooses to search for Robin’s
free time. In addressing the invitation, Kathy specifies Robin’s
domain.
2. A query is sent to Kathy’s mail server.
3. The Free Time system looks for Robin’s name in the Free Time
database on Kathy’s mail server. It determines Robin’s mail server is
in a different domain.
4. Kathy’s Domino Directory is searched for a document that matches
Robin’s domain.
• If the Free Time system finds an Adjacent Domain document, it looks at the Calendar server name field of the document for the name of a server that accepts calendar queries for Robin’s domain. The Free Time system then forwards the query to this server for processing.
• If the Free Time system finds an Adjacent Domain document with an empty Calendar server name field, it fails, and the Find Time dialog box indicates that Robin’s information is unavailable.
• If the Free Time system finds a Non-adjacent Domain document, it looks at the “Route requests through Calendar server” field of the document for the name of the server (which is in a domain adjacent to both Kathy’s and Robin’s) that accepts calendar queries for Robin’s domain. The Free Time system then forwards the query to this server for processing.
• If the Free Time system finds a Non-adjacent Domain document with an empty “Route requests through Calendar server” field, it fails, and the Find Time dialog box indicates that Robin’s information is unavailable.
• If the Free Time system doesn’t find any domain documents, the query fails, and the Find Time dialog box indicates that Robin’s information is unavailable.
Users in other calendar domains
1. Kathy creates a meeting invitation and chooses to search for Susan’s
free time.
2. A query is sent to Kathy’s mail server.
3. The Free Time system looks for Susan’s name in its Free Time
database. It does not find the information, so it converts Susan’s
name into a fully qualified one.
4. Kathy’s Domino Directory is searched for Susan’s Person document.
5. The Free Time system looks in Susan’s Person document and locates
the name of her mail server in the Mail server field and the name of
her calendar domain in the Calendar Domain field.
6. Because Susan is using Lotus Organizer as her scheduling
application, the Free Time system finds that her calendar domain
does not match her mail server domain. The Free Time system then
looks for a Domain document for the calendar domain.
7. The Free Time system finds a Foreign Domain document for Susan’s
calendar domain. The Calendar server field in the Foreign Domain
document identifies the name of the server that accepts queries for
Susan’s domain; the “Calendar system” field identifies the name of
the add-in program — for example, Organizer or IBM®
OfficeVision® — that actually does the free-time lookup on Susan’s
server. The Free Time system forwards the query to the appropriate
server (the server listed in the Calendar server field) for processing.
If the Free Time system doesn’t find a Foreign Domain document, the
query fails; and the Find Time dialog box indicates that Susan’s
information is unavailable.
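The three walkthroughs above are one decision procedure: look locally, then in the Person document, then in the domain documents, and fail closed when a required field is empty. The following Python function is added here to state that procedure in one place; it is not code from Domino or from this manual. The directory structure it reads (a dictionary of Person, cluster, Adjacent, Non-adjacent and Foreign Domain entries), the assumed local domain name, the user and server names and the function name are all constructed for the example.

```python
LOCAL_DOMAIN = "Acme"   # assumed name of the querying user's Domino domain


def same_cluster(server1, server2, directory):
    clusters = directory["clusters"]          # server name -> cluster name
    return server1 in clusters and clusters.get(server2) == clusters[server1]


def route_free_time_query(target, querying_server, directory):
    """Where the Free Time system on querying_server sends a query for target.
    Returns (action, server_or_reason, how) with action 'local', 'forward'
    or 'unavailable'."""
    def unavailable(reason):
        return ("unavailable", reason, None)

    if "@" in target:                         # invitation addressed with a domain
        name, domain = target.rsplit("@", 1)
        if domain != LOCAL_DOMAIN:
            adjacent = directory["adjacent"].get(domain)
            if adjacent is not None:
                server = adjacent.get("calendar_server", "")
                if not server:
                    return unavailable(f"Adjacent Domain document for {domain}: empty Calendar server name")
                return ("forward", server, "Adjacent Domain document")
            nonadjacent = directory["nonadjacent"].get(domain)
            if nonadjacent is not None:
                server = nonadjacent.get("route_through", "")
                if not server:
                    return unavailable(f"Non-adjacent Domain document for {domain}: empty route-through server")
                return ("forward", server, "Non-adjacent Domain document")
            return unavailable(f"no domain document for {domain}")
    else:
        name = target

    person = directory["persons"].get(name)
    if person is None:
        return unavailable(f"no Person document for {name}")
    calendar_domain = person.get("calendar_domain", "")
    if calendar_domain and calendar_domain != person["mail_domain"]:
        foreign = directory["foreign"].get(calendar_domain)
        if foreign is None:
            return unavailable(f"no Foreign Domain document for {calendar_domain}")
        return ("forward", foreign["calendar_server"],
                f"Foreign Domain document ({foreign['calendar_system']})")
    home = person["mail_server"]
    if home == querying_server or same_cluster(home, querying_server, directory):
        return ("local", querying_server, "Free Time database on this server or cluster")
    return ("forward", home, "Calendar Connector to the user's mail server")


# Constructed Domino Directory for the example (all names are made up).
DIRECTORY = {
    "persons": {
        "Bob Brown": {"mail_server": "Mail2/Acme", "mail_domain": "Acme"},
        "Carol Chen": {"mail_server": "Mail9/Acme", "mail_domain": "Acme"},
        "Susan Stone": {"mail_server": "Mail1/Acme", "mail_domain": "Acme",
                        "calendar_domain": "OrganizerDom"},
    },
    "clusters": {"Mail1/Acme": "MailCluster", "Mail2/Acme": "MailCluster"},
    "adjacent": {"Widgets": {"calendar_server": "Hub/Widgets"},
                 "Broken": {"calendar_server": ""}},
    "nonadjacent": {"Gadgets": {"route_through": "Hub/Widgets"}},
    "foreign": {"OrganizerDom": {"calendar_server": "Org1/Acme",
                                 "calendar_system": "Organizer"}},
}

if __name__ == "__main__":
    for who in ("Bob Brown", "Carol Chen", "Robin Reed@Widgets", "Pat Park@Gadgets",
                "Susan Stone", "Anyone@Broken", "Anyone@Nowhere"):
        print(who, "->", route_free_time_query(who, "Mail1/Acme", DIRECTORY))
```

Every failure path returns “unavailable” with the reason, which is what the Find Time dialog box reports; the reason string is the first thing to check when users report that a colleague's free time cannot be found.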
Setting up scheduling
How you set up scheduling depends on where users are located — that
is, in the same Domino domain or in different Domino domains — and
whether users use alternate scheduling applications, such as Lotus
Organizer and IBM OfficeVision.
For users in the same Domino domain
Scheduling is automatically set up for non-clustered and clustered Free
Time databases. You need to create the Resource Reservations database
so that users can search for and reserve resources.
For users in adjacent Domino domains
1. Make sure that you have set up Adjacent Domain documents in the
Domino Directory to establish communication between the domains.
For more information on Adjacent Domain documents, see the
chapter “Setting Up Mail Routing.”
2. From the Domino Administrator, click the Configuration tab.
3. Choose the Domino Directory in the “Use Directory on” box.
4. Click Messaging - Domains, and then open each appropriate
Adjacent Domain document.
5. Click the Calendar Information tab, complete this field, and save the document:
Calendar server name: The name of the server in the adjacent domain that accepts and processes all scheduling queries for that domain.
6. Set up the Resource Reservations database if you want to allow users
to search for and reserve resources.
For users in non-adjacent Domino domains
In order for two non-adjacent domains to do free-time lookups between
each other, you need to define a Calendar server in an intermediate
domain that is adjacent to both the querying and the target domains.
Note Free-time lookups require reasonable network response time and
direct LAN connections from the intermediate domain to the two
separate non-adjacent domains.
1. Make sure that you have set up Non-adjacent Domain documents in
the Domino Directory to establish communication between the
domains.
For more information on Non-adjacent Domain documents, see the
chapter “Setting Up Mail Routing.”
2. From the Domino Administrator, click the Configuration tab.
3. Choose the Domino Directory in the “Use Directory on” box.
4. Click Messaging - Domains, and then open each appropriate
Non-adjacent Domain document.
5. Click the Calendar Information tab, complete this field, and save the document:
Route requests through Calendar server: The name of the server, in a domain adjacent to both the querying domain and the target domain, that accepts scheduling queries for the non-adjacent domain and forwards them.
6. Set up the Resource Reservations database if you want to allow users
to search for and reserve resources.
For users of Lotus Organizer or IBM OfficeVision
Lotus Domino 6 scheduling works with both Lotus Organizer® and IBM
OfficeVision®. If users want to keep their schedules in either program,
set up scheduling to include them. You need to create a Foreign Domain
document for each alternate scheduling application.
1. Make sure you already set up a Foreign Domain document in the
Domino Directory for each alternate scheduling application.
For more information on Foreign Domain documents, see the chapter
“Setting Up Mail Routing.”
2. From the Domino Administrator, click the Configuration tab.
3. Choose the Domino Directory in the “Use Directory on” box.
4. Click Messaging - Domains, and then open each appropriate Foreign Domain document.
5. Click the Calendar Information tab, complete these fields, and save the document:
Calendar server: The name of the server that accepts scheduling queries for the foreign calendar domain.
Calendar system: The name of the add-in program, for example Organizer or IBM OfficeVision, that performs the free-time lookup on that server.
6. For Notes mail users who use a different scheduling application, enter the name of the foreign domain in the Calendar Domain field of each user’s Person document.
7. Set up the Resource Reservations database if you want to allow users to search for and reserve resources.
Setting up the Resource Reservations database
The Resource Reservations database is where users schedule and manage
meeting resources. Resources may include conference rooms and
equipment, such as overhead projectors and video machines. Users can
select a particular resource and reserve a time for it, or they can choose a
time and let the Resource Reservations database display resources
available during that time.
The Resource Reservations database contains three types of documents:
Site Profile, Resource, and Reservation. A Site Profile document identifies
the site where particular resources are located. A Resource document
defines the resource name — for example, the name or number of the
conference room. After you create Site Profile and Resource documents,
the Schedule Manager tracks the free time of a resource the same way it
tracks free time for users. To reserve a resource, a user can either create a
Reservation document or add the resource to a meeting invitation.
To set up the Resource Reservations database
1. From the Domino Administrator, choose File - Database - New.
2. Complete these fields on the New Database dialog box.
Field / Action
Server: Enter the name of the server on which you are creating the database.
Title: Enter the name of the database.
File Name: Enter a file name for the database. Use the file name extension nsf.
Template server: Choose the template server from which you will be copying the template.
Show advanced templates: Click this check box to display additional templates, including the Resource Reservations (RESRC60.NTF) template.
Inherit future design changes: Click the check box if you want the database to inherit design changes that will be made to the template in the future.
Field / Enter
Name: A unique name that identifies the resource, for example, a room number.
Site: Click to display a list of available sites, and then choose one.
Category (appears when you select Other as Resource Type): Name for the category of the resource, for example, Electronic or AV. This field also displays the names of all previously entered Category values, from which you can choose.
Capacity (appears when you select Room as Resource Type): The capacity of the resource, for example, the seating capacity of a room.
Description: A description of the resource, for example, large conference room with a video monitor.
Internet address: An Internet address that iCalendar users can use to reserve the resource. The Internet Address field is not visible for Online Meeting Place.
Field / Enter
Owner restrictions: Choose one:
• None - Click if no owner is assigned to the resource and anyone can reserve the resource.
• Owner only - Click to assign a Resource owner. Only the Resource owner can process Resource requests without special approval. Enter the name of the resource owner in the Owner’s name field. The owner is the person or group to whom requests from other users (those not listed in the List of names field) are forwarded for approval and processing.
• Specific people - Click to allow only specified users access to the resource. Enter the names of users allowed to reserve this resource in the List of names field.
• Autoprocessing - Click to allow only specified users and groups access to the resource and to assign a resource owner. Enter the name of the resource owner in the Owner’s name field. The owner is the person or group to whom requests from other users (those not listed in the List of names field) are forwarded for approval and processing. Enter the names of users allowed to reserve this resource in the List of names field.
• Disable reservations - Click to prevent users from reserving a resource from a meeting notice and directly from the Resource Reservations database.
Availability settings: Choose one of these:
• 24 hours everyday - The resource is available 24 hours each day. When you select this availability setting, other availability settings are disabled.
• Time zone - Specify the time zone for the resource. The default is Local Time, but you can specify others as applicable, such as Eastern Time.
• Days of week and hours of days - Select the days of the week that the resource is available. Specify the availability start time and end time for each available day selected.
Online meeting database: The default database, stconf.nsf, is entered by default. This field cannot be modified.
Description: Description of the resource.
Capacity (for Rooms only): The capacity of the resource, if it has one, for example, the seating capacity of a room.
Category (for Other only): Name for the category of resource, for example, Electronic or AV. This field also displays the names of all previously entered Category values, from which you can choose. Non-modifiable field.
Owner restrictions: Choose one:
• None: Click if no owner is assigned to the resource and anyone can reserve the resource.
• Owner only: Click to assign a resource owner. Only the resource owner can process resource requests. Enter the name of the resource owner in the Owner's name field.
• Specific people: Click to allow only specified users access to the resource. Enter the names of users allowed to reserve this resource in the List of names field.
• Autoprocessing: Click to allow only specified users access to the resource and to assign a resource owner. Enter the name of the resource owner in the Owner's name field. The owner is the person to whom requests from other users (those not listed in the List of names field) are forwarded for approval and processing. Enter the names of users allowed to reserve this resource in the List of names field.
• Disable reservations: Prevent users from reserving a resource from their mail file.
Availability settings: Choose one:
• 24 hours everyday: The resource is available 24 hours each day. When you select this availability setting, the other availability settings are disabled.
• Time zone: Specify the time zone for the resource. The default is Local Time, but you can specify others as applicable, such as Eastern Time.
• Days of week and hours of days: Select the days of the week that the resource is available. Specify the availability start time and end time for each available day selected.
Other comments: Enter additional comments about the resource as necessary.
Internet address: An Internet address that iCalendar users can use to reserve the resource.
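The Owner restrictions modes in the two tables above decide who can reserve a resource and whose requests are routed to the owner for approval. The following is an added example, not code from the Domino documentation: it models each mode as a decision on a reservation request. The mode names are those of the settings table; the outcomes (ACCEPT, FORWARD to the owner, REJECT), the group lookup, and the treatment of the owner's own requests under Autoprocessing are simplifying assumptions of this example. It also lists the resources with no restriction at all, which is where a review of a Resource Reservations database should start.

```python
# Added example (not from the Domino documentation): a model of the
# "Owner restrictions" modes applied to a reservation request.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Optional


class Restriction(Enum):
    NONE = "None"
    OWNER_ONLY = "Owner only"
    SPECIFIC_PEOPLE = "Specific people"
    AUTOPROCESSING = "Autoprocessing"
    DISABLED = "Disable reservations"


@dataclass(frozen=True)
class Resource:
    name: str
    restriction: Restriction
    owner: Optional[str] = None              # "Owner's name" field (a user or a group)
    allowed: FrozenSet[str] = frozenset()    # "List of names" field (users or groups)


def is_member(requester: str, principal: Optional[str], groups: Dict[str, FrozenSet[str]]) -> bool:
    """True if requester is the principal or belongs to a group with that name.
    `groups` maps group name -> member names; it stands in for the Domino
    Directory group lookup (assumption of this example)."""
    if principal is None:
        return False
    return requester == principal or requester in groups.get(principal, frozenset())


def disposition(resource: Resource, requester: str, groups: Dict[str, FrozenSet[str]]) -> str:
    """What happens to `requester`'s reservation request for `resource`."""
    r = resource
    if r.restriction is Restriction.DISABLED:
        return "REJECT"        # no reservations from a meeting notice or the database
    if r.restriction is Restriction.NONE:
        return "ACCEPT"        # no owner; anyone can reserve
    is_owner = is_member(requester, r.owner, groups)
    if r.restriction is Restriction.OWNER_ONLY:
        # Only the owner's requests are processed without special approval;
        # everyone else's request is forwarded to the owner.
        return "ACCEPT" if is_owner else "FORWARD"
    listed = any(is_member(requester, name, groups) for name in r.allowed)
    if r.restriction is Restriction.SPECIFIC_PEOPLE:
        # Only listed users may reserve; there is no owner to forward to.
        return "ACCEPT" if listed else "REJECT"
    # AUTOPROCESSING: listed users and groups are processed automatically and
    # everyone else is forwarded to the owner. Auto-accepting the owner's own
    # requests is an assumption of this model.
    return "ACCEPT" if (listed or is_owner) else "FORWARD"


def unrestricted(resources: Iterable[Resource]) -> List[str]:
    """Resources anyone can reserve (no owner, no list): review these first."""
    return [r.name for r in resources if r.restriction is Restriction.NONE]
```

Note that Specific people is the only mode that refuses unlisted requesters outright; Owner only and Autoprocessing still accept a request from anyone and queue it for the owner, so an owner who approves without checking defeats the restriction.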
To delete a resource
When you delete a resource, an administration request that requires
the administrator’s approval is also generated. After deleting the
resource in the user interface, open the Administration Requests
database and approve the deletion there. Instructions for both
procedures are included here.
1. Make sure that you have the [CreateResource] role in the ACL of the
Resource Reservations database.
2. From the Domino Administrator, click the Files tab.
3. From the Servers pane, select the server from which you want to
work.
4. Open the Resource Reservations database, and then click Resources.
5. Open the Resource document that you are deleting, and click Delete
Resource.
6. Click Yes and click OK.
To approve the resource deletion
To process the deletion, the request needs approval in the Administration
Requests database. Complete these steps to approve the “Approve
Resource Deletion” administration request.
1. From the Domino Administrator, click Server - Analysis -
Administration Requests (6).
2. Click Pending Administrator Approval.
3. Open the Approve Resource Deletion request document and click
Edit Document.
4. Click Approve Resource Deletion.
5. Choose Yes and then click OK to approve the deletion.
Setting user access rights to edit and delete reservations
To allow a user to delete a reservation in the Resource Reservations
database on a Notes Client, assign Editor access to that user in the
database ACL of the Resource Reservations database. The Delete
Reservation button is then enabled.
To allow a Web user to delete a reservation in the Resource Reservations
database, via a Web browser, assign Editor access to that user in the
database ACL of the Resource Reservations database. In a Web view, the
Move to Trash and the Empty Trash buttons are then enabled.
8-16 Administering the Domino System, Volume 1
Reservations that are created manually or with Calendaring and
Scheduling can be deleted by a requester with Editor access to the
Resource Reservations database, a resource owner with Editor access to
the Resource Reservations database, or by a database manager with
Editor access to the Resource Reservations database and the
CreateResource role.
Single-room, non-repeating reservations that are created manually in the
Resource Reservations database can be edited by the requester of the
reservation, with Editor access to the Resource Reservations database, if
the reservation has a status of “waiting for approval” or if the reservation
has been accepted. Repeating room or resource reservations that are
created manually cannot be edited.
Creating Holiday documents
Holiday documents provide a way for your organization to have a
centrally managed collection of documents that contain information on
scheduled holidays and events. Users select the type of Holiday
documents to import and add the information to their personal
calendars. Lotus Domino 6 includes default Holiday documents that you
can modify or delete; you can also add Holiday documents specific to
your organization’s needs. Holiday documents are stored in the Domino
Directory.
You categorize Holiday documents according to a group name. For
example, you may have a group named “Full-time” that contains all the
company holidays for full-time employees. The default Holiday
documents included with Lotus Domino 6 have group names associated
with countries or religions — for example, United States or Italy — and
the groups contain documents specific to holidays in each country. As an
administrator, you may want to modify or delete these documents to
reflect your organization’s needs. Then you can advise all users to import
a specific group of Holiday documents.
To add a document to an existing group, select the group when you
create a new Holiday document. To create new groups, enter a new
group name in the Holiday document. Remember that your users import
Holiday documents according to group name, not document name, so be
sure to plan the organization of documents in groups.
Setting Up Calendars and Scheduling 8-17
Configuration
To create a Holiday document
1. From the Domino Administrator, click the Configuration tab.
2. Select the Domino Directory server in the “Use Directory on” field.
3. Click Miscellaneous - Holidays.
4. Click Add Holiday.
5. Complete these fields on the Basics tab:
Group: Do one of these:
• Select a group from the list.
• Add a new group in the New keyword field, and then click OK.
Repeat For (displays if you select For in the Continuing field): Enter the number of months or years during which the holiday should repeat.
Repeat Interval (applies to Monthly by Date and by Day): Choose how often the holiday repeats, by month and day.
If the date falls on a weekend (applies to Monthly by Date only): Choose one: Don't Move, Move to Friday, Move to Monday, or Move to Nearest Weekday.
Chapter 9
Using Policies
Using policies, you can distribute and control a standard set of
administrative settings for user registration and setup, desktop
configuration, mail archiving, and security.
Policies
Using a policy, you control how users work with Notes. A policy is a
document that identifies a collection of individual policy settings
documents. Each of these policy settings documents defines a set of
defaults that apply to the users and groups to which the policy is
assigned. Once a policy is in place, you can easily change a setting, and it
will automatically apply to those users to whom the policy is assigned.
Policy settings documents cover these administrative areas:
• Registration — If a policy including registration policy settings is in place before you register Notes users, these settings set default user registration values, including user password, Internet address format, roaming user designation, and mail.
• Setup — If a policy including setup policy settings is in place before you set up a new Notes client, these settings are used during the initial Notes client setup to populate the user's Location document. Setup settings include Internet browser and proxy settings, applet security settings, and desktop and user preferences.
• Desktop — Use desktop policy settings to control and update the user's desktop environment or to reinforce setup policy settings. For example, if a change is made to any of the policy settings, the next time users authenticate with their home server, the desktop policy settings restore the default settings or distribute the new settings specified in the desktop policy settings document.
• Mail archiving — Use archive policy settings to control mail archiving. Archive settings control where archiving is performed and specify archive criteria.
• Security — Use security settings to set up administration ECLs and define password-management options, including the synchronization of Internet and Notes passwords.
Organizational and explicit policies
There are two types of policies: organizational and explicit.
Understanding the differences between the types helps you plan the
implementation.
Organizational policies
An organizational policy automatically applies to all users registered in a
particular organizational unit. For example, to distribute default settings
to all users registered in Sales/Acme, create an organizational policy
named */Sales/Acme. Then when you use the Sales/Acme certifier ID to
register a user, that user automatically receives the settings in the
corresponding organizational policy.
If you move a user within the hierarchical structure — for example,
because the user transfers from the Sales department to the Marketing
department — the organizational policy for the corresponding certifier
ID is automatically assigned to the user. For example, if you move the
user from Sales/Acme to Marketing/Acme, all settings defined in the
desktop, archiving, and security policy settings documents associated
with the */Marketing/Acme organizational policy are assigned to the
user. The new policy settings become effective the first time users
authenticate with their home server.
Explicit policies
An explicit policy assigns default settings to individual users or groups.
For example, to set a six-month certification period for contract workers
in all departments, create an explicit policy and then assign it to each
contract employee or to the group that includes all contract employees.
There are three ways to assign an explicit policy: during user registration,
by editing the user’s Person document, or by using the Assign Policy
tool.
For information on assigning an explicit policy, see the topic “Assigning
an explicit policy,” later in this chapter.
Using Exceptions
You can assign an exception attribute to either an organizational or
explicit policy. You use an exception to allow the user to override a
policy setting that is otherwise enforced throughout an organization.
When you create an exception policy, you specify only the settings that
will not be enforced. Then when you assign the exception policy, it
exempts users from enforcement of those settings only.
Exception policies are a way to give someone in an organization special
treatment, possibly because of their position or job requirements. For
example, the */Acme policy includes a Registration policy setting that
enforces a mail database quota of 60 MB. However, a small group of
employees in Acme need to exceed this quota. The solution is to create an
“exception” policy that includes only a Registration policy settings
document, that does not set a quota limitation on the mail database.
When this exception policy is assigned to users, they can override the
database quota setting. Because exception policies defeat the
enforcement of policy settings, use them sparingly.
Policy hierarchy and the effective policy
The effective policy for a user is a set of derived policy settings that are
dynamically calculated at the time of execution. The field values in an
effective policy may originate from many different policy settings
documents. Each hierarchical level can have an associated policy, so
users may have a combination of policy settings that include the values
set at their OU level, and those inherited from a parent policy. The
resolution of those settings, stepping up through the organizational
hierarchy, determines the effective policy for each user.
In addition to organizational policies, users may also have explicit
policies assigned to them. In that case, the order of resolution is that all
organization policy settings are resolved first, then any explicit policy
settings are resolved.
For example, if you want all users to use the same Internet mail name
format, set that value in the Registration policy settings document for the
top-level policy. Once you have set this value, you do not have to change
it or reenter it in subsequent child policies. You simply “inherit” this
value from the parent by selecting the inherit option. However, if you
have a select group of international users for whom this setting is a
problem, you can create an explicit policy that applies to the select group
only. The combination of the explicit and organizational policies together
provide the control and the flexibility you need.
There are two tools that help you determine the effective policy
governing each user. The Policy Viewer shows the policy hierarchy and
associated settings documents, and a Policy Synopsis report shows the
policy from which each of the effective settings was derived.
Inheritance and the child policy relationship
Inheritance plays an important role in determining a user’s policy
settings in both organizational and explicit policies. Through the
parent-child relationship, you create a hierarchy of policies to set your
administrative practices across the enterprise. In a policy hierarchy,
policy documents build the relationship, and policy settings documents
determine the value of the fields based on their position in the hierarchy.
Using field inheritance and enforcement, you control the default settings.
In organizational policies, the hierarchy of policies is determined
automatically based on the organization's hierarchy. The policy
*/Sales/Acme is the child policy of */Acme. Because explicit policies do
not follow the organizational structure, when you create explicit policies
you build in the hierarchy based on the naming structure. For example,
suppose you create an explicit policy named /Contractors that includes
several settings that apply only to contract employees who may be
employed for six months to a year, but you want short-term temporary
employees, employed for only one or two weeks, to inherit only some of
those settings. You create a child explicit policy called Short
term/Contractors.
The following figure shows a policy hierarchy. In this hierarchy, the policy
at each organizational level has set its own password quality setting.
In the following figure, Joe User inherits a password quality setting from
a parent policy. Inheriting a setting occurs in the child policy at the field
level in a policy settings document.
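The resolution described above (organizational policies from the top of the hierarchy down to the user's OU, then explicit policies, with per-field inheritance and enforcement, and exception policies that exempt a field from enforcement) can be made concrete. The following is an added example and not code from the Domino documentation or the Domino server: it derives an effective policy and records which policy supplied each value, which is the information a Policy Synopsis report shows. The data model, the rule that an enforced field cannot be overridden by a lower or explicit policy, the name-based parent derivation, and the reduction of an exception policy to a set of field names are simplifying assumptions of this example; the Policy Viewer in the Domino Administrator remains the authoritative tool.

```python
# Added example (not from the Domino documentation): effective-policy
# resolution over organizational and explicit policies.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Setting:
    value: object = None
    inherit: bool = False    # take the parent's value for this field
    enforce: bool = False    # lower and explicit policies may not override it


@dataclass(frozen=True)
class Policy:
    name: str
    settings: Dict[str, Setting]


def parent_of(name: str) -> Optional[str]:
    """Parent policy derived from the name (assumed convention of this model):
    '*/Sales/Acme' -> '*/Acme' -> None; 'Short term/Contractors' ->
    '/Contractors' -> None."""
    parts = name.split("/")
    if parts[0] == "*":                                   # organizational policy
        return "*/" + "/".join(parts[2:]) if len(parts) > 2 else None
    if parts[0] == "":                                    # explicit root such as /Contractors
        return None
    rest = parts[1:]
    return "/".join(rest) if len(rest) > 1 else "/" + rest[0]


def chain(name: Optional[str], policies: Dict[str, Policy]) -> List[Policy]:
    """Policies from the root down to `name`, skipping levels that have none."""
    out: List[Policy] = []
    while name is not None:
        if name in policies:
            out.append(policies[name])
        name = parent_of(name)
    return list(reversed(out))


def org_policy_for(user: str) -> str:
    """'Joe User/Sales/Acme' -> '*/Sales/Acme'."""
    return "*/" + "/".join(user.split("/")[1:])


def effective_policy(user: str, explicit: Optional[str], policies: Dict[str, Policy],
                     exceptions: FrozenSet[str] = frozenset()) -> Dict[str, Tuple[object, str]]:
    """Return {field: (value, name of the policy that supplied it)}.
    `exceptions` holds fields an exception policy exempts from enforcement."""
    result: Dict[str, Tuple[object, str]] = {}
    locked: set = set()                                   # fields enforced by an earlier policy
    # Organizational policies are resolved first, then explicit ones.
    for policy in chain(org_policy_for(user), policies) + chain(explicit, policies):
        for field_name, s in policy.settings.items():
            if field_name in locked or s.inherit:
                continue                                  # keep the value already resolved
            result[field_name] = (s.value, policy.name)
            if s.enforce and field_name not in exceptions:
                locked.add(field_name)
    return result
```

Because exceptions remove a field from enforcement for everyone they are assigned to, the resolver makes visible exactly which policy ends up supplying that field; that is the reason the text advises using exception policies sparingly.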
Name: Enter a name that identifies the users that use these settings. If you are a service provider, enter the name of the hosted organization.
Use mail server for roaming server: Do one:
• Select to store the user's roaming information on the same server used for mail.
• Deselect, and enter the name of the server to store the user's roaming information.
Create roaming files options: Choose one:
• Create roaming files now: to create the user's roaming files during user registration.
• Create roaming files in background: to use the Administration Process to create the user's roaming files after user registration.
Mail system: Choose a mail system.
• If you are a service provider, choose Lotus Notes only if you run Domino Off-Line Services (DOLS) in the hosted organization.
• If you choose Other, Other Internet, or None, continue with Step 8.
Mail server: Choose the server that stores the user's mail file.
• If your organization supports DOLS, choose a DOLS-enabled server.
Mail template: Choose one:
• MAIL6.NTF: if the organization uses Lotus Notes, POP3, or IMAP.
• INOTES5.NTF: if the organization uses iNotes.
• Your organization's custom mail template.
Security Type: Choose North American or International.
Certificate Expiration Date: Choose one:
• Static date: and then enter an expiration date. The default static date is 24 months from creation.
• Months from user creation: and then enter the number of months. The default is 24 months.
Group assignments: Choose the group to which you will add all users you register using these registration settings. Leave this field blank if you are not registering all users into one group.
Local administrator: Enter the name of the administrator. If you are a service provider, enter the name of the administrator at the hosted organization in this format: administrator name/certifying hosted organization
Name: Enter a name that identifies the users (and, if you are a service provider, the hosted organization) that use these settings.
Description: Enter a description of the settings.
Catalog/Domain Search server: Choose the name of the server used for domain searches.
Directory server: Enter the name of the server whose Domino Directory you want users to use.
Sametime server: Enter the name of the server used to connect to Sametime.
Local mailfile: Choose this option to create a local copy of the user's mail file.
Internet browser: Choose the Internet browser used from this location.
Retrieve/open pages: If you chose Notes or Notes with Internet Explorer as the Internet browser, choose the location from which to run the Web Retriever process.
Default databases added to bookmarks: Create a link for each database to add to the user workspace. If the server that stores a database is down during setup, a bookmark will not be created.
Trusted hosts: Enter the names of the trusted hosts.
Network access for trusted hosts: Choose one:
• Disable Java
• No access allowed
• Allow access only to originating host
• Allow access to any trusted host
• Allow access to any host
Catalog/Domain Search server: Choose the name of the server used for domain searches.
Domino Directory server: Enter the name of the server whose Domino Directory you want users to use.
Sametime server: Enter the name of the server used to connect to Sametime.
Local mailfile: Check the field Create local mailfile replica to create a local copy of the user's mail file.
Deploy version: If you use Smart Upgrade, enter the Notes version to which you want users to upgrade.
Upgrade deadline: If you use Smart Upgrade, use mm/dd/yyyy format to enter the date by which users must upgrade. If users do not upgrade by this date, the upgrade happens automatically.
Prompt user before upgrading mail file: Do one:
• Check yes to inform users before upgrading their mail files. This allows users to defer the upgrade.
• Uncheck (default) to upgrade without notification.
Ignore 200 category limit: By default, the number of folders created during conversion is limited to 200 folders. Do one:
• Check yes to override that limit and create as many folders as necessary (default).
• Uncheck to enforce the limit.
Corporate Welcome Pages database: Add the database link to the database containing the custom welcome pages. Note: You cannot use the Web Administrator to create links.
Create As new replicas on user's machine: Create a link for each database to add as a new replica to the user workspace.
Mobile directory catalogs: Create a link for each mobile directory catalog to add automatically to the user workspace.
Bookmarks to merge with users' bookmarks: Drag and drop or copy links to add to the user's bookmarks. Arrange the links in the order you want them to display. However, do not add any links above the Favorites folder, because they will be added to the bottom of the user's bookmarks list.
Trusted hosts: Enter the names of the trusted hosts.
Network access for trusted hosts: Choose one:
• Disable Java
• No access allowed
• Allow access only to originating host
• Allow access to any trusted host
• Allow access to any host
Name: Enter a name that identifies the users (and, if you are a service provider, the hosted organization) that use these settings.
Description: Enter a description of the settings.
Required change interval: Enter the number of days a password can be in effect before it must be changed.
Allowed grace period: Enter the number of days users have to change an expired password before being locked out.
Password history (Notes only): Enter the number of expired passwords to store. Storing passwords prevents users from reusing old passwords.
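The three settings above interact: the change interval decides when a password expires, the grace period decides how long an expired password can still be used to log in and change it, and the history depth decides how many earlier passwords are refused on change. The following is an added example and not code from the Domino documentation or from Notes: it implements those rules as the checks an authentication and password-change routine would run. Time is counted in whole days since the last change; the salted PBKDF2 digests are only a stand-in for the history store (Notes keeps its own password history in the user ID), and the sample passwords in the test are constructed.

```python
# Added example (not from the Domino documentation): required change
# interval, allowed grace period and password history as runnable checks.
import hashlib
import hmac
import os
from typing import List, Tuple


def password_state(days_since_change: int, change_interval: int, grace_period: int) -> str:
    """'ok' while inside the change interval; 'expired' during the grace
    period, when the user may still log in but must change the password;
    'locked' once the grace period has also run out. A change interval of 0
    means passwords never expire (assumption of this example)."""
    if change_interval <= 0 or days_since_change < change_interval:
        return "ok"
    if days_since_change < change_interval + grace_period:
        return "expired"
    return "locked"


def _digest(password: str, salt: bytes) -> bytes:
    # Slow, salted digest so a leaked history store cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class PasswordHistory:
    """Keeps digests of the last `depth` passwords so none can be reused.
    depth 0 disables the check."""

    def __init__(self, depth: int):
        self.depth = depth
        self.entries: List[Tuple[bytes, bytes]] = []    # (salt, digest), oldest first

    def is_reuse(self, candidate: str) -> bool:
        return any(hmac.compare_digest(_digest(candidate, salt), digest)
                   for salt, digest in self.entries)

    def record(self, new_password: str) -> None:
        if self.depth <= 0:
            self.entries = []
            return
        salt = os.urandom(16)
        self.entries.append((salt, _digest(new_password, salt)))
        del self.entries[:-self.depth]                    # keep only the newest `depth`


def change_password(history: PasswordHistory, current_state: str, new_password: str) -> str:
    """Outcome of a change request given the state from password_state()."""
    if current_state == "locked":
        return "denied: locked out, administrator must reset"
    if history.is_reuse(new_password):
        return "denied: password was used recently"
    history.record(new_password)
    return "changed"
```

A history depth of two is deliberately used in the test to show the weakness of a short history: a user can rotate through three passwords and land back on the first one, which is why the depth should be set well above the number of changes a user makes in a realistic period.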
Admin ECL: The default administration ECL is the default value for this field. Choose one:
• Edit: to edit the default administration ECL.
• New: to create a new administration ECL. Enter the name of the new ECL and choose options in the Workstation Security: Execution Control List dialog box. The name of the new ECL appears in this field.
Update Mode: Choose one:
• Refresh: to update workstation ECLs with changes made to the Administration ECL. If a setting appears in both the administration and the workstation ECL, the administration ECL setting overrides the workstation ECL setting.
• Replace: to overwrite the workstation ECL with the Administration ECL. This option overwrites all workstation ECL settings.
Update Frequency: Choose one:
• Once Daily: to update the workstation ECL when the client authenticates with the home server and either it has been a day since the last ECL update or the administration ECL has changed.
• When Admin ECL Changes: to update the workstation ECL when the client authenticates with the home server and the administration ECL has changed since the last update.
• Never: to prevent the update of the workstation ECL during authentication.
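The difference between Refresh and Replace matters for security: Refresh only overrides entries whose signer also appears in the administration ECL, so a permissive entry a user added locally for some other signer survives, whereas Replace discards every local entry. The following is an added example, not code from the Domino documentation or the Notes client: it models an ECL as a map from signer to permitted actions, applies both update modes, lists the local-only signers an administrator should review before choosing Refresh, and encodes the Update Frequency rule. The signer and action names are constructed for the example and are not the names Notes uses internally.

```python
# Added example (not from the Domino documentation): Refresh vs Replace
# update modes and the Update Frequency rule for a workstation ECL.
from typing import Dict, Optional, Set

ECL = Dict[str, Set[str]]      # signer name -> actions the signer is allowed


def refresh(workstation: ECL, admin: ECL) -> ECL:
    """Refresh: entries from the administration ECL are applied; where a
    signer appears in both, the administration entry wins. Signers present
    only on the workstation (for example, added by the user) are kept."""
    merged = {signer: set(actions) for signer, actions in workstation.items()}
    for signer, actions in admin.items():
        merged[signer] = set(actions)
    return merged


def replace(workstation: ECL, admin: ECL) -> ECL:
    """Replace: the workstation ECL becomes a copy of the administration ECL;
    every local entry is discarded."""
    return {signer: set(actions) for signer, actions in admin.items()}


def local_only_signers(workstation: ECL, admin: ECL) -> Set[str]:
    """Signers that survive a Refresh but not a Replace."""
    return set(workstation) - set(admin)


def should_update(frequency: str, days_since_last_update: Optional[float],
                  admin_ecl_changed: bool) -> bool:
    """Decide at authentication time whether the workstation ECL is pushed.
    days_since_last_update is None when the ECL has never been updated."""
    if frequency == "Never":
        return False
    if frequency == "When Admin ECL Changes":
        return admin_ecl_changed
    if frequency == "Once Daily":
        a_day_passed = days_since_last_update is None or days_since_last_update >= 1
        return a_day_passed or admin_ecl_changed
    raise ValueError("unknown Update Frequency: " + frequency)
```

In the test, the workstation has a local entry for a signer the administrator never approved. Refresh tightens "-Default-" and the administrator's own entry but leaves that signer's file-system and external-code rights in place; only Replace removes it.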
Allow end user to modify schedule settings: Do one:
• Check to allow users to modify the archive schedule. You can enable this setting even though private archive settings are prohibited.
• Uncheck (default) to prohibit users from modifying the archive schedule.
15. Under Location, specify the locations from which to archive. For
example, if you are using client-based archiving, you may want to
archive only from a user's office workstation, not from an Island location
or when the user has dialed in. Choose one:
• Any location: to archive from any location.
• Specific location: and then specify one or more locations.
16. On the Advanced tab, in the field "Don't delete documents that have
responses," do one:
• Check (default) to archive but not delete documents that have responses.
• Uncheck to archive and then delete documents that have responses.
17. Save the document.
Creating criteria for mail archiving
You use an Archive Criteria policy settings document to define sets of
criteria to use when archiving a Notes user’s mail documents. You create
an Archive Criteria policy settings document from within an Archive
policy settings document. After you create archive criteria, you can use it
in one or more archive policy settings documents.
When you specify archive criteria, you determine what to do with old
documents in a user's mail file. Do you archive them (copy them to an
archive database) or just delete them? If you archive them, you
determine how to "clean up" the copies of the archived mail documents
that remain in the user's mail file. And finally, you define what an old
document is.
Mail file criteria answer these questions:
• How should documents be archived? Archiving can be a combination of copying old documents to an archive database and then performing clean-up tasks on the user's mail file, or just deleting them.
• How should documents be cleaned up? Once documents have been copied to an archive database, you can either delete the copies that remain in the user's mail file, or reduce the size of the documents.
• Which documents should be cleaned up? You provide a definition of an "old document" by specifying age criteria, and then applying those age criteria either to all documents or to all documents in specified folders.
Specifying the name and location for the Archive database
By default, the archive mail database is stored in the directory archive,
located in the data directory. Archive is the default name for the archive
directory. The default name format for a user’s archive database file is
a_xxxx.nsf, where a_ is the prefix and xxxx is the name of the mail
database. The name of the archive database is based on a specified
number of characters (the default is 6) from the user’s mail file. For
example, for the end user John Smith, whose mail file is jsmith, the
archive database name is a_jsmith.nsf.
To create archive criteria policy settings
1. From the Domino Administrator, select the People & Groups tab,
and then open the Settings view.
2. Do one:
• Select the Archive policy settings document for which you want to create archive criteria settings, and then click "Edit Settings."
• Click "Add Settings" and then select Archive to create a new Archive policy settings document.
3. Select the Archive Criteria tab, and then click “New Criteria.”
Name: Enter a name that identifies the archive criteria. When you add criteria to an Archive policy settings document, this is the name that appears in the selection box. This name also appears in the user's mail folder outline under Tools - Archive.
Description: Enter a description of the criteria.
Archiving is enabled: Do one:
• Check to enable these archive criteria.
• Uncheck if you are creating archive criteria to use later.
Archive Directory: The default is archive. Enter a new name if you want to change it.
Archive Prefix: The default is the letter a followed by an underscore (a_). Enter a new prefix if you want to change it.
Archive suffix: The default is no suffix. Enter a suffix for the archive database name if you want to add one.
View a list of all policy settings documents in your domain: Expand the functional areas in the left pane.
View a list of all policies that use a policy settings document (display in the right pane): 1. In the left pane, select a policy settings document. 2. View the policies that use that policy settings document in the right pane.
View and edit a policy settings document: 1. Select a policy settings document in the left pane. 2. The selected policy settings document displays in the bottom pane. Double-click the document to edit it.
View the effective policy settings for a functional area (displays in the bottom pane): 1. Select a policy settings document in the left pane. 2. Select a policy document that uses those settings in the right pane. 3. View the effective policy in the bottom pane.
View the policy hierarchy for a domain: 1. In the field "Show policy hierarchy for," select a domain. 2. View the domain's policy hierarchy in the upper left pane.
View the differences between the effective policy and the policy settings for a policy settings document: 1. In the top right pane, select a policy settings document and make any changes to the settings. 2. In the bottom pane, choose one of the "Show" options to view either the effective policy settings or the actual policy settings document.
Chapter 10
Setting Up Domain Search
This chapter describes how to set up Domain Search, which Lotus Notes
or Web users can use to search an entire Domino domain for documents,
files, and attachments from a centralized server.
Domain Search
Notes and Web users can use Domain Search to search an entire Domino
domain for database documents, files, and attachments that match a
search query.
To support Domain Search, you need to designate a Domino server as
the indexing server, which builds a domain wide index that all Domain
Search queries run against. In order for the indexing server to build the
index, you must first create a Domain Catalog on the server — a database
that controls which databases and file systems get indexed. The indexing
server then spiders, or crawls, the servers that contain the content to be
indexed.
When a user submits a query, the results that the indexing server returns
contain only database documents to which that user has appropriate
access.
If the indexing server is set up as a Domino Web server, it can support
searches from both Lotus Notes and Web browsers.
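The statement above that results contain only documents the querying user may access is the central security property of a domain-wide index: the index itself holds text from every database the Domain Catalog lists, so the filter has to be applied against the user's access at query time, not assumed from the fact that the user could reach the search form. The following is an added example and not code from the Domino documentation or the Domino API: a small inverted index over constructed documents, each carrying a database name and an optional reader list, with a query function that drops every hit the user cannot read before returning, so that neither the result list nor its length reveals restricted documents. The database-ACL and reader-list model is a simplification of Domino's access controls.

```python
# Added example (not from the Domino documentation): access-filtered search
# over a shared index, the property Domain Search results must satisfy.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Doc:
    db: str                      # database the document lives in
    doc_id: str
    text: str
    readers: FrozenSet[str]      # empty means readable by anyone with database access


@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str]
    databases: FrozenSet[str]    # databases whose ACL grants at least Reader access


def build_index(docs: List[Doc]) -> Dict[str, Set[Doc]]:
    """Inverted index over lower-cased, whitespace-separated terms."""
    index: Dict[str, Set[Doc]] = {}
    for d in docs:
        for term in set(d.text.lower().split()):
            index.setdefault(term, set()).add(d)
    return index


def can_read(user: Principal, doc: Doc) -> bool:
    """Database ACL first, then the document's reader list."""
    if doc.db not in user.databases:
        return False
    if not doc.readers:
        return True
    return bool(doc.readers & (user.groups | {user.name}))


def search(index: Dict[str, Set[Doc]], user: Principal, query: str) -> List[str]:
    """AND-query over the index; every hit is checked with can_read() before
    it is returned, so the count of results never leaks restricted documents."""
    terms = query.lower().split()
    if not terms:
        return []
    hits = set.intersection(*(index.get(t, set()) for t in terms))
    return sorted(f"{d.db}:{d.doc_id}" for d in hits if can_read(user, d))
```

The test gives two users the same query and checks that each sees a different result set from the same index; the HR document never appears for the engineer, and the engineer-only specification never appears for the HR user.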
Support for multiple languages
With Domain Search, you can index and search on documents regardless
of their language. Even multiple-language documents can be indexed.
If users choose to display document summaries in their search results,
Domain Search cannot create these summaries in all languages. You can
use the NOTES.INI setting FT_Summ_Default_Language to specify
which language the summary should default to in these cases.
For more information, see the appendix “NOTES.INI File.”
Domain Search and single-database full-text search
Single-database full-text indexing and domain indexing are distinct
processes in Lotus Notes/Domino, and most likely you will want to use
both.
Use Domain Search for less active databases such as archives and
product specifications. Use full-text indexes for single databases for
active databases such as mail files, discussion databases,
problem-tracking databases, or any database used for generating reports.
You might also want to have single-database full-text indexes on servers
with restricted user access, or in cases where users already know what
database they want to search in.
For information on setting up full-text indexes for single databases, see
the chapter “Setting Up and Managing Full-text Indexes.”
Implementing Domain Search
Implementing Domain Search in a Domino domain involves these major
tasks:
• Planning the Domain Index
• Creating the Domain Index
• Customizing Domain Search forms
• Setting up Notes users for Domain Search
• Setting up Web users for Domain Search
Server configurations for Domain Search
This topic describes required and optional configurations for the servers
you use for Domain Search.
Configuration for the Domain Catalog
It is best to set up the Domain Catalog on the same server that indexes
the Domino domain. If you have a very large number of databases to
catalog, you can decrease network traffic by running the Catalog task
nightly on all servers. That way, when the Catalog task runs on the
server that contains the Domain Catalog, the Domain Catalog uses pull
replication from the local catalogs rather than spiders every database.
You can shorten the time it takes to run the Catalog task by splitting it
among several servers: Server A catalogs servers 1 to 25, Server B
catalogs servers 26 to 50, Server C catalogs servers 51 to 75, and so on.
You can also limit the scope of the Domain Catalog by using the “Limit
domain cataloging to the following servers” field.
10-2 Administering the Domino System, Volume 1
Configurations for the Domain Index
The indexing server must be capable of handling the load of creating
indexes and handling user queries. The indexing server should be fast,
powerful, and have a large amount of disk space. Multiple processors, a
large amount of RAM, and multiple high-volume drives will increase the
efficiency and capabilities of searches.
For indexing servers running Windows NT or Windows 2000, the
following minimum configuration is required:
An Intel Pentium II 350MHz processor
256MB RAM
Free disk space equal to approximately 30 percent of the size of the
data being indexed
For information on estimating the size of the data to be indexed, see
the topic “Estimating the size of the Domain Index” later in this
chapter.
If your organization has more than six Domino servers, dedicating one
server as the indexing server provides optimal performance.
Consider clustering indexing servers to ensure greater reliability and
fault-tolerance and to balance the load from user queries. If you use
clustered indexing servers, create a replica of the Domain Catalog on
each of those clustered servers.
For more information, see the book Administering Domino Clusters.
Domain Search over a WAN
If your organization is geographically dispersed, cataloging databases
over a WAN is the only way that different locations can share a single
Domain Index. The cataloging server should access the WAN directly
rather than through a hub server, because cataloging uses large amounts
of processing resources.
To index data in different locations, you can choose to replicate all
databases to be indexed to servers in the same location as the indexing
server, thus eliminating the need for the indexing server to spider over
the WAN. The servers containing the databases to be indexed should be
ones with fast LAN connections. Even within the same location,
databases on servers with slow LAN connections should be replicated to
ones with fast connections.
Tip You can use replication events in the Notes Log as a guide for
determining which servers have fast connections by looking at the
information for the Domain Catalog database (CATALOG.NSF).
Setting Up Domain Search 10-3
Determine which servers the Catalog was able to do pull replication with
in an average time of less than 1 minute.
Reset the “Include in multi database index” database property for each
replica on the servers to be indexed, because this setting does not always
replicate.
When you create the Domain Index, use the “Limit domain wide
indexing to the following servers” field to limit indexing to these servers.
Planning the Domain Index
Because the initial process of spidering databases and file systems and
creating a full-text index for an entire Domino domain can take days or
even weeks, it is important to plan carefully before starting the indexing
server. The more you have thought about what data sources should be
indexed, how they should be categorized in the Domain Catalog and
search form, and how much space your Domain Index requires, the less
work you will have to do.
Note Indexing unnecessary databases causes users’ search results to be
less meaningful, takes up space on the server, and adds time to the
indexing process, which indexes about 700MB to 1GB of information per
hour, depending on hardware and the content being indexed. At a
minimum, avoid indexing the following types of databases:
Administration Requests databases, database catalogs, database libraries,
Event message databases, log databases, mail databases, portfolio
databases, and server statistics databases.
Here is a methodology for planning the Domain Index.
1. Use the Domain Catalog to control settings for which databases to
index.
2. (Optional) Use the Domain Catalog to control settings for which file
systems to index.
3. (Optional) Estimate the size of the Domain Index.
4. (Optional) Prevent attachments from being indexed.
5. Use the Domino Administrator to assign each database to be indexed
to one or more categories in the Domain Catalog and the search
form.
6. Analyze any security issues that implementing Domain Search in
your organization might raise.
The Domain Catalog
The Domain Catalog, a database that uses the CATALOG.NTF template,
controls which databases and file systems get indexed for Domain
Search. Even if your organization is not implementing Domain Search,
the Domain Catalog is a useful administrative tool for such tasks as
keeping track of the location of database replicas.
You create the Domain Catalog by enabling the Catalog task on the
server that will index the Domino domain.
The portions of the Domain Catalog of interest to the Domain Search
administrator are those that indicate which databases and file systems
the indexing server will include in the Domain Index, as well as the
forms used to search the index. Database designers and managers select
a database for indexing by enabling the database property “Include in
multi database indexing.” (Administrators can configure this setting for
multiple databases using the Domino Administrator.) These settings are
saved to the Domain Catalog when the Catalog task runs.
Administrators can also control which databases are included in the
Domain Index by customizing the selection formula for a hidden view
($MultiDbIndex) in the Domain Catalog.
Administrators specify which file systems to index by adding a File
System document to the Domain Catalog for each file system on a server.
Because the Catalog task creates the Domain Catalog by using pull
replication of the database catalogs on individual servers, updating the
Domain Catalog is usually not a lengthy process if you have already
created a database catalog on every server. What can be time consuming,
however, is rebuilding the views in the Domain Catalog after an update.
For more information on creating database catalogs, see the chapter
“Setting Up Database Libraries and Catalogs.” For more information on
rebuilding views, see the chapter “Maintaining Databases.”
Domain Catalog views
The Domain Catalog’s views provide information about the databases,
servers, and users in the Domino domain.
Hidden views
You can display hidden views in the Domain Catalog by holding down
CTRL-SHIFT as you open the Catalog. Server tasks use hidden views to
access information quickly. The hidden views $MultiDbIndex and
$FileSystem are the work queues for the Domain Indexer task. These
views show which databases and file systems will be spidered to create
the Domain Index. The $MultiDbIndex view is sorted by replica ID,
number of documents in the replica, and server to ensure that the most
recent replica (the one containing the greatest number of documents) is
the one included in the Domain Index.
Creating the Domain Catalog
You create the Domain Catalog by enabling the Catalog task on the
server that hosts the Catalog for the Domino domain. The Catalog task
uses pull replication to create the Domain Catalog from the individual
catalogs you have created on servers throughout the Domino domain.
You can replicate the Domain Catalog to other Domain Catalog servers
(such as those in a cluster).
1. From the Domino Administrator, select the server that you want to
contain the Domain Catalog.
2. Click the Configuration tab.
3. Expand the Server section in the view pane.
4. Click Current Server Document.
5. Click Edit Server, and then click the Server Tasks - Domain Catalog
tab.
6. In the Domain Catalog field, select Enabled.
7. Click OK.
8. To change the scope of the Domain Catalog, select the servers that
you want to include in the “Limit domain cataloging to the following
servers” field. Use wildcard characters to index all servers certified
with a specific certifier — for example */Sales/East/Acme. If the
field is blank (default), all servers in the domain are cataloged.
Tip Use this field to limit the scope of the Domain Catalog to
regional locations or to expand its scope to multiple Domino
domains by cataloging multiple Domain Catalog servers.
9. Click “Save and Close.”
10. Make sure the Catalog task is included in the ServerTasksAt1 setting in
the server’s NOTES.INI file, or use another method (start the Catalog
task at the console or create a Program document) to run the task.
When the Catalog task starts for the first time, Domino creates the
Domain Catalog database based on the CATALOG.NTF template and
adds entries to the ACL so the database replicates properly within the
domain. The Administration Process creates the group
LocalDomainCatalogServers in the Domino Directory and adds the
server that contains the Domain Catalog to that group.
Selecting which databases to include in the Domain Index
The indexing server spiders databases that have the option “Include in
multi database indexing” selected on the Design tab of the Database
Properties box.
Begin by using the hidden view $MultiDbIndex in the Domain Catalog to
see which databases have already been selected to be included in the
Index by database managers. If you see databases in the view that should
not be in your Domain Index, such as personal mail databases or
databases of limited interest, or if important databases are missing from
the view, either customize the $MultiDbIndex view’s selection formula or
use the Domino Administrator to include or exclude databases.
Using $MultiDbIndex to view which databases will be indexed
1. From the Domino Administrator, choose File - Database - Open.
2. Select the cataloging server for the domain, and then select Domain
Catalog.
3. Hold down CTRL-SHIFT and click Open.
The Domain Catalog opens and displays its hidden views.
4. In the view pane, click $MultiDbIndex.
The view displays the replica ID of each database that will be
included in the Domain Index, followed by a line of information
about each replica.
Note If multiple replicas of a database were selected for indexing,
Domain Search selects the replica containing the greatest number of
documents.
Using $MultiDbIndex to change which databases will be indexed
Customizing the selection formula for the $MultiDbIndex view is the
simplest and best way to control which databases are included in the
Domain Index.
The following is an example of a custom selection formula. In this
example, the indexing server will ignore “Include in multi database
indexing” settings and index only databases in the smoketestdata
directory on servers that contain “hub” in the server name.
SELECT @IsAvailable(ReplicaID) &
@IsUnavailable(RepositoryType) & @Contains((pathname);
"smoketestdata") & @Contains((server); "hub")
Using Domino Administrator to change which databases will be
indexed
You can use the Domino Administrator to select or deselect the “Include
in multi database indexing” option on multiple databases at the same
time.
1. From the Domino Administrator, select the server that contains the
databases you want to include in or exclude from the Domain Index.
2. Click the Files tab.
3. Make sure you have Manager access in the ACL for each database
you want to include or exclude.
Tip On the Files tab, you can right-click a database and choose
Access Control - Manage to display its ACL.
Note If you want to include databases whose ACLs restrict default
access, make sure that the LocalDomainServers or
LocalDomainCatalogServers group has at least Reader access to each
database you want to include.
4. Select the databases you want to include or exclude.
Note If you plan to limit the servers to be indexed and have placed
replicas on those servers, you might need to select those replicas
now, even if the “Include in multi database index” database
property was set in the original databases, because this setting does
not always replicate.
5. In the Tools pane on the right, select Database - Multi-Database
Index.
6. Select Enable or Disable.
7. Click OK.
8. Assign categories for each database that you included.
For information on assigning categories, see the topic “Assigning
database categories for the Domain Search form” later in this
chapter.
Selecting which file systems to include in the Domain Index
For each server in a domain, you can create a File System document in
the Domain Catalog to specify which file system directories to include in
the Domain Index. You can index any file system that resides on the
indexing server or on a network resource mapped to that server, as long
as the server has at least Read access to the file system.
For file system searches, the indexing server must also be set up as a
Domino Web server. This allows the server to return links to documents
in the file system and to return those documents in response to queries
from both Notes and Web clients.
For information on setting up a Web server, see the chapter “Setting Up
the Domino Web Server.”
Caution Domain Search filtering of results to users based on access
works only with Domino databases.
For more information on file system security and Domain Search, see the
topic “Domain Search security” later in this chapter.
To select which file systems to include
Add a reference to each file system in the File System document, and
then map the URL path to the file system directory so that the Domino
Web server can retrieve the found documents for users. Complete the
following steps for each server that has file systems you want to index.
1. Start the Domino Administrator or Notes client.
2. Choose File - Database - Open.
3. In the Server field, select the server that contains the Domain
Catalog.
4. Select the Domain Catalog and click Open.
5. In the view pane, click File Systems.
6. Click “Add File System.”
7. Select the server that contains the file system you want to index.
8. Beside the “Current file system list” box, click Add.
9. In the Add File System dialog box, enter the location of a file system
to include, for example c:\lotus\domino\data\files.
10. Enter a keyword, such as “files,” to associate with the file system.
You need to use this keyword in Step 14, as the portion of the
incoming URL pattern that follows the forward slash (/).
11. Click OK to add the file system to the list.
12. Repeat Steps 8 through 11 to add more file systems to the list.
13. When you have completed the list, click “Save and Close.”
14. Create a Web Site Rule document for the Web site for this file system.
This step is needed to map the incoming URL pattern to the file
system directory on the target server.
For more information, see the chapter “Setting Up the Domino Web
Server.”
15. Restart the server, or enter this command at the server console so
that the mapping settings take effect:
tell http restart
Assigning database categories for the Domain Search form
On the Design tab of the Database Properties box, you can assign one or
more categories to each database to be included in the Domain Index.
These categories appear on the search form to provide a user with a way
to narrow a search. Categories are also displayed in views of the
database catalog and Domain Catalog. You must have Manager access to
a database to create the categories.
Note Searching within categories is supported only for Domino
databases. Whenever a user specifies a category on the search form,
search results will not include any documents from file systems.
Use the Categories view in the Domain Catalog to see whether database
managers have assigned databases to appropriate categories. To edit or
add categories, use Database Properties for each database.
To view the search categories
1. Open the Domain Catalog.
2. In the view pane, click Databases and then click By Categories to
view a list of categories.
3. To see information on the databases that have been included in each
category, select View - Expand All.
To add or change search categories
1. From the Domino Administrator, select the server that contains the
databases to which you want to assign categories.
2. Click the Files tab.
3. Make sure you have Manager access in the ACL for each database to
which you want to assign a category.
Tip On the Files tab, you can right-click a database and choose
Access Control - Manage to display its ACL.
4. Select the database that you want to categorize.
5. Choose File - Database - Properties.
6. Click the Design tab.
7. Make sure “List in Database Catalog” is selected.
8. In the Categories box, enter one or more categories for the database.
Separate category names with a comma.
Estimating the size of the Domain Index
The size of a Domain Index is related to the size of the data being
indexed, not to the size of the database. A small database with a lot of
text can generate a larger index than a large database that has a lot of
design elements. There is no easy way to measure the data in a database,
but you can use a percentage of database size to estimate the size of the
Domain Index.
You can use the hidden view $MultiDbIndex in the Domain Catalog to
find the sizes of all databases selected for indexing. You can also use this
view to find out which of these databases have already been indexed
individually by their database managers — and use full-text index size as
a more accurate indicator of the space a database will take up in the
Domain Index.
1. From the Domino Administrator, choose File - Database - Open.
2. Select the cataloging server for the domain, and then select Domain
Catalog.
3. Hold down CTRL-SHIFT and click Open.
4. In the view pane, click ($MultiDbIndex).
5. For each database listed, double-click the database entry to display
the Database Entry document.
Note If more than one replica of a database is listed, the indexing
server indexes the replica on the server you include in the “Limit
domain wide indexing to the following servers” field when you
create the index. If this field is blank, the indexing server indexes the
replica with the greatest number of documents.
6. Do one of the following for each database set to be part of the
Domain Index:
If there is a value in the “Number of bytes indexed” field on the
Full Text tab, record it.
If there is no value in the “Number of bytes indexed” field, record
a number between 20 and 40 percent of the value in the Database
size field on the Database tab. Record 20 percent if the database is
heavy on design, 40 percent if it is heavy on text.
7. Add the values from Step 6 to obtain an estimate of the Domain
Index in bytes.
Tip To convert your estimate to megabytes, divide by 1024 twice.
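An added example, not from the manual, that carries the estimate above through in Python for a constructed $MultiDbIndex listing, including the replica choice described in the Step 5 note; the replica IDs, server names, paths and sizes are made up.

```python
"""Added example (not part of the Domino manual): estimates the Domain Index
size using the percentages in the procedure above, over a constructed
$MultiDbIndex listing. All entries below are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CatalogEntry:
    """One replica as listed in the $MultiDbIndex view (simplified)."""
    replica_id: str
    server: str                 # hierarchical server name
    path: str                   # path relative to the data directory
    documents: int              # number of documents in this replica
    database_size: int          # bytes, from the Database tab
    bytes_indexed: Optional[int] = None  # "Number of bytes indexed" on the Full Text tab, if any
    text_heavy: bool = False    # True -> 40 percent rule, False -> 20 percent rule


def server_matches(server, pattern):
    """'*/West/Acme' matches every server certified under /West/Acme."""
    if pattern.startswith("*/"):
        return server.endswith(pattern[1:])
    return server == pattern


def estimate_bytes(entry):
    """Step 6: prefer the existing full-text index size; otherwise 20 or 40
    percent of the database size (integer arithmetic, no float rounding)."""
    if entry.bytes_indexed is not None:
        return entry.bytes_indexed
    percent = 40 if entry.text_heavy else 20
    return entry.database_size * percent // 100


def choose_replica(replicas, limit_servers):
    """Step 5 note: with a 'Limit domain wide indexing' list, only replicas on
    listed servers qualify; among qualifying replicas the one with the most
    documents is indexed. Returns None if no replica qualifies."""
    if limit_servers:
        replicas = [r for r in replicas
                    if any(server_matches(r.server, p) for p in limit_servers)]
    if not replicas:
        return None
    return max(replicas, key=lambda r: r.documents)


def estimate_domain_index(entries, limit_servers=()):
    """Step 7: sum the per-database estimates. Returns (total_bytes, chosen)
    where chosen lists the (server, path) of each replica counted."""
    by_replica = {}
    for e in entries:
        by_replica.setdefault(e.replica_id, []).append(e)
    total, chosen = 0, []
    for replicas in by_replica.values():
        r = choose_replica(replicas, limit_servers)
        if r is None:
            continue
        chosen.append((r.server, r.path))
        total += estimate_bytes(r)
    return total, chosen


def to_megabytes(nbytes):
    """Tip: divide by 1024 twice."""
    return round(nbytes / 1024 / 1024, 1)


MB = 1024 * 1024
# Constructed listing: two replicas of the specs archive, plus two other databases.
SAMPLE = [
    CatalogEntry("8525A1", "Hub/Acme", "archive\\specs.nsf", 12000, 500 * MB, bytes_indexed=150_000_000),
    CatalogEntry("8525A1", "Branch/West/Acme", "archive\\specs.nsf", 11500, 520 * MB, text_heavy=True),
    CatalogEntry("8525B2", "Branch/West/Acme", "hr\\policies.nsf", 800, 100 * MB),
    CatalogEntry("8525C3", "Apps/East/Acme", "apps\\tracking.nsf", 3000, 50 * MB, bytes_indexed=30_000_000),
]

if __name__ == "__main__":
    total, chosen = estimate_domain_index(SAMPLE)
    print(f"Whole domain: {to_megabytes(total)} MB over {len(chosen)} databases")
    total, chosen = estimate_domain_index(SAMPLE, limit_servers=["*/West/Acme"])
    print(f"Limited to */West/Acme: {to_megabytes(total)} MB over {len(chosen)} databases")
```

With the limit set to */West/Acme the tracking database drops out entirely and the specs archive is counted from its West replica, so the estimate changes even though the same databases are flagged for indexing.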
Excluding attachments from the Domain Index
The following types of attachments are excluded from the Domain Index
by default: .au, .cca, .dbd, .dll, .exe, .gif, .img, .jpg, .mp3, .mpg, .mov, .nsf,
.ntf, .p7m, .p7s, .pag, .sys, .tar, .tif, .wav, .wpl, .zip.
To exclude all other types of document attachments, set the following
NOTES.INI variable for the indexing server:
FT_Index_Attachments=2
Domain Search security
When a user performs a Domain Search on Domino databases, Domain
Search checks each result against the ACL of the database in which the
result was found to verify that the user has access to read the document.
To perform this check, the Domain Catalog contains a listing for all
databases that includes each database’s ACL. For Domino to include a
link to a result document in a user’s result set, the user must have the
necessary access to read the document — that is, have at least Reader
access to the database that includes the document and be included in the
Readers field, if the document has one. The security check works as follows:
1. Domino checks the -Default- entry in the database access control list.
If the -Default- entry has Reader access or greater, the user can
read the document, and Domino returns the result in the result set.
If the -Default- entry has less than Reader access, Domino checks
whether the user has Reader access or greater in the ACL. If not,
Domino does not include the document in the result set because
the user is not authorized to read that document.
2. If the user has Reader access or greater, Domino checks whether the
result document has a Readers field.
If the result document does not have a Readers field, the user can
read the document, and Domino returns the result in the result set.
If the result document has a Readers field, Domino checks
whether the user is included in the Readers field. If not, Domino
does not include the document in the result set because the user is
not authorized to read that document.
If the user is included in the Readers field, the user can read the
document, and Domino returns the result in the result set.
Caution The security checking works only for search results from
Domino databases. Results from file system searches depend on file
system security — users see the search result even if they are not
authorized to view the document. Thus, users may not be able to access
all search results or they might be able to discern confidential
information from the existence of a particular search result. Be sure to set
file system security properly and index only file systems for which
security is not a high priority.
Tip If you want to index file systems for which security is a high
priority, you can attach the files to Notes documents in a database
selected for indexing.
Search security and server access lists
If you use server access lists within a domain to limit access to
information, you might need to check the ACLs of databases on those
servers to ensure that results are filtered. Otherwise, a search might
return a result to a user who cannot access the result document. In some
cases, users might be able to discern confidential information from a
search result.
For example, the Acme corporation has two application servers,
App-E/East/Acme and App-W/West/Acme. Acme users are certified
with one of two organizational unit certifiers: /East/Acme or
/West/Acme. App-E/East/Acme does not allow access to any user with
a /West/Acme certificate. Databases on the server have the -Default-
setting in their ACLs set to Reader to ensure that /West/Acme users
cannot access those databases.
When Acme implements Domain Search, /West/Acme users who query
Domain Search might receive search results that include links to and
summaries of documents in databases on App-E/East/Acme, because
the ACLs of those databases do not prohibit /West/Acme users from
seeing those results. (On Windows systems, document summaries are
included in the search results if users select the Detailed Results option.)
The server access lists continue to maintain database security in this
environment, because /West/Acme users cannot access documents from
those links, but the mere existence of links and summaries could reveal
confidential information to the /West/Acme users.
To avoid this issue, check the ACLs for databases that are protected by
server access lists to ensure that they are set to filter correctly. To do this,
assume that the server access list does not exist. Change the ACL so that,
in the absence of a server access list, the database would be secured
appropriately. This ensures that when Domain Search checks the
database ACL, it filters out results that users cannot access.
If you are running Domino on Windows and are not sure that you can
properly maintain database ACLs, you might want to prevent anyone
from seeing document summaries by setting the indexing server’s
NOTES.INI variable to FTG_No_Summary=1.
Note This example assumes that the indexing server has a certificate
that allows access to both App-E/East/Acme and App-W/West/Acme.
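As an added example that is not part of the manual, the following Python models the two-step result check from “Domain Search security” and the Acme server-access-list scenario above; the user names, database paths and ACL entries are constructed, and ACL resolution is simplified to an explicit name entry, then wildcard certifier entries, then -Default-.

```python
"""Added example (not part of the Domino manual): models the Domain Search
result filter described above and the Acme server-access-list pitfall.
Names, paths and ACL entries are constructed; ACL resolution is simplified."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Domino ACL levels from weakest to strongest; Reader or greater is needed to read.
ACL_LEVELS = ["No Access", "Depositor", "Author", "Reader", "Editor", "Designer", "Manager"]


def at_least_reader(level):
    return ACL_LEVELS.index(level) >= ACL_LEVELS.index("Reader")


def name_matches(entry, user):
    """'*/West/Acme' matches any name certified under /West/Acme."""
    if entry.startswith("*/"):
        return user.endswith(entry[1:])
    return entry == user


@dataclass
class Database:
    server: str
    path: str
    default_access: str                                 # the -Default- ACL entry
    acl: Dict[str, str] = field(default_factory=dict)   # explicit entries: name or */cert -> level


@dataclass
class Document:
    db: Database
    title: str
    readers: Optional[List[str]] = None      # Readers field, None if the document has none


def user_acl_level(db, user):
    """Simplified resolution: an explicit name entry wins, then the most
    permissive matching wildcard entry, then -Default-."""
    if user in db.acl:
        return db.acl[user]
    wild = [lvl for entry, lvl in db.acl.items()
            if entry.startswith("*/") and name_matches(entry, user)]
    return max(wild, key=ACL_LEVELS.index) if wild else db.default_access


def can_see_result(doc, user):
    """The two-step check: ACL first (step 1), then the Readers field (step 2)."""
    if not at_least_reader(user_acl_level(doc.db, user)):
        return False                          # less than Reader in the ACL
    if doc.readers is None:
        return True                           # no Readers field on the document
    return any(name_matches(r, user) for r in doc.readers)


def filter_results(hits, user):
    """Return the titles Domain Search would place in this user's result set."""
    return [d.title for d in hits if can_see_result(d, user)]


def acls_relying_on_server_access_list(dbs):
    """Defender check from the advice above: assume the server access list does
    not exist and report databases whose -Default- entry alone lets anyone read."""
    return [f"{d.server}!!{d.path}" for d in dbs if at_least_reader(d.default_access)]


# Constructed Acme scenario: App-E/East/Acme's server access list keeps
# /West/Acme users off the server, but Domain Search only consults the ACL.
WEAK_DB = Database("App-E/East/Acme", "east\\plans.nsf", default_access="Reader")
HARD_DB = Database("App-E/East/Acme", "east\\plans.nsf", default_access="No Access",
                   acl={"*/East/Acme": "Reader"})


def demo(db):
    """Filter three constructed hits for one East user and one West user."""
    hits = [Document(db, "Q3 merger plan"),
            Document(db, "Board minutes", readers=["*/East/Acme"]),
            Document(db, "Exec compensation", readers=["CEO/East/Acme"])]
    return {user: filter_results(hits, user)
            for user in ("Alice Smith/East/Acme", "Bob Jones/West/Acme")}


if __name__ == "__main__":
    print("-Default- = Reader:   ", demo(WEAK_DB))   # Bob still gets a link and summary
    print("-Default- = No Access:", demo(HARD_DB))   # Bob gets nothing
    print("ACLs to review:", acls_relying_on_server_access_list([WEAK_DB, HARD_DB]))
```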
Creating and updating the Domain Index
The indexing server relies on the Domain Catalog to tell it which
databases and file systems to include in the Domain Index. You use the
Server document to enable the Domain Indexer task and set a schedule
for it to run. By default, the Domain Indexer task runs once an hour.
To set the Domain Indexer task
1. If you have Web clients, make sure you have set up the indexing
server, as well as each server to be spidered by the indexer, as a
Domino Web server.
For more information on setting up a Domino Web server, see the
chapter “Setting Up the Domino Web Server.”
2. Make sure you have created the Domain Catalog on the indexing
server.
For more information, see the topic “The Domain Catalog” earlier in
this chapter.
Note The Catalog task that creates the Domain Catalog must have
finished before you start the Domain Indexer task.
3. From the Domino Administrator, select the server that you want to
be the indexing server.
4. Click the Configuration tab.
5. Expand the Server section in the view pane.
6. Click Current Server Document.
7. Click “Edit Server,” and then click the Server Tasks - Domain
Indexer tab.
8. In the Schedule field, select Enabled.
9. Click OK.
10. Set the indexing schedule to meet the needs of your organization.
11. Select the servers that you want to include in the index in the “Limit
domain wide indexing to the following servers” field. Use wildcard
characters to index all servers certified with a specific certifier — for
example */Sales/East/Acme. If the field is blank (default), the
Domain Indexer indexes all databases for which the “Include in
multi database indexing” property is enabled.
12. If you have Web clients, do the following to allow the indexing
server to form valid URLs when the results of a search are displayed
in a browser:
a. Click the Internet Protocols - HTTP tab.
b. For the host name, enter the fully qualified name of the computer
that serves as the indexing server, for example,
servername.acme.com.
c. Click the Domino Web Engine tab.
d. Under Generating References to this Server, enter the
information for the indexing server. Make sure you use the
server’s fully qualified domain name in the Host name field.
e. Under Conversion/Display, in the “Redirect to resolve external
links” field, select “By Database.”
Selecting “By Database” allows the indexing server to resolve more
URLs for users. If the indexing server can’t resolve the database link
in a URL, it checks with the Domain Catalog to locate a replica of the
database.
13. Click “Save and Close.”
14. Restart the server by entering this command:
restart server
The Domain Indexer runs when next scheduled.
Note The indexing server must complete the initial indexing pass before
users can perform searches. Check the Domain Indexer Status view in the
Domain Catalog to be sure the initial pass is complete.
Tuning Domain Indexer performance
Each time the Domain Indexer task runs, it looks in the Domain Catalog
for new databases that have the “Include in multi database indexing”
property enabled. It then looks for documents and files in existing
databases and file systems that are new or changed since the last time it
ran, and adds them to the Domain Index.
To meet the specific needs of your organization, adjust the frequency
with which the Domain Indexer runs. Greater frequency results in more
up-to-date indexes, but consumes greater CPU resources. By default, the
Domain Indexer task runs every 60 minutes. Experiment with different
indexing frequencies to yield the best results for your organization.
You can also enhance search performance by tuning the number of
indexing threads used by Domain Search. Each indexing thread indexes
one repository at a time. With a greater number of threads, the indexing
server can index more databases simultaneously, but this requires more
CPU utilization, and response to search queries may be slow. With fewer
indexing threads, response to queries is faster because of greater CPU
availability, but changes are not reflected in the index as quickly.
By default, the indexing server uses two indexing threads per CPU, so a
server with two CPUs uses four indexing threads when indexing. By
adding the variable FT_Domain_Idxthds=n to the NOTES.INI file of the
indexing server, you can control the total number of threads used for
indexing on that server. For example, by adding
“FT_Domain_Idxthds=8” to the NOTES.INI file of an indexing server
with two CPUs, you change the number of indexing threads to eight.
Note Do not exceed eight threads per server or you may degrade the
performance of the server, even on servers with more than four CPUs.
Changing the location of Domain Index files
By default Domain Index files are placed in a directory named
FTDOMAIN.DI in the Domino data directory of the indexing server. You
can change the location of the Index files by specifying a different
directory in the following NOTES.INI setting:
FT_Domain_Directory_Name=directory
Deleting databases from the Domain Index
You must have Manager access to a database to delete it from the
Domain Index.
The database will be deleted from the index after the next update has
been performed by both the Catalog task and the Domain Indexer task.
1. From the Domino Administrator, select the server that contains the
databases that you want to delete from the Domain Index.
2. Click the Files tab.
3. Make sure you have Manager access in the ACL for each database
you want to delete.
Tip On the Files tab, you can right-click a database and choose
Access Control - Manage to display its ACL.
4. Select the databases you want to delete.
5. In the Tools pane on the right, click Database and then select
Multi-Database Index.
6. Select Disable.
7. Click OK.
Note Removing a database from the Domain Catalog or deleting every
copy of a database also has the effect of deleting the database from the
Domain Index.
Backing up the Domain Index and Catalog
Back up the Domain Index and the Domain Catalog as often as necessary
to be useful to your organization. Weekly backups are probably sufficient
for most organizations.
Backing up the Domain Index
Make sure you back up the entire FTDOMAIN.DI subdirectory on the
indexing server as soon as the server has completed building the index
for the first time.
Caution Before you back up the Domain Index, check the Domain
Indexer Status view in the Domain Catalog to make sure that the Domain
Indexer task has finished — if you attempt to back up the Domain Index
while the Domain Indexer task is running, catastrophic data loss can
result.
Backing up the Domain Catalog
You can include the Domain Catalog (CATALOG.NSF) in the databases
for transaction logging. However, do not back up the Catalog while the
Catalog task is running.
For more information on transaction logging, see the chapter
“Transaction Logging and Recovery.”
Customizing Domain Search forms
Domain Search includes several default forms, including forms for
searching, specifying file systems, and presenting results.
Both the search and results forms can be customized to suit
organization-specific needs. An application developer can, for example,
add a corporate logo to either form, or rearrange the fields.
For more information on customizing search forms, see the book
Application Development with Domino Designer.
The developer can create additional search forms, and you can use setup
policy settings (for new users) or desktop policy settings (for existing
users) to provide bookmarks to the new forms to users. For example,
users might use one form to search only Human Resources databases, or
use another form to store searches for future use. The bookmarks for
search forms appear in the user’s More Bookmarks folder.
For more information on using policy settings, see the chapter “Using
Policies.”
10-18 Administering the Domino System, Volume 1
Results forms — where do the document titles come from?
When viewing a Domain Search results form, it can be helpful to know
where the Domain Indexer finds the document titles that it displays in
the results. The Indexer checks each document for the following Notes
fields or items that might represent the document’s title: Title, Subject,
Headline, and Topic field; window title (as designated by the developer
of that Domino application); and view summary (using the default form
and default view). If the Indexer can’t find any of these items,
“Document has no title” is displayed in the results.
Note Computing the window title for large numbers of documents
requires CPU utilization. You can omit this computation by adding the
following setting in the indexing server’s NOTES.INI file:
FT_No_Compwintitle=1
In file systems such as IBM Lotus SmartSuite® or Microsoft® Office, the
title and author are extracted from the document properties fields. For
HTML files, TITLE and AUTHOR tags are used.
Setting up Notes users for Domain Search
Notes users can perform domain searches as soon as you add the
designated indexing server to the “Catalog/Domain Search server” field
in their Location documents.
For information on how users perform domain searches, see Lotus Notes
6 Help.
Using Policies
After you set up a Domain Search server for a Domino domain, you can
use policies to automate the process of setting up Domain Search for new
or existing Notes users in that domain. For new users, record the name of
the Domain Search server in setup policy settings; for existing users,
record the server’s name in desktop policy settings. Setup policy settings
populate the new user’s Location document at registration. Whenever
existing users authenticate with their home server, Lotus Notes checks
desktop policy settings and updates the current Location document with
the name of the Domain Search server.
For more information on policy settings, see the chapter “Using Policies.”
Manual setup from a Notes workstation
The following circumstances require users to set up Domain Search at
their workstations.
A new user wants to do a domain search before the workstation has
authenticated with its home server.
A user wants to be able to do domain searches from alternate Notes
locations.
A user wants to do a domain search in a Domino domain other than
the one to which the user belongs.
To perform the setup:
1. Start the Notes client.
2. Choose File - Mobile - Edit Current Location.
3. Do the following for each location for which you want to use Domain
Search:
a. Click the Servers tab.
b. In the “Catalog/domain search server” field, enter the name of
the indexing server.
c. Click Save and Close.
Note If the user enters the name of the indexing server incorrectly or
specifies a server that is not an indexing server, Notes returns an error.
Tip If users enter the name of an indexing server in a Domino domain
other than their own but you have included the name of their indexing
server in the desktop policy settings applied to them, the
“Catalog/domain search server” field reverts to the policy setting the
next time the users authenticate with their home server. To preserve links
to an indexing server in another Domino domain, users can bookmark
the search form from that server while they are performing a search.
Setting up Web users for Domain Search
For Web users to have access to Domain Search functionality, the
indexing server, as well as all the servers being spidered by the indexer,
must be set up as Domino Web servers.
For information on setting up a Domino Web server, see the chapter
“Setting Up the Domino Web Server.”
When you are ready to roll out Domain Search to Web users, the Web
application developer must add to the site’s home page a link to the
search form, which is contained in the Domain Catalog on the indexing
server.
To see for yourself what performing a domain search is like for a browser
user, you can use a URL command in your browser to simulate such a
link. Enter the following command in your browser, substituting the
common name of your indexing server for servername:
http://servername/catalog.nsf?domainquery
When the search form displays, you can define your search. If you have
properly configured the indexing server and the servers holding the
data, your search results display links that can be successfully followed
to each document found.
Using content maps with Domain Search
Content maps let users browse for information rather than search for it
using full-text search. Content maps organize documents by topics, or
content, into categories that are similar to the categories on sites such as
AltaVista and Yahoo!
You can assign document content categories for documents in the
Domain Catalog to organize information in a content map.
To assign content categories
You can assign content categories to both Lotus Notes documents and
Web URLs. You assign content categories from a Lotus Notes client, and
you must have Author access to the Domain Catalog database.
1. Start the Lotus Notes client.
2. Do one of the following:
To categorize a Notes document, navigate to the document. You
must have at least Editor access to the document (or Author access
if you created the document).
To categorize a Web URL, make sure that the default browser in
your Location document is set to Lotus Notes. Then, in the Lotus
Notes client, navigate to the Web page by clicking the Open URL
icon (top right) and entering the URL in the Address field.
3. Choose File - Document Properties.
4. Click the Meta tab (plus sign).
5. Do one of the following:
To assign the document to an existing category, click Categorize,
select one or more categories, and click OK.
To assign the document to a new category, type the category name
in the Keywords field.
6. Click “Post to Catalog.”
Note If the “Post to Catalog” button is dimmed, try clicking another
field on the Meta tab, or click another tab and then return to the Meta
tab, to enable it.
For a Lotus Notes document, click the “Post to Catalog” button to
add content category information to hidden meta fields in the
document header and to add a content categories document for the
document to the Content by Category view in the Domain Catalog.
For a Web URL, click this button to add a content categories
document for the URL to the Content by Category view in the
Domain Catalog.
To view content categories
The Domain Catalog displays content categories in the Content - By
Category view.
1. Start the Lotus Notes client.
2. Click the arrow to the right of the search icon:
3. Choose Domain Search.
4. Click Browse Catalog.
5. In the view pane, click Content and then click By Category.
6. Expand the categories to display document and URL titles.
7. Double-click a document or URL title to open a link to the document
or URL.
You can customize the Content by Category view to suit
organization-specific needs.
For more information on customizing views, see the book Application
Development with Domino Designer.
To change content categories
You change content categories by editing the DocContent Link
documents in the Domain Catalog. You must have Editor access to the
Domain Catalog.
1. Start the Lotus Notes client.
2. Click the arrow to the right of the search icon.
3. Choose Domain Search.
4. Click Browse Catalog.
5. In the view pane, click Content and then click By Category.
6. Expand the categories to display document or URL titles.
7. Select an entry to re-categorize and choose Actions - Edit Document.
This displays the DocContent Link document for the entry.
8. Specify a new category in the Keyword field.
9. Click “Save and Close.”
Note This procedure updates the category information for this entry in
the Domain Catalog but does not change the category information saved
in the meta fields of the document itself.
NOTES.INI settings for Domain Search
The following table describes the NOTES.INI settings that pertain
specifically to Domain Search.
For more information on these settings, see the “NOTES.INI File”
appendix.
Setting Description
FT_Domain_Directory_Name Specifies the directory for the Domain Index files on the indexing server.
FT_Domain_Idxthds Specifies the total number of threads used for indexing by the indexing server.
FT_Index_Attachments Specifies whether to exclude document attachments not already excluded by default from the Domain Index.
FT_No_Compwintitle Specifies whether to compute the window titles for documents that are returned by a search.
FT_Summ_Default_Language Specifies the language for document summaries in search results whenever the language in the document is not supported by the summary feature.
FTG_No_Summary Specifies whether to display document summaries in search results.
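As an added example (not from the Domino documentation), the following Python script reads a NOTES.INI file and reports which of the Domain Search settings listed above are present and with what values, so an administrator can confirm an indexing server's configuration before building or backing up the Domain Index. The NOTES.INI content embedded in the script is constructed, and the assumptions that setting names are compared case-insensitively and that a repeated name keeps its last value belong to this example, not to the documentation.

```python
"""Report the Domain Search settings present in a NOTES.INI file.

Added example, not part of the Domino documentation. It assumes the
NOTES.INI layout of one Setting=Value per line, with setting names
compared case-insensitively (an assumption about how the server reads
the file, not a documented guarantee).
"""
from typing import Dict, Optional

# The settings the documentation lists for Domain Search, keyed by their
# documented spelling so the report uses the same names.
DOMAIN_SEARCH_SETTINGS = {
    "FT_Domain_Directory_Name": "directory for the Domain Index files",
    "FT_Domain_Idxthds": "total number of indexing threads",
    "FT_Index_Attachments": "whether to exclude attachments not excluded by default",
    "FT_No_Compwintitle": "whether to compute window titles for search results",
    "FT_Summ_Default_Language": "summary language when the document language is unsupported",
    "FTG_No_Summary": "whether to display document summaries in results",
}

# Constructed sample NOTES.INI fragment (not taken from a real server).
SAMPLE_NOTES_INI = """\
[Notes]
Directory=C:\\Lotus\\Domino\\Data
ServerTasks=Update,Replica,Router,Catalog
ft_no_compwintitle=1
FT_Domain_Directory_Name=ftdomain.di
FT_Domain_Idxthds = 4
"""


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Parse Setting=Value lines into a dict keyed by the upper-cased name.

    Lines without '=' (such as the [Notes] section header) are ignored,
    whitespace around names and values is stripped, and a repeated name
    keeps its last value (assumed INI convention).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line or line.startswith("["):
            continue
        name, value = line.split("=", 1)
        settings[name.strip().upper()] = value.strip()
    return settings


def domain_search_settings(text: str) -> Dict[str, Optional[str]]:
    """Return each documented Domain Search setting with its value, or None if absent."""
    parsed = parse_notes_ini(text)
    return {name: parsed.get(name.upper()) for name in DOMAIN_SEARCH_SETTINGS}


def window_titles_computed(text: str) -> bool:
    """True unless FT_No_Compwintitle=1 is set, the documented way to skip that CPU work."""
    return domain_search_settings(text)["FT_No_Compwintitle"] != "1"


def report(text: str) -> str:
    """One line per documented setting, marking those left at the server default."""
    lines = []
    for name, value in domain_search_settings(text).items():
        state = value if value is not None else "(not set; server default applies)"
        lines.append(f"{name}={state}  # {DOMAIN_SEARCH_SETTINGS[name]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NOTES_INI))
```

Run it against the indexing server's real NOTES.INI by reading the file into `report()`; the script only reads and never rewrites the file.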
Chapter 11
Setting Up Domino Off-Line Services
This chapter explains how to enable an application to go offline with
Domino Off-Line Services (DOLS) and how to administer DOLS
applications on the Domino 6 server.
Domino Off-Line Services
Domino Off-Line Services (DOLS) provides a way for users to take IBM
Lotus Domino Release 6 Web applications offline, work in them, and
synchronize the changes with an online replica on the Domino server.
Users are not required to have the IBM Lotus Notes 6 client because the
applications are accessed with a browser.
Nearly all Notes functionality is retained when a DOLS-enabled
application (called a subscription) is taken offline. Users can compose,
edit, delete, sort, and categorize Notes documents, and perform full-text
searches. DOLS subscriptions can make full use of Java applets, agent
execution, and workflow. DOLS also supports full data replication,
retains application logic, and supports the full Notes security model.
The developer and administrator must set up and configure a DOLS
subscription for offline use.
The developer copies a number of elements into the subscription, makes
design changes if necessary, and configures the subscription in the
Offline Subscription Configuration Profile document.
The administrator makes sure DOLS is installed properly on the server,
sets security for the subscription, sets up agents, makes changes to the
Offline Subscription Configuration Profile document if necessary, and
helps users install the subscription.
Once the subscription is enabled, users can access it on the server using a
browser. The user clicks in a new frame on the subscription’s main page
to open a JavaScript menu. When the user selects “install” from the
menu, the subscription is installed on their computer.
Also installed on their computer is the Lotus iNotes™ Sync Manager, a
utility for managing DOLS subscriptions. Users can open subscriptions
online or offline, synchronize, and set subscription properties with the
Sync Manager.
For more information, see the Lotus iNotes Sync Manager Help
(available from the Help menu of the Lotus iNotes Sync Manager).
Overview of DOLS administrator tasks
Developers and administrators perform different tasks to prepare a
DOLS subscription for users. Administrators perform the following
tasks:
1. Setting up DOLS on a server.
For more information on setting up DOLS on a server, see the
chapter “Installation.”
2. Creating a DOLS Offline Security Policy document.
3. Increasing security for DOLS subscriptions.
4. Increasing the server’s output timeout for DOLS downloads.
5. Configuring the DOLS subscription.
6. Setting up agents for the DOLS subscription.
7. Sending users the URL of the subscription. If the offline security policy
is “Prompt for ID,” also make sure they have a Notes user ID and
Internet password so they can open the subscription.
Typically, the first step is for a user to enter the URL of a Domino server,
along with the path and name of a DOLS-enabled Web application on
that server, into their browser. The browser contacts the server through
the Web Server task, also called the nHTTP task (1a), and the Web Server
then communicates with the Web application (1b).
If the Web application has appropriate security levels set in the ACL, the
user is prompted to log into the Web application using their name and
Internet password. This authentication is also handled by the Web
Server.
Once the DOLS File Sets are downloaded, they are uncompressed, and
the iNotes Sync Manager launches (3). The Sync Manager then
configures the client for the incoming application, and launches a Sync
Task, which initiates a Remote Procedure Call (nRPC) connection with
the Domino server (4a). This secure, Domino replication connection
performs a number of operations to download and initialize the
application on the client (4b). When synchronization is complete, a
subscription of the application exists on the client. A subscription
includes all databases that were listed in the OCD as making up the
application. Their contents are adjusted according to Administrator and
user settings, as well as security information to ensure that the user on
the client has access to only the data to which they had access on the
server. Also, full-text indexes of all offline databases can be created if the
user requests it.
When the user wants to open the application offline, they select it from a
list in the Sync Manager and click “Open Offline.” The Sync Manager
launches a local copy of the Web Server and the local browser (5a). The
Sync Manager tells the local Web server to connect with the local browser
(5b), and with the offline copy of the application (5c). The local Web
Server then validates the user’s login and password information, and
displays the application offline (locally) just as it would display it online
(on the server). Any data the user creates, modifies, and saves while
using the offline application is stored in the local version of the
application.
Field Description
Security domain Enter the domain that this policy affects. For example, /US/Company, or /Company (include the leading slash). All users in this domain are subject to the deployment policy you set in this document. The domain specified in this field includes users one level down from the root. For example, /Cambridge/Lotus includes users in /Security/Cambridge/Lotus and /Dev/Cambridge/Lotus.
Certifier ID to use Attach a certifier ID to this rich text field. The certifier ID must support the Security domain specified in the “Security domain” field. For example, if the Security domain is /A/B/C, then either /A/B/C, /B/C, or /C would be acceptable certifiers. The certifier ID file attached here must share the same root certifier as the server’s ID for DOLS. If they do not share the same root certifier, the user may receive replication errors about a lack of cross-certifiers.
Password for certifier ID Enter the password for the certifier ID. The password, which is case-sensitive, must be correct or the user will not be able to install. Make sure you protect stored passwords by appropriately restricting the ACL of this database (doladmin.nsf).
Expiration date to set on created user IDs Select or enter an expiration date for the ID. For example, 03/31/2006.
Address book to look up ID files from Enter the database filename, with relative path, of the directory where your server’s user IDs reside. The target database must have standard NAB views and documents, with ID files attached to each person document.
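The Security domain and Certifier ID rules above lend themselves to a small pre-flight check before a policy document is saved. The following Python functions are an added example, not part of the Domino documentation or product: they test whether a certifier name supports a security domain (the domain itself or one of its ancestors, as in the /A/B/C example), whether a user's hierarchical name falls inside the domain (the /Cambridge/Lotus example, users one level down), and whether a certifier and the DOLS server's ID share a root certifier. The name-parsing conventions (leading-slash abbreviated names, canonical names with OU=/O= prefixes, case-insensitive comparison, the first component of a user name being the common name) and the max_extra_levels parameter are assumptions of this example.

```python
"""Check hierarchical names against a DOLS Offline Security Policy.

Added example, not from the Domino documentation. It models two rules the
policy fields state: a certifier "supports" a security domain when its
name is the domain itself or one of its ancestors (/A/B/C is supported by
/A/B/C, /B/C and /C), and a user belongs to the domain when the domain's
components end the user's organizational name (/Cambridge/Lotus covers
/Dev/Cambridge/Lotus). The name-handling conventions are assumptions.
"""
from typing import List, Optional


def components(name: str) -> List[str]:
    """Split a hierarchical name into components, leaf first, root last.

    Accepts the abbreviated form ("/Dev/Cambridge/Lotus") and the canonical
    form ("OU=Dev/OU=Cambridge/O=Lotus"); type prefixes are dropped and
    components are lower-cased for case-insensitive comparison (assumption).
    """
    parts = []
    for part in name.split("/"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            part = part.split("=", 1)[1].strip()
        parts.append(part.lower())
    return parts


def org_components(user_name: str) -> List[str]:
    """Drop the leading common name of a user name, keeping the OU/O parts (assumption)."""
    return components(user_name)[1:]


def certifier_supports_domain(certifier: str, security_domain: str) -> bool:
    """True when the certifier is the security domain itself or an ancestor of it."""
    cert = components(certifier)
    domain = components(security_domain)
    return 0 < len(cert) <= len(domain) and domain[-len(cert):] == cert


def in_security_domain(user_name: str, security_domain: str,
                       max_extra_levels: Optional[int] = 1) -> bool:
    """True when the user's organizational components end with the domain's.

    The documentation describes users one level below the domain as
    included; max_extra_levels=1 mirrors that, while None admits any
    depth (an assumption beyond what the text states).
    """
    user = org_components(user_name)
    domain = components(security_domain)
    if not domain or len(user) < len(domain) or user[-len(domain):] != domain:
        return False
    extra = len(user) - len(domain)
    return max_extra_levels is None or extra <= max_extra_levels


def root_certifier(name: str) -> str:
    """The organization (root) component of a name, '' if the name is empty."""
    parts = components(name)
    return parts[-1] if parts else ""


def same_root(certifier: str, server_name: str) -> bool:
    """True when the certifier and the server ID descend from the same root certifier,
    the condition the policy gives for avoiding cross-certifier replication errors."""
    root = root_certifier(certifier)
    return root != "" and root == root_certifier(server_name)


if __name__ == "__main__":
    print(certifier_supports_domain("/B/C", "/A/B/C"))          # True
    print(in_security_domain("Jane Doe/Dev/Cambridge/Lotus", "/Cambridge/Lotus"))  # True
    print(same_root("/B/C", "Server1/C"))                        # True
```

Because a certifier that passes certifier_supports_domain can still fail same_root against the DOLS server's ID, run both checks: the first validates the policy document, the second predicts the cross-certifier errors the table warns about.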
Option Description
Tighten access to the database Open the ACL for the subscription and add the users and groups to whom you want to grant access. Anonymous must have “No Access.”
Tighten security on the configuration document To limit who can open and edit the Offline Subscription Configuration Profile document for a particular subscription, open the subscription’s “DOLS Offline Configuration” form in Lotus Domino Designer 6 and change security settings in the Form properties.
Tighten security on offline data To ensure that unsanctioned users cannot access the subscription data offline using another software product, encrypt the subscription in the Offline Subscription Configuration Profile document.
Tighten security for all subscriptions on the server To propagate a security setting to all the existing DOLS subscriptions on a server, make sure the subscriptions are set to inherit design changes from the DOLS Resource template (DOLRES.NTF); change the setting in DOLRES.NTF; then run the Designer task. For more information on the Designer task, see the topic “Synchronizing databases with master templates.”
Chapter 12
Planning the Service Provider Environment
This chapter describes the server and IP configurations and discusses
configuration-related decisions that you will make before you set up an
xSP server.
Planning the xSP server environment
The generic term “xSP” can refer to many different types of service
providers — application, Internet, storage, and management — to name
just a few.
A Domino service provider delivers services to small- and medium-sized
businesses, or multiple hosted organizations, from a single Domino
domain. To those hosted organizations, the service provider offers
Internet protocol-based access to a specific set of applications running on
Domino servers. By using a service provider, a company can outsource
the administration of applications and services that were formerly run on
the company’s computer infrastructure.
This portion of the documentation focuses on the decisions you will be
making when planning and setting up your xSP server environment. You
can then use your xSP server to host small and medium businesses.
The Domino service provider administrator
The responsibilities of a service provider administrator include
maintaining both the server environment at the host site and, to varying
degrees, the hosted organizations.
First and foremost, the service provider administrator is responsible for
setting up and maintaining xSP servers — that is, protocol and database
servers — as well as any Domino clusters and network routers.
Although the hosted organization administrator can perform some of the
user and group maintenance, the service provider administrator
performs a significant amount of the administrative tasks required to
maintain a hosted organization. At a minimum, the service provider
administrator is responsible for registering and maintaining hosted
organizations and controlling which applications the hosted organization
uses. In addition, the service provider administrator must create and
maintain a mechanism that the hosted organization’s administrators use
to communicate problems and issues that require the intervention of the
service provider administrator.
Ways to set up a service provider environment
There are two ways to set up a service provider environment. You can set
up an xSP server, which features a shared Domino Directory, or you can
use server partitioning. The term “shared Domino Directory” indicates
that there is one Domino Directory shared by multiple hosted
organizations. All data is secured and accessible only by the small or
medium business that owns the data. A second option is Domino server
partitioning, which you use to run multiple instances of the Domino
server on a single computer.
Set up an xSP server to offer pure Internet protocol-based access to a
specific set of applications on Domino servers. For example, iNotes Web
Access is such an application. Using an xSP server reduces the total cost
of ownership for a designated set of services, offered to several
customers accessing the server through standard Internet protocols. In a
service provider environment, you are hosting multiple companies in one
Domino domain.
Use Domino partitioning to offer a Domino server where the customer
can have Notes Client access and can create and run their own Domino
applications. Setting up a partitioned server is particularly effective when
the partitions are in different Domino domains. Partitioning provides a
completely separate server for each customer, as well as a completely
separate Domino Directory.
For more information on partitioned servers, see the chapter “Setting Up
the Domino Network.”
Securing the service provider environment
The Domino service provider environment uses all of the standard
Domino security features to ensure complete security for the service
provider and the hosted organizations that subscribe to the service
provider services. An xSP environment that has multiple hosted
organizations has potentially thousands of users whose access must be
restricted to their own data only.
In addition, the service provider configuration uses extended ACLs in
the Domino Directory to protect the data of each hosted organization
from access by users in other hosted organizations. The extended ACLs
required to support the xSP security model are automatically established
when new hosted organizations are created. Plan and test carefully if you
want to modify ACLs and extended ACLs in an xSP environment —
security is extremely important.
The authentication controls in Site documents control only who can
authenticate and use the Internet protocols. After authentication, ACLs
and extended ACLs control the data that can be read from and written to
the Domino Directory.
For more information on extended ACLs, see the chapter “Setting Up
Extended ACLs” and for more information on ACLs, see the chapter
“Controlling User Access to Domino Databases.”
A user in a hosted organization cannot directly access databases in any
subdirectories other than the hosted organization’s directory. Exceptions
are the “help” and “common” subdirectories of the Domino data
directory, which contain databases accessible to users in all hosted
organizations.
To provide users with access to databases outside that of the hosted
organization’s subdirectory, create a directory link within the hosted
organization’s directory.
For more information on how directory links work and how to create
them, see the chapter “Organizing Databases on a Server.”
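The directory rule above (a hosted organization's users reach only their own subdirectory, plus help and common, with a directory link inside the organization's directory as the sanctioned way to reach anything else) can be written down as an explicit allow-list check, which is useful when reviewing a reverse proxy or custom front end placed in front of an xSP server. The following Python code is an added reference model, not Domino's own implementation: it normalizes a requested path relative to the data directory so that a ../ or backslash variant cannot escape the organization's directory, applies the allow rule, and resolves a directory link only when the link sits inside the organization's own directory. The organization names, link mapping, case-insensitive comparison and sample paths are assumptions constructed for the example.

```python
"""Reference model of hosted-organization directory isolation on an xSP server.

Added example, not Domino's implementation. It encodes the rule the
documentation states: a hosted organization's users reach only databases
under their own data subdirectory plus the shared "help" and "common"
subdirectories; anything else is reached only through a directory link
placed inside the organization's directory. Paths are relative to the
Domino data directory and compared case-insensitively with either slash
style (assumptions about the server's file system).
"""
import posixpath
from typing import Dict, Optional

SHARED_SUBDIRS = ("help", "common")   # readable by users of every hosted organization


def normalize(path: str) -> str:
    """Canonicalize a path relative to the Domino data directory.

    Unifies slash style, collapses '.' and '..' segments and strips the
    leading slash. Anchoring at '/' before normpath means '..' can never
    climb above the data directory. Case is preserved here; callers
    compare case-insensitively.
    """
    unified = path.replace("\\", "/").strip()
    return posixpath.normpath("/" + unified).lstrip("/")


def top_directory(path: str) -> str:
    """First component of the normalized path, lower-cased."""
    return normalize(path).split("/", 1)[0].lower()


def hosted_org_can_access(org_dir: str, requested: str) -> bool:
    """Decide whether a user of hosted organization org_dir may open requested.

    Default deny: only the organization's own directory and the shared
    subdirectories are allowed, whatever the request looked like before
    normalization.
    """
    top = top_directory(requested)
    return top == org_dir.lower() or top in SHARED_SUBDIRS


def resolve(org_dir: str, requested: str,
            links: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return the physical path a permitted request maps to, or None if denied.

    links maps a link path inside the organization's directory (such as
    "acme/archive") to the directory it points at. Links declared anywhere
    else are ignored, mirroring the rule that a link must be created
    within the hosted organization's own directory.
    """
    if not hosted_org_can_access(org_dir, requested):
        return None
    norm = normalize(requested)
    own_prefix = org_dir.lower() + "/"
    for link, target in (links or {}).items():
        link_norm = normalize(link)
        if not link_norm.lower().startswith(own_prefix):
            continue                               # link lives outside this org: not honoured
        if norm.lower() == link_norm.lower() or norm.lower().startswith(link_norm.lower() + "/"):
            return target.rstrip("/\\") + norm[len(link_norm):]
    return norm


if __name__ == "__main__":
    # Constructed sample: organization "acme" with one directory link.
    sample_links = {"acme/archive": "D:/archive/acme"}
    for req in ("acme/mail/jdoe.nsf", "acme/../globex/mail/jdoe.nsf", "help/readme.nsf"):
        print(req, "->", resolve("acme", req, sample_links))
```

The decision is made on the requested path, never on the link target, which is why a link declared in another organization's directory grants nothing and why the traversal variants collapse to a denied top-level directory before any rule is consulted.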
Using Domino features in a hosted server environment
There are several Domino features that need to be set up for a hosted
environment, just as they would need to be set up in a non-hosted,
enterprise environment. This section describes the features that are
required in a hosted environment and explains when to set them up.
Domino certificate authority
For some Internet certificates and for Domino Off-Line Services (DOLS),
you must use the Domino certificate authority (CA). The Domino CA is
required only if a hosted organization uses DOLS or wants to generate
Notes IDs. For example, a hosted organization may require Notes IDs for
its users if it uses a third-party application that uses the C API to perform
a function. If a hosted organization uses the Web Administrator to
manage their own users and groups, the hosted organization must use
certifiers issued by the Domino server-based CA.
If a hosted organization’s users are registered at the service provider site,
they can be registered with certifier IDs and passwords or with the
Domino server-based CA.
Using SSL in a hosted environment
To use SSL in a hosted environment, you must do the following for each
hosted organization:
Create a new Domino server-based Certificate Authority (CA). Two
or more hosted organizations cannot share the same Domino CA.
Create a Certificate Requests database.
For more information on setting up and using the Domino server-based
CA and creating the Certificate Requests database, see the chapter
“Setting Up a Domino Server-Based Certification Authority.”
Policies
Policies are required when using the Domino service provider software.
Before registering a hosted organization, the service provider
administrator must decide which policy settings to implement. Before
registering a hosted organization, the service provider administrator can
create policy documents and policy settings documents and then assign
those documents during registration, or the service provider
administrator can create the documents during the hosted organization
registration process.
For more information on policies, see the chapter “Using Policies” and
see the topic “Using Policy Documents in a hosted environment” later in
this chapter.
Domino Off-Line Services
Domino Off-Line Services (DOLS) is supported in a hosted environment.
If a hosted organization uses DOLS, the hosted organization must be
registered with the Domino server-based CA. The registration process for
hosted organizations that support DOLS is almost identical to the setup
and registration of hosted organizations that do not support DOLS.
For more information on Domino Off-Line Services (DOLS), see the
chapter “Setting Up Domino Off-Line Services.”
Using the C API Extension Manager in a hosted environment
The C API Extension Manager is fully supported in a hosted
environment; however, there can be only one Extension Manager on a
server. If the Extension Manager must provide different services for each
hosted organization, program the Extension Manager to do the filtering.
For more information, see the C API User’s Guide and the C API Reference
Guide on the IBM Web site, www.ibm.com.
Planning the IP Address configurations in a hosted environment
A crucial step in planning an xSP configuration is to determine which of
the following IP address configurations to use:
One IP address that is shared by multiple hosted organizations
One IP address for each individual hosted organization
A combination of the above two configurations
The IP address configuration that you choose will have an impact on
your entire xSP configuration.
One IP address that is shared by multiple hosted organizations
The following figure shows xSPserver1 supporting multiple hosted
organizations sharing IP address 92.32.2.0.
xSPserver1 supports three hosted organizations with one
shared IP Address.
Protocol/Service Requirement
HTTP with iNotes Web Access When sending mail via iNotes Web Access, enable HTTP on the server that stores the mail file.
IIOP Domino IIOP is required to run Java code.
LDAP If you use POP3 or IMAP and the client mail application supports LDAP, you can also use LDAP to provide the mail clients with addressing services. Lightweight Directory Access Protocol (LDAP) is a standard Internet protocol for accessing and managing directory information. If LDAP will be used with the Domino Directory, the LDAP protocol must be started.
POP3 and IMAP POP3 and IMAP are access protocols only, that is, they retrieve mail. SMTP is required to enable POP3 and IMAP users to send mail. Additionally, the POP3 or IMAP client must be configured to send mail via an SMTP server.
SSL SSL can be used in addition to Domino’s security services. SSL supports data encryption to and from clients and provides message-tampering detection and optional client authentication.
Note SSL is supported only for hosted environments that use a unique IP address configuration.
Name Protocol
Server host name (for example, serverA.corporation.com) POP3 and IMAP clients use server host names to locate host servers when retrieving mail. Inbound HTTP transactions can use server host names when resolving transactions. LDAP clients use server host names when performing directory lookups. Web browsers can use server host names in URLs, in addition to other types of DNS names.
Field Action
Registration Server Enter the name of the server to use during the registration process. The Domino Administrator contacts the registration server while performing registration tasks.
Organization name Enter a unique name for the hosted organization. The name must be fewer than 28 characters and cannot contain a period (.) because the hosted organization name is also used as the hosted organization’s virtual Domino domain name for routing purposes. For ease of administration, use a short name with no spaces. Organization name is a required entry that is also used in the Internet Site documents.
Organization supports DOLS Choose this option if the hosted organization supports Domino Off-Line Services (DOLS).
Password Enter a case-sensitive password for the certifier. The characters you use for this password depend on the level set in the Password quality scale.
Password quality Displays the Password Quality Scale that you can use to define the complexity of the password. Do not choose “Password is optional.”
Explicit Policy Choose the explicit policy document that is the ancestor of the registration policy settings document you are assigning to the hosted organization. Click None Available if you have not yet created the necessary policies and/or settings documents.
First Name, Middle Name, Last Name Enter the name of the hosted organization administrator.
Password Enter a password for the hosted organization administrator.
Field Action
Internet Domain Enter the name of the Internet domain. By default, the exact Internet domain name that you specified for this hosted organization on the Mail tab of the registration policy settings document is entered. For example, enterprise.com.
HTTP Host/Address Enter the host name or IP address of the HTTP server for the hosted organization.
SMTP Host/Address Enter the host name or IP address of the server that receives SMTP transactions for the hosted organization.
POP3 Host/Address Enter the host name or IP address of the POP3 server for the hosted organization.
IMAP Host/Address Enter the host name or IP address of the IMAP server for the hosted organization.
Directory Host/Address Enter the host name or IP address of the LDAP server for the hosted organization.
IIOP Host/Address Enter the host name or IP address of the Domino IIOP server for the hosted organization.
Field Action
Mail Server By default, this field contains the name of the mail server for the hosted organization exactly as you entered it in the registration policy settings document for the hosted organization. The hosted organization and the administrator’s mail file will be stored on this server. This field cannot be modified.
Directory By default, this field contains the name of the directory in which the hosted organization’s data resides. For ease of administration, the directory name is created for you and is identical to the hosted organization name. This field cannot be modified.
Host Indicates whether the corresponding server hosts the hosted organization. This field cannot be modified for the first entry in this list. The first server entry in this list has a check mark because that server is identified in the registration policy settings document as the mail server for the hosted organization. For all other servers, a check mark in this box identifies that server as a host server for the hosted organization.
Server Name Name of the server that is hosting the hosted organization. If multiple server names appear in this list, the first server in the list is the hosting server; other servers are the cluster mates.
Physical Storage location The directory name that is displayed is an alternate location where the hosted organization’s data directory will reside if you do not use the default location.
Physical Storage location for <server name> Use this field to create a directory link to an additional storage location for the hosted organization you are registering. This field is activated when you select a server in the Server Name field. The check box for the server must be checked in order to select it. To add a directory link, enter the full path for the storage location and then click the check box so that the directory link displays in the Physical Storage Location field. To delete a directory link, select the link in the ServerName/Physical Storage Location fields. When the path displays in the modifiable “Physical Storage Location for <server>” field, click the X.
Field: Action
Location: Enter text to define the location of the hosted organization.
Comment: Enter text to define the hosted organization’s name and other information.
Internet Site document: Description
Web Site document: Web Site documents are generated for the HTTP protocol. Each hosted organization has one Web Site document that can be created during hosted organization registration. If a hosted organization has multiple Web sites, you must create one Web Site document for each additional Web site.
Note See the chapter “Installing and Setting Up Domino Servers,” for information on configuring Web Site documents.
IMAP Site document, POP3 Site document, SMTP Inbound Site document: These are the mail protocol Internet Site documents. An individual Internet Site document is created for each mail protocol for which you enter an IP address on the Internet panel of the Register Hosted Organization interface.
LDAP Site document: This document is generated for LDAP servers.
IIOP Site document: Domino IIOP (DIIOP) uses the information in the IIOP Internet Site document to define the scope of the Domino Directory used to validate users. DIIOP enables you to use any Java code running on any server on the network. DIIOP is not yet supported in a shared IP address configuration.
Global Web Settings document: The Global Web Settings document applies one or more Web Site Rule documents to all servers in the Domino domain or only to specified servers in the Domino domain. The Global Web Settings document is automatically created during setup of a hosted organization.
Web Site Rule document: The Web Site Rule document is created from within the corresponding Web Site document. The three Web Site Rule documents that are automatically created in a hosted environment are DOLS, iNotes help files, and iNotes.cab.
Field: Action
Descriptive name for this site: Enter a name that describes the Web Site Rules that will be associated with this document.
Domino servers that host this site: Enter one:
• An asterisk (*) if the document is to apply to all servers in the Domino domain.
• One or more names of servers to which this document applies.
Field: Action
Activity logging is enabled: Select this check box to enable activity logging on each server that you designate.
Enabled Logging Types: Select all logging types for which you want to collect billing information.
Checkpoint interval: Enter the number of minutes that transpire between activity logging updates to LOG.NSF. The checkpoint interval applies to the logging types that you selected and that have open, active sessions.
Log checkpoint at midnight: (Optional) Select this check box to create Notes session and Notes database checkpoint records every day at midnight.
Log checkpoints for prime shift: (Optional) Select this check box to create Notes session and Notes database checkpoint records at the beginning and end of a specific time period. Specify the start and end times for the time period.
Field: Action
Select server activity types to search for: Click the check box and then do one of these:
• Select an activity type to view, and then click Add. Repeat to continue adding types.
• Click Select All to view all activity types.
Start Date, End Date: Select the start date and end date of the time period for which you want to analyze logged activity data. Activity data for the time period you specify is stored in the Results database.
Start Time, End Time: Select the start time and end time of the logged activity data you want to analyze. Activity data for the specified time period is stored in the Results database.
Results Database: Do the following:
1. Click this button to open the Results Database dialog box.
2. Specify the server on which the Results database will reside, the title (name) of the database, and the file name.
3. Click OK.
4. Choose one:
• Append to this database: appends the data to the existing Results database.
• Overwrite this database: overwrites the data in the existing Results database with new data.
5. Click OK. When the message box displays “Analysis Completed,” click OK. The Log Analysis - Log Events view opens.
Chapter 14
Managing a Hosted Environment
This chapter contains instructions for moving a hosted organization from
one server to another, modifying the Server document, adding a hosted
organization to a server to provide new Web applications, viewing
hosted organizations, using the Web Administrator to manage users and
groups at a hosted organization site, and performing other actions
required to maintain a hosted environment.
Maintaining hosted organizations
As a service provider administrator, maintaining the hosted
organizations in your hosted environment is of primary importance.
Responsibilities include maintaining the servers that host your
organizations, maintaining the hosted organizations and their data, as
well as the users at those sites.
The majority of the administration activities performed in a hosted environment are identical to those performed in a non-hosted environment. The following topics explain how to complete the activities that are unique to, or different in, a hosted environment, with explanatory information where necessary.
• Adding a hosted organization to an additional server to provide new Web applications
• Deleting a hosted organization
• Disabling services temporarily for a hosted organization
• Enabling anonymous access to a hosted organization’s database
• Managing Users at a hosted organization
• Moving a hosted organization from one server to another server
• Removing a hosted organization from a backup or load-balancing server
• Restoring a hosted environment after a server crash
• Temporarily disabling services for a hosted organization
• Using a browser to access a hosted organization’s Web site
• Using the Resource Reservations database in a hosted environment
• Viewing a hosted organization
• Web Administration from the hosted organization site
Adding a hosted organization to an additional server to provide new Web applications
A hosted server environment can be configured to allow multiple servers
to provide Web applications to one or more hosted organizations. Part of
managing a hosted environment is enabling additional servers to serve
Web applications to a hosted organization. Web applications can be
distributed across multiple servers, while serving as many hosted
organizations as you designate.
You can enable a hosted organization that is currently being served
applications by one or more servers to be served a Web application by an
additional server.
To add a hosted organization to an additional server to provide new
Web applications
1. Create a data directory for the hosted organization on the target
server.
2. Create an ACL file for the hosted organization in the data directory
of the target server.
3. Create a Web Site document for the hosted organization, where the
new Web Site document’s DNS name resolves to the target server’s
IP address or name. This new Web Site document allows servers and
routers to distinguish between servers. Use the Basics tab on the new
Web Site document to enter the host names or addresses that map to
the site and the Domino servers that host the site.
4. To support the hosted organization, make other Web
application-specific modifications — for example, configure the
Welcome page.
5. For Web applications only, create the DNS names that direct users to
this server and to this hosted organization’s Web site.
For more information on setting up a Web Site document, see the chapter
“Setting Up a Domino Web Server.”
Deleting a hosted organization
The service provider administrator is responsible for deleting a hosted
organization when the hosted organization stops subscribing to a service
provider’s services. When you delete a hosted organization, the
following documents, files, and directories for the hosted organization
are deleted:
• Data directory
• Cross certificates
• ACL file
• Extended ACL entries in the Domino Directory’s ACL file
• HostedOrganizationAdmins group
• Global Domain document
• Internet Site documents
• Policy document
To delete a hosted organization
1. From the Domino Administrator, click the Configuration tab.
2. Click Tools - Hosted Organization - Delete.
3. Select the name of the hosted organization to delete.
4. Choose one of these Processing types:
• Immediately clean up Domino Directory: removes all references to the hosted organization from the Domino Directory immediately.
• Use Administration Process only: removes all references to the hosted organization from the Domino Directory when the “Delete hosted organization” administration request runs.
Note Both processing types generate administration requests and
both require that you open the Administration Requests
(ADMIN4.NSF) database and approve the deletion of hosted
organization storage.
5. Click OK. You are prompted to confirm the deletion. Click Yes, and
then click OK.
To approve the deletion request
1. Click the Server - Analyses tabs.
2. Click Administration Requests (6).
3. Open the “All Requests by Name” view.
4. Open the “Approve Deletion of Hosted Organization Storage”
request.
5. Click Edit Document. Click “Approve Hosted Organization Storage
Deletion” to approve the request.
6. Click Yes, and then click OK.
Temporarily disabling services for a hosted organization
To disable all Internet services for a hosted organization, use the Internet
Site documents to set all authentication options to No for all Internet
protocols for a hosted organization. To enable Internet service for that
hosted organization at a later time, set the authentication options to Yes.
1. From the Domino Administrator, choose Files and open the Domino
Directory (NAMES.NSF).
2. Choose Servers - Internet Sites.
3. Select the Internet Site document that contains the settings you want
to modify, and click Edit Document.
4. Click Security. Set the “Anonymous” and “Name and Password”
fields to No to disable the service for the hosted organization. To
enable the service at a later time, reset these same fields to Yes.
For more information on the Authentication fields on the Security tab of
the Site documents, see the chapter “Installing and Setting Up Domino
Servers.”
Enabling anonymous access to a hosted organization’s database
To make a hosted organization’s database available to anonymous Web
site users, add “Anonymous” to the ACL file. Adding Anonymous to the
ACL file does not expose all of the hosted organization’s data to
anonymous users. For example, anonymous Web users cannot browse a
hosted organization’s directory because browsing is disabled.
Do not confuse an ACL file, which provides security for the hosted
organization itself, with a database ACL, which controls the access that
server, users, and groups have to a database.
Sample ACL file
The content of a sample ACL file for a hosted organization named
company1 with Anonymous access is shown below.
.
ASP Admin/ASP
*/company1
Anonymous
LocalDomainServers
LocalDomainAdmins
[owner=company1]
In addition to modifying the ACL file, modify the hosted organization’s
database ACL to allow anonymous access to the database.
For more information on modifying a database ACL, see the chapter
“Controlling User Access to Domino Databases” and for more
information on modifying the Web Site document security settings, see
the chapter “Installing and Setting Up Domino Servers.”
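The following Python script is an added example, not Domino product code or text from this manual. It parses an ACL file in the format of the sample above and answers whether a given Notes name is admitted, so an administrator can confirm exactly what adding or removing the Anonymous entry changes before touching the database ACL. The name-matching rules (the */company1 wildcard matching any name whose trailing components are /company1, and canonical CN=/OU=/O= prefixes comparing equal to the abbreviated form) follow standard Notes naming conventions; treating the leading “.” line as ignorable and resolving group entries through a plain dictionary are assumptions, since the page describes neither.

```python
"""Parse a Domino hosted-organization ACL file and evaluate access.

Added example, not Domino product code.  The file format follows the
sample on the page; the matching rules are standard Notes name rules.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The sample ACL file from the page: hosted organization "company1"
# with Anonymous access.
SAMPLE_ACL_WITH_ANONYMOUS = """\
.
ASP Admin/ASP
*/company1
Anonymous
LocalDomainServers
LocalDomainAdmins
[owner=company1]
"""

# Constructed variant: the same file with the Anonymous entry removed,
# i.e. anonymous Web users are no longer admitted to the hosted organization.
SAMPLE_ACL_WITHOUT_ANONYMOUS = SAMPLE_ACL_WITH_ANONYMOUS.replace("Anonymous\n", "")

_DIRECTIVE = re.compile(r"^\[(\w+)=(.*)\]$")   # e.g. [owner=company1]


@dataclass
class HostedOrgAcl:
    entries: List[str] = field(default_factory=list)  # names, groups, wildcards
    owner: str = ""                                    # value of [owner=...]


def _components(name: str) -> List[str]:
    """Split a Notes name into lowercase components.  CN=/OU=/O= prefixes are
    stripped so a canonical name compares equal to its abbreviated form."""
    parts = []
    for part in name.split("/"):
        part = part.strip()
        if "=" in part:
            part = part.split("=", 1)[1]
        parts.append(part.lower())
    return parts


def parse_acl_file(text: str) -> HostedOrgAcl:
    """Read the ACL file text into entries plus the [owner=...] directive."""
    acl = HostedOrgAcl()
    for raw in text.splitlines():
        line = raw.strip()
        # The sample file opens with a lone "."; the page does not explain it,
        # so this parser ignores it (assumption).
        if not line or line == ".":
            continue
        match = _DIRECTIVE.match(line)
        if match:
            if match.group(1).lower() == "owner":
                acl.owner = match.group(2).strip()
            continue
        acl.entries.append(line)
    return acl


def _matches(entry: str, name: str) -> bool:
    """True if an ACL entry names `name` directly or via a */OU/O wildcard."""
    e, n = _components(entry), _components(name)
    if e[0] == "*":
        suffix = e[1:]           # */company1 matches any name ending in /company1
        return len(n) > len(suffix) and n[-len(suffix):] == suffix
    return e == n


def anonymous_allowed(acl: HostedOrgAcl) -> bool:
    """True if the file admits anonymous Web users."""
    return any(entry.lower() == "anonymous" for entry in acl.entries)


def is_allowed(acl: HostedOrgAcl, name: str,
               groups: Optional[Dict[str, List[str]]] = None) -> bool:
    """True if `name` is granted access by the ACL file.

    `groups` maps a group name to its member names.  On a real server group
    membership comes from the Domino Directory; here it is a plain dict
    (assumption, so the check runs offline)."""
    groups = groups or {}
    for entry in acl.entries:
        if _matches(entry, name):
            return True
        if any(_matches(member, name) for member in groups.get(entry, [])):
            return True
    return False


if __name__ == "__main__":
    acl = parse_acl_file(SAMPLE_ACL_WITH_ANONYMOUS)
    print("owner:", acl.owner, "| anonymous:", anonymous_allowed(acl))
    for who in ("Jane Doe/company1", "Jane Doe/company2", "Anonymous"):
        print(f"{who:20s} -> {is_allowed(acl, who)}")
```

Running the script with both sample files shows that removing the single Anonymous line is what closes the hosted organization to unauthenticated Web users, while */company1 continues to admit every name under the organization and names from other hosted organizations stay excluded.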
Moving a hosted organization to another server
You may need to modify some of the procedures in this section to better
fit your individual configuration. For example, you may need to modify
your network router configuration if your configuration includes a
network router.
Moving a hosted organization that has a unique IP address varies
somewhat from moving a hosted organization that has a shared IP
address.
Moving a hosted organization that has a unique IP address
To move a hosted organization that has a unique IP address, complete
these procedures:
1. Re-create the hosted organization infrastructure on the destination
server.
2. Open the registration policy settings document for the hosted
organization that you are moving and change the original mail
server name to the name of the destination server — that is, the new
mail server.
3. Use the Domino Administrator to move databases and move users
that have mail files from the source server to the destination server.
4. Prohibit access to the source server.
5. Move non-database files from the source to the destination server.
6. Enable access to the destination server.
7. From the source server, remove the infrastructure for the relocated
hosted organization.
Moving a hosted organization that has a shared IP address
To move a hosted organization that shares an IP address with other
hosted organizations, you must change the IP address of the hosted
organization that you are moving. In addition, you must modify the
server information in the documents, as well as the DNS entries for the
hosted organization you are moving. DNS entries are often cached and
may require a substantial amount of time to process a change.
Complete these procedures:
1. Prohibit access to the source server.
2. Enter the destination server name in the “Domino servers that host
this site” field in all of the Site documents for the hosted
organization.
3. Create a hosted organization infrastructure on the destination server.
4. Open the registration policy settings document and change the
original mail server name to the name of the destination server —
that is, the new mail server.
5. For users who have mail files, use the Domino Administrator to
move the users from the source server to the destination server.
6. Move nondatabase files from the source server to the destination
server.
7. Enable access to the destination server.
8. Remove the infrastructure from the source server.
To create the hosted organization's infrastructure on the destination
server
1. On the destination server, do one of these:
• Create a subdirectory of the data directory. The new subdirectory name must be identical to the subdirectory name on the source server.
• Create a new data directory and a directory link.
2. If any directory links, database links, or Web site directory references
are located outside of the hosted organization’s subdirectory, create
new directories for those links.
3. Copy the hosted organization’s ACL file from the source server’s
data directory to the destination server’s data directory.
4. If any Web application requires a “per hosted organization
infrastructure,” create that infrastructure.
To edit the hosted organization's registration policy settings
document
1. From the Domino Administrator, open the Domino Directory.
2. Choose Policies - Settings.
3. Select the registration policy settings document you want to edit.
4. Click Edit Settings.
5. On the Mail tab, choose the name of the destination mail server from
the list displayed in the “Choose the mail server” field.
6. Click Save and Close.
To move the mail file and other databases
Caution During this procedure, do not approve the mail file deletion in the Administration Requests database (ADMIN4.NSF). If you approve the deletion too soon, the user will not have access to the mail file on the source server. Approve the mail file deletion later, when doing so will not impact user access to the mail file.
1. Make sure that you and the source server have Create Replica access
to the destination server.
2. From the Domino Administrator, click People & Groups.
3. Select the person whose mail file you are moving.
4. From the Tools panel, click People - Move.
5. Enter the destination mail server name in the Destination field.
Include the hosted organization subdirectory.
6. Select the server and paths on which you want to create mail files.
Replicas will be created at the location you select.
7. Click OK.
For more information on moving mail files, see the chapter “Setting Up
and Managing Notes Users.”
To enable access to the destination server
1. Associate the hosted organization’s IP address with the destination
server according to your particular setup. You may need to update
host files, DNS server settings, and the IP address assigned to the
TCP/IP stack.
2. You may need to stop and restart the server depending on your
TCP/IP stack. Whether or not you can modify the IP addresses that
are served without restarting the server depends on your individual
configuration.
To prevent access to the source server
Complete this procedure after you have successfully initiated as many
“Move mail file” actions as necessary. This procedure applies only to
moving a hosted organization that has a unique IP address.
1. Shut down the Domino server on the source server.
2. Disassociate the hosted organization’s IP address from the source
server. You may need to modify host files or DNS server settings, as
well as the IP address assigned to the TCP/IP stack.
To move non-database files from the source server to the
destination server
1. Copy all database files from the source server to the destination
server.
2. From the source server, recursively delete the non-database files that
you copied to the destination server.
3. Copy all non-database files in directories that are not within the
hosted organization’s data directory. Copy the files from the source
server to the destination server.
4. Determine whether any Web application requires
per-hosted-organization data that has not already been copied. Copy
that data to the destination server, and then delete it from the source
server.
5. (Optional) Replicate the data from the source server to the
destination server to ensure that all changes made to the source
server appear on the destination server.
6. Change the IP addresses hosted by the destination server to include
the new addresses — that is, those formerly hosted by the source
server. Modify all Internet Site documents as necessary.
7. Restart the Domino server on the destination server.
For more information on the Internet Site documents, see the chapters
“Setting Up the Service Provider Environment” and “Installing and
Setting Up Domino Servers.” For more information on the Web Site
document, see the chapter “Setting Up a Domino Web Server.”
To remove the infrastructure from the source server
1. Open the Administration Requests database (ADMIN4.NSF) and
approve the requests to delete the source databases. When all
requests have been successfully processed — that is, when the
databases have been deleted — proceed to the Step 2.
For more information on approving administration requests, see the
chapter “Setting Up the Administration Process.”
2. Delete the hosted organization’s subdirectory from the source server.
3. Delete any directories that are specific to the hosted organization and
that reside outside of the hosted organization’s data directory.
4. Delete the hosted organization’s ACL file from the data directory on
the source server.
To prevent access to the source server
1. Shut down the Domino server on the source server.
2. Disassociate the hosted organization’s DNS names from the source
server’s IP address. Associate those DNS names with the destination
server’s IP address.
3. If SSL was used for encryption, do not copy the old key ring file to
the destination server. Use the destination server’s key ring file.
4. Open each Internet Site document to modify the IP address for the
hosted organization on the destination server. Make sure that Web
site names are correct.
For more information on Internet Site documents, see the topics
Internet Site documents and Using Internet Site documents in a
hosted environment.
5. Restart the Domino server on the source server.
Removing a hosted organization from a backup or load-balancing
server
Use this procedure to remove a hosted organization and all of its services
from a server that provides hot-backup or load-balancing capability. In
this configuration, one unique IP address is used for each hosted
organization. You do not need to modify the Internet Site documents
because the network router controls redirection connections for
load-balancing and for hot-backups.
To remove a hosted organization from a backup or load-balancing
server
1. Perform the necessary steps to do one of these:
• Prevent the network router from distributing the data from this hosted organization to the destination server
• Deconfigure the hot-backup server
2. Delete files and databases from the hosted organization’s data
directories and from any other directories in which hosted
organization files reside.
3. Delete the hosted organization’s data directory.
4. Delete the hosted organization’s ACL file from the Domino data
directory.
To remove a hosted organization from a server that provides
Web-application support
1. Remove the DNS name for the Web application.
2. Delete the Web Site document for the Web application.
3. Modify common data for the application to remove support for the
hosted organization.
4. Delete the content of the hosted organization’s data directory.
5. Delete the hosted organization’s ACL file.
Restoring a hosted environment after a server crash
To recover quickly from various system failures and server crashes,
implement transaction logging in the hosted environment. Also, create a
daily backup so that you can restore current data if necessary.
Restoring the Domino Directory and extended ACLs
If the Domino Directory in a hosted environment becomes corrupted, you also lose the extended ACLs for NAMES.NSF and for ADMIN4.NSF. Restart the servers so that transaction logging restores the data, including the content of the Domino Directory. You cannot re-create the Domino Directory from the template. You must use transaction logging and/or a recent backup of NAMES.NSF in order to restore the Domino Directory and the extended ACLs.
If you are not using transaction logging, restore the Domino Directory
from the most recent daily backup.
For more information on transaction logging, see the topics Transaction
logging and How transaction logging works.
For more information on transaction logging, see the chapter
“Transaction Logging.”
How the Domino service provider software responds to a DNS
outage
The Domino service provider software can withstand DNS outages. After
the Internet Site documents have been loaded into the Domino ASP
cache, on subsequent loading of the cache, if there are any DNS-lookup
errors, cache entries are not immediately removed but are instead
removed slowly over time. DNS-lookup errors occur when DNS is
unavailable or host names cannot be resolved into IP addresses. If there
are any invalid host names in your Internet Site documents or if DNS is
unavailable, then the DNS recovery code is activated. Cache deletions
then require more time — up to two hours.
For example, a cache deletion results when you remove an IP address or
host name from an Internet Site document or remove a server from the
list of Domino servers that host the site.
The Domino service provider software recognizes Internet Site
documents during the resulting time-out period. To minimize this
recovery time-out, ensure that there are no invalid host names in your
Internet Site documents. If there are no invalid host names and DNS is
available, then cache deletions occur within five minutes.
The following console message is logged if there are invalid host names
in the Internet Site documents (excluding the Web Site document):
Lookup of IP address for host hostname.com failed
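The following Python script is an added example, not Domino product code. It scans console output for the message quoted above and separates the two causes the section describes: a DNS outage (every configured host name fails to resolve) and invalid host names in the Internet Site documents (only some names fail, and they keep failing on every cache reload). The sample console lines and the list of configured host names are constructed; the timestamp prefix format is an assumption, so only the message body is matched, and the outage heuristic is the author's reading of the page, not a documented Domino rule.

```python
"""Scan Domino console output for failed host lookups (added example).

Not Domino product code.  The message text is the one quoted on the page;
the timestamp prefix on each line is a constructed sample, so only the
message body is matched.
"""
import re
from collections import Counter
from typing import Dict, Iterable

LOOKUP_FAILED = re.compile(r"Lookup of IP address for host (\S+) failed")

# Constructed sample console output (not captured from a real server).
SAMPLE_CONSOLE = """\
03/14/2003 10:02:15 AM  HTTP Server: Started
03/14/2003 10:02:16 AM  Lookup of IP address for host www.acme-old.example failed
03/14/2003 10:02:16 AM  Lookup of IP address for host mail.acmeprinting.example failed
03/14/2003 10:07:20 AM  Lookup of IP address for host www.acme-old.example failed
03/14/2003 10:07:21 AM  Router: Message 00123456 delivered
"""

# Host names entered in the Internet Site documents (constructed list; in a
# real environment they would be read from the Site documents in NAMES.NSF).
CONFIGURED_HOSTS = [
    "www.acme-old.example",
    "mail.acmeprinting.example",
    "www.acmeprinting.example",
]


def failed_hosts(console_text: str) -> Counter:
    """Count how often each host name failed to resolve."""
    counts: Counter = Counter()
    for line in console_text.splitlines():
        m = LOOKUP_FAILED.search(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts


def classify(console_text: str, configured_hosts: Iterable[str]) -> Dict[str, object]:
    """Distinguish a DNS outage from invalid Site-document host names.

    Heuristic (assumption, following the page's description): when DNS itself
    is unavailable every configured host fails to resolve; when only some
    names fail, those names are the invalid entries that keep cache deletions
    in the slow (up to two hours) recovery mode."""
    configured = {h.lower() for h in configured_hosts}
    failed = set(failed_hosts(console_text))
    outage = bool(configured) and failed >= configured
    return {
        "dns_outage_suspected": outage,
        # Names to correct in the Internet Site documents.
        "invalid_hosts": [] if outage else sorted(failed & configured),
        # Failures for names that no Site document contains.
        "unknown_hosts": sorted(failed - configured),
    }


if __name__ == "__main__":
    print(failed_hosts(SAMPLE_CONSOLE))
    print(classify(SAMPLE_CONSOLE, CONFIGURED_HOSTS))
```

Run periodically against the console log, the invalid_hosts list is the set of Site document entries to fix so that cache deletions return to the five-minute path, while a dns_outage_suspected result points at the resolver rather than at the documents.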
Using a browser to access a hosted organization’s Web site
Use a browser to access a hosted organization’s Web site; include the
name of the hosted organization’s directory in the URL. Use this syntax:
http://Web_site_name/hosted_organization/database_name
For example, to access the home page for the hosted organization Acme
Printing, enter:
www.acmeprinting.com/acme_printing/homepage.nsf
For example, to access your own mail file named JSMITH.NSF, at the
hosted organization named Acme Printing, enter:
www.acmeprinting.com/acme_printing/mail/jsmith.nsf
Note You can use a Web Site document to redirect users to other Web
sites.
For more information on redirecting users to other Web sites, see the
chapters “Setting Up the Domino Web Server” and “Installing and
Setting Up Domino Servers.”
Using the Resource Reservations database in a hosted environment
You can create a Resource Reservations database that can be used for the
service provider site and for all hosted organizations. This Resource
Reservations database is created in the Domino data directory.
To create the Resource Reservations database
1. Use the template RESRC60.NTF to create the Resource Reservations
database.
For information on creating a database, see the topic Creating a Database if you have installed Lotus Notes 6 Help. Or, go to http://www.notes.net/doc to download or view Lotus Notes 6 Help.
2. After creating the database, open the new database.
3. Edit the database ACL as follows:
a. To the service provider administrator, assign the “Create
Resource” role which allows the administrator to create new
entries in the database.
b. To default users, assign the “NoAccess” role to prevent users
outside of the hosted organization from accessing the database.
4. Close the database.
Caution Do not assign access rights and roles directly to a hosted
organization. Because the Resource Reservations database is not
automatically protected by an extended ACL, if you assign access rights
and roles to a hosted organization, users in the hosted organization will
be able to open the Resource Reservations database for other hosted
organizations.
To create a Site Profile document to support a hosted organization
In the Resource Reservations database, each hosted organization is
treated as a site. Create a Site Profile document for each individual
hosted organization.
1. From the Domino Administrator, open the new Resource
Reservations database.
2. To add a new hosted organization, click Add Site.
3. Enter the hosted organization name in the Site name field. Using the
hosted organization name sets the extended ACLs on the
Resource/Reservations database for the site, thereby preventing
unauthorized users from accessing this database.
4. Enter the name of the hosted organization in the Domain name field.
5. Click Save and Close.
6. Add resources and reservations to the database.
For more information on the Resource Reservations database, see the
chapter “Setting Up Calendars and Scheduling.”
Viewing hosted organizations
The People and Groups views in the Domino Administrator are
categorized by organization name or by non-hierarchical (flat) name. The
non-hierarchical view is the default. To use the organization view, click
People or click Groups and then click by Organization.
You can view a list of the hosted organizations and corresponding Site
documents in the Domino Directory.
For more information on viewing Web Site and Internet Site documents, see the chapter “Setting Up the Service Provider Environment.”
Managing users at a hosted organization
As a service provider administrator, you have varying levels of
responsibilities for user management, according to the agreements you
have with your various hosted organizations. To perform user
management actions from the service provider site, use the Domino
Administrator to register, delete, or perform any user or group
management action.
If you will be performing all user management actions from the service
provider site, see specific areas of the documentation that explain the
actions you want to perform. For example, you would most likely want
to access these areas of the documentation:
• Registering users
• Managing users
• Creating and modifying groups
• Managing groups
• Deleting a group with the Domino Administrator or the Web Administrator
User management from the hosted organization site
To enable hosted organizations to use the Web Administrator to add and
delete users and groups, see the topic “Web Administration from the
hosted organization” in this chapter.
Using the Web Administrator to manage users at a hosted organization
The hosted organization administrator can use the Domino Web
Administrator to maintain users and groups. Before using the Web
Administrator, the hosted organization administrator must be familiar
with the Web Administrator.
For more information on the Web Administrator, see the chapter “Setting
Up and Using Domino Administration Tools.”
To use the Web Administrator, you must also use the server-based
certification authority (CA). Set up and load the CA before attempting to
access and use the Web Administrator.
For more information on the server-based CA, see the chapter “Setting
Up a Domino Server-Based Certification Authority.”
Note If a hosted organization’s users are registered at the service
provider site, they can be registered with certifier IDs and passwords or
with the Domino server-based CA. To register a user for a particular
hosted organization, ensure that the service provider administrator is
using a certifier created for that hosted organization. Users registered by
the hosted organization administrator at the hosted organization site
must be registered using the Domino server-based CA.
To set up access to the Web Administrator at a hosted organization
site
Before using the Web Administrator, the hosted organization
administrator must have rights in the ACL for WEBADMIN.NSF,
NAMES.NSF, and ADMIN4.NSF. The service provider administrator
must assign these rights to the hosted organization administrators who
are responsible for managing users and groups with the Web
Administrator.
• Add the hosted organization administrator to the HostedOrganizationAdmins group and assign Author access with the People&Groups role in the ACL.
• Add the hosted organization administrator to the LocalDomainAdmins group and assign Manager access and All roles in the ACL.
The hosted organization administrator needs special access in
NAMES.NSF. The service provider administrator assigns these rights to
the hosted organization administrators:
• Add the hosted organization administrator to the HostedOrganizationAdmins group and assign Editor access with the default roles: Create documents, Delete documents, Read public documents, Write public documents, and Replicate or copy documents. Also assign the GroupCreator, GroupModifier, UserCreator, and UserModifier roles.
Give the hosted organization administrator the following access to the Administration Requests database (ADMIN4.NSF):
• Author access with the Create documents and Read public documents roles.
To use the Web Administrator to manage users and groups
To maintain users and groups with the Web Administrator, the hosted organization administrator performs these tasks:
• Registering users with the Web Administrator
• Deleting a user name with the Web Administrator
• Creating a group with the Web Administrator
• Deleting a group with the Web Administrator
Addressing messages to users at a hosted organization
To send mail to users and administrators at a hosted organization, the user names and group names in the sender’s address book must contain full name references that include the Internet domain name in the address or that use a Notes address that includes the domain name. For example:
• An address that includes the Internet name: Robert_Owens@Acme.com, where Acme is the Internet domain name.
• A Notes address that includes the domain name: Robert Owens/hosted_organization@Acme, where “hosted_organization” is the hosted organization name and Acme is the Internet domain name.
14-16 Administering the Domino System, Volume 1
Chapter 15
Setting Up the Administration Process
This chapter describes how to set up the Administration Process, a
program that simplifies administrative tasks, such as deleting users,
creating replicas, and editing ACLs.
The Administration Process
The Administration Process is a program that automates many routine
administrative tasks. For example, if you delete a user, the
Administration Process locates that user’s name in the Domino Directory
and removes it, locates and removes the user’s name from ACLs, and
makes any other necessary deletions for that user. If you want to delete
all replicas of a database, the Administration Process finds the replicas on
servers in the domain and provides an interface for deleting them.
The Administration Process automates these tasks:
• Name management tasks, such as rename person, rename group, delete person, delete group, delete server name, recertify users, and store Internet certificate.
• Mail file management tasks, such as delete mail file and move mail file.
• Server document-management tasks, such as store CPU count, store platform, and place network protocol information in Server document.
• Roaming user management, such as roaming user setup, move roaming users to other servers, upgrade a nonroaming user to roaming status, and downgrade roaming user to nonroaming status.
• User mail file management tasks, such as performing Access Control List (ACL) changes and enabling agents. For example, the “Out of Office” agent is enabled and disabled by Notes client users.
• Person document management tasks, such as storing the user’s Notes version and client platform information.
• Replica management tasks, such as create replica, move replica, or delete all replicas of a database.
Administration servers
Administration servers control how the Administration Process does its
work. You specify an administration server for the Domino Directory
and for specific databases. By default, the first Lotus Domino server you
set up in a domain is the administration server for the Domino Directory.
The administration server for the Domino Directory maintains the Domino Directory’s ACL and performs deletion and name change operations in that Domino Directory; these changes are then replicated to other servers in the domain. If you have multiple directories in your domain (not replicas of other domains’ directories, but more than one of your own), you can specify an administration server for each of the directories in your domain. Do not specify an administration server in your domain for a replica of another domain’s Domino Directory.
All databases need an administration server to manage name changes
and deletions that apply to the database — for example, changes to the
ACL, Readers and Authors fields, or Names fields. If a database has
replicas, you assign an administration server to only one replica. Then
the Administration Process makes all changes to that replica, and
replication for that database carries out the changes in all other replicas.
You can also set up one or more extended administration servers to
distribute across multiple servers the processing of administration
requests that modify the Domino Directory.
For more information on extended administration servers, see the topic
“Using an extended administration server” later in this chapter.
The Administration Requests database
The Administration Requests database (ADMIN4.NSF) is created on the
administration server for the Domino Directory when that server starts
for the first time. Requests for work to be done by the Administration
Process are stored in the Administration Requests database. The status of
work done by the Administration Process is also stored there as response
Log documents to the requests, in the form of Administration Request
documents. To complete tasks, the Administration Process posts and
responds to requests in the Administration Requests database. Domino
servers use replicas of this database to distribute requests made on one
server to other servers in the domain.
When other servers start, if the Administration Requests database does
not exist, the server creates a replica stub of the Administration Requests
database and waits for it to be initialized from another server in the
domain. Every server in the domain stores a replica of the
Administration Requests database and the Domino Directory.
The Administration Requests database also acts as the interface to the
Domino Certificate Authority requests. It is the responsibility of the
Registration Authority to monitor the status of the Certification
Authority (CA) Requests. The CA requests can be removed from the
view or resubmitted for processing in the same manner as the
Administration Process Requests.
For more information on working with requests see the topics “The
Administration Requests database” and “Managing Administration
Process requests” in this chapter.
For more information on the Registration Authority (RA), see the chapter
“Setting Up a Domino Server-Based Certification Authority.”
The Certification Log
To use the Administration Process to perform name changes and
recertifications, the Certification Log (CERTLOG.NSF) must reside on the
server that stores the Domino Directory in which you will initiate the
name change or recertification. If the Certification Log exists on another
server, move the Certification Log to the server containing the Domino
Directory on which you are initiating the name change or recertification.
The Certification Log contains a permanent record of how you register
servers and users, including information about the certifier ID. The
Certification Log also contains messages that describe the results of
recertification requests that the Administration Process is processing.
For more information on the Certification Log, see the chapter “Installing
and Setting Up Domino Servers.”
Specifying the administration server for the Domino Directory
Choosing the administration server for the Domino Directory depends on your network setup, the available equipment, and the anticipated changes that will be made to the Domino Directory via the Administration Process. Large numbers of name-management operations (rename and delete requests, for example) result in many changes to the Domino Directory, and the subsequent view rebuilding affects performance. Making a heavily accessed server the administration server of the Domino Directory results in slow server performance from a user’s perspective. Giving only one, or a few, servers the responsibility of being the administration server of many databases may result in that server continually processing delete and name change requests. Choosing the administration server also involves planning how to assign administration servers for other databases in the domain, because all name management operations require extensive searching of databases to determine which server is the administration server for the ACLs, Reader and Author fields, Name fields and unread lists. When choosing the administration server for databases in a domain, your choices include:
• Using a hub server as the administration server for the Domino Directory and for other databases.
• Using a dedicated registration server as the administration server for the Domino Directory and using one or more separate hub servers as administration servers for other databases.
• Using a multifunction server as the administration server for the Domino Directory and distributing administration responsibilities for the other databases to other servers.
• Setting multiple administration servers, called extended administration servers, for the Domino Directory to provide for less centralized, more regional, directory management.
If the domain has only a few servers, consider using one administration server for both the Domino Directory and other databases. The majority of the administration server’s resources are used for updating the Domino Directory and replicating to keep the Domino Directory consistent across the domain. The responsibility of the administration server of other databases is to maintain ACLs; Reader, Authors, and Names fields; and unread lists during name management operations. While this option centralizes administration, it may result in slower server performance as the domain grows and the use of the Administration Process to update the Domino Directory and maintain databases increases.
A second option involves using a dedicated registration server as the
administration server for the Domino Directory. You limit this server’s
responsibility to the processing of Domino Directory changes. You can
then use other servers, such as database hubs, for processing ACL
changes to other databases. To do so, specify the database hub as the
administration server for those databases. You can divide the
responsibility for database ACL changes among several administration
servers; but, you must make sure that when there are multiple replicas of
a database in the domain, you assign an administration server for only
one replica.
A third option involves using multiple servers to maintain the Domino Directory. If your domain is geographically dispersed, having a single administration server for the Domino Directory means all administration requests for Domino Directory changes have to replicate to this one server and the resultant changes have to replicate back. If your company is organized hierarchically, that is, it is composed of multiple organizations and organizational units, extended administration servers can be assigned to maintain the directory documents associated with people, groups, and servers whose names have that organization or organizational unit component.
Using a server that contains mail and other databases as the
administration server for the Domino Directory is possible, but is not
recommended for performance reasons.
Always run the most recent version of Lotus Domino 6 on the
administration server of the Domino Directory and the extended
administration servers, so that you can use all of the newest
Administration Process features.
Note If you use an LDAP client to administer the Domino Directory, the
Administration Process is not aware of these changes and does not
extend the changes to other databases. For example, if you delete a
Person document, you must manually remove references to that person’s
name in other places that it occurs because the Administration Process
does not do this for you.
For more information on extended administration servers, see the topic
“Using an extended administration server” later in this chapter.
Setting up the Administration Process
To set up the Administration Process, you must complete these tasks:
1. Specify the administration server for the Domino Directory in the
domain. This is done during installation.
For more information on installing a server, see the chapter “Installing and Setting Up Domino Servers.”
2. Specify an administration server for databases in the domain.
3. (Optional) Set up cross-domain processing to enable an
administration server in one domain to export requests to and/or
import requests from an administration server in another domain.
4. Verify that the administration process is set up correctly.
5. Set up ACLs for the Administration Process.
Specifying an administration server for databases
The Administration Process uses administration servers to manage
administrative changes that apply to databases. Either the administrator
or the database manager can specify the administration server for a
database. Perform this procedure on an as-needed basis.
Note To change the administration server for a database, you must have
Manager access to the database or be designated as a Full access
administrator on the Security tab of the Server document.
1. From the Domino Administrator, open the domain containing the
server with the database for which you are setting an administration
server.
2. From the Servers pane, select the server containing the database for which you are setting an administration server.
3. Click the Files tab and then select the database to which you are
assigning an administration server.
4. From the Tools pane, click Tools - Database - Manage ACL.
5. Click Advanced.
6. Complete these fields and then click OK:
Verifying that the Administration Process is set up correctly
After you set up the administration server and the Administration
Process, verify that both are running correctly.
1. From the Domino Administrator, click Server - Analyses -
Administration Requests(6).
2. Open the “All Requests by Action” view.
3. Verify that the request “Put server’s Notes build number into Server
record” appears in the view.
4. Sixty minutes after the Administration Process begins running, open
the Administration Requests database again and open the response
Log document for the request.
Note Log documents are listed directly beneath the request that the
document pertains to. The heading Administration Request - Log
appears at the top of each Log document.
5. Review the information in the response Log document to ensure that
the request has run.
6. Complete the procedure, “Setting up ACLs for the Administration
Process.”
Administration Process support of secondary Domino Directories
Domino supports the use of secondary Domino Directories for
maintaining user names and groups that you want to store in a directory
other than your primary Domino Directory, NAMES.NSF. For example,
you may want to maintain Notes users with Notes IDs in NAMES.NSF,
but maintain Web-only users in a secondary Domino Directory.
A secondary Domino Directory can use the same administration server
as your primary Domino Directory, NAMES.NSF, or you can designate
another server as the administration server for the secondary directory.
When you initiate a name-management or group-management action
from a secondary Domino Directory, the administration process records,
in the Administration Request document, the replica ID of the secondary
directory. When a server locates and then attempts to process a
name-management or group-management administration request, the
server checks for the replica ID. If there is no replica ID stored in the
Administration Request document, the administration server for
NAMES.NSF processes the request.
If a replica ID is located, the server attempts to open the database. If it is successful, the server checks the ACL to determine whether it is the administration server for that directory. If so, the server processes the request. If it is not the administration server for that directory, the server leaves the request to be processed by the appropriate administration server. If the server is unable to open the database, it ignores the request.
For more information on secondary Domino Directories, see the chapter
“Setting up Directory Assistance.”
For more information on designating a server as an administration
server, see the topic “Specifying an administration server for databases”
earlier in this chapter.
Processing administration requests across domains
You set up Cross-domain Configuration documents to enable a server in
one domain to mail administration requests to a server in another
domain. Set up the Cross-domain Configuration document after you
specify an administration server for the Domino Directory in each
domain. The Administration Process for the Domino Directory must be
set up on a server in each domain. Cross-domain processing works only
when the administration server of the Domino Directory is a Lotus
Domino Release 5 or more recent server.
These tasks can be processed across domains:
• Delete person in Domino Directory
• Delete server in Domino Directory
• Rename server in Domino Directory, that is, upgrade the server name from flat to hierarchical
• Rename person in Domino Directory
• Create replica
• Get replica information for deletion. This request is generated when you delete a database and its replicas.
Note During cross-domain processing, any requests imported from
another domain and any subsequent requests created by the imported
requests are processed by Lotus Domino Release 5 and more recent
servers only.
Setting up cross-domain processing of administration requests
To set up cross-domain processing of administration requests, you need to do the following:
• Create the necessary cross-certificate documents in the Domino Directory. Requests going to another domain require cross certificates between the two domains.
• Create a Connection document in the Domino Directory allowing a server in one domain to connect to a server in another domain. Each domain must have a Connection document.
• Create one or more Cross-domain Configuration documents in the Administration Requests database for each domain from which you will import administration requests and to which you will export administration requests.
Edit the Directory Profile document for the Domino Directory to include the names of anyone allowed to create a Cross-domain Configuration document. On the Directory Profile document, add the administrators’ names to the “List of administrators who are allowed to create Cross-domain Configuration documents in the administration requests database” field. If a Cross-domain Configuration document is created by someone whose name is not in that field or who is not a manager of the Domino Directory, that configuration is ignored.
The Administration Requests database contains Cross-domain
Configuration documents that specify how domains exchange and
process administration requests. When you configure a Cross-domain
Configuration document, you designate the trusted entities, which are
persons, servers, or certifiers. All requests received from the domain
must be signed by one of its trusted entities. Rename requests are the
exception; they are signed by certifiers so their validity is determined by
the certificates and the cross-certificate in the destination domain’s
Domino Directory. For Rename requests going to another domain, there
must be appropriate cross-certificates between the two domains.
Additionally, the Domino Directory of the destination domain must
either have all Certifier documents, with the certifier’s public key, for the
organizational structure represented in the name change request, or it
must be able to access those Certifier documents from a trusted Directory
specified via Directory Assistance.
For more information on setting up trusted directories via Directory
Assistance, see the chapter “Setting Up Directory Assistance.”
For more information on Certifier documents, see the chapter “Installing
and Setting Up Domino Servers.” For more information on
cross-certificates, see the chapter “Protecting and Managing Notes IDs.”
Benefits of cross-domain processing
Cross-domain processing offers these benefits:
1. Processing administration requests across domains can protect the
integrity of the data in databases. For example, if a person is deleted
from the directory in one domain, corresponding deletions occur in
the other domains.
2. Access to information is enhanced because a name change is
propagated to other domains. For example, people and servers
registered in one domain can also be listed in the directory
documents and database ACLs in another domain. Cross-domain
processing allows users and servers to have access to databases and
servers in both domains.
3. Applications are easily distributed because databases are easily
replicated from servers in one domain to servers in other domains.
Administrators do not have to install and update applications
individually on all servers.
Creating a Cross-domain Configuration document
1. Make sure that you have already set up the necessary Connection
documents and cross certificates to allow communication between
the servers.
2. From the Domino Administrator, choose Server - Analysis -
Administration Requests(6).
3. Choose the Cross Domain Configuration view and click “Add
Configuration.”
4. On the Configuration Type tab, choose one of these:
• Inbound to create an inbound request configuration
• Outbound to create an outbound request configuration
5. If you chose Inbound in Step 4, click Inbound Request Configuration and then complete these fields:
Receive AdminP requests from domains
  The name of one or more domains from which this server will receive requests.
List of AdminP requests allowed from other domains
  Select any of these requests that this server will accept from other domains and then click OK: Create Replica; Delete Person in Address Book; Delete Server in Address Book; Get Replica Information for Deletion.
Fields of the outbound request configuration:
Domains to submit AdminP requests to
  The name of one or more domains to which this server will send requests.
List of AdminP requests to submit
  Select any of these requests that this server will send and then click OK: Create Replica; Delete Person in Address Book; Delete Server in Address Book; Get Replica Information for Deletion; Rename Person in Address Book; Rename Server in Address Book.
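The acceptance rules described in this section (the source domain must be configured, the request type must be on the allowed list, the request must be signed by one of the domain's trusted entities, and Rename requests are instead judged by the cross-certificate held for the signing certifier) can be followed end to end in a small model. The Python below is an added example and not Domino code; it reproduces those rules over constructed data. The domain names (Acme, Beta, Gamma), the entity names, the helper names (certified_under, evaluate, triage) and the sample requests are all assumptions made for the illustration; the matching of a certifier such as /O=Beta to every name under it is a simplification of Domino's certificate checking.

```python
"""Model of how a server evaluates an inbound cross-domain administration
request. Added example, not Domino code: it reproduces the rules stated in
the text (source domain configured, request type allowed, request signed by
a trusted entity, Rename requests judged by the cross-certificate instead)
in plain Python. Domain names, entity names and requests are constructed."""
from dataclasses import dataclass

RENAME_REQUESTS = {"Rename Person in Address Book",
                   "Rename Server in Address Book"}


@dataclass(frozen=True)
class InboundConfig:
    """One Cross-domain Configuration document of type Inbound."""
    from_domains: frozenset      # "Receive AdminP requests from domains"
    allowed_requests: frozenset  # "List of AdminP requests allowed from other domains"
    trusted_entities: frozenset  # persons, servers or certifiers (hierarchical names)
    cross_certified: frozenset   # certifiers this domain holds a cross-certificate for


@dataclass(frozen=True)
class AdminRequest:
    source_domain: str
    action: str
    signer: str   # hierarchical Notes name of the signing person, server or certifier


def certified_under(name, entities):
    """A person or server in entities matches exactly; a certifier such as
    /O=Beta matches every name whose hierarchy ends with it (simplification)."""
    for entity in entities:
        if name == entity:
            return True
        if name.endswith("/" + entity.lstrip("/")):
            return True
    return False


def evaluate(request, cfg):
    """Return (accepted, reason) for one inbound request."""
    if request.source_domain not in cfg.from_domains:
        return False, "domain not configured for inbound requests"
    if request.action not in cfg.allowed_requests:
        return False, "request type not allowed from other domains"
    if request.action in RENAME_REQUESTS:
        # Rename requests are signed by a certifier; validity rests on the
        # certificates and the cross-certificate in this domain's Directory.
        if certified_under(request.signer, cfg.cross_certified):
            return True, "rename request signed by cross-certified certifier"
        return False, "no cross-certificate for signing certifier"
    if certified_under(request.signer, cfg.trusted_entities):
        return True, "signed by trusted entity"
    return False, "signer is not a trusted entity"


def triage(requests, cfg):
    """Split requests into accepted and rejected lists, the counts the
    Cross Domain Request Accepted / Rejected statistics would reflect."""
    accepted, rejected = [], []
    for req in requests:
        ok, why = evaluate(req, cfg)
        (accepted if ok else rejected).append((req.action, req.signer, why))
    return accepted, rejected


# Constructed configuration: the Acme domain accepts three request types
# from the Beta domain, trusts Beta's hub server and Beta's Admins certifier,
# and holds a cross-certificate for /O=Beta.
CONFIG = InboundConfig(
    from_domains=frozenset({"Beta"}),
    allowed_requests=frozenset({"Delete Person in Address Book",
                                "Create Replica",
                                "Rename Person in Address Book"}),
    trusted_entities=frozenset({"CN=Beta Hub/O=Beta", "/OU=Admins/O=Beta"}),
    cross_certified=frozenset({"/O=Beta"}),
)

# Constructed inbound requests, three acceptable and three not.
SAMPLE_REQUESTS = [
    AdminRequest("Beta", "Delete Person in Address Book", "CN=Beta Hub/O=Beta"),
    AdminRequest("Beta", "Delete Person in Address Book", "CN=Eve Lee/OU=Sales/O=Beta"),
    AdminRequest("Beta", "Delete Server in Address Book", "CN=Beta Hub/O=Beta"),
    AdminRequest("Gamma", "Create Replica", "CN=Gamma Hub/O=Gamma"),
    AdminRequest("Beta", "Rename Person in Address Book", "/OU=Sales/O=Beta"),
    AdminRequest("Beta", "Create Replica", "CN=Ann Roe/OU=Admins/O=Beta"),
]

if __name__ == "__main__":
    accepted, rejected = triage(SAMPLE_REQUESTS, CONFIG)
    for action, signer, why in accepted:
        print("ACCEPT", action, signer, "-", why)
    for action, signer, why in rejected:
        print("REJECT", action, signer, "-", why)
```

The second sample request is the case worth noticing: it comes from a configured domain and carries an allowed action, yet a person under /OU=Sales is not one of the trusted entities, so it is rejected, whereas the Rename request signed by the /OU=Sales certifier is accepted because the cross-certificate for /O=Beta covers it.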
Access required for Administration Process tasks. For each task, the entries give the access the administrator needs in the Domino Directory, in ADMIN4.NSF, and in other databases.

Add a resource to or delete a resource from the Resource Reservations database
  Domino Directory: None. However, the Administration Process updates the Domino Directory to reflect the change.
  ADMIN4.NSF: Author with Create documents access.
  Other databases: CreateResource role in the Resource Reservations database.

Add group
  Domino Directory: Author with Create documents access and GroupModifier role.
  ADMIN4.NSF: Author with Create documents and the ServerModifier role.

Add users to group
  Domino Directory: Author with GroupModifier role. If the administrator has access greater than Author, that access is sufficient.

Add servers to and remove servers from a cluster
  Domino Directory: One of these: Author access and ServerModifier role; Editor access.
  ADMIN4.NSF: Author with Create documents access.
  Other databases: None.

Approve a request to move a user name to another hierarchy
  Domino Directory: One of these: Author with Create documents access and UserModifier/ServerModifier role; Editor access.
  ADMIN4.NSF: Editor access.
  Other databases: Author with Create documents access to the Certification Log.

Approve the deletion of a resource from the Resource Reservations database
  Domino Directory: Delete documents access.
  ADMIN4.NSF: Editor access.
  Other databases: None.

Create mail files automatically during user registration
  Domino Directory: Author access with the UserCreator role.
  ADMIN4.NSF: Author with Create documents access.
  Other databases: Create new database access on the registration server.

Create replicas of databases
  Domino Directory: No requirement.
  ADMIN4.NSF: Author with Create documents access.
  Other databases: All of these: Create replica access to the destination server; Reader access to the database on the source server. In addition, the source server must have Create replica access to the destination server, and the destination server must have Reader access to one replica of the database.

Delete group
  Domino Directory: One of these: Author with Delete documents access and the GroupModifier role; Editor access.
  ADMIN4.NSF: Author with Create documents access.
  Other databases: None.

Delete servers
  Domino Directory: One of these: Author with Delete documents and the ServerModifier role; Editor access.
  ADMIN4.NSF: Author with Create documents access.
  Other databases: None.

Delete users*
  Domino Directory: One of these: Author with Delete documents access and the UserModifier role; Editor access.
  ADMIN4.NSF: Author with Create documents access.
  Other databases: None.

Delete users and their mail files*; delete users and their private design elements
  Domino Directory: One of these: Author with Delete documents and the UserModifier role; Editor with Delete documents access.
  ADMIN4.NSF: Editor.
  Other databases: None.

Enable password-checking during authentication
  Domino Directory: Editor access.
  ADMIN4.NSF: Author with Create documents access.
  Other databases: None.

Find name
  Domino Directory: Editor access with UserModifier role.
  ADMIN4.NSF: None.
  Other databases: None.

Move replicas from a cluster server
  Domino Directory: None.
  ADMIN4.NSF: Author with Create documents access.
  Other databases: Both of these: the same access as for “Create replicas of databases”; Manager access to the original database.

Move replicas from a non-clustered server
  Domino Directory: None.
  ADMIN4.NSF: Editor.
  Other databases: Both of these: the same access as for “Create replicas of databases”; Manager access to the original database.

Move user to another server
  Domino Directory: One of these: Author access and UserModifier role; Editor access.
  ADMIN4.NSF: Editor.
  Other databases: Create replica access on the new mail server. In addition, the old mail server must have Create replica access to the new mail server, and the person whose mail file is being moved must be running a Notes Release 5 or higher client.

Recertify user IDs and server IDs
  Domino Directory: One of these: Author with Create documents access and UserModifier/ServerModifier role; Editor access.
  ADMIN4.NSF: Author with Create documents access.
  Other databases: Author with Create documents access to the Certification Log.

Register user
  Domino Directory: Author with Create documents access and UserCreator role.
  ADMIN4.NSF: Author with Create documents access if using the Administration Process for background processing.
  Other databases: If creating mail files or roaming files, Create database access on the mail server and/or roaming server, accordingly. If creating replicas, Create Replica access on the replica servers. If CERTLOG.NSF resides on the registration server, Create document access to CERTLOG.NSF is required.

Remove all replicas of a database
  Domino Directory: None.
  ADMIN4.NSF: None.
  Other databases: None.

Rename users and convert users and servers to hierarchical naming
  Domino Directory: One of these: Author with Create documents access and UserModifier/ServerModifier role; Editor access.
  ADMIN4.NSF: Author with Create documents access.
  Other databases: Author with Create documents access to the Certification Log.

Sign database
  Domino Directory: None.
  ADMIN4.NSF: None.
  Other databases: None.

Specify the Master Address Book name in Server documents
  Domino Directory: One of these: Author access with ServerModifier role; Editor access.
  ADMIN4.NSF: Author with Create documents access.
  Other databases: None.

Add Internet certificate
  Domino Directory: Editor.
  ADMIN4.NSF: Author with Create documents access.
  Other databases: None.
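The table above, like the ACL rights given to the hosted organization administrator in the previous chapter, is a least-privilege specification: each cell names a minimum access level, sometimes with a required role or document privilege, and “One of these” cells offer alternatives. The following Python is an added example, not Domino code and not a call into the Notes API: it encodes a few rows of the table as data and checks a proposed ACL entry against them, so an administrator can confirm before assigning access that an entry meets a row without exceeding it. The administrator name, the two sample ACL configurations and the helper names (AclEntry, Requirement, satisfies, missing_access) are constructed for the illustration; it also assumes that Editor and higher levels imply the Create documents privilege and writes role names without the brackets Domino displays.

```python
"""Check Domino ACL entries against the minimum access the Administration
Process requires for a task. Added example, not Domino code: it encodes a
few rows of the access table, plus the rights given to the hosted
organization administrator, as data and tests a proposed ACL entry against
them. It never calls the Notes API. Names and entries are constructed."""
from dataclasses import dataclass

# Domino access levels, lowest to highest.
ACCESS_LEVELS = ["No Access", "Depositor", "Reader", "Author",
                 "Editor", "Designer", "Manager"]


def level_rank(level):
    """Position of an access level in the Domino ordering."""
    return ACCESS_LEVELS.index(level)


@dataclass(frozen=True)
class AclEntry:
    """One ACL entry as shown under Tools - Database - Manage ACL.
    Roles are written without the brackets Domino displays (assumption)."""
    name: str
    level: str
    roles: frozenset = frozenset()
    create_documents: bool = False   # explicit privilege; matters at Author
    delete_documents: bool = False

    def can_create(self):
        # Model assumption: Editor and above always create documents.
        return self.create_documents or level_rank(self.level) >= level_rank("Editor")


@dataclass(frozen=True)
class Requirement:
    """One alternative from a table cell, e.g. 'Author with Delete documents
    access and the UserModifier role'."""
    level: str
    roles: frozenset = frozenset()
    create_documents: bool = False
    delete_documents: bool = False


def satisfies(entry, req):
    """True when the entry grants at least what the requirement asks for."""
    if level_rank(entry.level) < level_rank(req.level):
        return False
    if req.create_documents and not entry.can_create():
        return False
    if req.delete_documents and not entry.delete_documents:
        return False
    return req.roles <= entry.roles


# Rows transcribed from the table: database -> alternatives ("One of these").
# A database not listed for a task needs nothing ("None" in the table).
TABLE = {
    "Delete users": {
        "NAMES.NSF": [Requirement("Author", frozenset({"UserModifier"}),
                                  delete_documents=True),
                      Requirement("Editor")],
        "ADMIN4.NSF": [Requirement("Author", create_documents=True)],
    },
    "Register user": {
        "NAMES.NSF": [Requirement("Author", frozenset({"UserCreator"}),
                                  create_documents=True)],
        "ADMIN4.NSF": [Requirement("Author", create_documents=True)],
    },
    "Add Internet certificate": {
        "NAMES.NSF": [Requirement("Editor")],
        "ADMIN4.NSF": [Requirement("Author", create_documents=True)],
    },
}


def missing_access(task, acls):
    """Databases whose entry for the administrator meets none of the
    alternatives for the task. acls maps database file name -> AclEntry."""
    problems = []
    for database, alternatives in TABLE[task].items():
        entry = acls.get(database)
        if entry is None or not any(satisfies(entry, r) for r in alternatives):
            problems.append(database)
    return problems


# Constructed sample: the entries the hosted organization section prescribes
# (Editor plus the four directory roles in NAMES.NSF; Author with Create
# documents in ADMIN4.NSF).
ADMIN = "CN=Hosted Admin/O=HostedOrg"   # constructed name
PRESCRIBED = {
    "NAMES.NSF": AclEntry(ADMIN, "Editor",
                          frozenset({"GroupCreator", "GroupModifier",
                                     "UserCreator", "UserModifier"})),
    "ADMIN4.NSF": AclEntry(ADMIN, "Author", create_documents=True),
}

# Constructed sample: a narrower entry with no roles and no Delete documents.
NARROW = {
    "NAMES.NSF": AclEntry(ADMIN, "Author", create_documents=True),
    "ADMIN4.NSF": AclEntry(ADMIN, "Author", create_documents=True),
}

if __name__ == "__main__":
    for task in TABLE:
        print(f"{task}: prescribed -> {missing_access(task, PRESCRIBED) or 'ok'}; "
              f"narrow -> {missing_access(task, NARROW) or 'ok'}")
```

Extending TABLE with the remaining rows is mechanical; the useful part of the check is that a role requirement is not waived by a higher access level unless the row itself lists that level as an alternative, which is exactly how the “One of these” cells read.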
Views in the Administration Requests database and what each displays:
Administrative Attention Required
  Requests that warrant attention and may require action on the part of the administrator.
Pending Administrator Approval
  Requests that require administrator approval before processing can be completed.
All Activity by Server
  Responses to requests, sorted by server.
All Errors by Date
  Responses with errors encountered, sorted by date.
All Errors by Server
  Responses with errors encountered, sorted by server.
All Requests by Action
  Requests and responses, sorted by action.
All Requests by Name
  Requests and responses, sorted by name.
All Requests by Server
  Requests and responses, sorted by server.
Name Move Requests
  Requests to move a user’s name in the name hierarchy.
Cross Domain - Configuration
  Cross-domain configurations sorted by domain and then by inbound requests that are accepted and outbound requests that are accepted.
Cross Domain - Delivery Failures
  Requests that cannot be delivered to the inbound domain.
Certificate Requests
  Requests to create an Internet certificate and requests to create a Notes certificate. This view is typically monitored by the administrator who has been designated Certification Authority and Registration Authority.
Revocation Requests
  Requests to revoke an Internet certificate. This view is typically monitored by the administrator who has been designated Certification Authority and Registration Authority.
Configuration Updates
  Requests that have generated updates to the Certifier document in the Domino Directory and the Certificate Authority Configuration document in the Issued Certificate List (ICL) database.
Recovery Information Updates
  Requests to update the recovery information for a certifier. This view is typically monitored by the administrator who has been designated Certification Authority and Registration Authority. For more information on ID recovery, see the topics “ID recovery” and “Recovering an ID” in the chapter “Protecting and Managing Notes IDs.”
Administration Process fields and what to enter:
Interval
  The number of minutes that pass between the processing of name-management requests (rename, delete, and recertify). The default is 60 minutes.
Execute once a day requests at
  The time when updates to Person documents occur and “Rename person in unread lists” requests run. The default is 12 AM.
Interval between purging mail file and deleting when using object store
  The number of days that pass between running the Object Collect task against a mail file that uses shared mail and deleting the mail file. The default is 14 days.
Start executing on
  The day on which updates to Authors and Readers fields in a database and discovery of shared and private design elements for a deleted person occur. The default is Sunday.
Start executing at
  The time when the updates to Authors and Readers fields in a database and discovery of shared and private design elements for a deleted person occur. The default is 12 AM.
Mail file moves expire after
  The number of days during which the Notes client will update mail-related changes. The default is 21 days. Valid values are 7 to 60, inclusive.
Store Admin Process log entries when status of no change is recorded
  Logs a “No change” status entry in the Administration Process log each time a database is scanned to determine whether an administration request requires a change to that database and no change is made. The default is No. Keeping this field set to “No” may greatly reduce the size of the Administration Requests database. For more information on controlling the size of the Administration Requests database, see the topic “Controlling the size of the Administration Requests database.”
(Optional) Suspend Admin Process at
  Time when the Administration Process stops processing requests. To conserve server resources, suspend the Administration Process during peak computer hours. For more information on suspending the Administration Process, see the topic “Suspending administration request processing.”
(Optional) Restart Admin Process at
  Time when the Administration Process starts processing requests again. To conserve server resources, set the Administration Process to restart during non-peak computer usage hours. For more information on suspending the Administration Process, see the topic “Suspending administration request processing.”
Administration Process statistic / Reason for update to statistic

ACLsModified: Statistic is updated when the Administration Process modifies a database ACL.

ReaderAuthorModified: Statistic is updated when the Administration Process modifies a database due to a user name change, resulting in a change to Reader and/or Author fields for that database.

DirectoryDocumentsModified: Statistic is updated when the Administration Process modifies entries in the Domino Directory, for example, when a user is renamed.

DirectoryDocumentsAdded: Statistic is updated when the Administration Process updates entries in the Domino Directory, for example, when Mail-In database entries are added for future processing.

Cross Domain Request Sent: Statistic is updated when the Administration Process sends requests from one domain to another domain. This occurs when cross-domain processing is enabled.

Cross Domain Request Rejected: Statistic is updated when the Administration Process receives or rejects requests from another domain. This occurs when cross-domain processing is enabled.

Cross Domain Request Accepted: Statistic is updated when the Administration Process receives or accepts requests from another domain. This occurs when cross-domain processing is enabled.
Message / Occurs during / Corrective action to take

Message: The time after which this request can be processed has not been reached. This request cannot be processed until time; check the Perform request again? box after time.
Occurs during: Renaming; Recertification
Corrective action to take: When the time arrives, select “Perform request again” in the response Log document.

Message: The date after which this request is no longer valid has passed. This request could only be processed until time; the current date and time is time.
Occurs during: Renaming; Recertification
Corrective action to take: Resubmit the request from the Domino Directory.

Message: This name does not appear in the ACLs of any databases designating server as their Administration Server.
Occurs during: Renaming; Deletion
Corrective action to take: None

Message: The mail file was previously deleted on server by a Delete Mail File administration request.
Occurs during: Delete all replicas of a mail file when deleting a user name
Corrective action to take: None

Message: The mail file specified for this person in the Address Book does not exist on this server.
Occurs during: Delete all replicas of a mail file when deleting a user name
Corrective action to take: None

Message: A replica of this person’s mail file does not exist on this server.
Occurs during: Delete all replicas of a mail file when deleting a user name
Corrective action to take: None

Message: The signature on this request has expired.
Occurs during: Renaming
Corrective action to take: Resubmit the request from the Domino Directory.

Message: The issuer of this request does not have the proper authority.
Occurs during: Renaming
Corrective action to take: Resubmit the request from the Domino Directory. Be sure to use a certifier ID that is an ancestor of the user ID.
Message: All of the required fields in the request have not been signed. Cause of error: An unauthorized person or a non-Domino program edited a posted request. This indicates a failed security attack.
Occurs during: Any request
Corrective action to take: Resubmit the request from the Domino Directory.

Message: The request’s new public key does not match the designated server. Cause of error: The key in the request doesn’t match that in the Server document.
Occurs during: Copy Server’s Certified Public Key
Corrective action to take: Delete the request, and then shut down and restart the appropriate server to issue a new request. Delete the public key from the Server document.

Message: The existing public key is newer than the public key in the request. Cause of error: The server was recertified before this request could be carried out.
Occurs during: Copy Server’s Certified Public Key
Corrective action to take: None

Message: The request’s signer and the designated server are not the same. Cause of error: The server specified in the request did not sign the request. This may indicate a failed security attack from a forged request or a request generated by a non-Domino program.
Occurs during: Place Server’s Notes Build Number into Server Record
Corrective action to take: Delete the original request and then restart the server. Click “Perform request again” in the response Log document.

Message: The selected certifier is not the target certifier in the move request. Cause of error: The target certifier is not the one you specified when you issued the original request.
Occurs during: Request Move to New Certifier
Corrective action to take: Reissue the request and specify the correct certifier.
Message: A required certifier was not found in the Address Book. If you see the error when the administrator is performing an action, the Certifier or Cross-Certifier document is identified in the Notes Log on the administrator’s client. If the Administration Process reports the error, the Certifier or Cross-domain Certifier document is identified in the log (LOG.NSF) of the server that reported the error.
Occurs during: Initiate Rename in Domino Directory; Recertify Server in Domino Directory; Recertify Person in Domino Directory; Rename Person in Domino Directory; Rename Server in Domino Directory
Corrective action to take: Do the following:
1. Create the necessary Certifier document(s) in the Domino Directory.
2. For each Certifier document, copy the certified public key from the certifier ID to the Certifier document in the Domino Directory.
3. At the server console, enter load updall names.nsf -t $certifiers.
4. Click “Perform request again” in the response Log document.

Message: The change request was not for a server or person. Cause of error: An unauthorized person or a non-Domino program edited a posted request. This can indicate a failed security attack.
Occurs during: Rename
Corrective action to take: Resubmit the request from the Domino Directory.

Message: The Administration Process cannot set the target time for processing requests.
Occurs during: Delete Unlinked Mail File
Corrective action to take: Restart the server, and then click “Perform request again” in the response Log document.

Message: This type of Administration Request cannot be performed on a non-hierarchical server.
Occurs during: All requests except Copy Server’s Certified Public Key and Place Server’s Notes Build Number Into Server Record
Corrective action to take: Upgrade the server to hierarchical naming so you can complete all Administration Process requests on it.
Message: The Administration Process is not designed to support this type of Administration Request.
Occurs during: When a server running an older version of Notes encounters a Domino 5.0 Administration Request. An older server is unable to process the request.
Corrective action to take: Upgrade the server to the current release.

Message: The name to act on was not found in the Address Book. Cause of error: The public key is corrupt in the Person or Server document.
Occurs during: Renaming; Recertification
Corrective action to take: Delete the corrupted public key from the Server or Person document.
From a Server document:
1. From the Domino Administrator, select a server and click the Configuration tab.
2. Click Edit document.
3. Click the Miscellaneous tab.
4. Delete the public key from the Certified Public Key field, or if you are adding one, enter a public key.
5. Click Save and Close.
From a Person document:
1. From the Domino Administrator, click the People & Groups tab.
2. Select the person whose Person document you are modifying.
3. Click Edit Person.
4. Click the Public Keys tab.
5. Delete the public key from the Certified Public Key field, or if you are adding one, enter a public key.
6. Click Save and Close.
Message: The administrator or database manager requesting the delete action needs Author access (or greater) to the Address Book. The requests require at least Author (with Delete documents) access with the appropriate role (UserModifier, ServerModifier, or GroupModifier). The person must have access to the replica of the Domino Directory used to submit the request and to the replica on the administration server for the Domino Directory.
Occurs during: Delete user, server, or group
Corrective action to take: Give the person making the request the appropriate access to the Domino Directory, and then select “Perform request again” in the response Log document.

Message: The person requesting the delete action cannot delete documents in the Address Book. Cause of error: This can indicate a failed attempt by an unauthorized person to delete documents from the Domino Directory.
Occurs during: Delete users, servers, groups, or resources
Corrective action to take: The person submitting the request doesn’t have appropriate access to the replica of the Domino Directory. Give the person making the request the appropriate access to the Domino Directory.

Message: The Administration Process cannot set the execution time for a spawned request.
Occurs during: Delete Mail file
Corrective action to take: Restart the server and then click “Perform request again” in the response Log document.

Message: This server is not currently a member of a cluster. This database cannot be marked for deletion.
Occurs during: Remove Server from Cluster
Corrective action to take: Manually delete the database.

Message: The Author of the Administration Request is not allowed to create databases on this server.
Occurs during: Create Replica; Move Replica
Corrective action to take: Give the person making the request Create Database access to the destination server. Then click “Perform request again” in the response Log document.
Message: Mail file already exists. New mail file not created.
Occurs during: Create Mail File
Corrective action to take: None

Message: The person requesting this move action needs at least Manager access to the database.
Occurs during: Move Replica; Non-cluster move replica
Corrective action to take: Give the person making the request Manager with Delete documents access. Then select “Perform request again” in the response Log document.

Message: Server name not found in Public Address book.
Occurs during: Rename in Access Control List
Corrective action to take: Wait for the name change to replicate to the Domino Directory on this server. Then select “Perform request again” in the response Log document.
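Several rows above depend on Domino's hierarchical naming: a rename or recertification request is only honoured when the certifier ID is an ancestor of the user ID. The following is an added example, not Domino's own check, showing how that ancestry test works on abbreviated and canonical Notes names; all names are constructed.

```python
# Added illustration (not Domino's own code) of the ancestry rule quoted in the
# message table above: a rename or recertification request must be issued with a
# certifier ID that is an ancestor of the user ID. Sample names are constructed.


def name_components(name):
    """Split a hierarchical Notes name into its components, least significant first.

    Accepts both the abbreviated form ("Jane Doe/East/Acme") and the canonical
    form ("CN=Jane Doe/OU=East/O=Acme"); certifier names start with "/".
    Components are lower-cased because Notes name matching is case-insensitive.
    """
    parts = []
    for part in name.strip().split("/"):
        if not part:
            continue                       # leading "/" of a certifier name
        if "=" in part:
            part = part.split("=", 1)[1]   # drop the CN=/OU=/O=/C= label
        parts.append(part.strip().lower())
    return parts


def is_ancestor_certifier(certifier, user):
    """True if the certifier's components form the tail of the user's components
    and the certifier is strictly shorter (a name is not its own ancestor)."""
    cert = name_components(certifier)
    usr = name_components(user)
    if not cert or len(cert) >= len(usr):
        return False
    return usr[-len(cert):] == cert


def check_request_issuer(certifier, user):
    """Return "ok" when the certifier may act on the user, otherwise the kind of
    message an administrator would see in the response Log document."""
    if is_ancestor_certifier(certifier, user):
        return "ok"
    return ("The issuer of this request does not have the proper authority: "
            f"{certifier} is not an ancestor of {user}")


if __name__ == "__main__":
    print(check_request_issuer("/East/Acme", "CN=Jane Doe/OU=East/O=Acme"))
    print(check_request_issuer("/West/Acme", "Jane Doe/East/Acme"))
```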
Chapter 16
Setting Up and Using Domino Administration Tools
This chapter explains how to install and navigate the Domino
Administrator. It also includes information on setting up and using the
Web Administrator, which allows you to administer a Domino server
using a browser.
The Domino Administrator
The Domino Administrator is the administration client for Notes and
Domino. You can use the Domino Administrator to perform most
administration tasks. You can administer the Domino system using the
local Domino Administrator or using the Web Administrator.
Information about the Domino Administrator in this section includes:
• Domino Administrator installation
• Setting up and starting the Domino Administrator
• Selecting a server to administer in the Domino Administrator
• Setting Domino Administrator preferences
• Navigating Domino Administrator
• How administrative tasks are organized on the Domino Administrator tabs
Installing the Domino Administrator
When you install and set up a Domino server, the Server Setup program
does not install the Domino Administrator, which is the administration
client. You must run the Domino Administrator client setup to install the
Domino Administrator client. There are many ways to set up your
Administrator client installation.
Do not install the Domino Administrator on the same system on which
you installed the Domino server. Doing so compromises Domino’s
security and impairs server performance.
For more information on installing the Domino clients, including the
Domino Administrator, see the chapter, “Setting Up and Managing
Notes Users.”
Setting up the Domino Administrator
1. Make sure the Domino server is running.
2. Start the Domino Administrator.
3. The first time you start the Domino Administrator, a setup wizard
starts. After you answer the questions displayed by the setup wizard,
the Domino Administrator client opens automatically.
Starting the Domino Administrator
There are several ways to start Domino Administrator.
1. Make sure the Domino server is running.
2. Do one:
• From the Windows® control panel, click Start - Programs - Lotus Applications - Lotus Domino Administrator.
• Click the Domino Administrator icon on the desktop.
• From the Notes client, click the Domino Administrator bookmark button or choose File - Tools - Server Administration.
Navigating Domino Administrator
The user interface for the Domino Administrator is divided into four
panes. Clicking in one pane dynamically updates information in other
panes. The following figure shows the user interface for the Domino
Administrator.
Server pane
The server pane displays the servers in the domain, grouped in different
views. For example, you can view all servers in the domain or view them
by clusters or networks. To “pin” the server pane open, click the pin icon
at the top of the server pane.
Task pane
The tasks pane provides a logical grouping of administration tasks
organized by tabs. Each tab includes all the tasks associated with a
specific area of administration. For example, to manage the files located
on a particular server, select a server and click the Files tab.
Results pane
The appearance of the results pane changes, based on the task you are
performing. For example, the results pane may display a list of files, as
on the Files tab, or an active display of real-time processes and statistics,
as on the Server - Monitoring tab.
Tools pane
The tools pane provides additional functions associated with a selected
tab. For example, from the Files tab you can check disk space and
perform tasks associated with files.
Window tabs
Use window tabs to switch from one open window to another in the
Domino Administrator. Every time you open a database or a document,
a new window tab appears beneath the main menu bar.
Domains
You can access the servers in each domain that you administer. Click a
domain to open the server pane.
Bookmark bar
The Bookmark bar organizes bookmarks. Each icon on the Bookmark bar
(running down the left edge of the Domino Administrator window)
opens a bookmark or a list of bookmarks, which can include Web
browser bookmarks.
Selecting a server to administer in the Domino Administrator
To administer a server, you select the server from a server list. You can
have multiple server lists, each of which is represented by a button. After
you select a server, information about that server appears in all the tabs.
Button / Description

Favorites: Lists your “favorite” servers — that is, those you administer most frequently. To add a server to Favorites, choose Administration - Add Server to Favorites, and then specify the name of the server to add.

Domain: Lists all servers in a domain. You can also view servers by hierarchy or by network.
For more information on adding domains, see the topic “Setting Basics
Preferences,” later in this chapter.
To update a server list
The first time you start the Domino Administrator, the system
automatically creates a server list, based on the domains listed in
Administration Preferences. If you add new servers to the list, choose
Administration - Refresh Server List.
Setting Domino Administration preferences
To customize the Domino Administrator work environment, set any of
these administration preferences:

Preference / Description

Basics:
• Select domains to administer
• Add, edit, or delete domains
• Set domain location setting
• Select domain directory server
• Specify Domino Administrator startup settings
Domain name: Enter the name of the domain to add, or edit an existing name.

Domino directory servers for this domain: Enter one or more directory servers, separated by commas, or edit the list. For example: Mail-E/East/Acme, Mail-W/West/Acme

What location settings do you want to use for this domain?: Choose one:
• Do not change location
• Change to this location. Specify the location from which you want to manage this domain.
On startup: Do one:
• Choose “Don’t connect to any server”
• Choose “Connect to last used server”
• Choose “Connect to specific server” and then specify the startup domain and startup server.

Show Administrator Welcome Page: Do one:
• Check this box to see the Welcome page each time you start the Domino Administrator.
• Uncheck this box if you do not want to see the Welcome page.
Do not keep more than <n> MB of monitoring data in memory (4 - 99MB): Enter the maximum amount of virtual memory, in MB, used to store monitoring data. Default is 4.

Not responding status displayed after <n> minutes of inactivity: Enter the amount of time after which the “not responding” status displays. The default is 10 minutes.

Generate server health statistics and reporting: Select this option to include health statistics in charts and reports. Note: You must enable this option to use the Server Health Monitor, which is part of the IBM Tivoli Analyzer for Lotus Domino.
In the Location section, complete these fields:
When using this location: Choose the Location document.

Monitor servers: Do one:
• Choose “From this computer” to monitor servers from the local Domino administration client.
• Choose “From server” and then click Collection Server. Select the Domino server running the Collector task for the servers being monitored by the location you selected.

Poll server every <n> minutes (1-60 minutes): Enter the server’s polling interval, in minutes.
• If “From this computer” is selected, the default is 1 minute.
Registration Domain: Select a domain from the list. The registration domain is the domain into which users and servers are registered.

Create Notes IDs for new users: Click to create a Notes ID for each new user during the registration process.

Certifier name list: Choose a certifier ID to use when creating the user name during user registration when a Notes user ID is not being created for the user. This field appears if the check box “Create a Notes ID for this person” is not selected. If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization.

Certifier ID: Do one:
• Choose “Certifier ID” to use the certifier ID and password. Then click Certifier ID, select the certifier ID file, and click OK to select the certifier ID used to register new certifiers, servers, and users.
• Choose “Use CA Process” to use the Domino server-based certification authority.

Registration Server: Click Registration Server to change the registration server, which is the server that initially stores the Person document until the Domino Directory replicates. Select the server that registers all new users, and then click OK. If you do not explicitly define a registration server, it is, by default:
• The local server if it contains a Domino Directory
• The server specified in the NewUserServer setting in the NOTES.INI file
• The administration server

Explicit policy: If you already created explicit policies, select the policy from the list. If you have not created explicit policies, this field displays “None Available.”

User Setup Profile: Select a profile. The default is none. You can assign either a policy or a user setup profile, but you cannot assign both to the same users.

Mail Options: Click Mail Options to display the Mail Registration Options dialog box. Choose one of the following and complete any required associated fields:
• Lotus Notes (default) — The Internet address is automatically generated.
• Other Internet — The Internet password is set by default during registration. Enter a forwarding e-mail address.

Advanced Person Options: Click Advanced Options to open the Advanced Person Registration Options dialog box on which you can specify the following:
• Whether to keep registered users in the registration queue
• Whether to attempt to register users with an error status from a previous registration attempt
• Whether to prompt for duplicate files
• Whether to search all directories for duplicate names
• Other registration settings

Server/Certifier Registration: Click to open the Server Certifier ID File Settings dialog box on which you can define the directories in which to store certifier IDs and server IDs and specify the default password quality setting for each.
4. Click OK.
For more information on explicit policies, see the chapter “Using
Policies.” For more information on Advanced Options, see Domino
Administrator 6 Help.
Setting Statistics preferences
You set statistics preferences to enable statistics reporting and statistics
charting. The Statistics section in Administration preferences is also
where you specify the polling and reporting time interval used for
gathering and reporting statistics.
You also enable statistic alarms for use with statistic event generators. If
you create statistics event generators to report alarms, you must enable
statistics alarms.
To set statistics preferences
1. From the Domino Administrator, choose File - Preferences -
Administration Preferences.
2. Click Statistics.
3. Complete these fields:

Generate statistic reports while monitoring or charting statistics: Do one:
• Enable the field and then specify, in minutes, how often to create statistics reports in the Monitoring Results database (STATREP.NSF). Default is 45 minutes. The value must be greater than the monitoring poll interval specified in the Monitoring preferences.
• Disable the field if you do not want to create statistics reports or charts.

Check statistic alarms while monitoring or charting statistics: Do one:
• Enable the field to report an alarm when a statistic exceeds a threshold. You must enable this field to generate statistic events. Alarms are reported to the Monitoring Results database (STATREP.NSF).
• Disable the field if you do not want to generate alarms.

Chart statistic using same poll interval as monitoring: Do one:
• Enable the field to use the poll interval specified in the Monitoring preferences.
• Disable the field to set a charting interval that is different from the poll interval. Then specify a time interval in which to chart statistics. The default is 20 seconds.
Tab / Tools

People & Groups: • People • Groups
Files: • Disk Space • Folder • Database
Server - Status: • Task • User • Ports • Server
Server - Analysis: • Analyze
Messaging: • Messaging
Configuration: • Certification • Registration • Policies • Hosted Org • Server • Miscellaneous
Web Administrator
If you have a browser and want to manage and view settings for a
Domino server, you can use the Web Administrator to perform most of
the tasks that are available through the Domino Administrator. This
section includes the following information about the Domino Web
Administrator:
• Setting up the Web Administrator
• Setting up access to the Web Administrator database (WEBADMIN.NSF)
• Giving additional administrators access to the Web Administrator and assigning roles
• Starting the Web Administrator
• Using the Web Administrator
Setting up the Web Administrator
The Web Administrator uses the Web Administrator database
(WEBADMIN.NSF). The first time the HTTP task starts on a Web server,
Domino automatically creates this database in the Domino data
directory. However, you need to make sure that the Web browser and
server meet these requirements for the Web Administrator to run.
Web browser requirement
You must use one of these browsers with the Web Administrator:
• Microsoft Explorer 5.5 on Windows 98, Windows NT® 4, Windows 2000 or Windows XP
• Netscape 4.7x on Windows 98, Windows NT 4, Windows 2000, Windows XP or on Linux 7.x
For the most current information about supported browsers, see the
Release Notes.
Domino server tasks required
You must have the following Domino server tasks running:
• The Administration Process (AdminP) server task must be running on the Web Administrator server.
• The Certificate Authority (CA) process must be running on the Domino 6 server that has the Issued Certificate List database on it to register users or servers.
• The HTTP task must be running on the Web server so that you can use a browser to access it.
To set up the Web Administrator
1. Make sure that the server you want to administer is set up as a
Domino Web server and that it is running the HTTP task. The
Domino Web server does not have to be a dedicated server; you can
use it for other server tasks, such as mail routing and directory
services. You can administer only the servers you set up as Domino
Web servers.
2. Set up administrator access to the Web Administrator database
(WEBADMIN.NSF).
For more information on setting up the Domino Web server, see the
chapter “Setting Up the Domino Web Server.”
Windows integration
To take advantage of certain Windows OS integration features, you must
install the Microsoft Windows Management Instrumentation Software
Development Kit (WMI SDK) if you are running NT 4. Windows 2000
automatically includes WMI.
Setting up access to the Web Administrator database
Domino automatically sets up default database security when the Web
Administrator database (WEBADMIN.NSF) is created for the first time.
At that time, all names listed in either the Full Access Administrators or
Administrators fields of the Server document are given Manager access
with all roles to the Web Administrator database. In addition, the HTTP
server task periodically (about every 20 minutes) updates the Web
Administrator database ACL with names that have been added to the
Server document in either the Full Access Administrators or
Administrators fields, but only if the names are not already on the ACL
list.
For more information on how the HTTP server task synchronizes names
in the Server document with those on the Web Administrator database
ACL, see “Giving additional administrators access to the Web
Administrator,” later in this chapter.
Default database security
The default ACL settings for the Web Administrator database are listed
below. You do not need to change these settings if the administrator’s
name appears in the Administrators field of the Server document.
Authenticating administrators
You can use either an Internet password or an SSL client certificate to
access the Web Administrator. The Web Administrator uses either
name-and-password or SSL authentication to verify your identity. The
method the Web Administrator uses depends on whether you set up the
server or the Domino Web Administrator database (WEBADMIN.NSF),
or both to require name-and-password or SSL authentication.
To access the Web Administrator database, you must have
name-and-password authentication or SSL client authentication set up on
the server. Name-and-password authentication is enabled for the HTTP
protocol by default.
To use name-and-password authentication, you must have an Internet
password in your Person document. To use SSL client authentication,
you must have a client certificate, and SSL must be set up on the server.
For more information, see the chapters “Setting up Name-and-Password
and Anonymous Access to Domino Servers,” “Setting up Clients for
S/MIME and SSL,” and “Setting up SSL on a Domino Server.”
Giving additional administrators access to the Web Administrator
You can use the Server document as a convenient way to give additional
administrators access to the Web Administrator. To add an administrator
to the Web Administrator database (WEBADMIN.NSF) ACL, simply add
the name to either the “Full Access Administrators” or “Administrators”
field of the Server document. The HTTP server task routinely
synchronizes the names listed in those fields of the Web Server document
with those listed on the Web Administrator database ACL. Names that
are not already listed in the ACL are added with Manager access and all
roles. Names that are already listed in the ACL keep the access granted
to them in the ACL. This preserves custom ACL settings, such as limiting
the ACL roles of a particular administrator, from being overwritten. It
also allows you to prevent administrators from using the Web
Administrator, even though they are listed as administrators in the Server
document. If you delete an administrator’s name from the Server
document, the name is also deleted from the Web Administrator
database ACL automatically at the next synchronization.
You can also give administrators access to the Web Administrator
manually by adding them directly to the Domino Web Administrator
database ACL. You can give an administrator full or partial access by
restricting the roles assigned. The role assigned to an administrator
determines which commands are available to the administrator, and
which tabs appear in the Web Administrator client. You cannot restrict
roles when you add administrator access to the Web Administrator using
the Server document. If you add a name using the Server document, you
must manually restrict access to the Web Administrator through the
Domino Web Administrator database ACL. To deny an administrator
access entirely, assign No access in the ACL.
For more information on Web Administrator roles, see the topic
“Administrator Roles in the Web Administrator” later in this chapter.
To update access to the Web Administrator database automatically
1. From the Domino Administrator, click the Configuration tab.
2. Select the Server view, and open the Current Server Document for
the Web Administration server.
3. Select the Security tab.
4. In one of these fields, enter the name of the administrator to whom
you want to give access to the Web Administrator:
• Full Access Administrators
• Administrators
5. Click Save & Close.
To update the Web Administrator database ACL list manually
You can manually add an administrator to the Web Administrator
database ACL list.
1. From the browser using the Web Administrator, click the Files tab.
2. Select the Web Administrator database (WEBADMIN.NSF).
3. From the Tools menu, select Database - Manage ACL.
4. Click Add and add the administrator or group name to the ACL of
the Web Administrator database.
5. In the Access field, select Manager.
6. Assign the roles. Assigned roles determine which commands and
tabs appear in the Web Administrator.
Tip To select more than one role, hold down the Shift or Control
key while selecting roles. Selected roles appear highlighted.
7. Do one of the following:
If the server requires name-and-password authentication, edit
each administrator’s Person document and enter an Internet
password.
If the server requires SSL client authentication, set up the browser
for SSL.
For more information on Managing ACL roles, see the chapter
“Controlling User Access to Domino Databases.” For more information
on SSL authentication, see the chapter “Setting Up Clients for S/MIME
and SSL.”
Administrator roles in the Web Administrator
By default, the ACL gives Manager access and all roles to users named in
the Administrators and Full Access Administrators fields on the Server
document. However, you can restrict a Web administrator’s access to
parts of the Web Administrator by limiting the assigned roles. Each
role has a corresponding tab and associated commands. When you
restrict access, you also restrict which tabs appear in the Web
Administrator.
For example, if you assign only the People&Groups role to a Web
Administrator, the People & Groups tab is the only tab that appears when
that administrator uses the Web Administrator. The following table shows
the roles that have been predefined for the Domino Web Administrator.
Role Tab
Files Files
People&Groups People & Groups
Replication Replication
Configuration Configuration
Mail Messaging - Mail
MsgTracking Messaging - Tracking Center
ServerStatus Server - Status
ServerAnalysis Server - Analysis
ServerStatistic Server - Statistic
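The following is an added example (not IBM's code) that models the two rules this chapter describes for WEBADMIN.NSF: the HTTP task's synchronization of the database ACL with the Server document's administrator fields, and the role-to-tab mapping in the table above. The administrator names and the bookkeeping of which names were synchronized on the previous pass are assumptions of the model.

```python
# Added illustration (not IBM's code) of how the HTTP task reconciles the
# WEBADMIN.NSF ACL with the Server document's administrator fields, and of how
# an ACL entry's roles decide which Web Administrator tabs appear.
# Names, ACL contents and sync history below are constructed sample data.
from dataclasses import dataclass

# Predefined Web Administrator roles and the tab each one unlocks (from the table above).
ROLE_TO_TAB = {
    "Files": "Files",
    "People&Groups": "People & Groups",
    "Replication": "Replication",
    "Configuration": "Configuration",
    "Mail": "Messaging - Mail",
    "MsgTracking": "Messaging - Tracking Center",
    "ServerStatus": "Server - Status",
    "ServerAnalysis": "Server - Analysis",
    "ServerStatistic": "Server - Statistic",
}
ALL_ROLES = frozenset(ROLE_TO_TAB)


@dataclass(frozen=True)
class AclEntry:
    access: str                  # Domino access level, e.g. "Manager" or "No access"
    roles: frozenset = frozenset()


def sync_webadmin_acl(acl, server_doc_admins, synced_before):
    """Apply one synchronization pass and return (new_acl, synced_now, log).

    acl:               current ACL, name -> AclEntry
    server_doc_admins: names in the Server document's "Full Access Administrators"
                       and "Administrators" fields (both fields are treated alike)
    synced_before:     names that were in those fields at the previous pass. This
                       bookkeeping is an assumption of the model: it lets a name
                       deleted from the Server document be removed from the ACL
                       while an entry added by hand in the ACL is left alone.
    """
    new_acl = dict(acl)
    log = []
    current = frozenset(server_doc_admins)

    for name in sorted(current):
        if name in new_acl:
            # Already listed: keep whatever the ACL grants, so a deliberately
            # restricted (or "No access") administrator stays restricted.
            log.append(f"kept {name}: {new_acl[name].access}")
        else:
            new_acl[name] = AclEntry("Manager", ALL_ROLES)
            log.append(f"added {name}: Manager, all roles")

    for name in sorted(synced_before - current):
        if name in new_acl:
            del new_acl[name]
            log.append(f"removed {name}: no longer in Server document")

    return new_acl, current, log


def web_admin_tabs(acl, name):
    """Tabs the named administrator sees: none without an entry or with
    "No access", otherwise the tab of every role the entry carries."""
    entry = acl.get(name)
    if entry is None or entry.access == "No access":
        return []
    return [ROLE_TO_TAB[r] for r in ROLE_TO_TAB if r in entry.roles]


def demo():
    # Constructed starting state: Alice was synced earlier with full rights, Bob was
    # hand-restricted to the People & Groups tab, Carol was manually denied access.
    acl = {
        "Alice/Acme": AclEntry("Manager", ALL_ROLES),
        "Bob/Acme": AclEntry("Manager", frozenset({"People&Groups"})),
        "Carol/Acme": AclEntry("No access"),
    }
    synced_before = frozenset({"Alice/Acme", "Bob/Acme"})
    # The Server document now lists Bob, Carol and newcomer Dave; Alice was removed.
    server_doc_admins = {"Bob/Acme", "Carol/Acme", "Dave/Acme"}
    return sync_webadmin_acl(acl, server_doc_admins, synced_before)


if __name__ == "__main__":
    new_acl, _, log = demo()
    for line in log:
        print(line)
    for who in ("Bob/Acme", "Carol/Acme", "Dave/Acme"):
        print(who, "->", web_admin_tabs(new_acl, who))
```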
Allowed to track messages: Select both of these: • Your name • LocalDomainServers
Example (Windows NT) / Result

nserver -jc: Runs the Server Controller, the server, and the Domino Console
nserver -jc -c: Runs the Server Controller and the server
nserver -jc -s: Runs the Server Controller and the Domino Console
nserver -jc -c -s: Runs only the Server Controller
Field: Enable all synchronization operations
Enter: To enable all listed Notes synchronization operations under the
“Select synchronization operations to enable” field. Whenever you
perform one of the synchronization operations in User Manager for
Domains, you are prompted to decide whether or not to perform the same
operation in Notes.

Field: Select synchronization operations to enable
Enter: Choose one of these to enable and disable selected Notes
synchronization operations:
• “User / Group registration” to register new or existing Windows NT
users and groups in Notes. This option enables the Add Selected NT
User / Group to Notes, Registration Setup, and Mail / ID Registration
Options on the Notes menu.
• “User / Group deletion” to delete a user or group from Windows NT and
have that user or group deleted from the Domino Directory. Enables the
“Delete / User Synch Options” command on the Notes menu.
• “User synching” to change a user account name in User Manager and
duplicate that name change in the Network account name field of the
Person document in the Domino Directory, allow changes to the user’s
full name and copy the new name to the “User name” field in the Person
document, enable the Notes menu command “Synch Selected NT Users with
Notes,” and activate the “Set common password on user synching” field.

Field: Set common password on user synching
Enter: To synchronize the Windows NT password and the Notes Internet
password when you synchronize users. (Available only if you selected
“User synching.”)

Field: Prompt to confirm/cancel synchronization operations
Enter: Choose one:
• Prompt for all operations (default)
• Prompt only for user / group deletions
• Do NOT prompt for any operations
3. To save and re-apply the settings in the next User Manager session,
choose Options - Save Settings on Exit.
4. Complete the procedure “Synchronizing Windows NT and Notes
users.”
Synchronizing Windows NT and Notes users
If your system includes Windows NT user accounts that correspond to
Person documents in the Domino Directory, you can keep the
information synchronized between the products. When you synchronize
Windows NT and Person documents, these changes occur:
• The “Network account name” field on the user’s Person document is
updated with the account name of the Windows NT user.
• The full name of the Windows NT user is added to the “User name”
field on the Person document if that name does not already exist in
the names list. Existing full names in the Person document are not
modified.
• (Optional) The Windows NT password and the Internet password on
the Person document are replaced with a common password that
works for both Windows NT and Domino Web server access. The
Internet password is encrypted when entered in the Person
document.
User synching also takes place when a Windows NT user is renamed in
User Manager and Notes user synching is enabled. In this case, the
“Network account name” field and the “User name” field in the Person
document are updated, but passwords are not synchronized.
User synching does not register a Notes user — that is, a Person
document, Notes ID, and mail file are not created. User synching can
only modify information in an existing Person document.
Note If an error occurs during user synchronization — for example, a
Person document cannot be found for the NT server — an error message
appears. Details on errors/status are also entered in the NT Event
Viewer application log.
If you change the Windows NT user account name or the full name, run
synchronization again. You should also run synchronization if you want
to synchronize the Windows NT password with the Notes password.
User synching is successful if these conditions exist:
• The NT user account name matches the name in the “Short name”
field in the Person document.
• The Windows NT full name matches an entry in the “User name”
field in the Person document.
Using Domino with Windows Synchronization Tools 17-5
Administration
• The Windows NT last name matches the name in the “Last name”
field in the Person document.
• The name in the “Network account name” field, if there is one in
the Person document, matches the Windows NT user account
name.
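The four matching conditions above are what decides whether a User synching run touches a Person document at all, so an administrator checking a batch of accounts before synching wants them as one testable rule. The following is an added example, not code from the Domino documentation or from IBM: it models an NT account and a Person document as small records, reports which of the four conditions fail, and applies the two field updates the text describes (Network account name and the names list). The record layouts and the case-insensitive comparison of account names are assumptions made for this illustration; password synching is not modelled.

```python
# Added example, not from the Domino documentation. Checks the four
# documented User synching conditions between a Windows NT account and a
# Domino Person document, then applies the documented field updates.
# Record layouts and case-insensitive account-name matching are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NTUser:
    account_name: str   # Windows NT user account (logon) name
    full_name: str      # Windows NT full name
    last_name: str      # last name as held in Windows NT


@dataclass
class PersonDocument:
    short_name: str                                       # "Short name" field
    user_names: List[str] = field(default_factory=list)   # "User name" field (names list)
    last_name: str = ""                                   # "Last name" field
    network_account_name: Optional[str] = None            # "Network account name", may be absent


def sync_problems(nt: NTUser, person: PersonDocument) -> List[str]:
    """Return the conditions that fail; an empty list means synching can succeed.

    Account names are compared case-insensitively because Windows NT logon
    names are not case-sensitive (assumed to hold for the Notes side too);
    full names and last names are compared exactly.
    """
    problems: List[str] = []
    if nt.account_name.lower() != person.short_name.lower():
        problems.append("NT account name does not match the Short name field")
    if nt.full_name not in person.user_names:
        problems.append("NT full name is not in the User name field")
    if nt.last_name != person.last_name:
        problems.append("NT last name does not match the Last name field")
    # The fourth condition applies only when the Person document already
    # carries a Network account name.
    if person.network_account_name and \
            person.network_account_name.lower() != nt.account_name.lower():
        problems.append("Network account name field does not match the NT account name")
    return problems


def apply_user_synch(nt: NTUser, person: PersonDocument) -> PersonDocument:
    """Apply the documented changes: fill the Network account name and add
    the NT full name to the names list without modifying existing names."""
    problems = sync_problems(nt, person)
    if problems:
        # Mirrors the documented behaviour: an error is reported and the
        # Person document is left unchanged.
        raise ValueError("; ".join(problems))
    person.network_account_name = nt.account_name
    if nt.full_name not in person.user_names:
        person.user_names.append(nt.full_name)
    return person


if __name__ == "__main__":
    # Constructed sample records, not real directory data.
    doc = PersonDocument("kcarter", ["Kim Carter/Acme", "Kim Carter"], "Carter")
    print(sync_problems(NTUser("KCarter", "Kim Carter", "Carter"), doc))
    print(sync_problems(NTUser("kim.carter", "Kim Carter", "Carter"), doc))
```

Running the check over a whole batch before choosing Synch Selected NT Users with Notes shows which accounts will produce the error described in the Note above, so they can be corrected in User Manager or in the Person document first.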
To synchronize Windows NT and Notes users
Synchronizing Windows NT users and Notes users may result in changes
to Person documents and to the Domino Directory.
1. Make sure that you already enabled user synching in Windows NT
User Manager.
2. In the User Manager Username window, select the users you want to
synchronize.
3. Choose Notes - Synch Selected NT Users with Notes.
4. When prompted to continue, click Yes.
5. If you enabled password synching, enter and confirm the password
for the first user you are synchronizing, and then click OK.
6. Enter and confirm passwords for additional users you are
synchronizing, and then click OK.
Setting policy-based registration options for use with Notes
synchronization
Use policy-based registration options to apply registration settings to
multiple users, instead of specifying individual settings for each user,
and use the new registration options available with Lotus Domino 6. The
registration settings are applied to all users registered during the
registration session, thereby making the registration process fast and
simple. Prior to completing this procedure, do one of the following:
• Create an explicit policy with an associated Registration settings
document
• Create an organizational policy with an associated Registration
settings document
Note If you have not created the appropriate policy documents prior to
setting the policy-based registration options, you are prompted to do so
during this procedure.
For more information on using policies, see the chapter “Using Policies.”
17-6 Administering the Domino System, Volume 1
For more information on the Notes Synchronization Options, see the
topic “Enabling Notes synchronization operations in Windows NT User
Manager” earlier in this chapter.
To enable this option, select the “Use Policy-based registration” option
on the Notes Synchronization Options dialog box.
1. From the User Manager, choose Notes - Policy-based Registration
Options.
Note If there are no registration policies, you are prompted to create
one now. Choose Yes and create the policy, or choose No.
2. Complete these fields:
Field: Registration server
Action: A registration server for this session, that is, the Domino
server on which to create Person documents in the Domino Directory.
Users are automatically assigned the same Domino domain as that of the
selected server. You must have a properly certified Notes ID and
sufficient access to the specified server to register Notes users.
Default - Local

Field: Certifier name
Action: Choose the certifier name to use to certify users with a Notes
certifier ID. Default - No certifier chosen.

Field: Internet registration only (No Notes ID or mail file created)
Enter: Creates Person documents in the Domino Directory with an
Internet password, but user IDs and mail files are not created. Allows
Web or LDAP users to gain authenticated access to the Domino Web server
without running Notes workstation software. Hides dialog controls
related to the Notes ID (Certified ID, Security Type, Certificate
expiration date) and mail-related dialog controls, such as the Internet
address fields. Default - Not selected

Field: Use common password
Enter: Supplies a single password for both Windows NT and Notes (and
the Notes Internet password, if applicable). You can override this
option for individual users at registration time. Causes the existing
NT password for an NT user to be replaced with the common NT/Notes
password when users are registered. This field is not visible when the
existing users are registered with randomly generated passwords.
Default - Selected

Field: Assign new users to Notes group
Enter: The Notes group to which new Notes users will be added from User
Manager. Enabled only if Notes groups exist. Default - Not assigned

Field: Internet domain
Enter: The last part of the Internet address for each user registered.
This field displays if the Mail Type selected on the Notes Mail / ID
Registration Options dialog box is Notes, POP, or IMAP. Default -
Current host domain (example: @acme.com)

Field: Address name format
Enter: Choose the address name format that you want to use for Internet
mail. This field displays if the mail type is Notes, POP, or IMAP.
For more information on the User Setup Profile and the alternate name
language, see the chapter “Setting Up and Managing Notes Users.”
To change default Mail / ID Registration options
Mail / ID Registration options are not available if you selected
Internet-only registration in the Registration Setup dialog box.
1. Before changing the default Mail/ID Registration options, enable
user and group registration.
For more information on synchronizing user and group registration,
see the topic “Enabling Notes synchronization operations in
Windows NT User Manager” earlier in this chapter.
2. From the User Manager, choose Notes - Mail/ID Registration
Options.
3. (Optional) To create user mail files on a server other than the local
server, click Mail Server, select another server, and then click OK.
4. Change these settings, and then click OK:
Field: Mail Server
Enter: Click to select a mail server to be used as the default mail
server, and then click OK.

Field: Mail Type
Enter: Choose one:
• Notes to use Notes mail.
• Other Internet Mail to use Internet mail on a server that is not part
of your organization. If you choose this option, Domino does not create
a mail file for the user.
• POP to use POP3 mail to access the mail file on a Domino server.
• IMAP to use IMAP mail to access the mail file on a Domino server.
• Other to have mail forwarded to a non-Notes mail address. No mail
file is created.
• None for no mail.
Default - Notes

Field: Mail file directory
Enter: Create a mail file in a directory other than the default Mail
directory by entering the full path name for a mail file. This file
name applies to the next user you register. For subsequent users, only
the directory portion of the path is used. You can specify a directory
other than the default. Default - Mail file in the Notes/data directory

Field: Create mail files now
Enter: Create a mail file during Notes user registration. Default -
Selected

Field: Create mail files in background
Enter: Use the Administration Process to create a mail file after Notes
user registration. An administration request is generated and stored in
the Administration Requests database, then processed as usual.

Field: Set mail database quota
Enter: To limit the size of the mail database. Enter the database size,
up to 9999MB, in the field that becomes activated when you select this
option.

Field: Set warning threshold
Enter: To notify the administrator when a user’s mailbox is almost at
its maximum size. Enter the threshold size, up to 9999MB, in the field
that becomes active when you select this option.

Field: Create full text index
Enter: Select to create a full-text index of the entire mail database.

Field: Store User IDs
Enter: Choose one, both, or neither:
• In Address Book to store the mail user’s ID in the Domino Directory
• In file to store the mail user’s ID in a file
Choosing neither option results in no ID file being created.

Field: Set ID path
Enter: The path and file name in which to store user IDs. If you chose
Store User IDs in file, you can select a file other than the one that
is displayed. This button is activated only if you chose In file in the
Store User IDs field. The default is <Data directory>\ids\people
Field: First name, middle name and last name
Enter: Accept the default names derived from the user’s full name in
Windows NT.

Field: Org unit
Enter: The name of the organizational unit the user is included in. For
example, if user John Smith is part of engineering, the organizational
unit could be Eng. The user name would be John Smith/Eng.
Organizational units are useful for differentiating between users of
the same name. For example, John Smith/Eng/Acme and John
Smith/Doc/Acme, where one employee is a member of Engineering and the
other is a member of Documentation. Each is assigned a different
organizational unit name.

Field: Use common password
Enter: Assigns to the user the same password for Notes, Windows NT, and
Notes Internet. Activates the Notes password for user name and the
Confirm password fields. To preserve the existing Windows NT password,
enter that password as the common password. If Use common password is
not selected, activates the Notes password for user name and the
Confirm password fields.

Field: Notes/Common password for user name
Enter: The password you are assigning to this user when using Notes.

Field: Confirm password
Enter: Enter the new Notes password for this user again.

Field: Set Internet password in Notes
Enter: Enters the Internet address in the user’s Person document in the
Domino Directory. This field applies only if the user is registered for
Notes mail. Activates the following fields:
• Internet address
• Internet password for user name
• Confirm Internet password

Field: Internet address
Enter: Accept the default Internet address as derived from the Windows
NT user name and the current host domain, for example,
KCarter@domain.com. This field displays if POP, IMAP, or Notes mail
type is selected.

Field: Internet password
Enter: Enter an Internet password for this user.

Field: Confirm Internet password
Enter: Enter the Internet password for this user again.
Field: First Name, Middle Name, Last Name
Enter: The default name as derived from the Windows NT full name. You
can accept this name or change it.

Field: Use common password
Enter: Assigns to the user the same password for Notes, Windows NT, and
Notes Internet. If you are registering this user as an Internet Only
user, this password field supplies the Internet or common NT/Internet
password. To preserve the existing Windows NT password, enter that
password as the common password.

Field: Notes/Common Password for user name
Enter: The password you want to use, or leave blank to use a blank
password. This field displays if you selected “Use common password.”

Field: Confirm password
Enter: Enter the Notes password for this user again.

Field: Set Internet password in Notes
Enter: Enters the Internet address in the user’s Person document in the
Domino Directory. This field applies only if the user is registered for
Notes mail. Activates the following fields:
• Internet address
• Internet password for user name
• Confirm Internet password

Field: Internet address
Enter: Accept the default Internet address as derived from the Windows
NT user name and the current host domain, for example,
KCarter@domain.com. This field displays if POP, IMAP, or Notes mail
type is selected. The Internet address is required for Notes mail
routing in Domino 5.0.

Field: Internet password
Enter: Enter an Internet password for this user.

Field: Confirm Internet password
Enter: Enter the Internet password for this user again.
6. When User Manager asks if you want to register the new Windows
NT users in Notes, do one of the following:
• Click Begin Registration to register new users immediately.
• Click Cancel to register new users later.
7. If you chose “Register users at once without additional prompts” in
Step 4, distribute the passwords to users so they can install their
Notes workstations. After installation, users can create new
passwords.
Note Automatically generated passwords apply only to Notes user IDs
and not to Windows NT or Notes Internet passwords.
To register new users later
If you choose not to register users immediately or if you click Stop
Registration to pause registration, use this method to register the users
later.
1. From User Manager, choose Notes - Register Notes Users Now.
2. Click Begin Registration.
3. Click OK.
Adding Windows NT groups to Notes
When you add an NT group to Notes, you can also create a Group
document in Notes and register individual group members. If the NT
group is a local group and contains global groups as group members,
you can add these global groups to Notes and register individual
members as Notes users. You can modify group membership (based on
the Windows NT group) before adding it to Notes without affecting the
NT group.
To create a new Windows NT group and simultaneously add it to
Notes
1. Before you create a Windows NT group and add it to Notes, you
must:
• Make sure that Notes user registration is enabled in Windows NT
User Manager.
• Customize default Notes registration for Windows NT users.
2. Create a new Windows NT group as instructed in the Windows NT
documentation.
3. If prompted, enter the password for your Notes user ID.
4. Select “Create Notes group with the following settings,” complete
these fields, and then click OK:
Field: Notes Group Name
Enter: Name of the corresponding Windows NT group.

Field: Group Type
Enter: Choose one:
• Multi-purpose (default)
• Mail only
• Access Control List only
• Deny List only

Field: Members
Enter: Remove from this list those users who are no longer members of
the group, or add to this list the names of new users. User names
removed from this list display in the Not members list.

Field: Not members
Enter: Add to this list those users who are not members of the group,
or remove from this list user names that you want to include in the
Members list.
Note If there are global groups in the members list and you want to
add those groups to the Domino Directory, select “Synchronize
groups in Members list with Notes also.”
6. If you are registering group members in Notes, User Manager
prompts you for registration options. Choose one of the following:
• “Prompt for the name and password for each user” to enter user
information manually for each user.
• “Register users at once without additional prompts” to use
Windows NT full names as Notes user names and to generate
random passwords. If you choose this option, go on to Step 7.
7. If you chose to manually enter user information in Step 6, complete
these fields, and then click OK:
Field: First name, middle name and last name
Enter: Accept the default names derived from the user’s full name in
Windows NT.

Field: Org unit
Enter: The name of the organizational unit the user is included in. For
example, if user John Smith is part of engineering, the organizational
unit may be Eng. The user name would be John Smith/Eng. Organizational
units are useful for differentiating between users of the same name.
For example, John Smith/Eng/Acme and John Smith/Doc/Acme, where one
employee is a member of Engineering and the other is a member of
Documentation. Each is assigned a different organizational unit name.

Field: Use common password
Enter: Assigns to the user the same password for Notes, Windows NT, and
Notes Internet. Activates the Notes password for user name and the
Confirm password fields. To preserve the existing Windows NT password,
enter that password as the common password. If Use common password is
not selected, activates the Notes password for user name and the
Confirm password fields.

Field: Notes/Common password for user name
Enter: The password you are assigning to this user.

Field: Confirm password
Enter: Enter the new Notes password for this user again.

Field: Set Internet password in Notes
Enter: Enters the Internet address in the user’s Person document in the
Domino Directory. This field applies only if the user is registered for
Notes mail. Activates the following fields:
• Internet address
• Internet password for user name
• Confirm Internet password

Field: Internet address
Enter: Accept the default Internet address as derived from the Windows
NT user name and the current Notes domain, for example,
KCarter@domain.com. This field displays if POP, IMAP, or Notes mail
type is selected. The Internet address is required for Notes mail
routing.

Field: Internet password
Enter: Enter an Internet password for this user.

Field: Confirm Internet password
Enter: Enter the Internet password for this user again.
Field: Notes Group Name
Enter: Name of the corresponding Windows NT group.

Field: Group Type
Enter: Choose one:
• Multi-purpose (default)
• Mail only
• Access Control List only
• Deny List only
Note If there are global groups in the members list and you want to
add those groups to the Domino Directory, select “Synchronize
groups in Members list with Notes.”
6. If you are registering group members in Notes, User Manager
prompts you for registration options. Select one of the following:
• “Prompt for the name and password for each user” to enter user
information manually for each user.
• “Register users at once without additional prompts” to use
Windows NT full names as Notes user names and to generate
random passwords. If you choose this option, continue with Step 7.
7. If you chose to manually enter user information in Step 6, complete
these fields and then click OK:
Field: First name, middle name and last name
Enter: Accept the default names derived from the user’s full name in
Windows NT.

Field: Org unit
Enter: The name of the organizational unit the user is included in. For
example, if user John Smith is part of engineering, the organizational
unit may be Eng. The user name would be John Smith/Eng. Organizational
units are useful for differentiating between users of the same name.
For example, John Smith/Eng/Acme and John Smith/Doc/Acme, where one
employee is a member of Engineering and the other is a member of
Documentation. Each is assigned a different organizational unit name.

Field: Use common password
Enter: Assigns to the user the same password for Notes, Windows NT, and
Internet. Activates the “Notes password for user name” and “Confirm
password” fields. To preserve the existing Windows NT password, enter
that password as the common password. If “Use common password” is not
selected, activates the “Notes password for user name” and “Confirm
password” fields.

Field: Notes password for user name
Enter: The password you are assigning to this user when using Notes.

Field: Confirm password
Enter: Enter the new Notes password for this user again.

Field: Set Internet password in Notes
Enter: Enters the Internet address in the user’s Person document in the
Domino Directory. This field applies only if the user is registered for
Notes mail. Activates these fields:
• Internet address
• Internet password for user name
• Confirm Internet password

Field: Internet Address
Enter: Accept the default Internet address as derived from the Windows
NT user name and the current host domain, for example,
KCarter@domain.com

Field: Internet password
Enter: Enter an Internet password for this user.

Field: Confirm Internet password
Enter: Enter the Internet password for this user again.
Field: Select a Notes server for deleting users/groups
Enter: The name of the server containing the Domino Directory from
which the user or group is being deleted. If you are deleting a group,
continue with Step 4 without specifying User deletion options.

Field: User deletion options
Enter: Choose one:
• Don’t delete the mail file
• Delete just the mail file specified in the Person record
• Delete mail file specified in Person record and all replicas

Field: Select a Notes server for synching users
Enter: The name of a local or remote Notes server on which
synchronization operations are performed.
Field: Enable all synchronization operations
Action: Click to enable all Notes synchronization operations. All
Windows 2000 and Domino Notes operations will be synchronized.

Field: Select synchronization operations to enable
Action: Click to activate all the fields on this dialog box. When this
check box is not selected, all of the other options on this dialog box
are not enabled.

Field: User/group registration
Action: Click this check box to register new or existing Windows users
and groups in Notes. When you click this check box the “Synchronize if
new user/group already exists in Notes” field becomes active.

Field: Synchronize if new user/group already exists in Notes
Action: Click this check box to prevent the synchronization options
from creating a new Notes user or group when one already exists in
Notes. This field is active only if you select the “User/group
registration” check box.

Field: User/group deletion
Action: Click this check box to synchronize user and group deletions.
Users and groups that are selected for deletion are then deleted from
the Windows 2000 Active Directory as well as from the Domino Directory.

Field: User/group synchronization
Action: Click this check box to copy the values from Active Directory
object fields to Domino Directory fields, according to the field
mapping specified in the Field Mapping tab. Member lists in groups are
synchronized when you enable this option. Synchronization occurs when
you select a Synchronize menu item, or click a toolbar button, or after
an Active Directory object is modified. When you click this check box,
these fields are activated:
• Recertify users on rename
• Set common password on user synchronization

Field: Recertify users on rename
Action: Click to use the Domino Administration Process to rename a
Notes user if the corresponding Windows 2000 user is renamed. This
field is active only if the “User/group synchronization” check box is
selected.

Field: Set common password on user synchronization
Action: Click to set a new password when you synchronize users. The
password will be used as the Windows and Notes Internet password. The
Notes User ID password does not change. This field is active only if
the “User/group synchronization” check box is selected.

Field: Prompt to confirm/cancel synchronization operations
Action: Click to use one of the options for confirming or canceling
synchronization operations. Choose one:
• Prompt for all operations - prompt prior to initiating all
synchronization operations.
• Prompt only for user/group deletions - prompts only when deleting
users or groups.
• Do not prompt for any operations - no prompts are issued prior to
performing any synchronization operations.

Field: Use CA process for user ID certification
Action: Click this check box to use the new Domino 6 server-based
certification authority (CA) when registering new users.
Field: Use Registration server for all operations
Action: Click this check box to use the server that you designated as
the Registration server for all synchronization operations and for
deletions. When you deselect this option, these fields are enabled:

Field: Notes server for deletion
Action: Click this check box to open the Choose Server dialog box from
which you can select a deletion server. All deletions are performed on
this server. This check box is enabled only if the “Use Registration
server for all operations” check box is not selected.

Field: Administration ID
Action: Click this check box to open the Choose Notes Administrator ID
dialog box in which you can specify another Notes User ID as the
administrator ID. The initial user ID file name is taken from current
Notes client settings.

Field: On user deletion
Action: Click this check box to specify options for mail file deletion
when the user is deleted. Choose one:
• Don’t delete mail file: deletes the Person document but leaves the
user’s mail files intact.
• Delete just the mail file specified in the Person record: deletes
only the mail file specified in the Person document. No replicas of
the mail file are deleted.
• Delete mail file specified in the Person document and all replicas:
deletes all mail database replicas on other servers in addition to the
mail file specified in the user’s Person document.
Field: Default certifier name
Action: Click to specify a certifier that will be used during user
registration. ADSync uses this certifier if mapping was not set for a
particular Active Directory container on the Container Mappings tab.

Field: Default explicit policy
Action: Click to specify the explicit policy (and its related settings)
to be applied to users during user registration.

Field: Register security groups in Notes as
Action: Click to assign a group type when registering security groups
in Notes. Choose one:
• Multi-purpose: use for a group that has multiple purposes, for
example, mail and ACLs.
• Mail only: use for mailing list groups.
• Access Control List only: use for server and database access
authentication only.
• Deny List only: use to control access to servers. Deny List only is
typically used to prevent terminated employees from accessing servers,
but this type of group can be used to prevent any user from accessing
particular servers. The Administration Process cannot delete any member
from this group.

Field: Register distribution groups in Notes as
Action: Click to assign a group type when registering distribution
groups in Notes. Choose one of the same four group types listed for
“Register security groups in Notes as”: Multi-purpose, Mail only,
Access Control List only, or Deny List only, with the same meanings.
Field: Register in Domino Directory
Action: Click this check box to register this user in the Windows
Active Directory and in the Domino Directory. Other fields on this
dialog box are enabled when you click this check box.

Field: First name, Middle name, Last name
Action: Enter the user’s first name and last name, and optionally,
enter a middle name. Note The user’s Short name and Internet address
are automatically generated. To change the Short name or Internet
address, click the appropriate space and enter the new text.

Field: Explicit Policy
Action: Choose an explicit policy from the list.

Field: Use common password
Action: Click this check box if you want to use one password for
Windows, Notes, and Notes Internet. The existing Windows password is
then replaced by the password you enter here. To preserve the existing
Windows 2000 password, enter that password as the common password. If
the Use common password check box is selected, the Notes password for
the user name field and the Confirm password field are enabled.

Field: Password
Action: Enter the new password.

Field: Confirm password
Action: Enter the same password again to confirm it.

Field: Internet address
Action: The default Internet address as derived from the Windows 2000
user name and the current Notes domain, for example, KCarter@domain.com

Field: Short name in Notes
Action: The short name by which the user will be known in Notes. By
default, the short name consists of the user’s first initial and last
name.
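The registration dialogs above derive several names automatically: the short name from the first initial and last name, the Internet address from the Windows user name and the current domain, and the hierarchical Notes name with an optional organizational unit (the John Smith/Eng/Acme and John Smith/Doc/Acme example given with the Org unit field earlier in this chapter). The following is an added example, not code from the Domino documentation or from IBM, that carries out those derivations and checks a registration batch for users whose hierarchical names would collide, which is the situation the Org unit text says organizational units exist to avoid. Preserving the case of the input names, rejecting account names that cannot form an address, and comparing hierarchical names case-insensitively are assumptions made for this illustration.

```python
# Added example, not from the Domino documentation. Derives the default
# short name, Internet address and hierarchical Notes name described in the
# registration dialogs, and flags registrants whose hierarchical names would
# be identical. Case handling and the collision rule are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Registrant:
    first: str
    last: str
    org: str                        # certifier organization, e.g. Acme
    org_unit: Optional[str] = None  # organizational unit, e.g. Eng or Doc
    middle: Optional[str] = None


def short_name(first: str, last: str) -> str:
    """Default Short name: the first initial followed by the last name."""
    if not first or not last:
        raise ValueError("first and last name are required")
    return first[0] + last


def hierarchical_name(r: Registrant) -> str:
    """Build First [Middle] Last/OrgUnit/Org, omitting the OU when not set."""
    common = " ".join(p for p in (r.first, r.middle, r.last) if p)
    parts = [common] + ([r.org_unit] if r.org_unit else []) + [r.org]
    return "/".join(parts)


def internet_address(account_name: str, domain: str) -> str:
    """Join the Windows user name and the domain. The dialog shows the
    domain as @acme.com, so a leading '@' is accepted but not required."""
    domain = domain.strip()
    if not domain.startswith("@"):
        domain = "@" + domain
    if "@" in account_name or " " in account_name:
        raise ValueError("account name must not contain '@' or spaces")
    return account_name + domain


def find_collisions(batch: List[Registrant]) -> Dict[str, List[Registrant]]:
    """Group registrants whose hierarchical names are identical.

    Two people with the same common name need different OUs to be told
    apart; names are compared case-insensitively (assumption), so the keys
    of the returned dict are lower-cased hierarchical names.
    """
    seen: Dict[str, List[Registrant]] = defaultdict(list)
    for r in batch:
        seen[hierarchical_name(r).lower()].append(r)
    return {name: regs for name, regs in seen.items() if len(regs) > 1}


if __name__ == "__main__":
    # Constructed sample batch, not real directory data.
    batch = [
        Registrant("John", "Smith", "Acme", org_unit="Eng"),
        Registrant("John", "Smith", "Acme", org_unit="Doc"),
        Registrant("John", "Smith", "Acme", org_unit="Eng"),
    ]
    for r in batch:
        print(hierarchical_name(r), short_name(r.first, r.last),
              internet_address(short_name(r.first, r.last), "@domain.com"))
    print(find_collisions(batch))
```

Running find_collisions over the queue before choosing Register in Domino shows which registrants still share a hierarchical name, so an organizational unit can be assigned or changed before the Person documents are created rather than afterwards through the Administration Process.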
4. Click Next.
5. Review the settings you specified for the user you are registering and
click Finish.
Reviewing ADSync operations in the Application Log
You can examine the Windows 2000 event viewer for more information
about any errors that may occur. Look for “NUMEEvent” messages in
the Application Log. All ADSync operations are recorded in the
Application Log.
Registering existing Active Directory users and groups in Notes
There are two procedures available for registering existing Active
Directory users and groups in Notes.
When you are registering users and groups, all groups are registered first.
Registering existing users or groups quickly without prompts
Use this method to register many existing users or groups at one time.
Users and groups are registered using the existing information in the
registration queue so that you are not prompted to enter user-specific or
group-specific information on multiple dialog boxes for every user or
group that you are registering. This is the recommended method for
registering multiple users and groups at one time, but this method can be
used to quickly register an individual user or group.
1. From the MMC, click Users.
2. On the Results pane, right-click the users and/or groups you are
registering and then click Register in Domino. You can choose
multiple users and/or groups and then click Register in Domino
once for all of your selections.
3. Choose “Register users and groups at once without additional
prompts; use defaults.” This button registers users and groups
without prompts.
4. Choose one of these options:
Field: If error happens during registration of some users and/or
groups, try to register them later
Action: Click this check box to register later any users or groups
whose registrations fail on the first try. If not selected, users and
groups are not registered if the first attempt fails.

Field: If registration is canceled for some users and/or groups, try
to register them later
Action: Click this check box to attempt to register later any users or
groups whose registrations are canceled on the first try. If not
selected, users and groups will not be registered if the first attempt
is canceled. This option is active only if the “Prompt for the name and
password of each user, and for the name and members of each group”
button is selected.
Field Action
If error happens Click this check box to attempt to
during register at a
registration of some later time, any users or groups whose
users
and/or groups, try to registrations fail on the first try. If not
register them later selected, users and groups are not
registered if
the first attempt fails.
If registration is Click this check box to attempt to
canceled register at a
for some users and/or later time, any users or groups whose
groups, try to register registrations are canceled on the first
them try. If
later not selected, users and groups will not
be
registered if the first attempt is
canceled.
This option is active only if “Prompt for
the
name and password of each user, and
for the name and members of each
group”button is
selected.
Field | Action
--- | ---
Register in Domino Directory | Click this check box to create a Notes group to correspond to the Windows group. Deselect to create the group only in the Active Directory. When this option is selected, all other fields on this dialog box are active.
Group name | Enter a group name. This field is active only if you select the “Register in Domino Directory” check box.
Feature | Mobile Directory Catalog | Condensed Directory Catalog on server or Extended Directory Catalog | Directory assistance for secondary Domino Directory | Directory assistance for remote LDAP directory
--- | --- | --- | --- | ---
Notes client mail addressing | Yes | Yes | Yes | Yes
Notes client LDAP-style searches | Yes | Yes | Yes | No
Notes client directory browsing | Yes | Yes | Yes | No
Notes client type-ahead addressing | Yes | Yes (if no Mobile Directory Catalog) | Yes (if no Mobile Directory Catalog) | No
Notes client F9 address resolution | Yes | Yes | Yes | No
LDAP client search and write operations | No | Yes (search), No (write) | Yes | No
LDAP client referrals | No | No | No | Yes
Internet client authentication | No | Yes | Yes | Yes
Group authorization (enabled for one secondary directory only) | No | No | Yes | Yes
• Provides servers with Configuration Directories quick access to new information because the servers aren’t required to wait for the information to replicate to them.
• Enables servers that store Configuration Directories to run on less powerful machines because they don’t have to store and maintain the primary Domino Directory.
• Provides tighter administrative control over directory management because only a few directory replicas contain user and group information.
A server with a Configuration Directory connects to a remote server with
a primary Domino Directory to look up information in the following
documents that it doesn’t store locally:
Person
Group
Mail-in Database
Resource
Any custom documents you add
For example, to authenticate a user, a server with a Configuration
Directory looks for the user credentials in a Person document in a remote
primary Domino Directory on another server in the domain.
You can set up a Domino Directory as a Configuration Directory when
you set up an additional server in the domain. If a server is already set
up, you can use replication settings for the directory to change a primary
Domino Directory to a Configuration Directory or change a
Configuration Directory to a primary Domino Directory.
Setting Up the Domino Directory 19-3
Directory Services
Planning a central directory architecture for a domain
The central directory architecture is most useful for an enterprise
organization that has a domain with a large Domino Directory. Using a
central directory architecture requires network speeds that make remote
directory lookups feasible. In addition, servers that store primary Domino
Directories that function as remote primaries must have the capacity to
handle the additional workload generated by the remote lookups.
Only an application that does a NAMELookup or similar directory call
can use a Configuration Directory to do a lookup in a remote primary
Domino Directory.
Deciding which servers should use primary Domino Directories
The administration server for the Domino Directory must store a primary
Domino Directory. For failover, at least one other server in the domain
should store a primary Domino Directory. There may be additional
servers that require primary Domino Directories as well, depending on
network bandwidth and stability, server usage patterns and locations,
and so forth. You may want servers that use primary Domino Directories
that function as remote primaries to be within a cluster to provide
failover and workload balancing.
If there is a network congestion point in the domain, at least one server
on each side of the congestion point should have a primary Domino
Directory that functions as a remote primary.
Using a combined central and distributed directory architecture
You can use a hybrid directory architecture within one domain. For
example, suppose at a company’s headquarters there are multiple servers
connected via fast network connections. There are also smaller remote
offices that have limited network bandwidth but are within the same
domain. Servers at corporate headquarters can use the central directory
model that includes a combination of primary Domino Directories and
Configuration Directories, while the remote satellite offices can continue
to use the distributed directory architecture in which each server stores a
primary Domino Directory.
Using a combined primary Domino Directory and Extended
Directory Catalog
Although not a typical configuration, you can integrate an Extended
Directory Catalog with a primary Domino Directory to collect users and
groups from the primary domain and secondary domains into one
directory database. A server that stores a Configuration Directory can
use this combination directory on a remote server as a remote primary
Domino Directory.
19-4 Administering the Domino System, Volume 1
When you use this combination directory, all the users from the
aggregated secondary directories are automatically trusted for
authentication, and all the groups can be used in database ACLs for
database authorization.
For more information on integrating an Extended Directory Catalog with
a primary Domino Directory, see the chapter “Setting Up Directory
Catalogs.”
Managing Domino Directories in a central directory architecture
To manage a central directory architecture, in which there are a
combination of Configuration Directories and primary Domino
Directories in a domain, you can:
• Change the directory type of a Domino Directory
• Control how a server finds a remote primary Domino Directory to use
• Prevent the use of a Domino Directory replica as a remote primary
• Show the primary Domino Directories that servers with Configuration Directories can use
Changing the directory type of a Domino Directory
The first server set up in a domain is always set up with a primary
Domino Directory. When you set up an additional server in the domain,
you choose whether to set up the replica of the Domino Directory on the
server as a Configuration Directory or as a primary Domino Directory.
The default selection is a primary Domino Directory.
After server setup, you can change the directory type. After you change
directory type, the Administration Process generates a “Store Directory
Type in Server Record” request to change the value of the Directory Type
field on the Basics tab of the Server document.
Changing a primary Domino Directory to a Configuration Directory
Note Do not change the primary Domino Directory on the
administration server to a Configuration Directory.
1. From the Domino Administrator, connect to the server that stores the
replica of the Domino Directory you want to change.
2. Click the Files tab.
3. Select the Domino Directory, and then double-click.
4. Choose File - Replication - Settings, and change the replication
settings for the directory as follows:
a. Click Space Savers in the Replication Settings dialog box.
b. Next to Include, select “Configuration Documents only.”
c. Click OK.
5. Use the server command Replicate to replicate the Domino Directory
that has the changed settings with a primary Domino Directory on
another server. Do a push-pull replication.
6. Restart the server that stores the Domino Directory replica you
changed.
Changing a Configuration Directory to a primary Domino Directory
1. From the Domino Administrator, connect to the server that stores the
replica of the Domino Directory you want to change.
2. Click the Files tab.
3. Select the Domino Directory, and then double-click.
4. Choose File - Replication - Settings, and change the replication
settings for the directory as follows:
a. Select Space Savers in the Replication Settings dialog box.
b. Next to Include, select All Fields.
c. Deselect “Documents that meet a selection formula.”
d. Click Yes when you see the following prompt:
“Switching to Folders will clear the current selection formula. Are
you sure you want to do this?”
e. Click OK.
5. Use the server command Replicate to replicate the Domino Directory
that has the changed settings with a primary Domino Directory on
another server. Do a push-pull replication.
6. Restart the server that stores the Domino Directory replica you
changed.
Controlling how a server finds a remote primary Domino Directory
to use
To locate a remote primary Domino Directory, a server with a
Configuration Directory can use a default logic or can use a directory
replica specified through directory assistance.
The default logic to locate a remote primary Domino Directory
The Directory Servers view in a Domino Directory lists the replicas of the
primary Domino Directories in the domain that are available for use as
remote primary directories by servers with Configuration Directories.
The view sorts these replicas alphabetically by their server names.
A server that stores a Configuration Directory uses the following logic to
build a list in memory of the five best remote primary Domino Directory
replicas to use. If the first replica in the list is unavailable, the server uses
the next replica in the list, and so on.
1. Look in the replication history and find the remote primary directory
replica with which the server most recently replicated. Then look for
the replica with which it replicated prior to that, and so on.
2. If the list in memory does not yet include five replicas of a remote
primary directory, look for a primary directory replica in the same
Notes named network. If there is more than one such replica, order
them alphabetically by their server names.
3. If the server has not yet located five replicas, refer to the Directory
Servers view to order the remaining remote primary directory replicas
alphabetically by their server names, until there are five primary
directories in the list or until all the primary directories are listed.
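As an added example (not code from IBM or from the Domino product), the following Python models the three-step selection logic above, together with the Server document option described later in this chapter that removes a replica from the Directory Servers view. Server names, Notes named networks and the replication history are constructed, and a plain string sort stands in for “alphabetically”; the page does not specify the sort's case handling.

```python
from dataclasses import dataclass

MAX_REMOTE_PRIMARIES = 5  # the page: a list of "the five best" replicas


@dataclass
class DirectoryReplica:
    """One replica of the Domino Directory and the server that stores it.
    Server and network names used below are constructed."""
    server: str                        # e.g. "Hub01/Acme"
    named_network: str                 # Notes named network of the server
    is_primary: bool                   # primary Domino Directory (True) or Configuration Directory
    allow_remote_primary: bool = True  # Server document option "Allow this directory to be
                                       # used as a remote primary directory for other servers"


def directory_servers_view(replicas):
    """Replicas eligible as remote primaries: primary directories whose Server
    document still allows remote-primary use, sorted by server name like the
    Directory Servers view."""
    return sorted((r for r in replicas if r.is_primary and r.allow_remote_primary),
                  key=lambda r: r.server)


def build_remote_primary_list(local, replicas, replication_history):
    """Order remote primary replicas the way the page's three steps describe and
    stop at five. replication_history lists the servers the local server
    replicated with, most recent first."""
    eligible = {r.server: r for r in directory_servers_view(replicas) if r.server != local.server}
    chosen = []

    def add(name):
        if name in eligible and name not in chosen and len(chosen) < MAX_REMOTE_PRIMARIES:
            chosen.append(name)

    # Step 1: remote primaries found in the replication history, most recent first.
    for name in replication_history:
        add(name)
    # Step 2: remaining primaries in the local server's Notes named network, alphabetically.
    for name in sorted(n for n, r in eligible.items() if r.named_network == local.named_network):
        add(name)
    # Step 3: whatever else the Directory Servers view lists, alphabetically.
    for name in sorted(eligible):
        add(name)
    return chosen


def next_available(ordered, reachable):
    """Failover: the first replica in the in-memory list that is currently reachable."""
    for name in ordered:
        if name in reachable:
            return name
    return None


# Constructed domain: one Configuration Directory server in a branch office.
LOCAL = DirectoryReplica("Branch01/Acme", "TCPIP-Branch", is_primary=False)
DOMAIN = [
    LOCAL,
    DirectoryReplica("Hub01/Acme", "TCPIP-HQ", True),
    DirectoryReplica("Hub02/Acme", "TCPIP-HQ", True),
    DirectoryReplica("Mail01/Acme", "TCPIP-HQ", True),
    DirectoryReplica("Mail02/Acme", "TCPIP-HQ", True),
    DirectoryReplica("Mail03/Acme", "TCPIP-HQ", True),
    DirectoryReplica("Branch02/Acme", "TCPIP-Branch", True),
    # Low-bandwidth server an administrator excluded through its Server document.
    DirectoryReplica("Branch03/Acme", "TCPIP-Branch", True, allow_remote_primary=False),
    DirectoryReplica("Branch04/Acme", "TCPIP-Branch", is_primary=False),
]
HISTORY = ["Hub02/Acme", "Branch03/Acme", "Mail03/Acme"]  # most recent first


def example():
    ordered = build_remote_primary_list(LOCAL, DOMAIN, HISTORY)
    return ordered, next_available(ordered, reachable={"Mail01/Acme", "Branch02/Acme"})


if __name__ == "__main__":
    print(example())
```

Modeling the logic lets you predict which primary replicas a Configuration Directory server will lean on, and therefore which servers need the capacity and monitoring the planning section calls for. Note that Branch03/Acme is skipped even though it appears in the replication history, because its Server document no longer allows remote-primary use.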
Setting up directory assistance to locate a primary Domino
Directory
You can use directory assistance rather than the default logic to control
which remote primary Domino Directory replicas in a domain servers
with Configuration Directories use. For example, if servers with primary
Domino Directories are in a cluster, you can use directory assistance to
use cluster failover to locate the primary Domino Directory replicas.
To create a Directory Assistance document in a directory assistance
database that servers with Configuration Directories use:
1. Make sure you have set up a directory assistance database on servers
with configuration Domino Directories.
2. From the Domino Administrator, connect to a server that is set up to
use the directory assistance database.
3. Click the Configuration tab.
4. Expand Directory and select Directory Assistance.
5. Click “Add Directory Assistance.”
6. On the Basics tab, do the following:
a. Next to Domain Type, select Notes.
b. Next to Domain Name, enter the domain of the servers that store
the remote primary Domino Directories. This domain should be
the same domain as that of the servers with configuration
Domino Directories.
c. Next to Search Order, select 1.
d. Next to Group Authorization, select No. A server can always use
groups in a primary Domino Directory replica to authorize
database access, regardless of what you select for this option.
Select No to reserve the use of the Group Authorization option
for a secondary directory.
7. On the Replicas tab do one of the following:
• If the servers that store the primary Domino Directories are clustered, to use cluster failover specify one replica within the cluster. If that replica is unavailable, cluster failover takes effect automatically. To use cluster failover, specify only one replica in the cluster.
• If the servers that store primary Domino Directories are not clustered, for failover specify at least two replicas of the primary Domino Directories to use.
Note A server always trusts the primary Domino Directory for client
authentication, so it is not necessary to enable a trusted rule in the
Directory Assistance document.
For more information on directory assistance, see the chapter “Setting Up
Directory Assistance.”
Preventing the use of a Domino Directory replica as a remote
primary
Do the following to prevent servers with Configuration Directories from
using a specific replica of the Domino Directory as a remote primary.
You can prevent a replica from being used only when servers with
Configuration Directories use the default logic, and not directory
assistance, to locate a remote primary Domino Directory. You might
prevent the use of a specific replica to avoid the use of a server that has
limited connectivity or CPU capacity.
1. From the Domino Administrator, select the server that stores the
primary Domino Directory.
2. Select the Configuration tab, and select Server - Current Server
Document.
3. Click Edit Server.
4. On the Basics tab, in the Directory Information section, below the
Directory Type field, deselect “Allow this directory to be used as a
remote primary directory for other servers.”
5. Click Save & Close.
Showing the Domino Directory replicas that can function as remote
primaries
The Directory Servers view in the Domino Directory lists the primary
Domino Directories that are in the domain and that have the option “Allow
this directory to be used as a remote primary directory for other servers”
selected on the Basics tab of their Server documents. The Central Directories
view sorts the primary Domino Directory replicas by server name.
1. From the Domino Administrator, in the server pane on the left, select
any server in the domain. If you don’t see the server pane, click the
servers icon.
2. Click the Files tab and open the Domino Directory.
3. Select the view Servers - Directory Servers.
Tip Use the Show Xdir command on a server that uses a Configuration
Directory to show the remote primary Domino Directory replica the
server last used.
Controlling access to the Domino Directory
Do the following to control access to the Domino Directory:
• Set the Domino Directory ACL to control overall access.
• Assign administrators to the roles in the Domino Directory ACL that correspond to their administrative tasks.
• (Optional) Use the Administrators field to control access to individual documents.
• (Optional) Use the extended ACL to set access at the form and field level.
For information on setting up an extended ACL, see the chapter “Setting
Up Extended ACLs.”
Setting overall access levels in the Domino Directory ACL
The Domino Directory, like all Notes databases, has an access control list
(ACL) that controls the overall access that users and servers have. The
following table shows the default name entries in the Domino Directory
ACL and the default access settings for each entry.
stricter control over database access, you might change the access for the
-Default- entry to No Access and explicitly add the names of groups of
users to the ACL that you want to allow access.
Note The default access for the -Default- entry allows users only to
change some of the fields in their Person documents.
Using administration roles in the Domino Directory ACL
The Domino Directory ACL includes Creator and Modifier roles that you
assign to administrators so they have the authority to create and edit
specific types of documents. By assigning one or more roles along with
general access levels, you can limit an administrator’s access to some
types of documents but allow greater access to other types of documents.
Roles are useful when groups of administrators have specialized
responsibilities. If all of the administrators in your organization have
identical administrative responsibilities, assign them to all roles.
The access defined in the ACL by a role never exceeds a general access
level. For example, even if you give the UserCreator role to an
administrator who has Reader access in the ACL, the administrator
cannot use the Create menu to create Person documents.
For more general information on roles in an ACL, see the chapter
“Controlling User Access to Domino Databases.”
Creator roles
Assign creator roles to control who can create documents in the Domino
Directory. To create documents in the Domino Directory, administrators
must have:
• The “Create documents” privilege
• The Creator role that corresponds to the type of document being created
The following table describes the available Creator roles.
Role Allows
GroupCreator Administrators to create Group documents
NetCreator Administrators to create all documents except
Person, Group, Policy, and Server documents
PolicyCreator Administrators to create Policy documents
ServerCreator Administrators to create Server documents
UserCreator Administrators to create Person documents
Caution Assigning Creator roles does not provide true security because
Domino sometimes ignores Creator roles when administrators add
documents to the directory programmatically. For example, an
administrator who does not have the UserCreator role can still use the
User Registration program to register a user.
Modifier roles
Rather than assigning Editor access which allows administrators to
modify all documents, assign administrators Author access along with
one or more Modifier roles to control the types of documents they can
edit. For example, assign the UserModifier role to administrators who are
responsible for managing users. Unlike Creator roles, Modifier roles are a
true security feature.
Role Allows
GroupModifier Administrators to edit Group documents
NetModifier Administrators to edit all documents except Person,
Group, Policy, and Server documents
PolicyModifier Administrators to edit Policy documents
ServerModifier Administrators to edit Server documents
UserModifier Administrators to edit Person documents
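As an added example (not IBM code and not the Notes ACL implementation), the Python below models how the Creator and Modifier roles in the two tables combine with the general access level, including the two rules the text stresses: a role never raises access above the general level, and the User Registration path does not consult the UserCreator role. The administrator names are constructed, and the model assumes that registration still needs the general ability to create documents, which the page does not state.

```python
from dataclasses import dataclass, field

# Notes ACL access levels, weakest to strongest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Which role prefix governs each document type. Every other type (Connection,
# Domain, Certifier, ...) falls under the Net* roles, as the tables state.
ROLE_PREFIX = {"Person": "User", "Group": "Group", "Policy": "Policy", "Server": "Server"}


@dataclass
class AclEntry:
    name: str
    level: str
    roles: set = field(default_factory=set)
    create_documents: bool = False  # the "Create documents" privilege on an Author entry


def level_at_least(entry, level):
    return LEVELS.index(entry.level) >= LEVELS.index(level)


def has_create_privilege(entry):
    # Editor and above always create documents; Author needs the privilege explicitly.
    return level_at_least(entry, "Editor") or (entry.level == "Author" and entry.create_documents)


def creator_role(doc_type):
    return ROLE_PREFIX.get(doc_type, "Net") + "Creator"


def modifier_role(doc_type):
    return ROLE_PREFIX.get(doc_type, "Net") + "Modifier"


def can_create_from_menu(entry, doc_type):
    """Creating from the Create menu needs the Create documents privilege AND the
    matching Creator role. The role never lifts access above the general level,
    so UserCreator on a Reader entry still cannot create a Person document."""
    return has_create_privilege(entry) and creator_role(doc_type) in entry.roles


def can_register_user(entry):
    """The page's caution: User Registration adds Person documents programmatically
    and ignores the UserCreator role. Assumption: it still needs the general
    ability to create documents."""
    return has_create_privilege(entry)


def can_edit(entry, doc_type):
    """Editor and above edit everything. Author access edits only the document
    types granted by a Modifier role (the Notes rule that an Author may also edit
    documents naming them in an Authors field is left out of this model)."""
    if level_at_least(entry, "Editor"):
        return True
    return entry.level == "Author" and modifier_role(doc_type) in entry.roles


def least_privilege_entry(name, doc_types):
    """The entry the page recommends for an administrator responsible for the given
    document types: Author access plus only the matching Creator/Modifier roles."""
    roles = {creator_role(t) for t in doc_types} | {modifier_role(t) for t in doc_types}
    return AclEntry(name, "Author", roles, create_documents=True)


# Constructed ACL entries.
USER_ADMIN = least_privilege_entry("Alice Adams/Acme", ["Person"])
READER_WITH_ROLE = AclEntry("Bob Brown/Acme", "Reader", {"UserCreator"})
FULL_EDITOR = AclEntry("Carol Chen/Acme", "Editor")
AUTHOR_NO_ROLES = AclEntry("Dan Diaz/Acme", "Author", create_documents=True)


def summary():
    return {
        "user admin creates Person": can_create_from_menu(USER_ADMIN, "Person"),
        "user admin creates Server": can_create_from_menu(USER_ADMIN, "Server"),
        "user admin edits Person": can_edit(USER_ADMIN, "Person"),
        "user admin edits Connection": can_edit(USER_ADMIN, "Connection"),
        "reader with UserCreator creates Person": can_create_from_menu(READER_WITH_ROLE, "Person"),
        "editor edits Server": can_edit(FULL_EDITOR, "Server"),
        "author without roles creates Person from menu": can_create_from_menu(AUTHOR_NO_ROLES, "Person"),
        "author without roles registers user": can_register_user(AUTHOR_NO_ROLES),
    }


if __name__ == "__main__":
    for check, result in summary().items():
        print(f"{check}: {result}")
```

The last two results are the practical takeaway: an Author with no Creator role is stopped at the Create menu but not at User Registration, which is why the text treats Modifier roles, not Creator roles, as the real control and recommends Author access plus Modifier roles over blanket Editor access.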
Field | Enter
--- | ---
Domain defined by this Domino Directory | The name of the Domino domain for this directory. Domino completes this field automatically as part of first server setup.
Condensed server directory catalog for domain | The file name for a condensed Directory Catalog used by servers in the domain. As an alternative to using this field, you can specify the file names for individual condensed Directory Catalogs in the “Directory catalog database name on this server” field in the Basics
Allow the creation of Alternate Language Information documents | Choose one: • Yes (default) to allow you to create Alternate Language Information documents that enable LDAP clients to search for user information in an alternate language. • No to prevent the creation of Alternate Language Information documents.
For information on the NOTES.INI file and on server commands, see the
appendices.
Preventing the LDAP service on the administration server for the
Domino Directory from processing LDAP client requests
You can prevent the administration server for the Domino Directory
from processing LDAP requests, and leave this processing to another
server or servers in the domain that run the LDAP service. Prevent the
administration server from LDAP request processing, for example, if the
LDAP ports on the administration server conflict with the operating
system. When you disable the LDAP ports on the Domino Directory
administration server, the LDAP service on the server continues to run
the schema daemon and verify the directory tree for the domain, but
does not accept LDAP client requests.
To disable the LDAP ports:
1. Open the Server document of the Domino Directory administration
server.
2. Click Edit Server.
3. Click the Ports - Internet Ports - Directory tab.
4. In the “SSL port status” and “TCP/IP port status” fields, choose
Disabled.
5. Click Save & Close.
6. If necessary, wait for the change to replicate to the Domino Directory
administration server for the domain, then enter this command on
the Domino Directory administration server to put the changes into
effect:
Restart Task LDAP
The server console displays the message:
"LDAP Server: No ports enabled, listener not started but
control task running to maintain schema."
Disabling the LDAP service in a domain
If you do not want to run the LDAP service on any server in a domain,
you can stop the LDAP service from running on the administration
server for the Domino Directory. Do the following on the administration
server:
1. Add the NOTES.INI setting DisableLDAPOnAdmin=1.
2. Remove LDAP from the ServerTasks NOTES.INI setting.
Customizing the LDAP service configuration
The default LDAP service configuration works without modification, but
you can customize it to suit your needs. The following table describes the
LDAP service configuration settings. In addition to the settings in the
table, there are NOTES.INI settings you can use to configure the LDAP
service.
For more information, see the topic “NOTES.INI settings for the LDAP
service” later in the chapter.
Except where noted in the table, restarting the LDAP task or the Domino
server is unnecessary after changing a setting because the task checks for
setting changes automatically, by default at three-minute intervals. You
can use the NOTES.INI setting LDAPConfigUpdateInterval to change the
interval at which the LDAP service checks for changes to its settings.
Setting | Description | For more information
--- | --- | ---
Port and port security settings¹ | Controls the ports LDAP clients can use to connect to the LDAP service, and the authentication methods enabled for each port. Default: TCP/IP port 389 enabled for name-and-password authentication and for anonymous access. Changing requires restarting the LDAP task. | See the topic “Changing the LDAP service port and port security configuration.”
“Automatically Full Text Index Domino Directory?”⁴ | Controls whether the LDAP service creates and updates full-text indexes on the Domino Directories it serves. Default: does not create full-text indexes. | See the topic “Full-text indexing the directories served by the LDAP service.”
“Choose fields that anonymous users can query via LDAP”²˒³ | If the port settings allow anonymous access, controls which attributes anonymous LDAP users can search. Changing requires restarting the server. | See the topic “Configuring anonymous LDAP search access to a directory.”
“Maximum number of entries returned”⁴ | Controls the maximum number of entries that the LDAP service can return in response to an LDAP search. Default: no limit. | See the topic “Customizing search processing to improve LDAP service performance.”
“Minimum characters for wildcard search”⁴ | Controls the minimum number of characters users must place before the first wildcard in a substring search filter. Default: 1. | See the topic “Customizing search processing to improve LDAP service performance.”
“Allow Alternate Language Information processing”⁴ | Controls whether LDAP users can do alternate language searches. Default: not allowed. | See the topic “Enabling LDAP alternate language searches.”
“Enforce schema?”⁴ | Controls whether directory modifications through LDAP must conform to the schema. Default: schema enforced. | See the topic “Enabling or disabling schema checking.”
“DN Required on Bind?”⁴ | Controls whether the LDAP service requires clients to log on with distinguished names for name-and-password authentication. Default: distinguished logon names not required. | See the topic “Requiring distinguished logon names for LDAP name-and-password security.”
1 Set in the Server document of each server that runs the LDAP service. To
configure authentication options for the ports enabled in a Server
document, you can instead use a Directory Site document. Using the site
document to configure authentication options is required in a hosted
organization environment.
2 Alternatively, use the database ACL/extended ACL to specify
Directory and Extended Directory Catalog the LDAP service serves. Each
directory can have different settings.
4 Set in the domain Configuration Settings document of the primary
Domino Directory of the servers that run the LDAP service in a domain.
Setting applies to the LDAP service running on any server in the domain.
For information on the “Activity Logging truncation size” setting, see the
chapter “Setting Up Activity Logging.” For information on the “Enforce
schema?” setting, see the chapter “Managing the LDAP Schema.”
Changing the LDAP service port and port security configuration
By default, LDAP clients can connect to the LDAP service over TCP/IP
port 389, anonymously or using name-and-password authentication. By
default, LDAP clients cannot connect using SSL.
Note To authenticate using name-and-password security some LDAP
clients, for example Netscape Mail, Microsoft Internet Explorer, and
Notes clients with LDAP accounts, first do an anonymous search to
retrieve the distinguished names used for the authentication, so that
users don’t have to specify the distinguished names themselves. To
enable such clients to authenticate using names and passwords, you
must enable anonymous access, as well as name and password
authentication, for the LDAP service port the clients use to connect. You
must also allow anonymous read access to the attribute(s) the clients use
to search the directory anonymously to retrieve the distinguished names.
Attributes typically searched for are cn, uid, sn, givenname, or mail.
Follow these steps to change the LDAP service port and port security
configuration on a specific server that runs the LDAP service:
1. From the Domino Administrator, click the Configuration tab.
2. In the left pane, expand Server and open the Server document for the
server that runs the LDAP service.
3. Click Edit Server.
4. Click the Ports - Internet Ports - Directory tab.
Note If you are administering a hosted organization environment,
an asterisk (*) in the following tables indicates options you must
specify instead in an Internet Site document. In a non-hosted
organization environment, you can use the Internet Site document,
but you aren’t required to.
For information on using Internet Site documents, see the chapter
“Installing and Setting Up Domino Servers.”
5. To change the TCP/IP port configuration for the LDAP service,
complete these fields:
Field | Enter
--- | ---
TCP/IP port number | Choose 389 (default) to use the industry standard port for LDAP connections over TCP/IP. You can specify a different port, but 389 works in most situations.
TCP/IP port status | Choose one: • “Enabled” (default) to allow LDAP clients to connect to the server without using SSL. • “Redirect to SSL” to direct LDAP clients connecting without using SSL to use SSL instead. The LDAP service returns a message to LDAP clients indicating that they must connect over SSL. • “Disabled” to prevent LDAP clients from connecting using the TCP/IP port.
SSL port number | Choose 636 (default) to use the industry standard port for LDAP connections over SSL. You can specify a different port, but 636 works in most situations.
SSL port status | Choose one: • “Enabled” to allow LDAP clients to connect to the LDAP service over SSL. • “Disabled” (default) to prevent LDAP client connections over SSL.
Authentication options: Client certificate* | If “SSL port status” is set to Enabled, choose one: • Yes to allow LDAP clients to use client certificate authentication when connecting. • No (default) to prevent the LDAP service from using client certificate authentication.
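As an added example (not IBM code and not part of the Domino product), the Python below is a small audit helper that covers two passages of this chapter: the NOTES.INI settings used to stop the LDAP task on the administration server (DisableLDAPOnAdmin and ServerTasks), and the port fields in the table above. The NOTES.INI fragments and the dictionaries standing in for the Server document fields are constructed; the finding about cleartext binds rests on the fact that LDAP name-and-password (simple) binds are unencrypted unless the connection uses SSL, which the page's “Redirect to SSL” option is there to address.

```python
from typing import Dict, List


def parse_notes_ini(text: str) -> Dict[str, str]:
    """NOTES.INI holds one Key=Value per line; keys are treated case-insensitively."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def ldap_task_state(ini: Dict[str, str], directory_admin_server: bool) -> str:
    """Whether the LDAP task runs, from the two NOTES.INI settings the page names."""
    tasks = {t.strip().lower() for t in ini.get("servertasks", "").split(",") if t.strip()}
    if "ldap" not in tasks:
        return "not loaded"
    if directory_admin_server and ini.get("disableldaponadmin") == "1":
        return "disabled on administration server"
    return "running"


def audit_ldap_ports(ports: Dict[str, str]) -> List[str]:
    """Flag Server document port settings that weaken LDAP authentication.
    Keys mirror the field names in the table above; defaults are the page's."""
    findings = []
    tcp_status = ports.get("TCP/IP port status", "Enabled")
    ssl_status = ports.get("SSL port status", "Disabled")
    tcp_port = ports.get("TCP/IP port number", "389")
    if ssl_status == "Disabled" and tcp_status == "Enabled":
        findings.append(f"SSL port Disabled while TCP/IP port {tcp_port} is Enabled: "
                        "name-and-password binds cross the network unencrypted")
    if ssl_status == "Enabled" and tcp_status == "Enabled":
        findings.append(f"TCP/IP port {tcp_port} still accepts non-SSL binds; "
                        "consider 'Redirect to SSL' so clients are told to reconnect over SSL")
    if ports.get("Client certificate") == "Yes" and ssl_status != "Enabled":
        findings.append("Client certificate authentication selected but the SSL port is not Enabled")
    if tcp_status == "Disabled" and ssl_status == "Disabled":
        findings.append("Both ports Disabled: listener not started, only the schema "
                        "control task runs (expected on the Domino Directory administration server)")
    return findings


# Constructed NOTES.INI fragments.
DEFAULT_INI = """; constructed: LDAP task loaded on every server
ServerTasks=Update,Replica,Router,AMgr,AdminP,LDAP
"""
NO_LDAP_IN_DOMAIN_INI = """; constructed: the two steps from "Disabling the LDAP service in a domain"
ServerTasks=Update,Replica,Router,AMgr,AdminP
DisableLDAPOnAdmin=1
"""
# Constructed Server document field values, before and after hardening.
WEAK_PORTS = {"TCP/IP port number": "389", "TCP/IP port status": "Enabled",
              "SSL port number": "636", "SSL port status": "Disabled", "Client certificate": "No"}
HARDENED_PORTS = {"TCP/IP port number": "389", "TCP/IP port status": "Redirect to SSL",
                  "SSL port number": "636", "SSL port status": "Enabled", "Client certificate": "No"}


def example():
    return {
        "default task state": ldap_task_state(parse_notes_ini(DEFAULT_INI), directory_admin_server=True),
        "domain-disabled task state": ldap_task_state(parse_notes_ini(NO_LDAP_IN_DOMAIN_INI), True),
        "weak port findings": audit_ldap_ports(WEAK_PORTS),
        "hardened port findings": audit_ldap_ports(HARDENED_PORTS),
    }


if __name__ == "__main__":
    for name, result in example().items():
        print(f"{name}: {result}")
```

Run against the page's defaults (TCP/IP port 389 Enabled, SSL Disabled) the audit reports the cleartext-bind exposure; with “Redirect to SSL” and the SSL port Enabled it reports nothing. The task-state check is only as good as the NOTES.INI it is given, so run it on each server that you expect to be out of the LDAP business, not just the administration server.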
These attributes were not listed in previous releases because you
could not prevent anonymous LDAP access to them; in previous
releases anonymous LDAP users always had search access to these
attributes. In Lotus Domino 6, you can deny anonymous LDAP search
access to the attributes above, although they are allowed for anonymous
search access by default to be consistent with the anonymous search
behavior of previous releases.
Using the domain Configuration Settings document to customize
anonymous LDAP search access to a directory
To use the domain Configuration Settings document to customize
anonymous LDAP search access to a specific Domino Directory or
Extended Directory Catalog served by the LDAP service, first open the
document, then configure anonymous search access.
Step 1: Open the domain Configuration Settings document in the
directory
To open the domain Configuration Settings document for the primary
Domino Directory:
1. From the Domino Administrator, open a server within the domain
that runs the LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select Settings.
4. Do one of the following:
If you see the prompt “Unable to locate a Server Configuration
document for this domain. Would you like to create one now?” click
Yes, then click the LDAP tab on the document.
If you do not see the prompt, click “Edit LDAP Settings.”
To open the domain Configuration Settings document for a secondary
Domino Directory or an Extended Directory Catalog:
To open the domain Configuration Settings document in a Domino
Directory that is not the directory for a domain, or to open the document
in an Extended Directory Catalog:
1. From the Domino Administrator, open the directory.
2. Select the Servers - Configurations view.
3. If you do not see a domain Configuration Settings document in the
view, a document named * - [All Servers], skip to step 4. If you do
see this document, do the following:
a. Open the document
b. Click the LDAP tab.
c. Click Edit Server Configuration.
4. If you do not see a domain Configuration Settings document in the
view, create one by doing the following:
a. Click Add Configuration.
b. On the Basics tab select Yes next to “Use these settings as the
default settings for all servers.”
c. Click the LDAP tab.
Step 2: Customize anonymous LDAP search access to the directory
After you have opened the domain Configuration Settings document for the
directory, follow these steps to customize anonymous LDAP search access:
1. Next to “Choose fields that anonymous users can query via LDAP”
select “Select Attribute Types” to open the LDAP Attribute Type
Selection dialog box.
The “Queriable Attribute Types” box at the right of the dialog box
shows the attributes anonymous LDAP users can access.
2. To add an attribute to the “Queriable Attribute Types” box to allow
anonymous LDAP users to access the attribute:
a. In the Object Classes box, select an object class that contains the
attribute.
b. Click “Display Attributes” to display in the “Selectable Attribute
Types” box all the attributes defined for the selected object class(es).
c. Select the attribute in the “Selectable Attribute Types” box that
you want to allow anonymous LDAP users to access, and click
Add to add the attribute to the “Queriable Attribute Types” box.
You can select more than one attribute.
Or, to add all the attributes listed in the “Selectable Attribute
Types” box, click Add All.
When you allow anonymous access to an attribute, the access applies
to all object classes for which that attribute is defined.
3. To remove an attribute from the “Queriable Attribute Types” box to
prevent anonymous LDAP users from accessing the attribute, select
the attribute and click Remove. Or, to remove all attributes, click
Remove All.
Tip To revert the “Queriable Attribute Types” box to the attributes
the LDAP service allows for anonymous LDAP access by default,
click “Use Default Values.”
4. Click OK to close the LDAP Attribute Type Selection dialog box.
5. Click Save & Close to save the changes in the Configuration Settings
document.
6. Do the following for each server in the domain that runs the LDAP
service:
a. If you made the changes to a Domino Directory replica on a
different server, replicate the changes to the server.
b. Enter the following command on the server to put the changes
into effect:
Converting the default anonymous access settings to database ACL
and extended ACL settings
As soon as you select the advanced ACL option “Enable Extended
Access” for a directory served by the LDAP service, the “Choose fields
that anonymous users can query via LDAP” setting stops controlling
anonymous LDAP search access and is no longer visible in the domain
Configuration Settings document.
To convert the default anonymous search access settings set in the
domain Configuration Settings document to database ACL and extended
ACL settings for a Domino Directory or Extended Directory Catalog, do
the following:
1. Make sure you have read thoroughly the documentation on
Extended ACLs.
For more information, see the chapter “Setting Up Extended ACLs.”
2. Open the directory and select “Enable Extended Access” in the
Advanced tab of the database ACL.
3. On the Basics tab of the ACL, give the Anonymous entry Reader
access.
4. Click Extended Access and set the access as follows:
5. Select / (root) as the target.
6. Add Anonymous as a subject at / (root).
7. Leave “This container and all descendants” selected as the scope.
8. For the default privileges, click Allow Browse and click Deny Create,
Delete, Read, and Write.
9. Click Form and Field Access.
10. Next to Schema, select Domino.
11. In the Forms box, select Person.
12. With the Person form still selected, select each of the following fields
in the Fields box, and for each field click Allow Read:
AltFullName
Certificate
FirstName
InternetAddress
LastName
Location
MailAddress
20-20 Administering the Domino System, Volume 1
MailDomain
O
OfficeCity
OfficeCountry
OfficeState
OU
PublicKey
ShortName
Street
Type
UserCertificate
13. In the Forms box, select Group.
14. With the Group form still selected, select each of the following fields
in the Fields box, and for each field click Allow Read:
InternetAddress
MailDomain
Members
Type
15. Next to Schema, select LDAP.
16. In the Object Classes box, select dominoPerson.
17. With the dominoPerson object class still selected, in the Attributes
box select cn and click Allow Read.
18. Click OK twice, and when you see the prompt “Save changes before
exiting?” click Yes.
Note If you disable “Enable Extended Access” in a directory ACL, the
default settings in the “Choose fields that anonymous users can query via
LDAP” setting in the domain Configuration Settings document resume
control of anonymous LDAP search access for the directory.
Setting Up the LDAP Service 20-21
Directory Services
Using LDAP to modify a directory served by the LDAP service
By default, the LDAP service does not allow LDAP clients to modify the
directories the LDAP service serves. However, you can enable LDAP
write access for any of the following directories to allow LDAP users
with the required database access to modify the directories:
Primary Domino Directory of the LDAP service
Secondary Domino Directory or Extended Directory Catalog the LDAP service serves
You control LDAP write access separately for each directory. For
example, you could enable write access for the primary Domino
Directory, and leave write access disabled for an Extended Directory
Catalog.
Note You cannot enable LDAP write access to a condensed Directory
Catalog served by the LDAP service.
Keep the following points in mind if you enable LDAP write access for a
directory:
1. Domino does not provide a tool for doing LDAP write operations;
you must develop or obtain one.
2. If you allow LDAP write access, use the directory database ACL, and
optionally, extended ACL, to control the directory changes that
LDAP users can make.
3. Enable schema checking for the LDAP service to require that
directory changes made via LDAP conform to the directory schema.
Schema checking is disabled by default; if you allow LDAP write
operations, enabling it is recommended to maintain consistent
directory contents.
4. The Administration Process server task doesn’t respond to LDAP
write operations. For example, if an LDAP user deletes a Person
document, the Administration Process can’t delete the associated
user name from database ACLs.
5. The LDAP service can carry out an LDAP write operation in a
secondary Domino Directory or Extended Directory Catalog only if
that directory is stored locally on the server that runs the LDAP
service. If the LDAP service receives a write operation request for a
Domino Directory on a remote server, it sends an LDAP referral to
the client. The LDAP service refers the client to the administration
server for the directory. If there is no administration server specified,
it refers the client to the remote server that stores the directory. The
client must then follow the referral itself.
Note If you enable LDAP write access to a secondary Domino
Directory, do not use a condensed Directory Catalog that aggregates
that directory on a server that runs the LDAP service.
6. The distinguished names of directory entries are limited to 256
characters. Distinguished names do not have to conform to the
standard Notes naming model of organizational unit (ou),
organization (o), and country (c). For example, distinguished names
such as these are acceptable:
dn: cn=Jay Walker + uid=123456,u=Sales,o=Widget Inc.,c=GB
dn: foo=Bar, o=Acme
dn: cn=L. Eagle,o=Sue\, Grabbit and Runn,c=GB
Names such as these are recommended primarily for entries that are
accessed through LDAP only, since Notes users may find them
confusing.
7. Prior to doing batch adds of 100 or more directory entries, you can
use the NOTES.INI setting LDAPBatchAdds to process the additions
more quickly. Disable the setting when the batch adds are complete.
8. You can’t modify the value of an entry’s structural object class
attribute.
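The three distinguished names quoted in point 6 exercise exactly the DN features a client tool must handle when it writes to the directory: a multi-valued RDN joined with `+`, an attribute type outside the Notes ou/o/c model, and a separator escaped with a backslash inside a value. The parser below is an added example written for this chapter, not Domino code or a Lotus-supplied tool; it follows the RFC 2253 string form for these cases and enforces the 256-character limit the chapter states. The function names and the Notes-naming check are the example's own.

```python
"""RFC 2253-style DN parser (added example; not Domino code).

Handles the DN shapes the chapter lists as acceptable for LDAP-written
entries: multi-valued RDNs (cn=... + uid=...), attribute types outside the
Notes ou/o/c model (foo=Bar), and escaped separators in a value
(o=Sue\, Grabbit and Runn). Also enforces the chapter's 256-character limit.
"""
from typing import List, Tuple

MAX_DN_LENGTH = 256  # limit stated in the chapter for directory entry DNs

RDN = List[Tuple[str, str]]  # one RDN is a list of (attribute type, value) pairs


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep`, ignoring occurrences preceded by a backslash.

    The backslash is kept in the pieces so that _unescape() can remove it
    after the component boundaries are known.
    """
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Drop the backslash in front of an escaped character (\, -> ,)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN string into its RDNs, most specific (leftmost) first.

    Raises ValueError when the DN exceeds MAX_DN_LENGTH or a component
    lacks the attribute=value form.
    """
    if len(dn) > MAX_DN_LENGTH:
        raise ValueError(f"DN exceeds {MAX_DN_LENGTH} characters")
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        pairs: RDN = []
        for ava in _split_unescaped(rdn_text, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr_type, raw_value = ava.split("=", 1)
            pairs.append((attr_type.strip().lower(), _unescape(raw_value.strip())))
        rdns.append(pairs)
    return rdns


def uses_notes_naming_model(rdns: List[RDN]) -> bool:
    """True when every attribute type is one of cn, ou, o, c (the Notes model).

    DNs for which this is False are legal for LDAP-only entries, but the
    chapter warns that Notes users may find them confusing.
    """
    return all(t in {"cn", "ou", "o", "c"} for rdn in rdns for t, _ in rdn)


if __name__ == "__main__":
    for sample in ("cn=Jay Walker + uid=123456,u=Sales,o=Widget Inc.,c=GB",
                   "foo=Bar, o=Acme",
                   "cn=L. Eagle,o=Sue\\, Grabbit and Runn,c=GB"):
        print(sample, "->", parse_dn(sample), "notes-style:",
              uses_notes_naming_model(parse_dn(sample)))
```

The parser deliberately lowercases attribute types only; attribute values keep their case, since whether a value compares case-insensitively depends on the attribute's syntax, not on the DN grammar.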
Enabling or disabling LDAP write access to a directory served by
the LDAP service
By default, the LDAP service does not allow LDAP clients to modify the
directories the LDAP service serves. If you enable directory changes to be
made via LDAP, the directory database ACL and, optionally, an
extended ACL, control the extent to which authenticated and anonymous
LDAP users can modify directory entries. For example, an LDAP user
with Editor database ACL access can modify all entries, whereas an
LDAP user with only Author database ACL access and the UserModifier
role can modify only Person entries and not other entries.
To enable or disable LDAP write access to the primary Domino Directory
of the LDAP service, or to a secondary Domino Directory or Extended
Directory Catalog the LDAP service serves:
1. From the Domino Administrator, open the directory for which you
want to enable write access.
2. Select the Servers - Configurations view.
3. If you do not see a domain Configuration Settings document in the
view, a document named * - [All Servers], skip to step 4. If you see
this document, do the following:
a. Open the document
b. Click the LDAP tab.
c. Click Edit Server Configuration.
4. If you do not see a domain Configuration Settings document in the
view, create one by doing the following:
a. Click Add Configuration.
b. On the Basics tab select Yes next to “Use these settings as the
default settings for all servers.”
c. Click the LDAP tab.
Tip If you are enabling write access for the primary Domino
Directory in the domain, a shortcut for steps 2-4 is: from the Domino
Administrator open the server that stores the directory; click the
Configuration tab; in the left pane expand Directory, then LDAP, and
then select Settings; click Edit LDAP Settings.
5. Next to “Allow LDAP users write access” choose one:
Yes to allow directory changes via LDAP.
No (default) to prevent directory changes via LDAP.
6. Click Save & Close.
7. For each server in the domain that runs the LDAP service, do the
following:
a. If you made the changes to a Domino Directory replica on a
different server, replicate the changes to the server.
b. Enter the following command on the server to put the changes
into effect:
Restart Server
8. If you enabled LDAP write access, set up the database ACL, and
optionally extended ACL, to specify the directory contents that
LDAP users can modify.
For more information, see the chapters “Setting Up the Domino
Directory” and “Setting Up Extended ACLs.”
9. Configure how the LDAP service responds when it finds more than
one occurrence of a name specified in an LDAP write operation.
Configuring how the LDAP service responds to multiple name
matches when processing write and compare operations
The LDAP service uses its “Rules to follow when this directory is the
primary directory and there are multiple matches on the distinguished
name being compared/modified” setting to determine how it responds
in either of these situations:
It receives an LDAP modify, modify DN, delete, or compare request
and finds more than one entry, within one directory or across
directories, with a distinguished name that matches the one specified
in the request.
It receives an LDAP add request and finds more than one Domino
Directory enabled for LDAP clients in its directory assistance
database with a directory assistance naming rule that most
specifically matches the distinguished name specified in the request.
Note that if there is no Domino Directory enabled for LDAP clients in
directory assistance with a rule that matches the distinguished name
specified in an add operation, the LDAP service adds the entry to its
primary Domino Directory. If there is only one Domino Directory
enabled for LDAP clients in directory assistance with a rule that
matches the distinguished name specified in an add operation, the
LDAP service adds the entry to that directory.
For more information on the LDAP service and directory assistance, see
the chapter “Setting Up Directory Assistance.”
To specify the “Rules to follow when this directory is the primary
directory and there are multiple matches on the distinguished name
being compared/modified” for all servers in the domain that run the
LDAP service:
1. From the Domino Administrator, open the server that runs the LDAP
service, or a server in the same domain as the one that runs the
LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
If you see the prompt “Unable to locate a Server Configuration
document for this domain. Would you like to create one now?” click
Yes, then click the LDAP tab on the document.
If you do not see the prompt, click “Edit LDAP Settings.”
5. In the “Rules to follow when this directory is the primary directory
and there are multiple matches on the distinguished name being
compared/modified” field, choose one to specify how the LDAP
service responds in the two situations described above:
“Rules to follow...” setting | Results
“Don’t modify any” (default) | Prevents the operation from occurring. The LDAP service returns an error, and you can investigate the duplicate names/naming rules.
“Modify first match” | • Carries out the LDAP modify, delete, or compare operation on the first entry encountered in a directory enabled for LDAP write operations that matches the distinguished name specified in the operation. • Carries out the LDAP add operation in the Domino Directory configured in the directory assistance database that is enabled for LDAP write operations and has the most specific matching rule and the lowest search order.
“Modify all matches” | • Carries out the LDAP modify, delete, or compare operation on all the entries encountered that match the distinguished name specified in the operation. • Carries out the LDAP add operation in all the Domino Directories configured in the directory assistance database with a matching rule that most specifically matches the distinguished name specified in the add operation, and that are enabled for LDAP write operations.
“Rules to follow...” setting | Name of entry being added | Directory or directories to which entry added | Explanation
N/A | cn=Kate Power,ou=DomainD,o=Acme | Domain D | Domain D directory is the only directory with a rule that most specifically matches the name added.
Modify first match | cn=John Ashby,ou=DomainC,o=Acme | Domain B | Rules for Domain B and C both match the name being added; entry added to Domain B because it has lower search order than Domain C.
Modify all matches | cn=John Ashby,ou=DomainC,o=Acme | Domains B & C | Rules for Domain B and C both match the name being added; entry added to both directories.
Don’t modify any | cn=John Ashby,ou=DomainC,o=Acme | None | Rules for Domain B and C both match the name being added; entry not added.
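The add-routing logic the table above illustrates, as an added example written for this chapter rather than Domino's own code: directory assistance naming rules are modelled as DN suffixes, “most specific” means the longest matching suffix, and the three “Rules to follow...” settings break ties exactly as the table describes. The `DirectoryRule` records (Domain B, C and D under o=Acme, their search orders, and rules chosen so that Domain B and C match equally) are constructed to reproduce the table's rows and are not a real directory assistance database.

```python
"""Routing an LDAP add across directory assistance rules (added example).

Not Domino code. A naming rule is simplified to a DN suffix; the real
directory assistance rule syntax is richer, but the selection logic the
chapter describes (most specific rule, then the "Rules to follow..."
setting, then search order) is what this reproduces.
"""
from dataclasses import dataclass
from typing import List

DONT_MODIFY_ANY = "Don't modify any"      # default setting
MODIFY_FIRST_MATCH = "Modify first match"
MODIFY_ALL_MATCHES = "Modify all matches"


@dataclass(frozen=True)
class DirectoryRule:
    directory: str            # Domino Directory named in directory assistance
    search_order: int         # directory assistance search order (lower = earlier)
    rule: str                 # naming rule, modelled as a DN suffix (constructed)
    ldap_enabled: bool = True # directory is "enabled for LDAP clients"


def _normalize(dn: str) -> str:
    """Trim spaces around RDN separators and lowercase for comparison.

    Constructed DNs here contain no escaped commas, so a plain split suffices.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _matches(dn: str, rule: str) -> bool:
    """True when the rule is a suffix of the DN at an RDN boundary."""
    d, r = _normalize(dn), _normalize(rule)
    return d == r or d.endswith("," + r)


def most_specific_matches(dn: str, rules: List[DirectoryRule]) -> List[DirectoryRule]:
    """Directories whose rule matches `dn` most specifically, by search order.

    Only directories enabled for LDAP clients are considered; a longer
    matching suffix counts as more specific.
    """
    candidates = [r for r in rules if r.ldap_enabled and _matches(dn, r.rule)]
    if not candidates:
        return []
    best = max(len(_normalize(r.rule)) for r in candidates)
    return sorted((r for r in candidates if len(_normalize(r.rule)) == best),
                  key=lambda r: r.search_order)


def route_add(dn: str, rules: List[DirectoryRule], setting: str,
              primary: str) -> List[str]:
    """Return the directories that receive the add; raise LookupError on a conflict.

    No matching rule  -> the primary Domino Directory (chapter text).
    Exactly one match -> that directory, whatever the setting.
    Several matches   -> decided by the "Rules to follow..." setting.
    """
    matches = most_specific_matches(dn, rules)
    if not matches:
        return [primary]
    if len(matches) == 1:
        return [matches[0].directory]
    if setting == MODIFY_FIRST_MATCH:
        return [matches[0].directory]              # lowest search order wins
    if setting == MODIFY_ALL_MATCHES:
        return [m.directory for m in matches]
    # DONT_MODIFY_ANY: refuse the add so the duplicate rules can be investigated
    raise LookupError(f"{len(matches)} directories match {dn!r}: "
                      + ", ".join(m.directory for m in matches))


# Constructed configuration reproducing the chapter's example table. Domain B
# and Domain C carry equally specific rules on purpose, so that both match
# cn=John Ashby,ou=DomainC,o=Acme as the table states.
ACME_RULES = [
    DirectoryRule("Domain B", 1, "ou=DomainC,o=Acme"),
    DirectoryRule("Domain C", 2, "ou=DomainC,o=Acme"),
    DirectoryRule("Domain D", 3, "ou=DomainD,o=Acme"),
]

if __name__ == "__main__":
    for setting in (MODIFY_FIRST_MATCH, MODIFY_ALL_MATCHES, DONT_MODIFY_ANY):
        try:
            print(setting, "->", route_add("cn=John Ashby,ou=DomainC,o=Acme",
                                           ACME_RULES, setting, "Primary"))
        except LookupError as err:
            print(setting, "->", err)
```

The refusal under “Don’t modify any” is the safe default: an add that silently lands in two directories, or in whichever one happens to sort first, is hard to audit afterwards, so leaving the default in place until the overlapping rules are understood is the conservative choice.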
Customizing search processing to improve LDAP service
performance
To improve the performance of the LDAP service, you can choose
options to customize how the service processes searches. These settings
apply to all servers in a domain that run the LDAP service.
“Timeout” and “Maximum number of entries returned”
By default, the LDAP service takes as long as necessary to process
searches, and returns all entries it finds that match the search criteria.
If LDAP service performance is slow, consider using the “Timeout” and
“Maximum number of entries returned” fields on the LDAP tab of a
domain Configuration Settings document to set limits on the length of
searches and the number of entries returned. If the LDAP client that
sends a request also specifies limits, whichever setting is lower takes
precedence.
“Minimum characters for wildcard search”
Specify the minimum number of characters that users must place before
the first wildcard in a search filter when the wildcard is combined with a
substring. The default is 1 character. If you increase this value, users
must provide more specific substring search filters, and as a result, the
LDAP service searches fewer entries and processes the searches more
quickly. If LDAP service performance is slow, consider increasing the
minimum characters required for wildcard searches to 2.
If a filter begins with a wildcard followed by a substring, the LDAP
service removes the initial wildcard (unless “Minimum characters for
wildcard search” is set to 0), then uses what remains as the search filter.
For example, if the option is set to 2 and a user specifies the filter sn=*br*,
the LDAP service uses the filter br* to process the search. However, if a
user specifies the filter *b*, the LDAP service rejects the search request
because after the first wildcard is removed, b*, which is the remaining
search filter, contains only one character before the (now) first wildcard.
Note The “Minimum characters for wildcard search” option doesn’t
apply to search filters that use only a wildcard as a value, for example, a
search filter such as sn=* is always allowed. Because this kind of filter
searches only for the presence of an attribute, not for an attribute value, it
does not have the search performance implications associated with
wildcards in substring searches. To control the number of entries
returned as the result of a presence search filter, use the “Maximum
number of entries returned” option to set a maximum number of entries
that the LDAP service can return.
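The rewrite-then-check rule described above, as an added example for this chapter (not Domino code): the function strips an initial wildcard unless the option is 0, then counts the characters before the first remaining wildcard and compares them with the minimum, reproducing the chapter's `sn=*br*` and `*b*` cases. It assumes a filter is a single attribute=value assertion, optionally in parentheses, with `*` as the only wildcard; for a value that contains no wildcard once the initial one is removed (a case the chapter does not cover), the example treats the result as an equality filter the option does not govern, which is an assumption.

```python
"""'Minimum characters for wildcard search' applied to a filter (added example).

Not Domino code. Models the chapter's rule: an initial wildcard followed by
a substring is removed (unless the option is 0), and the remaining filter
must have at least `minimum` characters before its first wildcard.
Presence filters (attr=*) are always allowed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterDecision:
    accepted: bool
    effective_filter: str   # the filter the service would actually run
    reason: str


def apply_min_wildcard_chars(filter_str: str, minimum: int = 1) -> FilterDecision:
    """Decide whether `filter_str` is accepted under the given minimum."""
    text = filter_str.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]                       # assumption: one attr=value assertion
    if "=" not in text:
        return FilterDecision(False, text, "not an attr=value filter")
    attr, value = text.split("=", 1)
    attr = attr.strip()

    # Presence filter: tests only that the attribute exists; option does not apply.
    if value == "*":
        return FilterDecision(True, f"{attr}=*", "presence filter, option does not apply")

    # No wildcard at all: an equality filter; option does not apply.
    if "*" not in value:
        return FilterDecision(True, f"{attr}={value}", "equality filter, option does not apply")

    # Initial wildcard followed by a substring: drop it unless the option is 0.
    if value.startswith("*") and minimum > 0:
        value = value[1:]

    if "*" not in value:
        # Assumption (not covered by the chapter): nothing left for the option to govern.
        return FilterDecision(True, f"{attr}={value}", "no wildcard remains after rewrite")

    prefix = value.split("*", 1)[0]
    if len(prefix) < minimum:
        return FilterDecision(False, f"{attr}={value}",
                              f"{len(prefix)} character(s) before first wildcard, need {minimum}")
    return FilterDecision(True, f"{attr}={value}", "substring filter meets minimum")


if __name__ == "__main__":
    for f in ("sn=*br*", "sn=*b*", "sn=*", "cn=ab*cd", "cn=a*cd"):
        d = apply_min_wildcard_chars(f, minimum=2)
        print(f"{f:10} -> accepted={d.accepted} runs={d.effective_filter} ({d.reason})")
```

Raising the minimum from 1 to 2 is a cheap way to blunt enumeration-style substring searches as well as to improve performance, but as the note above says it does nothing for presence filters; pair it with “Maximum number of entries returned” if the concern is how much of the directory a single search can walk.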
Specifying settings to improve LDAP service search performance:
1. From the Domino Administrator, open a server that runs the LDAP
service, or open a server in the same domain as one that runs the
LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
If you see the prompt “Unable to locate a Server Configuration
document for this domain. Would you like to create one now?” click
Yes, then click the LDAP tab on the document.
If you do not see the prompt, click “Edit LDAP Settings.”
5. Change settings in any of these fields:
Field | Enter
Timeout | The maximum time, in seconds, allowed for LDAP client searches; default is 0. For example, specify 60.
Maximum number of entries returned | The maximum number of directory entries the LDAP service returns to LDAP clients as search results; default is 0, meaning that there is no limit. For example, specify 100.
Minimum characters for wildcard search | The minimum number of characters that must precede the first wildcard in a search filter when the wildcard is combined with a substring; default is 1.
Field | Enter
Inherit Default Accounts Settings from Parent | Select to inherit default account settings from parent.
Enforce Default Accounts Settings in Children | Select to enforce default account settings in children.
Account Names | A descriptive name for the LDAP service account; users see this name in the list of directories the client can search. If you specify more than one account, for example, an account for another Internet service, separate account names with commas (,).
Server Addresses | The host name of the server running the LDAP service, for example, ldap.acme.com.
Protocols | LDAP
Use SSL Connection | Yes to use SSL; otherwise, No.
Statistic | Description
Total LDAP Connections | Number of LDAP connections
Simple LDAP Connections | Number of LDAP connections using name-and-password authentication
Anonymous LDAP Connections | Number of anonymous LDAP connections
Strong Authentication Connections | Number of LDAP connections using X.509 client certificate authentication
Failed LDAP Connections | Number of LDAP connections that failed
Total LDAP Searches | Number of LDAP search requests processed
Longest LDAP Search time | Longest amount of time taken to successfully complete an LDAP search request that has been received so far. This statistic does not include LDAP searches that fail with any error.
Average LDAP Search time | Average amount of time taken to process LDAP search requests received so far. The value includes time taken to process search requests that fail, and so on occasion it may exceed the Longest LDAP Search time value.
Longest LDAP Search request | Longest amount of time to receive an LDAP search request
Total LDAP Modifies | Number of LDAP modify requests processed
Total LDAP Compares | Number of LDAP compare requests processed
Total LDAP Adds | Number of LDAP add requests processed
Total LDAP Deletes | Number of LDAP delete requests processed
Total LDAP ModifyDNs | Number of modifyDN requests processed
Total LDAP Extended Operations | Number of requests to extend the schema processed
Total LDAP Abandons | Number of abandon requests processed
Total LDAP Searches for Subschema | Number of requests to search the subschema processed
Total LDAP Searches for Root DSE | Number of requests to search the root DSE processed
Total LDAP Referrals returned | Number of referrals to remote LDAP directories returned
Total LDAP Searches on Domain Catalog | Number of requests to search the Domain Catalog processed
Total LDAP Search Entries Returned | Number of entries returned from search requests
Total LDAP Search time | Total time spent processing LDAP searches
Server.Running | Shows whether the LDAP service is running
Statistic | Description
Sessions.Inbound.Accept.Queue | Number of new connections waiting to be serviced by threadpool
Sessions.Inbound.Active | Number of currently running inbound TCP/SSL connections
Sessions.Inbound.Active.SSL | Number of currently running inbound SSL connections
Sessions.Inbound.BytesReceived | Number of bytes received by all inbound TCP/SSL connections
Sessions.Inbound.BytesSent | Number of bytes sent by all inbound TCP/SSL connections
Sessions.Inbound.Peak | Maximum number of concurrent inbound TCP/SSL connections
Sessions.Inbound.Peak.SSL | Peak number of concurrent inbound SSL connections
Sessions.Inbound.Total | Number of all TCP/SSL inbound connections since server started
Sessions.Inbound.Total.SSL | Number of all SSL inbound connections since server started
Sessions.Inbound.Total.SSL.Bad_Handshake | Total number of failed inbound SSL handshakes since server started
Sessions.Outbound.Active | Number of currently running outbound TCP/SSL connections
Sessions.Outbound.Active.SSL | Number of currently running outbound SSL connections
Sessions.Outbound.BytesReceived | Number of bytes received by all outbound TCP/SSL connections
Sessions.Outbound.BytesSent | Number of bytes sent by all outbound TCP/SSL connections
Sessions.Outbound.Peak | Maximum number of concurrent outbound TCP/SSL connections
Sessions.Outbound.Peak.SSL | Maximum number of concurrent outbound SSL connections
Sessions.Outbound.Total | Number of all TCP outbound connections since server started
Sessions.Outbound.Total.SSL | Number of all SSL outbound connections since server started
Sessions.Outbound.Total.SSL.Bad_Handshake | Total number of failed outbound SSL handshakes since server started
Sessions.Threads.Busy | Total number of running threads servicing network IO requests
Sessions.Threads.Idle | Total number of idle threads waiting to service network IO requests
Sessions.Threads.InThreadPool | Current number of threads in threadpool
Sessions.Threads.Peak | Peak number of threads in threadpool
Setting | Description
DisableLDAPOnAdmin | Disables the LDAP service for a domain
LDAPBatchAdds | To speed processing of batch LDAP adds to the Domino Directory, specifies that the LDAP service immediately updates only the ($LDAPRDNHier) view to reflect the changes
LDAPConfigUpdateInterval | Specifies how often the LDAP service checks for and puts into effect changes to its configuration settings
LDAPGroupMembership | Controls how the LDAP service responds to searches of Domino “Mail only” groups and to searches of groups without a GroupType attribute value
LDAPNotesPort | Specifies the name of the Notes network for TCP/IP used by the LDAP service on a partitioned server or by the LDAP service on a single server that uses more than one Notes port for TCP/IP
LDAPPre55Outlook | When the LDAP service receives a search query that specifies country (c=xx) as a search base, specifies that it convert the search base to root (“”) to accommodate pre 5.5 Microsoft Outlook Express client behavior
Schema_Daemon_Breaktime | Specifies how often (in seconds) the schema daemon checks the status of the LDAP task to see if it should shut down
Schema_Daemon_Idletime | Specifies how long (in minutes) the schema daemon spawned by the LDAP service remains idle after it finishes its tasks
Schema_Daemon_Reloadtime | Specifies how often (in hours) the schema daemon spawned by the LDAP service on the Domino Directory administration server loads schema changes made using Domino Directory forms into memory
Schema_Daemon_Resynctime | Specifies how often (in hours) the schema daemon spawned by the LDAP service on the Domino Directory administration server updates the Domino LDAP Schema database when its in-memory schema differs from the schema published in the Schema database
RFC | Description
2079 | Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers
2222 | Simple Authentication & Security Layer (SASL)
2251 | Lightweight Directory Access Protocol (v3)
2252 | Lightweight Directory Access Protocol (v3) Attribute Syntax Definitions
2253 | Lightweight Directory Access Protocol (v3) UTF-8 String Representation of Distinguished Names
2254 | The String Representation of LDAP Search Filters
2255 | The LDAP URL Format
2256 | A Summary of the X.500 (96) User Schema for use with LDAPv3
2596 | Use of Language Codes in LDAP
2798 | Definition of the inetOrgPerson LDAP Object Class
Chapter 21
Managing the LDAP Schema
This chapter defines the term LDAP schema and provides information
about the Domino LDAP schema and how to extend it.
LDAP schema
A directory entry contains information about a particular entity, for
example, a person or a group, and is associated with a distinguished
name. An LDAP schema is a set of rules that define what can be stored as
entries in an LDAP directory. Each LDAP directory has a default schema,
which organizations can customize, or “extend,” by adding elements to it.
The elements of a schema are attributes, syntaxes, and object classes.
LDAP directory servers provide the ability to enforce the schema to
ensure that directory changes made using LDAP operations conform to it.
Attributes
An attribute defines a piece of information that directory entries contain.
For example, some common attributes for entries related to people are cn
(common name), telephoneNumber, and userPassword.
An attribute is either mandatory or optional for a particular type of
entry. When an attribute is mandatory and directory administrators use
schema-checking to enforce the schema, administrators must provide a
value for the attribute when they add or modify the entries using LDAP
operations. An attribute can be defined to allow multiple values.
Multiple types of directory entries can use the same attribute.
Object classes
An object class defines a set of attributes for a type of directory entry.
Two or more object classes in an object class hierarchy define the
attributes for a type of entry. An object class inherits attributes from all
object classes above it in the hierarchy and then adds attributes of its
own; for example:
Object class 1: adds attribute A
Object class 2: inherits A; adds B, C, D
Object class 3: inherits A, B, C, D; adds E, F
There are three types of object classes: abstract, structural, and auxiliary.
Abstract object classes
An abstract object class defines an attribute or set of attributes that all
object classes in an object class structure inherit. Every object class
structure must have an abstract object class as the top-level object class.
A default LDAP schema typically uses the abstract object class top. top
includes only one attribute, objectClass, which defines an object class for
each entry in the directory.
Structural object classes
A structural object class defines a type of entry in an LDAP directory.
Examples of standard LDAP structural object classes are person,
organizationalPerson, and inetOrgPerson. An object class structure must
include at least one structural object class.
Auxiliary object classes
An auxiliary object class adds attributes to another object class, usually a
structural object class. An auxiliary object class is useful for defining a set
of attributes used by multiple object classes. An auxiliary object class
usually inherits from the abstract object class top. Object classes can’t
inherit attributes from an auxiliary object class. Instead, you must add an
auxiliary object class to each object class that uses it.
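Resolving what an entry may and must contain from its object class hierarchy, and then enforcing that on an add the way schema checking does, is the operation the sections above describe. The code below is an added example for this chapter, not Domino code and not the Domino LDAP schema: it uses a constructed, simplified schema in which `top` carries `objectClass`, `person` requires `sn` and `cn` as in RFC 2256, the auxiliary class `labeledURIObject` comes from RFC 2079, and the remaining MAY lists (including the `dominoPerson` attributes) are illustrative only. It also shows the chapter's point that auxiliary classes are attached to an entry rather than inherited from.

```python
"""Object class inheritance and schema checking (added example; not Domino code).

SCHEMA is a constructed subset: 'top' (abstract) carries objectClass,
'person' requires sn and cn (RFC 2256), labeledURIObject is the auxiliary
class from RFC 2079, and the other MAY lists are illustrative, not the
real Domino LDAP schema.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class ObjectClass:
    name: str
    kind: str                          # "abstract", "structural" or "auxiliary"
    superior: Optional[str] = None     # parent in the hierarchy (None for top)
    must: Set[str] = field(default_factory=set)
    may: Set[str] = field(default_factory=set)


SCHEMA: Dict[str, ObjectClass] = {oc.name: oc for oc in [
    ObjectClass("top", "abstract", None, must={"objectClass"}),
    ObjectClass("person", "structural", "top", must={"sn", "cn"},
                may={"userPassword", "telephoneNumber"}),
    ObjectClass("organizationalPerson", "structural", "person",
                may={"title", "ou", "l"}),
    ObjectClass("inetOrgPerson", "structural", "organizationalPerson",
                may={"mail", "uid", "employeeNumber"}),
    ObjectClass("dominoPerson", "structural", "inetOrgPerson",
                may={"mailDomain", "shortName"}),          # illustrative only
    ObjectClass("labeledURIObject", "auxiliary", "top", may={"labeledURI"}),
]}


def chain(name: str) -> List[ObjectClass]:
    """Object classes from `name` up to the abstract root, most specific first."""
    out, cur = [], name
    while cur is not None:
        oc = SCHEMA.get(cur)
        if oc is None:
            raise KeyError(f"unknown object class {cur!r}")
        out.append(oc)
        cur = oc.superior
    return out


def resolve(structural: str, auxiliaries: Iterable[str] = ()) -> Dict[str, Set[str]]:
    """MUST/MAY attribute sets for an entry of `structural` plus auxiliary classes.

    Auxiliary classes cannot be inherited from, so they are attached to the
    entry explicitly here rather than placed in the structural chain.
    """
    classes = chain(structural)
    if classes[0].kind != "structural":
        raise ValueError(f"{structural} is not a structural object class")
    if classes[-1].kind != "abstract":
        raise ValueError("an object class structure must end in an abstract class")
    for aux in auxiliaries:
        if SCHEMA[aux].kind != "auxiliary":
            raise ValueError(f"{aux} is not an auxiliary object class")
        classes.extend(chain(aux))
    must: Set[str] = set()
    may: Set[str] = set()
    for oc in classes:
        must |= oc.must
        may |= oc.may
    return {"must": must, "may": may - must}


def check_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Schema-check an entry (attribute -> values) as an LDAP add; list violations.

    Attribute names are compared case-sensitively here for brevity; a real
    server matches them case-insensitively.
    """
    classes = entry.get("objectClass", [])
    structural = [c for c in classes if c in SCHEMA and SCHEMA[c].kind == "structural"]
    if not structural:
        return ["entry has no structural object class"]
    leaf = max(structural, key=lambda c: len(chain(c)))   # deepest structural class
    aux = [c for c in classes if c in SCHEMA and SCHEMA[c].kind == "auxiliary"]
    rules = resolve(leaf, aux)
    problems = [f"missing mandatory attribute {a}" for a in sorted(rules["must"])
                if not entry.get(a)]
    allowed = rules["must"] | rules["may"]
    problems += [f"attribute {a} not allowed by object classes" for a in entry
                 if a not in allowed]
    return problems


if __name__ == "__main__":
    print(sorted(resolve("dominoPerson")["must"]))
    print(check_entry({"objectClass": ["person"], "cn": ["Kate Power"]}))
```

Mapped to the chapter's terms, `resolve("dominoPerson")` walks the same chain the chapter lists for the Person form (top, person, organizationalPerson, inetOrgPerson, dominoPerson), and `check_entry` is what enabling schema checking buys you: an add that omits a mandatory attribute or carries one no object class defines is rejected instead of being stored.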
Syntaxes
A syntax defines the data format in which an attribute value is stored.
Directory String, Integer, and JPEG are examples of standard LDAP
syntaxes.
The Domino LDAP schema
The default Domino LDAP schema includes:
Domino-specific schema elements defined by the default forms in the
Domino Directory
All LDAP-standard schema elements defined in RFCs 2252, 2256,
2798, 2247, and 2739. The LDAP service uses the file
LSCHEMA.LDIF to build these elements in the default schema.
You can extend the schema to add custom schema elements that your
organization needs.
To see detailed information about the Domino LDAP schema, open the
Domino LDAP Schema database (SCHEMA.NSF) on any server that runs
the LDAP service.
For information relating to upgrading the LDAP schema, see the Upgrade
Guide.
How an LDAP object class relates to a Domino form
An LDAP object class is similar to a form in the Domino Directory, in
that each defines a set of information for a directory entry. A Domino-specific
object class — whose name usually begins with domino — always
maps to a form in the Domino Directory. For example, the object class
dominoPerson maps to the form Person, and the object class dominoGroup
maps to the form Group.
An object class that is not specific to Domino, for example a standard
LDAP object class defined in the LSCHEMA.LDIF file, maps to a
form only if you create such a form. For example, the object class
residentialPerson is part of the default Domino LDAP schema, but it has
no corresponding form in the Domino Directory. Therefore, by default
you can use only LDAP operations to add, search, and modify
residentialPerson entries. To give Notes and Web users access to these
entries, you must create a corresponding form following a specific
procedure. If you create a corresponding form, residentialPerson entries
are created as documents that are visible to Notes and Web users.
For instructions on creating a form in the Domino Directory that
corresponds to an object class, see the appendix “Customizing the
Domino Directory.”
Domino forms that are not defined as object classes in the default
Domino LDAP schema
The following forms in the Domino Directory are not defined as object
classes in the schema because their designs do not include a field that
defines a distinguished name:
CrossCertificate
Location
Server\Configuration Settings
Server\Connection
Server\Holiday
Server\Domain
Server\User Setup Profile
Managing the LDAP Schema 21-3
Directory Services
How an LDAP attribute relates to a Domino field
An LDAP attribute is similar to a field in the Domino Directory in that
each defines a piece of information about a directory entry. An LDAP
attribute defined for a Domino-specific object class always maps to a
field in a form in the Domino Directory. The name of the attribute and
the name of the field may not be identical. This difference occurs when a
preexisting field in Domino has a purpose similar to an LDAP-standard
attribute. For example, the LDAP attribute uid maps to the Domino field
ShortName.
By default, an attribute that is not Domino-specific does not map to a
visible field in the Domino Directory.
LDAP-standard attributes on Domino forms
If a Domino object class inherits from an LDAP-standard object class, the
fields that represent the inherited attributes may be hidden in the
Domino Directory document. For example, the dominoPerson object class
inherits the attribute employeeNumber from the LDAP-standard object
class inetOrgPerson. However, the field employee number is only
apparent when you select a Person document, choose Edit - Properties,
and select the second tab in the Document properties box to see a listing
of all the fields. You can add the field to the $PersonInheritableSchema
subform to make the field visible.
How an LDAP syntax relates to a field type
There are some syntaxes in the default Domino LDAP schema that map
to Domino field types. For example, the LDAP syntax Integer maps to the
field type Number. To see whether a syntax maps to a Domino field, find
the document for the syntax in the Schema database (SCHEMA.NSF),
and compare the LDAP name field to the Notes mapping field.
Object class hierarchy for dominoPerson object class
The dominoPerson object class, which maps to the Person form in the
Domino Directory, is part of this object class hierarchy:
top
  person
    organizationalPerson
      inetOrgPerson
        dominoPerson
21-4 Administering the Domino System, Volume 1
Object class hierarchy for dominoGroup object class
The dominoGroup object class, which maps to the Group form in the
Domino Directory, is part of this object class hierarchy:
top
  groupOfNames
    dominoGroup
The schema daemon
When the LDAP service runs on a server, it spawns a schema daemon
that runs at regular intervals. The schema daemon running on the
administration server for the Domino Directory implements schema
changes and propagates the changes to other (subordinate) servers in the
domain that run the LDAP service. The schema daemon running on each
subordinate server updates its LDAP service with the schema changes
propagated from the administration server. The Domino LDAP Schema
database (SCHEMA.NSF) is the vehicle for propagating the schema
changes.
The schema daemon ensures that each LDAP service running in the
domain uses a schema that is up-to-date and consistent across servers.
The schema daemon runs when the LDAP service first starts, and then
after that at 15-minute intervals by default.
For information on NOTES.INI settings that are available to control the
schema daemon, see the topic “NOTES.INI settings related to the schema
daemon” later in this chapter.
The LDAP service runs by default on the administration server for the
Domino Directory. The schema daemon spawned by the LDAP service
on the administration server does the following to maintain the schema
for the domain:
1. Creates the Domino LDAP Schema database (SCHEMA.NSF) from
the SCHEMA.NTF template (the first time the schema daemon runs
in this release, and subsequently if the Schema database is ever
deleted).
Note Be sure the administration server for the Domino Directory is
the first server in the domain you upgrade to Lotus Domino 6 so that
it is the server that first creates the Schema database.
2. Builds the schema for the domain into memory by loading information from the following files:
• LDAP-standard schema elements from the local LSCHEMA.LDIF file — these elements do not change.
• Forms and fields from the primary Domino Directory, which supply the Domino-specific schema elements, and optionally, extended schema elements added as forms and fields. For performance reasons, this step is done only once every 24 hours by default. You can use the NOTES.INI setting Schema_Daemon_Reloadtime to change the default interval.
• Schema elements from the Extended Documents view of its local Domino LDAP Schema database.
Note If the schema daemon finds the same schema element defined
in more than one of these files, it uses this order of precedence to
determine which definition to use: 1) LSCHEMA.LDIF, 2) Domino
Directory, 3) Schema database.
3. The first time it runs, publishes the schema in memory to disk in the
All Schema Documents view of the Schema database. Subsequently,
it compares its in-memory schema to the on-disk schema published
in the Schema database, and if the two schemas are different, the
daemon updates the All Schema Documents view of the Schema
database with the more recent in-memory schema. For performance
reasons, this step is done only once every 24 hours by default. You
can use the NOTES.INI setting Schema_Daemon_Resynctime to
change the default interval.
4. Replicates its local Schema database with replicas on subordinate
servers that run the LDAP service if the contents of the two replicas
are different. This replication occurs without the use of Connection
documents immediately after step 3 is complete. If a subordinate
server does not yet have a local replica of the Schema database, the
schema daemon on the administration server creates one on the
subordinate server.
The schema daemon on each subordinate server in the domain that runs
the LDAP service does the following:
1. Replicates information from the replica of the Schema database on
the administration server for the Domino Directory to its local
Schema database if the two replicas are different.
If the subordinate server doesn’t yet have a local replica of the
Schema database and the administration server is running, it pulls a
replica from the administration server. If the administration server is
unavailable, the subordinate server uses a local LSCHEMA.LDIF file
and Domino Directory forms to determine the schema until the
administration server is available.
2. The first time it runs, loads the schema published on disk in the All
Schema Documents view of its local Schema database into memory.
Subsequently, it compares its in-memory schema to the on-disk
schema published in its local Schema database. If the two are
different, updates its in-memory schema with the more recent
schema published in the local Schema database.
Tip Use the server command Tell LDAP ReloadSchema to manually
initiate the steps described above.
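The precedence rule in step 2 and the publish check in step 3 are the two places where a schema extension can quietly fail to take effect: a definition added through the Schema database is shadowed by a same-named element in LSCHEMA.LDIF or in a Domino Directory form. The following Python model is an added example, not Domino code or code from this manual. It merges three constructed sources in the order the chapter states and reports every definition that lost; the element definitions and the acmeBadgeId attribute are made up for the illustration.

```python
"""Schema daemon source merge with shadowing made visible (added example, not Domino code).

Precedence is the one stated in the chapter: LSCHEMA.LDIF, then the Domino
Directory forms and fields, then the Schema database. The definitions below
are constructed so that the merge has something to shadow.
"""
from typing import Dict, List, Tuple

SOURCE_ORDER = ("LSCHEMA.LDIF", "Domino Directory", "Schema database")

# Constructed sources: element name -> definition (a dict of properties).
SOURCES: Dict[str, Dict[str, dict]] = {
    "LSCHEMA.LDIF": {
        "cn": {"syntax": "DirectoryString", "single-valued": False},
        "employeeNumber": {"syntax": "DirectoryString", "single-valued": True},
    },
    "Domino Directory": {
        "employeeNumber": {"syntax": "DirectoryString", "single-valued": False},  # shadowed
        "dominoPerson": {"superior": "inetOrgPerson"},
    },
    "Schema database": {
        "cn": {"syntax": "DirectoryString", "single-valued": True},   # shadowed: never applied
        "acmeBadgeId": {"syntax": "Integer", "single-valued": True},  # constructed extension
    },
}


def build_schema(sources=SOURCES, order=SOURCE_ORDER) -> Tuple[dict, List[Tuple[str, str, str]]]:
    """Merge the sources; the first definition in precedence order wins.

    Returns (schema, shadowed). Each shadowed entry is (element, losing source,
    winning source), which is the answer to "why did my extension not take effect".
    """
    schema, origin, shadowed = {}, {}, []
    for src in order:
        for name, definition in sources.get(src, {}).items():
            if name in schema:
                shadowed.append((name, src, origin[name]))
            else:
                schema[name], origin[name] = definition, src
    return schema, shadowed


def needs_publish(in_memory: dict, on_disk: dict) -> List[str]:
    """Step 3 of the daemon: elements whose in-memory definition differs from the
    copy published in the All Schema Documents view, or is missing from it."""
    return sorted(name for name, d in in_memory.items() if on_disk.get(name) != d)


if __name__ == "__main__":
    merged, lost = build_schema()
    for element, loser, winner in lost:
        print(f"{element}: definition in {loser} is shadowed by {winner}")
    print("to publish:", needs_publish(merged, {}))
```

Reversing the order in `build_schema(order=...)` shows why the precedence matters: the same three sources then yield a single-valued cn, which is the kind of change that would surprise every LDAP client in the domain.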
Field: Action
LDAP name: Enter a name for the attribute. The name can contain only ASCII characters and hyphens. Do not include a space in the name.
OID: Enter the object identifier.
Syntax name: Select a syntax defined in the schema for the new attribute, then click OK. The Syntax type field automatically displays the OID for the selected syntax.
Description: (Optional) Enter a description for the attribute.
Equality match: (Optional) Select a matching rule to apply when the equality operator is used to search for this attribute.
Ordering match: (Optional) Select a matching rule to apply when an ordering operator is used to search for this attribute.
Substrings match: (Optional) Select a matching rule to apply when a substring operator is used to search for this attribute.
Single valued: Choose one: • Yes to allow more than one value for the attribute (default) • No to allow only one value
5. Click Save & Close. A draft document for the new attribute appears
in the Draft Documents - Draft Attribute Types view.
6. Complete the procedure “Approving draft schema documents in the
Schema database.”
Using the Schema database to add an object class to the schema
You can use the Domino LDAP Schema database (SCHEMA.NSF) to add
an object class to the schema.
1. Make sure you have Manager access to the Schema database.
2. Open the Schema database on any server in the domain that runs the
LDAP service.
3. Select the All Schema Documents view, then click New Document -
Add Object Class.
4. Complete these fields on the Basics tab:
Field: Action
LDAP name: Enter a name for the object class.
OID: Enter the object identifier.
Object Class Type: Select the type of object class.
Superior Object Class: (Optional) Select the object class that is immediately superior to this one in the object class structure.
Auxiliary Object Classes: (Optional) If this is a structural object class, select each auxiliary object class to use with this object class.
Description: (Optional) Enter a description for the object class.
Mandatory attributes: Select the attributes that are required to have values. You can’t remove mandatory attributes displayed that are inherited from a superior object class.
Optional Attributes: Select any attributes that may, but are not required to, have values. You can’t remove optional attributes displayed that are inherited from a superior object class.
5. Click Save & Close. A draft document for the new object class
appears in the Draft Documents - Draft Object Classes view.
6. Complete the procedure “Approving draft schema documents in the
Schema database.”
Field: Action
LDAP name: Enter a name for the syntax type.
OID: Enter the object identifier.
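The dominoPerson and dominoGroup hierarchies shown earlier and the rule in the object class table that inherited mandatory attributes cannot be removed both come down to how MUST and MAY attributes accumulate along the superior chain. The Python model below is an added example, not Domino code or code from this manual. It uses the RFC 2256 and RFC 2798 attribute lists for the standard classes, treats the Domino-specific classes as adding no attributes of their own (a simplification made here), and validates a constructed entry the way a server does before accepting an add.

```python
"""Object class inheritance modelled in Python (added example, not Domino code).

Hierarchies are those shown in the chapter. MUST/MAY lists for the standard
classes follow RFC 2256 (person, organizationalPerson, groupOfNames) and
RFC 2798 (inetOrgPerson); dominoPerson and dominoGroup are modelled as adding
no attributes of their own, which is a simplification of this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ObjectClass:
    name: str
    superior: Optional[str]                 # immediately superior class; None for top
    must: FrozenSet[str] = frozenset()      # attributes this class itself declares mandatory
    may: FrozenSet[str] = frozenset()       # attributes this class itself declares optional


SCHEMA: Dict[str, ObjectClass] = {oc.name: oc for oc in (
    ObjectClass("top", None, must=frozenset({"objectClass"})),
    ObjectClass("person", "top",
                must=frozenset({"sn", "cn"}),
                may=frozenset({"userPassword", "telephoneNumber", "seeAlso", "description"})),
    ObjectClass("organizationalPerson", "person",
                may=frozenset({"title", "ou", "l", "st", "postalCode", "postalAddress"})),
    ObjectClass("inetOrgPerson", "organizationalPerson",
                may=frozenset({"uid", "mail", "givenName", "displayName", "employeeNumber"})),
    ObjectClass("dominoPerson", "inetOrgPerson"),     # simplification: nothing added here
    ObjectClass("groupOfNames", "top",
                must=frozenset({"cn", "member"}),
                may=frozenset({"owner", "description", "businessCategory", "seeAlso"})),
    ObjectClass("dominoGroup", "groupOfNames"),       # simplification: nothing added here
)}


def chain(name: str) -> List[str]:
    """Superior chain from top down to `name`; KeyError for a class not in the schema."""
    out = []
    while name is not None:
        out.append(name)
        name = SCHEMA[name].superior
    return out[::-1]


def effective_attributes(name: str) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """MUST and MAY sets after inheritance.

    MUST only ever grows down the chain, which is why a subclass cannot drop a
    mandatory attribute inherited from a superior class; an attribute that is
    MAY in one class and MUST in another ends up mandatory."""
    must, may = set(), set()
    for cls in chain(name):
        must |= SCHEMA[cls].must
        may |= SCHEMA[cls].may
    return frozenset(must), frozenset(may - must)


def validate_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Problems a server would report before accepting this entry.

    Attribute names compare case-insensitively, as in LDAP. Every class named in
    objectClass contributes: an attribute is allowed if any of them permits it
    and mandatory if any of them requires it."""
    classes = entry.get("objectClass") or []
    if not classes:
        return ["entry has no objectClass"]
    must, may = set(), set()
    for cls in classes:
        m, o = effective_attributes(cls)
        must |= m
        may |= o
    present = {a.lower() for a, v in entry.items() if v}
    problems = [f"missing mandatory attribute {a}" for a in sorted(must)
                if a.lower() not in present]
    allowed = {a.lower() for a in must | may}
    problems += [f"attribute {a} not allowed by {', '.join(classes)}"
                 for a in sorted(entry) if a.lower() in present and a.lower() not in allowed]
    return problems


if __name__ == "__main__":
    print(" > ".join(chain("dominoPerson")))
    # Constructed entry: a dominoPerson that omits the sn inherited from person.
    for problem in validate_entry({"objectClass": chain("dominoPerson"),
                                   "cn": ["John Doe"], "mail": ["jdoe@example.invalid"]}):
        print(problem)
```

The check that matters for the Schema database procedure is the second one: when you define a class whose superior is inetOrgPerson, sn and cn arrive as mandatory whether or not they appear in your own Mandatory attributes list, and an entry without them is rejected.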
Chapter 22
Using the ldapsearch Utility
This chapter describes how to use the ldapsearch utility to search an
LDAP directory.
Using the ldapsearch utility to search LDAP directories
Domino and Notes provide a command-line search utility,
LDAPSEARCH.EXE, that you use to search entries in any LDAP
directory. ldapsearch connects to a directory server and returns results
that match search criteria you specify.
ldapsearch is available on Domino server and Notes client platforms.
Note To use this tool, the NOTES.INI file must be included in your
system’s path statement.
To use ldapsearch, enter the following command from the Domino or
Notes program directory:
ldapsearch parameters searchfilter attributes
Where:
• parameters are case-sensitive command-line parameters.
• searchfilter is a required search filter that specifies the attributes for which to search.
• attributes are the attributes to return. Separate attributes with spaces. If you don’t specify one or more attributes to return, ldapsearch returns all attributes from entries that match the search filter.
You do not have to use ldapsearch from a machine that runs the Domino
LDAP service.
Note If you have a local condensed Directory Catalog that is encrypted,
to run ldapsearch from the Notes program directory, you must specify
the password associated with the Notes ID used to do the encryption.
NOTES.INI settings related to the schema daemon
The following table contains the NOTES.INI settings that pertain to the
schema daemon.
For more information on these settings, see the “NOTES.INI File”
appendix.
Table of ldapsearch parameters
The following table describes the case-sensitive parameters you can use
with ldapsearch.
Parameter: Use to
-?: Print help on using ldapsearch.
-a deref: Specify alias de-referencing. Enter never, always, search, or find. Never is the default if you don’t use this parameter.
-A: Retrieve only attribute names, not the values for the attributes.
-b base dn: Specify a distinguished name to use as the starting point for beginning the search. Use quotation marks to specify the value — for example: “ou=West,o=Acme,c=US”. You must use this parameter if the server you’re searching requires you to specify a search base. Otherwise, it is optional. Optionally use -s along with -b to determine the scope of the search. Without -s, -b searches the entry specified as the starting point and all descendants of the entry.
-B: Allow printing of non-ASCII values.
-D bind dn: Specify a distinguished name that the server uses to authenticate you. The name must correspond to an entry in the directory and must have the necessary access to search the directory. Specify the name in quotation marks — for example: “cn=Directory Manager,o=Acme,c=US”. If you don’t use this parameter, the connection to the server occurs anonymously. You must use -D if the server doesn’t allow anonymous connections. Along with -D, you must use the -w parameter to specify a password associated with the distinguished name.
-f file: Specify a file that contains search filters to use — for example, -f filters. Place each search filter on a separate line. ldapsearch performs one search for each line. Optionally specify a filter pattern. For example, specify -f filters “cn=%s” and enter a common name value on each line in the file.
-F sep: Print sep rather than equal sign (=) between attribute names and values. Use this parameter, for example, if a tool that reads the ldapsearch output expects a different separator.
-h host name: Specify the host name of the server to which you’re connecting — for example, -h server.acme.com.
-l timelimit: Specify a time limit (in seconds) for the search to complete. If you do not specify this parameter or if you specify a limit of 0, searches can take an unlimited amount of time. ldapsearch never waits longer than a search time limit set on the server, however.
-L: Specify that the output is in LDIF format. LDIF format uses a colon (:) as the attribute delineator rather than an equal sign (=). LDIF is useful for adding or modifying many directory entries at once. For example, you can import the contents of the output into an LDAP-compliant directory.
-M: Manage referral objects as normal entries so that ldapsearch returns attributes for the referral entries themselves, rather than for the entries referred to.
-n: Show how a search would be performed, but do not actually perform the search.
-p port: Specify the port that the server uses. If you don’t use this parameter, ldapsearch uses port 389.
-R: Do not automatically follow search references returned by the server. Note that a Netscape Directory server uses the term referrals for search references.
-s scope: Specify the scope of the search when you use the -b parameter: • base — to search only the entry specified with the -b parameter • onelevel — to search only the immediate children of the entry specified with the -b parameter but not the entry itself • subtree — to search the entry specified with the -b parameter and all of its descendants. This is the default behavior when you use -b without -s. The order in which you specify -b and -s is unimportant.
-S attribute: Sort the results by a specified attribute.
-z sizelimit: Specify the maximum number of entries to return. If you don’t specify this parameter or if you specify a limit of 0, an unlimited number of entries are returned. ldapsearch never returns more entries than the server allows, however.
-u: Specify that ldapsearch return distinguished names in a user-friendly format.
-v: Specify that ldapsearch run in verbose mode.
-w password: Specify the password associated with a distinguished name used with the -D parameter.
-x: Use with -S to specify that the LDAP server sorts the results before returning them. If you use -S without -x, ldapsearch sorts the results.
Search: All entries on host ldap.acme.com using port 389, and return all attributes and values
Command: ldapsearch -h ldap.acme.com "objectClass=*"

Search: Same as above, but return only attribute names
Command: ldapsearch -A -h ldap.acme.com "objectClass=*"

Search: All entries on host ldap.acme.com using port 389, return all attributes, and de-reference any aliases found
Command: ldapsearch -a always -h ldap.acme.com "objectClass=*"

Search: All entries on host ldap.acme.com using port 389, and return attributes mail, cn, sn, givenname
Command: ldapsearch -h ldap.acme.com "objectClass=*" mail cn sn givenname

Search: (cn=Mike*) under base “ou=West,o=Acme,c=US” on host ldap.acme.com using port 389, and return all attributes and values
Command: ldapsearch -b "ou=West,o=Acme,c=US" -h ldap.acme.com "(cn=Mike*)"

Search: One level on host ldap.acme.com using port 389, and return all attributes and values
Command: ldapsearch -s onelevel -h ldap.acme.com "objectClass=*"

Search: Same as above, but limit scope to base
Command: ldapsearch -s base -h ldap.acme.com "objectClass=*"

Search: All entries on host ldap.acme.com using port 389; return all attributes and values; do not exceed the time limit of five seconds
Command: ldapsearch -l 5 -h ldap.acme.com "objectClass=*"

Search: All entries on host ldap.acme.com using port 389; return all attributes and values; do not exceed the size limit of five
Command: ldapsearch -z 5 -h ldap.acme.com "objectClass=*"

Search: All entries on host ldap.acme.com using port 389, binding as user “cn=John Doe,o=Acme” with a password of “password”, and return all attributes and values in LDIF format
Command: ldapsearch -h ldap.acme.com -D "cn=john doe,o=acme" -w password -L "objectClass=*"

Search: Search the host ldap.acme.com using port 389. All attributes that anonymous are allowed to see are returned for the entry “cn=John Doe,o=Acme”
Command: ldapsearch -h ldap.acme.com -s base -b "cn=john doe,o=acme" "objectClass=*"

Search: All entries on a different host, bluepages.ibm.com, which is configured to listen for LDAP requests on port 391
Command: ldapsearch -h bluepages.ibm.com -p 391 "objectClass=*"

Search: Search bluepages.ibm.com on port 391. Doing a subtree search (default) starting in the organization “o=ibm” for any object type of Person who also has an attribute that matches any one of the attributes found in the OR filter. There is a timeout value of 300 seconds and the maximum number of entries to return is set to 1000. And only the DN (default) and CN will be returned. (This is a common filter for Web applications).
Command: ldapsearch -h bluepages.ibm.com -p 391 -b "o=ibm" -l 300 -z 1000 "(&(objectclass=Person)(|(cn=jerry seinfeld*)(givenname=jerry seinfeld*)(sn=jerry seinfeld*)(mail=jerry seinfeld*)))" cn

Search: Search bluepages.ibm.com on port 391 starting at the base entry “cn=HR Group,ou=Asia,o=IBM” with a time limit of 300 seconds and asking for all the members of this entry. (Another common filter in Web applications to determine group membership).
Command: ldapsearch -h bluepages.ibm.com -p 391 -b "cn=HR Group,ou=Asia,o=IBM" -s base -l 300 "(objectclass=*)" member
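The filters in the table above, in particular the AND/OR filter used against bluepages.ibm.com, are easier to reason about with something that parses and evaluates them. The Python below is an added example, not the ldapsearch utility or any Domino code. It parses the filter syntax used on this page, applies it to a small constructed in-memory directory, and models the effect of -b, -s and -z so scope and size-limit behaviour can be observed without a directory server. All entries, DNs and mail addresses in it are made up.

```python
"""LDAP filter evaluator with -b/-s/-z semantics (added example, not Domino code).

Supports the grammar used in this chapter: AND, OR, NOT, equality with '*'
wildcards, presence (attr=*), >= and <=. Extensible and approximate matches
are not handled. Every DN, name and address below is made up.
"""
import re

# Constructed directory: DN -> attributes. Attribute names are stored in lower
# case because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "o=ibm": {"objectclass": ["top", "organization"], "o": ["ibm"]},
    "ou=Asia,o=ibm": {"objectclass": ["top", "organizationalUnit"], "ou": ["Asia"]},
    "cn=Jerry Seinfeld,ou=Asia,o=ibm": {
        "objectclass": ["top", "person", "inetOrgPerson"], "cn": ["Jerry Seinfeld"],
        "sn": ["Seinfeld"], "givenname": ["Jerry"], "mail": ["jerry.seinfeld@example.invalid"]},
    "cn=Jerry Lewis,ou=Asia,o=ibm": {
        "objectclass": ["top", "person", "inetOrgPerson"], "cn": ["Jerry Lewis"],
        "sn": ["Lewis"], "givenname": ["Jerry"], "mail": ["jerry.lewis@example.invalid"]},
    "cn=HR Group,ou=Asia,o=ibm": {
        "objectclass": ["top", "groupOfNames"], "cn": ["HR Group"],
        "member": ["cn=Jerry Seinfeld,ou=Asia,o=ibm"]},
}
_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(>=|<=|=)(.*)", re.S)


def parse_filter(text):
    """Tree of ('&'|'|', kids), ('!', kid) or ('item', attr, op, pattern); ValueError if malformed."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                              # (&(a)(b)) or (|(a)(b))
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
    elif s[i] == "!":                             # (!(a)): kids is the single negated node
        op, (kids, i) = "!", _parse(s, i + 1)
    else:                                         # simple item; ')' inside a value must be escaped
        end = s.index(")", i)
        m = _ITEM.fullmatch(s[i:end])
        if not m:
            raise ValueError(f"bad filter item {s[i:end]!r}")
        return ("item", m.group(1).lower(), m.group(2), m.group(3)), end + 1
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return (op, kids), i + 1


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except (ValueError, IndexError):              # IndexError: filter cut off mid-way
        return False


def _match(pattern, value):
    """Equality/substring match; a bare '*' is the presence test (objectclass=*)."""
    if pattern == "*":
        return True
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.I) is not None   # caseIgnoreMatch semantics


def evaluate(node, entry):
    kind = node[0]
    if kind == "&":
        return all(evaluate(k, entry) for k in node[1])
    if kind == "|":
        return any(evaluate(k, entry) for k in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr, op, pattern = node
    values = entry.get(attr, [])
    if op == "=":
        return any(_match(pattern, v) for v in values)
    # Ordering is plain string comparison here; a server applies the attribute's ORDERING rule.
    return any(v >= pattern if op == ">=" else v <= pattern for v in values)


def _in_scope(dn, base, scope):
    """-s base/onelevel/subtree relative to -b. Escaped commas in DNs are not handled."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if dn == base:
        return scope == "subtree"
    if base and not dn.endswith("," + base):
        return False
    relative = dn[:-len(base) - 1] if base else dn
    return scope == "subtree" or "," not in relative


def search(base, scope, filter_text, attrs=(), sizelimit=0):
    """Return (results, size_limit_hit). attrs=() returns all attributes, as ldapsearch does."""
    node, wanted, results = parse_filter(filter_text), {a.lower() for a in attrs}, []
    for dn, entry in DIRECTORY.items():
        if not _in_scope(dn, base, scope) or not evaluate(node, entry):
            continue
        if sizelimit and len(results) >= sizelimit:
            return results, True                  # -z reached: stop, as a server would
        results.append((dn, {a: v for a, v in entry.items() if not wanted or a in wanted}))
    return results, False
```

Running the bluepages filter through `search("o=ibm", "subtree", ..., ["cn"])` returns only the Seinfeld entry: the `objectclass=Person` term matches case-insensitively, and the OR branch is satisfied by `cn`. The `-z` path returns a truncated result set with the flag raised, which is the condition a calling application should treat as "incomplete", not "no more entries".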
Chapter 23
Setting Up Directory Assistance
This chapter describes directory assistance and how to set up and
monitor directory assistance in your organization.
Directory assistance
Directory assistance is a feature a server can use to look up information
in a directory other than a local primary Domino Directory
(NAMES.NSF). You can configure directory assistance to use a particular
directory for any of these services:
• Client authentication
• Group lookups for database authorization
• Notes mail addressing
• LDAP service searches or referrals
You can set up directory assistance for a remote LDAP directory or a
Domino directory. A remote LDAP directory can be any remote
LDAP-compliant directory, either one on a foreign LDAP directory
server or one on a Domino server that runs the LDAP service.
A Domino directory is a directory created from the PUBNAMES.NTF
template and accessed via NAMELookup calls. Servers can use directory
assistance to do lookups in either local or remote replicas of a Domino
directory. A Domino directory configured for directory assistance can be
a secondary Domino Directory, an Extended Directory Catalog, or a
primary Domino Directory.
A secondary Domino Directory is any Domino Directory that is not a
server’s primary Domino Directory. A secondary Domino Directory can
be a directory associated with another Domino domain. A secondary
Domino Directory can also be a Domino Directory created manually
from the PUBNAMES.NTF template that is not associated with a Domino
Domain, used, for example, to store and track Web user information.
An Extended Directory Catalog contains documents aggregated from
multiple secondary Domino Directories. A server must use directory
assistance to look up information in an Extended Directory Catalog,
unless you integrate the Extended Directory Catalog directly into the
primary Domino Directory.
For more information, see the topic “Directory assistance for an Extended
Directory Catalog” later in this chapter.
The primary Domino Directory is the directory a server searches first that
describes the Domino domain of the server. You can set up directory
assistance for a primary Domino Directory, usually to specify which
replicas of primary Domino Directories that servers with Configuration
Directories can use.
For more information, see the topic “Directory assistance for the primary
Domino Directory” later in this chapter.
For information on upgrading directory assistance from Domino Release
4.6 to Domino 6, see the Upgrade Guide.
How directory assistance works
To configure directory assistance, you create a directory assistance
database from the template DA50.NTF, and replicate it to the servers that
will use it. A server must have a local replica of a directory assistance
database to use directory assistance. Then you add the database file
name to the “Directory Assistance database name” field in the Domino
Directory Server documents of these servers.
You create a Directory Assistance document in the directory assistance
database to describe a particular directory and how it will be used, and
to define how to connect to the directory and to find alternate replicas for
failover. To set up directory assistance for a Domino Directory or an
Extended Directory Catalog, you select “Notes” in the “Domain type”
field in the Directory Assistance document. To set up directory assistance
for a remote LDAP directory, you select “LDAP” in the “Domain type”
field. You use one Directory Assistance document to configure all the
services for a directory and its replicas.
Each server process that provides directory services and detects a local
directory assistance database configuration loads directory information
configured in the directory assistance database into an internal memory
table. During server startup and thereafter at five-minute intervals each
server process checks for changes to the directory assistance database
configuration and if found, each process reloads its internal memory
table to reflect the changes.
To look up names in a Domino Directory or an Extended Directory
Catalog, a server uses NAMELookup calls. To look up names in a remote
LDAP directory, a server uses a gateway feature that translates
NAMELookup calls to LDAP operations, and then translates LDAP
operations back to NAMELookup calls — a Domino server doesn’t have
to run the LDAP service to use a remote LDAP directory for directory
services.
Directory assistance services
Before you set up directory assistance, read about the services directory
assistance can provide:
• Client authentication
• Group lookups for database authorization
• Notes mail addressing
• LDAP service searches and referrals
Directory assistance and client authentication
To authenticate a user who is accessing a database on a Domino server
via any of the supported Internet protocols — Web (HTTP), IMAP, POP3,
or LDAP — a server can look up the users’ credentials in a directory that
is configured in its directory assistance database. Servers can use X.509
certificate security or name-and-password security for the authentication.
To allow a server to use a directory for Internet client authentication that
is configured in a directory assistance database, do the following in the
Directory Assistance document for the directory:
• On the Basics tab, next to “Make this domain available to,” select “Notes clients and Internet Authentication/Authorization.”
• On the “Naming Contexts (Rules)” tab, enable at least one rule that corresponds to the distinguished names of the users in the directory to be authenticated, and next to “Trusted for Credentials,” select Yes.
For example, if your organization registers Web users in a foreign LDAP
directory, when a Web user attempts to access a database on a Domino
Web server, the server can connect to the remote foreign LDAP directory
server to look up the user name and password to do the authentication.
Field: Enter
Domain type: Choose Notes.
Domain name: The name of the Domino domain associated with the directory. If the directory isn’t associated with a Domino domain because you created it manually rather than through server setup, make up a unique domain name for it. For more information, see the topic “Directory assistance and domain names.”
Company name: (Optional) The name of the company associated with this directory. Multiple Directory Assistance documents can use the same company name.
Search order: (Optional) A number affecting the order in which servers search this directory relative to other directories configured in the directory assistance database. For more information, see the topic “How naming rules relate to directory search orders.”
Field: Enter
Make this domain available to: Choose one or both: • “Notes Clients and Internet Authentication/Authorization” • “LDAP Clients”. Choose “Notes Clients and Internet Authentication/Authorization” to use the directory for Notes mail addressing, Internet client authentication, or to look up the members of groups for database authorization. By default, the option is enabled. To prevent servers from using the directory for these services, do not choose this option. If the domain specified in the “Domain name” field is the same Domino domain (the primary domain) of the servers that use directory assistance, the servers use the directory for these three services automatically, even if you do not choose this option. Choose “LDAP Clients” to enable the LDAP service running on servers to search the directory when processing LDAP requests. By default, the option is enabled. To prevent the LDAP service from searching the directory, do not choose this option. For more information, see the topic “Directory assistance services.”
8. Click the Naming Contexts (Rules) tab, and for each rule you want to
define, complete the following fields. By default, an all-asterisk rule
is enabled with “Trusted for Credentials” set to No.
Field: Enter
N.C. #: A naming context (rule) that describes names in the directory. For more information, see the topic “Directory assistance and naming rules.”
Enabled: Choose one:
9. Click the Replicas tab. Use either the “Database links” field or the
“Replica#” fields to specify replicas of the directory for servers to
use. If you make any entry in a Replica# field, then directory
assistance ignores all entries in the “Database links” field.
To set up directory assistance to use cluster failover to locate an
available replica of the directory, specify only one replica of the
directory within the cluster.
For more information on failover, see the topic “Directory assistance
and failover for a Domino Directory or Extended Directory Catalog.”
Field: Enter
Database links: For each replica you want to specify: • Open the replica of the directory, and choose Edit - Copy As Link - Database Link. • Select the “Database links” field, and choose Edit - Paste. Using database links may delay server startup. When you restart a server that uses directory assistance, server tasks retrieve database information from the remote servers to which the links refer. Use database links only if the servers to which the links refer are consistently available.
Replica #: The server name and file name of a replica of the directory — for example: Server Name: Mail1/West/Acme; Domino Directory File Name: EASTNAMES.NSF. Select Enabled next to each replica you specify.
Field: Enter
Domain type: Choose LDAP.
Domain name: A domain name of your choice that is different from the domain name specified for any other Directory Assistance document - Notes or LDAP - in the directory assistance database. For more information, see the topic “Directory assistance and domain names.”
Company name: (Optional) The name of the company associated with this directory. Multiple Directory Assistance documents can use the same company name.
Search order: (Optional) A number affecting the order in which servers search or refer LDAP clients to this directory relative to other directories configured in the directory assistance database. For more information, see the topic “How naming rules relate to directory search orders.”
Make this domain available to: Choose one or both: • “Notes clients and Internet Authentication/Authorization” to use this LDAP directory for Notes mail addressing, Internet client authentication, or to look up the members of groups for database authorization. • “LDAP Clients” to enable a server running the LDAP service to refer LDAP clients to this LDAP directory. For more information, see the topic “Directory assistance services.”
Field: Enter
Group Authorization: Choose one: • Yes to search the members of groups in this LDAP directory when authorizing database access. • No (default) to prevent searching the members of groups in the directory when authorizing database access. Choose Yes for only one directory, Notes or LDAP, configured in the directory assistance database. You do not have to enable a rule that is “Trusted for Credentials.” If you select Yes, in the “Nested group expansion” field that appears choose one: • Yes (default) to search nested groups — groups that are members of groups listed in database ACLs. • No to search only the members of groups listed in database ACLs, and not the members of groups nested within those groups. For more information on group authorization, see the topic “Directory assistance and group lookups for database authorization.”
8. On the Naming Contexts (Rules) tab, for each rule you want to define
for the directory, complete the following fields. By default, an
all-asterisk rule is enabled with “Trusted for Credentials” set to No.
Field: Enter
N.C. #: Enter a naming context (rule) that describes the user names in the LDAP directory. For more information, see the topic “Directory assistance and naming rules.”
Enabled: Choose one: • Yes to enable a rule • No (default) to disable a rule
Trusted for Credentials: Choose one: • Yes to allow servers to use credentials in the LDAP directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule.
Field: Enter
Hostname: The host name for the remote LDAP directory server — for example, ldap.acme.com. A Domino server uses this host name to connect to the remote LDAP directory server, or to refer LDAP clients to the LDAP directory. Enter an additional host name or host names so that a Domino server can use an alternate LDAP directory server if the directory server represented by the first host name specified is unavailable. Separate host names with commas. If you specify more than one directory server and each listens on a different port, specify the ports after the host names. For example: ldap1.acme.com:390, ldap2.acme.com:391. For more information, see the topic “Directory assistance and failover for a remote LDAP directory.”
Optional Authentication Credential: (Optional) Below “Optional Authentication Credential” enter a user name and a password for a Domino server to present when it connects to the remote LDAP directory server. The LDAP directory server uses the name and password to authenticate the Domino server. If you don’t specify a name and password, a Domino server attempts to connect anonymously. For more information, see the topic “Specifying a name and password for Domino servers in a Directory Assistance document for a remote LDAP directory.”
Base DN for search: A search base, if the LDAP directory server requires one. For example: o=Ace Industry or o=Ace Industry,c=US
Field: Enter
Channel encryption: Choose one: • SSL (the default) to use SSL when a Domino server connects to the remote LDAP directory server • None to prevent SSL from being used. Keep SSL selected in the “Channel encryption” field if you use the remote LDAP directory for client authentication or to look up the members of groups for database authorization.
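The Hostname field's comma-separated host:port list and the advice to keep SSL selected in the Channel encryption row are both worth checking mechanically rather than by eye. The Python below is an added example, not Domino code or code from this manual. It parses the Hostname field as the table describes, walks the hosts in order until one answers (the failover the text describes, with a stand-in connector so it runs offline), and flags a Directory Assistance document whose settings contradict the chapter's guidance. The default ports 389 and 636 are the standard LDAP and LDAP-over-SSL ports and are an assumption of this example; the host names are from the table and every connection outcome is constructed.

```python
"""Hostname failover and a settings check for a Directory Assistance LDAP document
(added example, not Domino code).

Default ports 389 (LDAP) and 636 (LDAP over SSL) are the standard ones and an
assumption of this example; host names come from the manual's table and every
connection outcome is constructed. The document is represented as a plain dict
whose keys are this example's own names for the fields discussed in the chapter.
"""
from typing import Callable, List, Optional, Tuple

LDAP_PORT, LDAPS_PORT = 389, 636
Target = Tuple[str, int]


def parse_hostnames(field: str, channel_encryption: str = "SSL") -> List[Target]:
    """Parse 'ldap1.acme.com:390, ldap2.acme.com:391' into ordered (host, port) targets.

    An entry without an explicit port gets the default matching the Channel
    encryption setting. Empty entries and non-numeric ports raise rather than
    being skipped, so a typo cannot silently remove a failover server."""
    default = LDAPS_PORT if channel_encryption.strip().upper() == "SSL" else LDAP_PORT
    targets: List[Target] = []
    for raw in field.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty host name in Hostname field")
        host, sep, port = item.partition(":")
        if not host or (sep and not port.isdigit()):
            raise ValueError(f"malformed Hostname entry {item!r}")
        targets.append((host.lower(), int(port) if sep else default))
    return targets


def connect_with_failover(targets: List[Target], attempt: Callable[[str, int], bool]
                          ) -> Tuple[Optional[Target], List[Target]]:
    """Try targets in the order listed; return the first that accepts plus those tried before it.

    `attempt` stands in for the real connection. Returning the failed list lets an
    administrator alert on a primary that is being skipped, instead of noticing
    only that lookups have become slower."""
    failed: List[Target] = []
    for host, port in targets:
        if attempt(host, port):
            return (host, port), failed
        failed.append((host, port))
    return None, failed


def check_document(doc: dict) -> List[str]:
    """Settings in a remote-LDAP Directory Assistance document that contradict the chapter."""
    issues: List[str] = []
    encryption = doc.get("channel_encryption", "SSL")
    ssl = encryption.strip().upper() == "SSL"
    trusted = any(r.get("enabled") and r.get("trusted_for_credentials")
                  for r in doc.get("rules", []))
    if not ssl and trusted:
        issues.append("Channel encryption is None but an enabled rule is Trusted for Credentials")
    if not ssl and doc.get("group_authorization") == "Yes":
        issues.append("Channel encryption is None but Group Authorization is Yes")
    if not ssl and doc.get("bind_name"):
        # A simple bind sends the Optional Authentication Credential password in clear without SSL.
        issues.append("Optional Authentication Credential would be sent without SSL")
    hostname = doc.get("hostname", "").strip()
    if not hostname:
        issues.append("Hostname is empty")
    elif len(parse_hostnames(hostname, encryption)) < 2:
        issues.append("only one host name listed: no failover target")
    return issues


if __name__ == "__main__":
    targets = parse_hostnames("ldap1.acme.com:390, ldap2.acme.com:391")
    # Constructed outcome: the first server is down, the second answers.
    chosen, skipped = connect_with_failover(targets, lambda host, port: host == "ldap2.acme.com")
    print("connected to", chosen, "after skipping", skipped)
```

The first two findings in `check_document` are exactly the caveat in the Channel encryption row; the third is the consequence the row implies for the bind credential. A document that passes the check still needs the server's trusted root for the remote directory's certificate, which this example does not model.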
Field: Enter
Dereference alias on search: Choose one to control the extent to which alias dereferencing occurs during searches of the remote LDAP directory: • “Never”
SSL protocol version: Description
V2.0 only: Allows only SSL 2.0 connections.
V3.0 handshake: Attempts an SSL 3.0 connection. If the connection fails and the requestor detects SSL 2.0, attempts to use SSL 2.0 to connect.
V3.0 only: Allows only SSL 3.0 connections.
V3.0 with V2.0 handshake: Attempts an SSL 3.0 connection, but starts with an SSL 2.0 handshake, which displays relevant error messages. Makes an SSL 3.0 connection if possible. Choose “V3.0 and V2.0 handshake” to receive V2.0 error messages that may occur during a connection attempt. These error messages can provide information about compatibility problems found during the connection.
Negotiated: Allows SSL to determine the protocol version and handshake.
Search filter option: Description
Standard LDAP (Default): Uses standard LDAP search filters that work with most LDAP directory servers, including Domino, IBM Directory Server, and Netscape/iPlanet Directory Server.
Active Directory: Uses predefined search filters that work with Active Directory servers. Select this option if the remote LDAP directory is Active Directory.
Custom: Use to define your own search filters.
Note The Active Directory search filter option replaces the Release 5
NOTES.INI setting WebAuth_AD_Group, which allowed for searches of
Active Directory groups.
Defining custom search filters
You might need to define custom search filters if searches are not
returning results or are returning results for the wrong entries. This
situation can occur if the remote LDAP directory server uses a
non-standard schema.
Selecting “Custom” in the “Type of search filter to use” field displays the
following three fields used to define the custom search filters.
Custom search filter field: Description
Mail Filter: If directory assistance is set up so that Notes users can look up mail addresses in the directory, specify a search filter to use to look up the names in the directory. Leave the field blank to use the following default search filter:
(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))
Authentication Filter: Specify a search filter to use to search for the names of users when using the remote LDAP directory for client authentication. Leave the field blank to use the following default search filter:
(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))
Authorization Filter: Specify a search filter to use to look up the members of groups for Notes database authorization. Leave the field blank to use the following default search filter:
(|(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))(&(objectclass=groupOfNames)(Member=%*)))
To define custom search filters, you should be familiar with valid search
filter syntax described in RFCs 2251 and 2254.
Syntax for custom LDAP search filters
To define a custom search filter, insert parameters into standard LDAP
search filters to represent a part of the names being searched for.
Name part: Defined as: Parameter to insert to represent the name part: Example of the name part (shown in bold in the printed manual)
First name: The set of characters from the first character to the first space or punctuation. Parameter: %a. Example: Alex in “Alex M Davidson”.
Last name: The set of characters from the last space or punctuation to the last character. Parameter: %z. Example: Davidson in “Alex M Davidson”.
Whole name: The entire name. Parameter: %*. Example: “Alex M Davidson”.
Local part: Local part of an RFC 822 mail address. Parameter: %l. Example: amd in amd@acme.com.
Domain part: Domain part of an RFC 822 mail address. Parameter: %d. Example: acme.com in amd@acme.com.
Name searched for: Search filter formula in the Directory Assistance document: Search filter used to search for the name
Alex M Davidson: (|(gn=%a)(sn=%z)(cn=%*)(mail=%l)): (|(gn=Alex)(sn=Davidson)(cn=Alex M Davidson)(mail=“”))
amd: (EmpID=%*): (EmpID=amd)
amd: (EmpID=%z): (EmpID=“”)
amd: (mail=%*@acme.com): (mail=amd@acme.com)
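The parameter substitution shown in the two tables above, as an added example that is not IBM’s code: it splits a searched-for name into the manual’s five name parts and expands a Directory Assistance filter formula. As an extra step the manual does not describe, it also escapes the substituted values per RFC 2254 (which the manual cites), so a name containing filter metacharacters cannot change the structure of the filter. It assumes that a name with no space or punctuation yields empty %a and %z parts, matching the (EmpID=%z) row above.

```python
"""Expand Domino directory assistance search filter parameters.

Added example, not IBM's code. Implements the name-part parameters from the
manual (%a first name, %z last name, %* whole name, %l local part and
%d domain part of an RFC 822 address) and escapes the substituted values
per RFC 2254. Assumption: a name with no space or punctuation has empty
%a and %z parts, matching the manual's (EmpID=%z) -> (EmpID="") example.
"""
import re

# RFC 2254 section 4: these characters must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Default filter the manual lists for the Mail and Authentication filters.
DEFAULT_NAME_FILTER = "(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))"

# The five parameters a formula may contain.
_PARAM = re.compile(r"%[az*ld]")


def escape_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def name_parts(name: str) -> dict:
    """Split a searched-for name into the manual's five name parts."""
    # Positions of every space or punctuation character in the name.
    seps = [i for i, ch in enumerate(name) if ch.isspace() or not ch.isalnum()]
    first = name[:seps[0]] if seps else ""        # up to the first separator
    last = name[seps[-1] + 1:] if seps else ""   # after the last separator
    if "@" in name:                               # RFC 822 address parts
        local, domain = name.split("@", 1)
    else:
        local = domain = ""
    return {"%a": first, "%z": last, "%*": name, "%l": local, "%d": domain}


def expand_filter(template: str, name: str, escape: bool = True) -> str:
    """Substitute the name parts into a Directory Assistance filter formula.

    An empty part is substituted as an empty value; the manual prints such a
    value as "" (for example (EmpID="")). With escape=True, metacharacters in
    the name are escaped so they stay inside the value.
    """
    parts = name_parts(name)

    def _sub(match):
        value = parts[match.group(0)]
        return escape_value(value) if escape else value

    return _PARAM.sub(_sub, template)


if __name__ == "__main__":
    # The manual's rows plus one constructed name with filter metacharacters.
    for name, formula in [
        ("Alex M Davidson", "(|(gn=%a)(sn=%z)(cn=%*)(mail=%l))"),
        ("amd", "(EmpID=%*)"),
        ("amd", "(EmpID=%z)"),
        ("amd", "(mail=%*@acme.com)"),
        ("Alex M Davidson", DEFAULT_NAME_FILTER),
        ("Davidson (Alex)*", "(cn=%*)"),
    ]:
        print(f"{name!r:20} {formula:40} -> {expand_filter(formula, name)}")
```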
Option: Description
Never: Never dereference alias entries. If there are no alias entries in the LDAP directory that require dereferencing, choose this option to improve search performance.
Only for subordinate entries: Dereference alias entries subordinate to a specified search base, but do not dereference an alias search base entry.
Only for search base entries: Dereference an alias entry for a specified search base, but do not dereference alias entries subordinate to the search base.
Always: Always dereference aliases. This selection is the default, and the Release 5 behavior.
o=Acme1 cn=John Doe, o=Acme1
Contents: Comments
Basics tab
Domain type: Notes
Domain name: Domain B
Company name: Company A
Search order: None
Make this domain available to: Selected for: • Notes Clients & Internet Authentication/Authorization • LDAP Clients. Comment: Enables Domain A servers to use the Domain B directory for all directory assistance services.
Group Authorization: Yes. Comment: Allows Domain A servers to look up groups in the Domain B directory when authorizing database access.
Enabled: Yes
Naming contexts (rules) tab
N.C.1: */ */ */ */ */ *; Enabled - Yes; Trusted for Credentials - Yes. Comment: Enables Domain A servers to search all names in the directory. “Trusted for Credentials” selected to allow servers to authenticate all Internet users registered in the directory.
Replicas tab
Replica1: Server Name: Server1/DomainA; Directory Filename: DOMANAMES.NSF. Comment: More than one replica of the Domain A directory is specified, indicating that the directory assistance method of failover is used to find an available replica.
Replica2: Server Name: Server2/DomainA; Directory Filename: DOMANAMES.NSF. Comment: Same comments as above.
Contents: Comments
Basics tab
Domain type: Notes
Domain name: EDC. Comment: Made-up name that does not correspond to an actual domain name.
Company name: Company Y
Search order: None
Make this domain available to: • Notes Clients & Internet Authentication/Authorization • LDAP Clients. Comment: Allows servers to use the Extended Directory Catalog for all directory assistance services.
Group Authorization: Yes. Comment: Allows servers to look up groups in the Extended Directory Catalog when authorizing database access.
Enabled: Yes
Naming contexts (rules) tab
N.C.1: */ */ */ */ */ *; Enabled - Yes; Trusted for Credentials - Yes. Comment: Allows servers to search all names in the Extended Directory Catalog. “Trusted for Credentials” selected to allow servers to authenticate all Internet users with Person documents that are aggregated in the directory catalog.
Replicas tab
Replica1: Server Name: Server1/DomainA; Directory Filename: EDC.NSF. Comment: Server1/DomainA is a member of a cluster. Only one replica of the Extended Directory Catalog in the cluster is specified so that cluster failover is used to find an available replica.
Contents: Comments
Basics tab
Domain type: Notes
Domain name: EDC. Comment: Made-up name that does not correspond to an actual domain name in Domino.
Company name: Company Z
Search order: 1. Comment: Causes Domain A servers to search the Extended Directory Catalog before the remote Active Directory.
Make this domain available to: • Notes Clients & Internet Authentication/Authorization • LDAP Clients
Group Authorization: Yes. Comment: Allows servers to use groups from any of the directories aggregated into the directory catalog for database authorization.
Enabled: Yes
Naming contexts (rules) tab
N.C.1: */ */ */ */ */ *; Enabled - Yes; Trusted for Credentials - No. Comment: Allows servers to search all entries in the directory. “Trusted for Credentials” set to “No” to prevent the Extended Directory Catalog from being used for Internet client authentication, and allow only the remote Active Directory to be used for this purpose.
Replicas tab
Replica1: Server Name: Server1/DomainA; Directory Filename: EDC.NSF. Comment: Server1/DomainA is a member of a cluster. Only one replica of the Extended Directory Catalog in the cluster is specified so that cluster failover is used to find an available replica.
Contents: Comments
Basics tab
Domain type: LDAP
Domain name: ActiveDir. Comment: Made-up name that does not correspond to an actual domain name in Domino.
Company name: Company Z
Search order: 2. Comment: Causes Domain A servers to search the remote Active Directory after the Extended Directory Catalog.
Make this domain available to: Notes Clients & Internet Authentication/Authorization. Comment: Domain A does not want its LDAP service to refer LDAP clients to the Active Directory, so it does not select the “LDAP Clients” option.
Group Authorization: No. Comment: Since Domain A servers look up groups used for database authorization in the Extended Directory Catalog, they cannot use the remote Active Directory for this purpose too. All groups used for database authorization are stored in the Domain A primary Domino Directory and in the domain directories that are aggregated into the Extended Directory Catalog.
Enabled: Yes.
Naming contexts (rules) tab
N.C.1: */ */ */ */ */ *; Enabled - Yes; Trusted for Credentials - Yes. Comment: The distinguished names of the users registered in the Active Directory do not correspond to the Notes naming convention of organizational unit (ou), organization (o), and country (c). So Company Z must use an all-asterisk rule to represent the distinguished names of these users. “Trusted for Credentials” is enabled for the naming context (rule) so that Domain A can use the user entries in Active Directory for Internet client authentication.
LDAP tab
Hostname: ldap1.companyz.com, ldap2.companyz.com. Comment: To provide failover, two Active Directory servers are specified, each with replicas of the directory and with the same LDAP configurations.
Optional Authentication Credential: Username: cn=john doe, cn=recipients, dc=east, dc=acme, dc=com; Password: adminspass
Base DN for search: cn=recipients, dc=east, dc=acme, dc=com
Channel encryption: Yes. Comment: Since DomainA servers use the Active Directory for client authentication, Company Z selects “Channel Encryption” so that Domino servers can use a Secure Sockets Layer (SSL) certificate to verify the Active Directory server’s identity.
Port: 636. Comment: Necessary for SSL connections.
Accept expired SSL certificates: Yes
SSL protocol version: Negotiated
Verify server name with remote server’s certificate: Yes
Timeout: 60
Maximum number of entries returned: 100
Dereference alias on search: Never. Comment: The Active Directory server does not use alias dereferencing, so Company Z selects Never to improve search performance.
Preferred mail format: Internet Mail Address
Attribute to be used as Notes Distinguished Name: notesname. Comment: Company Z uses Notes-style distinguished names, rather than the original LDAP names of the users in the Active Directory, for client authentication and in Notes database ACLs. The specified attribute, notesname, is defined in Active Directory as the attribute to store the Notes name. Company Z uses its own tool to add Notes-style distinguished names as values for the notesname attribute in user entries.
Type of search filter to use: Active Directory. Comment: Ensures that the Domain A servers use LDAP search filters that are customized for Active Directory searches.
Monitoring directory assistance
To monitor directory assistance:
• Use the Show Xdir command to display information about all the directories a server uses for directory services.
• View these directory assistance statistics, which a server begins calculating at startup:
Statistic: Description
Database.DAReloadCount: Number of times directory assistance reloaded because of changes to the directory assistance database.
Database.DARefreshServerInfoCount: Number of times directory assistance refreshed because of changes to Server documents in the Domino Directory.
Database.DAFailoverCount: Number of times directory assistance failed over to an available replica.
Chapter 24
Setting Up Directory Catalogs
This chapter describes how to set up and manage directory catalogs.
Directory catalogs
A directory catalog is an optional directory database that typically
contains information aggregated from multiple Domino Directories.
Clients and servers can use a directory catalog to look up mail addresses
and other information about the people, groups, mail-in databases, and
resources throughout an organization, regardless of the number of
Domino domains and Domino Directories the organization uses. A
directory catalog includes the type of information that is important for
directory services, and excludes other types of information that are part
of a Domino Directory, for example Domino configuration information,
such as information in Connection documents.
You use a directory catalog in conjunction with, rather than instead of,
the primary Domino Directory and the Personal Address Book. A server
searches its primary Domino Directory, and a Notes client searches its
Personal Address Book, before searching a directory catalog.
There are two types of directory catalogs: condensed Directory Catalogs
and Extended Directory Catalogs. Condensed Directory Catalogs use a
unique design based on the DIRCAT5.NTF template that enables them to
be extremely small. Condensed Directory Catalogs are designed for use
on Notes clients. A condensed Directory Catalog on a Notes client is also
known as a Mobile Directory Catalog.
Extended Directory Catalogs use the same design as the Domino
Directory, which is based on the PUBNAMES.NTF. They are larger than
condensed Directory Catalogs, but are the recommended directory
catalog for server use because they allow faster and more flexible
directory lookups.
Servers can use a directory catalog for mail addressing, for processing
LDAP service operations, to look up client authentication credentials,
and to look up the members of groups in database ACLs when
authorizing users’ database access.
Condensed Directory Catalogs
You create a condensed Directory Catalog from the Directory Catalog
template (DIRCAT5.NTF). Condensed Directory Catalogs are designed
to be small enough to fit on Notes clients. For example, several Domino
directories that together contain more than 350,000 users and total 3GB in
size, when aggregated in a condensed Directory Catalog are likely to be
only about 50MB. In general, each user and group entry is slightly more
than 100 bytes. Condensed Directory Catalogs are designed primarily for
use on Notes clients.
To achieve its small size, a condensed Directory Catalog uses a unique
design that combines multiple documents from the Domino Directories
into single documents in the directory catalog, and that limits the number
of sorted views available for lookups.
Aggregate documents
One reason a condensed Directory Catalog is small is it combines many
entries from the source Domino Directories into single aggregate
documents. A single Directory Catalog aggregate document can contain
up to 250 source directory entries, although on average the maximum is
about 200. This means that a condensed Directory Catalog needs to use
only about 1000 aggregate documents to store information from 200,000
documents in the source Domino Directories.
Limited number of views
A condensed Directory Catalog is also small because it contains only a
few, small views. By contrast a Domino Directory and an Extended
Directory Catalog have multiple, typically large views.
• $Users view: This is the one view used in a condensed Directory Catalog for name lookups. When you configure the directory catalog you choose how to sort this view, either by distinguished name, by last name, or by alternate name. To find names that don’t correspond to the selected sort order, a full-text search is done of the directory catalog rather than a view lookup.
You shouldn’t open the aggregate documents in the $Users view manually; these documents are not intended for viewing, and it can take a considerable amount of time to format them for that purpose.
• $Unid view: This view contains information needed by the Dircat task to replicate the source directory entries into the directory catalog. The $Unid view isn’t created on replicas of the directory catalog, which further reduces the directory catalog size.
• $PeopleGroupsFlat view: This view displays directory names when Notes users click the Address button to browse directories.
• Configuration view: This view shows the Configuration document that contains the directory catalog configuration settings.
• Users view: This is a view that users can open and programs can access to see the names included in the directory catalog. This view is not stored on disk but is instead built as needed.
Design changes
In general, you should not change the database design of a condensed
Directory Catalog. One exception is changing the name of the Users
view; you can change the name of this view, as long as you keep the
original view name, Users, as an alias.
Application access
Notes applications can use these methods to access a condensed
Directory Catalog programmatically:
• NAMELookup calls to the $Users view
• NAMEGetAddressBooks calls, if you use the NOTES.INI setting Name_Include_Ed=1.
• NIFFindByKey, NIFReadEntries, and NIFOpenNote calls.* You can’t use NSFNoteOpen to open notes passed back from NIFReadEntries; you must call NIFOpenNote instead.
• LotusScript methods*
• @NameLookup function
*Can access the Users view but not the $Users view.
In addition, LDAP applications can search a condensed Directory
Catalog used by a server that runs the LDAP service.
Benefits of condensed Directory Catalogs on clients (Mobile
Directory Catalogs)
Condensed Directory Catalogs on Notes clients, also called Mobile
Directory Catalogs, are useful to organizations that use one or multiple
Domino Directories. Although Notes users’ mail or directory servers can
do lookups in Domino Directories on behalf of Notes users, using
condensed Directory Catalogs on Notes clients instead offers these
benefits:
• Notes users have access to one local, corporate-wide directory, even when their clients are disconnected from the network.
• When they address mail, users can press F9 to verify quickly the address of anyone in the organization.
• Users can flag mail for encryption when using clients that are disconnected from the network. The clients look up the public key and encrypt the mail when the users connect to the network and send the mail.
• Groups are included in a directory catalog by default, so users can send mail to groups. However, to minimize the size of the directory catalog, the members of the groups are not included by default, so users’ mail servers or directory servers must be able to look up the members of the groups.
• Type-ahead name resolution is instantaneous because type-ahead searches the local directory catalog. Type-ahead searches never extend to a server when there is a directory catalog configured locally on the client.
• Users can use the detailed search feature available for Local Address Books to search the directory catalog. For example, if a user wants to send mail to someone by the name of Robin at the Los Angeles location but doesn’t remember Robin’s last name, the user can search for “First name” Robin and “Location” Los Angeles to retrieve the name from the directory catalog.
• Users can use the Mail Address dialog box to open and scroll through the names in the directory catalog.
• Using Soundex, users can enter phonetic spellings to search for names they don’t know how to spell.
• Network traffic is reduced because name resolution occurs locally on the client, rather than on a server.
Directory catalogs on servers compared to directory assistance for
individual Domino Directories
A server can do lookups directly in a secondary Domino Directory using
directory assistance, or can do lookups in a directory catalog that
aggregates information from the secondary Domino Directory. There are
several advantages to servers doing lookups in a directory catalog, rather
than in individual Domino Directories:
• A server can look up information more quickly by searching one directory database rather than multiple databases — the more secondary directories you aggregate in a directory catalog, the greater this advantage.
• If there are multiple Person documents with the same name in one directory or across directories, you can remove the duplicates from the directory catalog. The Dircat task then aggregates the first Person document with the name that is encountered, which avoids name ambiguity problems, for example, the Router failing to deliver mail because it finds more than one occurrence of a name.
• A directory catalog excludes most or all Domino administration information that is part of a Domino Directory and that is not of interest to users. You can also filter out other information in a Domino Directory from a directory catalog. For example, an administrator can exclude specific fields, or use a selection formula to exclude documents that don’t match specified criteria.
• Notes users without local condensed Directory Catalogs can browse one directory, rather than multiple, individual secondary Domino Directories.
The advantage to doing lookups in individual secondary Domino
Directories is there is no need to build, maintain, and replicate a
directory catalog. Instead you create and replicate only a small directory
assistance database.
Setting up servers to use directory catalogs is useful for organizations
that use multiple Domino Directories, for example, organizations with
multiple Domino domains.
Extended Directory Catalogs
You can set up servers to use an Extended Directory Catalog. You create
an Extended Directory Catalog from the PUBNAMES.NTF template, the
same template used to create the Domino Directory. An Extended
Directory Catalog combines advantages of a Domino Directory and a
condensed Directory Catalog. It aggregates entries from multiple
Domino directories into a single directory database as does the
condensed Directory Catalog, but it retains the individual documents
and the multiple, sorted views available in the Domino Directory to
facilitate quick name lookups.
Although you can set up servers to use a condensed Directory Catalog,
there are several advantages to using an Extended Directory Catalog
instead.
Multiple views
The Extended Directory Catalog uses the same design as the Domino
Directory, so it includes multiple views that sort names in different ways.
Regardless of the format of a name, there’s a view in the Extended
Directory Catalog that a server can use to quickly find the name. A
condensed Directory Catalog has one view used for lookups, which you
choose how to sort when you configure it. To look up a name in a
condensed Directory Catalog that doesn’t correspond to the selected sort
order, the server uses the full-text index to search for the name, which
takes longer than a view search.
Using an Extended Directory Catalog on servers that route mail is a
particular advantage, because a mail server can use views to quickly find
an address regardless of the address format. When a mail server uses a
condensed Directory Catalog, mail routing can back up if the Router uses
the full-text index to look up addresses, for example, some Internet
addresses, that don’t correspond to the selected sort order.
When a Notes user with a condensed Directory Catalog on the client
sends mail to a group, if the client’s directory catalog doesn’t contain the
members of the group, there can be a delay while a server does a full-text
search of a condensed Directory Catalog to look up the members. Delays
when sending mail to groups are not an issue if mail servers use
Extended Directory Catalogs.
Ease of application access
Applications can access information in an Extended Directory Catalog as
easily as they can in a Domino Directory. Application access to a
condensed Directory Catalog however is restricted by the nature of the
aggregate documents and the number of views.
Multiple-view, enterprise directory
Users can open an Extended Directory Catalog and see an enterprise-wide
directory with multiple views that sort by entry type. In a condensed
Directory Catalog, there is only one view to display the different types of
entries.
Groups for database authorization
Servers can use groups in only one directory configured in a directory
assistance database, in addition to the primary Domino Directory for
authorizing database access. Using an Extended Directory Catalog for
this purpose effectively allows servers to use groups in any secondary
Domino Directory aggregated in the directory catalog for database access
control.
Remote lookups
Servers use Directory Assistance to locate an Extended Directory
Catalog, so you need to replicate the Extended Directory Catalog only to
two or a few strategic servers to which the Directory Assistance database
then points. You can configure failover so that if one replica of the
directory catalog is unavailable, servers can use an alternate.
Each server that uses a condensed Directory Catalog requires a local
replica of the directory catalog, which makes its smaller size less of an
advantage overall.
Administrator control over rebuilds
Rebuilding a directory catalog removes all of the existing aggregated
information, and then re-aggregates the information from the source
Domino Directories. Since this process is time consuming, the Dircat task
only rebuilds an Extended Directory Catalog when an administrator
indicates. Changing almost any field in the configuration document for a
condensed Directory Catalog, by contrast, triggers the Dircat task to
rebuild the directory catalog automatically.
Extended ACL and LDAP access control settings
You can use an extended ACL to refine the overall database access to an
Extended Directory Catalog. For example, you can deny access to
sensitive fields, to entire documents associated with a particular part of a
name hierarchy, and so forth. An extended ACL on an Extended
Directory Catalog is independent of any Extended ACLs set on the
individual source Domino Directories.
You can also create a Configuration Settings document in an Extended
Directory Catalog and use access control settings on the LDAP tab of the
document to control anonymous LDAP search access to the directory
catalog.
These access control features are not available for a condensed Directory
Catalog.
Native documents
You can add documents manually to an Extended Directory Catalog, in
addition to aggregating documents through Dircat task processing. These
“native” documents that originate in the database are not affected by
Dircat task processing. You cannot add native documents to a condensed
Directory Catalog.
Full-text index advantages
An Extended Directory Catalog has multiple, sorted views, so in general
no full-text index is required for lookups, which helps minimize disk
space usage. A full-text index is required, however, if you want the
LDAP service to use an Extended Directory Catalog to process searches
that use search filters based on something other than names or mail
addresses.
A full-text index is always required for a condensed Directory Catalog.
If you choose to create a full-text index on an Extended Directory
Catalog, users can do full-text searches of it from the Notes client. Users
can’t do full-text searches of a condensed Directory Catalog from the
Notes client.
One server using more than one
A server can use more than one Extended Directory Catalog, for example
one that aggregates directories that are trusted for Internet client
authentication, and another that aggregates directories that are not
trusted for client authentication.
A server can use one condensed Directory Catalog only.
Integration into a primary Domino Directory
Because an Extended Directory Catalog uses the same design as a
Domino Directory, you can build an Extended Directory Catalog directly
into the primary Domino Directory for a domain, so that one directory
contains the information for an entire enterprise.
Server documents
You can aggregate Server documents into an Extended Directory
Catalog, but not a condensed Directory Catalog.
Overview of directory catalog setup
To set up a directory catalog, you first create a directory catalog
database. You use the PUBNAMES.NTF template to create an Extended
Directory Catalog and the DIRCAT5.NTF template to create a condensed
Directory Catalog. In the directory catalog database you create a
configuration document in which you indicate which Domino Directories
— known as the source Domino Directories — to aggregate, which
information from them to aggregate, and other options.
For information on creating and completing a directory catalog
configuration document, see the next topic “Planning directory catalogs”
as well as the topics “Setting up a condensed Directory Catalog” and
“Setting up an Extended Directory Catalog” later in the chapter.
After you complete the configuration document, you run the Directory
Cataloger task (Dircat task) to build the directory catalog. A server that
runs the Dircat task is referred to as a Dircat server, and typically there is
one Dircat server dedicated to aggregating directory catalogs. The Dircat
task replicates information from the Domino Directories indicated in the
configuration document, and then combines — aggregates — the entries
into the directory catalog. After the directory catalog is built, you then
continue to run the Dircat task at regular intervals to keep the
information in the directory catalog current with the information in the
source Domino Directories. The Dircat task can build and maintain
multiple directory catalogs.
After the Dircat task has built a directory catalog, you set up clients
and/or servers to use the directory catalog. You can automate setting up
a condensed Directory Catalog on clients by using a Setup policy settings
document or a Desktop policy settings document. This process replicates
the directory catalog to the client, and adds the directory catalog file
name to “Local address books” field in the User Preferences dialog for
mail.
To set up a server to use an Extended Directory Catalog, you set up the
server to use a directory assistance database, and then create a Directory
Assistance document in the database for the Extended Directory Catalog.
To set up a server to use a condensed Directory Catalog, you specify the
file name of the directory catalog in either the servers’ Server document,
or in the Domino Directory Profile.
Planning directory catalogs
When planning directory catalogs, consider the following issues:
• Directory catalogs and client authentication
• Directory catalogs and Notes mail encryption
• Picking the server(s) to run the Dircat task
• Specifying the Domino Directories for the Dircat task to aggregate
• Controlling which information is aggregated in a directory catalog
• Planning issues specific to Extended Directory Catalogs
• Planning issues specific to condensed Directory Catalogs
• Full-text indexing directory catalogs
• Multiple directory catalogs
Directory catalogs and client authentication
When an Internet client logs on to a server to authenticate, the server can
look up the client name in the directory catalog to find the client
credentials for authentication.
Using an Extended Directory Catalog for client authentication
To allow a server to use an Extended Directory Catalog to look up client
names for authentication, in the Directory Assistance document for the
Extended Directory Catalog, enable a rule that is trusted for credentials.
In addition, if you don’t aggregate all fields from documents as
recommended, you must make sure to aggregate the fields required for
the authentication. For example, to use name-and-password security,
aggregate the HTTPPassword field from Person documents. Or to use
X.509 certificate security, aggregate the userCertificate field.
If you want servers to use some secondary Domino Directories for
Internet client authentication but not others, you can create one Extended
Directory Catalog that aggregates the Domino Directories to use for
authentication, and another that aggregates the other Domino
Directories. Then create a Directory Assistance document for each
Extended Directory Catalog, and enable a rule that is trusted for
credentials only in the one that aggregates the directories to be used for
authentication.
Using a condensed Directory Catalog for client authentication
To enable a server to look up authentication credentials for any user
name aggregated in a condensed Directory Catalog, select the option
“Trust the server based condensed directory catalog for authentication
with internet protocols” on the Basics tab of the server’s Server document
in the Domino Directory.
To allow a server to look up credentials for user names from only one or
some of the source Domino Directories aggregated into a condensed
Directory Catalog, do not select the above option. Instead, create a
directory assistance database on the server. In the database, create a
Directory Assistance document for each aggregated Domino Directory
you want to use for authentication. In each Directory Assistance
document, enable a rule that is trusted for credentials.
If you use name-and-password security for Internet client authentication,
you can store the passwords in the condensed Directory Catalog. To do
this, aggregate the HTTPPassword field from Person documents. In this
case, a server looks up the passwords in the directory catalog, and
doesn’t require directory assistance to look them up in the source
Domino Directories.
If you use X.509 certificates for client authentication, storing the
certificates in a condensed Directory Catalog isn’t recommended due to
their size. Instead, set up directory assistance to look up the certificates
directly in the source Domino Directories. Similarly, servers can use
directory assistance to look up passwords in the source Domino
Directories, rather than aggregating the passwords into the directory
catalog, as a way to keep the condensed Directory Catalog small.
When you don’t store passwords and X.509 certificates in a directory
catalog, using the directory catalog and directory assistance in
conjunction is quicker than using directory assistance alone, because only
one database, the directory catalog, needs to be used to find a name.
For more information on using directory assistance in conjunction with a
directory catalog for client authentication, see the chapter “Setting Up
Directory Assistance.”
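The trust decision described in this section, modeled as an added Python example. This is illustrative code written for this page, not Domino code and not part of the manual. It assumes a simplified representation of Directory Assistance documents, directory catalogs and Person documents; the directory names A and B, the catalog names EDC-AUTH and EDC-OTHER, the user names and the placeholder credential values are all constructed. It shows why a server that can resolve a name in a catalog still may not authenticate from it (no rule trusted for credentials), and why the HTTPPassword or userCertificate field must actually be aggregated for the chosen method.

```python
from dataclasses import dataclass, field

# What the server must find in the catalog for each Internet authentication method.
REQUIRED_FIELD = {"name-and-password": "HTTPPassword", "x509": "userCertificate"}
# A few of the Person fields Dircat aggregates by default (subset of the manual's list).
DEFAULT_PERSON_FIELDS = frozenset({"FullName", "InternetAddress", "MailDomain"})

# Constructed sample: two Domino Directories, A and B, with one Person document each.
# Credential values are placeholders, not real password hashes or certificates.
SAMPLE_DIRECTORIES = {
    "A": {"Kathy Brown/West/Acme": {"FullName": "Kathy Brown/West/Acme",
                                    "InternetAddress": "kbrown@acme.example",
                                    "HTTPPassword": "(hash-kbrown)",
                                    "userCertificate": "(x509-kbrown)"}},
    "B": {"Ravi Patel/East/Acme": {"FullName": "Ravi Patel/East/Acme",
                                   "InternetAddress": "rpatel@acme.example",
                                   "HTTPPassword": "(hash-rpatel)"}},
}


@dataclass
class DirectoryCatalog:
    name: str
    entries: dict = field(default_factory=dict)   # user name -> aggregated fields


@dataclass
class DirectoryAssistanceDoc:
    """The Directory Assistance document that points a server at one catalog."""
    catalog: str
    trusted_for_credentials: bool   # the rule "trusted for credentials"


def dircat(name, sources, extra_fields, directories=SAMPLE_DIRECTORIES):
    """Stand-in for the Dircat task (constructed): aggregate Person documents from
    the named source directories, keeping default fields plus extra_fields only."""
    keep = DEFAULT_PERSON_FIELDS | frozenset(extra_fields)
    cat = DirectoryCatalog(name)
    for src in sources:
        for user, doc in directories[src].items():
            cat.entries[user] = {f: v for f, v in doc.items() if f in keep}
    return cat


def credential_lookup(catalogs, da_docs, user, method):
    """Decide where a server may take the user's credential from for the method.

    Returns a (status, catalog_name, value) triple:
      ("ok", catalog, credential)       usable for authentication
      ("untrusted", catalog, None)      name resolves, but the DA rule is not trusted
                                        for credentials, so no authentication from it
      ("missing-field", catalog, None)  trusted catalog lacks the field the method needs
      ("not-found", None, None)         no aggregated catalog holds the name
    """
    trusted = {d.catalog for d in da_docs if d.trusted_for_credentials}
    needed = REQUIRED_FIELD[method]
    for cat in catalogs:
        entry = cat.entries.get(user)
        if entry is None:
            continue
        if cat.name not in trusted:
            return ("untrusted", cat.name, None)
        if needed not in entry:
            return ("missing-field", cat.name, None)
        return ("ok", cat.name, entry[needed])
    return ("not-found", None, None)


def split_catalog_setup():
    """The configuration from the text: one Extended Directory Catalog for the
    directories to trust (A), another for the rest (B), each with its own DA document."""
    catalogs = [dircat("EDC-AUTH", ["A"], ["HTTPPassword"]),
                dircat("EDC-OTHER", ["B"], ["HTTPPassword"])]
    da_docs = [DirectoryAssistanceDoc("EDC-AUTH", trusted_for_credentials=True),
               DirectoryAssistanceDoc("EDC-OTHER", trusted_for_credentials=False)]
    return catalogs, da_docs
```

With this setup, a name-and-password logon for Kathy Brown succeeds from EDC-AUTH, the same user's X.509 logon fails with "missing-field" until userCertificate is added to the aggregated fields, and Ravi Patel, whose directory is aggregated only into the untrusted catalog, cannot be authenticated from either catalog even though his name resolves.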
Directory catalogs and Notes client authentication
By default, when a Notes client logs on to a server, the server does not
look up information in Domino Directory Person documents during the
client authentication process. However, if the option “Compare Notes
public keys against those stored in Directory” is enabled in the server’s
Server document, then the server must be able to look up public key
information in Person documents to authenticate Notes clients. If Notes
users who use a server with this option enabled are not registered in the
server’s primary Domino Directory, the server can use a directory catalog
that it trusts for credentials to look up their names and do the public
key comparison.
Scenarios for using directory catalogs for client authentication
The following table describes various ways to configure directory
catalogs on servers to support client authentication, depending on the
type of directory catalog you are using and the extent to which you want
servers to trust the aggregated Domino Directories for authentication.
The scenarios assume the following:
• S1, S2, S3, and S4 are the names of the servers in a domain
• A, B, C, and D are the names of the Domino Directories for each of the
organization’s four domains.
• Each name in A, B, C, and D is part of one of the following
namespaces: west/acme, east/acme, north/acme, south/acme.
• Namespaces overlap across A, B, C, and D.
• DA = Directory Assistance
• EDC = Extended Directory Catalog
• CDC = Condensed Directory Catalog on server
Location of source Domino Directory: Locally
Enter: The file name, for example EASTNAMES.NSF

Location of source Domino Directory: Locally in a linked directory
Enter: The file name, preceded by the linked directory, for example
DIRECTORIES\EASTNAMES.NSF

Location of source Domino Directory: Over the network on a mapped drive
Enter: The file name and path, for example U:\DIRSERVER\NAMES.NSF

Location of source Domino Directory: Over the network through Domino
Enter: The file name in this syntax: portname!!!servername!!filename, where
• portname is the name you gave to the port
• servername is the hierarchical name of the server that stores the directory
• filename is the file name for the directory on the server
For example: TCPIP!!!DIRSERV/EAST/ACME!!NAMES.NSF. If you don’t care which
port is used, omit the port, for example: DIRSERV/EAST/ACME!!NAMES.NSF.
Note The server running the Dircat task must have a certifier in common
with the remote server, or be cross-certified with that server.
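A parser for the “Directories to include” entries described in the table above, together with a check for the certifier prerequisite in the note, as an added Python example. This is illustrative code written for this page, not Domino code. The hierarchical-name pattern, the drive-letter test, and the modeling of “a certifier in common” as the shared tail of the two hierarchical names (with cross-certified certifier names supplied as a list) are this example’s own simplifications; the entry strings it parses are the table’s examples.

```python
import re

# Hierarchical Notes name CN/OU.../O, e.g. DIRSERV/EAST/ACME (simplified pattern, an assumption).
_HIER_NAME = re.compile(r"^[^!/\\]+(/[^!/\\]+)+$")


def parse_source_directory(spec):
    """Classify one entry of the "Directories to include" field.

    Returns a dict with "kind" in {"local", "linked", "mapped-drive", "network"};
    network entries also carry "port" (None when omitted), "server" and "file".
    Raises ValueError for a malformed network entry.
    """
    spec = spec.strip()
    if "!!" in spec:
        if "!!!" in spec:                      # portname!!!servername!!filename
            port, rest = spec.split("!!!", 1)
        else:                                  # servername!!filename (port omitted)
            port, rest = None, spec
        if rest.count("!!") != 1:
            raise ValueError("expected servername!!filename after the port: %r" % spec)
        server, filename = rest.split("!!")
        if not _HIER_NAME.match(server):
            raise ValueError("server name must be hierarchical: %r" % server)
        if not filename:
            raise ValueError("missing file name in %r" % spec)
        return {"kind": "network", "port": port or None, "server": server, "file": filename}
    if re.match(r"^[A-Za-z]:[\\/]", spec):     # U:\DIRSERVER\NAMES.NSF
        return {"kind": "mapped-drive", "file": spec}
    if "\\" in spec or "/" in spec:            # DIRECTORIES\EASTNAMES.NSF
        return {"kind": "linked", "file": spec}
    return {"kind": "local", "file": spec}     # EASTNAMES.NSF


def common_certifier(server_a, server_b):
    """Return the certifier both hierarchical names share (as "/OU/O"), or None.
    Simplified model: the longest common tail of the names below the common name."""
    a = server_a.split("/")[1:]
    b = server_b.split("/")[1:]
    shared = []
    for x, y in zip(reversed(a), reversed(b)):
        if x.upper() != y.upper():
            break
        shared.append(x)
    return "/" + "/".join(reversed(shared)) if shared else None


def dircat_can_aggregate(dircat_server, remote_server, cross_certified=()):
    """Prerequisite from the note: the Dircat server shares a certifier with the
    remote server, or the remote server's certifier has been cross-certified.
    cross_certified holds certifier names such as "/BETA" (assumed input shape)."""
    if common_certifier(dircat_server, remote_server):
        return True
    remote = remote_server.upper()
    return any(remote.endswith(cert.upper()) for cert in cross_certified)
```

Run the parser over every entry before enabling the Dircat schedule; a network entry whose server name is not hierarchical, or a three-bang entry with no port, is rejected rather than silently treated as a local file.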
Document type: Person
Aggregated by default? Yes
Option(s) in configuration document that affect aggregation of the document:
“Additional fields to include”, “Remove duplicate users”, “Selection Formula”

Document type: Group
Aggregated by default? Yes (Mail and Multi-purpose types only, by default)
Option(s) in configuration document that affect aggregation of the document:
“Additional fields to include”, “Group types”, “Selection Formula”

Document type: Mail-in Database
Aggregated by default? Yes
Option(s) in configuration document that affect aggregation of the document:
“Additional fields to include”, “Include Mail-in Databases”, “Selection Formula”

Document type: Resource*
Aggregated by default? Yes
Option(s) in configuration document that affect aggregation of the document:
“Additional fields to include”, “Selection Formula”

Document type: Server (Extended Directory Catalog only)
Aggregated by default? No
Option(s) in configuration document that affect aggregation of the document:
“Additional fields to include”, “Include Servers”, “Selection Formula”

Document type: Custom documents you’ve added to a Domino Directory
Aggregated by default? No
Option(s) in configuration document that affect aggregation of the document:
“Additional fields to include”, “Selection Formula”
Field aggregated by default      Documents that use the field
FullName (1)                     Person, Mail-In Database, Resource
ListName (1)                     Group
Type (1)                         All
FirstName                        Person
MiddleInitial                    Person
LastName                         Person
Location                         Person
MailAddress                      Person
Shortname                        Person
MailDomain                       Person, Group, Mail-In Database, Resource
InternetAddress                  Person, Group, Mail-In Database, Resource
MessageStorage                   Person, Mail-In Database
Members (2)                      Group
AltFullName (2)                  Person
AltFullNameLanguage (2)          Person

(1) Required fields that ensure that each document aggregated in the directory
catalog has a known name and type
(2) Aggregated by default only in an Extended Directory Catalog
The following table covers fields you can add, for three uses of a directory
catalog: a condensed Directory Catalog used by clients, an Extended Directory
Catalog, and a condensed Directory Catalog used by servers (1).

Field to add: Members field (from Group documents)
Condensed Directory Catalog used by clients: (Optional) Add only to allow
Notes users who are not connected to the network to look up free time
schedules of other users. Note that adding the Members field is not generally
recommended because it increases the directory catalog size and requires more
replication. Use a server directory catalog or directory assistance to
provide a way for servers to look up the members of groups from a secondary
Domino Directory.
Extended Directory Catalog: (Required) Allows Notes clients and servers to
look up the members of groups from secondary Domino Directories.
Condensed Directory Catalog used by servers: (Required) Allows Notes clients
and servers to look up the members of groups from secondary Domino
Directories.

Field to add: AltFullName, AltFullNameLanguage (from Person documents)
Condensed Directory Catalog used by clients: (Optional) Add if users in the
directory catalog use alternate names in their certificates.
Extended Directory Catalog: (Recommended) Include this field even if no
certified alternate names are used in your organization; then if alternate
certified names are put into use later, no directory catalog rebuild is
necessary.
Condensed Directory Catalog used by servers: (Recommended) Include this field
even if no certified alternate names are used in your organization; then if
alternate certified names are put into use later, no directory catalog
rebuild is necessary.

Field to add: HTTPPassword (from Person documents)
Condensed Directory Catalog used by clients: Not recommended
Extended Directory Catalog: (Optional) Add to enable servers to look up
Internet passwords in the directory catalog for Internet client
authentication.
Condensed Directory Catalog used by servers: (Optional) Add to enable servers
to look up Internet passwords in the directory catalog for Internet client
authentication.

Field to add: UserCertificate (from Person documents)
Condensed Directory Catalog used by clients: Not recommended
Extended Directory Catalog: (Optional) Add to enable servers to look up X.509
certificates in the directory catalog for Internet client authentication.
Condensed Directory Catalog used by servers: Not recommended

(1) Can use directory assistance instead to trust for client authentication
only some rather than all of the aggregated directories
Setting up a condensed Directory Catalog
When you finish planning a condensed Directory Catalog, follow these
steps to set it up:
Step 1: Verify that each Domino Directory has a defined domain
Each Domino Directory aggregated in a directory catalog should have a
domain defined in its Directory Profile. The Dircat task appends the
domain name to the names of groups in the directory catalog, to
distinguish between groups in different directories with the same name.
Do the following for each Domino Directory you will aggregate into the
directory catalog:
1. Open a Domino Directory.
2. Choose Actions - Edit Directory Profile.
3. Make sure the field “Domain defined by this Domino Directory”
contains a valid domain name. This field is usually filled in
automatically.
4. Click Save & Close.
Step 2: Create the condensed Directory Catalog database
1. Choose File - Database - New.
2. Next to Server, select the Dircat server you picked to aggregate the
directory catalog.
3. Next to Title, enter a title for the directory catalog, for example
Condensed Directory Catalog.
4. Next to Filename, enter a file name for the catalog, for example
CDC.NSF.
5. Select “Create full text index for searching.”
6. Click “Show advanced templates.”
7. Below “Template server,” select a server that stores the Directory
Catalog template, and then click OK.
8. Select the Directory Catalog template (DIRCAT5.NTF). Do not select
the Catalog (V6) template (CATALOG.NTF).
9. Click OK.
Note Keep the - Default - entry in the database access control list
(ACL) set to Reader.
Step 3: Create the directory catalog configuration document and run
the Dircat task:
1. In the database you created, choose Create - Configuration.
2. Complete the following fields in the Directory Catalog Configuration
document:
Note The “Directories to include” field is the only field you must
complete. In many situations you can accept the default values in the
other fields. However, read the complete descriptions of the fields
before you run the Dircat task to build the directory catalog.
Fields in Basics tab

Directories to include: Specifies which Domino Directories the Dircat task
aggregates, and the order in which it processes the directories. For more
information, see the earlier topic “Specifying the Domino Directories for the
Dircat task to aggregate.”

Additional fields to include: Specifies which fields from Domino Directories
to aggregate. For more information, see the earlier topic “Choosing which
fields to aggregate in a directory catalog.”

Sort by: Specifies how to sort entries in the directory catalog. For more
information, see the earlier topic “Deciding how to sort entries in a
condensed Directory Catalog.”

Use Soundex: Specifies whether to support Soundex lookups. For more
information, see the earlier topic “Supporting Soundex searches of a condensed
Directory Catalog.”

Remove duplicate users: Specifies whether to aggregate multiple user entries
with the same name. For more information, see the earlier topic “Removing
duplicate user entries from a directory catalog.”

Group types: Specifies which types of groups to aggregate. For more
information, see the earlier topic “Choosing the types of groups to aggregate
in a directory catalog.”

Include Mail-in Databases: Specifies whether to aggregate Mail-In Database
documents. Default is Yes. Consider setting to No if the directory catalog is
used only on clients, since Notes users don’t typically send mail to Mail-In
Databases.

Restrict aggregation to this server: (Recommended) Specifies the one Dircat
server that can aggregate this directory catalog. For more information, see
the earlier topic “Allowing only one server to aggregate a directory catalog.”

Send Directory Catalog reports to: (Optional) Specifies the names of people
to receive Directory Catalog status reports. For more information, see the
later topic “Mailing Directory Catalog reports.”

Fields in Advanced tab

Version: Read-only field that can increment after a Domino upgrade.

Selection formula: (Optional) Specifies a selection formula to control which
documents are aggregated. For more information, see the earlier topic “Using
a selection formula in a directory catalog configuration document.”

Total number of people/group/mail-in databases and resources: Read-only field
that shows the total number of entries aggregated from Domino Directories
after the Dircat task runs.

Packing density: Specifies the maximum number of Domino Directory entries
that can be aggregated into each aggregate document. You usually do not have
to change the default setting. Do not change the default setting if clients
use local replicas of the directory catalog. For more information, see the
earlier topic “Using performance settings in a condensed Directory Catalog.”

Incremental fields: Specifies whether changed fields are stored in a
temporary location. You usually do not have to change the default setting. Do
not change the default setting if clients use local replicas of the directory
catalog. For more information, see the earlier topic “Using performance
settings in a condensed Directory Catalog.”
Fields in Basics tab (Extended Directory Catalog configuration document)

Directories to include: Specifies which Domino Directories the Dircat task
aggregates, and the order in which it processes the directories. For more
information, see the earlier topic “Specifying the Domino Directories for the
Dircat task to aggregate.”

Additional fields to include: Specifies which fields from Domino Directories
to aggregate. Aggregating all fields is recommended. To aggregate all fields,
leave the “Additional fields to include” field blank by deleting all fields
from it. For more information, see the earlier topic “Choosing which fields
to aggregate in a directory catalog.”

Remove duplicate users: Specifies whether to aggregate multiple user entries
with the same name. For more information, see the earlier topic “Removing
duplicate user entries from a directory catalog.”

Group types: Specifies which types of groups to aggregate. For more
information, see the earlier topic “Choosing the types of groups to aggregate
in a directory catalog.”

Include Mail-in Databases: Specifies whether to aggregate Mail-In Database
documents. Default is Yes.

Include Servers: Specifies whether to aggregate Server documents. Default is
No.

Restrict aggregation to server: (Recommended) Specifies the one Dircat server
that can aggregate this directory catalog. For more information, see the
earlier topic “Allowing only one server to aggregate a directory catalog.”

Send Aggregation reports to: (Optional) Specifies the names of people to
receive Directory Catalog status reports. For more information, see the later
topic “Mailing Directory Catalog reports.”

Fields in Advanced tab

Version: Read-only field that can increment after the DIRCAT5.NTF template
is upgraded. Used only for internal purposes.

Selection formula: (Optional) Specifies a selection formula to control which
documents are aggregated. Click Check Syntax to verify that the syntax
specified in a selection formula is valid. For more information, see the
earlier topic “Using a selection formula in a directory catalog configuration
document.”

Replication history: Shows the date and time when the Dircat task last
replicated the aggregated directories. Click Clear History to do a full
rebuild of the directory catalog. Do not click Clear History unless you
understand Dircat rebuilds. For more information, see the later topic “The
Dircat task.”
Field: Directory Catalog filenames
Enter: The file name(s) of the directory catalog(s) the Dircat task should
process. Separate multiple file names with commas.

Field: Schedule
Enter: Select Enabled.

Field: Run Directory Catalog aggregator at
Enter: A time range or one or more specific times to update the source
directory catalog. Separate multiple time entries with commas (,). The
default is the range 08:00 AM to 10:00 PM.

Field: Repeat interval of
Enter: A number representing the minutes between updates that are scheduled
during a time range. The default is 360 minutes (every 6 hours). Consider
reducing this interval to have the Dircat task run every 60 or 120 minutes.

Field: Days of week
Enter: The days of week to run the Dircat task. The default is daily.
Access setting   Tasks allowed
Read             Allows a user to read a field. The user must also have
                 Browse access to the document.
Write            Allows a user to modify a field.
When more than one type of document uses a particular field, you
control access to the field separately for each type of document.
If you are controlling the access of Notes and Web users, be aware of the
following issues. These issues do not apply to access through other
means, such as LDAP access or Notes application access, except where
indicated.
• If you deny a Notes or Web user access to a field in a document, when
the user opens the document, the document does not show the field and the
text (TRUNCATED) shows in the tab of the document. In addition, the user is
unable to edit the document, even if the user has write access to the
fields in it.
• If you deny a Notes or Web user access to a field in a document that a
view uses to sort the document, the name of the document is blank in the
view. The user can still select the document to open it.
• To delete a document, a Notes or Web user must be able to see the
document in a view. To see a document requires Browse access to the
document.
• To create a document, a Notes or Web user or a Notes application must
have Create access to the document as well as Write access to the fields to
which the user/application will add values.
Administer access
Grant Administer access to allow someone with Designer or Editor
access in the database ACL to modify access settings at an extended ACL
target. Someone with Manager access in the database ACL can modify an
extended ACL without having Administer access. Grant Administer
access to allow someone to manage access to documents under a target
category without granting the person Manager access in the database
ACL. A user with Editor or Designer access in the database ACL does
not have the Administer access by default; you must grant the user that
access explicitly. You grant someone Administer access to a target
category and not to a specific document.
Note You can give a Domino 6 server Administer access to a selected
target category. This access enables the server to be an extended
administration server whose Administration Process manages
documents below the selected target category.
For more information, see the chapter “Setting Up the Administration
Process.”
Default access compared to form-specific access
When you set a subject’s access to a selected target, you specify default
access settings that generally apply to all types of documents at the
selected target. Then you can also set form-specific access settings that
are different than the default access settings. For example, by default you
can deny a subject Browse and Read access, but then allow Browse access
to Person and Group documents and Read access to the fields in those
documents.
Default access
You use the “Extended Access at target” dialog box to set a subject’s
default access to a target. The following figure shows default access set to
Deny all for the -Default- subject at / (root)
Form-specific access
You click Form and Field Access from the “Extended Access at target”
dialog box to use the “Form and Field access at target” dialog box to set
form-specific access settings that are exceptions to the selected subject’s
default access at the selected target. The following figure shows access
set for the Person form for the -Default- subject at / (root):
Note The Administer access setting is available only as a default access
setting, and not as a form-specific access setting.
Displaying LDAP attributes and object classes when setting
form-specific access
Use the Schema option in the “Form and Field access at target” dialog
box to control whether the dialog box shows the directory contents in
terms of LDAP object classes and attributes or in terms of Domino forms
and fields. Domino is selected by default, meaning the dialog box shows
Domino forms and fields. To show LDAP object classes and attributes,
select LDAP next to the Schema option.
When you set a subject’s access to a form or field, the access setting
automatically applies to the corresponding LDAP object class or
attribute, if there is one. Similarly, if you set a subject’s access to an object
class or attribute, the access also applies to the corresponding form or
field if there is one.
For example, if you deny a subject Read access to the InternetAddress
field of a Person form when Domino is selected as the Schema option, the
subject is also denied LDAP Read access to the mail attribute of the
dominoPerson object class that shows when LDAP is selected as the
Schema option. If the Schema option is set to LDAP and you deny a subject
Read access to the mail attribute of the dominoPerson object class, the
subject is also denied Read access to the InternetAddress field of a Person
form that shows when Domino is selected as the Schema option.
Some object classes and attributes that the “Form and Field access at
target” dialog box displays when you select LDAP as the Schema option
do not correspond to forms and fields and are useful only for controlling
LDAP access. For example, the object class residentialPerson does not
correspond to a form. Similarly, some forms and fields that the dialog
box displays when you select Domino as the Schema option do not
correspond to LDAP object classes and attributes and are useful only for
controlling Notes or Web user access. For example, the form
DirectoryProfile does not correspond to an object class.
Note Domino uses the Domino LDAP Schema database
(SCHEMA.NSF) to generate the LDAP object classes and attributes that
display when you choose LDAP for the Schema option in the dialog box.
So to use the LDAP schema option, the directory for which you are
setting access must be located on a server that runs the LDAP service. If
you extend the schema, you can use the extended ACL to control access
to the new object classes and attributes.
For more information on the LDAP schema, see the chapter “Managing
the LDAP Schema.”
Precedence rules used to resolve access conflicts at a target
When you select a target in the “Extended Access at: target” dialog box,
by default the dialog box shows all the subjects in the extended ACL
with access settings to the target. Included are subjects whose access is
set at and inherited from a higher target through the scope “This
container and all descendants.” (You can select “Show Modified” to see
only the subjects with access set directly at the target.)
More than one subject that is shown at a selected target can apply to a
particular user. For example, a user might be a member of two groups,
both of which have access set to the target O=Acme. The following
precedence rules are applied to determine the access a user has to a
target when there are multiple subjects that apply to the user at the
target.
Note Even after precedence rules are applied, a user’s access can never
exceed the access the database ACL allows the user.
1. Access set for a subject with the scope “This container only” takes
precedence over access set for a subject with the scope “This container and
all descendants,” regardless of subject type. For example, the access set
for the subject */Acme and the scope “This container only” takes precedence
over the access set for the subject Kathy Brown/Acme and the scope “This
container and all descendants.”
2. Among subjects with the same scope, access for a more-specific type of
subject takes precedence over access for a less-specific type of subject.
The order of subject specificity, from most specific to least specific, is:
a. Individual user or server
b. Self
c. Group
d. A wildcard, — for example */Acme
e. -Default-
For example, the access set for Kathy Brown/Acme with the scope
“This container and all descendants” takes precedence over the
access set for the group Admins/Acme with the scope “This
container and all descendants”.
3. When evaluating more than one group subject or more than one
wildcard subject, the access settings of the subjects are combined,
with Deny access taking precedence over Allow access. For example,
if the group Admins/Acme denies Write access and allows all other
access, and the group Managers/Acme denies Create access and
allows all other access, users that are members of both groups are
denied Write and Create access and allowed all other access.
Tip To determine a user’s effective access to an extended ACL target
after extended access settings and database access are evaluated, select
the target in the “Extended Access at target” dialog box, then click
Effective Access.
For more information on using the Effective Access tool, see the topic
“Showing a subject’s effective access to an extended ACL target” later in
the chapter.
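The three precedence rules and the database-ACL cap, implemented as an added Python example. This is illustrative code written for this page, not Domino code; the Entry structure, the subject-type names (user, self, group, wildcard, default), the modeling of a database ACL level as the set of rights it grants, and the choice to return no access when no subject matches are this example’s own assumptions. The function table_examples() evaluates the three rows of the table that follows in the text, for a constructed user who belongs to both Admins/Acme and Managers/Acme.

```python
from dataclasses import dataclass

RIGHTS = frozenset({"Browse", "Read", "Write", "Create", "Delete"})
# Rule 2 ordering, most specific first (lower number wins).
SPECIFICITY = {"user": 0, "self": 1, "group": 2, "wildcard": 3, "default": 4}
DESCENDANTS = "This container and all descendants"
CONTAINER_ONLY = "This container only"


@dataclass(frozen=True)
class Entry:
    """One subject's settings at one target, as shown in the Extended Access dialog."""
    subject: str
    kind: str              # user | self | group | wildcard | default
    scope: str             # CONTAINER_ONLY or DESCENDANTS
    allow: frozenset
    deny: frozenset


def applies(entry, user, groups, own_document):
    """Does this subject cover the user? (wildcard */Acme = any name under /Acme)"""
    if entry.kind == "user":
        return entry.subject == user
    if entry.kind == "self":
        return own_document           # target is the user's own Person document
    if entry.kind == "group":
        return entry.subject in groups
    if entry.kind == "wildcard":
        return user.endswith(entry.subject.lstrip("*"))
    return entry.kind == "default"


def effective_access(entries, user, groups, db_acl_rights, own_document=False):
    """Apply precedence rules 1 to 3, then cap the result by the database ACL."""
    hits = [e for e in entries if applies(e, user, groups, own_document)]
    if not hits:
        return frozenset()   # assumption of this model: no matching subject, no access
    # Rule 1: "This container only" beats "all descendants" regardless of subject type.
    container_only = [e for e in hits if e.scope == CONTAINER_ONLY]
    if container_only:
        hits = container_only
    # Rule 2: keep only the most specific subject type still in play.
    best = min(SPECIFICITY[e.kind] for e in hits)
    hits = [e for e in hits if SPECIFICITY[e.kind] == best]
    # Rule 3: several groups (or wildcards) combine, with Deny beating Allow.
    allowed = frozenset().union(*(e.allow for e in hits))
    denied = frozenset().union(*(e.deny for e in hits))
    # A user's access never exceeds what the database ACL allows.
    return (allowed - denied) & frozenset(db_acl_rights)


def table_examples():
    """The three rows of the precedence table, for a user in both Admins/Acme and
    Managers/Acme and a database ACL that grants every right (constructed input)."""
    user, groups = "Kathy Brown/Acme", ["Admins/Acme", "Managers/Acme"]
    rb, cdw = frozenset({"Read", "Browse"}), frozenset({"Create", "Delete", "Write"})
    rows = {
        "rule 1": [Entry("*/Acme", "wildcard", DESCENDANTS, rb, cdw),
                   Entry("*/Acme", "wildcard", CONTAINER_ONLY, cdw, rb)],
        "rule 2": [Entry("Admins/Acme", "group", DESCENDANTS, RIGHTS, frozenset()),
                   Entry("*/Acme", "wildcard", DESCENDANTS, frozenset(), RIGHTS)],
        "rule 3": [Entry("Admins/Acme", "group", DESCENDANTS, rb, cdw),
                   Entry("Managers/Acme", "group", DESCENDANTS, cdw, rb)],
    }
    return {rule: effective_access(rows[rule], user, groups, RIGHTS) for rule in rows}
```

The last line of effective_access is the one to keep in mind when reading the Effective Access tool: an extended ACL that allows Create, Delete and Write to a group still yields only Browse and Read for a member whose database ACL level is Reader.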
The combined access in each example can never exceed the access granted in
the database ACL.

Example 1 (Rule 1 applied)
Subject 1: */Acme; scope “This container and all descendants”;
Allow: Read, Browse; Deny: Create, Delete, Write
Subject 2: */Acme; scope “This container only”;
Allow: Create, Delete, Write; Deny: Read, Browse
Combined access: Allow: Create, Delete, Write; Deny: Read, Browse

Example 2 (Rule 2 applied)
Subject 1: Admins/Acme group; scope “This container and all descendants”;
Allow: All
Subject 2: */Acme; scope “This container and all descendants”; Deny: All
Combined access: Allow: All

Example 3 (Rule 3 applied)
Subject 1: Admins/Acme group; scope “This container and all descendants”;
Allow: Read, Browse; Deny: Create, Delete, Write
Subject 2: Managers/Acme group; scope “This container and all descendants”;
Allow: Create, Delete, Write; Deny: Read, Browse
Combined access: Deny: All
Subject: Admins/East/Acme group
Access: Default: Allow all
This container and all descendants? Yes
Description: Allows members of Admins/East/Acme to have full access to
documents under OU=East
Component type: Server tasks

Router task: Monitors the MAIL.BOX database for new messages. Responsible
for transferring messages to other servers and delivering messages to local
mail files. Can transfer mail using Notes remote procedure calls (NRPC) as
well as SMTP. Converts message format between Notes rich text and MIME as
needed. Maintains a routing table comprised of information derived from the
Domino Directory and NOTES.INI file.

SMTP task: (Optional) Enables the SMTP listener, which lets the server
receive messages sent over SMTP routing.

Server task: Listens for incoming messages sent by clients and servers over
Notes routing and for Notes client requests.

IMAP task: (Optional) Enables IMAP clients to access messages in user mail
databases on the Domino server.

Converter: (Optional) Enables mail files for IMAP access.

Message Tracking Collector (MT Collector): (Optional) Maintains the
MTSTORE.NSF database used to perform message tracking.

Object Store Manager: (Optional) Performs maintenance activities on
databases and mail files that use shared mail.

POP3 task: (Optional) Enables POP3 clients to access messages in user mail
databases on the Domino server.

HTTP task: (Optional) Allows the server to host Web applications. Needed to
provide Web clients and iNotes users with access to their mail databases on
the Domino server.

DOLS: (Optional) Provides iNotes Web Access users with offline access to
their mail databases.
Server documents: Every Domino server requires a Server document. Server
documents specify the following for each server: Notes name; IP address;
fully-qualified Internet hostname; Domino domain; the Notes Named Networks it
is a member of; Internet messaging ports and services available, such as the
IMAP, POP, and SMTP ports; the security options for each port.

Configuration Settings documents: Configuration Settings documents provide
additional information that determines how servers process incoming and
outgoing mail. They define Router settings for SMTP and Notes routing; set
inbound SMTP restrictions; provide MIME conversion information; configure
mail access for IMAP and iNotes Web Access clients.

Connection documents: Connection documents define the routing path to
servers outside the current Domino domain or Notes Named Network.

Global Domain documents: Global Domain documents identify the Internet
domains considered to be internal to a Domino domain and for which the local
domain can accept mail. Also provide instructions for converting the sender’s
Notes mail address to an SMTP address.

Adjacent and Non-adjacent Domain documents: Adjacent and Non-adjacent Domain
documents specify the domains from which the current domain will accept mail
destined for a specified adjacent or non-adjacent domain. Non-adjacent Domain
documents also define the intermediary domain through which the local domain
routes mail intended for a Notes domain to which no direct connection exists.

Foreign SMTP Domain documents: Foreign SMTP Domain documents define the
relationship between Domino domains and SMTP mail systems.

Internet Site documents: Internet Site documents provide protocol
information for IMAP, POP3 and SMTP ports. If configured, the information in
a Site document takes precedence over settings for the port in the Server
document.

File Identification documents: File Identification documents define the
relationships between the file extensions and MIME types and subtypes of
various file types.

Person documents: Person documents provide information about the location of
the user’s mail file; Notes and Internet mail addresses; Internet passwords
required for HTTP, POP3, and IMAP access; and mail storage preferences.
Chapter 27
Setting Up Mail Routing
This chapter describes how to set up mail routing on your Domino
system. If you are upgrading a mail system from a previous Domino
release, see the Upgrade Guide.
The Domino mail router
The Domino mail router (the Router) is a special server task responsible
for the delivery and transfer of the messages in MAIL.BOX. Delivery
refers to moving messages from MAIL.BOX into a local mail file or
database; while transfer refers to sending messages from MAIL.BOX
across the network to another server.
Mail routing on a Domino server begins when a mail server receives a
message from a mail client, a Router on another Domino server, or an
application. The message is transferred to a special Notes database,
called MAIL.BOX, on the server. The server temporarily stores all
incoming and outgoing mail in the MAIL.BOX database.
The Router periodically checks MAIL.BOX for new or changed messages.
When it finds a message that requires processing, the Router reads the
recipient list and for each recipient determines whether the destination
mail file is on the current server or a different server. The Router then
moves the message, delivering it to local mail files on the server or
transferring it to MAIL.BOX databases on other servers as necessary.
When a recipient’s mail file is not on the local server, but is in the
Domino domain, Domino calculates how to route the message to the
recipient’s server and whether to use SMTP or Notes routing. The
configuration of the local server and the message format determine how
Domino moves the message to the server. For messages in MIME format,
if the local server can send SMTP within the local Internet domain and
the home mail server can receive SMTP, the Router uses SMTP to send
the message. Otherwise the message is routed using NRPC.
When necessary, the Router converts the format of the message.
Conversion can occur during message delivery and during message
transfer. For example, if a recipient’s Person document specifies MIME
storage for incoming mail, but the original message was sent in Notes
27-1
Mail
rich text format, the Router converts the message to MIME before
delivering it to the local recipient’s mail file. Likewise, during message
transfer, if a server receives a message in MIME format and must transfer
it to a Domino Release 4 server, which does not support MIME, the
server converts the MIME message to Notes rich text before transferring
it. To determine whether the receiving server can handle MIME
messages, the sending server checks the Server document of the
receiving server to find out what version of Domino it’s running.
To minimize the number of conversions, Domino servers running
Release 5 or later support the transfer of MIME messages over Notes
routing. As a result, MIME messages destined for Internet recipients can
route through internal servers “as is,” regardless of whether the
intermediate servers use Notes routing or SMTP.
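The following Python model is an added illustration, not Domino code and not from this guide, of the per-recipient decisions the Router makes as described above: deliver locally or transfer, choose SMTP or NRPC for a transfer inside the Domino domain, and convert the message format on delivery or transfer. The Server, Person and message records are constructed stand-ins for the Server documents, Person documents and MAIL.BOX entries the Router actually reads; the release numbers and the "MIME storage" flag are assumptions used only to drive the rules.

```python
# Added illustration (not Domino code) of the Router's per-recipient
# decisions: deliver vs. transfer, SMTP vs. NRPC, and format conversion.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Server:
    name: str
    release: int          # major Domino release; Release 4 cannot handle MIME
    smtp_listener: bool   # SMTP Listener enabled, so it can receive SMTP
    smtp_local: bool      # may send SMTP within the local Internet domain


@dataclass
class Person:
    mail_server: str
    mail_file: str
    mime_storage: bool    # Person document asks for MIME storage of incoming mail


@dataclass
class Message:
    fmt: str              # "MIME" or "RichText"
    recipients: List[str]


@dataclass
class Decision:
    recipient: str
    action: str                         # "deliver" or "transfer"
    target: str                         # mail file (deliver) or next-hop server (transfer)
    protocol: Optional[str] = None      # "SMTP" or "NRPC" for transfers
    converted_to: Optional[str] = None  # format conversion applied, if any


def route_recipient(local: Server, servers: Dict[str, Server],
                    persons: Dict[str, Person], msg: Message, rcpt: str) -> Decision:
    person = persons[rcpt]
    home = servers[person.mail_server]
    if home.name == local.name:
        # Delivery: convert to the format the Person document wants stored.
        conv = "MIME" if person.mime_storage and msg.fmt != "MIME" else None
        return Decision(rcpt, "deliver", person.mail_file, None, conv)
    # Transfer inside the Domino domain: SMTP only for MIME messages when the
    # local server may send SMTP locally and the home server can receive it.
    if msg.fmt == "MIME" and local.smtp_local and home.smtp_listener:
        return Decision(rcpt, "transfer", home.name, "SMTP", None)
    # Otherwise NRPC; a Release 4 next hop cannot take MIME, so convert first.
    conv = "RichText" if msg.fmt == "MIME" and home.release < 5 else None
    return Decision(rcpt, "transfer", home.name, "NRPC", conv)


def route_message(local: Server, servers: Dict[str, Server],
                  persons: Dict[str, Person], msg: Message) -> List[Decision]:
    """One Decision per recipient, the way the Router walks the recipient list."""
    return [route_recipient(local, servers, persons, msg, r) for r in msg.recipients]


# Constructed directory: a hub plus three mail servers of different vintages.
SERVERS = {
    "Hub/acme": Server("Hub/acme", 6, True, True),
    "Mail1/acme": Server("Mail1/acme", 6, True, True),
    "Mail2/acme": Server("Mail2/acme", 5, False, False),
    "Legacy/acme": Server("Legacy/acme", 4, False, False),
}
PERSONS = {
    "alice@acme.com": Person("Hub/acme", "mail/alice.nsf", True),
    "bob@acme.com": Person("Mail1/acme", "mail/bob.nsf", False),
    "carol@acme.com": Person("Mail2/acme", "mail/carol.nsf", True),
    "dave@acme.com": Person("Legacy/acme", "mail/dave.nsf", False),
}

if __name__ == "__main__":
    # The hub is the local server processing its MAIL.BOX.
    for d in route_message(SERVERS["Hub/acme"], SERVERS, PERSONS,
                           Message("MIME", list(PERSONS))):
        print(d)
```

Run from the hub, a MIME message to all four users is delivered to alice without conversion, sent to Mail1 over SMTP, sent to Mail2 over NRPC (no Listener there), and converted to rich text before the NRPC transfer to the Release 4 server.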
Planning a mail routing topology
Domino offers you considerable flexibility in configuring your mail
system infrastructure, allowing you to use Notes routing, SMTP routing,
or both, for internal and external messages. In determining how to set up
mail routing, you need to consider:
• How clients access the server
• How to route internal mail
• How to route mail to external destinations
• Connection topologies for mail routing
Connection topologies for mail routing
Typically, mail routing on the network occurs across a mix of
hub-and-spoke and peer-to-peer connections. In a hub-and-spoke
topology, mail traffic passes between a central hub server and multiple
spoke servers; no mail is exchanged directly among the spokes. A
hub-and-spoke topology is suited to handling a high volume of mail
across a large organization. In a peer-to-peer topology, on the other
hand, every server connects to every other server. A peer-to-peer
topology is commonly used when connecting a small number of servers
in a workgroup or department.
• In larger networks, create a Domino server cluster to act as the mail
hub and specify the cluster as the destination in Connection
documents originating from spoke servers.
27-2 Administering the Domino System, Volume 1
• When connecting Domino domains, designate one server in each
domain to connect to other domains. In larger networks, make this
connecting server part of a Domino cluster to provide failover.
• When connecting domains across a wide-area network (WAN),
ensure that the Connection documents match the physical network
path of the WAN. For example, in a network where multiple WAN
connections originate from a central site (hub-to-spoke design),
create Connection documents that follow this same design, with
Connection documents between the hub server or server cluster and
each spoke server, and vice versa.
When setting up a connection from a spoke server to a clustered hub,
specify the name of the cluster as the destination server in
Connection documents.
• Establish a single Connection document to define routing from all
spoke servers in a domain to a central hub server or server cluster by
using a wildcard (*) to represent part of the source server's name in
the Connection document. For example, enter */acme as the source
server to set up a connection from all servers in the /acme
organization (Mail1/acme, Mail2/acme, SalesMail/acme,
HRMail/acme, and so forth) to a designated destination server.
• Establish a single Connection document to define routing from a hub
server to each spoke server by creating a server group that includes
each spoke server as a member and specifying this group as the
destination server in the Connection document from the hub server.
For example, create a group MailSpokes and add the servers
Mail1/acme, Mail2/acme, SalesMail/acme, and HRMail/acme to
this group. Then create a Connection document from the hub server
that lists MailSpokes as the destination server.
For more information on connecting servers, see the chapter “Setting Up
Server-to-Server Connections.”
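The following Python resolver is an added illustration, not Domino code and not from this guide, of how the two hub-and-spoke shortcuts above fit together: a wildcard source such as */acme on the spoke-to-hub document and a server group (MailSpokes) or cluster name as the destination on the hub-to-spoke documents. The documents, group membership and cluster membership are constructed; the rule that */acme matches every server whose hierarchical name ends in /acme is an assumption made for this example.

```python
# Added illustration (not Domino code): which Connection documents cover a
# source -> destination pair when sources use a wildcard and destinations
# name a group or a cluster.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ConnectionDoc:
    source: str        # server name or wildcard such as "*/acme"
    destination: str   # server name, group name or cluster name


# Constructed group and cluster membership.
GROUPS: Dict[str, List[str]] = {
    "MailSpokes": ["Mail1/acme", "Mail2/acme", "SalesMail/acme", "HRMail/acme"],
}
CLUSTERS: Dict[str, List[str]] = {
    "HubCluster": ["Hub1/acme", "Hub2/acme"],
}


def source_matches(pattern: str, server: str) -> bool:
    if pattern.startswith("*/"):
        # Assumption: "*/acme" stands for every server under the /acme
        # organization, including OU servers such as Mail3/Sales/acme.
        return server.endswith(pattern[1:])
    return pattern == server


def destination_servers(dest: str) -> List[str]:
    # A group or cluster name expands to its members; anything else is one server.
    return GROUPS.get(dest) or CLUSTERS.get(dest) or [dest]


def applicable(docs: List[ConnectionDoc], source: str, destination: str) -> List[ConnectionDoc]:
    return [d for d in docs
            if source_matches(d.source, source)
            and destination in destination_servers(d.destination)]


def two_way(docs: List[ConnectionDoc], a: str, b: str) -> bool:
    """Mail routes in both directions only if each direction has a document."""
    return bool(applicable(docs, a, b)) and bool(applicable(docs, b, a))


# Constructed hub-and-spoke set: one wildcard document from every /acme
# server to the clustered hub, and one per hub member back to the spokes.
DOCS = [
    ConnectionDoc("*/acme", "HubCluster"),
    ConnectionDoc("Hub1/acme", "MailSpokes"),
    ConnectionDoc("Hub2/acme", "MailSpokes"),
]

if __name__ == "__main__":
    print(applicable(DOCS, "SalesMail/acme", "Hub2/acme"))
    print(two_way(DOCS, "Mail1/acme", "Mail2/acme"))  # spokes never connect directly
```

The check worth keeping from this: three documents cover every spoke-hub pair in both directions, no document covers spoke-to-spoke traffic, and a server outside the /acme organization matches nothing.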
Clients accessing the Domino server
Users who have mail files on the Domino server can use either the Notes
client or an Internet mail client to access their mail. By default, Notes
clients use Notes protocols to send and access mail on a Domino server,
but a Notes client can also act as an Internet mail client. Internet mail
clients access mail files through the Domino POP3, IMAP, or HTTP
servers. POP3 and IMAP clients send mail using SMTP.
When deciding how to route local mail, keep in mind what types of mail
clients you support. For example, if users have Internet mail clients, such
as POP3 or IMAP, you’ll need servers that can receive mail over SMTP.
On the other hand, if most users send mail from the Lotus Notes mail
client, you’ll want to implement Notes routing to ensure support for
Notes public key security and features such as Notes Document links
and workflow applications.
For more information about Domino mail clients, see the chapter
“Overview of the Domino Mail System.”
Routing internal mail
Internal mail consists of messages sent between users within an
organization and its local Internet domains. The Domino mail router (the
Router) uses both SMTP and Notes routing to transfer messages between
network servers, and handles messages in both MIME format and Notes
rich text format. By default, the Router transfers local mail using the
Notes routing protocol only. Within a given Domino named network,
servers that use Notes routing automatically transfer mail among
themselves.
For information about configuring Notes routing to support messaging
across multiple Domino named networks and domains, see the topic
“Setting up Notes routing” later in this chapter.
To use SMTP routing to transfer local mail, you must enable the SMTP
listener for receiving mail and enable servers to send SMTP within the
local Domino domain. In addition, the Server document for each
SMTP-enabled server must specify a valid, fully qualified Internet host
name for the server. In most cases the host name field is populated
during server setup or by the Admin process (AdminP).
For information about setting up internal SMTP routing, see the topic
“Setting up SMTP routing within the local Internet domain” later in this
chapter.
Implementing different protocols for internal and external routing
When selecting the protocol to use for internal mail routing, don’t base
your decision on whether you’re using SMTP to transfer mail to external
systems. Domino can send mail to the Internet even if you use Notes
routing for internal mail. Rather than having all your servers route
SMTP, you may want to retain a gateway-style architecture wherein you
channel all mail to and from the Internet through a few designated
servers and prohibit the majority of internal servers from sending
directly to the Internet.
Ensuring support for Lotus Notes functionality
When choosing a routing protocol, consider security requirements and
the need to support Notes applications. Using Notes as the internal
routing protocol and SMTP for external routing can provide greater
protection for your network against external intrusion. Certain Lotus
Notes features, such as mail-enabled workflow applications, Notes
public key security, and Notes items, such as Doclinks, require Notes
routing to work properly.
Routing mail to local users not listed in the Domino Directory
If you have users in your organization who are not listed in the Domino
Directory, but in an alternate directory on another SMTP server, set up
Domino to use this other server as a smart host. When processing a
message in MAIL.BOX, if the Router comes across a recipient address
that is in the local Internet domain, but does not have a match in the
Domino Directory, it forwards the message to the specified smart host,
which routes it to the recipient.
For information about setting up a smart host, see the topic “Setting up a
smart host” later in this chapter.
A Domino SMTP server in your organization may receive Internet mail
for recipients in Domino domains that are within the local Internet
domain, but outside the local Domino domain, and thus not listed in the
Domino Directory. To ensure that the server can access other Domino
Directories and route messages to servers in other Domino domains,
configure Directory Assistance on the server.
For more information, see the chapter “Setting Up Directory Assistance.”
Starting and stopping the mail router
By default, when you start the server, the Router task automatically loads
and starts. You can manually shut down and restart the Router to
troubleshoot server and messaging problems. You can also disable
automatic loading of the Router.
To shut down the Router from the console
Enter this command at the console:
tell router quit
This shuts down the Router. Mail accumulates in MAIL.BOX, since other
servers and clients continue to deposit mail, but the Router does not
deliver or transfer the messages.
To reload the Router, enter this command at the console:
load router
The Router task starts and begins routing and delivering mail.
To shut down the Router from the Domino Administrator
1. From the Domino Administrator, click the Server — Status tab.
2. Select the Server Tasks view.
3. From the list of tasks, right-click Router and select Stop Task.
4. Click Yes when prompted to confirm the operation. The Router task
shuts down and no longer appears in the list of active tasks. Mail
accumulates in MAIL.BOX, since other servers and clients continue
to deposit mail, but the Router does not deliver or transfer the
messages.
To start the Router from the Domino Administrator
1. From the Domino Administrator, click the Server — Status tab.
2. Choose Tools — Task — Start.
3. From the Start New Task dialog box, select Router and click Start
Task. The Router task starts and begins routing and delivering mail.
4. Click Done to close the dialog box.
To prevent the Router from automatically starting when the server
starts
1. Shut down the server.
2. Edit the NOTES.INI file to remove Router from the ServerTasks
setting.
3. Restart the server so that the change takes effect.
When you restart the server, it does not load the Router task.
To restore automatic loading, add Router back to the ServerTasks setting
in the NOTES.INI file.
Routing mail on demand to a specific server
You can route mail to another Domino server between scheduled
intervals, forcing all mail in the transfer queue of the specified server to
route immediately. Use one of the following methods:
• The console ROUTE command
• The Domino Administrator
Sending mail outside the local Internet domain
Because all mail on the Internet travels over SMTP routing, for your
organization to send mail to Internet addresses you’ll need to set up at
least one Domino server to send SMTP to external Internet domains and
one to listen for incoming SMTP connections. Alternately, you can enable
multiple, or even all, of your servers to route mail over SMTP to external
Internet domains. Although you can use a single server to handle
incoming and outgoing SMTP connections, if you anticipate a high
volume of Internet mail, to avoid bottlenecks consider balancing the load
among multiple servers.
The Domino SMTP servers you use for inbound and outbound Internet
mail can connect to the Internet either directly or through an SMTP relay
host or firewall. Routing between the Domino Internet mail server and
internal mail servers can be over either SMTP or Notes routing. It’s not
necessary to enable SMTP routing on your internal servers.
Using a single server to route mail to external Internet domains
In this configuration, a single designated mail server connects to the
Internet. All other internal mail servers route messages addressed to
recipients in external Internet domains to this server. If you use SMTP for
internal mail routing, you can configure all of your internal servers to use
the server that is connected to the Internet as a relay host. In the
Configuration Settings documents that apply to any mail servers that do
not connect directly to the Internet, enter the host name of the designated
relay host in the “Relay host for messages leaving the local Internet
domain” field. When the Router on these internal servers finds a message
addressed to a recipient in an external Internet domain, it looks up the
specified relay host in the DNS and forwards the message to it.
To set this up using Notes protocols, create a Foreign SMTP Domain
document and an SMTP Connection document. When the Router on a
server not connected directly to the Internet finds a message addressed to
a recipient in an external Internet domain, the Router forwards the
message to the domain in the Foreign SMTP Domain document, which is
connected to the server with an Internet connection by the SMTP
Connection document. When that server receives the message, its Router
connects to the external Internet domain and routes the message.
Using multiple servers to route mail to external Internet domains
In this configuration, a few designated mail servers connect to the
Internet. Other mail servers route messages addressed to recipients in
external Internet domains to these servers. To set this up using SMTP,
configure the servers that are connected to the Internet as relay hosts —
for example, create a DNS name, such as outbound.acme.com, that maps
to multiple MX records. Each MX record lists one of the connected
servers. Enter the DNS name in the “Relay host for messages leaving the
local Internet domain” field in the Configuration Settings document that
applies to all servers that do not connect directly to the Internet. When the
Router on those servers finds a message addressed to a recipient in an
external Internet domain, it forwards the message to one of the servers
that are listed in DNS and correspond to that name.
To set this up using Notes protocols, create Foreign SMTP Domain and
SMTP Connection documents. When the Router on a server not
connected directly to the Internet finds a message addressed to a
recipient in an external Internet domain, the Router forwards the
message to the domain in the Foreign SMTP Domain document, which is
connected to one of the servers with an Internet connection by the SMTP
Connection document. When that server receives the message, its Router
connects to the external Internet domain and routes the message.
Enabling all mail servers to route mail to external Internet domains
In this configuration, every mail server connects to the Internet and runs
the TCP/IP network protocol. Each server has the setting "SMTP used
when sending messages outside of the local Internet domain" enabled in
its Configuration Settings document. When a user sends a message to a
recipient in an external Internet domain, the Router looks up the domain
in the Domain Name Service (DNS) and uses SMTP to connect to the
receiving server in that domain. The Router transfers the message and
closes the connection.
Routing SMTP mail over dialup connections
Your organization may connect to the Internet and external Internet
domains through a dialup connection — for example, to an Internet
Service Provider (ISP). To set up a dialup connection in your Domino
mail system:
• For Notes routing, create a Notes Direct Dialup Connection
document
• For SMTP routing, create a Network Dialup Connection document
that specifies TCP/IP as the network protocol
After you create the appropriate Connection document, specify how
Domino exchanges messages over that connection.
For more information on creating Connection documents for dialup
connections, see the chapter “Setting up Server-to-Server Connections.”
For information on setting up mail routing over a dialup connection, see
the topic “Routing mail over transient connections” later in this chapter.
Routing Internet mail through a relay host
A relay host is an SMTP server that receives mail from other servers and
then transfers, or relays, it to the next SMTP server on the route to the
recipient’s domain. A relay host can be a Domino SMTP server, or a
non-Domino SMTP host — for example, you might relay mail to an
SMTP server hosted by your ISP, or through a firewall server. If only a
small number of servers on the network have direct connections to the
Internet, set these servers up as relay hosts to which other internal
servers forward messages for recipients in external Internet domains.
You can set up a single relay host that handles messages addressed to
any external Internet domain, or set up multiple relay hosts, and set up
each one to route messages addressed to specific Internet domains.
For more information on setting up relay hosts, see the topic
“Configuring Domino to send mail to a relay host or firewall” later in
this chapter.
Sample mail routing configurations
These sample mail routing configurations represent typical messaging
implementations; however, other configurations are possible. Use these
sample configurations to help you plan and refine the messaging
infrastructure in your organization:
• Use one server for all Internet messages
• Use one server for inbound and one server for outbound messages
• Use two servers to balance Internet mail load
• Set up mail routing in the local Internet domain
• Set up mail routing between a third-party server and Domino in the
same Internet domain
• Use a smart host
• Use all servers to route outbound mail and one to route internal mail
Field: Use these settings as the default settings for all servers
Enter: Select the Yes checkbox to have this document serve as the
default Configuration Settings document for all Domino servers in the
Domino domain. If you create additional Configuration Settings
documents in the Domino Directory for specific servers or groups of
servers, settings in those documents override equivalent settings in
the default document.
Field: Group or server name
Enter: The name of the individual server or server group to which this
Configuration Settings document applies.
Type of connection: To a server in the same Domino named network
Documents required: No Connection documents required. There must be
a common entry on the Ports - Notes Network Ports tab of each server's
Server document.
Type of connection: To a server in a different Domino named network
within the local Domino domain
Documents required: Two Connection documents, one from each server,
to ensure that mail routes in both directions.
Type of connection: To an adjacent Domino domain
Documents required: Two Connection documents, one in each Domino
domain, to ensure that mail routes in both directions. One Adjacent
domain document if you need restrictions.
Type of connection: To a non-adjacent Domino domain
Documents required: Two Connection documents, one in each Domino
domain that connects to the adjacent Domino domain. Two Non-adjacent
domain documents, one in each of the Domino domains that are not
adjacent, to provide restrictions and simplify addressing across the
intermediary domain between the first and third domains.
Type of connection: To a gateway for a foreign domain
Documents required: One Foreign domain document to identify the
foreign domain for non-mail messaging systems, such as fax or pager
systems.
Type of connection: To an SMTP-enabled server (for example, a server
that can send mail to the Internet)
Documents required: One Foreign SMTP domain document to identify the
destination for messages being sent to the Internet. One SMTP
Connection document to specify the SMTP-enabled server.
Field: Domain type
Enter: Choose Adjacent domain
Field: Adjacent domain name
Enter: The name of the adjacent Domino domain. The current domain
must have a Connection document to this domain.
Field: Domain description
Enter: Optional description of the domain
Field: Allow mail only from domains
Enter: The names of adjacent Domino domains that are allowed to route
mail to this adjacent domain. To allow any domain to route mail
through the local domain to this adjacent domain, leave this field
blank.
Field: Deny mail from domains
Enter: The names of adjacent Domino domains that are not allowed to
route mail to this adjacent domain. To allow any domain to route mail
through the local domain to this adjacent domain, leave this field
blank.
Note You cannot use wildcards in the Restrictions fields. You must
enter explicit domain names.
6. Create a Connection document to specify how servers in the current
domain connect to the adjacent domain.
Setting up routing to non-adjacent Domino domains
Non-adjacent domains are Domino domains that are not directly
connected, but have an intermediary domain, adjacent to both of them in
common. For example, domain A and domain B are adjacent and have
Connection documents defining the route between them. Similarly,
domain B, in turn, is adjacent to domain C and mutual Connection
documents exist between them; and domains C and D are likewise
adjacent to each other and linked by Connection documents. Domain B is
thus adjacent to domain A on one side, and domain C on the other; and
domain C is adjacent to B and D, respectively. If no direct connection
exists between A and C, these two domains are considered to be
non-adjacent domains. Similarly if there is no direct connection between
B and D, these two domains are also non-adjacent.
Field: Domain type
Enter: Choose Non-adjacent domain
Field: Mail sent to domain
Enter: The name of the non-adjacent Domino domain you want to route
mail to.
Field: Route through domain
Enter: The name of the intermediary Domino domain through which you
want to route mail for the destination domain. The current domain
must have a Connection document to this domain. Also, the Domino
Directory in the intermediary domain must have a Connection document
to the destination domain.
Field: Domain description
Enter: An optional description of the domain
5. Click the Restrictions tab, complete one or both of these fields, and
then save the document:
Field: Allow mail only from domains
Enter: The names of Domino domains adjacent to the current domain
that are allowed to route mail to this non-adjacent domain. Leave
this field blank to allow any domain to route mail through the local
domain to the non-adjacent domain.
Field: Deny mail from domains
Enter: The names of Domino domains adjacent to the current domain
that are not allowed to route mail to this non-adjacent domain. Leave
this field blank to allow any domain to route mail through the local
domain to the non-adjacent domain.
Note You cannot use wildcards in the Restrictions fields. You must
enter explicit domain names.
6. Create a Connection document to specify how servers in the current
domain connect to the intermediary adjacent domain.
Note Since, by definition, all servers in a domain use the same Domino
Directory, only one Non-adjacent domain document is required for each
non-adjacent domain. You do not have to create a separate document for
each server.
Setting up routing to external application gateways
Domino treats external messaging applications, such as fax or pager
gateways, as foreign domains. To route mail from a Domino domain to
an external application, create a Foreign domain document.
Creating a Foreign domain document
A Foreign domain document defines the path between a Domino domain
and an external application, such as a fax or pager gateway. A Foreign
domain document identifies the Domino server that acts as the gateway
to the external application.
Applications such as X.400 and cc:Mail use their own specialized
versions of the Foreign domain document to direct the messages through
a message transfer agent (MTA). For more information about MTAs, see
the documentation for the specific MTA.
Although Foreign domains are mostly used for third-party applications,
you can also use them to transfer messages between a Release 5.0 or later
server and a Release 3.x SMTP server.
Restrictions that you set on this Foreign domain document apply only to
the From domain of the previous hop. These restrictions work in
conjunction with those in the Configuration Settings document. Domino
always defaults to the most restrictive entry.
To create a Foreign domain document
1. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
2. Choose Domains.
3. Click Add Domain to create a new Domain document.
4. Click the Basics tab, and complete these fields:
Field: Domain type
Enter: Choose Foreign domain.
Field: Foreign Domain Name
Enter: The domain name of the foreign mail system. This name was
chosen when the MTA or gateway was installed.
Field: Domain description
Enter: An optional description of the gateway or MTA.
5. Click the Restrictions tab, and then complete these fields:
Field: Allow mail only from domains
Enter: The names of Domino domains that are allowed to route messages
to this foreign domain. Leave this field blank to allow any domain to
route mail through the local domain to the foreign domain.
Field: Deny mail from domains
Enter: The names of Domino domains that are not allowed to route
messages to this foreign domain. Leave this field blank to allow any
domain to route mail through the local domain to the foreign domain.
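The Allow/Deny pair above appears on the Adjacent, Non-adjacent and Foreign domain documents alike, and the text notes that restrictions on a Foreign domain document apply to the From domain of the previous hop, work together with the Configuration Settings document, and that Domino always defaults to the most restrictive entry. The following Python evaluator is an added illustration of those rules, not Domino code and not from this guide. Document contents and From-domain values are constructed; modelling the Configuration Settings restrictions as a second document carrying the same two fields is an assumption. Because the fields take explicit names only, it also treats a wildcard entry as a configuration error rather than letting it silently match nothing.

```python
# Added illustration (not Domino code) of Allow/Deny restriction fields on
# domain documents, combined with the "most restrictive entry wins" rule.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Restrictions:
    owner: str                                        # document these fields came from
    allow_only_from: List[str] = field(default_factory=list)
    deny_from: List[str] = field(default_factory=list)


def validate(r: Restrictions) -> None:
    """Wildcards are not supported in these fields: an entry such as */acme
    would never match any From domain. Reject it instead of shipping a rule
    that deceives the administrator (a no-op deny is the dangerous case)."""
    for name in r.allow_only_from + r.deny_from:
        if "*" in name or not name.strip():
            raise ValueError(f"{r.owner}: '{name}' is not an explicit domain name")


def permits(r: Restrictions, from_domain: str) -> bool:
    # An explicit deny always wins; a non-empty allow list closes the door
    # to everything not listed; both fields blank allow any domain.
    if from_domain in r.deny_from:
        return False
    if r.allow_only_from and from_domain not in r.allow_only_from:
        return False
    return True


def may_route(from_domain: str, restriction_sets: List[Restrictions]) -> bool:
    """Most restrictive wins: every applicable set must permit the hop."""
    return all(permits(r, from_domain) for r in restriction_sets)


# Constructed: a Foreign domain document for a fax gateway that only the
# Sales and HR domains may use, and a Configuration Settings document that
# additionally denies HR.
FAX_DOC = Restrictions("Foreign domain: FaxGateway", allow_only_from=["Sales", "HR"])
CONFIG = Restrictions("Configuration Settings", deny_from=["HR"])


def check(from_domain: str) -> bool:
    """Verdict for mail arriving from the previous-hop domain `from_domain`."""
    for r in (FAX_DOC, CONFIG):
        validate(r)
    return may_route(from_domain, [FAX_DOC, CONFIG])


if __name__ == "__main__":
    for d in ("Sales", "HR", "Marketing"):
        print(d, check(d))
```

Sales passes both documents, HR is allowed by the Foreign domain document but denied by the Configuration Settings document and therefore loses, and Marketing fails the allow list. Remember that the From domain checked here is the previous hop only: a message that entered via Sales is judged as coming from Sales regardless of where it originated.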
Field: Domain type
Enter: Foreign SMTP Domain
Field: Connection type
Enter: SMTP
Field: Source server
Enter: The name of the SMTP-enabled server where non-SMTP servers send
mail destined for the Internet domains specified in the Foreign SMTP
domain document. This server must have access to DNS and have SMTP
enabled for sending messages outside the local Internet domain.
Field: Connect via
Enter: Choose one:
• Direct connection: for servers that communicate over LAN
connections
• Dial-up connection: for servers that communicate over transient
connections, such as phone lines. If you select this option, Domino
displays the field "Dial using connection record."
Field: Dial using connection record
Enter: Specifies the Network Dialup Connection document containing the
dialup settings for connecting to the SMTP server specified in the
Source server field. This field appears only if you selected "Dial-up
connection" in the preceding field. Click "Choose record" to select a
Network Dialup Connection document (remote LAN service connection
record) from the list of previously created Network Dialup Connection
documents. For information about creating a Network Dialup Connection
document, see the chapter "Planning server-to-server connections."
Field: Destination server
Enter: A unique, fictitious, placeholder name, such as
all_internal_hosts. Domino does not use the value in this field, but
the Connection document will not work if the field is empty. The name
you specify must not match the name of any server on the network.
Field: Destination domain
Enter: The fictitious, logical domain name specified in the Internet
Domain name field of the corresponding Foreign SMTP domain document.
The name in this field links this SMTP Connection document with the
Foreign SMTP Domain document.
Field: SMTP MTA relay host
Enter: Specifies the SMTP host to which the source server transfers
outbound mail. This allows an SMTP server to further split Internet
destinations and configure multiple relays. If this field is blank,
the Router transfers outbound mail to the relay host specified in the
server's Configuration Settings document. If there is no relay host
specified in either this field or in the Configuration Settings
document, the Router determines the next hop by looking up the
destination domain in the DNS or a local hosts file, depending on the
value of the "Host name resolution" field on the Router/SMTP - Basics
tab of the Configuration Settings document.
For information on configuring how the Router resolves host names, see
the topic "Specifying how Domino looks up SMTP hosts when sending
outbound mail" later in this chapter.
On the Replication/Routing tab, complete these fields:
Field: Replication task
Enter: Disabled
Field: Routing task
Enter: Choose Mail Routing. Because the same routing task is
responsible for transferring messages over NRPC and SMTP, there's no
need to specify SMTP routing. The source server must have SMTP
routing enabled in its Server document; otherwise, the Router
discards the information in the SMTP Connection document. Choose SMTP
routing only if the specified source server is running Domino Release
4.6x or earlier.
Field: Route at once if
Enter: The number of pending messages that will force routing. Default
is 5.
On the Schedule tab, specify the desired routing schedule.
6. Click Save & Close. Replicate the Domino Directory to all servers in
the Domino domain.
The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, recalculate the
routing tables on all affected servers.
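The following Python function is an added illustration, not Domino code and not from this guide, of the next-hop precedence the "SMTP MTA relay host" field describes for mail leaving the local Internet domain: the relay host on the SMTP Connection document, else the relay host in the Configuration Settings document, else a lookup of the destination domain in DNS or in a local hosts file according to the "Host name resolution" setting. It also covers the earlier "Using multiple servers to route mail to external Internet domains" case, where one relay name such as outbound.acme.com carries several MX records. The DNS and hosts-file contents are constructed; rotating among equal-preference MX hosts and falling back to the bare name when a name has no MX record are assumptions made for this example.

```python
# Added illustration (not Domino code) of outbound next-hop selection:
# Connection document relay host > Configuration Settings relay host >
# lookup of the destination domain (DNS MX or hosts file).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MX:
    preference: int
    host: str


# Constructed DNS view: MX records per name. The two outbound relays share
# one preference so the load is spread between them.
DNS_MX: Dict[str, List[MX]] = {
    "outbound.acme.com": [MX(10, "relay1.acme.com"), MX(10, "relay2.acme.com")],
    "example.net": [MX(20, "mx2.example.net"), MX(10, "mx1.example.net")],
}
# Constructed local hosts file: only these names resolve without DNS.
HOSTS_FILE = {"relay1.acme.com", "relay2.acme.com", "gw.isp.example"}


def resolve(name: str, resolution: str, rotate: int = 0) -> List[str]:
    """Hosts to try, in order. MX records are ordered by preference; hosts
    with equal preference are rotated (assumption) so relays share load."""
    if resolution == "hosts file":
        return [name] if name in HOSTS_FILE else []
    records = sorted(DNS_MX.get(name, []), key=lambda m: m.preference)
    if not records:
        return [name]  # assumption: no MX record, try the name itself
    best = records[0].preference
    equal = [m.host for m in records if m.preference == best]
    rest = [m.host for m in records if m.preference != best]
    k = rotate % len(equal)
    return equal[k:] + equal[:k] + rest


def next_hop(dest_domain: str, conn_relay: Optional[str] = None,
             config_relay: Optional[str] = None, resolution: str = "dns",
             rotate: int = 0) -> Tuple[List[str], str]:
    """Return (hosts to try, which setting decided it)."""
    if conn_relay:
        return resolve(conn_relay, resolution, rotate), "SMTP Connection document relay host"
    if config_relay:
        return resolve(config_relay, resolution, rotate), "Configuration Settings relay host"
    return resolve(dest_domain, resolution, rotate), f"lookup of destination domain ({resolution})"


if __name__ == "__main__":
    print(next_hop("example.net", config_relay="outbound.acme.com"))
    print(next_hop("example.net", config_relay="outbound.acme.com", rotate=1))
    print(next_hop("example.net", resolution="hosts file"))  # nothing to try
```

The last call is the check worth running before switching "Host name resolution" away from DNS: with a hosts file, neither an MX-balanced relay name nor an arbitrary external domain resolves, so outbound mail has nowhere to go unless every relay host is listed in the file.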
Configuring Domino to send and receive mail over SMTP
Setting up a Domino server as an SMTP server consists of enabling two
separate tasks: a listener task and a routing task. Enabling the SMTP
Listener allows a server to receive mail over SMTP. Enabling SMTP
routing lets the Domino Router send mail to other servers using SMTP.
You enable SMTP routing to destinations within the local Internet
domain separately from SMTP routing to external destinations. It’s also
possible to enable SMTP routing on a server without enabling the
Listener task, and vice-versa.
For example, to support POP3 and IMAP clients, which use SMTP to
send mail, you must have at least one internal server running the SMTP
Listener task. However, the server does not have to use SMTP when
transferring messages it receives over SMTP to the next hop on the
routing path. After the server has accepted a message over SMTP, it can
use Notes routing to transfer the message to other servers.
By default, Domino uses Notes routing only and is not configured for
SMTP routing. To have Domino use SMTP to send and receive mail, do
the following:
• Prepare your system for sending messages to the Internet by testing
your Internet connection and verifying that DNS is set up properly.
• Enable the SMTP Listener task in the Server document of each server
you want to receive mail over SMTP.
• Enable SMTP routing within the local Internet domain so that servers
can send mail over SMTP within the local Internet domain.
• Enable SMTP to be used to send messages outside the local Internet
domain.
• Specify the relay host, if any, to be used when sending mail outside
the local Internet domain. Configure a relay host for SMTP servers
that do not have direct access to the Internet.
• Set up inbound and outbound mail restrictions to protect against
misuse of the mail infrastructure.
• To allow POP3 or IMAP users who connect to Domino from an
external network to send mail to external Internet domains, specify
exceptions to inbound relay enforcement for authenticated users.
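The following Python check is an added illustration, not Domino code and not from this guide, of the inbound relay enforcement the last two items describe: a server running the SMTP Listener accepts mail addressed to its own Internet domains from anyone, and relays to external domains only for a source it trusts, here an authenticated POP3/IMAP user (the exception the last item mentions) or a host on an internal network. The local domain list, the trusted network range and the sample envelopes are constructed; the names of the corresponding Configuration Settings fields are not reproduced here.

```python
# Added illustration (not Domino code) of inbound relay enforcement with an
# authenticated-user exception, exercised against constructed envelopes.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed: Internet domains this organization accepts mail for (the
# names that would be listed as aliases in the Global domain document).
LOCAL_INTERNET_DOMAINS = {"acme.com", "acme.co.uk"}
# Constructed: address ranges of internal servers allowed to relay.
RELAY_ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Envelope:
    client_ip: str        # peer that opened the SMTP connection
    authenticated: bool   # SMTP AUTH succeeded with a directory account
    mail_from: str
    rcpt_to: str


def recipient_domain(addr: str) -> str:
    # Use the text after the LAST "@": "a@acme.com@evil.example" and
    # "@acme.com:a@evil.example" both yield evil.example, not acme.com.
    return addr.rpartition("@")[2].strip().lower() if "@" in addr else ""


def is_local(addr: str) -> bool:
    # Exact match only: acme.com.evil.example must not count as local.
    return recipient_domain(addr) in LOCAL_INTERNET_DOMAINS


def relay_decision(env: Envelope) -> Tuple[bool, str]:
    """Decide one RCPT TO. Returns (accept, SMTP-style reason)."""
    if is_local(env.rcpt_to):
        return True, "250 local delivery"
    if env.authenticated:
        return True, "250 relay: authenticated user exception"
    ip = ipaddress.ip_address(env.client_ip)
    if any(ip in net for net in RELAY_ALLOWED_NETWORKS):
        return True, "250 relay: internal host"
    return False, "550 relaying denied"


# Constructed sample session: an outside host probing for an open relay,
# followed by an authenticated remote user and an internal server.
PROBES = [
    Envelope("203.0.113.7", False, "probe@evil.example", "bob@acme.com"),
    Envelope("203.0.113.7", False, "probe@evil.example", "victim@other.example"),
    Envelope("203.0.113.7", False, "probe@evil.example", "victim@acme.com.evil.example"),
    Envelope("203.0.113.7", True, "alice@acme.com", "victim@other.example"),
    Envelope("10.1.2.3", False, "alice@acme.com", "partner@other.example"),
]


def run_probes() -> List[bool]:
    return [relay_decision(e)[0] for e in PROBES]


if __name__ == "__main__":
    for e, verdict in zip(PROBES, run_probes()):
        print(e.client_ip, e.rcpt_to, relay_decision(e)[1])
```

Only the first probe (a local recipient) is accepted from the untrusted host; the two attempts to relay outward are refused, including the one whose recipient domain merely starts with acme.com. The authenticated user and the internal server are allowed to relay. Note that the exception keys on a successful authentication, not on the MAIL FROM address, which anyone can forge.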
If you intend to allow users to access mail from POP3 or IMAP mail
clients, you must install and enable these access protocols on users’ mail
servers. By default, Domino supports only Notes client access.
For information about using POP3 mail, refer to the chapter “Setting Up
the POP3 Service.” For information about using IMAP mail, see the
chapter “Setting Up the IMAP Service.”
Preparing to send and receive mail to the Internet
Use this list to ensure that your system is ready to send mail to and
receive mail from the Internet or another private SMTP network.
1. Make sure that you have a connection to the Internet via an Internet
Service Provider (ISP) or a direct connection.
2. Use the Ping command to test the connectivity between the
SMTP-enabled server and any external host to which it connects. Test
the connection between machines from which messages will be sent
and the servers from which you send mail to the outside world, such
as your ISP. Ping tests only the accessibility of the host, not the
existence or proper configuration of SMTP.
3. Define a list of the inbound Internet domain names by which your
organization is known. In some cases, a company may have multiple
Internet domain names. Enter these names as aliases in the Global
domain document.
4. Make sure that the DNS is set up to include all the Internet domain
names that your company uses.
5. If your company uses a mail relay or firewall, obtain the host name.
Setting up SMTP routing to external Internet domains
To send messages over SMTP to destinations outside of the local Internet
domain — for example, to the Internet or another private network — you
must enable external SMTP routing.
To enable SMTP routing outside of the local Internet domain
1. Make sure that you prepared your system to send mail to the
Internet.
2. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
3. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
4. Choose Configurations.
5. Select the Configuration Settings document and then click Edit
Configuration.
6. On the Router/SMTP - Basics tab, complete this field, and then save
the document:
Field: SMTP used when sending messages outside the local Internet domain
Enter: Choose one:
  • Enabled to use SMTP to route mail to the Internet
  • Disabled (default) to prevent the server from routing mail outside the local Internet domain
The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
Setting up SMTP routing within the local Internet domain
You can set up servers to use SMTP routing when transferring messages
to other servers in the local Internet domain.
You can enable SMTP routing on every server or only on servers that
route to destinations outside of the Domino named network. For
example, you may not have a direct IP connection between all the servers
in one TCP/IP Domino named network and all the servers in another.
You may still require that all messages moving from one Domino named
network to another be routed through hub servers.
To set up SMTP routing within the local Internet domain
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Configurations.
4. Select the Configuration Settings document to be edited and then
click Edit Configuration.
5. Click the Router/SMTP - Basics tab.
6. Complete these fields, and then save the document:
Field: SMTP allowed within the local Internet domain
Enter: Choose one:
  • MIME messages only — The Router uses SMTP to transfer MIME messages to other Domino servers that are within the same Domino domain and that run the SMTP Listener.
  • Disabled (default) — The Router uses Notes routing to transfer mail to other servers in the same Domino domain.
  • All messages — The Router uses SMTP to transfer both Notes format and MIME format messages to other Domino servers that are within the same Domino domain and that run the SMTP Listener. This will cause Notes format messages to be converted to MIME format before being transferred. This may cause loss of fidelity and performance. For example, Notes Doclinks and applications such as Calendar and Scheduling will not work. You can limit the use of SMTP to transfer mail within the Domino domain by setting the next field (“Servers within the local Domino domain are reachable via SMTP over TCPIP”) to only allow SMTP within the same Domino named network.
Field: Fully qualified Internet host name
Enter: The server’s complete host name combined with its domain name, including the top-level domain. For example, smtp.acme.com; smtp is the host name; acme is the second-level domain; and .com is the top-level domain. In the absence of a Global Domain document, the Router uses the entry in this field to determine the local Internet domain. Typically, the fully qualified host name is added to the Server document during server setup or by the Administration process (AdminP). A routing loop can result if this field does not contain a valid entry.
Field: SMTP listener task
Enter: Choose one:
  • Enabled to turn on the Listener so that the server can receive messages routed via SMTP routing
  • Disabled (default) to prevent the server from receiving messages routed via SMTP routing
Field: Local Internet domain smart host
Enter: The host name for the server that hosts the directory for SMTP recipients who are not in the local Domino Directory. To provide a level of failover and load-balancing, specify a host name that maps to an existing MX record. You can also specify an IP address.
Field: Smart host is used for all local Internet domain recipients
Enter: Choose one:
  • Enabled to route all incoming SMTP messages to the smart host for lookup before routing elsewhere.
  • Disabled (default) to route only messages whose recipients are not found in the Domino Directory to the smart host for lookup.
Note Smart host settings are ignored if you enable the field “Verify
that local domain recipients exist in the Domino Directory” on the
Router/SMTP - Restrictions and Controls - SMTP Inbound Controls
tab.
8. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
Setting up a server to receive mail for multiple Internet domains
Every organization has a primary Internet domain name — for example,
acme.com — by which it is known to the rest of the world. By default,
Domino considers the local, primary Internet domain to be the domain
specified in the server’s host name. For example, for a server with the
host name Server1.acme.com, both Server1.acme.com and acme.com are
considered local Internet domains. The server does not accept messages
addressed to recipients in any other Internet domain.
In addition to having a primary Internet domain, some organizations use
alternate Internet domain names. If your organization uses more than
one Internet domain name, you’ll want Domino to consider other domain
suffixes as local. Using multiple Internet domain names typically results
when:
• An organization changes names
• An organization acquires or merges with another company that
already has an existing Internet domain name, and users continue to
use the other Internet domain in their addresses
• You set up a mail topology to route messages addressed to other
subsidiaries through your firewall before routing the messages to the
Internet or another private network
• You set up a mail topology specifically to include more than one
Internet domain name
If for any of the preceding reasons people in your organization have
addresses in an Internet domain other than the primary domain, create a
Global Domain document. A Global Domain document identifies the
Internet domains that are considered to be internal to a Domino domain
and for which the local domain can accept mail. By default, the Domino
Directory does not contain a Global domain document. Within the Global
Domain document, you specify one primary Internet domain name and
multiple secondary domains. Secondary domains are listed as alternate
Internet domain aliases.
You must ensure that the DNS is set up to include all the Internet domain
names that your company uses.
To create a Global Domain document
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured. For Domino Release 5 and greater
servers, a Configuration Settings document is required to set up
SMTP routing.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Domains, and then click Add Domain.
4. On the Basics tab, complete these fields:
Field: Domain type
Enter: Choose Global Domain
Field: Global domain name
Enter: (Optional) A word or phrase that describes the domain. Never use the name of an existing domain for your Global Domain.
Field: Global domain role
Enter: Choose one:
  • R5 Internet Domain — For Domino Release 5 and greater SMTP servers.
  • R4.x SMTP MTA — For Domino servers that use the SMTP MTA to send Internet mail.
5. Click the Conversions tab, complete these fields, and then save the
document:
Field: Local primary Internet domain
Enter: The primary Internet domain name that your company uses to represent itself to the outside world — for example, another.com.
Field: Alternate Internet domain aliases
Enter: Additional Internet domain names that your company uses — for example, still.another.com, yet.another.com, have.another.com, and so on.
  Use the asterisk (*) as a wildcard to represent the names of subdomains. Wildcard use is valid only if the wildcard character appears as the first character of a given entry and represents an entire subdomain name; for example, the entry *.another.com indicates that Domino treats any subdomain of “another.com” as a local domain. Entries that use wildcards in any other way are considered invalid, including:
  • Using a wildcard in any position other than as a leading character in the entry. For example, the entries another.* and still.*.com are not valid.
  • Using a wildcard on its own to represent an entire domain suffix. For example, the entry * is not valid.
  • Using a wildcard to represent a portion of a name only. For example, the entries *other.com and *ill.another.com are not valid.
These fields represent the only ones you must complete if you are
using the Global Domain document solely for the purpose of
defining the internal Internet domains in an organization running
Domino Release 5 and greater.
6. Restart the server to put the changes into effect. The server reloads
information in the Global Domain document into memory only after
a restart.
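The wildcard rules for alternate Internet domain aliases, as an added Python example that is not part of the original documentation or of Domino's own code: it validates alias entries the way the table describes and decides whether a recipient's domain suffix counts as local. The domain names are the page's own examples; the function names are mine, and rejecting invalid entries outright (rather than matching them loosely) is an assumption.

```python
"""Validate Global Domain alias entries and decide whether a domain is local.

Added example re-implementing the documented wildcard rules; not Domino code.
"""
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def alias_is_valid(entry: str) -> bool:
    """Return True if an alias entry follows the documented wildcard rules.

    Valid:   another.com, *.another.com
    Invalid: another.*, still.*.com, *, *other.com, *ill.another.com
    """
    entry = entry.strip()
    if "*" not in entry:
        return bool(_DOMAIN_RE.match(entry))
    # The wildcard may appear once, as the first character, and must stand
    # for a whole subdomain label: "*." followed by an ordinary domain name.
    if entry.count("*") != 1 or not entry.startswith("*."):
        return False
    return bool(_DOMAIN_RE.match(entry[2:]))


def is_local_domain(domain: str, primary: str, aliases) -> bool:
    """Decide whether a recipient's domain suffix is treated as local.

    Invalid alias entries are ignored (assumption): an alias list widens
    what the server accepts as its own domain, so a malformed entry should
    fail closed rather than match unintended suffixes.
    """
    d = domain.lower().rstrip(".")
    if d == primary.lower():
        return True
    for entry in aliases:
        if not alias_is_valid(entry):
            continue
        e = entry.lower()
        if e.startswith("*."):
            suffix = e[1:]  # "*.another.com" -> ".another.com"
            # Any subdomain of another.com, but not another.com itself.
            if d.endswith(suffix):
                return True
        elif d == e:
            return True
    return False
```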
For more information about DNS, see the chapter “Overview of the
Domino Mail System.”
If a Domino server uses ETRN to pull mail for multiple Internet domains
from another mail host, you can set up the Connection document to that
host to request mail for alternate Internet domains.
Specifying how Domino looks up the recipients of incoming SMTP
messages
When Domino receives a message over SMTP, the message recipient is
identified by an Internet-style address, in the format
Genevieve_Martin@acme.com, rather than a Notes-style address, such as
Genevieve Martin/Acme. To determine the correct destination mail file,
Domino must match the SMTP address to a Person document in the
Domino Directory. To find a match, the Router checks the $Users view of
the directory. This view displays all name entries in all Person
documents in the directory, including Internet mail addresses, as well as
all user name variations, first names, last names, common names (CN),
distinguished names (DN), short names, and soundex names.
Note To display the hidden $Users view: Open the directory, press
CTRL-SHIFT and select View-Go To. In the Go To dialog box, select the
view ($Users) and click OK.
Inbound recipient lookups are controlled by the Address lookup setting
on the Router/SMTP - Basics tab of the Configuration Settings document.
This setting determines the criteria that the Router uses when attempting
to match the SMTP address on an incoming message to an entry in the
$Users view. The Router matches addresses based on:
• The full SMTP address only — for example,
Genevieve_Martin@acme.com
• The local part of the SMTP address (that is, the part to the left of the
@ sign) only — for example, Genevieve_Martin
• The full SMTP address, and then if no match is found, the local part
address
When using full name matching, the Router searches the Domino
Directory for an exact match of the entire SMTP address (for example,
First_Last@Acme.com). If an exact match is not found, the Router
performs a secondary search if the domain suffix of the incoming address
is listed in the Global domain document as an Internet domain alias. For
this secondary search, the Router replaces the given domain suffix with
the domain suffix designated in the Global domain document as the
Primary domain name.
To prevent the Router from using domain aliases when looking up
addresses, do not include alternate Internet domain aliases in a Global
domain document. Instead, create multiple Global Domain documents,
each specifying a different primary Internet domain.
Restricting the Router to matching addresses on the full Internet address
only ensures that each user’s Internet address complies with a standard
format. Users cannot receive inbound mail addressed to their short
names, soundex names, or other name variations that exist in the $Users
view. When configuring the Router to look up users’ full Internet
addresses only, complete the Internet address field in all Person
documents, and Mail-in database documents for mail-in databases that
receive mail over SMTP.
To specify how addresses are looked up
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Configurations.
4. Select the Configuration Settings document to be edited and then
click Edit Configuration.
5. Click the Router/SMTP - Basics tab.
6. Complete these fields, and then save the document:
Field: Address lookup
Enter: Specifies how the Router searches the Domino Directory to determine the Notes recipient of an inbound Internet message. Choose one:
  • Fullname then Local Part — (default) The Router first searches the Domino Directory for a match for the full Internet address (localpart@domain.com). If no match is found, it searches the directory again, looking for a match for the local part of the address only.
  • Fullname only — The Router searches the Domino Directory for full Internet addresses only. For example, it searches for “user@domain.com” but not for “user.” If an exact match is not found and the domain suffix is equivalent to an Internet domain alias defined in the Global domain document, a secondary search is performed using the domain suffix of the primary Internet domain.
  • Local Part only — The Router searches the Domino Directory for a match of the local part of the Internet address, that is, the part before the @ symbol. Local part matching matches periods and underscores in the address with spaces in the directory.
Field: Exhaustive lookup
Enter: Choose one:
  • Enabled — The Router searches all directories to ensure that there are no duplicate recipient names that might prevent the message from getting to the right person. Performing exhaustive lookups is time-consuming and places a heavy load on the server.
  • Disabled — (default) The Router limits its search to the first directory that contains the address.
Field: Host name lookup
Enter: Choose one:
  • Dynamic lookup only (DNS only) — The Router determines the IP address for a host by looking it up in DNS. SMTP transfer can occur only if the destination host is listed in DNS.
  • Local lookup only (host files only) — The Router determines the IP address for a host by looking it up in a hosts file on the local machine.
  • Dynamic then local — (default) The Router determines the IP address for a host by looking it up in DNS first and then checking the local hosts file if no DNS entry exists.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
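The three Address lookup modes, including the secondary alias search and the period/underscore-to-space rule for local parts, as an added Python example (not Domino code, which the page does not show); the $Users entries, mail file paths and Global Domain values are constructed.

```python
"""Simulate the Router's inbound recipient lookup against the $Users view.

Added example, not Domino code. The view below is constructed: each name
variation maps to the owner's mail file, standing in for the Person or
Mail-in database document Domino would find.
"""

USERS_VIEW = {
    "genevieve_martin@acme.com": "mail/gmartin.nsf",  # Internet address field
    "genevieve martin": "mail/gmartin.nsf",           # common name
    "gmartin": "mail/gmartin.nsf",                    # short name
    "sales@acme.com": "mail/sales.nsf",               # mail-in database
}
PRIMARY_DOMAIN = "acme.com"
ALIASES = {"acme-alias.com", "sales.acme.com"}  # Global Domain aliases (constructed)


def _fullname_match(addr, view, primary, aliases):
    """Exact match on the whole address; if that misses and the domain
    suffix is a Global Domain alias, retry with the primary domain."""
    addr = addr.lower()
    if addr in view:
        return view[addr]
    local, sep, domain = addr.partition("@")
    if sep and domain in aliases:
        return view.get(f"{local}@{primary}")
    return None


def _localpart_match(addr, view):
    """Match only the part left of '@'; periods and underscores in the
    address are allowed to match spaces in the directory."""
    local = addr.lower().partition("@")[0]
    for candidate in (local, local.replace("_", " ").replace(".", " ")):
        if candidate in view:
            return view[candidate]
    return None


def lookup_recipient(addr, mode, view=USERS_VIEW,
                     primary=PRIMARY_DOMAIN, aliases=ALIASES):
    """Return the destination mail file for an inbound SMTP recipient, or
    None if the configured lookup mode finds no match."""
    if mode == "Fullname only":
        return _fullname_match(addr, view, primary, aliases)
    if mode == "Local Part only":
        return _localpart_match(addr, view)
    if mode == "Fullname then Local Part":
        return (_fullname_match(addr, view, primary, aliases)
                or _localpart_match(addr, view))
    raise ValueError(f"unknown Address lookup mode: {mode!r}")
```

With "Fullname only", mail to the short name gmartin@acme.com is refused, which is the standard-format guarantee the text describes; the default mode accepts it through the second search.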
Enabling the Router to look up the sender’s Internet address from
the Person document
When a Notes client is configured to send mail for Internet recipients in
Notes rich text format, a Domino server must convert outbound mail
from the client to MIME format for Internet mail transport over SMTP.
The Domino server responsible for the conversion must ensure that all
addresses in the message headers, including both the recipient and
sender addresses, are in Internet mail (RFC 821/822) format.
If the sending user’s Location document specifies an Internet address,
Domino places this address in the From field of the MIME message.
However, if the Location document does not specify an Internet address,
Domino must obtain the address by other means. By default, Domino
forms an Internet address by converting spaces in the user’s Notes
address into underscores, and prefixing the names of Domino domains in
the address with percent signs. For example, a Domino server in the
acme.com Internet domain converts the Notes address John
Smith@Notes to the Internet address John_Smith%Notes@acme.com.
Domino determines the Internet domain from the Server document or
the Global Domain document.
If your organization prefers to standardize Internet addresses using a
format that does not reveal internal domain names, you can specify an
Internet address in each user’s Person document and configure Domino
to look up the specified addresses during MIME conversion.
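The default address-forming rule and the effect of the Person document lookup during MIME conversion, as an added Python example that is not Domino's own code. The Person documents are constructed, and two points the page does not spell out are assumptions: how more than one Domino domain in a Notes address is encoded, and that Domino falls back to the rule-based form when a looked-up Person document has no Internet address.

```python
"""Form the Internet (RFC 821/822) From address for outbound Notes mail.

Added example, not Domino code. Shows the default rule (spaces -> '_',
Domino domains prefixed with '%') beside the Person document lookup.
"""

# Constructed Person documents: Notes name -> Internet address field.
PERSON_DOCS = {
    "John Smith": "john.smith@acme.com",
    "Ann Lee": None,   # Internet address field left blank
}


def default_internet_address(notes_address: str, internet_domain: str) -> str:
    """Rule-based form: John Smith@Notes -> John_Smith%Notes@acme.com.

    Each Domino domain after the name is prefixed with '%' (assumption:
    several domains are appended in order). The result reveals the
    internal Domino domain name to the outside world.
    """
    name, *domains = notes_address.split("@")
    local = name.replace(" ", "_")
    for domain in domains:
        local += "%" + domain.replace(" ", "_")
    return f"{local}@{internet_domain}"


def outbound_from_address(notes_address: str, lookup_enabled: bool,
                          person_docs=PERSON_DOCS,
                          internet_domain: str = "acme.com") -> str:
    """Apply the 'Lookup Internet address for all Notes addresses when
    Internet address is not defined in document' setting.

    Enabled: use the Person document's Internet address when one is on
    file (assumption: otherwise fall back to the default rule).
    Disabled: always use the default rule.
    """
    name = notes_address.split("@")[0]
    if lookup_enabled:
        found = person_docs.get(name)
        if found:
            return found
    return default_internet_address(notes_address, internet_domain)
```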
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the MIME - Conversion Options - Outbound tab.
6. Complete the following and click Save & Close:
Field: Lookup Internet address for all Notes addresses when Internet address is not defined in document
Description: Addresses on all messages sent to Internet recipients must be in Internet format (RFC 821/822 format). A Notes user may send a message to both Notes addresses and Internet addresses. To specify how Domino converts the addresses of Notes recipients on messages sent to the Internet, choose one:
  • Enabled — On outbound Internet messages, if the address of the sender or any recipient is in Notes format, Domino looks up the user’s Internet address from the Person document and, if found, substitutes it for the Notes address before sending.
  • Disabled — (default) Domino forms Internet addresses based on rules in the Global Domain document. If a Global domain document is not present, Domino constructs addresses by converting spaces into underscores and encoding Domino domains with percent signs. For example, Domino converts the Notes address John Smith@Notes to the Internet address John_Smith%Notes@acme.com. When this option is disabled, Domino will continue to perform Internet address lookups if configured to do so in the field “Internet address lookup” in the SMTP Address Conversion section of the Conversion tab of the Global Domain document.
Field: Use as default Global Domain (for use with all Internet protocols except HTTP)
Enter: Select Yes to designate this Global Domain document as the default Global Domain for this Domino Directory.
Field: Relay host for messages leaving the local Internet domain
Enter: The host name, domain name, or IP address of the server being used as a relay host. A domain name is a valid entry only if the internal DNS contains an MX record for that domain and can resolve it to a host name. When entering an IP address, enclose it within square brackets; for example, [127.0.0.1].
The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
8. After you set up a relay host, you can set up restrictions based on
where the message originated or the message destination.
Routing mail over transient connections
Sites that do not have permanent connections to the Internet, or to other
servers on the Domino network, can send and receive messages over a
transient connection, such as a dialup connection.
For example, an organization that does not have a constant connection to
the Internet might use a remote mail server at its ISP to hold mail until a
local mail server calls in to the ISP server to retrieve or “pull” pending
messages from the ISP server. If the ISP mail server supports the SMTP
ETRN command, you can configure the Domino server to “pull” mail
over SMTP. A local Domino server can also use Notes routing protocols
to pull messages from a remote Domino server over a Notes Direct
Dialup connection.
Setting up Domino to pull mail from a remote server
By default, when a local server initiates a connection to a remote server,
it uses the connection to push messages to the remote server. The local
server does not “pull” pending messages from the remote server.
Instead, the local server only receives mail from the remote server when
the remote server initiates a connection to route those pending messages.
To change this default behavior and have the local server retrieve
messages from a remote server during the same session in which it sends
messages to the remote server, set up the local server to send a “pull
request” to the remote server.
When the local server is configured to send a “pull request,” it sends a
message to the remote server requesting that the server deliver any
messages it has pending for the local server. The remote server receiving
the pull request can be any SMTP host; it does not have to be a Domino
server. When the remote server receives the “pull request,” it checks its
mail queues for any messages pending for the initiating server and starts
the processing necessary to transfer those messages.
If you are using SMTP routing, you must make sure that the ETRN protocol
extension has been enabled on the other server (the one receiving the
“pull request”), or it will not be able to receive the pull request. Also, the
remote server must be able to resolve the DNS host name of the initiating
server to an IP address to ensure that the messages can be sent.
Generally, ETRN requires that the initiating server has a static IP
address, which is available in DNS to the server holding the pending
messages.
Note Some ISPs use DHCP to assign a host a new IP address whenever
it connects. If the remote system assigns a new IP address every time you
connect, do not configure dialup systems to use pull routing.
When configuring dialup routing, you can indicate how long the
initiating server keeps the line open to allow the remote server to
establish a connection. This is useful to prevent the initiating server from
hanging up the line before the remote server is able to attempt to transfer
any pending mail. The initiating server sends a pull request, then pushes
any messages it has for the remote server, and then waits for any
messages pending from the remote server.
When sending a pull request, the initiating server can also request
messages for other servers, domains, hosts, or any queue name within
your organization for which the initiating server is responsible.
The ETRN command
With ETRN support, a dialup SMTP host can notify an SMTP server
holding messages for it when to deliver those messages. ETRN enables
servers to use bandwidth resources efficiently, because the dialup host
sends and receives mail during the course of a single session.
ETRN stands for Extended Turn and is an SMTP service extension
command, defined in RFC 1985, that provides improved security over
the SMTP TURN command, originally defined in RFC 821. The TURN
command allows hosts involved in an SMTP session to reverse their
respective roles, so that, for example, if Server1 is sending an SMTP
message to Server2, Server1 can issue the TURN command so that
Server2 then becomes the sender and Server1, the receiver.
However, because the TURN command has no mechanism for verifying
the identity of the calling host, use of the command poses a security risk.
A malicious user who spoofs the identity of a server can falsely appear to
belong to someone else’s Internet domain and then use the TURN
command to retrieve messages intended for that domain.
The ETRN command plugs this security hole by redefining the sending
and receiving roles during the course of the SMTP session. For example,
after Server1 issues the ETRN command to Server2, ETRN instructs
Server2 to open a new SMTP session with Server1. Because Server2 has
to resolve the name of Server1 to an IP number in the DNS, Server2 is
more likely to open a new SMTP session with the correct machine.
For Domino to use ETRN to retrieve new mail over a dialup connection,
your ISP must support this command. Check with your ISP to verify
whether they support this command or not. You can also verify support
for the command by establishing a telnet connection to port 25 of the
ISP’s SMTP server. After the SMTP session starts, type EHLO and press
Enter. The response from the ISP’s SMTP server indicates whether the
server supports ETRN.
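The EHLO check described above, as an added Python example rather than page or Domino code: it parses a constructed EHLO reply of the kind an ISP's SMTP server returns and reports whether ETRN is advertised, treating a non-250 or malformed reply as "no extensions".

```python
"""Parse an SMTP EHLO reply and report whether the ETRN extension (RFC 1985)
is advertised. Added example, not Domino code; the reply is constructed.
"""

# Constructed EHLO reply, as an ISP's SMTP server might send it on port 25.
EHLO_REPLY = (
    "250-mail.isp.example Hello server1.acme.com [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-ETRN\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_extensions(reply: str) -> dict:
    """Return {EXTENSION: parameters} from a multi-line 250 EHLO reply.

    Continuation lines are '250-'; the final line is '250 '. The first
    line carries the server greeting, not an extension. Any other reply
    code (e.g. 502 for a server that only speaks HELO) or a malformed
    line yields an empty dict, so callers cannot mistake it for support.
    """
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines or not lines[0].startswith("250"):
        return {}
    extensions = {}
    for ln in lines[1:]:
        if len(ln) < 4 or ln[:3] != "250" or ln[3] not in "- ":
            return {}
        keyword, _, params = ln[4:].strip().partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def supports_etrn(reply: str) -> bool:
    """True if the peer listed ETRN among its EHLO extensions."""
    return "ETRN" in parse_ehlo_extensions(reply)
```

Against a live server, Python's smtplib performs the same check: after `SMTP.ehlo()`, `SMTP.has_extn("etrn")` reports whether the keyword appeared in the reply.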
For more information about Notes Direct Dialup Connections and
Network Dialup Connections, see the chapter “Setting Up
Server-to-Server Connections.”
To set up a server to route mail over a transient connection
1. For SMTP routing, on the Router/SMTP Basics tab of the
Configuration Settings document for the sending server, enable
SMTP for messages sent outside the local Internet domain.
For information on how to enable SMTP for outbound Internet mail,
see the topic “Setting up SMTP routing to external Internet domains”
earlier in this chapter.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Click Connections.
4. Click Add Connection.
5. On the Basics tab, complete these fields:
Field: Connection type
Description: Choose one:
  • Network Dialup — Choose this option for servers that will route mail over SMTP using this dialup connection. You can also use this option for NRPC routing.
  • Notes Direct Dialup — Choose this option only for servers that will use this connection to route mail over NRPC to another Domino server.
6. On the Routing and Replication tab, complete these fields, and then
click Save & Close:
Field: Routing task
Description: Select Mail routing
Field: Router type
Description: Choose one:
  • Push/Wait — Select this option when the destination server is used for outbound mail only, and initiates the connection to the source server. After the source server establishes the dialup connection, it waits to receive a connection from the destination server. When the destination server connects and issues a “pull request,” the source server then pushes any messages pending for the remote server.
  • Push Only — (default) Select this option if the destination server is used for outbound mail only. The source server calls the destination server and sends messages queued for that destination. You’ll need to create a separate Connection document to the server used for inbound mail.
  • Pull Push — Select this option if the ISP host to which the source server connects is used for both inbound and outbound routing. The source server calls the destination server, pushes, or sends, any pending messages for that destination, and then “pulls” messages from the destination server (actually, the calling server issues a request to the other server to push messages back to it). The destination server pushes any pending messages back to the source server. If you select this option, you must specify whether the source server issues the pull request using Notes routing or SMTP.
  • Pull Only — Select this option if the destination server is used for inbound mail only. The source server calls the destination server and issues a pull request (a request for the other server to push back messages). The destination server pushes any pending messages to the source server. You’ll need to create a separate Connection document to the server used for outbound mail.
Field: Pull routing request protocol
Description: Choose one:
  • Notes RPC — The server makes the pull request using Notes Remote Procedure Calls.
  • SMTP — The server makes the pull request using SMTP. Select this option for SMTP connections that support ETRN.
  When the destination server is a Domino server, the protocol specified in this field only applies when the Router type is set to Pull Only. By contrast, if the Router type is set to Pull/Push, the sending server always uses the same protocol to issue the pull request that it used to transfer messages to the destination server.
Field: Request the following when issuing a pull request
Description: Specifies the servers, hosts, or domains on whose behalf the source server issues a pull request. As a result of the request, the remote server sends all messages it is holding for the specified entities. Choose one or more of the following:
  • Source server name (both Notes and Host) — (default) The source server requests that the remote server transfer any messages addressed to recipients on the source server. The source server receives messages for addresses that specify either the Domino server name or the DNS host name (for example, CN=Server/Org=ACME or server1.acme.com).
  • All local primary Internet domains listed in Global Domain(s) — (default) The source server requests that the destination server transfer all messages it is holding for recipients with addresses in the primary Internet domain named in the source server’s Global Domain document (for example, acme.com).
  • All alternate Internet domain aliases listed in Global domain(s) — The source server requests that the destination server transfer all messages it is holding for recipients with addresses in any of the Internet domain names listed in the source server’s Global Domain document (for example, acme.com, sales.acme.com, acme-alias.com).
  • The following servers/domains/hosts — The source server requests that the destination server transfer all messages it is holding for recipients in the specified Domino servers, Internet domains, or DNS host names. If you select this option, list the specific servers, domains, or hosts on whose behalf the pull request is made. Use this option if the remote server requires the calling server to use a specific syntax or name when sending the ETRN pull request to initiate message transfer.
Field: Pull router timeout
Description: The number of seconds that the calling server waits for the answering server to respond to a pull request before disconnecting. The default is 30 seconds.
Field: Number of mailboxes
Description: Indicates the number of mailboxes (MAIL.BOX databases) on servers that use this Configuration Settings document. If this field is blank, one mailbox is used. Configure a maximum of ten mailboxes.
Field: Type-ahead
Enter: Choose one:
  • Enabled — (default) The server checks the Domino Directory for an address that matches what a user enters in the To, cc, or bcc field of a message.
  • Disabled — The server does not try to match addresses. Matches occur only in the user’s Personal Address Book or local Directory Catalog.
6. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
Changing the logging level for mail
By default, when the Router is unable to deliver a mail message, Domino
records information in the server log file (LOG.NSF). When you
troubleshoot messaging, you may want to record additional information
in the log file.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Controls tab.
6. Complete this field in the Miscellaneous Controls section, and then click Save & Close:
Field: Logging level
Enter: Choose one:
  • Minimal — Domino logs all mandatory status messages and fatal error messages.
  • Normal (default) — Domino logs all minimal events, plus warning messages indicating conditions that do not cause processing to stop.
  • Informational — Domino logs all minimal and normal events, plus informational messages involving intermediate storage, MAIL.BOX access, message handling, message conversion, and transport status.
  • Verbose — Domino logs all minimal, normal, and informational events, plus additional messages that may help you troubleshoot system problems. To prevent the log file from becoming excessively large, use Verbose logging only when troubleshooting specific problems.
7. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.
Controlling message delivery
Message delivery occurs when the Router deposits a message in the
recipient’s mail file. You can control how the Router behaves when
delivering messages to mail files on the Domino server. For example, you
can specify whether messages are always encrypted, how many server
threads the Router can use to deliver messages, and what the Router
does with messages sent to users whose mail files are larger than the
allowed size.
You set delivery controls in the Configuration document on the
Router/SMTP - Restrictions and Controls - Delivery Controls tab. You
can also set quota controls to help control the size of user mail files.
Setting delivery controls
You can customize message delivery on Domino, including how many
threads are used to deliver messages, whether the messages must be
encrypted, how long the server waits for a pre-delivery agent to run, and
whether the Router supports the forwarding action in Notes client mail
rules.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Delivery
Controls tab.
6. Complete these fields in the Delivery Controls section, and then click
Save & Close:
Field Description
Maximum delivery threads: The maximum number of server threads Domino can create to deliver mail from MAIL.BOX to local mail files. The Router automatically sets the default maximum number of delivery threads based on server memory. Letting the Router select the maximum number is usually best. To set the maximum number manually, enter a maximum between 1 and 25, based on the server load.
Encrypt all delivered mail: Choose one:
• Enabled — When delivering messages to local mail files, Domino encrypts the messages, regardless of whether the sender encrypted the message or the recipient’s mail file encrypts messages.
• Disabled — (default) Domino encrypts messages only if the recipient’s mail file is set to encrypt received messages.
When encryption is enabled and an external user requests a return receipt for a message sent to a user whose mail file is on the server, the return receipt message that Domino generates contains a blank message body.
Pre-delivery agents: Users who create LotusScript or Java agents for their mail files can set the agent to run before new mail arrives. When delivering a new message, if the Router detects such a pre-delivery agent, it runs the agent against the message before the message ever appears in the recipient’s Inbox. Use this field to specify whether the server permits the use of pre-delivery agents. Choose one:
• Enabled — (default) Allows the Router to run agents that process mail before delivering it to user mail files on the server.
• Disabled — Prevents the Router from running pre-delivery agents.
Pre-delivery agent timeout: The maximum time (in seconds) that a pre-delivery agent, such as a mail filter, can run before the Router interrupts it. Because the Router waits for pre-delivery agents to complete, failure to restrict agents can slow routing performance on the server. The default time-out is 30 seconds.
Field Description
User rules mail forwarding: Notes users can create mail file rules that automatically process new mail. User mail rules specify an action to take when a newly delivered message meets certain conditions. Use this field to specify whether the Router on this server supports the rule action to send copies of selected messages automatically to other recipients. Choose one:
• Enabled — The Router supports the “Send copy to” action for Notes client mail rules, allowing users to send copies of messages automatically to other recipients.
• Disabled — Prevents Notes clients from using the “Send copy to” rule action.
7. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.
Using quotas to manage the size of user mail files
Users may receive and save a high volume of e-mail, including their own
sent messages, in their mail files. Large mail files can overwhelm a
server’s disk capacity and reduce the performance of the mail client.
Because you generally cannot provide users with unlimited storage
space, set a size limit, or database quota, for each mail file. When
delivering mail to a user’s mail file, the Router checks the current size of
the mail file against the specified quota.
You can configure the Router to respond in several ways when a mail file
exceeds its quota, each representing a higher level of enforcement. The
least restrictive response is to have the Router issue automatic
notifications to users when their mail files exceed the quota. If users fail
to respond to notifications, you can hold pending messages in
MAIL.BOX or return messages to the senders as undeliverable until the
users reduce the size of their mail files.
In addition to setting a quota, you can configure a warning threshold and
use it as the basis for providing users with advance notice that their mail
files have grown too large. For example, you might set a warning
threshold of 25MB on a mail file that has a 30MB quota. In the
Configuration Settings document, you can enable the Router to send
notifications to users who exceed their warning threshold. If you enable
this option, the Router delivers an Over Threshold Warning to users
whose mail files exceed the warning threshold. Sending such warnings
allows users to reduce the size of their mail files before they exceed the
quota.
Along with the methods the Router uses to enforce quotas, the Notes
client also displays a warning to any user who has exceeded their
designated warning threshold or quota whenever the user attempts to
send mail.
Setting mail file quotas
You can set two types of size limits on a user’s mail file: an absolute
quota size and a warning threshold. Set a quota if you intend to establish
a policy of interrupting users’ mail usage if their mail files exceed a
specified size. Set a warning threshold to provide users with advance
notice when their mail files approach the designated mail file quota, so
they can reduce the size of their mail files before message flow is
interrupted. You must set a quota before you can set a warning
threshold.
Quotas and warning thresholds are associated with a particular mail file
database only, not with a user ID. If a user has access to an alternate mail
file, the quota set on the primary mail file has no effect on the alternate
mail file.
You set quota limits and warning thresholds:
• During registration — Quotas specified during registration apply only to new users, not to existing users. For users migrated from other mail systems, the restrictions do not apply to mailbox contents brought over from the old system. In other words, a mail file limit of 5MB does not prevent you from migrating a user’s 6MB mail box from cc:Mail. However, the user will not be able to receive new mail.
• Per database — Using the Domino Administrator, you can manually specify the warning threshold and quota of one or more mail files using the same method you would to set these limits for any Notes database.
Detecting when a mail file exceeds its quota
If quota enforcement is enabled, whenever the Router delivers mail, it
compares the current size of the destination mail file against its
configured database quota or threshold. If the size exceeds one of these,
the Router takes appropriate action.
If a mail file uses shared mail, Domino factors in the complete size of any
messages stored in shared mail databases when calculating mail file size.
When calculating mail file size, Domino does not take into account the
space consumed by a file’s full-text index. When setting a mail file quota,
be sure to consider the additional space required for the file’s full-text
index. Over time, the full-text index of a typical mail database can reach
a size between 5 and 15 percent of the database size.
To specify the method a server uses to calculate the size of a mail file
1. From the Domino Administrator, click the Configuration tab, expand
the Server section, and click “All Server Documents.”
2. Select the Server document to edit, and then click Edit Server.
3. Click the Transactional Logging tab, and in the Quota enforcement
field, select one of these methods and then click Save & Close:
For information on adding custom text to over quota and quota warning
reports, see the topic “Customizing the text of mail failure messages”
later in this chapter.
Users who exceed the quota for their mail file receive over quota
warnings only. If the Router is configured to send over threshold
warnings, it stops sending them to users who exceed their quota.
Message tracking is not enforced or supported for either type of warning
notification.
If Domino rejects an inbound message as the result of a quota violation, it
returns a failure message stating the reason for the failure to the sender.
Specifying how often users receive notifications
You have three options for specifying how often the Router delivers
warning notifications to users who violate their mail file’s warning
threshold or quota:
• None (default) — Users receive no warning if their mail files exceed the size limit.
• Per Message — Users whose mail files exceed the size limit receive a warning notification every time MAIL.BOX receives a new message for them.
• Per time interval — Users whose mail files exceed the size limit receive a warning message at the specified interval until they reduce the size of their mail file. If you select this option, an additional field appears where you can specify the interval in minutes, hours, or days.
Withholding mail from users who exceed their quota
Quota controls enable the Router to selectively hold or reject mail if the
destination mail file has exceeded its quota. When the Router has new
mail to deliver to a user whose mail file is already full, it checks the
Configuration Settings document to determine the appropriate action. By
default the Router continues to deliver mail, even after a mail file exceeds
its quota. To change the default behavior, you must configure the Router
to refuse or hold mail.
When delivering mail to a user’s mail file, the Router checks the mail
file’s size. If the file will remain within the specified threshold after
delivery of the message, no action is taken.
The Router recognizes certain exceptions to the specified quota setting.
For example, users who are over quota continue to receive over quota
notifications from the Router, regardless of the current setting. However,
if the Router is configured to Hold and Retry, all messages are held, and
the owner of the mail file receives no further notifications until the size of
the mail file is reduced or the administrator takes action to allow
messages to be delivered.
To prevent an excessive number of messages from accumulating in
MAIL.BOX when you choose the Hold and Retry method of enforcing
quota violations, it’s best to have Domino calculate database size based
on usage, rather than file size. This is especially true on servers where
transaction logging is enabled, because users cannot reduce the size of
their mail files without assistance from an administrator.
Limiting the size and number of messages held for retry
If you set the Router to temporarily hold mail intended for users whose
mail files exceed the specified quota, the increased number of pending
messages can increase the size of MAIL.BOX and decrease Router
performance. To help ensure service quality, you can limit the number of
pending messages.
You can also specify the maximum size of messages that the Router will
hold. If a message is larger than the configured size, it is returned to the
sender as undeliverable, rather than held.
Restrictions do not apply to sent messages
Router enforcement of mail file quotas is limited to withholding new
mail from users who exceed their quotas. The Router continues to accept
outgoing mail from users whose mail files are full. However, these users are
not able to save any messages to mail files on the server.
When a user who exceeds the configured warning threshold or quota
sends a message from a Notes client, the client displays a warning, but
the user can still send the message.
Setting quota controls for the Router
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Delivery
Controls tab.
6. In the Quota Controls section, complete these fields:
Field Enter
Over Warning Threshold Notifications: Specifies how often the Router delivers notifications to users who exceed their warning threshold. Choose one:
• None — The Router does not deliver notifications when mail files grow larger than the specified warning threshold.
• Per Message — The Router delivers a notification for every message it delivers after the mail file exceeds the specified warning threshold.
• Per Interval N — Send notifications at a specified interval until the user deletes or archives enough messages to bring the size of the mail file below the specified Warning Threshold. When this option is selected, an additional field, “Warning Interval Minutes,” appears.
Field Enter
Warning Interval Minutes: Specifies, in minutes, how long the Router waits to send the next Over Warning Threshold Notification.
Over Quota Notification: Specifies how often the Router delivers notifications to users who exceed their quota. Choose one:
• None — The Router does not deliver notifications when mail files grow larger than the specified warning threshold.
• Per Message — The Router delivers a notification for every message it delivers after the mail file exceeds the specified quota.
• Per time interval — Send notifications at the specified interval until the user deletes or archives enough messages to bring the size of the mail file below the specified quota. When this option is selected, an additional field appears where you can specify an interval measured in minutes, hours, or days.
Error Interval: Specifies, in minutes, hours, or days, how long the Router waits to send the next over quota notification.
Over Quota Enforcement: Specifies the action the Router takes when receiving new mail for a user whose mail file is larger than the specified quota. Choose one:
• Deliver anyway (don’t obey quotas) — (Default) The Router continues to deliver mail to a mail file that is over quota.
• Non Deliver to originator — The Router stops delivering new messages to the mail file and returns a nondelivery message to the sender reporting that the message could not be delivered because the intended recipient’s mail file was full.
• Hold mail and Retry — The Router stops delivering new messages to the mail file and temporarily holds incoming messages in MAIL.BOX until space is available in the mail file. After a configured interval, the Router tries to deliver the message. If the user has sufficiently reduced the size of the mail database by the next scheduled delivery attempt, the mail is delivered. Messages that cannot be delivered before the configured expiration time (default = 1 day) are returned to the sender as undeliverable. If you choose this option, the document displays additional fields where you can specify how the server handles held messages. To prevent an excessive number of messages from accumulating in MAIL.BOX when this option is selected, it’s best to have Domino calculate database size based on usage, rather than file size.
7. If you selected “Hold mail and Retry” in the “Over Quota
Enforcement” field, complete the following:
Field Description
Attempt delivery of each message: Pending messages may be of different sizes. A mail file that has reached its quota may have sufficient space available to fit some messages, but not others. Use this field to specify whether the Router delivers messages small enough to fit the available space in a destination mail file. Choose one:
• Enabled — The Router attempts delivery of each new message. Messages that fit the available space are delivered. Other messages are held.
• Disabled — After a mail file reaches its quota, the Router holds all messages until the file size is reduced.
Maximum number of messages to hold per user: Specifies the maximum number of messages that the Router will hold in MAIL.BOX for a given mail file. After the number of pending messages reaches the specified number, the Router returns a delivery failure report to the sender of each additional message in first-in, first-out order.
Maximum message size to hold: Specifies the maximum size, in KB, of messages that the Router can hold in MAIL.BOX for over quota users. If a message larger than the specified size is received for the user, the Router returns a delivery failure report to the sender.
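As an added illustration (not Domino’s own code), the following Python model walks a mail file through the quota decisions described above: the three Over Quota Enforcement choices, the two hold limits, and a scheduled retry after the user frees space. The oldest-first retry order, the expiry check, and all names and sizes are assumptions made for the example.

```python
"""Model of the Router's over-quota delivery decisions as this chapter
describes them. Constructed illustration, not Domino code."""
from collections import deque
from dataclasses import dataclass, field

# The three "Over Quota Enforcement" choices
DELIVER_ANYWAY, NONDELIVER, HOLD_AND_RETRY = "deliver", "nondeliver", "hold"


@dataclass
class MailFile:
    size_kb: int
    quota_kb: int


@dataclass
class QuotaControls:
    enforcement: str = DELIVER_ANYWAY  # page default: "Deliver anyway"
    attempt_each: bool = True          # "Attempt delivery of each message"
    max_hold_count: int = 5            # "Maximum number of messages to hold per user"
    max_hold_kb: int = 512             # "Maximum message size to hold"
    expire_min: int = 1440             # held mail expires after 1 day by default


@dataclass
class Held:
    sender: str
    size_kb: int
    arrived_min: int


@dataclass
class Pending:
    """What MAIL.BOX holds for one recipient, plus a log of outcomes."""
    held: deque = field(default_factory=deque)
    log: list = field(default_factory=list)


def route(mf, pend, ctl, sender, size_kb, now_min):
    """Decide the fate of one new message. Returns 'delivered', 'held' or
    'failed' (failed = a delivery failure report goes back to the sender)."""
    fits = mf.size_kb + size_kb <= mf.quota_kb
    if fits or ctl.enforcement == DELIVER_ANYWAY:
        mf.size_kb += size_kb
        pend.log.append(("delivered", sender))
        return "delivered"
    if ctl.enforcement == NONDELIVER:
        pend.log.append(("failed", sender, "mail file full"))
        return "failed"
    # Hold and Retry: the hold limits decide what may wait in MAIL.BOX
    if size_kb > ctl.max_hold_kb:
        pend.log.append(("failed", sender, "exceeds maximum message size to hold"))
        return "failed"
    if len(pend.held) >= ctl.max_hold_count:
        pend.log.append(("failed", sender, "too many pending messages"))
        return "failed"
    pend.held.append(Held(sender, size_kb, now_min))
    pend.log.append(("held", sender))
    return "held"


def retry(mf, pend, ctl, now_min):
    """Scheduled retry of held mail. Returns (delivered, expired, still_held).
    Assumption: held messages are tried oldest first; with attempt_each
    disabled the Router stops at the first message that does not fit."""
    delivered = expired = 0
    remaining = deque()
    for h in pend.held:
        if now_min - h.arrived_min >= ctl.expire_min:
            expired += 1
            pend.log.append(("failed", h.sender, "expired while held"))
        elif mf.size_kb + h.size_kb <= mf.quota_kb and (ctl.attempt_each or not remaining):
            mf.size_kb += h.size_kb
            delivered += 1
            pend.log.append(("delivered", h.sender))
        else:
            remaining.append(h)
    pend.held = remaining
    return delivered, expired, len(remaining)


def scenario():
    """Walk a 30 MB mail file through the Hold and Retry sequence (constructed)."""
    mf = MailFile(size_kb=29000, quota_kb=30000)
    ctl = QuotaControls(enforcement=HOLD_AND_RETRY, max_hold_count=2, max_hold_kb=512)
    pend = Pending()
    results = [
        route(mf, pend, ctl, "alice", 800, now_min=0),   # fits: delivered
        route(mf, pend, ctl, "bob", 400, now_min=1),     # over quota: held
        route(mf, pend, ctl, "carol", 600, now_min=2),   # too big to hold: failed
        route(mf, pend, ctl, "dave", 300, now_min=3),    # held (2 pending now)
        route(mf, pend, ctl, "erin", 250, now_min=4),    # hold limit reached: failed
    ]
    mf.size_kb -= 500                                    # user archives 500 KB
    results.append(retry(mf, pend, ctl, now_min=10))     # both held messages now fit
    return results
```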
Condition component Description
Value to check in target message item: Specifies the content to search for in the target message item. For example, if the target message item is Attachment Name and the qualifier is “contains,” enter .VBS to create a rule that acts on all messages having an attached file with a name containing the string .VBS, including LOVE-LETTER.VBS, CLICK-THIS.VBS.TXT, and MY.VBS.CARD.EXE.
• Text fields do not support wildcard values, such as the asterisk character (*). To specify a search string for a target field, use the “contains” operator and enter the search string in the accompanying text field. For example, as in the preceding example, to search for an attached file with a name that contains the string .VBS, create the condition “Attachment Name contains .VBS,” not “Attachment Name is *.VBS.”
• Search string text is not case sensitive.
• When indicating numeric values, always enter a numeral, rather than its text equivalent (that is, enter 2, not two).
Field Enter
Maximum message size: The maximum message size in KB (thousands of bytes) the server accepts. The Router rejects any messages that exceed this size for both transfer and delivery. The default is 0 KB, which does not limit message size.
Send all messages as low-priority if message size is between: Choose one: • Enabled • Disabled (default). If you choose Enabled, specify the lower limit of the size range in KB. By default (size range 0 to 0) message priority is not based on size.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
• Total message size is equal to the sum of the message text and the size of all attachments.
• You can change the default hours for routing low-priority mail. For more information, see the topic “Setting transfer limits” later in this chapter.
• You can customize the text of delivery failure messages. For more information, see the topics “Customizing the text of mail failure messages” later in this chapter and “Routing mail by priority” earlier in this chapter.
• On Domino SMTP servers you can use the ESMTP SIZE extension to prevent inbound transfer of messages that exceed the specified maximum message size. You can also use the outbound ESMTP SIZE extension to configure Domino to honor size restrictions on a target server when transferring outbound SMTP mail. For information on setting the inbound and outbound SIZE extensions, see the topics “Supporting inbound SMTP extensions” and “Supporting outbound SMTP extensions” later in this chapter.
Generating delay notifications for deferred low-priority mail
When Domino routes all low-priority mail within the specified
low-priority time range, the affected messages may remain in MAIL.BOX
for a significant amount of time. The delay may be acceptable to users
who sent their messages as low priority, but users may be less forgiving
if their messages were relegated to late-night routing after the Router
automatically demoted their priority — as happens when you set
Domino to change the routing priority of messages above a certain size.
Unexpected routing delays are likely to cause concern and result in calls
to the help desk.
You can configure the Router to notify senders when low-priority mail is
delayed. Of course, you should also educate users about your policy on
routing low-priority mail. When delay notifications are enabled, the
Router delivers a message to the sender of the delayed message that
explains that the message is being held until the specified routing time.
When a message is delayed, users receive an informational Delay report,
which identifies the number and addresses of the intended recipients and
indicates that transfer is delayed until the low-priority time range. The
notification includes the headers of the original message, but not the
message body, and explains that no additional user action is required to
deliver the message. You can also customize the text of the notification to
include additional information.
For information on customizing the text of a delay notification, see the
topic “Customizing the text of mail failure messages” later in this chapter.
You can have the Router deliver delay notifications for every
low-priority message held; for messages held because the sender
designated them as low-priority; or for messages held because Domino
changed the priority for policy reasons — as, for example, when a size
restriction forces a change to the routing priority of a large message.
For information on configuring Domino to send delay notifications when
it holds low-priority messages, see the topic “Setting transfer limits”
earlier in this chapter. For information on setting size limits on messages,
see the topic “Restricting mail routing based on message size” earlier in
this chapter.
Normally, a server sends only one delay notification for each message.
However, restarting a server or Router can result in duplicate delay
notifications. Also, a user may receive multiple delay reports for a
message that is delayed by servers at successive hops along the routing
path. Servers at successive hops can each send a delay report if delay
notifications are enabled and they each receive the message before their
configured low-priority routing time and buffer time.
For example, if a first-hop server has a low-priority range of 12:00 AM to
3:00 AM and receives a low-priority message at 11:30 PM, it generates a
delay notification. At the start of the low-priority routing time, the server
routes the message to the next-hop server. If this server also defers
low-priority mail and has a low-priority range of 4:00 AM to 6:00 AM, it
generates an additional delay notification.
By default, the Router does not send delay notifications for low-priority
messages that a user sends within the low-priority time range or a buffer
time of 30 minutes before the start of the time range. You can alter the
default behavior by adding the variable
RouterLPDelayNotifyBufferTime to the NOTES.INI file and setting its
value to the length of the desired buffer time, in minutes. For example, if
you would like to prevent low-priority messages sent within an hour of
the start of the time range from generating a delay notification, enter the
following line in the NOTES.INI file:
RouterLPDelayNotifyBufferTime=60
Exceptions to sending delay notifications
The Router does not send delay notifications in the following cases:
• If you enabled the following setting in the Configuration Settings document: Router/SMTP - Restrictions and Controls - Advanced - Controls - Advanced transfer controls - Ignore message priority.
• When inbound SMTP messages include a Delivery Status Notification (DSN) request that is set to NOTIFY=NEVER. Only DSN requests with the value NOTIFY=DELAY result in delay notifications.
• If the delayed message is a delivery failure report. For example, if a message is demoted to low priority and delayed because its size exceeds the threshold for normal priority mail, the resulting delay notification (which includes the original message) is not delayed.
• If a Notes client user sets the Delivery Reports option to None in the Delivery Options dialog box.
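As an added illustration (not Domino’s own code), this Python model applies the delay notification rules above, including the four Low-priority delay notifications choices from the transfer controls, the RouterLPDelayNotifyBufferTime buffer and the listed exceptions, to the chapter’s two-hop 11:30 PM example. The hop names, the field names and the reading of the buffer as strictly less than the buffer time are assumptions.

```python
"""Model of when a hop's Router sends a low-priority delay notification,
following this chapter's rules. Constructed illustration, not Domino code."""
from dataclasses import dataclass
from typing import Optional

# The four "Low-priority delay notifications" choices in Transfer Controls
DISABLED, POLICY_ONLY, USER_ONLY, ALL = "disabled", "policy", "user", "all"
MINUTES_PER_DAY = 24 * 60


@dataclass
class TransferControls:
    lp_start: int                      # low-priority routing range, minutes after midnight
    lp_end: int
    delay_notifications: str = DISABLED
    ignore_priority: bool = False      # "Ignore message priority" advanced control
    buffer_min: int = 30               # RouterLPDelayNotifyBufferTime (NOTES.INI), default 30


@dataclass
class Message:
    low_priority: bool
    demoted_by_policy: bool = False    # a size restriction or mail rule set it low
    failure_report: bool = False       # delivery failure reports get no delay report
    dsn_notify: Optional[str] = None   # inbound SMTP DSN request, e.g. "NEVER" or "SUCCESS,DELAY"
    notes_delivery_reports: str = "Default"  # Notes client Delivery Reports option


def in_range(now, start, end):
    """True if `now` falls inside the range; handles ranges that cross midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def minutes_until(start, now):
    return (start - now) % MINUTES_PER_DAY


def is_deferred(ctl, msg, now):
    """Does this hop hold the message until its low-priority window opens?"""
    if ctl.ignore_priority or not msg.low_priority:
        return False
    return not in_range(now, ctl.lp_start, ctl.lp_end)


def delay_notification_due(ctl, msg, now):
    """Apply the mode, the buffer time and the exceptions listed in the chapter."""
    if not is_deferred(ctl, msg, now):
        return False
    if msg.failure_report or msg.notes_delivery_reports == "None":
        return False
    if msg.dsn_notify is not None and "DELAY" not in msg.dsn_notify.upper().split(","):
        return False
    # Assumption: "within the buffer time" means strictly less than buffer_min
    # minutes before the window opens, so a message arriving exactly 30 minutes
    # early (the chapter's 11:30 PM example) is still reported.
    if minutes_until(ctl.lp_start, now) < ctl.buffer_min:
        return False
    mode = ctl.delay_notifications
    if mode == ALL:
        return True
    if mode == POLICY_ONLY:
        return msg.demoted_by_policy
    if mode == USER_ONLY:
        return not msg.demoted_by_policy
    return False


def route_path(hops, msg, sent_at):
    """Walk the message through successive hops. A deferring hop forwards the
    message when its window opens, so the next hop receives it then. Returns
    the names of the hops that sent a delay report."""
    reports = []
    now = sent_at
    for name, ctl in hops:
        if delay_notification_due(ctl, msg, now):
            reports.append(name)
        if is_deferred(ctl, msg, now):
            now = ctl.lp_start
    return reports


# The chapter's two-hop example: first hop routes low priority 12:00-3:00 AM,
# second hop 4:00-6:00 AM, message sent at 11:30 PM. Hop names are constructed.
HOPS = [
    ("Hub1", TransferControls(lp_start=0, lp_end=3 * 60, delay_notifications=ALL)),
    ("Hub2", TransferControls(lp_start=4 * 60, lp_end=6 * 60, delay_notifications=ALL)),
]
```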
Restricting users from sending mail to groups listed in the Domino Directory
By default, all users can send mail to groups defined in the Domino
Directory. To reduce unnecessary mail traffic, you can edit the reader
fields for a Group document to restrict access to the group, specifying the
users who are allowed to send mail to the group. Only users to whom
you grant reader access can send mail addressed to the group. Users who
do not have access to the group can see the group name listed in the
Domino Directory and choose the name in the Select Addresses dialog
box, but the Router rejects the message if they attempt to send a message
to the group.
The restrictions apply to messages sent to either a group’s Notes address
or its Internet address and to messages originating from a Notes client as
well as messages sent and received over SMTP (as from an IMAP or
Notes client). From a Notes client, a user who does not have permission
to use the group receives an error when attempting to send mail to the
restricted group. If the same user attempts to mail from a POP3 or IMAP
client, the Router generates a nondelivery report indicating that the
sender is not authorized to send mail to the specified recipient.
To restrict users from sending mail to a group
1. From the Domino Administrator, click the People & Groups tab,
expand the Domino Directory that contains the group you want to
restrict access to, and select the Groups view.
2. Right-click the Group document to manage and choose Document
Properties.
3. Select the Security tab (the Key).
4. Deselect the All readers and above checkbox to enable editing of the
readers list.
5. To enable a user to send mail to the group, select the user’s name in
the list.
6. To provide access to users not listed, click the Person icon to the
right, add the name in the Select Names dialog box, and click OK.
The user’s name appears at the bottom of the list with a check next
to it.
7. Deselect the names of users you want to prevent from sending mail
to the group, including the Anonymous entry.
8. Close the Document Properties dialog box.
Setting transfer limits
Transfer controls affect how Domino transfers messages between servers.
They control the number of threads used, the number of hops allowed
before a message fails, the low-priority mail routing time range, and the
time-out and purge intervals. Transfer controls apply to both SMTP and
Notes routing.
To set message transfer controls
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Transfer
Controls tab.
6. Complete these fields in the Transfer Controls section, and then click
Save & Close:
Field Enter
Maximum transfer threads: The maximum number of server threads Domino creates to transfer messages to all other servers. The value applies to both Notes routing and SMTP. The Router sets a default maximum number of transfer threads based on server memory. Letting the Router select the maximum number is usually best. If you set the maximum number manually, set the maximum to between 1 and 25 threads, depending on server load.
Field Enter
Maximum concurrent transfer threads: The maximum number of server threads the Domino Router can use to transfer messages to a single destination. The value applies to both Notes routing and SMTP. If no value is specified, the default value is equal to one-half of the maximum transfer threads, rounded down to the nearest integer. For example, if the maximum transfer threads is 5, the maximum concurrent transfer threads defaults to 2. On servers that send outbound Internet mail to an SMTP relay host, this setting effectively defines the total threads available for transferring mail to the relay host. By default, when transferring messages over Notes routing from one Domino domain to another, the Router does not use multiple concurrent threads. To enable use of multiple concurrent transfer threads between Domino domains, add the variable RouterAllowConcurrentXFERToALL to the server’s NOTES.INI file.
Field Enter
Low-priority delay notifications: If you configure the Router to hold low-priority messages until a given time period, message originators may not be aware of the reason for the delay. To inform senders when low-priority messages are delayed, have the Router automatically generate delay notifications. The Router can either generate delay notifications for every low-priority message it holds or when it holds messages for a specific reason only. Choose one:
• Disabled — The Router does not notify senders when messages are delayed for priority reasons.
• Only if priority changed for policy reasons — The Router notifies senders of priority-related delays only for messages that were designated low-priority as the result of a configured mail rule or size restriction.
• Only if user requested low-priority — The Router notifies senders of priority-related delays only for messages that the sender designated as low-priority.
• All low-priority messages — The Router notifies senders of priority-related delays for all low-priority messages.
Domino Release 5.0.x used the variable RouterLowPriorityDelayNotify in the server’s NOTES.INI file to control the use of low-priority delay notifications. If this setting is present, it takes precedence over the setting specified in the Configuration Settings document.
Initial transfer retry interval: The time (in minutes) that the Router waits after a message transfer failure before retrying the transfer. If failure recurs, Domino doubles the interval before a second retry. If additional retries are needed, they occur at three times the initial retry value. The default interval is 15 minutes. Lower values increase the retry attempts per hour and could possibly increase the success rate of routing the messages. Higher values decrease the retry attempts per hour, resulting in longer routing times. The Router continues attempts to transfer a pending message until the age of the message reaches the configured time-out value (by default, 24 hours). After a message times out, the Router generates a delivery failure report to the sender.
Expired message purge interval: Specifies, in minutes, how often the Router checks MAIL.BOX for expired messages to purge. The default is 15 minutes.
Field Enter
Ignore message priority
  Choose one:
  • Enabled — The Router sends all messages as Normal priority.
  • Disabled — (default) The Router honors message priority settings
    assigned by the sender or another server process.
  Do not enable this setting if you restricted Domino to routing
  messages of a specified size as low priority and want to confine
  routing of large messages to the specified low-priority routing time.
Field Enter
Restrict name lookups to primary directory only
  Choose one:
  • Enabled — Users can look up names and groups only in the Domino
    Directory for the server’s Domino domain. Users cannot look up
    names and groups in other directories that are available through
    Directory Assistance.
  • Disabled — (default) Users can look up names and groups in any
    directories available from the server.
Cluster failover
  Choose one:
  • Disabled — If a recipient’s server is unavailable, the Router does
    not automatically route mail through a clustered server.
  • Enabled for last hop only — (default) When the Router detects that
    a recipient’s mail server (the last hop in the routing path) is
    unavailable, it attempts to locate a clustered server and transfer
    the message to that server. For example, Server1 routes a message
    addressed to Jane Doe, whose mail file is on Server3. Server1 fails
    to connect to Server3, which is unavailable. Server1 checks the
    Domino Directory to see if there are any servers clustered with
    Server3. Server2 is clustered with Server3, so the Router on Server1
    attempts to connect to Server2. If the connection is successful,
    the Router transfers the message to Server2.
  • Enabled for all transfers in this domain — When the Router detects
    that a server for any hop in the routing path is unavailable, it
    attempts to locate a server clustered with that hop server. If the
    Router can find another clustered server, it transfers the message
    to that server. For example, if the Router on Server1 attempts to
    transfer to HubA but HubA is unavailable, the Router checks the
    Domino Directory to see if there are any servers clustered with
    HubA. Because HubB is clustered with HubA, the Router attempts to
    connect to HubB. If the connection is successful, the Router
    transfers the message from Server1 to HubB, which continues routing
    the message.
Field Enter
Hold undeliverable mail
  Choose one:
  • Enabled — When the Router cannot transfer or deliver a message, it
    leaves the message in MAIL.BOX rather than generate a delivery
    failure report. Select this option if you want to be able to
    examine messages with failures. You can then access these messages
    and either release them, forward them, or delete them.
  • Disabled — (default) When the Router cannot deliver a message, it
    generates a delivery failure report.
  If you configure MAIL.BOX to hold undeliverable messages, examine the
  database frequently to check for accumulated messages.
Method Description
Text file
  The Router adds customized text to failure messages from external
  files. For each condition listed, enter the complete path to a text
  file that contains customized text you want to add to the default
  failure message.
Text
  The Router adds customized text to failure messages from text entered
  in the Configuration Settings document. For each condition listed,
  enter the customized text you want to add to the default failure
  message.
Field Enter
Transfer failure
  Transfer failures occur when there is a transient connection failure
  between the servers — for example, a network problem. If you specified
  Text in Step 6, enter text to add to the default transfer failure
  message; otherwise specify the path to a file containing the text —
  for example, C:\DOMINO\DATA\TRANSFER.TXT.
Delivery failure
  Delivery failures occur when the server is unable to deliver the
  message to the recipient’s mail file — for example, if the recipient’s
  mail file has moved and the Domino Directory has not been properly
  updated. If you specified Text in Step 6, enter text to add to the
  default delivery failure message; otherwise specify the path to a file
  containing the text — for example, C:\DOMINO\DATA\DELIVER.TXT.
Message expiration
  Message expiration failures occur when Domino cannot transfer the
  message to its destination in a given period of time. If you specified
  Text in Step 6, enter text to add to the default message expiration
  notification; otherwise specify the path to a file containing the
  text — for example, C:\DOMINO\DATA\EXPIRE.TXT.
Domain failure
  Domain failures occur when Domino cannot identify the destination
  domain for a recipient of a message. For example, if you send a
  message to jdoe@lotus.com and Domino cannot locate lotus.com in either
  the Domino Directory or the DNS, the server generates a domain failure
  message. If you specified Text in Step 6, enter text to add to the
  default message for domain failures, or specify the path to a file
  containing the text — for example, C:\DOMINO\DATA\DOMAIN.TXT.
Server failure
  Server failures occur when Domino cannot connect to the destination
  server. For example, if you send a message to jdoe@lotus.com, and DNS
  instructs you to send mail for the lotus.com domain to mail1.lotus.com
  but Domino cannot connect to mail1.lotus.com, the sending Domino
  server generates a server failure message. If you specified Text in
  Step 6, enter text to add to the default message for server failures;
  otherwise, specify the path to a file containing the text — for
  example, C:\DOMINO\DATA\SERVER.TXT.
Username failure
  User name failures occur when Domino cannot match the local part of an
  address to a recipient. For example, if you send a message to
  jdoe@lotus.com, but Domino cannot find jdoe in the Domino Directory,
  the server generates a user name failure message. If you specified
  Text in Step 6, enter text to add to the default message for user name
  failures; otherwise, specify the path to a file containing the text —
  for example, C:\DOMINO\DATA\USER.TXT.
Delay notification
  Low-priority routing delays occur when the Router holds a low-priority
  message in MAIL.BOX until the specified low-priority routing time
  (12:00 AM to 6:00 AM by default). If low-priority delay notifications
  are enabled for the message, the Router sends a delay notification to
  the originator’s address. If you specified Text in Step 6, enter text
  to add to the default low-priority delay notification; otherwise,
  specify the path to a file containing the text — for example,
  C:\DOMINO\DATA\DELAY.TXT.
  Domino Release 5.0.x specified this file using the
  MailTextFileForTransferDelays setting in the server’s NOTES.INI file.
  If this setting is present, it takes precedence over the setting
  specified here.
Quota warning notification
  The Router sends quota warning notifications to users whose mail files
  exceed their configured quota warning threshold. If you specified Text
  in Step 6, enter text to add to the default quota warning
  notification; otherwise, specify the path to a file containing the
  text — for example, C:\DOMINO\DATA\WARNING.TXT.
Quota error notification
  The Router sends quota error notifications to users whose mail files
  exceed their configured quota. If you specified Text in Step 6, enter
  text to add to the default quota error notification; otherwise,
  specify the path to a file containing the text — for example,
  C:\DOMINO\DATA\QUOTA.TXT.
Field Enter
Schedule
  Choose one:
  • Enabled to use this schedule to control connections between the
    specified servers.
  • Disabled to cause the server to ignore the schedule.
Field Enter
Routing task
  Choose one or more:
  • Mail Routing — (default) Enables Notes mail routing between the
    servers
  • X400 Mail Routing — Enables routing of X.400 mail between servers
    in a system with an X.400 Message Transfer Agent
  • SMTP Mail Routing — Enables routing of Internet mail to a server
    that can connect to the Internet
  • ccMail Routing — Enables routing of cc:Mail mail between servers in
    a system with a cc:Mail Message Transfer Agent
  • None — The Connection document is not used to route mail between
    the servers
9. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
For more information on Router types, see the chapter “Setting Up Mail
Routing.”
Example: Scheduling immediate 24 x 7 routing
To route mail immediately 24 hours a day, 7 days a week, create a
routing schedule for a 24-hour, 7-day period. Then set routing to begin as
soon as MAIL.BOX contains a single pending message.
1. Complete these fields in the Scheduled Connection section of the
Connection document:
Field Enter
Schedule
  Enabled
Call at times
  12:00 AM - 12:00 PM
Repeat interval
  Blank
Days of week
  Select Sun, Mon, Tue, Wed, Thu, Fri, Sat
Field Enter
Route at once if
  1 message pending
Field Enter
Routing cost
  A number from 1 to 10. The default is 1. The Router chooses
  connections with lower cost first; for example, the Router chooses a
  connection with a cost of 2 over a connection with a cost of 3.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
Restricting mail routing based on Domino domains, organizations,
and organizational units
You can use two methods to restrict how mail routes over Notes routing
in your infrastructure.
  • Create Adjacent domain documents in the Domino Directory to keep
    users from routing mail through your domain to another domain. For
    example, if you have a connection from your domain, Acme, to the
    Lotus domain and the IBM domain, you might set up an Adjacent domain
    document to keep users in the Lotus domain from routing to the IBM
    domain through the Acme domain. Using these restrictions reduces the
    mail load on your system. Adjacent domain documents keep users from
    using your domain as a Notes mail relay.
    For more information on Adjacent domain documents, see the chapter
    “Setting Up Mail Routing.”
  • Specify restrictions in the Configuration Settings document in the
    Domino Directory to restrict mail from specified Domino domains.
To restrict Notes mail routing
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration document for the mail server or servers you
want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Restrictions tab.
Customizing the Domino Mail System 28-55
Mail
6. Complete these fields in the Router Restrictions section, and then
click Save & Close:
Field Enter
Allow mail only from domains
  Domino domains from which the server accepts mail. If you enter Domino
  domains in this field, only messages from those domains can enter your
  domain over Notes routing. Domino denies mail from all other Domino
  domains. For example, if you enter Lotus in the field, Domino accepts
  only messages sent from the Lotus domain to your users. Domino denies
  messages sent from all other Domino domains.
  This restriction does not affect mail in the local Domino domain.
Deny mail from domains
  Domino domains from which the server denies mail. If you enter Domino
  domains in this field, all messages except those from the domains
  listed in this field can route to your users. For example, if you
  enter Lotus in the field, Domino accepts messages from all Domino
  domains except the Lotus domain. Domino denies messages from the Lotus
  domain.
  This restriction does not affect mail in the local Domino domain.
Allow mail only from the following organizations and organizational units
  Organizations and/or organizational units from which the server
  accepts mail. If you enter organizations and/or organizational units
  in this field, only messages from users in those organizations and/or
  organizational units can enter your domain over Notes routing. Domino
  denies mail from all other organizations and/or organizational units.
  For example, if you enter */East/Lotus in the field, Domino accepts
  only messages from the /East/Lotus organizational unit to your users.
  Domino denies messages from organizations and/or organizational units
  other than */East/Lotus.
Deny mail only from the following organizations and organizational units
  Organizations and/or organizational units from which the server does
  not accept mail. If you enter organizations or organizational units in
  this field, all messages except those from users in the organizations
  and/or organizational units in this field can enter your domain over
  Notes routing. Domino denies mail only from organizations and/or
  organizational units in this field. For example, if you enter
  */West/Lotus in the field, Domino accepts messages from all
  organizations and organizational units except /West/Lotus. Domino
  denies messages from the /West/Lotus organizational unit.
Note If you specify the same entry in an Allow field and a Deny
field so there is a conflict between the two fields, Domino denies
messages for that entry. The Deny setting takes precedence for
security reasons. Avoid placing the same entry in both the Allow and
Deny fields for the same setting.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
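The following is an added example, not code from the Domino documentation or product: it models how the four Router Restrictions fields above are evaluated for a message arriving over Notes routing, including the local-domain exemption and the rule that a Deny entry wins over an Allow entry. The reason strings, the hierarchical-name matching helper and the assumption that the local-domain exemption applies only to the two domain fields are this example's own.

```python
"""Added example (not Domino code): evaluate Router Restrictions for a
Notes-routed message. Deny entries take precedence over Allow entries."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class RouterRestrictions:
    """Mirrors the four Router Restrictions fields plus the server's own domain."""
    local_domain: str
    allow_domains: List[str] = field(default_factory=list)
    deny_domains: List[str] = field(default_factory=list)
    allow_orgs: List[str] = field(default_factory=list)   # e.g. "*/East/Lotus"
    deny_orgs: List[str] = field(default_factory=list)    # e.g. "*/West/Lotus"


def name_matches(entry: str, sender: str) -> bool:
    """Match one organization/OU entry against an abbreviated hierarchical
    sender name such as 'Jane Doe/East/Lotus' (case-insensitive).
    '*/East/Lotus' matches every name that ends in '/East/Lotus'; an entry
    without the leading wildcard must equal the sender name exactly.
    (Matching rule assumed for this example.)"""
    entry = entry.strip().lower()
    sender = sender.strip().lower()
    if entry.startswith("*/"):
        return sender.endswith(entry[1:])        # entry[1:] keeps the leading "/"
    return entry == sender


def domain_listed(domain: str, entries: List[str]) -> bool:
    """Domino domain names are compared case-insensitively."""
    return domain.strip().lower() in {e.strip().lower() for e in entries}


def org_listed(sender: str, entries: List[str]) -> bool:
    return any(name_matches(e, sender) for e in entries)


def router_accepts(cfg: RouterRestrictions, sender_domain: str,
                   sender_name: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a message from sender_name in sender_domain."""
    # The page states the local-domain exemption for the two domain fields
    # only, so this example still evaluates the organization fields for
    # local mail (an assumption of the example).
    if sender_domain.strip().lower() != cfg.local_domain.strip().lower():
        # Deny is checked first: a domain listed in both fields is denied.
        if domain_listed(sender_domain, cfg.deny_domains):
            return False, "domain listed in Deny mail from domains"
        if cfg.allow_domains and not domain_listed(sender_domain, cfg.allow_domains):
            return False, "domain not listed in Allow mail only from domains"
    if org_listed(sender_name, cfg.deny_orgs):
        return False, "organization/OU listed in Deny field"
    if cfg.allow_orgs and not org_listed(sender_name, cfg.allow_orgs):
        return False, "organization/OU not listed in Allow field"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed configuration: server in domain Acme, IBM denied, only
    # */East/Lotus allowed, but the Sales OU under it denied.
    cfg = RouterRestrictions(local_domain="Acme",
                             deny_domains=["IBM"],
                             allow_orgs=["*/East/Lotus"],
                             deny_orgs=["*/Sales/East/Lotus"])
    for domain, name in [("Lotus", "Jane Doe/East/Lotus"),
                         ("Lotus", "Bob Roe/West/Lotus"),
                         ("Lotus", "Sam Poe/Sales/East/Lotus"),
                         ("IBM", "Jane Doe/East/Lotus")]:
        print(f"{name} @ {domain}: {router_accepts(cfg, domain, name)}")
```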
Customizing SMTP Routing
If you enabled SMTP routing, you can customize it by:
  • Stopping and starting the SMTP service
  • Changing the inbound and outbound SMTP port settings
  • Restricting inbound SMTP routing
  • Restricting outbound SMTP routing
  • Specifying inbound and outbound MIME settings
Stopping and starting the Domino SMTP service
The Domino SMTP service, or SMTP Server task, runs the SMTP listener,
which checks for incoming SMTP connections and messages. SMTP
messages can originate from any Internet host or another Domino Server
in your domain. For Domino to receive inbound SMTP mail, the SMTP
listener must be running on the server.
The SMTP service does not control SMTP routing. SMTP routing is
handled by the server’s Router task.
If the SMTP listener task is enabled on the Basics tab of the Server
document, the SMTP service starts automatically when you start the
server. You can stop and start the SMTP service manually from the
Domino Administrator client or the server console. The following table
shows how to restart, stop, and start the SMTP service using both
methods.
Start the SMTP service
  From the Domino Administrator:
  1. Click the Server - Status tab and select the Server Tasks view.
  2. Click Tools - Task - Start.
  3. From the list of server tasks, select SMTP Server.
  From the server console, enter: Load SMTP
Note The SMTP Server task is represented in the server task list by
three related subtasks. The status of all three tasks changes when you
change the status of any one of them.
As an alternative to restarting the SMTP service to incorporate
configuration updates, you can use a console command to refresh SMTP
service parameters.
For information on using a console command to refresh the SMTP
configuration, see the chapter “Setting Up Mail Routing.”
Changing SMTP port settings
You can modify inbound and outbound SMTP port settings.
  • Inbound SMTP port settings determine how the Domino SMTP listener
    receives SMTP connections from other servers. For inbound
    connections, you can specify the port numbers, port status, and
    authentication methods required for both TCP/IP and SSL ports.
    For more information, refer to the topic “Changing the inbound SMTP
    port settings” later in this chapter.
28-58 Administering the Domino System, Volume 1
  • Outbound SMTP settings determine how Domino makes SMTP connections
    to other servers. For outbound connections, you can change the
    default port numbers and status of the TCP/IP and SSL ports.
    For more information, refer to the topic “Changing the outbound SMTP
    port settings” later in this chapter.
Configuring SMTP authentication options on servers that use
Internet Site documents
On servers that use Internet Site documents, the SMTP service obtains
inbound port authentication settings from the Security tab of the SMTP
Site document, rather than from the Server document. As a result, when
Internet Site documents are used, the TCP/IP and SSL port
authentication settings described in the procedures that follow are not
available in the Server document. Settings in the Server document
continue to provide the inbound SMTP port number and status and
determine whether the Domino server allows incoming connections from
the authenticated user.
To determine whether the use of Internet Site documents is enabled for a
server, check the value of the following field on the Basics tab of the
Server document: “Load Internet configurations from Server\Internet
Sites documents.” If this field is set to “Enabled,” the server uses Internet
Site documents to configure all of its Internet protocols (SMTP, POP3,
IMAP, and so forth).
If the server uses Internet Site documents, and an Inbound SMTP Site
document is not present in the Domino Directory, or the authentication
options in a configured Inbound SMTP Site document are set to No, the
SMTP service rejects incoming connections. In each case, connecting
hosts receive the following error when attempting to authenticate with
the SMTP service:
This site is not enabled on the server.
For information on creating and using Internet Site documents, see the
chapter “Installing and Setting Up Domino Servers.”
Ensuring that SMTP clients can connect to a nonstandard port
Because remote SMTP clients attempt to connect to port 25 by default, if
you specify a different port number, be sure to configure connecting
clients to use the new port, otherwise inbound SMTP connections will
fail. This can cause routing problems, especially if the server with the
nonstandard SMTP port acts as a relay host for outbound Internet mail.
To configure your other Domino servers to transfer outbound SMTP mail
to a nonstandard SMTP port, change the Outbound SMTP setting on the
Port - Internet Ports - Mail tab of the Server document.
For example, if a server must initiate an SMTP session with a receiving
server on which the SMTP task is listening on port 26, set the SMTP
Outbound port to 26 on the Server document of the initiating server.
Configuring SMTP port security
To prevent unauthorized access to the SMTP Listener and to protect
SMTP sessions from eavesdropping, you can require users and servers to
provide name and password credentials to authenticate with the server,
and you can enable the use of SSL to encrypt both inbound and
outbound SMTP sessions.
On servers that support SSL, you can encrypt SMTP mail sessions by
having the server send and receive mail over the SSL port (port 465 by
default). Domino also supports negotiated SSL for both inbound and
outbound sessions, which allows for encryption over the TCP/IP port
between servers that support the STARTTLS command.
For information on the STARTTLS command, see the topic “Securing
SMTP sessions using the STARTTLS command” later in this chapter.
You can restrict access to the SMTP listener so that only users who are
allowed to access the server can connect to the server’s inbound SMTP
port. For more information on securing the SMTP port, refer to the topic
“Changing the inbound SMTP port settings” later in this chapter. For
more information on restricting server access, see the chapter
“Controlling Access to Domino Servers.”
Changing the inbound SMTP port settings
Inbound port settings affect how other SMTP hosts connect to Domino.
For inbound connections, you can specify TCP/IP port settings and SSL
port settings. For both ports you can define port numbers, port status,
and the supported authentication methods.
Configuring SMTP authentication options on servers that use
Internet Site documents
On servers that use Internet Site documents, the SMTP service obtains
port authentication settings from the Security tab of the SMTP Inbound
Site document, rather than from the Server document. As a result, when
Internet Site documents are used, you cannot use the Server document to
configure TCP/IP and SSL authentication settings for the SMTP port.
Settings in the Server document still provide the port numbers and status
for the SMTP TCP/IP and SSL ports, and enable the SMTP ports to honor
server access restrictions.
To determine whether the use of Internet Site documents is enabled for a
server, check the value of the following field on the Basics tab of the
Server document: “Load Internet configurations from Server\Internet
Sites documents.” If this field is set to “Enabled,” the server uses Internet
Site documents to configure all of its Internet protocols (SMTP, IMAP,
POP3, and so forth).
If the server uses Internet Site documents, then you must use Site
documents to configure all Internet protocols on the server. If an SMTP
Site document is not present in the Domino Directory, or the
authentication options in a configured SMTP Site document are set to
No, users cannot connect to the SMTP service. In each case, SMTP clients
receive the following error when attempting to connect to the SMTP
service:
This site is not enabled on the server.
For information on creating and using Internet Site documents, see the
chapter “Installing and Setting Up Domino Servers.”
Changing the default port number
By default, after you enable the SMTP task, it “listens” for client
connections on TCP/IP port 25 on the Domino server. The default SMTP
SSL port is port 465. In some cases — for example, on partitioned servers
— you might need to specify a port number other than the default to
avoid conflicts. You might also change the default port to a nonstandard
port number to “hide” it from clients attempting to connect to the default
port or if another application uses the default port on the server.
Disabling the SMTP inbound TCP/IP port or SSL port prevents other
servers from accessing the SMTP Listener on that port.
Note On servers with multiple TCP/IP ports, by default, the SMTP
service uses the port listed first in the NOTES.INI file as the preferred
path. You can configure the service to use a different port.
For information on configuring the SMTP service on a server with
multiple TCP/IP ports to use a specific TCP/IP port, see the chapter
“Setting Up the Domino Network.”
Changing the default SMTP greeting
You can modify the default reply that the SMTP service sends in
response to a connecting host. By default, the Domino SMTP server
reveals its host name and software version to connecting clients. For
security reasons, you can change the default greeting so that the server
does not disclose essential information. Use the variable SMTPGreeting
in the NOTES.INI file to customize the SMTP service greeting.
To change inbound SMTP TCP/IP port settings
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the SMTP
service.
2. Click the Ports - Internet Ports - Mail tab.
3. In the Mail (SMTP Inbound) column, complete these fields, and then
click Save & Close:
Field Enter
TCP/IP port number
  Choose 25 (default) to use the industry standard port for SMTP
  connections over TCP/IP. You can specify a different port, but 25
  works in most situations. When specifying a nonstandard port, make
  sure the port is not reserved for another service. Port numbers can
  be any number from 1 to 65535.
TCP/IP port status
  Choose one:
  • Enabled (default) — SMTP clients can connect to the Domino SMTP
    service using the designated TCP/IP port. Depending on the
    authentication options you choose, users may have to supply a user
    name and Internet password to connect.
  • Disabled — SMTP clients cannot connect to the Domino SMTP service
    using the TCP/IP port.
Field Enter
Authentication options: Name & password
  Choose one:
  • Yes — Sets the ESMTP AUTH extension for the TCP/IP port. Domino
    advertises AUTH=LOGIN to connecting SMTP clients. Clients must
    supply a user name and Internet password to connect to the SMTP
    service over the TCP/IP port and transfer mail. Remote SMTP servers
    that do not support the AUTH extension cannot connect to the SMTP
    service over this port. When Name and password authentication is
    enabled, you can specify whether authenticated POP3 and IMAP users
    sending mail to the SMTP port are subject to anti-relay
    enforcement.
  • No — (default) Domino does not support Name-and-password
    authentication over the TCP/IP port. If you choose No, you must
    enable Anonymous connections to allow SMTP connections to this
    port.
  On servers supporting negotiated SSL on the inbound TCP/IP port
  (STARTTLS), the setting in the SSL Name & password field — not the
  setting in the TCP/IP Name & password field — determines whether the
  server accepts SMTP AUTH commands for SSL-over-TCP/IP sessions. For
  information about enabling support for STARTTLS, see the topic
  “Supporting inbound SMTP extensions” later in this chapter.
Authentication options: Anonymous
  If the TCP/IP port status is set to Enabled, choose one:
  • Yes — (default) The SMTP service allows clients and servers to
    connect to the TCP/IP port anonymously to transfer mail. If both
    Name and password and Anonymous authentication are enabled (set to
    Yes), the port allows connections from SMTP hosts that supply a name
    and password as well as those that connect anonymously.
  • No — The SMTP service does not allow anonymous connections over the
    TCP/IP port. SMTP hosts can connect to the TCP/IP port only if
    Name & password authentication for the port is set to Yes, and the
    connecting host must send the SMTP AUTH command.
Note If you enable the TCP port, at least one authentication option
must be set to Yes to save the document.
Note To support inbound SMTP connections, the server must have
at least one SMTP port enabled and be running the SMTP task.
4. Restart the SMTP task to put the new settings into effect.
As an alternative to restarting the SMTP service to incorporate
configuration updates, you can use a console command to refresh
SMTP service parameters.
For information on using a console command to refresh the SMTP
configuration, see the chapter “Setting Up Mail Routing.”
If you change the default SMTP port, inbound SMTP connections fail if
the connecting host is not configured to use the new port. See the topic
“Ensuring that SMTP clients can connect to a nonstandard port” earlier
in this chapter for information about configuring Domino servers to
connect to nonstandard SMTP ports.
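As an added check (example code, not part of the Domino documentation or product), the block below audits a captured SMTP greeting and EHLO reply for the two points this section makes: whether the 220 banner discloses the software version, which is what the SMTPGreeting NOTES.INI variable is used to change, and whether AUTH is advertised on the plaintext TCP/IP port without STARTTLS being offered. The sample banner and EHLO lines are constructed for the example; the function and pattern names are its own.

```python
"""Added example (not Domino code): audit an SMTP banner and EHLO reply for
version disclosure and for AUTH offered on a plaintext port without STARTTLS."""
import re
from typing import Dict, List

# Constructed sample: a default-style banner naming the product and release,
# and an EHLO reply advertising AUTH=LOGIN while not offering STARTTLS.
SAMPLE_BANNER = "220 mail.acme.com ESMTP Service (Lotus Domino Release 6.0) ready"
SAMPLE_EHLO = [
    "250-mail.acme.com Hello smtp.abc.com",
    "250-SIZE 10485760",
    "250-AUTH=LOGIN",
    "250-AUTH LOGIN",
    "250 8BITMIME",
]

# "Release 6.0", "version 1.2", "v7" and similar tokens in a banner.
VERSION_PATTERN = re.compile(r"\b(release|version|v)\s*\d+(\.\d+)*", re.IGNORECASE)


def parse_ehlo(lines: List[str]) -> List[str]:
    """Return the EHLO keywords (first word after the '250-' / '250 ' prefix),
    skipping the first line, which only carries the server's greeting text."""
    keywords = []
    for line in lines[1:]:
        body = line[4:].strip()          # drop "250-" or "250 "
        if body:
            keywords.append(body.split()[0].upper())
    return keywords


def audit_smtp_port(banner: str, ehlo_lines: List[str]) -> Dict[str, bool]:
    """Flag the two risks discussed in the text for one inbound TCP/IP port."""
    keywords = parse_ehlo(ehlo_lines)
    offers_auth = any(k.startswith("AUTH") for k in keywords)
    offers_starttls = "STARTTLS" in keywords
    return {
        # The default Domino greeting reveals host name and software version.
        "banner_discloses_version": bool(VERSION_PATTERN.search(banner)),
        "advertises_auth": offers_auth,
        "advertises_starttls": offers_starttls,
        # Name & password enabled on the TCP/IP port with no negotiated SSL
        # means the LOGIN credentials would cross the network unencrypted.
        "auth_without_starttls": offers_auth and not offers_starttls,
    }


if __name__ == "__main__":
    for name, value in audit_smtp_port(SAMPLE_BANNER, SAMPLE_EHLO).items():
        print(f"{name}: {value}")
```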
To change inbound SMTP SSL port settings
1. Familiarize yourself with the Domino security model.
2. To secure SMTP sessions using SSL, set up SSL on the Domino
server.
3. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the SMTP
service.
4. Click the Ports - Internet Ports - Mail tab.
5. In the Mail (SMTP Inbound) column, complete these fields, and then
click Save & Close:
Field Enter
SSL port number
  Choose 465 (default) to use the industry standard port for SMTP
  connections over SSL. You can specify a different port, but 465 works
  in most situations. When specifying a nonstandard port, make sure the
  port is not reserved for another service. Port numbers can be any
  number from 1 to 65535.
SSL port status
  Choose one:
  • Enabled — SMTP clients can connect to the Domino SMTP service using
    the designated SSL port.
  • Disabled (default) — SMTP clients cannot connect to the Domino SMTP
    service using the designated SSL port.
Field Enter
Authentication options: Name & password
  Choose one:
  • Yes — Enables the SSL port to support the SMTP AUTH command. POP3
    and IMAP clients, and remote SMTP servers that send AUTH, must
    supply a name and password to connect to the SMTP service over the
    SSL port and transfer mail. To allow remote SMTP servers that do
    not send the SMTP AUTH command to connect to the SMTP service over
    this port, set Anonymous authentication to Yes.
  • No — (default) Domino does not support name and password
    authentication for hosts connecting to the SMTP service over the
    SSL port. If a connecting host sends AUTH, Domino rejects the
    command and returns an error indicating that the command is not
    implemented. If you choose No, you must set Anonymous
    authentication to Yes to allow SMTP connections to this port.
  On servers supporting negotiated SSL on the inbound TCP/IP port
  (STARTTLS), the setting in the SSL Name & password field — not the
  setting in the TCP/IP Name & password field — determines whether the
  server accepts SMTP AUTH commands for SSL-over-TCP/IP sessions.
Authentication options: Anonymous
  If the “SSL port status” field is set to Enabled, choose one:
  • Yes — (default) The SMTP service allows clients and servers to
    connect to the SSL port anonymously to transfer mail. If Anonymous
    is set to Yes and Name and password authentication is also set to
    Yes, IMAP and POP3 clients are prompted to supply a name and
    password when connecting to this port, but servers can connect
    anonymously.
  • No — The SMTP service does not allow anonymous connections over the
    SSL port. IMAP and POP3 clients, and servers that send the SMTP AUTH
    command, may connect to the SSL port if you set Name and password
    authentication for the port to Yes.
6. Restart the SMTP task to put the new settings into effect.
As an alternative to restarting the SMTP service to incorporate
configuration updates, you can use a console command to refresh
SMTP service parameters.
For information on using a console command to refresh the SMTP
configuration, see the chapter “Setting Up Mail Routing.”
If you change the default SSL port, inbound SMTP SSL connections fail
unless the connecting host is configured to use the new port.
For information about configuring Domino servers to connect to
nonstandard SMTP ports, see the topic “Ensuring that SMTP clients can
connect to a nonstandard port” earlier in this chapter.
For information about enabling support for STARTTLS, see the topic
“Securing SMTP sessions using the STARTTLS command” later in this
chapter.
Changing outbound SMTP port settings
Outbound SMTP port settings affect how Domino connects to other
SMTP servers. Change the default port numbers and the status of the
TCP/IP and SSL ports to match the settings on servers to which this
server sends SMTP mail.
The outbound port settings apply to all outbound SMTP sessions. If you
change an outbound port number to a nonstandard value, the server
cannot establish SMTP connections with servers that listen for SMTP
requests on the standard port. Similarly, if you set up the server to send
SMTP over SSL only, disabling the outbound SMTP TCP/IP port, the
server cannot establish SMTP connections with a remote server that
accepts SMTP connections over the TCP/IP port only.
To change outbound SMTP port settings
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the SMTP
service.
2. Click the Ports - Internet Ports - Mail tab.
3. In the Mail (SMTP Outbound) column, complete these fields, and
then click Save & Close:
Field Enter
TCP/IP port number
  The number of the TCP/IP port on the remote server to which Domino
  attempts to connect when initiating an SMTP session. The default and
  industry standard port for SMTP connections over TCP/IP is 25. Specify
  a nonstandard port only if this Domino server makes all of its
  outbound SMTP connections over TCP/IP to a server that uses the
  nonstandard port.
TCP/IP port status
  Choose one:
  • Enabled — The Domino SMTP Router connects to the designated TCP/IP
    port number on a remote server to initiate an SMTP session. If the
    SSL port status is also set to Enabled, the Router attempts to use
    the SSL port first and uses the TCP/IP port only if it cannot
    connect to the SSL port.
  • Disabled (default) — The Domino SMTP Router cannot initiate an SMTP
    session using the TCP/IP port on a remote server.
Field: Verify connecting host name in DNS
Enter: Choose one:
• Enabled — Domino verifies the name of the connecting host by
performing a reverse DNS lookup. Domino checks DNS for a PTR record that
matches the IP address of the connecting host to a host name. If Domino
cannot determine the name of the remote host because DNS is not available
or no PTR record exists, it does not allow the host to transfer mail.
Although Domino accepts the initial connection, later in the SMTP
transaction it returns an error to the connecting host in response to the
MAIL FROM command. Internet SMTP hosts are not required to have PTR
entries in DNS. As a result, when this field is enabled, the SMTP task may
reject connections from valid SMTP hosts.
• Disabled — (default) Domino does not check DNS to verify the name of
the connecting host.
Field: Allow connections only from the following SMTP Internet host
names/IP addresses
Enter: The host names and/or IP addresses allowed to connect to the SMTP
service on this server. If you enter host names and/or IP addresses in
this field, only servers matching these entries can connect to the SMTP
listener; connection requests from all other servers are denied. Enter IP
addresses in brackets — for example, [192.168.10.17]. Host name entries
may be complete, as in the fully qualified host name of a particular
server, or partial and imply the existence of a wildcard. That is, if you
enter:
abc.com
Domino accepts only connections from mail hosts in the domains
represented by *abc.com, that is, all host names ending in abc.com,
including smtp.abc.com and mailhost.abc.com. Domino rejects all other
connection requests. If you specify host name entries, each time a host
connects, Domino checks DNS for a PTR record for the connecting host. If
Domino cannot resolve the IP address to a host name because DNS is
unavailable or no PTR record exists, no mail is accepted from the
connection.
Field: Deny connections from the following SMTP Internet host names/IP
addresses
Enter: The host names and/or IP addresses that are not allowed to connect
to the SMTP service on this server. If you enter host names and/or IP
addresses in this field, all servers except those matching entries in
this field can connect to the SMTP listener; connection requests are
denied only for servers matching the entries in this field.
Enter IP addresses in brackets — for example, [192.168.10.17].
Host name entries may be complete, as in the fully qualified host name of
a particular server, or partial and use an implied wildcard. That is, if
you enter:
abc.com
Domino implicitly extends the restriction to all mail hosts within the
denied domain, denying connections from *abc.com, that is, all hosts in
the abc.com domain, including smtp.abc.com and mailhost.abc.com. The
entry abc.com does not prevent connections from xyzabc.com.
Do not use a leading dot (.) in an entry; for example, .abc.com. Because
Domino does not match the leading dot, the entry .abc.com does not
prevent connections originating from the domain abc.com.
7. Reload the SMTP task, or update the SMTP configuration to put the
changes into effect.
You can use an asterisk (*) to indicate “all domains.” For example,
putting * in an Allow field allows all hosts in all domains to perform
that operation.
Wildcards may be used in place of an entire subnet address; for example,
[127.*.0.1]. Wildcards are not valid for representing values in a range —
for example, the entry [123.234.45-*.0-255] is not valid because the
asterisk is used to represent the high-end value of the range that begins
with 45.
When entering multiple addresses, separate them with carriage returns;
after the document is saved, Domino automatically reformats the list,
inserting semicolons between the entries.
When entering an IP address, enclose it within square brackets; for
example, [127.0.0.1].
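The matching rules above (bracketed IP entries with whole-octet wildcards, host-name entries with the implied domain wildcard, the unmatched leading dot, and the PTR requirement when host names appear in the Allow field), modelled as an added Python example. This is not Domino code, the function names are hypothetical, and it assumes that a host listed in both the Allow and Deny connection fields is denied, which this page states for the relay destination and outbound recipient lists rather than for these two fields.

```python
"""Model of the inbound connection-control lists described above.
Added example, not Domino code; function names are hypothetical."""
import re
from typing import List, Optional, Tuple


def parse_entries(field_value: str) -> List[str]:
    """Split a field value into entries. Domino reformats the saved list with
    semicolons; carriage returns typed before saving are accepted here too."""
    return [e.strip() for e in re.split(r"[;\r\n]+", field_value) if e.strip()]


def ip_entry_matches(entry: str, ip: str) -> bool:
    """Match a bracketed IP entry such as [192.168.10.17] or [127.*.0.1].
    An asterisk stands for a whole octet; range syntax such as 45-* is not
    valid and is reported as a configuration error."""
    pattern = entry[1:-1].split(".")
    octets = ip.split(".")
    if len(pattern) != 4 or len(octets) != 4:
        return False
    for p, o in zip(pattern, octets):
        if p == "*":
            continue
        if not p.isdigit():
            raise ValueError(f"invalid IP entry {entry}: wildcards cannot express a range")
        if int(p) != int(o):
            return False
    return True


def host_entry_matches(entry: str, host: str) -> bool:
    """Host-name entry with the implied wildcard: abc.com matches abc.com,
    smtp.abc.com and mailhost.abc.com but not xyzabc.com. Domino does not
    match a leading dot, so an entry such as .abc.com matches nothing."""
    if entry.startswith("."):
        return False
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def list_matches(entries: List[str], ip: str, ptr_host: Optional[str]) -> bool:
    """True if the connecting host matches any entry. Host-name entries can
    only match when the reverse DNS lookup returned a name."""
    for entry in entries:
        if entry == "*":  # an asterisk alone means all domains
            return True
        if entry.startswith("[") and entry.endswith("]"):
            if ip_entry_matches(entry, ip):
                return True
        elif ptr_host is not None and host_entry_matches(entry, ptr_host):
            return True
    return False


def connection_decision(ip: str, ptr_host: Optional[str],
                        allow_field: str, deny_field: str) -> Tuple[bool, str]:
    """Decide whether a connecting host may transfer mail.

    ptr_host is the name from the PTR lookup, or None when DNS was
    unavailable or no PTR record exists. Assumption: the Deny list is
    evaluated after the Allow list, so an entry present in both is denied."""
    allow = parse_entries(allow_field)
    deny = parse_entries(deny_field)
    if allow:
        # Host-name entries in the Allow field require a PTR record; without
        # one no mail is accepted from the connection.
        host_entries = [e for e in allow if e != "*" and not e.startswith("[")]
        if host_entries and ptr_host is None:
            return False, "no PTR record for connecting host"
        if not list_matches(allow, ip, ptr_host):
            return False, "host does not match the Allow list"
    if deny and list_matches(deny, ip, ptr_host):
        return False, "host matches the Deny list"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample connections: (client IP, result of the PTR lookup)
    samples = [("192.168.10.17", "smtp.abc.com"),
               ("192.168.10.18", None),
               ("10.1.2.3", "mx.xyzabc.com")]
    for ip, ptr in samples:
        print(ip, ptr, connection_decision(ip, ptr, "abc.com;[127.*.0.1]", "xyzabc.com"))
```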
How Domino resolves conflicts between settings in the inbound
relay controls
When there is a conflict between the allowed and denied relay
destinations, and the allowed/denied relay sources, the entry in the
“Allow” field takes precedence. Thus, a host that you explicitly allow to
relay can always relay to any destination, including denied destinations.
Similarly, if you allow relays to a given domain, all hosts can relay to that
destination, including hosts to which you have explicitly denied relaying.
Denied hosts cannot relay to domains other than those that you
specifically list in the Allow field. The following table provides several
examples of how Domino resolves conflicts between entries in the Allow
and Deny fields of the Inbound relay controls.
Example of conflict between an allowed relay destination and denied
relay source
Note This differs from the behavior of Domino Release 5, where if you
denied relays to a destination domain, an allowed source host could not
relay to the denied domain, and a denied source could not relay to any
destination. You can revert to the Release 5 behavior by setting the
variable in the NOTES.INI file.
For information on the NOTES.INI setting
SMTPRelayAllowHostsandDomains, which is required to make the
inbound relay controls behave as they did in Domino Release 5, see the
appendix “NOTES.INI File.”
Example of conflict between allowed and denied relay destinations
If the same entry is placed in the list of allowed and denied destinations,
or the list of allowed and denied sources, Domino honors the entry in the
Deny list. For example, Domino rejects relays to xyz.com if you configure
the relay controls as follows:
Field: Allow messages to be sent only to the following external internet
domains
Entry: xyz.com, abc.com, qrs.com
Field: DNS Blacklist filters
Enter: Choose one:
• Enabled — When Domino receives an SMTP connection request, it checks
whether the connecting host is listed in the blacklist at the specified
sites.
• Disabled — Domino does not check whether a connecting host is on the
blacklist.
Field: Custom SMTP error response for rejected messages
Enter: Enter the text of the error message Domino returns when denying a
connection because it found the host in the DNS blacklist. The default
error message indicates that the connection was denied for policy
reasons.
You can use the format specifier “%s” to specify the IP address of the
denied host and the DNS blacklist site where Domino found the host
listed. For example, if you enter the following:
Your host %s was found in the DNS Blacklist at %s
whenever Domino denies a connection, it returns an error to the host, in
which it replaces the first instance of “%s” with the IP address of the
host, and the second instance with the DNS blacklist site name. Thus, if
you entered the text in the preceding example, a denied host receives an
error such as:
Your host 127.0.0.2 was found in the DNS Blacklist at
blackholes.mail-abuse.org
Field: Verify that local domain recipients exist in the Domino Directory
Description: Specifies whether the SMTP listener checks recipient names
specified in RCPT TO commands against entries in the Domino Directory.
Choose one:
Field: Allow messages intended only for the following Internet addresses
Description: Internet addresses that are within the local Internet domain
and that are allowed to receive mail from the Internet. If you enter
addresses in this field, only those recipients can receive Internet mail.
Domino denies mail for all other recipients.
You can create a Notes group containing a list of addresses allowed to
receive mail from the Internet and enter the group name in this field. A
group entry is valid only if it does not contain a domain part or dot
(“.”). For example, the group with the name group1 is valid, but the
groups named yourdomain.com or group2@yourdomain are not.
Field: SIZE extension
Enter: Choose one:
• Enabled — (default) Domino declares its maximum message size to
connecting hosts and checks the sending host’s estimates of message size
before accepting transfer. If the sender indicates that a message to be
transferred is larger than the maximum size, Domino returns an error
indicating that it will not accept the message.
• Disabled — Domino does not advertise its maximum message size or check
inbound message size before transfer.
For information about setting the maximum message size, see the topic
“Restricting mail routing based on message size” earlier in this
chapter.

Field: Pipelining extension
Enter: Choose one:
• Enabled (default) — Improves performance by allowing Domino to accept
multiple SMTP commands in the same network packet.
• Disabled — Domino does not accept multiple SMTP commands in a single
packet.
Field: DSN extension
Enter: Choose one:
• Enabled — Domino supports incoming requests to return delivery status
notifications to the sender for failed, delayed, delivered, and relayed
messages. Domino sends delay reports for low-priority messages held until
the low-priority routing time to the sender of an SMTP message upon
request.
• Disabled — (default) Domino does not return delivery status
notifications for SMTP messages.

Field: 8-bit MIME extension
Enter: Choose one:
• Enabled — Domino accepts 8-bit messages as is, allowing reception of
unencoded multinational characters.

Field: EXPN command
Enter: Choose one:
• Enabled — Domino expands mailing lists or groups to show individual
recipient names.
• Disabled — (default) Domino does not expand lists and groups.

Field: ETRN command
Enter: Choose one:
• Enabled — Domino accepts inbound “pull” requests from other SMTP hosts
to transfer messages destined for the calling server. Enabling ETRN
support allows for more efficient use of bandwidth resources by allowing
a remote SMTP host to request pending messages at the same time it
transfers messages to the Domino server.
• Disabled — (default) Domino does not accept inbound “pull” requests
from other SMTP hosts.

Field: SSL negotiated over TCP/IP port
Enter: Choose one:
• Enabled — Domino supports the STARTTLS command, allowing it to create
an encrypted SSL channel over the SMTP TCP/IP port.
• Required — Domino accepts inbound SMTP connections over the TCP/IP port
only from hosts that issue the STARTTLS command.
• Disabled (default) — Domino does not allow secure SSL connections over
the SMTP TCP/IP port.
After accepting the STARTTLS command from a remote server, Domino uses
settings for the server’s SSL port to govern authentication for the
sessions. For Domino to authenticate remote hosts that use the SMTP AUTH
command, Name & Password authentication must be enabled for the Domino
SSL port.
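An added Python example, not Domino code, that compares what a server actually advertises in its EHLO reply with the inbound extension and command settings in the table above, so an administrator can confirm that a setting such as a disabled EXPN or DSN really is off on the wire. The EHLO reply and the intended settings are constructed for the demo, and the field-to-keyword mapping is an assumption about the standard ESMTP keyword each setting corresponds to.

```python
"""Check what an SMTP server advertises in its EHLO reply against the
intended inbound extension and command settings. Added example, not Domino
code; the reply text and the settings below are constructed."""
import smtplib
from typing import Dict, List, Optional

# How each Configuration Settings field is expected to surface in the EHLO
# reply (assumption: these are the standard ESMTP keywords for each feature).
FIELD_TO_KEYWORD = {
    "SIZE extension": "SIZE",
    "Pipelining extension": "PIPELINING",
    "DSN extension": "DSN",
    "8-bit MIME extension": "8BITMIME",
    "EXPN command": "EXPN",
    "ETRN command": "ETRN",
    "SSL negotiated over TCP/IP port": "STARTTLS",
}

# Constructed EHLO reply for the demo; not captured from a real server.
SAMPLE_EHLO = """\
250-mail.example.com Hello client.example.net
250-SIZE 10485760
250-PIPELINING
250-DSN
250-8BITMIME
250-EXPN
250 STARTTLS
"""

# Constructed intended settings, as they would be read from the table above.
INTENDED_SETTINGS = {
    "SIZE extension": "Enabled",
    "Pipelining extension": "Enabled",
    "DSN extension": "Disabled",
    "8-bit MIME extension": "Enabled",
    "EXPN command": "Disabled",
    "ETRN command": "Disabled",
    "SSL negotiated over TCP/IP port": "Enabled",
}


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Parse a multi-line 250 reply into {KEYWORD: parameters}.
    The first line carries the server greeting and is skipped."""
    features: Dict[str, str] = {}
    for line in reply.strip().splitlines()[1:]:
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        keyword, _, params = rest.strip().partition(" ")
        features[keyword.upper()] = params.strip()
    return features


def audit(features: Dict[str, str], intended: Dict[str, str],
          max_size_bytes: Optional[int] = None) -> List[str]:
    """Return one finding per mismatch between advertised and intended
    settings. 'Required' (STARTTLS) still advertises the keyword, so it is
    treated like 'Enabled' here."""
    findings: List[str] = []
    for field, setting in intended.items():
        keyword = FIELD_TO_KEYWORD[field]
        advertised = keyword in features
        if setting == "Disabled" and advertised:
            findings.append(f"{field} is Disabled but {keyword} is advertised")
        elif setting in ("Enabled", "Required") and not advertised:
            findings.append(f"{field} is {setting} but {keyword} is not advertised")
    if max_size_bytes is not None and "SIZE" in features:
        declared = features["SIZE"]
        if not declared.isdigit():
            findings.append("SIZE is advertised without a maximum")
        elif int(declared) != max_size_bytes:
            findings.append(f"SIZE declares {declared} bytes, expected {max_size_bytes}")
    return findings


def fetch_features(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, str]:
    """Live variant for checking your own server: returns the advertised
    features. Not used by the offline demo below."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return {k.upper(): v for k, v in conn.esmtp_features.items()}


if __name__ == "__main__":
    for finding in audit(parse_ehlo(SAMPLE_EHLO), INTENDED_SETTINGS, 10485760):
        print("FINDING:", finding)
```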
Note Group entries cannot contain a domain qualifier (’@’ sign). For
example, an entry for a group with the name DenyMail is valid, but
if you add the domain name to the entry, as in Denymail@acme,
Domino does not expand the entry to determine its members. This
restriction applies to nested groups also. That is, if the group
DenyMail includes Sales@AcmeWest as a member, Domino does not
expand Sales@AcmeWest to determine its members.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
The outbound sender controls are not intended to control relaying. For
information on controlling message relaying, see the topic “Setting
inbound relay controls” earlier in this chapter.
Setting outbound recipient controls
The Outbound recipient controls let you specify the Internet domains
and host names to which users are allowed or denied to send mail.
The controls consist of a pair of lists, one specifying the Internet
domains or host names to which users can send mail and another listing
the domains and host names to which users cannot send mail.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP
Outbound Controls tab.
6. Complete these fields in the Outbound Recipient Controls section,
and then click Save & Close:
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
Note For security reasons, if there is a conflict between the two fields for
a given setting, entries in the Deny field take precedence. For example, if
acme.com appears in both the “Allow messages only to recipients in the
following Internet domains or host names” field and the corresponding
“Deny messages” field, Domino denies messages sent to acme.com. Be
careful not to have the same entry in an Allow field and a Deny field for
the same setting.
Note Domino checks each address to see if it is an Internet address or a
Notes address. The Router then applies the restrictions specified for that
type of address.
Note If you are entering multiple names in a field, consider creating a
group and entering the group name in the field. Domino expands the
group into a list of members. If you update the group list in this
document or edit the group members in the Domino Directory, changes
do not take effect immediately.
Supporting outbound SMTP extensions
Domino supports outbound extended SMTP (ESMTP) features to interact
with other messaging servers. These extensions are controlled in the
Configuration Settings document.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Commands and Extensions
tab.
6. Complete these fields in the Outbound SMTP Commands and
Extensions section, and then click Save & Close:
Field: SIZE extension
Enter: Choose one:
• Enabled — (default) If the destination SMTP host also supports the SIZE
extension, Domino declares the estimated size of messages before
transfer.
• Disabled — Domino does not declare message size before transferring
messages to another SMTP server.

Field: Pipelining extension
Enter: Choose one:
• Enabled — (default) If the remote SMTP host also supports pipelining,
Domino sends multiple SMTP commands in the same network packet to improve
performance.
• Disabled — Domino sends each SMTP command in a separate packet.

Field: DSN extension
Enter: Choose one:
• Enabled — When sending a message to a server that also supports the DSN
extension, Domino appends a NOTIFY parameter to the SMTP RCPT TO command
to request a particular type of delivery status notification for the
message. For messages sent from Notes clients, Domino uses the Delivery
report options specified by the client (Confirm delivery; Trace entire
path; Delivered) to determine the type of DSN requested.
• Disabled — (default) Domino does not send DSN requests.

Field: 8-bit MIME extension
Enter: Choose one:
• Enabled — When sending a message to a remote server that also supports
8-bit MIME, Domino improves performance by sending messages containing
multi-national characters as is, without first encoding them.
• Disabled — (default) Domino encodes messages containing 8-bit
characters as 7-bit ASCII before sending.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
Mail journaling
By default, after the Router processes a message, it does not retain a copy
of the message. That is, after ServerA successfully sends a message to
ServerB, the Router on ServerA deletes the message from its MAIL.BOX
database. Likewise, when ServerB successfully transfers or delivers the
message to the next server on the routing path, the Router on ServerB
removes the message from its MAIL.BOX database.
To comply with laws or regulations that apply to your business, your
organization may be required to save a copy of every message processed
by the local mail system and permanently store or otherwise process the
message copies. For example, government agencies such as the Securities
and Exchange Commission (SEC) require a business to retain all
messages related to the transactions they undertake.
Mail journaling enables administrators to capture a copy of specified
messages that the Router processes. Journaling
can capture all messages handled by the Router or only messages that
meet specific defined criteria. When mail journaling is enabled, Domino
examines messages as they pass through MAIL.BOX and saves copies of
selected messages to a Domino Mail Journaling database
(MAILJRN.NSF) for later retrieval and review. Mail journaling works in
conjunction with mail rules, so that you create a journaling rule to specify
the criteria for which messages to journal. For example, you can journal
messages sent to or from specific people, groups, or domains. Before
depositing messages in the Mail Journaling database, the Router encrypts
them to ensure that only authorized persons can examine them.
Journaling does not disrupt the normal routing of a message. After the
Router copies a message to the Mail Journaling database, it continues to
dispatch the message to its intended recipient.
Domino mail journaling differs from message archiving. Journaling
works dynamically, making a copy of each message as it passes through
MAIL.BOX to its destination and placing the copy in the Mail Journaling
database. A copy of the message is retained, even if the recipient, or an
agent acting on the recipient’s mail file, deletes it immediately upon
delivery. Archiving is used to reduce the size of an active mail file
database by deleting messages from one location and moving them to an
offline database, usually in another location, for long-term storage.
Archiving acts on messages that have already been delivered. Journaling
is performed automatically by the server, while archiving is a manual
operation performed by end users on their own mail files. End users can
search for and retrieve messages from a mail file archive, but only an
authorized administrator can examine a Mail Journaling database.
You can use Domino mail journaling in conjunction with third-party
archiving programs to fulfill long-term storage needs.
To provide access to certain journaling routines, Domino implements
several Extension Manager (EM) hooks. EM hooks enable an executable
program library, such as a dynamic link library or shared object library,
to register a callback routine that will be called before, after, or before
and after Domino performs selected internal operations. Using EM
hooks, developers can customize mail processing. For example, EM
hooks to the Journaling task could be used in conjunction with a
third-party archiving program to route certain messages directly to an
archive center. For more information about Extension Manager, see the
IBM Lotus C API Toolkit for Notes/Domino 6. The toolkit is available at
http://www.lotus.com/capi.
Setting up mail journaling
There are two steps to configure journaling:
• Setting up the Mail Journaling database
• Specifying which messages to journal
Setting up the Mail Journaling database
By default, mail journaling is not enabled. You enable journaling from
the Configuration Settings document. To set up the Mail Journaling
database, you specify where to store journaled messages and then set
options for managing the security and size of the database.
After you enable journaling, Domino automatically creates the Mail
Journaling database in the specified location.
To set up the Mail Journaling database
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers where you want to journal mail, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Journaling tab.
6. Complete the following fields, and then click Save & Close:
Field: Journaling
Description: Specifies whether the server supports mail journaling.
Choose one:
• Enabled — Domino supports mail journaling on the servers governed by
this document. To journal mail, create a server mail rule with the action
“Journal this message.”
• Disabled — (default) Mail journaling is not supported on the servers
governed by this document.

Field: Field encryption exclusion list
Description: Specifies the names of Notes message fields that Domino does
not encrypt when adding messages to the Mail Journaling database.
Encrypted fields cannot be displayed in a view. List any fields you want
to display in a view. By default, the following fields are not encrypted:
Form, From, Principal, and PostedDate. When using a mail-in database for
journaling, Domino does not automatically encrypt messages added to the
database. To encrypt messages in a mail-in database use the Mail-in
database document to specify encryption of incoming messages.

Field: Method
Description: Specifies the location of the Mail Journaling database.
Choose one:
• Copy to local database — (default) The Router copies each journaled
message to a database on the local server. If it does not already exist,
Domino creates a local Mail Journaling database on the server. If the
Configuration Settings document applies to multiple servers, Domino
creates a unique Mail Journaling database on each server.
• Send to mail-in database — The Router copies each journaled message and
sends it to a specified mail-in database. The specified database must
already exist and must have a Mail-in database document in the Domino
Directory. The mail-in database used for journaling may be on any Domino
server, including the local server. Specify the mail file where journaled
messages are to be sent in the Mail Destination field. When using a
mail-in database for journaling, be sure to encrypt messages when adding
them to the database. To encrypt messages sent to a mail-in database,
enable encryption on the Administration tab of the Mail-in database
document.
Field: Database name
Description: If you specified “Copy to local database” as the journaling
method, specify the file name you want Domino to use when it creates the
Mail Journaling database. The default name is MAILJRN.NSF.

Field: Mail destination
Description: If you specified “Send to mail-in database” as the
journaling method, use this field to enter the name of the mail-in
database to which the Router forwards messages to be journaled. Click the
down-arrow to select the name of the mail-in database from the Domino
Directory. You must create the mail-in database beforehand; Domino does
not automatically create mail-in databases for journaling.

Field: Encrypt on behalf of user
Description: If you specified “Copy to local database” as the journaling
method, enter the fully qualified Notes Name of the user whose certified
public key Domino uses to encrypt messages added to the database. To
ensure privacy, consider creating a special user ID for reviewing
journaled messages, and protect the ID with multiple passwords. To
encrypt messages sent to a mail-in database, enable encryption on the
Administration tab of the Mail-in database document.

Field: Database Management - Method
Description: For local Mail Journaling databases, the entry in this field
specifies how Domino controls the size of the Mail Journaling database.
When the database management method in effect calls for Domino to create
a new Mail Journaling database, on the day that it creates the new
database, it does so at approximately 12:00 AM. Choose one of the
following methods:
• Periodic Rollover — (default) When the current Mail journaling database
reaches the age specified in the Periodicity field, Domino renames the
existing Mail Journaling database and creates a new Mail Journaling
database with the original name.
• None — Domino does not automatically control the size of the Mail
Journaling database. If you do not use one of the available methods for
controlling database size automatically, be sure to monitor the database
size and use appropriate tools to archive the journal data.
• Purge/Compact — Domino deletes documents from the database after the
number of days specified in the Data Retention field and then compacts
the database.
• Size Rollover — When the current database reaches the size specified in
the Maximum size field, Domino renames the database and creates a new
Mail Journaling database with the original name.

Field: Periodicity
Description: If you specified Periodic Rollover in the preceding field,
Domino displays this field for specifying the length, in days, of the
rollover interval. The default value is 1 day.

Field: Data Retention
Description: If you specified Purge/Compact in the Database
Management-Method field, Domino displays this field for specifying the
time, in days, that a message remains in the Mail Journaling database
before being deleted.

Field: Maximum size
Description: If you specified Size Rollover in the Database
Management-Method field, Domino displays this field for specifying a size
limit, in megabytes (MB), for the Mail journaling database. After the
database reaches the specified size, Domino renames it and creates a new
one.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
For information on Mail-in database documents, see the chapter “Rolling
Out Databases.”
For more information on the different journaling and database
management methods, and on securing the Mail Journaling database, see
the topic “Managing the Mail Journaling database” later in this chapter.
Managing the Mail Journaling database
When setting up the Mail Journaling database, you must specify:
• The journaling method
• Security settings
• How to manage database size
Specifying the journaling method
There are two methods available for journaling messages, copying
messages to a local database (local journaling) and forwarding messages
to a mail-in database (remote journaling). In local journaling the Router
moves messages from MAIL.BOX to a Mail Journaling database on the
same server. If you enable local journaling on more than one server, each
server maintains its own unique Mail Journaling database. Since local
journaling doesn’t require messages to be transferred between servers to
reach the Mail Journaling database, this is the preferred method for
minimizing network traffic.
Remote journaling lets you journal messages from multiple servers to a
single location, sending them to the mail-in database specified in the
“Mail Destination” field. Domino does not automatically create mail-in
databases for journaling; you must manually create both the destination
database and the necessary Mail-in database document.
Using a mail-in database to journal messages greatly increases mail
traffic, since messages must travel over the network to be deposited in
the Mail Journaling database.
For information about using Mail-in databases, see the chapter “Rolling
Out Databases.”
Managing security of the Mail Journaling database
The Mail Journaling database contains private information about many
people. Domino employs two methods to restrict access to the Mail
Journaling database. First, it conceals the database from users. By default,
Domino makes the Mail Journaling database “invisible” to users; that is,
the database does not appear in the Open database dialog box when a
user opens a new database. To display the database, check “Show in
’Open Database’ dialog” on the Design tab of the Database properties
dialog box.
Second, when local journaling is enabled, Domino encrypts the
information in the Mail Journaling database, using the Certified public
key of a specified Notes user. To specify the ID to use when encrypting
messages, enter a user name in the field “Encrypt on behalf of user.” By
default, Domino exempts certain summary information fields from
encryption so that the information they contain can be used in database
views. You can specify other fields to exempt in the field, “Field
encryption exclusion list.”
Setting up a Mail Journaling user
To maximize security, create and register a special user ID for the Mail
Journaling database and assign multiple passwords to the ID. Distribute
passwords in such a way that no one person knows them all, so that the
consent of multiple parties is required to view the contents of the
database.
For information on assigning multiple passwords to an ID, see the
chapter “Protecting and Managing Notes IDs.”
Providing access to the Mail Journaling database for users who are not
server administrators
Domino encrypts journaled messages with the user ID specified on the
Router/SMTP - Advanced - Journaling tab of the Configuration Settings
document. The ID you specify can be the ID of an existing server
administrator or another user ID. By default the ACL of the Mail
Journaling database includes only users listed in the Administrators field
of the Server document’s Security tab. If the ID for encrypting messages
does not belong to a server administrator, you must add this user to the
database ACL before the user can access the database.
The user’s name is preserved in the ACL during daily rollovers and size
rollovers, but if you remove the Mail Journaling database, the next time
the server starts, it automatically creates a new database using the
original ACL. You must add the ID used for encryption to the database
ACL again.
Enabling encryption for remotely journaled messages
By default, mail-in databases do not encrypt incoming mail. To ensure
privacy when sending journaled messages to a mail-in database, enable
the mail-in database to encrypt incoming mail. When enabling
encryption for a mail-in database, you select a user whose Notes certified
public key Domino uses to encrypt messages stored in the database.
For more information on setting up a mail-in database, see the chapter
“Rolling Out Databases.”
No encryption of previously encrypted messages
A message that Notes has previously encrypted for its recipients is not
re-encrypted with the certified public key of the specified Journal user.
As a result, when depositing encrypted messages in the Mail Journaling
database, Domino preserves the original encryption, so that the message
content cannot be decrypted with the ID of the designated Mail
Journaling user, unless, of course, that user was included in the original
recipient list. A Mail Journaling user who was not on the recipient list
can view header information only.
Managing the size of the Mail Journaling database
Depending on how you set up journaling rules, the size of the Mail
Journaling database may increase rapidly. Domino provides several
methods for automatically controlling the database size:
Size management method: Periodic Rollover (Default)
Description: Domino creates a new Mail Journaling database at a specified
interval in days. The default interval is one day. The new database takes
its name from the name of the current database (for example,
MAILJRN.NSF) and is created at approximately 12:00 AM of the specified
day. Domino renames the current database using the format MJ<date>.NSF,
where <date> is an 8-digit number representing the current date in a
format specified by the operating system’s international date settings.
For example, if the server defines dates in MMDDYYYY format, the current
database is renamed to MJ09032002.NSF.

Size management method: Purge/Compact
Description: Domino deletes documents from the database after a specified
number of days and then compacts the database to eliminate deletion stubs
and white space.

Size management method: Size Rollover
Description: Domino creates a new Mail journaling database when the
current database reaches a specified size, renaming the old database
using the format MJXXXXXX.NSF, where XXXXXX represents a number series
starting at 000001 and increasing by 1 with each successive rollover, for
example, MJ000001.NSF, followed by MJ000002.NSF, and so forth. If a
database with the next name in the sequence already exists on the server,
Domino uses the next number in the sequence. The new Mail journaling
database uses the original database name (for example, MAILJRN.NSF).
Because Domino may be unable to determine the exact size of any message
attachments before adding a message to the Mail journaling database, the
database may exceed the maximum size after the addition of a new message.
If this happens, the next message added to the database triggers creation
of the new database.
These methods for controlling database size are not available
if you use a mail-in database for journaling messages. If you
select this method of journaling, be sure to monitor the
database size and use appropriate tools to archive data to
another location.
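As an added example (not Domino code), the following Python parses the rolled-over journal file names described in the table above so that an archiving job can pick them out of the data directory in order, and computes the name the next size rollover would use. The MMDDYYYY date layout, the "lowest unused number" reading of the sequence rule, and the sample directory listing are assumptions made for the example.

```python
import datetime
import re
from typing import Dict, List, Optional, Set

# Naming patterns from the table: MJ<8-digit date>.NSF for periodic rollovers,
# MJ<6-digit sequence>.NSF for size rollovers. Notes file names are
# case-insensitive on Windows, so names are compared upper-cased.
PERIODIC_RE = re.compile(r"^MJ(\d{8})\.NSF$")
SIZE_RE = re.compile(r"^MJ(\d{6})\.NSF$")

# Constructed data-directory listing (not from the page).
SAMPLE_LISTING = ["MAILJRN.NSF", "names.nsf", "MJ09042002.NSF",
                  "MJ09032002.NSF", "MJ000001.NSF", "MJ000003.NSF"]


def parse_periodic(name: str, date_format: str = "%m%d%Y") -> Optional[datetime.date]:
    """Date of a periodic-rollover journal, or None if the name does not match.
    date_format follows the server OS's international date setting; MMDDYYYY
    (the page's example) is assumed by default."""
    m = PERIODIC_RE.match(name.upper())
    if not m:
        return None
    try:
        return datetime.datetime.strptime(m.group(1), date_format).date()
    except ValueError:  # 8 digits, but not a date in the configured layout
        return None


def parse_size_seq(name: str) -> Optional[int]:
    """Sequence number of a size-rollover journal, or None."""
    m = SIZE_RE.match(name.upper())
    return int(m.group(1)) if m else None


def classify(names: List[str], date_format: str = "%m%d%Y") -> Dict[str, list]:
    """Split a listing into rolled-over journals by rollover type, oldest
    first, plus everything else (the live journal, other databases)."""
    periodic, size, other = [], [], []
    for n in names:
        d = parse_periodic(n, date_format)
        s = parse_size_seq(n)
        if d is not None:
            periodic.append((n, d))
        elif s is not None:
            size.append((n, s))
        else:
            other.append(n)
    periodic.sort(key=lambda t: t[1])
    size.sort(key=lambda t: t[1])
    return {"periodic": periodic, "size": size, "other": other}


def next_size_rollover_name(existing: Set[str]) -> str:
    """Name the retired journal would get on the next size rollover: the
    lowest number in the MJ000001.NSF series not already on the server.
    That 'lowest unused' reading of the page's rule is an assumption."""
    taken = {parse_size_seq(n) for n in existing} - {None}
    seq = 1
    while seq in taken:
        seq += 1
    return f"MJ{seq:06d}.NSF"


if __name__ == "__main__":
    for kind, entries in classify(SAMPLE_LISTING).items():
        print(kind, entries)
    print("next size rollover:", next_size_rollover_name(set(SAMPLE_LISTING)))
```

Run the script against a real data directory by replacing SAMPLE_LISTING with os.listdir() of the Domino data directory; pass the OS date layout as date_format if the server does not use MMDDYYYY.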
View name: Description

By Hierarchy: Displays messages by the Internet domain hierarchy (for
messages received over SMTP) or Notes organizational certifier
hierarchy (for messages received over Notes routing) of the sender. The
Count column displays separate message totals for all messages, for
messages received from each node in the hierarchy, and for messages
received from each sender. Expand entries for each node to view
messages in descending order by date and time (most recent message
first). In addition to the date, individual message entries display the
size in bytes and the message subject, if that field is specified in
the Field Encryption Exclusion list.

By Sender: Displays messages by the name of the sender. Senders may be
listed more than once: by their Internet address for messages received
by the server over SMTP routing and by their Notes address for messages
received over Notes routing. The Count column displays the total number
of messages routed and the number of messages from each sender. Expand
sender entries to view messages in descending order by date and time
(most recent message first). In addition to the date, individual
message entries display the size in bytes and the message subject, if
that field is specified in the Field Encryption Exclusion list.

By Size: Displays messages in descending order by size in bytes. Click
the column head to reverse the order. Individual message entries
display the message date, sender (From), and subject, if that field is
specified in the Field Encryption Exclusion list.

By Date (Default): Displays messages in ascending order by date, with
the most recent date last. The Count column displays the number of
messages routed on each date. Expand date entries to view messages
sorted in descending order by time, with the most recent message listed
first. Individual message entries display the message time, sender
(From), and subject, if that field is specified in the Field Encryption
Exclusion list.

By Form: Displays messages in ascending alphabetical order by the name
of the Notes message form used; for example, Delivery report, Memo,
Reply, Trace Report, and so forth. Uncategorized forms are listed last.
The Count column displays the number of messages routed for each form
type. Expand form entries to view messages sorted in ascending order by
date and time. Individual message entries display the message date,
sender (From), and subject, if that field is specified in the Field
Encryption Exclusion list.

By Attachments: Displays messages in ascending order by attachment size
in bytes. Column totals provide the average size in bytes of journaled
attachments and the total size of all journaled attachments. Individual
message entries display the attachment name, sender (From), date, and
subject, if that field is specified in the Field Encryption Exclusion
list.
Note Domino does not map the Return Receipt request to one of the
MIME headers if the address specified in the
Disposition-Notification-To or Return-Receipt-To header does not
match the sender’s address. Domino sends return receipts only to the
sender.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
Setting the primary and secondary character set groups
In the text parts of a MIME message, character set tags, such as US-ASCII
or EUC-KR (Korean), specify how Domino interprets the text data and
renders it into recognizable characters. The value that represents a
character in one character set can represent a different character in
another character set.
When converting a MIME message into Notes rich-text, Domino uses the
information in the character set tags to determine the appropriate
characters for representing the message text. Similarly, when Domino
converts a Notes rich-text message into MIME, it must determine which
MIME character set tag to apply.
On the MIME - Basics tab of the Configuration Settings document, you
can define a primary character set group and one or more secondary
character set groups. These primary and secondary choices control,
among other things, how Domino detects character sets to correctly
identify ambiguous text data in a message when converting inbound
MIME messages to Notes rich-text and outbound Notes rich-text
message to MIME.
Note If your organization sends and receives messages that use
US-ASCII characters only, there’s no need to change the default settings.
Domino can interpret text represented in 16 different character set
groups (also known as language groups) including the Unicode standard
for encoding character systems (www.unicode.org/ ). A language group
can correspond to a single language (for example, Japanese) or to a
region where multiple languages use more or less the same characters
(for example, Central Europe). A language group can also support
multiple character sets.
For a list of character set groups and the language codes associated with
them, see the topic “Language codes supported in Notes and Domino”
later in this chapter.
28-118 Administering the Domino System, Volume 1
If the MIME messages your organization receives always contained the
correct character set information, there would be no need to change the
default settings. However, some mail systems do not provide character
set information when sending mail. For example, older mail systems may
not support MIME at all, and some Web-based systems enable users to
create messages in a given language but don’t correctly generate MIME
character set information when sending the message. Thus a user
sending mail from a Web-based mail system might be able to compose
and send messages written in Chinese, but in the sent message, the
character set tag US-ASCII is incorrectly applied to the message text. If
your SMTP server is configured to use the default character set group, it
would be unable to correctly convert this message.
In such cases, Domino examines incoming messages to determine the
byte range used and identify unique control codes. It then attempts to
match patterns in the incoming message to a probable character set. This
process is effective in distinguishing among certain character sets only.
For example, it can correctly distinguish messages in the CJKT languages
(Simplified Chinese, Japanese, Korean, and Traditional Chinese) from
each other and from an English message, but it cannot distinguish
between messages in English or any other Western languages, which
tend to use the identical bytes and byte ranges.
To ensure accurate character set detection for the CJKT languages,
configure a priority order among the languages by specifying a primary
and one or more secondary character set groups. For example, if Domino
cannot distinguish whether a MIME message uses EUC-KR (a Korean
character set) or GB2312 (a Simplified Chinese character set), it uses
the priority order assigned to the primary and secondary character set
groups to determine which character set to use in converting the
message to Notes rich-text. Domino chooses the primary character set
group first, then the secondary character set groups (in an undefined
order; the order of multiple secondary choices doesn’t matter), then
the operating system group (for operating systems such as Windows NT
where the locale can be queried).
When converting outbound messages to MIME format, Domino chooses
a MIME character set based on the text of the message. Outbound
messages are examined by the Router and the appropriate character set is
selected for the message. For example, messages in Japanese are
converted using the ISO-2022-JP character set; messages in Simplified
Chinese, using the GB character set; messages in Traditional Chinese,
using the Big5 character set; and messages in French, using the
ISO-8859-1 character set. When Domino cannot automatically detect
which character set to use, as with some European languages, it refers to
the primary, secondary, and operating system groups, in that order, to
determine which character set to use. For example, if all of the characters
in a message could be French or Turkish, Domino uses the information
about the primary and secondary character set groups to determine
which character set to use.
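As an added illustration of the detection and priority logic described above (example code, not Domino's implementation), the following Python treats one MIME text part the way the page describes: it distrusts a US-ASCII tag on data that is not 7-bit clean, recognises ISO-2022-JP by its escape sequences (it is a 7-bit encoding, so the byte range alone would call it ASCII), tries each multibyte character set on the bytes, and breaks ties with the primary, secondary and operating system groups in that order. The group-to-charset mapping and the sample messages are assumptions constructed for the example; Domino's own candidate lists and pattern rules are not published on this page.

```python
from typing import Dict, Optional, Tuple

# Assumed mapping of language groups to the multibyte charset a detector tries.
# ISO-2022-JP is handled separately (escape sequences, 7-bit).
MULTIBYTE_GROUPS = {
    "Japanese": "euc-jp",
    "Korean": "euc-kr",
    "Simplified Chinese": "gb2312",
    "Traditional Chinese": "big5",
}
ISO2022_JP_DESIGNATORS = (b"\x1b$B", b"\x1b$@")  # ESC $ B / ESC $ @ (JIS X 0208)

# Constructed samples (not from the page): text a Web-mail gateway might send
# tagged US-ASCII. The Korean bytes are valid EUC-KR, GB2312 and EUC-JP pairs,
# which is exactly the ambiguity the priority order has to resolve.
SAMPLE_KOREAN = "안녕하세요".encode("euc-kr")
SAMPLE_JAPANESE = "こんにちは".encode("iso-2022-jp")


def decodes_cleanly(data: bytes, charset: str) -> bool:
    """True if every byte sequence is valid in the given charset."""
    try:
        data.decode(charset)
    except UnicodeDecodeError:
        return False
    return True


def candidate_groups(data: bytes) -> Dict[str, str]:
    """Every language group whose multibyte charset accepts all the bytes."""
    return {g: cs for g, cs in MULTIBYTE_GROUPS.items() if decodes_cleanly(data, cs)}


def detect_charset(data: bytes, declared: Optional[str], primary: str,
                   secondaries: Tuple[str, ...] = (),
                   os_group: Optional[str] = None) -> str:
    """Charset to use when converting one MIME text part to Notes rich-text.

    1. A declared charset is trusted, except a US-ASCII tag on data that is
       not 7-bit clean or that carries ISO-2022 escapes (the mislabeled case).
    2. ESC $ B / ESC $ @ identify ISO-2022-JP.
    3. 7-bit data with no escapes is US-ASCII.
    4. Otherwise the primary group wins, then any secondary, then the OS
       group; Western single-byte text falls through to ISO-8859-1.
    """
    seven_bit = all(b < 0x80 for b in data)
    has_jp_escape = any(d in data for d in ISO2022_JP_DESIGNATORS)
    if declared:
        declared = declared.lower()
        if declared != "us-ascii" or (seven_bit and not has_jp_escape):
            return declared
    if has_jp_escape:
        return "iso-2022-jp"
    if seven_bit:
        return "us-ascii"
    found = candidate_groups(data)
    for group in (primary, *secondaries, os_group):
        if group in found:
            return found[group]
    return next(iter(found.values()), "iso-8859-1")


if __name__ == "__main__":
    print("candidates:", candidate_groups(SAMPLE_KOREAN))
    print("primary Korean   ->", detect_charset(SAMPLE_KOREAN, "us-ascii", "Korean", ("Simplified Chinese",)))
    print("primary Chinese  ->", detect_charset(SAMPLE_KOREAN, "us-ascii", "Simplified Chinese", ("Korean",)))
    print("ISO-2022-JP      ->", detect_charset(SAMPLE_JAPANESE, "us-ascii", "Western"))
```

The same Korean bytes come out as EUC-KR or GB2312 depending only on which group is primary, which is why the page tells you to set the priority rather than rely on detection alone; with the default Western primary and no secondaries, the first multibyte set that happens to accept the bytes wins.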
To set the primary and secondary character set groups
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Basics tab, and in the field International MIME Settings for
this document, select Enabled.
6. Click the MIME - Basics tab.
7. Complete the following fields and click Save & Close:
Field: Enter

Primary character set group: The character set group for this domain’s
primary language. English is the default value. Choose the language or
region appropriate for your organization, for example, Simplified
Chinese.

Secondary character set groups: The character set groups for other
languages typically used in this domain. By default, no secondary
character set group is configured. Choose the language or region(s)
appropriate for your organization, for example, Western. You can
specify multiple secondary character set groups.
8. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
Language codes supported in Notes and Domino
The following table lists each character set group supported in Notes and
Domino Release 6 together with the character set language codes and
encoding types for that group. Where multiple language codes or
encoding types may be used for a given character set group, the default
code and encoding for the group are listed first. For each character set
group, the default character set language code and encoding are the
same for message bodies and headers unless otherwise indicated.

Character set group: Character set language code; Header and body encoding

Arabic: Windows-1256, ISO-8859-6; Base64, Quoted Printable, None
Baltic Rim: Windows-1257; Quoted Printable, Base64, None
Central Europe: ISO-8859-2, Windows-1250; Quoted Printable, Base64, None
Cyrillic: KOI8-R, ISO-8859-5, Windows-1251; Base64, Quoted Printable, None
Field: Description

Attachment encoding method: When a Notes client sends a rich-text
message with a file attachment that contains 8-bit data (for example,
program, image, sound, video, and application files), Domino encodes
the attachment data as ASCII text for SMTP transport. Choose the
encoding method best suited to the file types sent and supported by
the majority of likely message recipients. Choose one of the following:
• Base64 (default): This is the preferred method for encoding non-text
data attachments when sending messages to recipients who use
MIME-compliant mail programs. Domino adds a MIME tag to describe what
type of file was sent. Sending files with MIME encoding ensures that
the recipient receives binary (non-text) data intact. Base64 encoding
converts binary data in attachments into a subset of the US-ASCII
character set and is slightly more efficient than UUencode, resulting
in a transmitted file approximately 37% larger than the original.
• Quoted Printable: This method is best suited to sending text-based
files to recipients that use MIME-compliant mail programs.
Quoted-Printable (QP) encoding replaces each special character in the
attachment with an equal sign (=) followed by two hexadecimal digits,
which represent the 8-bit character code. Printable ASCII characters
are left unencoded. QP provides efficient encoding of text-based files,
creating an encoded file that is only a fraction larger than the
original. However, for non-text files, QP encoding can result in
encoded files that are two to three times the size of the original.
• UUencode: Use UNIX-to-UNIX encoding on servers that send message
attachments primarily to recipients who use UNIX or older PC mail
programs. UUencode increases the size of the encoded file by about 42%.
• BinHex: Use primarily when sending binary data to recipients who use
Macintosh mail programs.
This field does not control encoding for messages sent from the
Macintosh version of the Notes client. To configure attachment encoding
for messages sent from Macintosh clients, use the field “Macintosh
attachment conversion” on the MIME - Advanced - Advanced Outbound
Message Options tab.

Message Content: Specifies how Domino structures the MIME content of
messages when converting Notes rich-text messages before sending them
over SMTP. Choose one:
• Convert from Notes to plain text (default): Domino converts the text
in a Notes rich-text document to plain text. If the message contains
file attachments or images, Domino creates a multipart/mixed MIME
message with the images and attachments following the text/plain part.
Use this option in organizations that send most of their outbound SMTP
mail to mail systems that are unable to handle MIME messages
containing multiple text parts (for example, messages with a
multipart/alternative structure that includes text/plain and text/html
parts).
• Convert from Notes to HTML: Domino converts the text in a Notes
rich-text document to HTML. If the message contains file attachments,
Domino creates a multipart/mixed MIME message and includes the
attachment in that part. If the message contains images, Domino
includes the images in the message body by creating a multipart/related
part.
• Convert from Notes to Plain Text and HTML: Select this option on
internal servers for Domino to best preserve rich-text content when
converting messages from Notes format to MIME. Domino converts the text
in a Notes rich-text document to both plain text and HTML by creating a
multipart/alternative body part that contains both the text/plain and
text/html parts. If the message contains file attachments, Domino
creates a multipart/mixed MIME message and includes the attachment in
that part. If the message contains images, Domino creates a
multipart/related part and includes the image in that part along with
the text parts.
• Create multi-part alternative including conversion and encapsulation:
Domino converts Notes rich-text messages and creates an additional file
attachment that contains a Notes database with the original message in
it. This option results in a message nearly twice the size of the
original. Use this option only in organizations that send most of their
outbound SMTP mail to recipients using Notes 4.x clients.

Convert tabs to spaces: Choose one:
• Yes: Enables the Router to change tabs to spaces when converting
outbound messages to MIME format. Use this option only in organizations
that send most of their outbound SMTP mail to recipients using mail
clients that do not recognize tabs.
• No (default): The Router does not change tabs to spaces when
converting outbound messages to MIME format.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
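To see what the Message Content, attachment encoding and tab conversion choices above produce on the wire, here is an added Python example (not from the page and not Domino code) that builds the MIME structure each Message Content option describes with the standard library's email package, and measures how much Base64 and Quoted-Printable grow a binary attachment. The sample text, HTML, addresses and attachment bytes are constructed for the example.

```python
import base64
import quopri
from email.message import EmailMessage
from typing import Dict, List

# Constructed sample content (not from the page).
PLAIN = "Quarterly numbers attached.\tSee tab 2."
HTML = "<p>Quarterly numbers attached.<br>See <b>tab 2</b>.</p>"
ATTACHMENT = bytes(range(256)) * 8          # 2 KiB of arbitrary binary data
ATTACHMENT_NAME = "numbers.bin"


def overhead(data: bytes) -> Dict[str, float]:
    """Encoded size as a ratio of the raw size, for the two MIME encodings
    the table describes (76-column lines, as on the wire)."""
    b64 = base64.encodebytes(data)
    qp = quopri.encodestring(data)
    return {"base64": len(b64) / len(data),
            "quoted-printable": len(qp) / len(data)}


def build_outbound(mode: str, convert_tabs: bool = False) -> EmailMessage:
    """Build the MIME tree for one 'Message Content' option:
    'plain'      -> text/plain
    'html'       -> text/html
    'plain+html' -> multipart/alternative with both
    Any attachment wraps the result in multipart/mixed, text part(s) first,
    exactly as the table says. convert_tabs models 'Convert tabs to spaces'."""
    text = PLAIN.replace("\t", "    ") if convert_tabs else PLAIN
    msg = EmailMessage()
    msg["From"] = "jjones@acme.example"
    msg["To"] = "partner@example.net"
    msg["Subject"] = "Quarterly numbers"
    if mode == "plain":
        msg.set_content(text)
    elif mode == "html":
        msg.set_content(HTML, subtype="html")
    elif mode == "plain+html":
        msg.set_content(text)
        msg.add_alternative(HTML, subtype="html")
    else:
        raise ValueError(f"unknown Message Content option: {mode}")
    # Binary attachment, Base64 by default; this turns the message into
    # multipart/mixed and nests whatever text structure was built above.
    msg.add_attachment(ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename=ATTACHMENT_NAME)
    return msg


def structure(msg: EmailMessage) -> List[str]:
    """Content types of the MIME tree, depth first, for inspection."""
    out = [msg.get_content_type()]
    if msg.is_multipart():
        for part in msg.iter_parts():
            out.extend(structure(part))
    return out


if __name__ == "__main__":
    for mode in ("plain", "html", "plain+html"):
        print(mode, "->", structure(build_outbound(mode)))
    print("encoding overhead on binary data:", overhead(ATTACHMENT))
```

On the 2 KiB binary sample Base64 comes out about 35% larger, in line with the table's figure once line breaks are counted, while Quoted-Printable more than doubles it, which is the "two to three times" warning against using QP for non-text attachments. Print `build_outbound("plain+html").as_string()` to see the nested multipart/alternative inside multipart/mixed that older gateways cannot handle.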
Configuring how Domino converts inbound MIME messages to
Notes rich-text
Inbound conversion options apply to messages received over SMTP in
MIME format, which must be converted to Notes rich-text format.
Conversion to Notes rich-text format is necessary when the storage
preference for the recipient’s mail file is set to Notes rich-text format, or
when the route to the destination mail file includes Domino servers
earlier than Release 5.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the MIME - Conversion Options - Inbound tab.
6. Complete the following fields and then click Save & Close:
Field: Enter

Use character set auto-detection if message has no character set
information: Choose one of the following:
• Yes: Domino examines the text of inbound messages to determine the
character set if it is not specified in the message. Select this
option if your site routinely receives non-MIME messages that are
encoded in character sets other than ASCII. Provides the most accurate
rendering of the original character information, but slows
performance.
• No (default): Character set auto-detection is disabled.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
Setting font and message options for international languages
A single Domino SMTP server can handle inbound and outbound
messages in any language group or character set, including double-byte
character sets. For each character set group, for example, Simplified
Chinese, Domino provides default settings that control how servers
convert messages in that character set group from Notes rich-text format
to MIME and vice-versa. You can change the default settings to
customize conversions for specific languages.
Inbound settings specify font options that control how the text of a MIME
message using a given character set tag displays in Notes. Outbound
settings determine the character set tag and encoding to apply when
converting Notes rich-text messages to MIME.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Basics tab. If it is not already selected, select the field
“International MIME Settings for this document.”
6. Click the MIME - Settings by Character Set Groups tab.
7. Complete the following fields and then click Save & Close:
Field: Enter

For outbound message options below use all possible choices (Advanced
users): When unchecked (default), Domino’s Outbound Message Options
are set to use the standard character set and encoding method for the
language group specified in the field “MIME settings by character set
group.” The options in the Character Set field are limited to the
standard character sets for the language group. Check this box to
enable use of nonstandard character set choices in the header and body
of messages in any language group.

MIME settings by character set group: Click the drop-down list to
choose the language group to configure. You can accept the default
settings or configure specific settings for one or more language
groups. The language group displayed at the time you save and close
the document is not the only one for which Domino saves settings.
After you save the Configuration Settings document, Domino retains the
settings for each language group that you modified.
These fields allow you to override default values for character sets,
fonts, and so on, for individual character set groups.
Note If no Server Configuration document exists, Domino uses the
default typeface and point size settings. The default typeface used
for HTML text is Default Sans Serif, and the point size is determined
by the sender of the message. The default typeface for Plain Text
(US-ASCII) is Default Monospace with point size of 10.
To set character set options for inbound messages
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
4. Click the MIME - Settings by Character Set Groups tab.
5. In the Inbound Message Options - Font Options section, complete the
following fields, and then click Save & Close:
Field: Enter

HTML Proportional: The typeface to be used for proportional type in
inbound SMTP messages. (default = Default Serif)

HTML Monospaced: The typeface to be used for monospaced type in
inbound SMTP messages. (default = Default Monospace)

HTML Size: The point size to use for HTML text in inbound SMTP
messages. (default = 12)

Plain text: The typeface to be used for plain text in inbound SMTP
messages. (default = Default Monospace)

Plain text size: The point size to use for plain text in inbound SMTP
messages. (default = 10)
Note The font list displays every font available to the client system.
However, when converting messages, Domino uses the “Default”
fonts (Default Serif, Default Sans Serif, Default Monospace, and
Default Multilingual) only. If you select a font other than one of the
four “Default” fonts, Domino converts the text in all incoming
messages to Default Monospace.
6. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
To set character set options for outbound messages
You can specify the character set and encoding type for the header and
body text of outbound messages. The settings you select do not affect
attachments. For each language (or region) there is a default character
set. For example, for Western Europe the default character set is
ISO-8859-1, but other Latin character sets can also be used. You can
indicate the specific character set and encoding to be used for outbound
SMTP message headers and body content. In general, use the same
character set for both the headers and the body of outbound messages.
However, because some character set groups, such as Korean, typically
use different character sets for the headers and body, by default, for
these languages, the character set specified for header text differs from
the character set for body text.
For a complete list of character set groups and the default character sets
used in the headers and body of messages in those groups, see the topic
“Language codes supported in Notes and Domino” earlier in this
chapter.
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
4. Click the Basics tab and select “International MIME settings for this
document.”
5. Click the MIME - Settings by Character Set Groups tab.
6. In the Outbound Message Options section, complete the following
fields, and then click Save & Close:
Field: Choose

Header - Character Set: The character set Domino uses to display
message headers. The default entry depends on the character set
language group currently selected in the field “MIME settings by
character set group.” In most cases, the default entry is the best
choice for representing header text for this language group.

Body - Character Set: The character set used to display the message
body. The default entry depends on the character set language group
currently selected in the field “MIME settings by character set
group.” In most cases, the default entry is the best choice for
representing body text for this language group.

Header - Encoding: The encoding method for outbound headers. The
default entry depends on the character set language group currently
selected in the field “MIME settings by character set group.” In most
cases, the default entry is the best choice for encoding header text
for this language group. Choose one:
• Base64 • Quoted Printable • None

Body - Encoding: The encoding method for outbound body text. The
default entry depends on the character set language group currently
selected in the field “MIME settings by character set group.” In most
cases, the default entry is the best choice for encoding body text for
this language group. Choose one:
• Base64 • Quoted Printable • None
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter, “Setting Up Mail Routing.”
Setting advanced inbound MIME options
Set advanced inbound MIME options to control how servers process
certain address headers and how servers decipher messages using
undefined or incorrectly defined character sets.
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
4. Click the MIME - Advanced - Advanced Inbound Message Options tab.
5. Complete the following fields, and then click Save & Close:
Field: Description

Resent headers take precedence over original headers: Specifies
whether Domino uses resent- headers on inbound messages. When
forwarding a message, some mail programs add header lines that
describe the forwarding sender. These headers begin with the resent-
prefix, such as “Resent-From:”. The received message contains both the
resent- headers and headers describing the original sender, for
example:
From: original-sender
Resent-From: forwarding-sender
When generating a reply to a forwarded message, some older mail
programs address the reply to the address specified in the Resent-From
header. However, most modern mail programs consider resent- headers to
be for informational purposes only and do not normally use them to
generate replies. Instead, when forwarding a message, a MIME-compliant
mail program creates a new message and encapsulates the original
message within this message as a MIME body part of content type
message.
Choose one:
• Enabled: When receiving a forwarded message over SMTP, Domino places
the value of the Resent-From header in the From header. Select this
option only if a large number of users in your organization find that
when replying to Internet messages that use resent-

Remove group names from headers: Specifies whether Domino preserves
the names of Internet distribution lists in the message headers of
inbound messages. RFC 822 specifies use of a group construct to allow
Internet address headers to include distribution lists. Groups are
designated using either of the following formats:
Groupname:;
groupname: person1@domain.com, person2@domain.com, person3@domain.com;
This option does not control the use of Notes/Domino group names in
recipient lists. Choose one:
• Yes: Domino strips RFC 822 group names from address headers on
incoming SMTP messages.
• No (default): Domino preserves RFC 822 group names in the address
headers of incoming SMTP messages.

If each recipient’s address does not appear in any address header,
then add their address to the BCC list: Choose one:
• Yes: Enables Domino to resolve differences between addresses in the
SMTP RCPT TO commands and the RFC 822 message header. If an address is
referenced in the SMTP RCPT TO command but not in the message header,
Domino creates a new copy of the message and places the address in the
BCC: field of the new message.
• No (default): Domino ignores differences between the recipients
listed in the RCPT TO command and the message header.
6. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
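The three inbound options above, as an added Python example that is not Domino code: it parses a constructed forwarded message with the standard library's email package and applies each option, so you can see what "Resent headers take precedence", "Remove group names from headers" and the RCPT TO / header reconciliation actually change. The addresses, headers and SMTP envelope are made up, and the case-insensitive address comparison is an assumption; the page does not state how Domino matches envelope recipients against header addresses.

```python
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from typing import Dict, List

# Constructed inbound message (not from the page): a forwarded note whose To:
# header uses an RFC 822 group, plus an SMTP envelope naming one recipient
# (dave) that the headers do not, as a Bcc delivery would.
RAW_MESSAGE = """\
From: original-sender@example.org
Resent-From: forwarding-sender@example.net
To: sales: alice@acme.example, bob@acme.example;
Cc: carol@acme.example
Subject: Forwarded quote
Content-Type: text/plain; charset=us-ascii

See attached.
"""
ENVELOPE_RCPT_TO = ["alice@acme.example", "Bob@acme.example",
                    "carol@acme.example", "dave@acme.example"]


def header_recipients(msg: EmailMessage) -> set:
    """addr-specs named in To/Cc/Bcc, with RFC 822 group members flattened.
    Lower-casing the whole address is an assumption (local parts are
    case-sensitive by the RFC, but most sites treat them otherwise)."""
    found = set()
    for name in ("To", "Cc", "Bcc"):
        for header in msg.get_all(name, []):
            found.update(a.addr_spec.lower() for a in header.addresses)
    return found


def process_inbound(raw: str, rcpt_to: List[str], *, resent_precedence=False,
                    remove_group_names=False, add_missing_to_bcc=False) -> Dict[str, object]:
    """Apply the advanced inbound options to one message and its envelope."""
    msg = message_from_string(raw, policy=default)

    # "Resent headers take precedence over original headers" = Enabled:
    # the forwarding sender replaces the original sender in From.
    if resent_precedence and msg["Resent-From"] is not None:
        msg.replace_header("From", str(msg["Resent-From"]))

    # "Remove group names from headers" = Yes: keep the members, drop the
    # group name. An empty group such as "undisclosed-recipients:;" has no
    # members, so its header disappears.
    if remove_group_names:
        for name in ("To", "Cc"):
            members = [a for h in msg.get_all(name, []) for a in h.addresses]
            if msg[name] is not None:
                del msg[name]
                if members:
                    msg[name] = members

    # "If each recipient's address does not appear in any address header,
    # then add their address to the BCC list" = Yes: envelope recipients
    # missing from To/Cc/Bcc go into a Bcc header.
    bcc_added: List[str] = []
    if add_missing_to_bcc:
        seen = header_recipients(msg)
        bcc_added = [r for r in rcpt_to if r.lower() not in seen]
        if bcc_added:
            msg["Bcc"] = ", ".join(bcc_added)

    return {"message": msg, "from": str(msg["From"]),
            "to": str(msg["To"]), "bcc_added": bcc_added}


if __name__ == "__main__":
    result = process_inbound(RAW_MESSAGE, ENVELOPE_RCPT_TO, resent_precedence=True,
                             remove_group_names=True, add_missing_to_bcc=True)
    print(result["message"].as_string())
```

With all three options off, the message is left as received: From stays the original sender, the To header keeps the "sales:" group, and dave is delivered without appearing in any header. Whether a site wants the Bcc option on is a policy question: it makes hidden envelope recipients visible to every reader of the journaled or archived copy.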
Setting advanced outbound MIME options
Outbound MIME settings apply to messages sent over SMTP to another
host. They do not apply to messages delivered to local mail files on the
server or messages transferred over Notes routing.
Use the advanced outbound MIME options to specify how servers
determine the following message items:
• Encoding for attachments sent from Macintosh clients
• Use of phrases specifying the sender’s user name in the sender’s
Reply address
• Sending of Notes mail items that do not have standard MIME
equivalents
• Removal of Notes fields from message headers
• Character set to use when converting multilingual messages
• Character set alias to use in place of one that is typically
mislabeled in outgoing messages
To set advanced outbound MIME options
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
4. Click the MIME - Advanced - Advanced Outbound Message Options
tab.
5. Complete the following fields, and then click Save & Close:
Macintosh attachment conversion: The format for Macintosh attachments. Choose one:
• AppleDouble [base64 only] — (default) Provides standard MIME encoding for sending Macintosh files to recipients using newer Macintosh and PC mail programs. AppleDouble splits the data fork and the resource fork of the file and encodes the resulting data in Base 64 for transport. PC clients receiving the attachment discard the resource fork and use the data fork only. The AppleDouble header is effectively the resource fork and includes the original Mac file name of the file. If the AppleDouble data part has a recognizable MIME type, Domino uses it to label the MIME part of the converted message; for example, the data part of a Microsoft Word attachment is described as application/msword. If the MIME type cannot be determined, Domino labels the MIME part as application/octet-stream.
• BinHex4.0 — Sends Macintosh attachments with the MIME type application/mac-binhex40. Use this method for sending Macintosh files to other Macintosh users who do not use MIME-compliant mail programs. Because few Windows mail programs can decode BinHex, this method should not be used when sending files to recipients who use Windows.

RFC822 phrase handling: Specifies how the server handles phrases in an address header. Choose one:
• Do not add phrase (default) — Outbound mail displays the sending user’s RFC 821 address. The Router permits user-defined phrases in recipient addresses.
• Use DN as phrase (Use domain name for the phrase) — The Router constructs an RFC 822-style address using a phrase part derived from the person’s hierarchical, distinguished name; for example, “John Jones/Sales/ACME” <JJones@acme.com>. The Router permits user-defined phrases in recipient addresses.
• Use alt. name if available — otherwise DN (Use the alternative name or domain name) — If an Alternate name is specified in the user’s Person document, constructs an RFC 822-style address using it as the phrase part; otherwise uses the hierarchical, distinguished name; for example, “John Jones/Sales/ACME” <JJones@acme.com>. The Router permits user-defined phrases in recipient addresses.
• Remove phrase — Only RFC 821-style addresses allowed. The Router strips user-defined phrases in recipient addresses.
• Use CN as phrase — Constructs an RFC 822-style address using a phrase part derived from the person’s common name; for example, “John Jones” <JJones@acme.com>. The Router permits user-defined phrases in recipient addresses.

Internet mail server sends Notes private items in messages: Notes private items are header items present in a Notes rich-text message that do not map to any of the standard header fields for SMTP messages, as defined in RFC 2822. When adding private items to the headers of an SMTP message, Domino adds the prefix “x-notes-item” to the field name to indicate that it is a nonstandard field. Choose one:
• Enabled — When converting Notes rich-text messages for SMTP transport or download by a POP3 or IMAP client, Domino converts all Notes private items in the message to custom “x-notes-item” headers. The resulting “x-notes-item” is a structured header with parameters that reflect the attributes of the original Notes item, for example, data type, value, summary flags, item name, and so on. Because Notes private items are not generally used in Internet mail, do not select this option unless you have a specific reason for sending private items. Items specified in the field “Notes items to be removed from headers” are excluded from the headers of the converted message.
• Disabled — (default) When converting Notes rich-text messages for SMTP transport, Domino removes nonstandard Notes header items.

Always send the following Notes items in headers: List the Notes header items to always include as RFC 2822 headers in outbound SMTP messages, mapping each specified Notes item to a valid nonstandard RFC 2822 header item. For example, the Notes item header-1 would be mapped to the RFC 2822 header x-header-1. The header body is the first 255 bytes of the item value, converted to text if necessary. Domino sends the items specified in this field even if sending of Notes private items is disabled. Use this field to send specific items only, while preventing export of all unspecified Notes private items. If an item listed in this field is also listed in the field “Notes items to be removed from headers,” the item is not included.

Notes items to be removed from headers: List the Notes header items to exclude from x-headers in outbound SMTP messages.

When converting a multilingual message: Specifies the character set Domino uses when converting a Notes rich-text message to MIME with text content that cannot be represented by a single character set group — for example, a message in which part of the content is in French (Western character set group) and part in Arabic. Choose one:
• Send it in Unicode [UTF8] — (default) Domino converts all the text to an 8-bit encoding of the Unicode character set. To read the resulting message, recipients’ mail programs must support Unicode.
• Send it in most representable character set — Domino selects the character set that best matches the majority of characters in the message. If the message is sent as plain text, any character that cannot be represented by the selected character set is replaced by a fallback character — typically a question mark. If the message is sent as HTML, a Unicode-enabled mail program is required to decode the message because such a mail program can replace unrepresentable characters with their Unicode numeric values.

Character set name aliases: Specifies the name of a nonstandard character set alias to be used when converting Notes rich-text messages for outbound SMTP transfer. For example, you can send messages sent in ISO-8859-1 with the tag “My-Character-Set.” It is not recommended that you provide aliases here because outbound messages will be understood only by similarly configured mail clients.
Note These settings apply to messages sent outbound over SMTP to
another host, or exported to the IMAP or POP3 service. They are not
applied to messages delivered locally or messages transferred over Notes
routing.
6. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
For more information about using the RFC 822 address format, see the
topic “Configuring outbound Internet mail to use RFC 822 address
format (phrase parts)” later in this chapter.
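Two of the conversion decisions in the table above, the export of Notes private items as x-headers and the choice of character set for a multilingual message, are easier to reason about when the precedence rules are written out. The following is an added example in Python, not Domino's own code: the item names and values, the candidate character sets and the sample text are constructed, and the parameter layout of the structured x-notes-item header is an assumption (the table says it carries the item's name, data type and value, but gives no syntax). The rules it applies are the table's: the "removed" list wins, "always send" items go out even when private-item export is disabled, header bodies are cut at 255 bytes, and the most representable character set is the one that can encode the most characters, with "?" as the plain-text fallback and numeric character references in HTML.

```python
"""Outbound MIME conversion decisions, modelled in Python (added example)."""
from typing import Dict, List, Tuple

# Constructed Notes items with no standard RFC 2822 equivalent.
SAMPLE_PRIVATE_ITEMS: Dict[str, str] = {
    "header-1": "ticket 4711",
    "Categories": "Finance",
    "$Revisions": "2003-01-07",
    "LongNote": "A" * 300,          # exceeds the 255-byte header body limit
}
HEADER_BODY_LIMIT = 255


def _truncate(value: str) -> str:
    """First 255 bytes of the item value, kept on a UTF-8 character boundary."""
    return value.encode("utf-8")[:HEADER_BODY_LIMIT].decode("utf-8", "ignore")


def export_notes_items(items: Dict[str, str], send_private_items: bool,
                       always_send: List[str], remove: List[str]) -> List[Tuple[str, str]]:
    """Return the (header-name, header-body) pairs added to the SMTP message."""
    always = {n.lower() for n in always_send}
    removed = {n.lower() for n in remove}
    out: List[Tuple[str, str]] = []
    for name, value in items.items():
        key = name.lower()
        if key in removed:
            continue                                   # exclusion list wins
        if key in always:
            out.append((f"x-{key}", _truncate(value)))  # header-1 -> x-header-1
        elif send_private_items:
            # Assumed rendering of the structured x-notes-item header.
            out.append(("x-notes-item",
                        f'{_truncate(value)}; name="{name}"; type=text'))
    return out


# Constructed candidate character sets and a French/Arabic sample message.
CANDIDATE_CHARSETS = ["iso-8859-1", "iso-8859-6", "koi8-r"]
SAMPLE_MULTILINGUAL = "Bonjour, ça va ? Voilà le résumé, déjà en arabe : عربي"


def _encodable(ch: str, charset: str) -> bool:
    try:
        ch.encode(charset)
        return True
    except UnicodeEncodeError:
        return False


def most_representable(text: str, candidates=CANDIDATE_CHARSETS):
    """'Send it in most representable character set': pick the candidate that
    can encode the most characters. Returns (charset, plain-text bytes with
    '?' fallbacks, HTML bytes with numeric character references, number of
    characters the plain-text form lost)."""
    best = max(candidates, key=lambda cs: sum(_encodable(ch, cs) for ch in text))
    lost = sum(not _encodable(ch, best) for ch in text)
    plain = text.encode(best, "replace")            # unrepresentable -> "?"
    html = text.encode(best, "xmlcharrefreplace")   # e.g. &#1593; for Arabic Ain
    return best, plain, html, lost


def unicode_utf8(text: str) -> bytes:
    """'Send it in Unicode [UTF8]' (default): nothing is lost."""
    return text.encode("utf-8")
```

With the sample data, leaving private-item export disabled but listing header-1 under "always send" yields a single x-header-1 header; enabling export turns the remaining items into x-notes-item headers, and LongNote is cut to 255 bytes either way. For the sample text, iso-8859-1 is chosen and the four Arabic letters become question marks in plain text but survive as character references in HTML.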
Examples: How Domino handles Macintosh attachments in inbound messages
For inbound messages, Domino supports AppleSingle, AppleDouble,
and BinHex attachment encoding. Macintosh attachments of any
encoding are stored as normal Notes Macintosh attachments; if the data
fork would be meaningful to a PC user, then a Notes user at a PC
workstation can launch the attachment normally.
In the following examples, unless noted otherwise, it is assumed that the
application required to open the attachment is properly installed on the
user’s computer. Also, it is assumed that both sender and recipient are
using MIME-compliant mail programs.
A Macintosh Netscape user sends a JPEGview file containing a JPEG
image (with no resource fork, which would be the normal case) to
two Notes recipients: one uses a Macintosh, and one uses a PC.
Both users receive the attachment intact. If the Macintosh user has
JPEGview, the attachment displays with the JPEGview file icon and
can be launched from within Notes. If the Macintosh user does not
have JPEGview, the attachment displays with a generic file icon and
cannot be launched from within Notes. For the PC user it also has a
generic icon; it can be launched from within Notes only if its name
ends in JPG and the user has an application association set up for the
JPG extension. In all cases, the image can be viewed from within
Notes by using the “Attachment - View” function.
A Macintosh Claris Emailer user sends a Lotus 1-2-3 spreadsheet to
two Notes recipients: one uses a Macintosh, and one uses a PC.
Both recipients receive an intact Lotus 1-2-3 spreadsheet attachment.
The Macintosh recipient can launch it from within Notes or can
detach it and double-click to launch — regardless of the name given
to the attachment.
The PC user can launch it from within Notes or detach it and
double-click to launch, only if the file name ends in WK1, WK3, 123,
or some other extension associated with the Lotus 1-2-3 application.
(This is a Windows restriction, not a Notes restriction.)
A Lotus Notes user sends a Lotus 1-2-3 spreadsheet from a PC to a
Macintosh recipient using Claris Emailer.
The PC user must save the spreadsheet as a 1-2-3 R1 spreadsheet
because it is the most recent version of 1-2-3 available on the
Macintosh. The spreadsheet is encoded with the MIME type
“X-Lotus-123R1,” a private MIME type defined by Lotus. Since this is
a private MIME type, by default, it cannot be launched directly from
Claris Emailer. To view the file, the recipient can detach it, launch
Lotus 1-2-3, and then open it using the File - Open command.
As an alternative, Macintosh users can install Internet Config (a
widely used free software utility) and configure a mapping for the
“X-Lotus-123R1” MIME type. Claris Emailer can then use the file
mapping table in Internet Config to determine the application to use
to launch the attachment directly from the message.
Configuring outbound Internet mail to use RFC 822 address format (phrase parts)
RFC 821 defines the standard convention for naming mailbox addresses
as “user@domain” or more broadly, “Localpart@Domainpart.” This
format has come to be known as RFC 821-style addressing. Subsequently,
RFC 822 specified a format for a more human-readable Internet address,
which adds a phrase part, also known as a friendly name or display
name, before the actual address. Phrase-style addresses use the form
“Phrase” <localpart@domainpart>; an optional display name indicates
the name of the recipient for display to the user of a mail application, for
example, “John Jones” <JJones@acme.com>.
28-138 Administering the Domino System, Volume 1
You can have Domino add a phrase to the sender’s address on outbound
SMTP mail and specify the name component to use as the address
phrase. By default, addresses do not include phrases. If you choose not to
support phrase-style addresses, you can specify that Domino remove any
user-added phrases in the recipient fields of outbound messages.
You configure this address format using the “RFC822 phrase handling”
field in the Configuration Settings document, under the MIME -
Advanced - Advanced Outbound Message Options tab.
The Router adds phrases to Internet addresses both when taking the
address from a Person document in the Domino Directory and when
constructing the address from rules in the Global domain document.
This setting applies to messages sent over SMTP to another host or
exported to the IMAP or POP3 service. It does not apply to messages
delivered to mail files on the server or messages transferred over Notes
routing.
The options for this field are as follows:
• Do not add phrase — (Default setting) Outbound mail displays the sending user’s RFC 821 address. The Router permits user-defined phrases in recipient addresses.
• Use DN as phrase — Constructs an RFC 822-style address using a phrase part derived from the person’s hierarchical, distinguished name; for example, “John Jones/Sales/ACME” <JJones@acme.com>. The Router permits user-defined phrases in recipient addresses.
• Use alt. name if available - otherwise DN — If an Alternate name is specified in the user’s Person document, constructs an RFC 822-style address using it as the phrase part; otherwise uses the hierarchical, distinguished name; for example, “John Jones/Sales/ACME” <JJones@acme.com>. The Router permits user-defined phrases in recipient addresses.
• Remove Phrase — The Router strips user-defined phrases in recipient addresses. Only RFC 821-style addresses are allowed.
• Use CN as phrase — Constructs an RFC 822-style address using a phrase part derived from the person’s common name; for example, “John Jones” <JJones@acme.com>. The Router permits user-defined phrases in recipient addresses.
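The five "RFC822 phrase handling" choices, listed both here and in the Advanced Outbound Message Options table earlier in this chapter, differ only in which name component becomes the phrase and whether user-defined phrases in recipient addresses survive. The following is an added example in Python, not Domino's own code: SAMPLE_PERSON is a constructed stand-in for a Person document (its keys are assumptions), and the RFC 2047 encoding of a non-ASCII alternate name is an assumption, since the page does not say how Domino encodes one. Whatever the option, the routable address is the part inside the angle brackets; the phrase is display text only, which is why the last function reduces recipients to their RFC 821 form by parsing rather than by string surgery.

```python
"""RFC 822 phrase handling for outbound SMTP mail (added example)."""
from email.header import Header
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed Person document: hierarchical name, common name, optional
# alternate name and the Internet address the Router uses. Keys are assumed.
SAMPLE_PERSON: Dict[str, Optional[str]] = {
    "FullName": "John Jones/Sales/ACME",
    "CN": "John Jones",
    "AltFullName": None,
    "InternetAddress": "JJones@acme.com",
}

OPTIONS = [
    "Do not add phrase",
    "Use DN as phrase",
    "Use alt. name if available - otherwise DN",
    "Remove phrase",
    "Use CN as phrase",
]


def quote_phrase(phrase: str) -> str:
    """Make a phrase usable in an RFC 822 name-addr. ASCII phrases are quoted
    (a DN contains "/", a CN may contain "." or ","), with backslash and
    double quote escaped. A non-ASCII phrase becomes an RFC 2047 encoded-word,
    which must not be quoted (assumed treatment, see lead-in)."""
    if phrase.isascii():
        return '"' + phrase.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return Header(phrase, "utf-8").encode()


def sender_address(person: Dict[str, Optional[str]], option: str) -> str:
    """The From address the Router writes on outbound SMTP mail."""
    addr = person["InternetAddress"]
    if option in ("Do not add phrase", "Remove phrase"):
        return addr                           # RFC 821 style: localpart@domainpart
    if option == "Use DN as phrase":
        phrase = person["FullName"]
    elif option == "Use alt. name if available - otherwise DN":
        phrase = person["AltFullName"] or person["FullName"]
    elif option == "Use CN as phrase":
        phrase = person["CN"]
    else:
        raise ValueError(f"unknown RFC822 phrase handling option: {option}")
    return f"{quote_phrase(phrase)} <{addr}>"


def recipient_addresses(recipients: List[str], option: str) -> List[str]:
    """User-defined phrases in recipient addresses survive under every option
    except "Remove phrase", which reduces each recipient to its RFC 821 form."""
    if option != "Remove phrase":
        return list(recipients)
    return [parseaddr(r)[1] for r in recipients]
```

A quick way to see the effect of each option is to loop over OPTIONS and print sender_address(SAMPLE_PERSON, option) alongside recipient_addresses(["\"Mary Smith\" <msmith@example.com>"], option).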
Mapping MIME types to file extensions
Domino uses File identification documents in the Domino Directory to
associate file types and their file name extensions with MIME types and
subtypes. For example, a File identification document for JPEG files
classifies files with the extension JPG as having the MIME type image
and MIME subtype jpeg. Domino servers and Notes clients use the
information in the File Identification documents to map file types to file
extensions and vice versa on inbound and outbound mail.
This ensures that the contents of attached files are correctly interpreted
by the recipient’s mail client. Upon opening the message in a
MIME-aware mail program, the recipient can open the attached
document from within the message, provided that the mail program
recognizes the MIME type and the associated application is installed on
the recipient’s computer.
You can add, modify, or delete File Identification documents from the
Domino Directory. Add new documents to support additional file types.
When adding a new File Identification document, you must know the
MIME type for the application and the file extension associated with the
application. Modify a File Identification document in the event that a
default mapping is incorrect or later standards dictate a change. You
might also edit a File Identification document to specify which of
multiple MIME types and subtypes Notes and Domino assign to files
with a given file extension when sending outbound mail.
How Domino uses File Identification documents when processing inbound mail
When receiving an inbound MIME message that includes a file
attachment, Domino reads the MIME headers to determine the name and
type of the attached file. If, however, the MIME headers do not specify
the name of the attached file, Domino must assign a name to the file that
is both unique within the document and includes the appropriate file
extension. To determine the file extension to use in creating the file name,
Domino refers to the File Identification documents in the Domino
Directory.
For example, if Domino receives a message that has a MIME header
indicating that it contains a Microsoft Word attachment (MIME
type/subtype of application/ms-word), but neither the content-type
header nor the content-disposition header specifies a file name, the server has
to provide a name for the attachment. To ensure that Domino creates a
name using the correct file extension for a file of this type, the server
checks the Domino Directory for a File Identification document for this
file type and subtype, and then checks the “Extension” field of the
matching document. Because, by default, the only document that
matches files with the MIME type application/ms-word indicates that
the file uses the extension DOC, Domino creates a file name using this
extension.
By default, the File Identifications view of the Domino Directory lists
multiple documents for a given MIME type/subtype alphabetically, by
file extension. For example, by default, Domino includes several File
Identification documents for the MIME type/subtype
application/vnd.lotus-1-2-3, and the default view lists these from top to
bottom, beginning with the document that specifies the extension 123
and proceeding through those that specify the extensions unknown,
WK2, WK3, WK4, and WKS. This list order determines how Domino
names files when receiving a message containing an unnamed file
attachment with one of these MIME types. When creating the file name,
the server uses the information in the first document that appears
alphabetically in the view. Thus, when a server receives an inbound
message that includes an unnamed file attachment with the MIME
type/subtype application/vnd.lotus-1-2-3, Domino names the file using
the extension 123, because the File Identification view lists the document
specifying this extension before the other documents that describe the
same MIME type/subtype.
How Domino uses File Identification documents when processing outbound mail
Domino servers and Notes clients both use File Identification documents
when sending MIME messages that include file attachments. In both
cases, information in the document is used to specify the MIME content
type of the message attachment.
Domino servers use File Identification documents when converting
messages that include file attachments from Notes rich-text format to
MIME format for sending over SMTP. When converting an outbound
message that includes a file attachment, Domino first searches for a File
Identification document that corresponds to the file extension of the
attachment. After locating the correct document, Domino uses the MIME
type and subtype information from the document to construct the MIME
Content-type header for the message part that describes the attachment.
When a Notes client attaches a file to a message it sends in MIME format
(for example, when sending to Internet recipients or to Notes mail
recipients whose mail storage preference is set to MIME), the client first
checks the operating system to determine what file associations are
defined. Clients running on Microsoft Windows check the Windows
registry, while clients running on the Macintosh check Internet Config. If
the client cannot locate MIME type information from these sources, it
then checks the Domino Directory for a File Identification document that
applies to files with the same extension as the attached file. After locating
the correct document, the client places the MIME type and subtype
information from the document in the MIME header describing the
attachment.
In the case of both servers and clients, if more than one File Identification
document applies to a given file extension, the setting in the “Outbound”
field of the documents determines which MIME type and subtype to
assign to file attachments with this extension when sending mail.
To create or modify a File Identification document
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging view.
2. Click File Identifications.
3. To add a new File Identification document, click Add File
Identification.
To edit an existing File Identification document, select it from the
documents listed, and click Edit File Identification.
4. Complete the following fields:
MIME type: General MIME category used to describe files of this content type or media; for example, application, audio, image, or video. When sending attachments in MIME messages, the information in this field is placed in the MIME Content-type header. Each MIME type/subtype combination can be mapped to zero or more file extensions.

MIME subtype: The specific MIME category that uniquely identifies the application that created files of this content type, for example, X-Lotus-NSF. When sending attachments in MIME messages, the information in this field is placed in the MIME Content-type header. Each MIME type/subtype combination can be mapped to zero or more file extensions.

File extension: The Windows or UNIX file name extension associated with files of this type; for example, JPG, BMP, or NSF. The Domino Directory can contain multiple File Identification documents for a given file extension. If the MIME headers of an inbound message do not specify the name of an attached file, Domino creates a file name for the attachment using this extension.

Description: Use this field to specify the type of file or the name of the application used to create and open the file.

Outbound: If the Domino Directory contains multiple File Identification documents for files with this file extension, this setting determines which MIME type and subtype Notes and Domino use to send file attachments with this extension. Notes clients also use settings in the Windows registry or the Macintosh Internet Config object to determine the MIME type and subtype to associate with a given file extension. Choose one:
• Send — When sending outbound messages in MIME format, Domino assigns the MIME type and subtype specified in this document to attachments that have this file extension. If there are multiple File Identification documents for a given file extension, select this option for one document only. If the value in this field is set to Send in multiple File Identification documents for a given file extension, Domino uses the first document listed in the File Identifications view to set the MIME information for attachments with the extension.
• Do not send — When sending outbound messages in MIME format, Domino does not assign the MIME type and subtype specified in this document to attachments that have this file extension. If there are multiple documents for a given file extension, specify this option in the Outbound field in all but one of the documents.
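The inbound and outbound lookups described in this section (first matching document in view order for an unnamed inbound attachment; the document marked Send for an outbound attachment's extension, with the client consulting operating-system associations first) can be modelled directly. The following is an added example in Python, not Domino's own code: SAMPLE_DIRECTORY is a constructed stand-in for the File Identification documents, including a second constructed document for the JPG extension to exercise the Outbound field; the ATTnnnnn base name for unnamed attachments, the fall-back to application/octet-stream when no document matches, and the omission of an extension when no document matches the inbound type are assumptions.

```python
"""File Identification document lookups, modelled in Python (added example)."""
from dataclasses import dataclass
from itertools import count
from pathlib import PurePath
from typing import Dict, List, Optional, Set, Tuple

MimeType = Tuple[str, str]   # (type, subtype)


@dataclass(frozen=True)
class FileIdentification:
    mime_type: str
    mime_subtype: str
    extension: str
    outbound: str = "Send"       # "Send" or "Do not send"
    description: str = ""


# Constructed directory contents, deliberately not in view order.
SAMPLE_DIRECTORY: List[FileIdentification] = [
    FileIdentification("application", "vnd.lotus-1-2-3", "WK4", "Send", "Lotus 1-2-3"),
    FileIdentification("application", "vnd.lotus-1-2-3", "123", "Send", "Lotus 1-2-3"),
    FileIdentification("application", "vnd.lotus-1-2-3", "unknown", "Do not send"),
    FileIdentification("application", "vnd.lotus-1-2-3", "WK2", "Send"),
    FileIdentification("application", "vnd.lotus-1-2-3", "WK3", "Send"),
    FileIdentification("application", "vnd.lotus-1-2-3", "WKS", "Send"),
    FileIdentification("application", "ms-word", "DOC", "Send", "Microsoft Word"),
    FileIdentification("image", "pjpeg", "JPG", "Do not send", "constructed second JPG document"),
    FileIdentification("image", "jpeg", "JPG", "Send", "JPEG image"),
]


def view_order(directory: List[FileIdentification]) -> List[FileIdentification]:
    """The File Identifications view: alphabetical by extension, case-insensitive
    (the text lists 123, unknown, WK2, WK3, WK4, WKS in that order)."""
    return sorted(directory, key=lambda d: d.extension.lower())


def inbound_attachment_name(directory: List[FileIdentification], mime_type: str,
                            mime_subtype: str, declared_name: Optional[str],
                            names_in_use: Set[str]) -> str:
    """Name an inbound attachment: the declared name when the MIME headers carry
    one, otherwise a generated name that is unique within the document and takes
    its extension from the first matching document in view order."""
    if declared_name:
        return declared_name
    wanted = (mime_type.lower(), mime_subtype.lower())
    matches = [d for d in view_order(directory)
               if (d.mime_type.lower(), d.mime_subtype.lower()) == wanted]
    ext = matches[0].extension if matches else None   # assumption: no extension if nothing matches
    for n in count(1):
        candidate = f"ATT{n:05d}" + (f".{ext}" if ext else "")   # assumed base name
        if candidate not in names_in_use:
            return candidate


def outbound_content_type(directory: List[FileIdentification], filename: str,
                          os_associations: Optional[Dict[str, MimeType]] = None) -> MimeType:
    """Content-type for an outbound attachment. A Notes client checks the operating
    system's associations first (modelled by os_associations); server and client
    then take the first document in view order for the extension whose Outbound
    field is Send. application/octet-stream as a last resort is an assumption."""
    ext = PurePath(filename).suffix.lstrip(".").lower()
    if os_associations and ext in os_associations:
        return os_associations[ext]
    candidates = [d for d in view_order(directory) if d.extension.lower() == ext]
    chosen = next((d for d in candidates if d.outbound == "Send"), None)
    if chosen is None:
        return ("application", "octet-stream")
    return (chosen.mime_type, chosen.mime_subtype)
```

Run against the sample directory, an unnamed Lotus 1-2-3 attachment gets the 123 extension because that document sorts first, a second unnamed Word attachment gets ATT00002.DOC, and an outbound photo.JPG is labelled image/jpeg rather than image/pjpeg because only the former document is set to Send.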
Chapter 29
Setting Up Shared Mail
This chapter describes setting up and managing shared mail databases.
Shared mail overview
By default, the Domino mail system employs a message-based model for
mail storage, delivering a separate and complete copy of every document
to each recipient’s mail file. When a message is small or is addressed to
only a few recipients, creating multiple copies of a message does not
consume much additional disk space. But when a large message is
broadcast to thousands of users on a single server, creating a separate
copy of the message for each recipient can consume several gigabytes of
disk space.
To use disk space more efficiently, you can set up shared mail on each
mail server after you set up the Domino mail system. Shared mail,
sometimes referred to as the Single Copy Object Store (SCOS), offers an
alternative to message-based mail, allowing servers to store a single copy
of messages received by multiple recipients in a special central database,
or object store. Every server using shared mail contains one or more of
these object stores, or shared mail databases, to hold all shared messages.
After you enable shared mail on a server, all mail databases on the server
automatically use the shared mail database to store the content of new
messages, unless you explicitly exclude a database from using shared
mail. You do not need to configure each user’s mail file individually for
shared mail use.
When shared mail is enabled and an incoming message is addressed to
multiple local recipients, the Router divides the message into a message
header and message body. The header includes the message’s To, cc, bcc,
Subject, and From fields. The body includes the text and other content, as
well as any file attachments. The Router then writes the message body to
a shared mail database and the message header to each recipient’s mail
file. The message body stored in the shared mail database contains an
object store link, which identifies all of the mail files linked to that
message. Similarly, the corresponding message headers stored in each
recipient’s mail file each contain a pointer to the object store that contains
the message body.
To keep shared mail databases small, Domino automatically purges the
shared portion of a message from the shared mail database after all
recipients delete the message from their mail files. Domino purges the
shared portion of these obsolete messages immediately; you do not have
to wait for a task to run before a message can be removed.
To improve efficiency and support encryption, Domino excludes certain
messages from the object store. Users always receive messages smaller
than one kilobyte (1 KB) as complete messages. This guarantees that
message pointers in a mail file never exceed the size of the message body
in the shared mail database. In addition, users always receive complete
messages if instructions in their Person documents specify to encrypt
incoming mail.
Using a shared mail database is completely transparent to users. When a
recipient opens a message, the link between the mail file and the shared
mail database causes the message to appear in its entirety. Users can
delete, reply to, change the view or folder, edit, save, resend, and
perform all the same tasks on a mail message stored in a shared mail
database as they would with the same message stored in their own mail
files. If a user edits and saves, or encrypts and saves, a message, the
complete message is then stored in that user’s personal mail file, with no effect
on how the original message appears to other users.
Shared mail works for all messages, regardless of the mail client used to
compose the message. That means that users who use a POP3, IMAP, or
Notes mail client and who have a mail file on the Domino mail server can
all use shared mail. However, shared mail is not used if the various
recipients have different format preferences for incoming mail. For
example, if a message is sent to four users, half of whom have Notes rich
text format specified as their format preference, and half whose format
preference is set to MIME, all of the users receive the complete message.
Using multiple active shared mail databases
To improve scalability and reduce database contention, Domino servers
support the use of multiple active shared mail databases in multiple
shared mail directories. The directories can exist on any disk that the
server has access to. An active shared mail database is one that is open
for delivery of new messages. When multiple active shared mail
databases are available, the Router evenly distributes incoming mail to
each of them, choosing the destination database at the time of delivery.
Each new message that a user receives may be stored in any one of the
currently active shared mail databases. After a message is stored in a
shared mail database, it remains there until all users delete the message
from their mail files.
You can configure the server to use as many as ten active shared mail
directories at one time. Each configured shared mail directory can
contain as many as 100 shared mail databases, to a maximum of 1000
total shared mail databases per server.
If a server has fewer than 1000 active databases configured, it can continue
to reference a number of inactive shared mail databases up to the
maximum of 1000. Inactive databases no longer receive new mail, but
store previously received messages. A server can support as many as 40
inactive shared mail directories. As with active shared mail directories,
each of these inactive directories can contain a maximum of 100 shared
mail databases. A single shared mail directory can contain both active
and inactive databases.
A shared mail database is automatically set to inactive if the parent
directory exceeds the maximum size you specify for it in the Server
document.
When a server has multiple active shared mail databases, user mail files
on the server may contain links to any or all of them, as well as to
inactive shared mail databases. If you create additional shared mail
databases, Domino distributes a portion of all new incoming messages to
each of them. Previously received messages continue to reside in the
shared mail databases where Domino originally stored them.
Using multiple shared mail databases reduces the amount of shared mail
that could be lost or become temporarily inaccessible as a result of
database corruption. You can enable transaction logging for shared mail
databases, so that databases corrupted as the result of a server crash or
power outage can be automatically recovered at server startup. Enabling
transaction logging frees you from the need to restore shared mail
databases manually.
If transaction logging for shared mail is not enabled, to protect shared
mail databases against data loss, install a backup utility that can back up
and verify open NSF files and back up all shared mail databases at least
once a day. Because security settings on shared mail databases prevent
replication, you cannot replicate shared mail databases to provide
backup.
For more information on restoring shared mail databases, see the topic
“Restoring a shared mail database” later in this chapter.
How using shared mail affects a user’s mail file quota
When calculating the size of a mail file to determine whether it conforms
to configured mail quota or warning threshold limits, Domino treats
shared messages as though each user owned the entirety of the shared
message. Thus, the full size of every message delivered to a mail file that
uses shared mail counts against the mail file quota. Likewise, when a
user deletes a message that is linked to a shared mail database, the full
size of the message is removed from the mail file quota.
The actual file size of the mail database that uses shared mail therefore
does not necessarily reflect its logical size. For example, a user’s mail file
might exceed its quota limit of 60MB even though the physical size of the
file is only 35MB.
How Domino maintains the security of a shared mail database
Because a shared mail database contains confidential messages for all
users on a server, it must be secured against unauthorized browsing.
These security features ensure that only users who should have access to
a given message actually have access to that message:
• Shared Mail databases are encrypted locally with a random key, which is in turn encrypted using the public key of the server’s ID.
• The access control list (ACL) of a shared mail database is set so that only the server’s ID can access the database. The server’s ID has Manager access, and the user type is Server. Even if an unauthorized user obtains the server ID, the user cannot use the server ID to access a shared mail database from a Notes workstation and cannot create a replica of the database on another server.
• The shared mail database does not appear in the Open Database dialog box.
• A shared mail database contains no views, and none can be added to it.
• The shared mail database includes links to message headers. When a user reads a message, Domino verifies that the message header matches the content stored in the shared mail database.
• Messages received by users for whom the “Encrypt incoming mail” option in the Person document is set to “Yes” cannot be stored in a shared mail database. Messages delivered to recipients who encrypt incoming mail are placed in the recipient’s mail file in their entirety.
For more information on mail encryption, see the chapter “Encryption
and Electronic Signatures.”
How shared mail works
1. The Router on a server receives a mail message addressed to two or
more recipients whose mail files are on that server.
2. The Router splits the incoming message into two parts: the header
and the content. The header consists of the message’s To, cc, bcc,
Subject, and From fields. The content contains the body of the
message, along with any file attachments.
Note If the combined size of a message and its attachments is 1KB
or less, Domino delivers the complete message to the recipient’s mail
file and does not use the object store.
3. The Router stores a copy of the header in each recipient’s mail file
and stores a single copy of the content in the shared mail database.
4. When a recipient opens the message, the header activates a link to
the message content, which is stored in the shared mail database. The
message appears as though the entire message is stored in the
recipient’s mail file.
5. If the recipient deletes a shared message, Domino deletes only the
header in the recipient’s mail file. The content is not affected because
it is stored in the shared mail database.
6. After all of the recipients delete the message header from their mail
files, Domino automatically purges the obsolete message, including
the content in the shared mail database.
For more information on how Domino removes obsolete messages
from a shared mail database, see the topic “Purging obsolete shared
mail messages” later in this chapter.
If a user edits and saves a received message, Domino stores the
revised message in the user’s mail file in its entirety and deletes
links between the user’s mail file and the message body in the
shared mail database.
Setting up shared mail databases
Before setting up shared mail, decide where to locate your shared mail
databases. On each server that uses shared mail, you specify the
directory where you want shared mail databases to reside. When
creating multiple shared mail databases, you can place all of the
databases in one directory, or create multiple directories and have
multiple databases in each directory. Servers can have up to 10 active
shared mail directories, each supporting a maximum of 100 shared mail
databases. In addition, Domino recognizes as many as 40 inactive shared
mail directories, from which users can continue to access messages.
Inactive directories are directories that no longer appear in the server
document, but remain in the last location specified. Each server can
support a combined total of 1000 active and inactive shared mail
databases.
Shared mail directories must reside within the logical directory structure
that is controlled by the server or be referenced by a directory link within
that directory structure. To improve performance, you can place shared
mail databases on another file system. When creating shared mail
databases in a directory that is not a subdirectory of the Domino data
directory, Domino creates a link to point to the shared mail directory. If
no link exists, Domino cannot locate the shared mail databases.
To create and enable a shared mail database
1. From the Domino Administrator, click the Configuration tab and
then expand the Server section.
2. Select the Server document to be edited and then click Edit Server.
3. Click the Shared Mail tab.
4. Enable or disable the use of shared mail by completing the following
field:
5. For each shared mail directory you want to create, complete the
following fields and then click Save & Close:
6. To put the new configuration into effect, restart the server or enter
the following command at the server console:
Show SCOS
For more information about using the SHOW SCOS command, see
the appendix “Server Commands.”
Using shared mail for delivery only or for transfer and delivery
There are two ways of setting up shared mail. One is for delivery only,
and the other is for transfer and delivery. When shared mail is enabled
for delivery only, the Router places the body of an incoming message in
the shared mail database only if there are multiple local recipients.
Messages for a single local user are delivered as complete messages. The
server uses its normal transfer mechanism for messages being routed
through the server to another destination; that is, messages in MAIL.BOX
that are awaiting transfer to another server always remain intact.
In contrast, when shared mail is enabled for transfer and delivery, the
server splits every message it receives (that is, the content goes to the
shared mail database and the header goes to MAIL.BOX), regardless of
the number of recipients. Then, during delivery, the Router merges the
header and content together, examines the recipient list, and either
transfers the message to the next server, or delivers it to the local
recipients (with the content staying in the shared mail database and the
header going to the users’ mail files).
The shared mail setting that you decide to use depends on your situation.
In general, use shared mail for transfer and delivery on servers that have
mostly deliveries and few transfers to other servers. Because most
incoming messages are likely to be for local delivery, it’s efficient to have
the server automatically place all incoming messages in the object store.
On the other hand, on servers such as hub servers, which perform mostly
transfers and have few local mail file deliveries, use shared mail for
delivery only. Because incoming messages on these servers are likely to
be transferred to another server, it’s counterproductive to have the server
absorb the cost of preparing mail for the object store.
In the end, both settings provide similar disk space savings, but because
the “transfer and delivery” setting always places the message body
directly in the object store, rather than in MAIL.BOX, it provides faster
delivery for local users by eliminating the transfer time required to move
mail from MAIL.BOX to the object store.
Specifying the location and size of a shared mail directory
Shared mail databases may become quite large, so be sure to locate
shared mail directories on a disk that has enough free space to
accommodate future growth. To manage growth, you can specify a size
limit for the database set contained in each shared mail directory. The
size limit applies to the cumulative size of all shared mail databases in
the directory. The size of individual databases may fluctuate as messages
are added and removed, but barring any configuration change, the
number of databases remains constant, and the size of the entire database
set never significantly exceeds the specified maximum. Domino supports
a maximum size limit of 8GB (8192MB) for each shared mail directory.
Always set a maximum directory size that is less than the actual amount
of available disk space. A shared mail directory may exceed the specified
size limit if the Router adds a large message to the directory when it is
already near the limit.
If a shared mail directory reaches the configured maximum size, Domino
automatically deactivates it, changing the delivery status of the directory
to Closed, so that it can no longer receive new mail. Existing links
between users’ mail files and the inactive shared mail database continue
to work, so users can read and otherwise work with these messages. If
another shared mail directory is available, the Router places future
messages into the active shared mail databases in that directory. If no
shared mail directories are available, the Router delivers new messages
as complete messages to user mail files.
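The delivery steps in “How shared mail works”, the delivery-only rule, and the directory size limit above, as an added Python model (not Domino code; the directory name, the byte sizes and the SHA-256 digest used to check that a header matches its stored content are constructed assumptions for this model):

```python
import hashlib
from dataclasses import dataclass, field

SPLIT_THRESHOLD = 1024  # a message of 1KB or less is delivered whole, never split


@dataclass
class SharedMailDirectory:
    """One shared mail directory with a cumulative size limit (a model, not Domino's file format)."""
    name: str
    max_bytes: int
    status: str = "Active"                       # becomes "Closed" once the limit is reached
    content: dict = field(default_factory=dict)  # msg_id -> body bytes, stored exactly once
    links: dict = field(default_factory=dict)    # msg_id -> set of users whose header links to it

    def used_bytes(self):
        return sum(len(body) for body in self.content.values())

    def unlink(self, msg_id, user):
        """Drop one user's link; purge the content once no header refers to it any more."""
        self.links[msg_id].discard(user)
        if not self.links[msg_id]:
            del self.links[msg_id]
            del self.content[msg_id]


class MailServer:
    """Router-side model: per-user mail files plus the server's shared mail directories."""

    def __init__(self, directories, mode="delivery"):
        self.directories, self.mode = directories, mode  # mode: "delivery" or "transfer_and_delivery"
        self.mail_files = {}                             # user -> {msg_id: entry}

    def _dir(self, name):
        return next(d for d in self.directories if d.name == name)

    def deliver(self, msg_id, header, body, recipients):
        """Deliver to local recipients; returns 'shared' or 'complete'."""
        split = len(body) > SPLIT_THRESHOLD
        if self.mode == "delivery" and len(recipients) < 2:
            split = False                  # delivery only: mail for a single local user stays intact
        target = next((d for d in self.directories if d.status == "Active"), None) if split else None
        if target is None:                 # nothing to share, or every directory is Closed
            for user in recipients:
                self.mail_files.setdefault(user, {})[msg_id] = {"header": header, "body": body, "shared": None}
            return "complete"
        target.content[msg_id] = body
        target.links[msg_id] = set(recipients)
        digest = hashlib.sha256(body).hexdigest()  # assumed check value so read() can match header to content
        for user in recipients:
            self.mail_files.setdefault(user, {})[msg_id] = {
                "header": {**header, "digest": digest}, "body": None, "shared": target.name}
        if target.used_bytes() >= target.max_bytes:  # may overshoot once, then accepts no new mail
            target.status = "Closed"
        return "shared"

    def read(self, user, msg_id):
        entry = self.mail_files[user][msg_id]
        if entry["shared"] is None:
            return entry["body"]
        body = self._dir(entry["shared"]).content[msg_id]  # follow the header's link
        if hashlib.sha256(body).hexdigest() != entry["header"]["digest"]:
            raise ValueError("shared content does not match the message header")
        return body

    def delete(self, user, msg_id):
        """Removes only this user's header; the content goes when the last link does."""
        entry = self.mail_files[user].pop(msg_id)
        if entry["shared"] is not None:
            self._dir(entry["shared"]).unlink(msg_id, user)

    def edit_and_save(self, user, msg_id, new_body):
        """An edited message is stored whole in the mail file and unlinked from the store."""
        entry = self.mail_files[user][msg_id]
        if entry["shared"] is not None:
            self._dir(entry["shared"]).unlink(msg_id, user)
        entry.update(body=new_body, shared=None)


def demo():
    """Constructed walk-through returning the observations the chapter describes."""
    scos = SharedMailDirectory("SCOS_1", max_bytes=8000)
    server = MailServer([scos])
    hdr = {"From": "alice@example.com", "Subject": "Q3 report"}  # constructed sample header
    big = b"x" * 3000
    out = {"multi_big": server.deliver("m1", hdr, big, ["bob", "carol"]),
           "small": server.deliver("m2", hdr, b"hi", ["bob", "carol"]),
           "single": server.deliver("m3", hdr, big, ["dave"])}
    out["carol_reads"] = server.read("carol", "m1") == big
    server.delete("bob", "m1")
    out["kept_after_one_delete"] = "m1" in scos.content
    server.edit_and_save("carol", "m1", big + b" (edited)")
    out["purged_after_last_unlink"] = "m1" not in scos.content
    for i in range(4, 7):              # 3 x 3000 bytes reaches the 8000-byte limit on the third
        server.deliver(f"m{i}", hdr, big, ["bob", "carol"])
    out["status"] = scos.status
    out["after_close"] = server.deliver("m7", hdr, big, ["bob", "carol"])
    return out
```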
Managing object store growth
As the object store becomes host to a greater number of users and
messages, you may need to change the size limits on existing shared mail
directories or add new directories to accommodate the increased usage.
Whether you extend the size of current directories or add new ones
depends on the amount of physical space and the number of concurrent
users accessing your current directories.
If there’s still adequate space on the current disk, after the existing
shared mail directories reach their size limit, you can increase the
maximum size of the existing directories. If the amount of additional
space on the current disk is limited, create another shared mail directory
on a separate disk that has more space.
If database contention (too many users accessing the database at the
same time) is affecting performance, and space allows, increase the
number of databases (not the size) within the existing shared mail
directories or create new shared mail directories on the same disk or a
separate disk.
Creating shared mail directories outside of the Domino Data directory
If you create a shared mail directory that is not a subdirectory of the
Domino data directory, Domino automatically creates a link file, or
directory link, within the Data directory, called SCOS_N.DIR, where N
indicates the sequence order in which the link file was created relative to
other shared mail database links. For example, the directory link Domino
creates for the first shared mail directory outside of the Domino Data
directory is named SCOS_1.DIR; the second one is named SCOS_2.DIR;
and so forth. Domino does not create link files for shared mail directories
residing within the Domino Data directory. The link file is a text file
containing the path to the shared mail directory so that the server can
locate shared mail databases.
If the server has a drive mapped to another computer, you can place the
directory on that drive by entering its full path. For example:
J:\Shared\SHAREDMAIL
You cannot specify a path in the form of a Universal Naming Convention
(UNC) name (that is, using the format: //hostname/sharepoint).
Caution If Domino loses access to the remote directory for any reason,
users will be unable to access messages stored in that directory.
Managing a shared mail database
Use these procedures to manage a shared mail database and the user
mail files that are linked to it:
• Reconfigure shared mail
• Generate and view shared mail information
• Link, unlink, or relink a user’s mail file
• Include or exclude a user’s mail file
• Enable shared mail for replicas of mail files
• Purge obsolete shared mail messages
• Restore a shared mail database
• Move mail files between servers that use shared mail
• Delete a shared mail database
• Disable shared mail
Reconfiguring shared mail settings
As the object store becomes host to a greater number of users and
messages, you may need to change the existing settings to accommodate
continued growth. You can:
• Increase the number of files in a directory
• Increase the size limits on existing shared mail directories
• Change the delivery status of a directory
• Add new shared mail directories
Whether you extend the size of current directories or add new ones
depends on whether physical space or concurrent usage is the limiting
factor.
If your existing shared mail directories reach their size limit, and there’s
still adequate space on the current disk, increase the maximum size of the
existing directories. If the amount of additional space on the current disk
is limited, create another shared mail directory on a separate disk that
has more space.
If database contention (too many users accessing the database at the
same time) is affecting performance, and space allows, increase the
number of databases (not the size) within the existing shared mail
directories or create new shared mail directories on the same disk or a
separate disk.
Use the Shared Mail tab on the Server document to change the directory
settings. In addition, you can also use the SET SCOS command to change
the status of individual shared mail databases within a directory. For
more information about using the SET SCOS command, see the appendix
“Server Commands.”
To change directory settings for shared mail
1. From the Domino Administrator, click the Configuration tab and
then expand the Server section.
2. Select the Server document to be edited and then click Edit Server.
3. Click the Shared Mail tab.
4. To create an additional shared mail directory, complete the following
fields:
Chapter 30
Setting Up the POP3 Service
This chapter describes how to set up the POP3 service on a Domino
server and how to set up POP3 users.
The POP3 service
POP3 (Post Office Protocol Version 3) is an Internet mail protocol that
allows a user running a POP3 client — for example, the Lotus Notes
POP3 client, Netscape Navigator, Eudora Pro, or Microsoft Outlook
Express — to retrieve mail from a server that runs the POP3 service. You
can set up a Domino server to run the POP3 service. The Domino server
receives and stores mail for POP3 users, who can then connect to the
server to retrieve their mail.
The Domino POP3 service acts as an intermediary for communications
between POP3 mail clients and the Domino mail server. By default, the
Domino POP3 service monitors TCP port 110, where POP3 clients
connect to submit requests to the service to retrieve mail. After receiving
a request, the POP3 service sends mail to the client. POP3 clients let users
specify whether to leave a copy of a message on the server after
retrieving it. By default, messages downloaded by the client are deleted
from the server.
The POP3 service complies with RFC 1939 - Post Office Protocol Version 3.
Supporting outbound mail service for POP3 clients
POP3 is a mail access protocol only and does not stipulate any method
for sending mail. To ensure that POP3 clients can send outbound mail,
you must provide them with access to an SMTP server. The SMTP server
can be the Domino server running the POP3 service, another Domino
server, or a non-Domino SMTP server.
For information about specifying the SMTP server that a POP3 client uses
for outbound mail, see the topic “Configuring POP3 client software” later
in this chapter.
Authenticating with the server
The Domino server does not check Notes User ID files to verify the
identity of users who connect from a POP3 client. Because the POP3
service does not use ID files to identify users and control access to
servers, a POP3 user does not have to be a registered Notes user. To
access mail through the POP3 service, users need a mail file on the server
and a Person document (including an Internet password) in the Domino
Directory. Only users who receive encrypted Notes mail or access
Domino applications must be registered Notes users.
To authenticate POP3 users, Domino relies on authentication methods
built into the Internet protocols. The methods available depend on the
server ports you configure the POP3 service to use. The POP3 service can
use a TCP/IP port, a Secure Sockets Layer (SSL) port, or both the TCP/IP
and SSL ports.
If POP3 uses the TCP/IP port only (the default), the server uses basic
name-and-password authentication to identify users. The login names
that the server accepts as valid depend on the setting in the Internet
authentication field on the Security tab of the Server document.
For more information on configuring how Domino authenticates Internet
clients, see the chapter “Setting Up Name-and-Password and
Anonymous Access to Domino Servers.”
If the SSL port is enabled, you can specify whether a client certificate is
required to authenticate (SSL authentication), and whether clients must
also supply a name and password.
For information on setting up an SSL server, see the chapter “Setting Up
SSL on a Domino Server.” For information on setting up clients for SSL,
see the chapter “Setting Up Clients for S/MIME and SSL.”
Accessing a mail file from the Notes client and a POP3 client
POP3 clients use the standard Domino mail file database. This allows
registered Notes users to access their mail files from both a POP3 client
and the Notes mail client.
Setting up the POP3 service
The Domino POP3 service can be run on any Domino server on which a
TCP/IP port is configured. The POP3 protocol provides a mechanism for
retrieving mail only; POP3 clients send mail using the SMTP protocol.
To set up the Domino POP3 service
1. Edit the Server Document to enable the TCP/IP port for POP3.
Optionally, you can configure the POP3 TCP/IP port to run from an
alternate port number, and to accept SSL connections.
For more information on enabling and configuring POP3 ports, see
the topic “Enabling and configuring the POP3 service port” later in
this chapter.
2. Start the POP3 task on the Domino server.
Starting and stopping the POP3 service
You can load the POP3 service manually or start it automatically when
you start the Domino server.
TCP/IP port number: Choose 110 (default) to use the industry standard port for POP3 connections over TCP/IP. You can specify a different port, but 110 works in most situations. When specifying a nonstandard port, make sure the port is not reserved for another service. Port numbers can be any number from 1 to 65535.
TCP/IP port status: Choose one:
  • Enabled (default) - Allows POP3 clients to connect to the Domino server without using SSL. Users must provide their name and Internet password to connect.
4. Restart the POP3 task to put the new settings into effect.
To enable and configure the POP3 SSL port
1. Familiarize yourself with the Domino security model and set up SSL
on the Domino server.
2. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the POP3
service.
3. Click the Ports - Internet Ports - Mail tab.
4. In the Mail (POP) column, complete these fields, and then click Save
and Close:
SSL port number: Choose 995 (default) to use the industry standard port for POP3 connections over SSL. You can specify a different port, but 995 works in most situations. When specifying a nonstandard port, make sure the port is not reserved for another service. Port numbers can be any number from 1 to 65535.
SSL port status: Choose one:
  • Enabled - Allows POP3 clients to connect to the POP3 service over SSL.
  • Disabled - (default) Prevents client connections over SSL.
Authentication options: Client certificate: If “SSL port status” is set to Enabled, choose one:
  • Yes - The POP3 SSL port authenticates POP3 clients that use client certificates. If a connecting client does not have a certificate, the server reverts to using name-and-password authentication.
  • No - (default) The POP3 SSL port does not support client certificate authentication.
Authentication options: Name & password: If the “SSL port status” field is set to Enabled, choose one:
  • Yes - POP3 clients use name-and-password authentication when connecting to the POP3 service over SSL.
  • No - (default) The POP3 SSL port does not support name-and-password authentication.
5. Restart the POP3 task to put the new settings into effect.
Performing additional POP3 configuration
In addition to configuring the POP3 service port, you can customize the
operation of the POP3 service by setting variables in the server’s
NOTES.INI file. Variables used to configure the POP3 service begin with
the prefix “POP3.”
For more information on setting variables in the NOTES.INI file, see the
appendix “NOTES.INI File.”
Setting up POP3 users
To set up POP3 users, perform these procedures:
1. Set up the Person document.
2. Create a mail file for the POP3 user.
3. Configure POP3 client software.
Setting up the Person document for a POP3 user
To access mail files on the Domino server, a POP3 user must have a
Person document in the Domino Directory. For users who already have a
Person document, edit settings in the existing document as necessary to
provide POP3 support. If a user does not have an existing Person
document, you must create a new one. You can create a Person document
manually, or use the Domino registration process to create the Person
document automatically. If you use the Domino registration process,
select POP3 in the “Mail system” field of the Register Person dialog box.
Note By default, the Domino registration process generates a Notes ID
file (and corresponding Notes Public Encryption Key in the Domino
Directory) for each user in addition to creating the Person documents
and mail files required by a POP3 user. Because users who will access
Domino from POP3 clients only do not require a Notes ID, during
registration you can deselect the option to “Create a Notes ID for this
person.” However, if a new POP3 user also requires access to Domino
from a Notes client, Domino Administrator client, or Domino Designer
client, be sure to enable creation of an ID file.
For more information on using the Domino registration process, see the
chapter “Setting Up and Managing Notes Users.”
The following procedure specifies the Person document settings required
for POP3 users and explains how to create a Person document manually.
To set up a Person document for a POP3 user
1. From the Domino Administrator, click the People & Groups tab.
2. Select Domino Directories - Address Book - People.
3. If no Person document exists for this user, click Add Person to create
a new Person document.
To display an existing Person document, select the name of the user,
and click Edit User.
4. Click the Basics tab, complete these fields, and then click Save &
Close:
First name, Last name, User name: The name the client uses to authenticate with the POP3 server must be unique in the Domino Directory. Depending on the level of Internet access security established for the server (Server document - Security tab), the login name or user name configured on the POP3 client must match an entry in one of these fields. Entries in the User name field are always accepted as the login name. If Internet authentication is set to allow “More name variations with lower security,” entries in the First name and Last name fields may also be accepted as login names.
Internet password: The password that the user enters to access the Domino server from the POP3 client. POP3 users must have an Internet password that complies with your organization’s password quality requirements.
Mail system: Choose POP or IMAP if the user does not require Notes client access.
Domain: The name of the Notes domain to which the server belongs.
Mail server: The name of the POP3 user’s Domino mail server.
Mail file: The path for the user’s mail file, relative to the Domino data directory; for example: MAIL\AJONES.
Forwarding address: Leave this blank for users who access mail files on the Domino server from a POP3 client.
Internet address: The Internet address at which the user can receive mail within your organization. This address must match the Internet address specified in the POP3 client.
Format preference for incoming mail: Choose one:
  • Keep in sender’s format - (default) The mail file may contain messages in either Notes rich text or MIME format. When delivering messages to the mail file, the local Router preserves the current message format. Thus messages received at the server in MIME format are stored in the mail file in MIME format, and messages received at the server in Notes rich text format are in Notes rich text format. When a POP3 client requests a message that is stored in Notes rich text format, the POP3 service must convert the message to MIME before sending it to the client. Because the stored message remains in Notes rich text format, each time a POP3 client requests the message, the POP3 service must perform the conversion.
  • Prefers MIME - The mail file stores messages in MIME format only. Choose this option for users who access mail exclusively from a POP3 client. Since POP3 clients require messages in MIME format, storing mail in MIME format ensures the best performance for POP3 users, eliminating the need for the POP3 service to convert messages before passing them to the client.
  • Prefers Notes Rich Text - The mail file stores messages in Notes format only. The Router converts messages received as MIME into Notes rich text before delivery. In addition, the POP3 task must convert messages to MIME format when sending them to a POP3 client. To ensure the best performance, do not choose this option for users who access their Domino mail file primarily from a POP3 client.
When receiving unencrypted mail, encrypt before storing in your mail file: Choose No (default). POP3 clients cannot read encrypted Notes mail. To ensure that users who read mail exclusively from POP3 clients do not receive Notes-encrypted mail, remove the POP3 users’ Notes public encryption keys from their Person documents. Never remove the Notes public key from the Person document of users who access Notes databases from a Notes client.
Server: The Domino mail server that stores the user’s mail file.
Title: The name of the client’s mail file; for example, Alan Jones’ Mail.
File name: The full path to the mail file, relative to the Domino data directory; for example, MAIL\AJONES.NSF.
4. From the list of template names, select Mail (R6) with the filename
MAIL6.NTF, and click OK.
5. After Domino creates and opens the mail file, determine what level
of access is appropriate for both the user and you, as the
administrator. Then, edit the Access Control List (ACL) as follows:
a. Choose File - Database - Access Control.
b. From the Access Control List dialog box, create an ACL entry for
the user by clicking Add and then selecting the user’s name from
the Domino Directory.
c. Set the user type to Person and select the level of access. Users
require at least Editor with Delete document access.
d. (Optional) Select your name from the ACL and click Remove. As
the administrator, you can choose to retain Manager access,
particularly for users who do not have Notes client access.
e. Click OK to save the entry and close the ACL.
6. Complete the procedure “Configuring POP3 client software.”
Configuring POP3 client software
After you set up a Domino server to run the POP3 service, users can
access their mail files on the Domino server from any POP3 mail client.
The POP3 service supports all POP3-compliant clients — for example,
the Lotus Notes POP3 client, Microsoft Outlook and Outlook Express,
Netscape Messenger, and Qualcomm Eudora.
The requirements for configuring POP3 client software differ for each
product. This table presents general requirements.
Incoming mail (POP3) server: Fully qualified host name of the Domino POP3 server.
Outgoing mail (SMTP) server: The fully qualified host name of a server running SMTP to which the user can send mail addressed to intranet or Internet recipients. The SMTP server may be the Domino server running the POP3 service, a different Domino server, or a non-Domino SMTP server.
Authentication required to send outbound mail: Specifies whether the configured SMTP server requires users to provide a name and password before they can send outgoing messages.
Account/Login name: The name by which the user authenticates with the Domino server. Valid user name values depend on the setting in the Internet authentication field of the Server document:
  • If the server is set to use “More name variations with lower security,” users can enter a login name that matches any entry in the First name, Last name, User name or Short name/UserID field of the Person document, as long as it is unique within the Domino Directory; for example, JCorrer.
  • If the server uses “Fewer name variations with higher security,” a user’s login name must match an entry in the User name field of the Person document; for example, Jada Correr/ACME.
Password: The Internet password from the user’s Person document.
Automatically delete mail documents from the POP3 server after the client copies them locally: By default, when downloading messages from the server, most POP3 clients delete the server copy to conserve disk space. For users who read mail from both the Notes client and a POP3 client, make sure the POP3 client is set to leave messages on the server.
POP3 client should check for mail no more than every five (5) minutes: Determines how often the POP3 client checks for mail. If the client checks for mail more frequently, it may affect server performance.
E-mail address: The Internet address specified in the user’s Person document.
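The login-name rules from “Authenticating with the server” and the client configuration table above, together with the RFC 1939 behaviour behind the “leave messages on the server” client setting (DELE only marks a message; the server removes marked messages in its UPDATE state on QUIT), as an added Python model that is not Domino code: the Person records, the messages and the SHA-256 password stand-in are constructed for this example, and Domino’s own Internet password hashing is not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass

MORE_VARIATIONS = "More name variations with lower security"
FEWER_VARIATIONS = "Fewer name variations with higher security"


@dataclass
class Person:
    """Person document fields used here (constructed sample data, not a Domino record)."""
    first_name: str
    last_name: str
    user_names: list    # "User name" field, hierarchical name first
    short_name: str     # "Short name/UserID" field
    password_hash: str  # stand-in for the Internet password; Domino's own hash format is not modelled


def hash_password(password):
    return hashlib.sha256(password.encode()).hexdigest()  # assumed scheme for this model only


def resolve_login(directory, login, setting):
    """Return the one Person that `login` identifies under `setting`, or None. User name
    entries are always accepted; under MORE_VARIATIONS the First name, Last name and
    Short name/UserID fields count too, but an ambiguous name is rejected, not guessed."""
    wanted, matches = login.strip().lower(), []
    for person in directory:
        accepted = [n.lower() for n in person.user_names]
        if setting == MORE_VARIATIONS:
            accepted += [person.first_name.lower(), person.last_name.lower(), person.short_name.lower()]
        if wanted in accepted:
            matches.append(person)
    return matches[0] if len(matches) == 1 else None


class Pop3Session:
    """Server side of one RFC 1939 session: AUTHORIZATION -> TRANSACTION -> UPDATE."""

    def __init__(self, directory, setting, mail_files):
        self.directory, self.setting, self.mail_files = directory, setting, mail_files
        self.state, self.pending, self.messages, self.deleted = "AUTHORIZATION", None, [], set()

    def handle(self, line):
        """Process one client command line and return the server's reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            if self.state == "TRANSACTION":  # UPDATE state: only now are the DELE marks applied
                for idx in sorted(self.deleted, reverse=True):
                    del self.messages[idx]
            self.state = "UPDATE"
            return "+OK bye"
        if self.state == "AUTHORIZATION":
            if verb == "USER":
                self.pending = resolve_login(self.directory, arg, self.setting)
                return "+OK"                 # RFC 1939 allows +OK here even for an unknown name
            if verb == "PASS" and self.pending and hmac.compare_digest(
                    hash_password(arg), self.pending.password_hash):
                self.messages = self.mail_files.setdefault(self.pending.short_name, [])
                self.state = "TRANSACTION"
                return "+OK maildrop locked and ready"
            self.pending = None
            return "-ERR authentication failed"  # same reply for a bad name and a bad password
        live = [i for i in range(len(self.messages)) if i not in self.deleted]
        if verb == "STAT":
            return f"+OK {len(live)} {sum(len(self.messages[i]) for i in live)}"
        if verb in ("RETR", "DELE"):
            idx = int(arg) - 1 if arg.isdigit() else -1
            if idx not in live:
                return "-ERR no such message"
            if verb == "RETR":
                return "+OK\r\n" + self.messages[idx].decode() + "\r\n."
            self.deleted.add(idx)            # marked only; the mail file changes at QUIT
            return f"+OK message {idx + 1} deleted"
        return "-ERR unknown command"


def demo():
    """Constructed exchange: a client that deletes after download, then one that leaves mail."""
    directory = [
        Person("Jada", "Correr", ["Jada Correr/ACME", "Jada Correr"], "JCorrer", hash_password("s3cret")),
        Person("Jada", "Smith", ["Jada Smith/ACME", "Jada Smith"], "JSmith", hash_password("other"))]
    mail = {"JCorrer": [b"From: alice@example.com\r\nSubject: one\r\n\r\nhello",
                        b"From: bob@example.com\r\nSubject: two\r\n\r\nworld"]}
    out = {"short_name_lower_security": resolve_login(directory, "JCorrer", MORE_VARIATIONS) is directory[0],
           "short_name_higher_security": resolve_login(directory, "JCorrer", FEWER_VARIATIONS),
           "ambiguous_first_name": resolve_login(directory, "Jada", MORE_VARIATIONS),
           "hierarchical_name": resolve_login(directory, "Jada Correr/ACME", FEWER_VARIATIONS) is directory[0]}
    session = Pop3Session(directory, MORE_VARIATIONS, mail)
    out["transcript"] = [(cmd, session.handle(cmd)) for cmd in
                         ["USER JCorrer", "PASS s3cret", "STAT", "RETR 1", "DELE 1", "QUIT"]]
    out["left_after_delete_client"] = len(mail["JCorrer"])  # 1: the DELE took effect at QUIT
    session = Pop3Session(directory, MORE_VARIATIONS, mail)
    for cmd in ["USER JCorrer", "PASS s3cret", "RETR 1", "QUIT"]:  # leave-on-server client: no DELE
        session.handle(cmd)
    out["left_after_keep_client"] = len(mail["JCorrer"])    # still 1
    return out
```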
TCP/IP port number: Choose 143 (default) to use the industry standard port for IMAP connections over TCP/IP. You can specify a different port, but 143 works in most situations. When specifying a nonstandard port, make sure the port is not reserved for another service. Port numbers can be any number from 1 to 65535.
TCP/IP port status: Choose one:
  • Enabled (default) - Allows IMAP clients to connect to the Domino server without using SSL. Users must provide their name and Internet password to connect.
  • Disabled - Prevents IMAP clients from connecting to the Domino server, unless they can connect using SSL.
  • Redirect to SSL - Denies access to clients connecting to the IMAP TCP/IP port, but returns a message indicating that they must connect over SSL. You can specify the contents of the message. To support IMAP clients, either the IMAP TCP/IP port or the IMAP SSL port must be enabled, and the IMAP task must be running on the server.
5. Restart the IMAP task to put the new settings into effect.
Setting IMAP session limits
You can configure the following IMAP session limits:
• Maximum number of IMAP sessions
• Default timeout value
Specifying the maximum number of IMAP sessions
To maintain a session with a client, Domino allocates a main session
thread, which uses a certain portion of the server’s memory. Each IMAP
client connecting to the server consumes an additional session thread,
and thus a certain amount of memory. If the number of IMAP sessions
exceeds the amount of available memory, the server can become
unstable.
To ensure that servers can properly support the number of connecting
IMAP clients, you can set a limit on the number of concurrent IMAP
sessions allowed. By default, servers do not place limits on the number of
concurrent IMAP sessions.
After the number of sessions reaches the specified limit, the IMAP
service rejects additional connection attempts.
Note You cannot use the NOTES.INI variable, IMAPMaxSessions,
available in Domino 5.0.3, to limit the number of IMAP sessions on a
Domino Release 6 server.
Specifying a default IMAP session timeout value
After a user opens a session with the IMAP service, the service waits for
commands from the mail client. If no commands are received, the session
is considered to be idle. Sessions that are idle for a long period may be
the result of a user forgetting to log out after completing their mail
processing. Because servers must allocate memory for each IMAP session
and send periodic keep-alive messages to a client to maintain the
connection, idle sessions represent a waste of server resources.
You can limit how long the server continues to maintain client sessions
that do not show any activity. Specify the number of minutes that the
IMAP service waits before disconnecting idle IMAP client sessions. Many
IMAP clients poll for new mail every 10 minutes, so it’s best to set the
value to greater than 10 minutes, because the overhead of supporting an
idle session is less than the overhead required to support clients logging
in and opening mailboxes.
By default, servers drop idle sessions after 30 minutes.
Note You cannot use the NOTES.INI variable, IMAP_Session_Timeout,
available in earlier versions of Domino, to configure the IMAP session
timeout on a Domino Release 6 server.
To set IMAP session limits
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to configure, and click Edit Configuration.
5. Click the IMAP - Basics tab.
6. Complete the following fields and then click Save & Close:
Maximum number of IMAP sessions: The maximum number of concurrent IMAP client sessions the server allows. By default, no limit is imposed.
IMAP session timeout: The time, in minutes, that the IMAP service continues to maintain an idle session. If there is no client activity by the end of the specified time, Domino closes the session. By default, servers drop idle sessions after 30 minutes.
Enable IMAP during login: Choose one:
  • Enabled - (default) The IMAP service automatically converts mail files to Lotus Domino Release 6 IMAP format the first time a user logs in from an IMAP client.
  • Disabled - Administrators must manually convert mail files for IMAP use before users can access mail from an IMAP client.
Public and other users’ folders support: Choose one:
  • Enabled - (default) In addition to presenting an IMAP client with the current user’s mail folder, the IMAP service also presents any public folders and other users’ mail files that the current user has access to.
  • Disabled - The IMAP service does not present IMAP clients with public and other users’ mail folders. The IMAP client can access the current user’s personal mail file only.
Field: Public folder prefix
Description: The name of the virtual root folder Domino uses to organize the hierarchy of Notes mail databases configured as IMAP public folders. When an IMAP client connects to the server it displays the public folders available to the user as subfolders of this folder. Unless you have a specific reason to change the folder prefix, accept the default name to ensure IMAP clients can access public folders on the server.

Field: Public folder database links
Description: Database links for IMAP-enabled Notes mail databases you want to designate as IMAP public folders. Paste the database link copied in Step 2 into this field. For example, insert the cursor in the field and click Edit - Paste. The Notes database represented by the link is now designated as an IMAP public folder. Users with the appropriate access privileges can open the database from an IMAP client.
Field: Other users’ folder prefix
Enter: The name of the virtual root folder which contains Notes mail databases whose owners delegated access to other users. When an IMAP client connects to the server it displays the other users’ folders to which the user has access as subfolders of this folder. Unless you have a specific reason to change the folder prefix, accept the default name to ensure IMAP clients can access other users’ folders on the server.

Field: Other users’ common delimiter
Enter: The character that Domino uses to separate the domain name, organizational unit(s), and organization name in a user’s Notes hierarchical name when displaying the user’s mail file to an IMAP client as part of the Other users’ folder list. Default is forward slash ( / ). For IMAP clients, such as the Netscape client, that cannot display hierarchical names that contain the default separator character, specify a different character, for instance a dot (“.”) or pipe character (“|”). For example, if you enter the pipe character, Domino sends the mail folder of a user named Jada Mendez/Sales/Acme to IMAP clients as Jada Mendez|Sales|Acme.

Field: IMAP users who can change other users’ unread marks
Enter: The fully-qualified Notes names of users who are permitted to change the unread status of messages in other users’ mail files. You can also enter the name of a Notes group.
The change takes effect after the next IMAP service update. You can
restart the IMAP service to force an immediate update to the IMAP
service configuration.
7. To provide another user with access to a personal mail file,
instruct the mail file owner to delegate access from a Notes client.
For information about delegating access to a mail file from a Notes
client, see the topic “Delegating mail access” if you have installed
Lotus Notes 6 Help. Or, visit the Documentation Library in the Lotus
Developer Domain at http://www.lotus.com/ldd/doc to download
or view Lotus Notes 6 Help.
Note To provide IMAP users with access to other users’ mail files,
you must use a Notes client or iNotes client to delegate mail file
access. It is not sufficient to add the names of users to the ACL of the
mail file.
31-18 Administering the Domino System, Volume 1
Configuring IMAP internal thread use
The IMAP service acts as an intermediary between IMAP clients
attempting to retrieve messages and the Domino mail server. IMAP
clients do not have direct access to mail files on the Domino server;
instead, the IMAP service acts as a proxy, relaying each client’s request to
retrieve messages to the mail server. To return message data to the client,
Domino opens the mail database and passes on the requested
information to the IMAP service. The IMAP service then sends the
requested message information to the client.
An IMAP session begins when a user at an IMAP client logs in to the
Domino IMAP service. Domino allocates each IMAP session its own
session thread from the server’s main thread pool. This session thread
becomes the sole channel for all communications between the client and
the IMAP service. When the session ends, Domino returns the thread to
the pool for use by another client.
The session thread communicates directly with the server’s IMAP port to
receive client input, validate the syntax of received requests, queue
requests to the IMAP service, and send responses from the service back
to the client. If the IMAP service is slow to respond, the main thread also
sends periodic keep-alive messages to the client so that it does not close
the connection.
A Domino server can interact with multiple clients simultaneously
because it allocates a new thread to service each client session. Clients
connect to a port and exchange all input and output through that port.
Threads require memory and CPU time. The thread pool contains a
limited number of physical threads, but thread use is virtualized so that a
single thread works on different tasks. Thus, in a fraction of a second, a
single thread that one task has idled while waiting for information can
switch to another task. This allows Domino to maximize processor use
and minimize memory.
By avoiding the need to create a new physical thread for each requested
connection, Domino makes the best use of available memory. However, a
high number of IMAP sessions can place a strain on the server. If clients
experience slow response during times of peak usage, consider limiting
the number of IMAP sessions.
The internal IMAP thread pool
The Domino IMAP service provides an internal IMAP thread pool that is
independent of the thread pool that Domino uses to create client
sessions. The default number of available threads is based on the amount
of physical memory the server has. The service has a minimum of 50
threads available and a maximum of 400 threads. To ensure that the
IMAP service continues to function properly, it’s best to use the default
thread pool settings and modify these settings only at the direction of a
qualified IBM support representative.
The IMAP thread pool consists of three types of worker threads as shown
in the following table:
Thread type: FETCH thread
Description: Accepts validated FETCH commands from the client and transmits them to the Domino mail service
Default maximum value: 80% of pool total

Thread type: FETCH response thread
Description: Transmits message data from the Domino mail service to fulfill client FETCH requests
Default maximum value: 80% of pool total

Thread type: LOGIN conversion thread
Description: Converts mail files to IMAP format
Default maximum value: None
Available threads become active when the main session thread queues a
request.
To specify IMAP thread use
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to restrict mail on, and click Edit Configuration.
5. Click the IMAP - Advanced tab.
6. In the Worker thread pool section, complete the following:
Field: Maximum number of IMAP worker threads
Description: The total number of threads available in the IMAP service’s thread pool, including Login conversion threads for upgrading mail files to Domino Release 6 IMAP format; FETCH threads for transmitting validated client requests to the Domino mail server; and FETCH response threads for transmitting message data from the mail server in response to client FETCH requests.

Field: Maximum number of response threads per FETCH
Description: The number of threads available to transmit message data to fulfill a given FETCH request (default is 4).

Field: Maximum number of FETCH threads allowed
Description: The number of concurrent threads the IMAP service can use to transmit client requests to FETCH message data to the Domino mail server.

Field: Maximum number of FETCH response threads allowed
Description: The number of threads the IMAP service can use to return message data from the Domino mail server in response to FETCH requests received from all active IMAP sessions.
Field: First name, Last name, User name
Enter: The login name a client uses to authenticate with the IMAP server must be unique in the Domino Directory. Depending on the level of Internet access security established for the server (Server document - Security tab), the login name or user name configured on the IMAP client must match an entry in one of these fields. Entries in the User name field are always accepted as the login name. If Internet authentication is set to allow “More name variations with lower security”, entries in the First name and Last name fields may also be accepted as login names.

Field: Internet password
Enter: The password that the user enters to access the Domino server from the IMAP client. IMAP users must have an Internet password that complies with your organization’s password quality requirements.

Field: Mail system
Enter: Choose IMAP if the user does not require Notes client access.

Field: Domain
Enter: The name of the Notes domain to which the server belongs.

Field: Mail server
Enter: The name of the IMAP user’s Domino mail server.

Field: Mail file
Enter: The path for the user’s mail file, relative to the Domino data directory, for example, MAIL\AJONES.

Field: Forwarding address
Enter: Leave this blank for users who access mail files on the Domino server from an IMAP client.

Field: Internet address
Enter: The Internet address at which the user can receive mail within your organization. This address must match the Internet address specified in the IMAP client.
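The login-name matching rule in the First name, Last name and User name row above, as an added example that is not part of the original manual: a constructed Python model of which Person document entries a server accepts as login names under each Internet authentication setting, plus an administrator pre-check for login names that would map to more than one person. The directory entries are made up; “More name variations with lower security” is the setting quoted in the text, and the label used here for the other setting is an assumption used only as a mode switch.

```python
"""Added example (not Domino code): how an IMAP login name is matched
against Person document fields under the two Internet authentication
settings described above. The directory below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Values of the Server document's Internet authentication field. The first
# label is quoted in the text; the second is assumed and serves only as a
# mode switch in this model.
MORE_VARIATIONS = "More name variations with lower security"
FEWER_VARIATIONS = "Fewer name variations with higher security"   # assumed label


@dataclass
class PersonDoc:
    first_name: str
    last_name: str
    user_names: List[str]      # User name field; may hold several values


def accepted_login_names(person: PersonDoc, auth_setting: str) -> List[str]:
    """Names the server accepts as this person's login name. User name
    entries are always accepted; First and Last name only in the
    lower-security mode."""
    names = list(person.user_names)
    if auth_setting == MORE_VARIATIONS:
        names += [person.first_name, person.last_name]
    return [n.casefold() for n in names]


def resolve_login(login: str, directory: List[PersonDoc],
                  auth_setting: str) -> Optional[PersonDoc]:
    """Map a client-supplied login name to exactly one Person document.
    Returns None when nothing matches or when more than one person
    matches: an ambiguous login is refused rather than guessed."""
    key = login.casefold()
    matches = [p for p in directory if key in accepted_login_names(p, auth_setting)]
    return matches[0] if len(matches) == 1 else None


def ambiguous_login_names(directory: List[PersonDoc], auth_setting: str) -> Dict[str, int]:
    """Administrator pre-check: login names that would map to more than
    one Person document under the given setting, so the uniqueness
    requirement stated in the text can be enforced before users log in."""
    counts: Dict[str, int] = {}
    for p in directory:
        for n in set(accepted_login_names(p, auth_setting)):
            counts[n] = counts.get(n, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


# Constructed sample directory: two people who share a last name.
DIRECTORY = [
    PersonDoc("Alan", "Jones", ["Alan Jones/Sales/Acme", "Alan Jones", "ajones"]),
    PersonDoc("Beth", "Jones", ["Beth Jones/Sales/Acme", "Beth Jones", "bjones"]),
]


def demo() -> Dict[str, Optional[str]]:
    """Which person (by first name) each login resolves to, per setting."""
    def who(p: Optional[PersonDoc]) -> Optional[str]:
        return None if p is None else p.first_name
    return {
        "ajones/fewer": who(resolve_login("ajones", DIRECTORY, FEWER_VARIATIONS)),
        "Beth/fewer": who(resolve_login("Beth", DIRECTORY, FEWER_VARIATIONS)),   # first name not accepted
        "Beth/more": who(resolve_login("Beth", DIRECTORY, MORE_VARIATIONS)),
        "Jones/more": who(resolve_login("Jones", DIRECTORY, MORE_VARIATIONS)),   # two people: refused
    }
```

Running ambiguous_login_names(DIRECTORY, MORE_VARIATIONS) reports "jones" as shared by two people, which is exactly the situation the lower-security setting creates and the uniqueness requirement in the table is meant to prevent.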
Field: Format preference for incoming mail
Enter: Choose one:
• Keep in sender’s format - (default) The mail file may contain messages in either Notes rich text or MIME format. When delivering messages to the mail file, the local Router preserves the current message format. Thus messages received at the server in MIME format are stored in the mail file in MIME format, and messages received at the server in Notes rich text format are in Notes rich text format. When an IMAP client requests a message that is stored in Notes rich text format, the IMAP service must convert the message to MIME before sending it to the client. Because the stored message remains in Notes rich text format, each time an IMAP client requests the message, the IMAP service must perform the conversion.
• Prefers MIME - The mail file stores messages in MIME format only. Choose this option for users who access mail exclusively from an IMAP client. Since IMAP clients require messages in MIME format, storing mail in MIME format ensures the best performance for IMAP users, eliminating the need for the IMAP service to convert messages before passing them to the client. In addition, using MIME storage allows the Router to add special IMAP attributes to the messages it delivers.
• Prefers Notes Rich Text - The mail file stores messages in Notes format only. The Router converts messages received as MIME into Notes rich text before delivery. In addition, the IMAP task must convert messages to MIME format when sending them to an IMAP client. To ensure the best performance, do not choose this option for users who access their Domino mail file primarily from an IMAP client.

Field: When receiving unencrypted mail, encrypt before storing in your mail file
Enter: Choose No (default); IMAP clients cannot read encrypted Notes mail. To ensure that users who read mail exclusively from IMAP clients do not receive Notes-encrypted mail, remove the IMAP users’ Notes public encryption keys from their Person documents. Never remove the Notes public key from the Person document of users who access Notes databases from a Notes client.
Field: Server
Enter: The Domino mail server that stores the user’s mail file.

Field: Title
Enter: The name of the client’s mail file, for example, Alan Jones’ Mail.

Field: File name
Enter: The full path to the mail file, relative to the Domino data directory, for example, MAIL\AJONES.NSF.
4. From the list of template names, select Mail (R6) with the filename
MAIL6.NTF, and click OK.
5. After Domino creates and opens the mail file, determine what level
of access is appropriate for both the user and you, as the
administrator. Then, edit the Access Control List (ACL) as follows:
a. Choose File - Database - Access Control.
b. From the Access Control List dialog box, create an ACL entry for
the user by clicking Add and then selecting the user’s name from
the Domino Directory.
c. Set the user type to Person and select the level of access. Users
require at least Editor with Delete document access.
d. (Optional) Select your name from the ACL and click Remove. As
the administrator, you can choose to retain Manager access,
particularly for users who do not have Notes client access.
e. Click OK to save the entry and close the ACL.
6. Complete the procedure “Preparing a mail file for IMAP access.”
Preparing a mail file for IMAP access
To support access from IMAP clients, mail files must be specially
modified to store IMAP folder and message attributes as database items.
If you used the Domino registration process to create a user, and set the
user’s mail system type to IMAP, Domino automatically performs the
steps required to prepare the mail file for IMAP use. Otherwise, you
must complete several tasks to prepare a mail file to support IMAP
access.
To prepare a mail file for IMAP access
1. Verify that you have:
• Set up the Person document for the IMAP user.
• Created a mail file for the IMAP user.
2. If you are upgrading a mail file, run Compact on the mail file to
ensure that it uses the Notes ODS (on-disk structure) version 41 or
greater.
You do not have to run Compact on newly created mail files that are
based on a Lotus Domino Release 5 or later mail template. For new
mail files, skip to Step 4.
3. Run the Fixup task on the mail file.
4. Run the mail conversion utility on the mail file to enable it for IMAP
access.
5. If this is not a new mail file, run the mail conversion utility with the
-h option to increase the speed of header downloads when clients log
in.
The IMAP service does not rely on template views to store IMAP folder
and message data; you can enable mail files created from any mail
template.
For users with multiple mail file replicas — for example, users with mail
files on clustered servers — you must independently enable each replica
for IMAP access. Because Domino does not replicate IMAP database
items between databases, by default, when you create a new replica of an
IMAP-enabled mail file, it is not enabled for IMAP use.
Differences when viewing mail files from IMAP clients and Notes
client
Some aspects of a mail file are structured in template items that are
visible only to a Notes client, and as such are not available to IMAP
clients. As a result, IMAP clients display certain folders and views in a
mail file differently from Notes clients. For instance, from an IMAP
client, the Inbox and Trash folders, and any public folders, appear as
IMAP mailboxes. Also, hidden and private folders are not visible to
IMAP clients. And finally, IMAP clients do not display views that are
part of the Notes mail file template, such as the Draft and Sent view.
The Domino IMAP service does not support renaming of the Inbox folder
in a Notes mail file from an IMAP client.
For users who access their mail files from both an IMAP client and a
Notes client, Domino synchronizes unread message marks between the
two. Thus, a message marked as read in Notes is also marked as read for
an IMAP client, and vice versa.
IMAP clients cannot read messages that use Notes encryption. IMAP
clients do not have access to the Notes private key needed to decrypt
messages encrypted with a user’s Notes public key certificate. As a
result, when a user opens an encrypted Notes message from an IMAP
client, only the unencrypted header information is available. The server
replaces the blank message body with the following text:
[Portions of this MIME document are encrypted with a Notes
certificate and cannot be read.]
Running Compact to update the ODS version of a mail file
To be enabled for IMAP, a mail file must use the Domino Release 5 or
later file format, Notes ODS (on-disk structure) version 41 or greater. If a
mail file is at a previous ODS version, you must run Compact on it to
update the ODS version. It is not necessary to run Compact to enable
newly created mail files that are based on either the MAIL6.NTF or
MAIL50.NTF mail templates.
The ODS version of a mail file database is listed on the Info tab of the
Database properties dialog box. For information on how to determine the
file format of a database, see the chapter “Improving Database
Performance.”
To run Compact using a console command
Compacting converts Release 4 databases to the Lotus Domino 6 file
format or ODS 43.
1. From the Domino Administrator, on the Server pane on the left,
select the server on which to run Compact. To expand the pane, click
the servers icon.
2. Click the Server - Status tab.
3. Click Console.
4. Enter the following command in the command line at the bottom of
the console, and then press ENTER:
Load compact databasepath
Enter the database path relative to the Domino data directory. To
compact a specific mail file in the MAIL directory, enter the name of
the MAIL directory followed by the name of the mail file, for
example:
Load compact MAIL\USER.NSF
To compact all mail files in the MAIL directory, enter the name of the
MAIL directory as the database path, for example:
Load compact MAIL
Note You can also enter Step 4 directly at the console on a server.
After you run compact on the mail file, continue preparing the file for
IMAP users by running Fixup.
Running Fixup to prepare a mail file for IMAP use
You do not need to run Fixup on newly created mail files that are based
on a Lotus Domino Release 5 or later mail template.
After you run Compact on a user’s mail file to ensure that it uses the
correct file format, run the Fixup task on the mail file.
Because the Fixup task requires exclusive access to the mail file database,
you must shut down the server before running Fixup.
To run Fixup
1. Shut down the server.
2. From the Windows NT command prompt, change to the Domino
program directory. For example, if you installed Domino in the
default location, enter:
cd c:\lotus\domino
3. To run Fixup on a specific mail file, enter:
nFixup path\mailfile
where path is the database path relative to the Domino data directory
and mailfile is the name of the mail file database. For example, to run
Fixup on the mail file database USER.NSF in the DATA\MAIL
folder, enter:
nFixup mail\user.nsf
Note If transaction logging is enabled on the server, run Fixup with
the -j switch, for example:
nFixup -j mail\user.nsf
Running the mail conversion utility to enable a mail file for IMAP
Note If you used the Domino Release 6 registration process to add a
user account, and set the user’s mail system type to IMAP, Domino
automatically enables the mail file for IMAP use.
After you run Fixup on the mail file, run the mail conversion utility (the
Convert task) to enable IMAP-specific features in the mail file. The
conversion utility sets an option bit in the database indicating that this
database is IMAP enabled. After you enable a mail file for which the
format preference is set to MIME, the Router automatically adds special
IMAP attributes to new messages delivered to the database. These
attributes provide IMAP clients with summary information which
enables them to download message headers more efficiently. To ensure
the best performance, after the initial conversion completes run the
conversion utility a second time, using the -h option to add these
attributes to messages that were already in the mail file at the time of the
initial conversion.
For users with multiple mail file replicas — for example, users with mail
files on clustered servers — you must independently enable each replica
for IMAP access. Because Domino does not replicate IMAP database
items between databases, by default, when you create a new replica of an
IMAP-enabled mail file, it is not enabled for IMAP use.
After the conversion utility enables a mail file for IMAP, the following
information is added to the bottom of the Information tab of the mail
file’s Database Properties dialog box:
Database is IMAP enabled
Deciding whether to convert mail files manually or automatically
By default, when a user connects to the IMAP service, the service checks
whether the user’s mail file is currently enabled for IMAP. If the mail file
is not already enabled, the IMAP service automatically launches the
conversion utility to format it for use with IMAP. To prevent conversions
from occurring during login, change the default configuration by
disabling automatic conversion.
For information on enabling and disabling automatic conversion, see the
topic “Setting the IMAP service to automatically enable mail files at
login” earlier in this chapter.
Although the IMAP service can automatically convert mail files, consider
manually converting them before users first log in to the IMAP server to
ensure that mail files are properly converted. By performing conversions
ahead of time, you can ensure that users are not confronted with
conversion errors that they are unable to recover from. For example,
because the conversion utility requires that a mail file be at least at ODS
version 41, you must run Compact on mail files that use an earlier ODS
version before converting them; automatic conversion of such a mail file
would fail. Similarly, in databases where some type of internal
corruption has occurred (for example, an invalid note, or corrupt meta
data), you must run Fixup against the mail file before running the
conversion utility.
You might also choose to run the conversion utility manually if many of
your first-time IMAP users access the server over slow modem
connections, particularly if a large proportion of them would be logging
in at the same time. The reason for this is related to the way the IMAP
service allocates threads to perform automatic conversions. The IMAP
service dedicates a single conversion thread for each conversion and it
draws this conversion thread from the same thread pool that provides
the threads responsible for servicing other IMAP client requests, such as
logging in users or retrieving messages. Because mail file conversions can
require a significant amount of time, with conversion times increasing as
connection speeds decrease, a conversion thread typically remains busy
longer than other thread types. As a result, an IMAP service flooded with
conversion requests can experience a thread shortage. This shortage
affects not only the users awaiting conversion, but current IMAP users,
too, who encounter unexpected delays attempting to log in and retrieve
messages. When the conversion utility is run manually on the mail
server, the operation completes in a very short time, even if the mail file
is relatively large.
Finally, you must run conversions manually to enable mail files in the
other users’ and public folders namespaces. Automatic mail file
conversion can occur only for the personal mail file of the currently
authenticated user.
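The thread-shortage argument above, as an added example that is not part of the original manual: a constructed queueing model in which a fixed pool of worker threads serves requests first-come first-served, and a conversion holds a thread far longer than a login does. The pool size, the 300 second conversion time and the 1 second login time are made-up numbers chosen to make the effect visible, not Domino defaults.

```python
"""Added example (not Domino code): a constructed queueing model of the
thread shortage described above. Tasks are dispatched first-come
first-served onto a fixed pool of threads; conversions occupy a thread for
much longer than logins. Pool size and durations are made-up numbers."""
import heapq
from typing import List, Tuple

Task = Tuple[float, float, str]     # (arrival time, service time, kind), seconds


def login_wait_times(pool_size: int, tasks: List[Task]) -> List[float]:
    """Dispatch tasks in arrival order onto pool_size threads and return
    how long each login task waited for a free thread."""
    free_at = [0.0] * pool_size         # min-heap: when each thread becomes free
    heapq.heapify(free_at)
    waits: List[float] = []
    for arrival, service, kind in sorted(tasks, key=lambda t: t[0]):
        thread_free = heapq.heappop(free_at)
        start = max(arrival, thread_free)
        heapq.heappush(free_at, start + service)
        if kind == "login":
            waits.append(start - arrival)
    return waits


def worst_login_wait(pending_conversions: int, pool_size: int = 4,
                     conversion_seconds: float = 300.0, logins: int = 4) -> float:
    """A burst of first-time IMAP users whose mail files still need
    conversion arrives at t=0; one second later, users whose files were
    already converted try to log in. Returns the longest login wait."""
    tasks: List[Task] = [(0.0, conversion_seconds, "conversion")] * pending_conversions
    tasks += [(1.0, 1.0, "login")] * logins
    return max(login_wait_times(pool_size, tasks), default=0.0)


if __name__ == "__main__":
    for pending in (0, 3, 4, 8):
        print(f"{pending} pending conversions -> worst login wait {worst_login_wait(pending):.0f} s")
```

With no pending conversions the logins are served at once; once the number of pending conversions reaches the pool size every login waits a full conversion time, and with twice the pool size it waits two. Converting mail files manually ahead of time, as the text recommends, removes the long-running tasks from the pool entirely.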
To manually convert mail files for use with IMAP
You can run the mail conversion utility on a single mail file or on all mail
files in a directory.
1. At the server console of the Domino server on which you want to
enable mail files, shut down the Router by entering:
tell router quit
This prevents Domino from routing mail to the mail files while they
are being converted. Mail is stored in MAIL.BOX while you upgrade
the mail files. After you have converted the mail files and loaded the
Router task again, the Router processes and delivers the mail in
MAIL.BOX.
2. Load the mail conversion utility by entering the following command:
load convert -e maildirectory\mailfilename
where maildirectory names the path to the mail subdirectory that
contains the user’s mail file and mailfilename is the filename of the
user’s mail file. The maildirectory path describes the path relative to
the server’s Domino data directory. For example, to convert the mail
database USER.NSF in the \MAIL subdirectory of the Domino data
directory enter:
load convert -e mail\user.nsf
Note On UNIX systems, use a forward slash (/) as the hierarchy
separator, rather than a backslash (\). For example, enter:
load convert -e mail/user.nsf
To specify all files in a directory, make sure the directory contains
only mail files and that they are the mail files you want to convert.
For example, to enable IMAP for all mail files in the \MAIL
subdirectory, enter:
load convert -e mail\*.nsf
3. After you finish enabling mail files for IMAP on this server, load the
Router by entering:
load router
4. Configure IMAP client software.
For information on configuring IMAP client software, see the topic
“Configuring IMAP client software” later in this chapter.
For information about disabling IMAP access to a mail file, see the topic
“Disabling an IMAP mail file” later in this chapter.
Convert utility options

Option: -e
Use: Enables mail files for IMAP use.

Option: -h
Use: To enable clients to download message headers more efficiently, the Convert task processes all messages in the mail file in the order in which they are listed in the mail file’s “All Documents” view and adds the special IMAP attributes ($Content_Type, IMAP_BodyStruct, and IMAP_RFC822Size) to messages that don’t have them. Because the Convert task is single-threaded, and this option requires the Convert task to process every message in the mail file, it is resource-intensive and can take a long time, especially for mail files where messages must also be converted from Notes rich text to MIME format. You cannot use this option in combination with the -e switch.

Option: -o
Use: Removes from messages the IMAP items used to provide more efficient header retrieval. You may use this option in combination with the -h option, but not with the -e option.

Option: -e-
Use: Disables IMAP access to mail files.
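The preparation procedure (Compact, Fixup, Convert -e, then Convert -h for existing files) and the option-combination rules in the table above, as an added example that is not part of the original manual: a constructed Python planner that lists the commands to run for one mail file and a check that rejects the Convert switch combinations the table rules out. It is not a Domino tool; the command spellings are the ones shown in the text, the Fixup command is the Windows form (nFixup) the text gives, and the sample file paths are constructed.

```python
"""Added example (not a Domino tool): plan the commands needed to enable a
mail file for IMAP according to the steps described above, and check
Convert switch combinations against the rules in the options table."""
from typing import List, Tuple

MIN_IMAP_ODS = 41            # lowest on-disk structure version Convert accepts

# Switch pairs the options table says may not be combined.
INCOMPATIBLE = [("-h", "-e"), ("-o", "-e")]

Step = Tuple[str, str]       # (where, command): 'console', 'os' or 'manual'


def convert_option_problems(options: List[str]) -> List[str]:
    """Describe every disallowed Convert switch combination in options."""
    problems = []
    for a, b in INCOMPATIBLE:
        if a in options and b in options:
            problems.append(f"{a} cannot be used together with {b}")
    return problems


def plan_imap_enable(mail_file: str, ods_version: int, newly_created: bool,
                     transaction_logging: bool, unix: bool = False) -> List[Step]:
    """Steps to enable mail_file (relative to the Domino data directory).
    'console' steps are typed at the Domino server console, 'os' steps at
    the OS prompt in the Domino program directory, 'manual' steps are
    actions rather than commands."""
    sep = "/" if unix else "\\"
    path = mail_file.replace("\\", sep).replace("/", sep)
    steps: List[Step] = []
    if not newly_created:
        # Existing files: Compact only if the ODS is too old, then Fixup,
        # which needs exclusive access and therefore a stopped server.
        if ods_version < MIN_IMAP_ODS:
            steps.append(("console", f"Load compact {path}"))
        fixup = "nFixup -j" if transaction_logging else "nFixup"
        steps.append(("manual", "shut down the server (Fixup needs exclusive access)"))
        steps.append(("os", f"{fixup} {path}"))
        steps.append(("manual", "start the server"))
    # Hold mail in MAIL.BOX while the file is converted.
    steps.append(("console", "tell router quit"))
    steps.append(("console", f"load convert -e {path}"))
    if not newly_created:
        # Second pass adds the header attributes to messages already present.
        steps.append(("console", f"load convert -h {path}"))
    steps.append(("console", "load router"))
    return steps


if __name__ == "__main__":
    for where, cmd in plan_imap_enable("mail\\user.nsf", 20, False, True):
        print(f"[{where}] {cmd}")
```

The planner keeps -e and -h as separate invocations because the table forbids combining them; convert_option_problems is the check to run before building any batch command line from user-supplied switches.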
Syntax: INBOX-PATH {fully qualified domain name of IMAP server}INBOX
Example: INBOX-PATH {East.Acme.com}INBOX

Syntax: Folder collections {fully qualified domain name of IMAP server}
Example: Folder collections {East.Acme.com}
Variable name: IMAP_Config_Update_Interval
Description: Specifies in minutes how often the IMAP service checks for configuration changes made to the Domino Directory.
Default value: None. Without this setting, Domino checks for updates every 2 minutes.
Applicable Domino releases: 4.6x, 5.x, 6.x
Chapter 32
Setting Up iNotes Web Access
This chapter describes how to set up iNotes Web Access so that Notes
client users can use a Web browser to access their Lotus Notes mail and
calendar. It provides configuration document settings and NOTES.INI
settings to control and customize iNotes Web Access for users. In
addition, this chapter describes how iNotes Web Access works with
Sametime and Domino Off-Line Services to provide users with instant
messaging and the ability to work offline.
iNotes Web Access
iNotes Web Access provides Notes users with browser-based access to
Notes mail and to Notes calendar and scheduling features. iNotes Web
Access users can send and receive mail, view their calendars, invite
people to meetings, create to do lists, keep a notebook, and work offline.
After being set up for iNotes Web Access, a user can use both the
standard Notes client and a Web browser to access their mail files.
Because both the Notes client and iNotes Web Access operate on the
same underlying user mail file, read and unread marks remain
up-to-date, regardless of which client the user uses to read the mail.
Users can also synchronize contact information in their Personal Address
Book with information in their Contact List in iNotes Web Access.
While users simply need a name and Internet password to log on and use
iNotes Web Access, a Notes ID is required if a user wants to work offline.
Be sure to create a Notes ID for each user when registering new users
with the iNotes Web Access template.
For more information, see the topic “Registering iNotes Web Access
users” later in this chapter.
Security
iNotes Web Access requires user log-on and logout security. When a user
logs onto iNotes Web Access, they must enter their name and Internet
password, as specified in their Person document. The login names that
the server accepts as valid depend on the setting in Internet
authentication field on the Security tab of the Server document.
For more information, see the chapter “Setting Up Name-and-Password
and Anonymous Access to Domino Servers.”
When the user logs out of iNotes Web Access, iNotes closes the browser
and removes the user’s log-on credentials and private data from the
browser’s cache. By deleting this data, iNotes prevents an unauthorized
user from using cached information to access the user’s mail file.
Note The removal of private data from the browser’s cache and more
secure data clearing capabilities are available only if the user accepts the
iNotes ActiveX control.
iNotes Web Access will not remove some personal data unless the user
explicitly selects “Logout for Shared PCs or Kiosk Users.” With this
selection, users can choose one of two secure logouts:
• Secure - This option deletes all traces of the user’s personal use of
iNotes Web Access and any Web pages that they may have browsed,
but keeps iNotes Web Access program elements (this boosts
performance when the next person logs on).
• More secure - This option deletes all traces of iNotes Web Access and
all other Web pages in the temporary Internet files folder.
You can also redirect users to a specific Web page after they logout.
For more information, see the topic “Redirecting users to a Web page
after logout” later in this chapter.
Integration with DOLS and Sametime
To provide users with the ability to work offline and use instant
messaging, you can integrate iNotes Web Access with Domino Off-Line
Services (DOLS) and Sametime. DOLS enables users to work offline,
disconnected from the network, and provides many replication features
that Notes users expect when working in the Notes client. Sametime
provides integrated, real-time chat features for iNotes Web Access users.
Neither DOLS nor Sametime are required for iNotes Web Access use.
For more information about setting up Sametime and iNotes Web Access,
see the chapter “Installing and Setting Up Domino Servers.”
Registering iNotes Web Access users
When registering users, choose “iNotes” as the mail system. This choice
uses the iNotes60.ntf template. The name of the template is “iNotes Web
Access (R6.0).” The template contains mail template support for the
iNotes Web Access client and the Notes client.
For information on registering new users, see the chapter “Setting Up
and Managing Notes Users” and keep the following information in
mind:
• The mail system, “iNotes,” does not automatically create a Notes ID
for the person. You must select “Create a Notes ID for this person.”
• Under “Password Options,” enable “Synch internet password with
Notes ID password.” Making the passwords the same makes it easier
to manage passwords and allows Notes users to work offline with
iNotes Web Access.
Providing a log-on URL for iNotes Web Access users
After you register new iNotes Web Access users, they will need three
things to access their mail files:
• User name
• Internet password
• Default log-on URL (http://servername.com/mail/username.nsf)
The default URL displays the Welcome Page. However, you can give
users a URL that will initially display other views. Appending the
following text to the URL with a specific keyword (see following table)
will cause iNotes Web Access to initially display a different view:
.../username.nsf/inotes/keyword/?OpenDocument&ui=inotes
Welcome Page Setup

Default Welcome Page: Click View/Modify to set Welcome Page settings.
• Default Page: Lets users customize the Welcome Page.
• Selected Web Page: Forces users to use a specific Web page as the Welcome page. Enter the URL and title.
• Custom Layout: Choose from six custom layouts to specify new mail, calendar schedule, Web links, and other options to appear in a layout.

Allow user to edit the custom Welcome page: Enable (default) to allow users to create Welcome pages and override any settings on the server. Disable to prevent users from changing the administrator-prescribed Welcome page.

Alarm and Mail Polling

Alarms: Enable (default) to allow users to set alarms for appointments, meetings, events, and task deadlines. Disable to prevent users from setting alarms that may slow server performance.

Minimum alarm polling time: Enter a number to specify how often, in minutes, the iNotes Web Access client checks the server for alarms. Default is 5 minutes. Increase this number to improve server performance.

Mail

Minimum mail polling time: Enter a number to specify how often, in minutes, the iNotes Web Access client checks the server for new mail. Default is 5 minutes. Increase this number to improve server performance.

When sending mail, set format to: Choose Plain text, or Let user decide. This setting allows you to restrict outgoing mail to plain text only. Plain text messages can be read by most legacy mail applications. Allowing the user to decide lets the user pick the format for every outgoing mail message.

Name resolution and validation: Enable to allow alternate name lookups, similar to “type-ahead” in Notes. Lets users resolve ambiguous names and use alternate names by checking names against a contact list or the Domino Directory.

Offline

Encrypt offline mail files: When enabled, allows users to encrypt their offline mail files for security.

Offline encryption level: Sets the default offline encryption level to simple, medium, or strong. Simple encryption provides protection against casual snooping. Medium encryption provides the right balance among security, strength, and fast database access, and is probably the right choice for most users. Choose strong encryption when security requirements are paramount and the resulting database access performance is acceptable.

Allow user to choose an encryption level: This setting, when enabled, overrides the administrator-specified encryption level and allows users to choose their own encryption level.

Allow user to go offline: When selected, this option enables the “Go Offline” feature in the iNotes Web Access client. Disable this option to prevent users from using iNotes Web Access offline, disconnected from the network.

International

Alternate name display: Enable (default) to allow iNotes Web Access users to display alternate names in a native language. Disable to prevent iNotes Web Access from displaying alternate user names in a native language. When disabled, users see alternate names in English only.

Alternate name language: This setting overrides the preferred language for an alternate name in user Preferences. Pick from a list to select the default alternate name language. Default is English.

Allow user to choose alternate name display: Lets users choose the preferred language for an alternate name. Disable (default) to prevent users from controlling alternate name support.

Other Settings

Full-text indexing: Enable (default) to allow users to create a full-text index of their mail, calendar, and task entries on the server. Disable to prevent creation of full-text indexes to save disk space on the server and improve performance.

Archiving on server: Enable (default) to allow users to create archives of their mail files on the server. Disable to prevent creation of mail archives to save disk space on the server.

Modification of Internet password: Disable to prevent users from changing their Internet password.

Calendar printing: Enable (default) to allow users to print various calendar formats, including DayRunner, Franklin Planner, and Trifold. Calendar printing uses the PDF format from Adobe Acrobat. Disable to prevent users from printing calendar formats using PDF.

Custom ActiveX file attachment utility: Enable (default) to allow users to use the custom file upload utility to drag-and-drop file attachments, select files easily, and have multiple file views. Disable to allow users to use the standard browser file upload utility.
Chapter 33
Monitoring Mail
This chapter describes how to track messages to determine if they
reached the recipients and how to generate mail usage reports.
Tools for mail monitoring
Domino provides three tools that you can use to monitor mail. Message
tracking allows you to track specific mail messages to determine if the
intended recipients received them. Mail usage reports provide the
information you need to resolve mail problems and improve the
efficiency of your mail network. Mail probes test and gather statistics on
mail routes.
Tracking mail messages
Both users and Domino administrators can track mail. Users can track
only messages that they themselves sent. Administrators can track mail
sent by any user.
When you configure mail tracking, you can specify which types of
information Domino records. For example, you can specify that Domino
not record message-tracking information for certain users, or you can
choose not to record the subject line of messages sent by specific users.
The Mail Tracker Collector task (MTC) reads special mail tracker log files
(MTC files) produced by the Router and copies certain messaging
information from them to the MailTracker Store database
(MTSTORE.NSF). The MailTracker Store database is created
automatically when you enable mail tracking on the server. When an
administrator or user searches for a particular message, either a message
tracking request or a mail report, Domino searches the MailTracker Store
database to find the information.
Note The Mail Tracker Collector differs from the Statistics Collector
(Collect task), which is responsible for gathering statistical information
about servers.
How mail tracking works
1. From a Notes client or Domino Administrator client, a user creates a
query to determine whether a specific message arrived at its
intended destination or to determine how far it got if delivery failed.
2. The mail tracking program begins to trace the routing path from the
server where the message originated. If the message is not found on
the originating server, tracking automatically continues at the next
server on the route.
3. Step 2 is repeated on each “next server” until the route ends.
Detailed information is provided about the processing of the
message on each server.
4. After the tracking query completes, the user can select messages
from the results and check their delivery status. The following table
displays the possible values for the delivery status:
Delivered: The message was delivered to a mailbox on the server. The mail file status indicates whether the message was read, unread, or deleted. If the mail file status is not read, unread, or deleted, it appears as unknown.

Delivery failed: The server attempted to deliver the message to a mail file but was unsuccessful. The recipient may not exist, or the server’s disk may be full.

In queue: The Router is processing the message.

Transferred: The Router successfully sent the message to the server identified in the next hop field.

Transfer failed: The Router attempted to transfer the message to another server and failed.

Group expanded: The message was addressed to a group, and the group was expanded on this server.

Unknown: The status of the message on the server cannot be determined.
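The hop-by-hop procedure above, as an added example that is not part of the Domino documentation: the records stand in for MailTracker Store entries and are constructed, as are the server and message names. The trace follows the Next server field while the status is Transferred and stops at any other status, at a server that holds no record for the message, or on a routing loop; the report bucketing at the end reflects the Delivery Status filter used by mail usage reports later in this chapter.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Delivery status values listed in the table above.
DELIVERED = "Delivered"
DELIVERY_FAILED = "Delivery failed"
IN_QUEUE = "In queue"
TRANSFERRED = "Transferred"
TRANSFER_FAILED = "Transfer failed"
GROUP_EXPANDED = "Group expanded"
UNKNOWN = "Unknown"


@dataclass(frozen=True)
class TrackRecord:
    """One message's entry on one server (a subset of the tracking fields)."""
    delivery_status: str
    next_server: Optional[str] = None   # "Next server" field, set when transferred
    mailbox_status: str = "unknown"     # read, unread, deleted, or unknown


# Constructed stand-in for the MailTracker Store databases of three servers,
# keyed by (server name, message ID). Not real Domino data.
STORE: Dict[Tuple[str, str], TrackRecord] = {
    ("Mail1/Acme", "MSG-1"): TrackRecord(TRANSFERRED, "Hub/Acme"),
    ("Hub/Acme", "MSG-1"): TrackRecord(TRANSFERRED, "Mail2/Acme"),
    ("Mail2/Acme", "MSG-1"): TrackRecord(DELIVERED, mailbox_status="unread"),
    ("Mail1/Acme", "MSG-2"): TrackRecord(TRANSFERRED, "Hub/Acme"),
    ("Hub/Acme", "MSG-2"): TrackRecord(TRANSFER_FAILED),
    ("Mail1/Acme", "MSG-3"): TrackRecord(TRANSFERRED, "Hub/Acme"),
    # No Hub/Acme record for MSG-3: the hub is not tracking, or the MTC task
    # has not yet collected the Router's log file for that message.
    ("Mail1/Acme", "MSG-4"): TrackRecord(IN_QUEUE),
}


def trace(message_id: str, origin: str, store=STORE) -> List[Tuple[str, str]]:
    """Start at the originating server (step 2) and repeat on each "next
    server" until the route ends (step 3). Returns the (server, delivery
    status) hops in routing order."""
    hops: List[Tuple[str, str]] = []
    server: Optional[str] = origin
    visited = set()                      # guards against a routing loop
    while server is not None and server not in visited:
        visited.add(server)
        record = store.get((server, message_id))
        if record is None:
            # Nothing logged on this server: its status cannot be determined.
            hops.append((server, UNKNOWN))
            break
        hops.append((server, record.delivery_status))
        if record.delivery_status != TRANSFERRED:
            break                        # delivered, failed, queued, expanded
        server = record.next_server      # continue at the next hop
    return hops


def final_status(message_id: str, origin: str, store=STORE) -> Tuple[str, str]:
    """Server and delivery status at the end of the route (step 4)."""
    return trace(message_id, origin, store)[-1]


def report_category(status: str) -> str:
    """Map a tracking status onto the three Delivery Status buckets of the
    mail usage report filter: Delivered covers delivered, transferred and
    group expanded; Being Processed covers queued messages; failures and
    unknown are Not Delivered."""
    if status in (DELIVERED, TRANSFERRED, GROUP_EXPANDED):
        return "Delivered"
    if status == IN_QUEUE:
        return "Being Processed"
    return "Not Delivered"
```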
Server: The name of the server that stores the Mail Tracking Store database (MTSTORE.NSF)
Title: Reports
File name: REPORTS.NSF
Template server: The name of the server entered in the Server field
Template: REPORTS.NTF
Message tracking: Choose one:
• Enabled to log message-handling activity information in the Mail Tracking Store database.
• Disabled (default) to not log any message-handling information.

Don’t track messages for: The names of users and/or groups whose messages will not be logged and, therefore, cannot be tracked. This field applies only to messages sent by the specified person or group. For example, to prevent administrators from tracking messages sent by the Manager of Human Resources, enter the manager’s name in this field. If you leave this field blank (default), authorized administrators can track messages for all users and groups on all servers that are enabled for mail tracking. On servers running the ISpy task to test mail connectivity, this task sends trace messages at 5-minute intervals. To prevent the Domino MailTracker Store database from filling up with entries for these trace messages, enter the name of the ISpy mail-in database on the server in this field, for example, ISpy on MailHub1.

Log message subjects: Choose one:
• Yes: The server records the subject of each message in the MailTracker Store database.
• No (default): The server does not log message subjects.

Don’t log subjects for: The names of users and/or groups whose message subjects will not be logged and, therefore, cannot be tracked. This field applies only to messages sent by the specified person or group. The default is none.

Message tracking collection interval: A number that represents how often, in minutes, you want to log message tracking activity in the Mail Tracking Store database. This number may affect server performance. Enter a number appropriate to the size and speed of your system. The default of 15 minutes is recommended.

Allowed to track messages: The names of servers and/or users allowed to track messages on this server. If you leave this field blank (default), only members of the LocalDomainServers group are authorized to track messages on this server. If you add any entries to this field, you must list all servers and/or users that are allowed to track messages on this server.

Allowed to track subjects: The names of servers and/or users allowed to track messages by subject on this server. If you leave this field blank (default), only members of the LocalDomainServers group are authorized to track messages by subject on this server. If you add any entries to this field, you must list all servers and/or users allowed to track subjects on this server. If you list servers and/or users in this field, you do not have to list them in the “Allowed to track messages” field.
From: The user name of the sender. You can also select the name from the Domino Directory.

To: The user name of the recipient. You can also select the name from the Domino Directory.

Sent: Choose one: • Today • Yesterday • Last week • Last 2 weeks • Last month • All times. To increase the likelihood of finding messages, choose a long time period.

Subject: The subject of the message that you want to track.

Message ID: The message ID of the message you want to track.
Delivery status: Indicates whether the Router deposited the message in the recipient’s mail file or transferred it to another server.

Mailbox status: Indicates whether the message is unread, read, deleted, or unknown.

This server: The name of the current server.

Previous server: The name of the server that delivered the message to the current server in the message path being examined. For messages originating outside the Domino network and transferred over SMTP, this is the server from which Domino received the message.

Next server: If the current server is not the final destination, the next server on the routing path.

Msg priority: Indicates whether the message priority is high, normal, low, or unknown.

Unique message ID: A value that uniquely identifies the message on the current server.

Inbound message ID: The message ID of the message when it arrived on the server.

Outbound message ID: The message ID of the message when it left the server. In some cases, the SMTP Router changes the ID of the message before transferring it.

Inbound originator: The sender’s e-mail address as it appeared in the message headers when the message arrived at the current server.

Outbound originator: The sender’s e-mail address as it appeared in the message headers after transfer from the current server to the next hop server.

Inbound recipient: The recipient’s e-mail address as it appeared in the message headers when the message arrived at the current server.

Outbound recipient: The recipient’s e-mail address as it appeared in the message headers after transfer from the current server to the next hop server.

Subject: The content of the message’s subject header.

Disposition time: Indicates the time when the Router changed the status of the message to the value in the Delivery status field. There can be a delay between the arrival of a message and when the Router processes it.

Message arrival time: The time when the current server received the message.

Message size (bytes): The size of the message, including any attachments.
Description: Required text to identify the report.

Report Type: Specifies the type of report to create. Choose one: • Top 25 Users by Count • Top 25 Users by Size • Top 25 Senders by Count • Top 25 Senders by Size • Top 25 Receivers by Count • Top 25 Receivers by Size • Top 25 Most Popular “Next Hops” • Top 25 Most Popular “Previous Hops” • Top 25 Largest Messages • Message Volume Summary • Message Status Summary

Mail Recipient: If you chose Mailed or Saved & Mailed in the “Report should be” field, enter the user name of the person who should receive the report or select the user name from the Domino Directory. The default is the name of the administrator running the report.
Note The Earliest Message Found and Latest Message Found fields
are filled in automatically when you run the report. They display the
date and time of the earliest and latest message found.
7. (Optional) To narrow the scope of a report, complete any of these fields:

Sender’s Name: A text string for the sender’s name, and then choose whether the name should contain the text string or exactly match the text string.

Recipient’s Name: A text string for the recipient’s name, and then choose whether the name should contain the string or exactly match the string.

Delivery Status: Choose one:
• Is - Delivered (all messages that were delivered)
• Other than - Delivered (all messages that encountered delivery failures or are still being processed)
• Is - Not Delivered (all messages that encountered delivery failures)
• Other than - Not Delivered (all messages that were either delivered or are still being processed)
• Is - Being Processed (all messages that are still being processed)
• Other than - Being Processed (all messages that were delivered or encountered delivery failures)
The delivery status corresponds to the message tracking delivery status. “Delivered” refers to messages that were delivered, transferred, or “group expanded” (that is, the message was addressed to a group, and the group was expanded to its member list on the server). “Not delivered” refers to messages that were not delivered, not transferred, or whose status is unknown.

Message Size: The maximum or minimum message size (in bytes) to include in the report.
Chapter 34
Setting Up the Domino Web Server
This chapter describes how to set up a Domino server as a Web server.
The Domino Web server
Lotus Domino provides an integrated Web application server that can
host Web sites that both Internet and intranet clients can access, and can
serve pages that are stored in the file system or in a Domino database.
When a Web browser requests a page in a Domino database, Domino
translates the document into HTML. When a Web browser requests a
page in an HTML file, Domino reads the file directly from the file system.
Then the Web server uses the HTTP protocol to transfer the information
to the Web browser.
Using Domino to store Web pages as documents in a database has a
major advantage over storing static HTML pages: using Domino, any
change that you make to a database is automatically reflected on the Web
server.
The following diagram shows how the Web server displays a Notes
document as an HTML page to a browser client.
Any Domino application can be a Web application. Before you create a
Web application, become familiar with the Domino features that can be
translated into HTML and determine whether Web browser users, Notes
clients, or both will access the application. You can use the Notes formula
language to detect which type of user is accessing the application and
then, based on the user type, change the display of information in the
application.
A Domino Web site can consist of a single database or several databases
that are connected by links. In addition to hosting Web sites, the Web
server can run other server tasks, such as mail or directory services. Be
sure to enforce security on databases if you do not want users outside
your organization to access the databases on the server.
For information on designing Web applications, see Application
Development with Domino Designer.
Web server features
Domino includes these Web server features:
• Translation of Notes features into HTML code. For example, in HTML code, hot spot links are translated into anchor (<A>) tags.
• Passthru HTML. This is HTML code that you include in a form, document, or About and Using documents that Domino does not interpret during the page translation. Passthru HTML lets you use Web-only text formatting, links, images, commands, and programs. Using passthru HTML, you can combine Domino features with HTML code.
• Security for applications using standard Domino security, such as the database ACL, and Internet security features, such as Secure Sockets Layer (SSL) and name-and-password authentication.
• Support for Java applets that are referenced using passthru HTML or embedded in a document.
• Support for JavaScript that is included as passthru HTML or embedded directly in a document.
• Support for CGI programs that are referenced using passthru HTML in a document. CGI supports EXE, CMD, and BAT files and scripts written in Perl, Python, and PHP.
• Support for static HTML pages that are referenced in a directory on the server’s hard drive. Static HTML pages can be referenced by passthru HTML included in a document or can be requested directly using a URL.
• Support for a last-modified header in Domino URLs, which allows many Web browsers or proxy servers to cache Domino pages.
• Support for URL extensions that expose Domino functionality to the Web client, for example, opening a database or view.
• Redirecting and remapping URLs and directories to another location.
• Support for multiple Web sites with separate DNS names to exist on a single server machine.
• Support for server clusters, which allow a server to fail over to an answering server if the first server is unavailable and provide load balancing to maximize response time for users.
• Domino Web Server Application Interface (DSAPI) support for all phases of request handling, including mapping and transforming incoming URLs, authenticating and authorizing users, processing requests, and logging.
For information on customizing the authentication of Web application
users, see the DSAPI documentation in the Lotus C API Toolkit for
Domino and Notes.
Making Web site content changes
You might find it convenient to set up one Web server as a production
server and another Web server as a “staging” server. Web content
managers can make changes on the staging server without exposing the
changes to users. After all changes to the Web site are complete, the Web
content manager replicates the Web site from the staging server to the
production server. In addition, using a staging server allows Web content
managers to view changes through a browser before replicating.
If you use a staging server, give access only to Web content managers.
Also be sure to give the Web content managers replication access on both
the staging server and the production server.
In this example, Web content managers make changes on Webstage-E
and replicate these changes to Web-E, which is available to users outside
the firewall.
Setting up a Domino server as a Web server
You can specify that you want to run the HTTP task on a Domino server.
The Domino server then acts as a Web server so that browser clients can
access databases on the server.
1. Set up the Domino server.
• Make sure you understand TCP/IP concepts, including DNS host names and IP addressing.
• Set up a Domino server.
• Set up security for the server.
For more information, see the chapters “Configuring Additional Domino Servers” and “Planning Security.”
2. Decide on an Internet connection strategy.
• To allow users to connect to the server over the Internet, connect the server to an Internet Service Provider (ISP) and register the server’s domain name and IP address on the ISP’s DNS server. For more information, contact the ISP.
• To allow users to connect to the server internally, without connecting to the Internet, register the server’s domain name and IP address on the DNS server at your organization.
3. Start the Domino server.
4. From the Domino Administrator, click Files, open the Server document and enable “Loads configuration information from the Internet Sites view.”
5. Create at least one Web site.
6. Decide on an HTTP port strategy. You can enable ports for TCP/IP, SSL, or for both. In the Server document, click Ports - Internet Ports - Web, and enable one or both: “TCP/IP port status” and “SSL port status.”
For information on setting up SSL, see the chapter “Setting Up SSL on a Domino Server.”
7. (Optional) Enable the Domino Web server log.
8. Start the HTTP task.
To check the server setup, start your browser and enter the DNS name or
IP address for the server.
Starting and stopping the Domino Web server
Note When the HTTP task starts up, a server console message indicates
the Domino Directory view the task is using for Web configuration
information (Servers\Internet Sites or Servers\Web Configurations).
For more information on server commands and NOTES.INI settings, see
the appendices “Server Commands” and “NOTES.INI File.”
Modifying Web server Internet port and protocol settings
In certain cases, you may need to change some default Internet port and
protocol settings. Check carefully before changing the defaults.
To modify Web server Internet port and protocol settings
1. Open the Server document that you want to edit.
2. (Optional) Click Ports - Internet Ports - Web. Under Web
(HTTP/HTTPS), complete these fields:
TCP/IP port number: Enter a port number. Default is 80.

TCP/IP port status: Choose one:
• Enabled: To configure the server to listen for HTTP requests on the specified TCP/IP port.
• Disabled: To prevent the server from listening for HTTP requests on the specified TCP/IP port.
• Redirect to SSL: To redirect any HTTP requests that come into the TCP/IP port to the SSL port.

Bind to host name: Choose one:
• Enabled: To enter up to 32 IP addresses and/or DNS names in the Host name(s) field to which the Domino server will bind. This allows users to access a Web server using a name other than the Domino server name.
• Disabled (default): To bind to all IP addresses on the server.

DNS lookup: Choose one:
• Enabled: To have Domino look up the DNS name of the requesting client. The Domino log files and database contain host names corresponding to the machine used by the Web client.
• Disabled (default): To not look up the DNS name of the requesting client. The Domino log files and database contain IP addresses. Choosing Disabled improves the performance of the Domino server because the server does not use resources to perform the DNS name lookup.
Note The majority of browser users connect to the Internet through Internet service providers (ISPs), so the host names returned by DNS lookup are those of the ISP’s proxy servers, not the individual user machines.

DNS lookup cache: Choose one:
• Enabled: To have Domino cache the results of a DNS lookup for faster retrieval.
• Disabled: To not have Domino cache DNS lookup results.

Maximum URL length: Enter the maximum size, in KB, allowed for URLs received from HTTP clients. The length includes the query string. The default is 4KB. Increase the default only if you host an application that requires an extremely long URL.

Maximum number of URL path segments: Enter the number of segments allowed. The default is 64, which is usually more than enough. A segment is delimited by slashes; for example, the URL “/products.nsf/widgets” contains two segments.

Maximum number of request headers: Enter the total number of HTTP request headers allowed. The default is 48. Normally, there is no need to increase the setting; typical requests sent from browsers usually include fewer than a dozen headers.

Maximum size of request headers: Enter the total length, in KB, of all the headers in the request. The default is 16KB.

Maximum size of request content: Enter the total amount of data, in MB, that can be contained in a request. The default is 10MB. The two most common ways for users to send data to the server are by submitting forms or by uploading files. If none of the applications on the server allow users to upload large files, you can probably set this to a much lower value.

IP address allow/deny priority: Specify which IP address list, Allow or Deny, takes priority if an incoming IP address is listed in both the allow list and the deny list (this can happen when both lists contain wildcards). The default is that the Allow list takes priority.

IP address allow list: List the IP addresses that are allowed to access the ports.

IP address deny list: List the IP addresses that are denied access to the ports.
Note If a client IP address does not match either list, then the
connection is allowed.
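The request limits in the table above, applied to a raw HTTP request as an added example (not Domino code): the defaults are the documented ones, the segment rule follows the “/products.nsf/widgets” wording, the URL length includes the query string as stated, and the sample requests are constructed. How the Domino HTTP task itself counts bytes is not documented here, so treat the exact byte accounting as an assumption.

```python
from typing import Dict, List

# Documented defaults for the Web (HTTP/HTTPS) limits in the table above.
DEFAULT_LIMITS: Dict[str, int] = {
    "max_url_kb": 4,
    "max_url_path_segments": 64,
    "max_request_headers": 48,
    "max_request_headers_kb": 16,
    "max_request_content_mb": 10,
}


def url_path_segments(url: str) -> List[str]:
    """Path segments delimited by slashes, ignoring the query string:
    "/products.nsf/widgets" yields two segments, as in the table."""
    path = url.split("?", 1)[0]
    return [seg for seg in path.split("/") if seg]


def check_request(raw: bytes, limits: Dict[str, int] = DEFAULT_LIMITS) -> List[str]:
    """Return the names of the limits that the request exceeds (an empty list
    means it is within all of them). Only the request line and headers are
    parsed; the body is measured by Content-Length when that header exists,
    otherwise by the bytes actually present after the blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], [h for h in lines[1:] if h]
    parts = request_line.split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    target = parts[1]
    exceeded: List[str] = []
    # URL length is measured in KB and includes the query string.
    if len(target) > limits["max_url_kb"] * 1024:
        exceeded.append("max_url_kb")
    if len(url_path_segments(target.decode("latin-1"))) > limits["max_url_path_segments"]:
        exceeded.append("max_url_path_segments")
    if len(header_lines) > limits["max_request_headers"]:
        exceeded.append("max_request_headers")
    header_bytes = sum(len(h) + 2 for h in header_lines)   # + CRLF per header
    if header_bytes > limits["max_request_headers_kb"] * 1024:
        exceeded.append("max_request_headers_kb")
    content_length = len(body)
    for h in header_lines:
        name, _, value = h.partition(b":")
        if name.strip().lower() == b"content-length":
            content_length = int(value.strip())
    if content_length > limits["max_request_content_mb"] * 1024 * 1024:
        exceeded.append("max_request_content_mb")
    return exceeded


def build_request(target: str, headers: Dict[str, str], body: bytes = b"",
                  method: str = "GET") -> bytes:
    """Assemble a constructed request for exercising the checks."""
    lines = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body
```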
Examples of typical IP address restriction settings

Example: Allow access to all addresses (leave default settings)
  IP address allow/deny priority: Allow
  IP address allow list: <blank>
  IP address deny list: <blank>

Example: Deny access to everyone
  IP address allow/deny priority: Deny
  IP address allow list: *
  IP address deny list: *

Example: Deny access to a particular Web crawler
  IP address allow/deny priority: Deny
  IP address allow list: *
  IP address deny list: 123.45.6.78
  Comment: All addresses are allowed, but the crawler is denied because it matches the deny list, which takes priority over the allow list.

Example: Deny access from subnets that are infected with a Web worm
  IP address allow/deny priority: Deny
  IP address deny list: 123.45.*; 95.123.4.*
  IP address allow list: *

Example: Allow access only from two trusted proxy servers
  IP address allow/deny priority: Allow
  IP address allow list: 123.45.6.78; 123.45.6.79
  IP address deny list: *
  Comment: In this case, you must use a wildcard in the deny list so that all other addresses will explicitly match that list.
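The allow/deny evaluation the table illustrates, as an added example that is not Domino code: list entries are separated by semicolons, a trailing * in an entry matches all remaining octets, a client matching neither list is allowed (per the Note above), and the priority setting decides when it matches both. That a * in a middle position matches exactly one octet is an assumption; the addresses are the ones from the table.

```python
from typing import List


def parse_list(field: str) -> List[str]:
    """Split an allow or deny list field into its entries, which are
    separated by semicolons, as in "123.45.*;95.123.4.*"."""
    return [entry.strip() for entry in field.split(";") if entry.strip()]


def entry_matches(entry: str, client_ip: str) -> bool:
    """Compare one list entry with a client address octet by octet. "*"
    matches any value for that octet; as the last part of the entry it also
    matches every remaining octet, so "123.45.*" covers all of 123.45.x.y
    and a bare "*" covers every address. (Assumption: a "*" in a middle
    position matches exactly one octet.)"""
    pattern = entry.split(".")
    octets = client_ip.strip().split(".")
    for i, part in enumerate(pattern):
        if i >= len(octets):
            return False
        if part == "*":
            if i == len(pattern) - 1:
                return True
            continue
        if part != octets[i]:
            return False
    return len(pattern) == len(octets)


def connection_allowed(client_ip: str, allow_list: str = "",
                       deny_list: str = "", priority: str = "Allow") -> bool:
    """Apply the Web server's IP restriction settings to one client address."""
    if priority not in ("Allow", "Deny"):
        raise ValueError("priority must be 'Allow' or 'Deny'")
    in_allow = any(entry_matches(e, client_ip) for e in parse_list(allow_list))
    in_deny = any(entry_matches(e, client_ip) for e in parse_list(deny_list))
    if in_allow and in_deny:
        return priority == "Allow"   # listed in both: the priority list wins
    if in_deny:
        return False
    return True                      # matches the allow list or neither list


# The five configurations from the table above.
EXAMPLES = {
    "all addresses": dict(),
    "deny everyone": dict(allow_list="*", deny_list="*", priority="Deny"),
    "deny crawler": dict(allow_list="*", deny_list="123.45.6.78",
                         priority="Deny"),
    "infected subnets": dict(allow_list="*", deny_list="123.45.*;95.123.4.*",
                             priority="Deny"),
    "two proxies": dict(allow_list="123.45.6.78;123.45.6.79", deny_list="*",
                        priority="Allow"),
}


def evaluate(example: str, client_ip: str) -> bool:
    """Evaluate one of the documented configurations for a client address."""
    return connection_allowed(client_ip, **EXAMPLES[example])
```

Dropping the deny-list wildcard from the “two proxies” configuration lets every unlisted address through, because an address that matches neither list is allowed; the last assertion in the checks shows that case.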
TCP/IP port number: The name of the port the Domino IIOP task listens on. Do not change this port unless you have assigned port number 63148 (the default) to another task. The default on Linux servers is 60148 because of an operating system restriction.

TCP/IP port status: Choose one:
• Enabled (default): To allow communication over this port.
• Disabled: To prevent communication over this port.

Number of threads: The number of threads you want to allow the DIIOP server task to process at the same time. The default is 10.

Run restricted Java/Javascript/COM: The name that the applet or application uses to access the server. Applet or application names entered in this field are allowed to run programs created using a restricted set of Java and JavaScript features. If the applet or application logs on anonymously, enter the word “Anonymous” in this field.

Run unrestricted Java/Javascript/COM: The name that the applet or application uses to access the server. Applet or application names entered in this field are allowed to run programs created using all Java and JavaScript features. If the applet or application logs on anonymously, enter the word “Anonymous” in this field.
For information on this setting, see the topic Customizing Web server
setup.
5. To restrict the level of authentication, choose a setting in the Internet
server authentication field on the Security tab and save the
document.
6. If necessary, edit the ServerTasks setting in the NOTES.INI file to
include the DIIOP task.
7. Set up SSL server authentication, name and password authentication,
or anonymous access to the IIOP port for the application or applet.
8. Define server access by browser clients that use Java and JavaScript.
If the applet or application uses name-and-password authentication,
enter the name for the applet or application. Otherwise, use the name
“Anonymous” when setting up server access.
9. Restart the server.
Generating references to the Web server
You can specify how other servers generate URL references to this Web
server. This feature works only for servers that are in the same Domino
domain (share the same Domino Directory).
A typical example of how this feature is used is that of a user performing
a domain search from a browser. The user sends the search request to
Server A, but some of the search hits are actually located in a database on
Server B. When Server A generates the HTML for the search results page,
it needs to create URL links to Server B for those hits. To create those
links, Server A will look up the Server record for Server B in the Domino
Directory, and use the fields in the table below to generate the correct
syntax for the URLs.
To generate references to the Web server
1. Open the Server document you want to edit and click Edit Server.
2. Choose Internet Protocols - Domino Web Engine. Under “Generating
References to this Server,” complete these fields:
Does this server use IIS?: (Domino 5.0x servers only) Specify whether this server uses the Microsoft IIS stack instead of the native Domino HTTP stack. Note This setting is used only if the server is Domino 5.0x or earlier; Domino 6 servers always generate IIS-compatible links.

Protocol: Indicate the protocol to be used in URL links to this server. Choices are HTTP and HTTPS (for SSL).

Host name: Indicate the fully-qualified host name to be used in URL links to this server; for example, www.acme.com.

Port number: Indicate the port number to be used in URL links to this server. The default is 80, the standard HTTP port.
Field Action
Java servlet support: Choose one:
• None (default): Do not load the Java Virtual Machine (JVM) or the servlet manager when the HTTP task starts.
• Domino Servlet Manager: Load the JVM and the servlet manager that comes with Domino.
• Third Party Servlet Support: Load the JVM, but not the Domino servlet manager. This lets you use a servlet manager other than Domino, such as IBM WebSphere.
Class path: Enter one or more paths that the Servlet Manager and JVM search to find servlets and dependent classes. The standard Java libraries installed with Domino are automatically in the class path; this setting lets you add further paths. You may specify directories, JAR files, and ZIP files. Paths may be absolute or relative to the Domino data directory. For example:
• domino\servlet specifies files in the c:\lotus\domino\data\domino\servlet directory
• c:\apps\myservlets specifies files in the c:\apps\myservlets directory
• c:\javamail\mail.jar specifies the mail.jar file in the c:\javamail directory
• domino\servlet\sql.zip specifies the sql.zip file in the c:\lotus\domino\data\domino\servlet directory
The default is domino\servlet.
Servlet file extensions: Enter a list of URL file extensions that signal to Domino that a URL refers to a servlet. You must map each extension to a single servlet by a directive in the servlets.properties file. The default is no extensions.
Session state tracking: Choose one:
• Enabled (default): The Domino servlet manager periodically checks the user activity of all HttpSession instances. Sessions that are idle for the period of time specified in the “Idle session time-out” field are automatically terminated. The servlet manager calls the method HttpSession.invalidate() to inform the servlet that the session will be terminated.
• Disabled: Does not check for user activity.
Domino uses this setting and the settings below only if the servlet uses the Java Servlet API HttpSession interface. HttpSession support is completely separate from the Domino HTTP session authentication feature.
Idle session time-out: Enter the amount of time in minutes the user is allowed to remain idle before the session is terminated. The default is 30 minutes.
Maximum active sessions: Enter the number of simultaneous active sessions allowed. The default is 1000. After this limit is reached, the sessions that have been idle the longest are terminated.
Field Action
Session persistence: Choose one:
• Enabled: Save session data to a file named sessdata.ser in the Domino data directory when the HTTP task exits, and reload it when the HTTP task restarts. Objects that the servlet has bound to sessions are saved only if they implement the java.io.Serializable interface. Because sessdata.ser holds whatever the servlets stored in their sessions, protect the data directory accordingly.
• Disabled (default): Discard all session data when the HTTP task exits.
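The session tracking, session cap, and persistence settings above describe one piece of bookkeeping: sessions idle past the time-out are invalidated, the longest-idle sessions are evicted when the cap is reached, and only serialisable session data survives a restart. The following Python model is an added example written for this page, not code from Domino or IBM; the class and method names are assumptions, and JSON stands in for Java serialisation so that non-serialisable objects are dropped the way non-Serializable bound objects are:

```python
"""Servlet-manager style HttpSession bookkeeping: an idle time-out, a cap on
active sessions (longest-idle evicted first) and persistence of the
serialisable part of session data across an HTTP task restart.
Added illustration; the class and method names are assumptions, not Domino's."""
import json
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str
    last_access: float          # seconds since some epoch
    attributes: dict = field(default_factory=dict)
    valid: bool = True

    def invalidate(self):       # stands in for HttpSession.invalidate()
        self.valid = False


class SessionManager:
    def __init__(self, idle_timeout_min=30, max_active=1000):
        self.idle_timeout = idle_timeout_min * 60
        self.max_active = max_active
        self.sessions = {}
        self.invalidated = []   # ids whose invalidate() the manager called

    def touch(self, sid, now):
        """Record activity for sid; create it if new. When the cap would be
        exceeded, the sessions idle the longest are terminated first."""
        s = self.sessions.get(sid)
        if s is None:
            while len(self.sessions) >= self.max_active:
                oldest = min(self.sessions.values(), key=lambda x: x.last_access)
                self._terminate(oldest)
            s = self.sessions[sid] = Session(sid, now)
        s.last_access = now
        return s

    def reap(self, now):
        """Periodic check: terminate sessions idle longer than the time-out.
        Returns the number of sessions still active."""
        for s in list(self.sessions.values()):
            if now - s.last_access > self.idle_timeout:
                self._terminate(s)
        return len(self.sessions)

    def _terminate(self, s):
        s.invalidate()              # tell the servlet first, then drop it
        self.invalidated.append(s.sid)
        del self.sessions[s.sid]

    def dump(self):
        """Persist session data (the sessdata.ser role). Only attributes that
        survive serialisation are kept, as only Serializable objects are in
        Domino; JSON stands in for Java serialisation here."""
        out = {}
        for s in self.sessions.values():
            kept = {}
            for k, v in s.attributes.items():
                try:
                    json.dumps(v)
                    kept[k] = v
                except TypeError:
                    pass        # unserialisable object: silently dropped
            out[s.sid] = {"last_access": s.last_access, "attributes": kept}
        return json.dumps(out)

    def load(self, blob):
        """Reload persisted sessions after a restart."""
        for sid, rec in json.loads(blob).items():
            self.sessions[sid] = Session(sid, rec["last_access"], rec["attributes"])
```

Note the order in `_terminate`: the servlet is told via `invalidate()` before the entry is dropped, which is the contract the “Session state tracking” field describes. A live connection handle bound to a session is the kind of attribute that disappears across a restart with persistence enabled.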
If you are using virtual servers or hosts, create one Web Site document
for each virtual site. If you provided a default site in the Release 5 server
record, you must either make one of the Web Site documents the default
site, or create a document for the default site.
To convert from the Web Server Configurations view to the Internet
Sites view
If you do not have virtual servers or hosts, follow these steps to convert
to the new view:
1. Create a Web Site document.
2. Select the Web Site document and choose Edit Document.
Setting Up the Domino Web Server 34-19
Web
3. Click the Web Site button and create the corresponding documents in
Lotus Domino 6: Rule (URL Mapping/Redirection), File Protection
(File Protection), or Authentication Realm (Realm).
4. Open the Server document.
5. Click Basics and check Enabled for “Loads Internet configurations
from Server\Internet Sites documents.”
6. Save the document, and restart the HTTP server task to use the new
view.
Hosting multiple Web sites on a partitioned server
You can set up multiple Web sites for each server’s HTTP process on a
partitioned server.
To set up multiple Web sites on a partitioned server (for Web Site
documents or for Virtual Servers)
1. Set up the partitioned server with separate TCP/IP addresses.
2. Assign IP addresses or hosts to each specific HTTP process. In each
Server document, click Internet Protocols - HTTP. In the host name
field, under “Basics,” include the host name or DNS name for each
Web server, separated by semicolons. (If you separate them with
commas, it will be saved with semicolons.)
3. Set up the Web sites, using either Web Site documents or virtual
server documents, to further define the HTTP configuration.
4. Restart HTTP. You should now be able to send HTTP requests to the
partitioned servers and all of the Web sites or virtual servers for each
partition.
Configuring HTML, CGI, icon, and Java files for Web Site documents
Domino looks for individual HTML, CGI, and icon files in specific
directories on the server’s hard drive. You can change the URL path for
icons and CGI program files. The URL path is where Domino looks for
icons or CGI programs when it encounters a reference in the HTML code
to one of these.
Specifying icon and CGI URL paths is useful if you change the directory
location of icons or CGI programs and you do not want to modify HTML
code that references the previous location of these files.
1. From the Domino Administrator, choose Configuration - Web -
Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
34-20 Administering the Domino System, Volume 1
3. Click Configuration. Under “Default Mapping Rules,” complete
these fields:
Field Action
Home URL: Enter the URL command to perform when users access the Web site without specifying a resource, for example, when the user just requests “http://www.acme.com.” Usually the home URL points to the Web site’s home page, for example, “/welcome.nsf/hello?OpenPage.”
HTML directory: Specify the directory that will be used to find HTML files if a URL does not specify a path, for example, http://www.acme.com/welcome.html. Default is domino\html. The path can be relative to the Domino data directory, such as domino\myhtml, or it can be fully qualified, such as c:\websites\html. Service providers: This directory is relative to the main Domino data directory, not to the hosted organization’s data directory.
Icon directory: Enter the directory where icon files are located. You can specify the path for the icon directory using either the fully qualified path or a relative path. Default is domino\icons. Service providers: This directory is relative to the main Domino data directory, not to the hosted organization’s data directory.
Icon URL path: Enter the URL path that is used to map to the icon directory. The default is /icons. For example, the URL http://servername/icons/abook.gif returns the file c:\lotus\domino\data\domino\icons\abook.gif.
CGI directory: Enter the default directory where CGI programs are located. The default is domino\cgi-bin. Service providers: This directory is relative to the main Domino data directory, not to the hosted organization’s data directory.
CGI URL path: Enter the URL path that is used to map to the default CGI directory. The default is cgi-bin. For example, the URL http://servername/cgi-bin/test.pl runs the CGI program c:\lotus\domino\data\domino\cgi-bin\test.pl.
Java applet directory: Enter the directory where the Domino Java applets are located. The default is domino\java.
Java URL path: Enter the URL path that is used to access files in the default Java directory. The default is /domjava.
Note If you are using the Web Server Configuration view, open the
Server document, choose Internet Protocols - HTTP, and complete the
fields in the “Mapping” section.
Configuring DSAPI, HTTP methods, and WebDAV in Web Site
documents
You can set up a Web Site document to support the Domino Web Server
Application Programming Interface (DSAPI), various HTTP methods,
and Web-based Distributed Authoring and Versioning (WebDAV).
The Domino Web Server Application Programming Interface (DSAPI) is
a C API that you can use to write your own extensions to the Domino
Web Server. These extensions, or “filters,” let you customize
authentication for Web users. For more information about DSAPI and
filters, see the C API User’s Guide and the C API Reference Guide.
WebDAV is a set of extensions to the HTTP 1.1 protocol which allows
users to collaboratively edit and manage files on remote Web servers.
WebDAV clients can only access design elements in the design collection
of a database. Users must have Manager or Designer access to the database.
Application developers are the typical users of WebDAV.
For more information, see the topic “Setting up WebDAV” later in this
chapter.
For more information about WebDAV, see the book Application
Development with Domino Designer.
Note If you are using the Web Server Configurations view, the DSAPI
fields appear in the Server document on the Internet Protocols - HTTP
tab.
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Choose the Web Site you want to edit, and click Edit Document.
3. Click the Configuration tab and complete these fields:
Field Action
DSAPI filter file names: Enter the name of one or more DSAPI filter files. Service providers: Each DSAPI filter applies to the entire server; therefore, if the services must differ for individual hosted organizations, the DSAPI filter itself must be coded to handle those differences for each hosted organization.
Methods: Choose one or more:
• GET (default)
• HEAD (default)
• POST (default)
• OPTIONS (default)
• TRACE (default)
• PUT
• DELETE
WebDAV: Choose this option to enable Web-based Distributed Authoring and Versioning. Note If you enable WebDAV, the following HTTP methods are also enabled: GET, HEAD, OPTIONS, PUT, and DELETE.
Field Enter
Image conversion format: Choose one:
• GIF (default): Convert images in documents to GIF format.
• JPEG: Convert images in documents to JPEG format.
Interlaced rendering (GIF): Choose one:
• Enabled (default): Display each line of the image individually.
• Disabled: Wait for the entire image to download before displaying the image.
Progressive rendering (JPEG): Choose one:
• Enabled (default): Display the image incrementally in several passes.
• Disabled: Wait for the entire image to download before displaying the image.
JPEG image quality: A percentage between 5 and 100 to indicate the level of image quality. The larger the value, the larger the file, the longer the file takes to transmit, and the better the image quality. The default is 75.
Note If you are using the Web Server Configuration view, open the
Server document and click the Internet Protocols - Domino Web Engine
tab.
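The Methods and WebDAV fields decide which HTTP methods a site answers, and the note above is easy to miss: ticking WebDAV switches on PUT and DELETE even if those boxes are clear. TRACE is also on by default. The following Python check is an added example for this page, not a tool from Domino or IBM: it computes the effective method set from the Web Site document settings, parses the Allow header of an OPTIONS response, and reports risky methods and any drift between the two. The sample responses are constructed, not captured from a real server, and the `Lotus-Domino` Server header value is an assumption.

```python
"""Compare the HTTP methods a Web Site document should allow with what the
server actually advertises in the Allow header of an OPTIONS response.
Added illustration; helper names and sample responses are assumptions."""

DEFAULT_METHODS = {"GET", "HEAD", "POST", "OPTIONS", "TRACE"}
# Enabling the WebDAV option turns these on regardless of the check boxes.
WEBDAV_METHODS = {"GET", "HEAD", "OPTIONS", "PUT", "DELETE"}
# Methods a reviewer normally wants an explicit justification for: TRACE
# echoes the request (headers included) back to the client; PUT and DELETE
# let a client write to or remove the target resource.
RISKY = {"TRACE", "PUT", "DELETE"}


def effective_methods(selected, webdav=False):
    """Methods enabled by a Web Site document: the checked ones, plus the
    WebDAV set when that option is enabled."""
    methods = {m.upper() for m in selected}
    if webdav:
        methods |= WEBDAV_METHODS
    return methods


def allowed_methods(raw_response):
    """Parse the Allow header out of a raw HTTP response (headers only)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()


def review(expected, observed):
    """Findings: risky methods that are live, plus drift in either direction
    between the configured set and what the server advertises."""
    findings = []
    for m in sorted(observed & RISKY):
        findings.append(f"{m} is enabled; confirm it is required")
    for m in sorted(observed - expected):
        findings.append(f"{m} advertised but not in the Web Site document")
    for m in sorted(expected - observed):
        findings.append(f"{m} configured but not advertised")
    return findings


# Constructed sample responses (not captured from a real server).
SAMPLE_DEFAULT = (
    "HTTP/1.1 200 OK\r\nServer: Lotus-Domino\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n\r\n"
)
SAMPLE_WEBDAV = (
    "HTTP/1.1 200 OK\r\nServer: Lotus-Domino\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, PUT, DELETE\r\nDAV: 1\r\n\r\n"
)

if __name__ == "__main__":
    cases = (
        ("defaults", effective_methods(DEFAULT_METHODS), SAMPLE_DEFAULT),
        ("webdav", effective_methods(DEFAULT_METHODS - {"TRACE"}, webdav=True),
         SAMPLE_WEBDAV),
    )
    for label, configured, raw in cases:
        print(label, review(configured, allowed_methods(raw)))
```

Against a real server the raw response would come from `OPTIONS /names.nsf HTTP/1.1` (or `OPTIONS *`) sent to each virtual host separately, since every Web Site document carries its own Methods field; the point of the `review` step is that a method can be live through the WebDAV option without appearing in the Methods list.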
Specifying the number of lines to display in a view
You can specify the default number of lines to display in a view when
users do not specify a line count in a URL. The number of lines to display
depends on your preference. Displaying many lines per view makes it
easy to find an item in a large view. Displaying fewer lines per view
make it easy to read the items in the view.
You can also specify the maximum number of lines to display in a view
when the user specifies a line count in a URL.
Entering a maximum number of lines prevents users from overloading
server resources by requesting a large number of lines to display.
To specify the number of lines to display in a view
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click the Domino Web Engine tab. Under “Conversion/Display”
complete these fields:
Field Enter
Default lines per view page: A number from 1 to the number specified in the “Maximum lines per view page” field. Default is 30.
Maximum lines per view page: A number that is limited only by the browser software. Default is 1000. Enter 0 if you do not want to limit the number of lines in a view; doing so removes the protection against oversized view requests described above.
Note If you are using the Web Server Configuration view, open the
Server document and click the Internet Protocols - Domino Web Engine
tab.
Limiting the number of documents displayed during a Web Site
search
You can specify a default and maximum number of documents to
display as a result of performing a search on a database. Users can
specify the number of documents for a search query to return using the
SearchMax parameter with the SearchSite and SearchView commands.
Note If you are using the Web Server Configuration view, open the
Server document and click the Internet Protocols - Domino Web Engine
tab.
Change these options to prevent users from overloading server resources
with search results.
To limit the number of documents displayed during a Web Site
search
1. From the Domino Administrator, click the Configuration tab, expand
the Web section, and click Internet Sites.
2. Choose a Web Site document you want to edit, and click Edit
Document.
3. Click the Domino Web Engine tab. Under Conversion/Display,
complete these fields:
Field Action
Default search result limit: Enter the maximum number of documents to display when users do not specify the SearchMax parameter in the URL.
Field Enter
Redirect to resolve external links: Choose one:
• Disabled (default): Prevent the server from accepting Redirect URL commands and from generating Redirect URL commands as a result of a domain search.
• By Server: Look up the server name specified in the URL in the Domino Directory on the Web server. The Web server searches for the server name in both the Host names field on the Internet Protocols - HTTP tab and the Fully qualified Internet host name field on the Basics tab.
• By Database: Find the database in the Domino Directory on any available server. Domino locates the database in the domain catalog, if available, or in the server’s local catalog. Make sure the domain catalog contains up-to-date information on the location of databases. Resolving links takes more time with this option than with By Server, since the Web server searches for the database on any available server instead of just the server presented in the URL. The By Database option may, however, resolve more links, since the Web server tries to resolve the link using a replica of the database on servers in addition to the server presented in the URL. Use this option on the server that runs the domain search so more links are resolved for the user.
Since By Server and By Database both rely on the information in the Domino Directory, make sure the server information in the Domino Directory is complete and correct.
Note If you are using the Web Server Configuration view, open the
Server document and click the Internet Protocols - Domino Web
Engine tab.
Restricting the amount of data users can send to a Domino database
The HTTP POST and PUT methods allow users to send data to the Domino server. The Server document field “Maximum size of request content” is new for Domino 6, and sets a limit on the amount of data that can be sent using either POST or PUT. This limit is enforced for all POST and PUT requests, whether the target is a database, CGI program, or Java servlet, and applies to all Web sites.
The Web Site document contains two additional settings that control POST and PUT requests that target a database (for example, filling in a form or uploading a file attachment). Formerly in the Server document, for Domino 6 these settings have been moved to the Web Site document so that you can specify different values for each Web site.
To restrict the amount of data that can be sent to a Domino
database
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click the Domino Web Engine tab. Under “POST Data” complete
these fields:
Field Action
Maximum POST data: Enter the amount of data in KB that a user is allowed to send to the Web site in a POST request that targets a database. The default is 0, which does not restrict the amount of data that users can send (the amount is still limited by the Server document setting “Maximum size of request content”). This limit applies to both the PUT and the POST HTTP methods. If users try to send more than the maximum allowed data, Domino returns an error message to the browser.
File compression on upload: Choose one:
• Enabled: Compress files before adding them to a database. Compressing files saves disk space on the server.
• Disabled (default): Use this setting if clients use a browser that supports byte-range serving. You cannot download compressed files using Domino byte-range serving.
Field Action
Store user preferences in cookies: Choose one:
• Disabled: Users cannot customize their regional preferences.
• Single Server: Cookies for customized preferences are generated for the current Web site/server only.
• Multi-server: Cookies for customized preferences are generated for the DNS domain to which the current Web site/server belongs.
Note If you are using Server document settings and the Web Server
Configurations view, you can enable these settings in the Server
document in Internet Protocols - Domino Web Engine, under “Web user
preferences.”
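The two limits above interact: the Server document limit covers every POST and PUT, while the Web Site document limit applies only to requests that target a database, and 0 in the site field means “no site-level limit”, not “unlimited”. The following Python helper is an added example written for this page, not Domino code; the function names and the path-based classification of the target (a `.nsf` path is a database, `/cgi-bin/` is a CGI program, anything else a servlet or file) are assumptions:

```python
"""Apply the two-tier body-size limit: the Server document's "Maximum size
of request content" covers every POST and PUT, while the Web Site
document's "Maximum POST data" (KB, 0 = no site-level limit) applies only
when the target is a database. Added illustration; the helper names and
the path-based target classification are assumptions."""


def target_kind(path):
    """Classify the request target as the two limits distinguish them."""
    p = path.lower().split("?", 1)[0]
    if ".nsf" in p:
        return "database"
    if "/cgi-bin/" in p:
        return "cgi"
    return "servlet-or-file"


def effective_limit_kb(server_max_kb, site_max_post_kb, kind):
    """Smallest applicable limit in KB, or None when nothing is configured.
    A value of 0 means "not set" for either field."""
    limits = [server_max_kb] if server_max_kb else []
    if kind == "database" and site_max_post_kb:
        limits.append(site_max_post_kb)
    return min(limits) if limits else None


def check_request(method, path, content_length, server_max_kb, site_max_post_kb):
    """Return ("accept" | "reject", reason) for a body of content_length bytes."""
    if method.upper() not in ("POST", "PUT"):
        return ("accept", "no body-size limit applies to this method")
    kind = target_kind(path)
    limit = effective_limit_kb(server_max_kb, site_max_post_kb, kind)
    if limit is None:
        return ("accept", f"{kind}: no limit configured")
    if content_length > limit * 1024:
        return ("reject", f"{kind}: {content_length} bytes exceeds {limit} KB")
    return ("accept", f"{kind}: within {limit} KB")
```

The case to watch is the third one in the test below: with both fields at 0 nothing bounds a PUT at all, which is why the server-wide field should be set even when every site sets its own limit.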
Setting up language preferences
The Web server uses language string resource modules to render Web pages in different languages. The Domino 6 Web server can support multiple languages and be configured to handle them on the fly. The language in which the Web server generates a page is based on the Accept-Language header of the client’s HTTP request. For example, a Web server with English and French resource modules generates a page in French if a Web client sends an HTTP request with the header “Accept-Language: fr”.
1. From the Domino Administrator, choose Configuration - Web -
Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click Domino Web Engine. Under “Web User Preferences,” complete
these fields:
Field Action
Default string resource language: Use this setting to select the default language string resource module for Web clients who do not send Accept-Language information with HTTP requests, or for cases in which the languages specified in the Accept-Language header are not among the languages available on the server.
Additional string resource languages: Use this setting to select the additional string resource languages that are installed on the server.
Note If you are using Server document settings and the Web Server
Configurations view, you can enable these settings in the Server
document in Internet Protocols - Domino Web Engine, under
“Language.”
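The selection rule in this section has three parts: honour the client’s Accept-Language preferences in quality order, fall back to a regional tag’s base language when only that is installed, and use the default module when the header is absent or names nothing that is installed. The following Python implementation is an added example for this page, not code from Domino; it follows the Accept-Language syntax of RFC 2616 (tags with optional `;q=` weights), and the function names are assumptions:

```python
"""Pick the language string-resource module for a response from the
request's Accept-Language header. Added illustration with assumed names;
the q-value handling follows RFC 2616 section 14.4."""


def parse_accept_language(header):
    """Return [(tag, q)] sorted by descending q; q=0 entries are dropped
    because they mean "not acceptable"."""
    prefs = []
    for item in (header or "").split(","):
        item = item.strip()
        if not item:
            continue
        tag, _, params = item.partition(";")
        q = 1.0
        for p in params.split(";"):
            k, _, v = p.strip().partition("=")
            if k.strip().lower() == "q":
                try:
                    q = float(v)
                except ValueError:
                    q = 0.0     # malformed weight: treat as unacceptable
        if q > 0:
            prefs.append((tag.strip().lower(), q))
    return sorted(prefs, key=lambda t: -t[1])   # stable: ties keep header order


def choose_language(header, installed, default):
    """Best installed module for the client, else the configured default.
    A regional tag such as fr-CA falls back to the base language fr."""
    available = {lang.lower() for lang in installed} | {default.lower()}
    for tag, _ in parse_accept_language(header):
        if tag == "*":
            return default.lower()
        if tag in available:
            return tag
        base = tag.split("-")[0]
        if base in available:
            return base
    return default.lower()
```

Because the header is attacker-controlled input like any other, the parser never raises on junk: an unparseable weight simply drops that entry, and the result is always one of the installed modules or the default.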
Specifying the character set to use when retrieving Web pages
Domino uses the default character set and character set mapping
selection to generate HTML text for the browser. If you have
international users who need to see text in nonwestern languages, you’ll
need to make changes to the settings. The character set setting affects all
databases on the server.
To specify an international character set
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click the Domino Web Engine tab. Under “Character Set Mapping”
complete these fields:
Field Enter
Default character set group: A character set group to allow users to choose their preferred character set when they create or edit documents. The default is Western.
Convert resource strings to: A language to use for messages, HTML for default search pages, and static strings in pages. You can choose a language other than English only for international versions of the Domino server that have translated text. The default is English.
Use UTF-8 for output: Choose one:
• Yes: Generate pages using UTF-8.
• No (default): Generate pages using the character set mapping you select.
Meta character set: Choose one:
• Yes: Add the character set to the <META> tag of an HTML page. This option lets you save the character set information when you save an HTML file on a server or on your hard disk.
• No (default): Exclude the character set from the <META> tag of an HTML page.
4. In the fields that display the character set group names, select one of
the available choices for character set mapping.
5. Save the document.
Table of character sets for Web server pages
The default character set governs the available choices for character set mapping. If a character set group has mapping choices, you must also select which character set to use.
Character set group: Mapping choices
Western (this set includes Windows and ANSI characters): US-ASCII, ISO-8859-1 (default), ISO-8859-15, Windows-1252
Central European: ISO-8859-2 (default), Windows-1250
Japanese: SJIS (default), JIS (ISO-2022-JP), EUC-JP
Traditional Chinese: Big5 (default), EUC-TW
Simplified Chinese: GB
Korean: KSC5601 (EUC)
Cyrillic: ISO-8859-5, Windows-1251, KOI8-R (default)
Greek: ISO-8859-7, Windows-1253 (default)
Turkish: ISO-8859-9, Windows-1254 (default)
Thai: Windows-874
Baltic: Windows-1257
Arabic: Windows-1256 (default), ISO-8859-6
Hebrew: ISO-8859-8 (default), Windows-1255
Vietnamese: Windows-1258
Field Action
Description: Enter a name that differentiates this rule from others you create.
Type of Rule: Choose one:
• Directory: Allow a server file-system directory to be accessed by a URL path.
• Redirection: The resource identified by the URL has been moved to a different location or Web site.
• Substitution: Replace a string in the URL with another string.
• HTTP response header: Add an Expires header or custom headers to HTTP responses that match specified URL patterns and response codes.
Incoming URL pattern: Pattern that describes the URLs affected by this rule. If you are defining many rules, specify the longest unique pattern for each rule. Do not include http or the host name in the pattern.
Field Action
Redirect to this URL: (Redirection only) Enter the new URL location. If the URL in this field starts with a slash, the rule is treated as an internal redirection. Otherwise, the rule is assumed to be an external redirection; the URL for an external redirection must start with an Internet protocol string that the browser understands, such as http: or ftp:.
Replacement pattern: (Substitution only) Enter the string that replaces the matching part of the incoming URL.
Target server directory: (Directory only) Enter the file-system directory path being mapped. This can be specified as a fully-qualified path or a path relative to the data directory. If you want to map a directory that isn’t under the Domino data directory, specify the fully-qualified path. Service providers: use the organization’s data directory.
Access level: (Directory only) Choose one:
• Read access: Allow browser users to read files from the directory. When a user requests a file from the directory, the server sends the contents of the file back to the browser, where it is displayed or downloaded.
• Execute access: Allow browser users to load and run CGI programs in the directory. The server relays the output from the program to the browser. Grant Execute access only to directories that contain the CGI programs you intend to expose.
HTTP response codes: (HTTP Response Header only) Enter the HTTP response codes to which you want your response headers applied.
Expires header: (HTTP Response Header only) Choose one:
• Don’t add header
• Add header only if application did not
• Always add header (override application’s header)
Note If you choose to add a header, you must specify an expiration period, either by specifying the number of days for which you want to enable this header, or a date after which you want to disable this header.
Custom header: (HTTP Response Header only) For each custom header you want to use, specify:
• Name: The name of the response header.
• Value: The value of the response header.
• Override: Override the application’s header.
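The rule fields above define a small matching engine: the longest pattern wins, a Redirection target starting with a slash is internal, a Substitution swaps the matched part of the URL, and a Directory rule exposes a file-system directory with Read or Execute access. The following Python model is an added example written for this page, not Domino code. It assumes `*` as the wildcard in Incoming URL patterns, Unix-style paths, and an assumed data directory `/local/notesdata`; the rule and function names are also assumptions. It adds one check the page does not state but a Directory rule needs: a request that climbs out of the mapped directory with `..` segments is refused rather than resolved.

```python
"""Evaluate Web Site rules (Directory, Redirection, Substitution) against an
incoming URL path, most specific pattern first. Added illustration with
assumed names; '*' as the pattern wildcard and Unix-style paths under an
assumed data directory are assumptions, not taken from the page."""
import fnmatch
import posixpath
from dataclasses import dataclass


@dataclass
class Rule:
    kind: str               # "directory", "redirection" or "substitution"
    pattern: str            # incoming URL pattern; no scheme, no host name
    target: str             # directory path, redirect URL, or replacement
    access: str = "read"    # directory rules only: "read" or "execute"


def match(rule, path):
    """Case-insensitive glob match of the request path against the pattern."""
    return fnmatch.fnmatchcase(path.lower(), rule.pattern.lower())


def apply_rules(rules, path, data_dir="/local/notesdata"):
    """Return the action for path: ("redirect", "internal"|"external", url),
    ("rewrite", new_path), ("file", access, fs_path), ("deny", why) or
    ("notes", path) when no rule matches and Domino serves the URL itself.
    Longer patterns are tried first so /cgi-bin/admin/* beats /cgi-bin/*."""
    for rule in sorted(rules, key=lambda r: len(r.pattern), reverse=True):
        if not match(rule, path):
            continue
        prefix = rule.pattern.rstrip("*")
        if rule.kind == "redirection":
            # A leading slash marks an internal redirection (same server).
            how = "internal" if rule.target.startswith("/") else "external"
            return ("redirect", how, rule.target)
        if rule.kind == "substitution":
            return ("rewrite", path.replace(prefix, rule.target, 1))
        if rule.kind == "directory":
            rel = path[len(prefix):].lstrip("/")
            base = rule.target if rule.target.startswith("/") \
                else posixpath.join(data_dir, rule.target)
            base = posixpath.normpath(base)
            full = posixpath.normpath(posixpath.join(base, rel))
            # Refuse a request that climbs out of the mapped directory.
            if full != base and not full.startswith(base + "/"):
                return ("deny", "path escapes the mapped directory")
            return ("file", rule.access, full)
    return ("notes", path)
```

When reviewing a Web Site’s rules, the Directory rules with Execute access are the ones to enumerate first: each is a directory from which the server will run whatever a request names, so the target directory should hold only the intended CGI programs and should also be covered by a File Protection document.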
Field Action
Description: Enter a name that differentiates this rule from others you create.
Type of Rule: Select Directory.
Incoming URL pattern: Enter /php-bin. An example of an incoming URL would be http://<server>/php-bin/PHP.EXE/<php-scripts>.
Field Action
Descriptive name for this site: Enter a name for this Web site.
Domino servers that host this site: List all the servers in the domain that will host this Web site.
Field Action
Description: (Optional) Enter a name that differentiates this document from others you create.
Directory or file path: Specify the directory or file path to which you want to restrict access. Enter either a fully-qualified path, which includes the drive letter (for example, “c:\lotus\domino\data\domino\cgi-bin”), or a path relative to the server’s data directory (for example, “domino\cgi-bin”).
Current Access Control List: Displays the users and groups who can access the file or directory you specified, and the type of access they are allowed. Similar to a database ACL, the access control list is always created with a -Default- entry, set to No Access, which you can modify. As with a database ACL, those not listed in the Access List receive the default access level.
Set/Modify Access Control List: To add users to the Access Control List, click Set/Modify Access Control List. Select a user name or group from the Domino Directory or type a name in the Name field. Select “Read/Execute access (GET method),” “Write/Read/Execute access (POST and GET methods),” or “No Access.” Click Add to add the entry to the Access Control List.
GET lets the user open files and start programs in the directory. POST is typically used to send data to a CGI program; therefore, give POST access only to directories that contain CGI programs. No Access denies access to the specified user or group.
To remove an entry from the list, select it and click Clear.
If users connect to the server using Anonymous access, enter Anonymous in the Name field and assign the appropriate access. The Anonymous entry is what unauthenticated browsers receive, so leave -Default- at No Access and grant Anonymous only the access the site needs.
Note If you wish to enter a user name that resides in an LDAP directory, you must replace the comma delimiters with slashes. Do not enter the name with commas as delimiters. For example, an LDAP user with the name cn=Anthony Jones,l=westford,o=airius.com should be entered into the access list of a File Protection document like this: cn=Anthony Jones/l=westford/o=airius.com
Field Action
Applies to: (Read-only) This setting applies to the base server, and to all virtual servers or virtual hosts that do not have file protection settings. If a virtual server or virtual host has any file protection settings, then this setting does not apply.
Path: Specify the drive, directory, or file to which you want to restrict access. You can use a fully-qualified path or a relative path.
4. Click Access Control, complete this field, and then save the
document:
Field Enter
Current access control list: The users and groups who can access the files or directories you specified and the type of access they are allowed. By default, the access control list contains a -Default- entry, set to No Access. Users who are not listed in this field receive the -Default- access level.
To add users to this list:
1. Click Set/Modify Access Control List.
2. Select a user name or group from the Domino Directory or enter a name in the Name field.
3. Select “Read/Execute access (GET method),” “Write/Read/Execute access (POST and GET methods),” or “No Access.”
4. Click Next to add this entry to the access list.
Note GET lets the user open files and start programs in the directory. POST is typically used to send data to a CGI program; therefore, give POST access only to directories that contain CGI programs. No Access denies access to the specified user or group.
To remove an entry from the list, select the entry and click Clear.
If users connect to the server using Anonymous access, enter Anonymous in the Name field and assign the appropriate access.
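Both File Protection tables above (the Web Site version and the Server document version) describe the same evaluation: the document whose path most specifically covers the requested file applies, a name or group listed in its ACL gets the listed level, everyone else gets -Default- (No Access when the document is created), GET needs Read/Execute and POST needs Write/Read/Execute. The following Python model is an added example for this page, not Domino code; the class and function names are assumptions, as are treating HEAD like GET and treating any other method as a write. The LDAP name conversion from the note above is included as a helper.

```python
"""Evaluate File Protection documents for a Web request. Access levels, as
in the document: No Access, Read/Execute (GET), Write/Read/Execute (POST
and GET). Added illustration with assumed names; not Domino's own code."""
from dataclasses import dataclass, field

LEVELS = {"NONE": 0, "GET": 1, "POST": 2}
# Level each method needs. HEAD is treated like GET (assumption); anything
# else is treated as a write and needs the POST level (assumption).
NEEDED = {"GET": 1, "HEAD": 1, "POST": 2}


@dataclass
class FileProtection:
    path: str                                   # relative to the data directory
    acl: dict = field(default_factory=lambda: {"-Default-": "NONE"})


def ldap_to_acl_name(dn):
    """File Protection ACLs take LDAP names with '/' separators, not ','."""
    return "/".join(part.strip() for part in dn.split(","))


def _norm(p):
    return p.replace("\\", "/").strip("/").lower()


def pick_document(docs, request_path):
    """The document whose path most specifically covers the request; both
    sides are compared in the same form (relative to the data directory)."""
    target = _norm(request_path)
    best = None
    for d in docs:
        p = _norm(d.path)
        if target == p or target.startswith(p + "/"):
            if best is None or len(p) > len(_norm(best.path)):
                best = d
    return best


def allowed(docs, request_path, method, user, groups=()):
    """True if the user (or one of the groups) holds a level sufficient for
    the method; unlisted names get the -Default- level, which starts at
    No Access when a document is created."""
    doc = pick_document(docs, request_path)
    if doc is None:
        return True                     # no document covers the path
    names = {n.lower() for n in (user, *groups)}
    granted = [LEVELS[lvl.upper()] for name, lvl in doc.acl.items()
               if name.lower() in names]
    if granted:
        level = max(granted)
    else:
        level = LEVELS[doc.acl.get("-Default-", "NONE").upper()]
    return level >= NEEDED.get(method.upper(), 2)
```

The `doc is None` branch is the case to remember when auditing: a directory with no File Protection document covering it is not restricted at all, so the CGI directory and every Directory-rule target should each be covered by a document.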
Field Action
Description: (Optional) Enter a name that differentiates this document from others you create.
Directory or file path: Enter the path that you want to protect, either as a fully-qualified path that includes the drive letter (for example, “c:\lotus\domino\data\domino\cgi-bin”) or as a path relative to the server’s data directory (for example, “domino\cgi-bin”).
Realm label returned to browser: Enter a text string that describes the location on the server, or any other descriptive string, to be used as the realm that is displayed to the user and stored by the browser. This string should not contain any accented or international characters, because they will not be displayed correctly by the browser. The browser displays the text string whenever there is an authentication or authorization failure at the location; the text appears in the browser’s authentication dialog.
5. Enter this command at the console so that the settings take effect:
tell http restart
Custom Web server messages
You can customize some of the error messages or responses that are
generated by the Web server. If an “Error & Response” form-mapping
document exists in DOMCFG.NSF, custom errors, not generic errors, are
used.
To create a message page, create a form for each type of message and
then create a mapping document in the Domino Configuration database
(DOMCFG.NSF) to specify which form to display. While you can store
message pages in any database, the one most commonly used is
DOMCFG.NSF.
You can customize the messages that a user receives when:
• The user fails to authenticate with the server.
• The user is not authorized to access one of the databases that is part of the Web site on the server.
• The user issues a command to delete a document from a database, and the server successfully completes the deletion.
• The user’s Internet password has expired.
• The user attempts to change their Internet password and that is not allowed.
• The user changes their Internet password and the change is submitted and accepted.
In addition, you can specify a general message that appears for all other
types of errors or responses that occur on the Web server.
Note The general error message will not be generated for errors that
occur when accessing non-database files. This type of custom error
message only works when errors are encountered while accessing .NSF
files.
If you enabled session-based name and password authentication,
Domino displays an HTML page you specify to request name and
password information from the user. Domino does not use customized
error pages to display errors when authenticating with the server or
accessing a database if session-based name and password authentication
is enabled.
Database designers also have the ability to create custom error messages
for individual databases that reside on Domino servers. These types of
custom error messages are stored within the database and will only be
generated when errors occur while accessing that specific database.
For information on customizing messages that a user receives for a
specific database on a server, see Application Development with Domino
Designer. For information on session-based name and password
authentication, see the chapter “Setting up Name-and-Password and
Anonymous Access to Domino Servers.” For information on changing
Internet passwords, see the chapter “Protecting and Managing Notes
IDs.”
In this example, the form for the message exists in the database
ANYDB.NSF and is returned to the user when the user encounters an
error.
Users must have Reader access to the Domino Configuration
(DOMCFG.NSF) database and Any database (ANYDB.NSF).
Field Action
Enter the number of database design
Maximum cached
elements to
designs cache for users. The default is 128.
When a user opens a database, Domino
maps each
design element name to an identification
number. This mapping procedure takes time.
Use this field to
specify how many elements you want to
store in
memory so the next time a user accesses
that element, it is immediately available.
Field: Maximum cached users
Action: Enter the number of users to cache. The default is 64. After a user successfully authenticates with a server, Domino stores in memory the user's name, password, and the list of groups to which the user belongs. Use this field to increase the number of users for whom Domino stores this information.

Field: Cached user expiration interval
Action: Enter the time interval in seconds after which Domino removes user names, passwords, and group memberships from the cache. The default is 120. Removing this information from the cache periodically forces Domino to look up credentials in the directory the next time those users access the server. Until a cached entry expires, a password change or a change in group membership made in the directory is not seen by the HTTP task for that user, so this interval bounds how long such a change takes to take effect for Web users.
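The following added example (not Domino code) models the cache behaviour described by the two fields above, so the window between a directory change and its effect on Web users can be seen. The directory contents, the user and the clock are constructed for the example; the eviction rule used when the cache is full is an assumption, since the page does not say how Domino chooses.

```python
"""Model of the Domino HTTP user-credential cache (added example)."""
import hashlib
import time


def password_digest(password):
    """Constructed stand-in for the stored Internet password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class CredentialCache:
    """Models 'Maximum cached users' and 'Cached user expiration interval':
    a successful authentication stores the user's name, password digest and
    group list; the entry is dropped once the interval has elapsed, which
    forces the next request by that user back to the directory."""

    def __init__(self, directory, max_users=64, expiration_seconds=120,
                 clock=time.monotonic):
        self.directory = directory          # name -> (digest, [groups])
        self.max_users = max_users
        self.expiration = expiration_seconds
        self.clock = clock
        self.entries = {}                   # name -> (digest, groups, cached_at)
        self.directory_lookups = 0          # how often the directory was consulted

    def _purge_expired(self):
        now = self.clock()
        for name in [n for n, e in self.entries.items()
                     if now - e[2] >= self.expiration]:
            del self.entries[name]

    def authenticate(self, name, password):
        """Return the group list the server will authorise with, or None."""
        self._purge_expired()
        supplied = password_digest(password)
        cached = self.entries.get(name)
        if cached is not None:
            # Served entirely from memory: the directory is not consulted,
            # so a password or group change there is invisible until expiry.
            digest, groups, _ = cached
            return list(groups) if supplied == digest else None
        self.directory_lookups += 1
        record = self.directory.get(name)
        if record is None or record[0] != supplied:
            return None
        digest, groups = record
        if len(self.entries) >= self.max_users:
            # Assumption: the page does not say which entry is evicted when
            # the cache is full; this drops the oldest one.
            oldest = min(self.entries, key=lambda n: self.entries[n][2])
            del self.entries[oldest]
        self.entries[name] = (digest, list(groups), self.clock())
        return list(groups)


def demonstrate():
    """Walk through the staleness window with a constructed clock."""
    now = [0.0]
    directory = {"Joe Smith/CorpSales": (password_digest("s3cret"),
                                         ["Sales", "WebUsers"])}
    cache = CredentialCache(directory, expiration_seconds=120,
                            clock=lambda: now[0])

    first = cache.authenticate("Joe Smith/CorpSales", "s3cret")
    # The administrator changes the password and removes the user from Sales.
    directory["Joe Smith/CorpSales"] = (password_digest("n3w-pass"), ["WebUsers"])
    now[0] = 60.0
    stale = cache.authenticate("Joe Smith/CorpSales", "s3cret")    # still accepted
    now[0] = 120.0
    old_after_expiry = cache.authenticate("Joe Smith/CorpSales", "s3cret")
    fresh = cache.authenticate("Joe Smith/CorpSales", "n3w-pass")
    return {"first": first, "stale": stale, "old_after_expiry": old_after_expiry,
            "fresh": fresh, "directory_lookups": cache.directory_lookups}


if __name__ == "__main__":
    print(demonstrate())
```

Sixty seconds after the change the old password and the old group list are still accepted; only after the 120-second interval is the directory consulted again. Lowering the interval shortens that window at the cost of more directory lookups.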
Field: HTTP persistent connection
Action: Specify whether you want to enable persistent HTTP connections on the Web server. These connections remain active under the following conditions:
• The HTTP protocol is 1.1.
• The server application returns an HTTP response code less than 400. (If the server application returns an HTTP response code greater than or equal to 400, the connection will be closed by the server.)
• The HTTP request did not come through a proxy server.
• The client did not send a Connection: close header.
• The number of connections that the server can support is not running low, and the number of connections queued for the thread processing the request is not too large.
If the connection is kept open, then the following settings apply:
• The connection will be closed if the maximum number of requests per connection is exceeded.
• The connection will be closed if the persistent connection timeout is exceeded.
• The connection will be closed if no data is received by the server within the specified input timeout.
• The connection will be closed if a complete request is not received within the specified request timeout.
Note Persistent connections require more server overhead than connections that are limited by network activity.
Field: Maximum requests per persistent connection
Action: Specify the maximum number of HTTP requests that can be handled on one persistent connection. The default is 5.

Field: Persistent connection timeout
Action: Specify the length of time for which you want persistent connections to remain active. The default is 180 seconds.

Field: Request timeout
Action: Specify the amount of time for the server to wait to receive an entire request. The default is 60 seconds. If the server doesn't receive the entire request in the specified time interval, the server terminates the connection.

Field: Input timeout
Action: Enter the time, in seconds, that a client has to send a request after connecting to the server. The default is 15 seconds. If no request is sent in the specified time interval, then the server terminates the connection. If only a partial request is sent, the input timer is reset to the specified time limit in anticipation of the rest of the data arriving. Because the input timer restarts on every fragment, it is the request timeout, not the input timeout, that bounds a client that sends a request one fragment at a time.

Field: Output timeout
Action: Enter the maximum time, in seconds, that the server has to send output to a client. The default is 180 seconds.

Field: CGI timeout
Action: The maximum time, in seconds, that a CGI program started by the server has to finish. The default is 180 seconds.
Field: Run Web agents concurrently?
Enter: Choose one:
• Enabled: allows more than one agent to run on the Web server at the same time (asynchronously)
• Disabled (default): runs only one agent at a time (serially)
Chapter 35
Setting Up Domino to Work with Other Web Servers
This chapter describes how to set up Domino to process requests from
other types of Web servers.
Setting up Domino to work with other Web servers
Back-end Domino 6 servers can receive, and respond to, requests from
front-end IBM HTTP Servers (IHS) or from Microsoft Internet Information
Servers (IIS). For this communication to occur, the appropriate
WebSphere Application Server (WAS) 4.0.3 or later plug-in must be
installed on the front-end server. These plug-ins recognize HTTP requests
for Domino applications and pass them along to the Domino server. Other
HTTP requests will be handled by the front-end server itself.
A typical scenario is for the front-end server to be outside a firewall. The
front-end server receives requests from Web users, the plug-in relays the
requests over HTTP, through the firewall, to the HTTP task on the
back-end Domino 6 server. The Domino 6 server then processes the
request and sends the reply back to the plug-in, which relays it to the user.
A plug-in can be configured to support any number of backend servers.
Since Domino uses the same plugins as WebSphere, you can also
combine Domino and WebSphere servers. For example, a Domino server
hosting a mail application and a WebSphere server hosting a J2EE
application could both be placed behind the same IIS front-end server.
The backend Domino server can be on any supported operating system
platform. The following front-end servers are supported:
• IBM HTTP Server on AIX, Windows NT 4.0, and Windows 2000 Server.
• Microsoft IIS on Windows NT 4.0 and Windows 2000 Server.
The plug-in files are packaged with the Domino 6 server and their use is
covered by your Domino license. You do not need to install any other
WebSphere components to use the Microsoft IIS plug-in. However, to use
the IHS plug-in you must install the IHS components of WebSphere on
the front-end server.
The following features are supported for the Domino back-end servers:
core Domino database functionality, Lotus iNotes Web Access, Lotus
Domino Off-Line Services (DOLS), Lotus Discovery Server™. Additional
Domino products may also be supported; refer to the product
documentation for details.
Setting up Domino to work with IBM HTTP servers
The IBM HTTP Server (IHS) is packaged as part of the WebSphere
server. For information on installing IHS and the WebSphere server see
the WebSphere installation documentation. Installing the plug-in is an
option during WebSphere installation. For information on installing the
plug-in during WebSphere setup, see the WebSphere installation
documentation.
The plug-in files are also packaged with the Domino 6 server. If the
plug-in was not installed during WebSphere installation, the
administrator can copy the plug-in files from the Domino 6 server.
To install the WebSphere plug-in from Domino
1. Install a Domino 6 server. The plug-in files are packaged with the
server.
2. On the IHS server, create the appropriate directory structure.
For AIX:
/usr/WebSphere/AppServer/bin
/usr/WebSphere/AppServer/config
/usr/WebSphere/AppServer/logs
For Win32 (you can use any drive):
c:\WebSphere\AppServer\bin
c:\WebSphere\AppServer\config
c:\WebSphere\AppServer\logs
Note The rest of these instructions assume you are using an AIX
server.
3. Copy the following files from the Domino server to the IHS server:
• <Domino data directory>/domino/plug-ins/aix/mod_ibm_app_server_http.so to /usr/WebSphere/AppServer/bin
• <Domino data directory>/domino/plug-ins/plugin-cfg.xml to /usr/WebSphere/AppServer/config
4. On the IHS server, edit the IHS configuration file httpd.conf (on a default installation this file is located at /usr/HTTPServer/conf/httpd.conf). Add the following lines to the bottom of the file:
LoadModule ibm_app_server_http_module /usr/WebSphere/AppServer/bin/mod_ibm_app_server_http.so
WebSpherePluginConfig /usr/WebSphere/AppServer/config/plugin-cfg.xml
5. Modify the plugin-cfg.xml file according to the instructions for
configuring the WebSphere plug-in.
6. Set up the Domino server according to the instructions for IIS.
7. Restart the IHS server and test your installation.
Testing the IHS installation
To test your IHS server with plug-in:
1. Start Domino.
2. To verify that the Domino server HTTP task is functional, from a
browser enter the URL:
http://<domino server name:http port>/homepage.nsf
(or any other NSF request supported by your Domino Web
application). This request should be sent directly to the Domino
server, and the Domino HTTP task should respond with the expected
page.
3. Start the front-end Web server.
4. To verify that the frontend server is functional and that the plug-in is
working, in the browser enter:
http://<frontend-server:http port>/homepage.nsf.
This request should be sent to the front-end server; the WebSphere
plug-in should relay it to the Domino server. The resulting page
should look identical to Step 2.
Setting up Domino to work with Microsoft IIS servers
To use a Microsoft IIS server as a front-end machine, you must install the WebSphere Application Server 4.0.3 plug-in for IIS on the IIS server. The plug-in files are packaged with the Domino 6 server and must be copied from the Domino server to the IIS server. After you copy the plug-in files, you must configure the plug-in, then configure the Domino server to work with the IIS plug-in. You do not need to install any other WebSphere components to use the Microsoft IIS plug-in.
See the following topics:
• To install the WebSphere plug-in on an IIS server
• To configure the WebSphere plug-in
• To configure the Domino server to work with Microsoft IIS
• Setting up security for Microsoft IIS
• Details of Microsoft IIS security options
To install the WebSphere plug-in on an IIS server
Do the following to install the WebSphere plug-in on the IIS server and
enable it for a Web site. Before beginning this procedure, you should be
familiar with the Internet Services Manager configuration tool. On
Windows NT this tool is accessed through the Microsoft Management
Console.
1. Create the following directory structure on the IIS machine (you may use any drive):
C:\WebSphere\AppServer\bin
C:\WebSphere\AppServer\config
C:\WebSphere\AppServer\etc
C:\WebSphere\AppServer\logs
2. Copy the following files from the Domino server to the IIS server:
a. Copy data/domino/plug-ins/plugin-cfg.xml to
c:\WebSphere\AppServer\config.
b. Copy data/domino/plug-ins/w32/iisWASPlugin_http.dll to
c:\WebSphere\AppServer\bin.
c. Copy data/domino/plug-ins/w32/plug-in_common.dll to
c:\WebSphere\AppServer\bin.
3. Start the Internet Service Manager application.
4. Create a new Virtual Directory for the Web site instance you want to
work with WebSphere. To do this with a default installation, expand
the tree on the left until you see “Default Web Site.” Right click on
“Default Web Site” and select New - Virtual Directory. This opens
the wizard for adding a Virtual Directory.
5. In the Alias field, enter “sePlugins.”
6. In the Directory field, browse to the WebSphere bin directory
(C:\WebSphere\AppServer\bin).
7. For access permissions, check Execute (required for the ISAPI plug-in DLL) and uncheck all other permissions.
8. Click Finish. A virtual directory titled “sePlugins” is added to your
default Web site.
9. Right click the machine name in the tree on the left and select
Properties.
10. On the “Internet Information Services” tab, select “WWW Service” in
the “Master Properties” drop down box and click Edit.
11. In the “WWW Service Master Properties” window, click the “ISAPI
Filters” tab.
12. Click Add. This opens the “Filter Properties” dialog.
13. In the “Filter Name:” field, type “iisWASPlugin.”
14. In the “Executable:” field, click Browse. Open the WebSphere bin
directory and select “iisWASPlugin_http.dll.”
15. Close all open windows by clicking OK.
16. Open the Windows registry editor and create the key HKEY_LOCAL_MACHINE\SOFTWARE\IBM\WebSphere Application Server\4.0. Select the 4.0 key and create a new string value named "Plug-in Config". Set its value to the location of the plugin-cfg.xml file (C:\WebSphere\AppServer\config\plugin-cfg.xml).
17. To enable the plug-in for additional Web sites, repeat Steps 4
through 8.
To configure the WebSphere plug-in
The WebSphere configuration file WebSphere\AppServer\config\
plugin-cfg.xml controls the operation of the plug-in. In order for the
plug-in to relay requests to the target Domino server, you must add
directives to plugin-cfg.xml to define a transport route to the server, and
pattern rules for the URL namespaces that identify requests which are to
be relayed to Domino. The plug-in will only relay requests that match a
namespace rule. All other requests will be handled by the front-end Web
server.
To configure plugin-cfg.xml
1. Open plugin-cfg.xml in Notepad.
2. Modify the <Transport> element to target the appropriate Domino
server. To do this, change the Hostname and Port parameters to the
proper values required for the plug-in to reach your backend server’s
HTTP task. For example:
<!-- Server groups provide a mechanism of grouping servers together. -->
<ServerGroup Name="default_group">
  <Server Name="default_server">
    <!-- The transport defines the hostname and port value that the web server
         plug-in will use to communicate with the application server. -->
    <Transport Hostname="mydomino.server.com" Port="81" Protocol="http"/>
  </Server>
</ServerGroup>
3. Add these directives to the top of the <UriGroup> section. These
directives specify common URL patterns needed for accessing
Domino Web applications.
<UriGroup Name="default_host_URIs">
  <Uri Name="/*.nsf*"/>
  <Uri Name="/icons/*"/>
  <Uri Name="/domjava/*"/>
If your Domino application requires additional namespaces, you can
create <Uri> directives for those patterns also.
Note All the WAS plug-ins automatically reread the configuration file
once a minute to pick up changes. If you don’t want to wait that long,
you must stop and restart the front-end Web server. In the case of the IIS
plug-in, you must stop the World Wide Web Publishing Service from the
Windows services control panel, then restart the Web site from the
Internet Services Manager. Just stopping and restarting the Web site by
itself won’t work because the plug-in DLL won’t be reloaded.
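As an added example, not part of the Domino or WebSphere documentation, the following Python parses a plugin-cfg.xml built from the fragments above and reports which request paths the plug-in would relay to the Domino transport and which the front-end server would answer itself. The XML text is constructed here, and the wildcard semantics of <Uri> patterns (a '*' matches any run of characters, case-insensitively) are an assumption made for the example; the page does not define them.

```python
"""Parse a WebSphere plugin-cfg.xml and decide which requests are relayed.

Added example; not code from Domino or WebSphere.  The XML is constructed
from the fragments in the text.  Assumed pattern rule: '*' matches any
run of characters and comparison is case-insensitive."""
import re
import xml.etree.ElementTree as ET

PLUGIN_CFG = """<Config>
  <ServerGroup Name="default_group">
    <Server Name="default_server">
      <Transport Hostname="mydomino.server.com" Port="81" Protocol="http"/>
    </Server>
  </ServerGroup>
  <UriGroup Name="default_host_URIs">
    <Uri Name="/*.nsf*"/>
    <Uri Name="/icons/*"/>
    <Uri Name="/domjava/*"/>
  </UriGroup>
</Config>
"""


def uri_pattern_to_regex(pattern):
    """Turn a <Uri Name> pattern into an anchored regex: every literal part
    is escaped and each '*' becomes 'any run of characters'."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


class PluginRouter:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        # (protocol, hostname, port) for every <Transport> in the file
        self.transports = [(t.get("Protocol"), t.get("Hostname"), int(t.get("Port")))
                           for t in root.iter("Transport")]
        # (pattern text, compiled pattern) for every <Uri> in every <UriGroup>
        self.rules = [(u.get("Name"), uri_pattern_to_regex(u.get("Name")))
                      for u in root.iter("Uri")]

    def match(self, path):
        """First <Uri> pattern matching the request path, or None."""
        for name, rx in self.rules:
            if rx.match(path):
                return name
        return None

    def route(self, path):
        """Target the plug-in relays to, or None when the front-end server
        answers the request itself.  Uses the first transport: the page says
        a plug-in can serve several back ends but not how it picks one."""
        if self.match(path) is None or not self.transports:
            return None
        protocol, host, port = self.transports[0]
        return f"{protocol}://{host}:{port}"

    def plaintext_transports(self):
        """Back ends reached over plain http: relayed requests, including the
        connector headers carrying the user's authentication status, cross
        the firewall unencrypted on these links."""
        return [f"{h}:{p}" for proto, h, p in self.transports if proto == "http"]


if __name__ == "__main__":
    router = PluginRouter(PLUGIN_CFG)
    for path in ["/homepage.nsf", "/names.nsf?OpenDatabase",
                 "/icons/logo.gif", "/default.htm"]:
        print(f"{path:26} -> {router.route(path) or 'front-end server'}")
    print("plaintext transports:", router.plaintext_transports())
```

Note that "/*.nsf*" relays every database on the back end, the Domino Directory (names.nsf) included; only Domino's own ACLs and server access settings stand between a front-end user and those databases, so review them rather than relying on the front-end server to filter.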
To configure the Domino server to work with Microsoft IIS
On the back-end Domino server, add the following line to NOTES.INI:
HTTPEnableConnectorHeaders=1
This setting enables the Domino HTTP task to process the special headers that the plug-in adds to requests. These headers include information about the front-end server's configuration and the user's authentication status. As a security measure, the HTTP task ignores these headers if the setting is not enabled; this prevents an attacker from mimicking a plug-in. Once the setting is enabled, the HTTP task accepts these headers from any client that can reach its port, so make sure that the back-end Domino HTTP port is reachable only from the front-end server (for example, by a rule on the firewall between the two) and never directly from the Internet.
Setting up security for Microsoft IIS
When you have set up an IIS plug-in and a Domino backend server, Web
applications are subject to both IIS security and Domino security. After
IIS authenticates a user based on the NT Windows account registry, those
credentials, if any, are passed to Domino for user authorization.
Microsoft IIS supports the following methods of user authentication. The Domino plug-in configuration supports all except Digest authentication.
• Anonymous access (the user does not enter a name or password)
• Basic Authentication (the user enters a name and password)
• Digest authentication (an enhanced version of Basic authentication available only on Windows 2000). The Domino plug-in configuration does not support this authentication method.
• Integrated Windows authentication (a special protocol supported by Microsoft Internet Explorer. On NT, this protocol is called Windows NT Challenge/Response)
• SSL
IIS requires user authentication in order to control access to resources
owned by IIS such as the file system and Active Server Pages. If a user
requests access to a Domino resource, the IIS plug-in passes the
authentication information to Domino. The information passed depends
on the combination of authentication methods enabled on IIS. After the
information is passed, Domino authenticates the user according to the
procedures discussed in the topic “Details of Microsoft IIS security.” All
of the Domino directory options are available, such as using multiple
Domino Directories and LDAP directories.
For information on setting up security options on the Domino server, see
the chapter “Planning Security.”
To set up security on the IIS server:
1. Start the Internet Services Manager (or Microsoft Management
Console on NT).
2. Right-click the IIS Web site and select Properties.
3. Click the Directory Security tab.
4. Click Edit in the Anonymous Access and Authentication Control
section.
5. Choose one or more of the authentication options and click OK.
Details of Microsoft IIS security options
Anonymous Access
Anonymous Access lets Web users access a Web site without a user name
or password. IIS always maps anonymous Web users to a specific NT
anonymous user account, which you can configure. If Anonymous
Access is the only IIS authentication method enabled, IIS does not use
any user credentials — that is, a user name and password — sent by the
browser for authentication, but the IIS plug-in passes the credentials to
Domino, and Domino will authenticate the user according to the normal
procedure for Web users. If an anonymous user attempts to access a
Domino resource that requires authentication, Domino will respond
appropriately according to the security options you have set for the
Domino Web site (a Basic name-and-password challenge, or a session
authentication login page). Therefore, if you want Domino to completely
handle user authentication, you should enable Anonymous Access as the
only security option for the IIS Web site.
For information, see the chapter “Setting Up Name-and-Password and
Anonymous Access to Domino Servers.”
Anonymous Access uses the following guidelines:
• The Web user does not need to be a registered NT user.
• If you want a user to access secure resources, the Web user must be a registered Domino user and the user must have an Internet password.
Basic Authentication
When using Basic Authentication, IIS verifies the user credentials that the
browser sends as a valid NT user account. If Basic Authentication is the
only IIS authentication method enabled, IIS requires all browser requests
to have credentials — anonymous access is not allowed. Whenever a user
sends a Domino request, the IIS plug-in passes the user name to Domino
and informs Domino that the user has been authenticated by IIS. Such a
user is called a “pre-authenticated” user. The plug-in passes the
pre-authenticated name exactly as the user entered it in the browser.
Domino then attempts to look up that name in its directories. Since IIS
has already verified the user’s password, Domino does not use the
Internet password stored in the user’s Person document or LDAP entry.
If Domino finds the name in a Domino Directory, then Domino uses the
primary name in the Person record for authorization (ACL checking). If
Domino does not find the name, then Domino uses the pre-authenticated
name as-is for authorization.
In both cases, Domino builds the user’s group list from the set of groups
in the Domino Directory which include the user as a member, and
Domino also adds the special group “-WebPreAuthenticated-” to the
group list. You may use -WebPreAuthenticated- as a group entry in
database ACLs and other access lists.
Note If you want to list IIS users by name in database ACLs, you must
be careful to use the correct form of the name. Use the primary name if
the user is listed in the Domino Directory, or the IIS pre-authenticated
name if the user is not in the directory. Remember that if a user is listed
by name in an ACL and is also a member of a group in the ACL
(including “-WebPreAuthenticated-” or any other group), the name entry
takes precedence over the group entry.
In summary, Basic Authentication uses the following guidelines:
• Anonymous access is not allowed.
• The Web user must be a registered NT user.
• The Web user does not have to be a registered Domino user.
• Domino does not use the user's Internet password.
• The Web user is automatically assigned to the -WebPreAuthenticated- group.
Integrated Windows Authentication (called Windows NT Challenge/Response on NT)
Integrated Windows authentication is a Microsoft-specific protocol
supported by Internet Explorer (IE). When a Web user makes a request to
the site, IE automatically sends to IIS the user’s current Windows logon
account name. IIS verifies the name against the Windows registry on the
IIS server. When a user makes a Domino request, the IIS plug-in passes
to Domino the user’s Windows name and Domino processes the
pre-authenticated name as described above for Basic authentication.
Windows account names use the form domain\username or
machinename\username — for example, SALES\JSmith. If Domino is
using Person documents in the Domino Directory to authenticate the
Windows users, the documents must contain the exact Windows account
names as aliases. For example, if Joe Smith has a Notes ID in the
“CorpSales” domain and a Windows user account in the “SALES”
Windows domain, the User name field in Joe Smith’s Person document
needs to contain:
Joe Smith/CorpSales
SALES\JSmith
This allows Domino to authenticate the Windows user SALES\JSmith as
the Domino user Joe Smith/CorpSales.
In summary, integrated Windows authentication uses the following guidelines:
• If this is the only authentication method enabled, only IE users can access the Web site.
• Anonymous access is not possible, since IE automatically sends the user's Windows account name on every request.
• The Web user must be a registered NT user.
• If you want to match the Windows user to a Domino Person document, you need to add the user's NT Windows account name as an alias to the Person document.
• Domino does not use the Internet password.
• The user is automatically assigned to the -WebPreAuthenticated- group.
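The following added example (not Domino code) puts the rules from the Basic Authentication and Integrated Windows authentication sections above into working form: the pre-authenticated name the plug-in passes is looked up as a Person document primary name or alias (such as the Windows account name SALES\JSmith), the primary name is used for authorization when found and the name as-is when not, the group list is built from the directory groups plus -WebPreAuthenticated-, and an explicit name entry in an ACL takes precedence over any group entry. The Person documents, groups and ACL are constructed. Two details are assumptions not stated on the page: name comparison is case-insensitive, and a user who matches several group entries receives the highest of their levels.

```python
"""How a pre-authenticated IIS user becomes a Domino identity and an ACL level.

Added example, not Domino code.  Directory, groups and ACL are constructed.
Assumptions: case-insensitive name lookup; highest level wins among groups."""

ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author",
              "Editor", "Designer", "Manager"]
PREAUTH_GROUP = "-WebPreAuthenticated-"

# Constructed Person documents: the primary name first, aliases after it.
PERSON_DOCUMENTS = [
    ["Joe Smith/CorpSales", "SALES\\JSmith"],
    ["Ann Lee/CorpSales", "alee", "SALES\\ALee"],
]

# Constructed Domino Directory groups.
GROUPS = {
    "Sales": ["Joe Smith/CorpSales", "Ann Lee/CorpSales"],
    "WebAdmins": ["Ann Lee/CorpSales"],
}

# Constructed database ACL: entry -> access level.
ACL = {
    "-Default-": "No Access",
    PREAUTH_GROUP: "Reader",
    "Sales": "Author",
    "WebAdmins": "Manager",
    "Joe Smith/CorpSales": "Editor",
}


def resolve_preauthenticated(name):
    """Identity Domino authorises with for a pre-authenticated name: the
    Person document's primary name when the name is found as a primary name
    or alias, otherwise the pre-authenticated name exactly as supplied.
    No password is checked: IIS has already verified it."""
    wanted = name.lower()
    for names in PERSON_DOCUMENTS:
        if any(n.lower() == wanted for n in names):
            return names[0]
    return name


def build_group_list(identity):
    """Directory groups containing the identity, plus the special group that
    every IIS pre-authenticated user receives."""
    groups = [g for g, members in GROUPS.items() if identity in members]
    groups.append(PREAUTH_GROUP)
    return groups


def effective_access(acl, preauth_name):
    """ACL level for a pre-authenticated user: an explicit name entry wins;
    otherwise the best matching group entry; otherwise -Default-."""
    identity = resolve_preauthenticated(preauth_name)
    if identity in acl:
        return acl[identity]
    group_levels = [acl[g] for g in build_group_list(identity) if g in acl]
    if group_levels:
        return max(group_levels, key=ACL_LEVELS.index)   # assumption
    return acl.get("-Default-", "No Access")


if __name__ == "__main__":
    for name in ["SALES\\JSmith", "alee", "contractor"]:
        print(f"{name:14} -> {resolve_preauthenticated(name):22} "
              f"{effective_access(ACL, name)}")
```

The "contractor" case is the one to watch: a Windows account with no Person document still reaches the database as -WebPreAuthenticated-, so whatever level that group holds in an ACL is granted to every account IIS will authenticate, not only to registered Domino users.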
SSL
If you enable SSL on a Web server, IIS handles the actual SSL connection.
However, if a Web user provides a client certificate, the IIS plug-in
passes the certificate to Domino and Domino uses the certificate to
authenticate the user. If Domino cannot find a certificate for the user,
then Domino will downgrade the user to Anonymous access.
Chapter 36
Setting Up the Web Navigator
This chapter describes how to set up the server that runs the Web
Navigator and how to manage the information retrieved from the
Internet.
The Web Navigator
The Web Navigator lets Notes workstations access the Web, without
having a direct connection to the Internet. The Web Navigator server,
which has a direct connection to the Internet, retrieves pages for users.
The Web Navigator retrieves pages on Internet servers — for example,
servers that use Internet services such as HTTP, FTP, or Gopher.
When someone requests a new page, the Web Navigator server connects
to the Internet server, retrieves the requested page, and copies the page
as a document into the Web Navigator database (WEB.NSF). If the
requested page already exists in the database, Domino immediately
opens the document without requesting it again from the Internet server.
Using the Web Navigator provides many benefits, including:
• Reduced Internet connection costs. Storing all the retrieved Web pages in a centralized database allows users to access the page in the database instead of connecting to the Internet.
• Monitoring capabilities. You can monitor Web-based activity, if needed.
• Simplified troubleshooting for Internet connections. You troubleshoot only one connection instead of troubleshooting one connection for each workstation.
• Familiar Notes interface. The retrieved Web pages are stored as documents in a database where people can request, view, and manage them using the Notes interface.
The following diagram shows the process the Web Navigator uses to
retrieve a page that a Notes client requests from a Web site.
Setting up a Web Navigator server
The first time you start the Web task, Domino creates the Web Navigator
database (WEB.NSF) and enters default settings for the Web Navigator
database.
1. Set up a Domino server.
For more information, see the chapter “Installing and Setting Up
Domino Servers.”
2. Start the Web task on the server.
3. Set up the connection between the server and the Internet.
For information on setting up the Internet connection, contact your
Internet Service Provider.
4. If necessary, use a proxy to connect the Web Navigator server to the
Internet.
5. Edit the Server document for the users’ home/mail server.
6. Set up users to use the Web Navigator.
Starting and stopping the Web Navigator program
Field: HTTP proxy
Enter: The name or IP address of the proxy and the port to access HTTP pages.

Field: FTP proxy
Enter: The name or IP address of the proxy and the port to access FTP pages.

Field: Gopher proxy
Enter: The name or IP address of the proxy and the port to access Gopher pages.

Field: SSL Security proxy
Enter: The name or IP address of the proxy and the port you want to go through for pages on Internet servers that use SSL.

Field: HTTP Tunnel proxy
Enter: Do not enter a value. This field is used to send Notes remote procedure calls (NRPC). NRPC is the architectural layer of Notes and Domino that controls services such as replication and mail. The Web Navigator does not use NRPC for communication.

Field: SOCKS proxy
Enter: The name or IP address of the proxy and the port. If you enter a name or IP address in both the SSL Security proxy and SOCKS proxy fields, Domino uses the SSL Security proxy. If you enter a name or IP address in both the HTTP proxy and SOCKS proxy fields, Domino uses the SOCKS proxy.

Field: No proxy for these hosts and domains
Enter: The names of the hosts and domains you want to access without going through the proxy. You can bypass the proxy to access certain domains on the Internet or to access your internal intranet domain. Do not enter an IP address in this field; you must use the name. Separate multiple entries with commas or returns. You can use wildcard (*) characters, for example, *lotus.com or www.*.com.
6. Complete the procedure “Editing the Server document for the Web
Navigator.”
Editing the Server document for the Web Navigator
1. Make sure that you already set up the connection between the server
and the Internet. If necessary, use a proxy to connect the server to the
Internet.
2. From the Domino Administrator, click the Configuration tab.
3. Expand the Server section and then click All Server Documents.
4. Open the Server document for the Web Navigator server.
5. Click the Basics tab. Open the Server Location Information section
and go to the Servers section. Complete the InterNotes server field,
and save the document.
Field: InterNotes server
Enter: The hierarchical name of the server running the Web task. This is the default server to use if the InterNotes server field in the user's Location document is blank.
Field: Internet browser
Enter: Notes

Field: Retrieve/open pages
Enter: "From InterNotes server" to use the Web Navigator server specified in the InterNotes server field on the Servers tab.
Field: Concurrent retrievers
Enter: The number you enter depends on the system configuration for your server. If user access is slow because the number specified in this field is less than the number of users attempting to retrieve pages from the Internet, increase the number. The default is 50.
Field: Allow access to these Internet sites
Enter: One or more of the following, separated by commas or spaces:
• A DNS name, for example, www.lotus.com
• An IP address, for example, 205.159.212.10
• A DNS name or IP address with a wildcard (*), for example, www.*.com. You can use only one wildcard per entry; for example, you cannot enter w*.*.com.

Field: Deny access to these Internet sites
Enter: Same as above.
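As an added example (not the Web Navigator's own code), the following Python validates entries for the Allow and Deny fields above (and the wildcard forms the "No proxy for these hosts and domains" field accepts) and evaluates a requested host against them. The entries and hosts are constructed. Three points are assumptions, since the page does not state them: a '*' stands for any run of characters, a host matching a Deny entry is refused even if it also matches an Allow entry, and an empty Allow list restricts nothing.

```python
"""Validate and evaluate Web Navigator site lists (added example)."""
import re


def split_entries(text):
    """Entries separated by commas or spaces, blanks dropped."""
    return [e for e in re.split(r"[,\s]+", text.strip()) if e]


def invalid_entries(text):
    """Entries with more than one wildcard, which the field rejects
    (for example w*.*.com)."""
    return [e for e in split_entries(text) if e.count("*") > 1]


def entry_matches(entry, host):
    """Case-insensitive match of a DNS name or IP address entry; a single
    '*' matches any run of characters, so www.*.com matches www.lotus.com."""
    e, h = entry.lower(), host.lower()
    if "*" not in e:
        return e == h
    head, tail = e.split("*")
    # The length check stops head and tail overlapping (www.*.com vs www.com).
    return (h.startswith(head) and h.endswith(tail)
            and len(h) >= len(head) + len(tail))


def access_allowed(allow_text, deny_text, host):
    """Deny list first, then Allow list (assumed precedence)."""
    if invalid_entries(allow_text) or invalid_entries(deny_text):
        raise ValueError("an entry contains more than one wildcard")
    if any(entry_matches(e, host) for e in split_entries(deny_text)):
        return False
    allow = split_entries(allow_text)
    return not allow or any(entry_matches(e, host) for e in allow)


if __name__ == "__main__":
    allow = "www.lotus.com, 205.159.212.10 www.*.com"
    deny = "www.bad.com"
    for host in ["www.lotus.com", "www.bad.com", "ftp.lotus.com", "205.159.212.10"]:
        print(f"{host:18} allowed={access_allowed(allow, deny, host)}")
    # A leading wildcard with no dot, as in *lotus.com, also matches hosts
    # that merely end in that string, such as notlotus.com.
    print("*lotus.com matches notlotus.com:",
          entry_matches("*lotus.com", "notlotus.com"))
```

The last line is the check worth running on your own lists: an entry such as *lotus.com (the form the proxy-bypass field's own example uses) also matches notlotus.com, so an allow or no-proxy entry written that way admits any host whose name ends in the string; *.lotus.com limits the match to real subdomains.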
Field: Services
Enter: One or more of the Internet services provided. The default is HTTP, FTP, and GOPHER.

Field: Accept SSL site certificates
Enter: Choose Yes.
To view certificates
1. From the Domino Administrator, click the Configuration tab, and
choose Miscellaneous - Certificates.
2. Look at the Internet Cross Certificates category.
Sending mail from a Web page to the Internet
When users click a mailto URL on a Web page, Domino opens a new
mail message and enters the Internet address (user@company.com) in the
To: field.
Note If you use the Lotus SMTP MTA (Domino 4.6 and earlier) as the
gateway for Internet mail, users must append the foreign domain of the
SMTP Gateway for each Internet address — for example,
user@company.com@foreigndomain. So that users don’t need to specify
the foreign domain each time, you can specify the foreign domain of the
gateway.
1. Make sure that users’ Notes workstations are already set up to use
Notes mail.
For information, see the chapter “Setting Up and Managing Notes
Users.”
2. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
3. Click the Server Tasks - Web Retriever tab, complete this field, and
then save the document:
Field: SMTP Domain
Enter: The name of the foreign domain of the SMTP mail gateway.
Agents
The Web Navigator database contains three agents that administrators
can use to manage documents in the database. The Purge agent removes
documents that meet the criteria you specify. Regularly purging
documents keeps the size of the Web Navigator database manageable.
The Refresh agent updates the contents of pages stored in the Web
Navigator database with the Web site content from which they were
originally retrieved. Pages in the database are not automatically updated
after they are retrieved; therefore, the page content may quickly become
outdated unless you use this agent.
The Averaging agent creates an average rating of user-recommended
pages. The top ten pages appear in the Recommended by Top Ratings
view.
Web tours and Recommendation documents
Web tours and Recommendation documents allow users to collaborate
with others who use the Web Navigator database.
Using a Web tour document, users can group a set of Web pages for
others to view sequentially — for example, to create training materials or
to collect a set of pages that you previously viewed on the Web.
Using a recommendation document, users can add useful Web sites to
the Web Navigator database.
Customizing the Web Navigator database
You can customize the Web Navigator database as follows:
• Display the names of users who retrieve pages
• Customize the default appearance of elements on retrieved Web pages
• Save and view HTML sources
• Rename and move the database
• Set preferences for the Purge, Refresh, and Averaging agents
• Use the Purge agent to manage the size of the database
• Use the Refresh agent to update pages in the database
• Use the Averaging agent to calculate page ratings in the database
For information, see the topics that follow.
1. Make sure you have the WebMaster role in the ACL of the Web
Navigator database.
2. Using the Notes client, open the Web Navigator database using a
network connection to the server.
3. Choose View - Go to and select All Documents.
4. Choose Actions - Administration, and then in the HTML Preferences
section, customize any of these settings:
Field: Anchors
Default: Underline/Blue
Description: URL links

Field: Body Text
Default: Times 11-point
Description: Font and size of elements not defined in other fields in the HTML Preferences section

Field: Plain
Default: Courier
Description: Font for text in the <PLAINTEXT>, <PRE>, and <EXAMPLE> tags. The font size is defined by the Body Text field.

Field: Fixed
Default: Courier
Description: Font for text in the <CODE>, <SAMPLE>, <KBD>, and <TT> tags. The font size is defined by the Body Text field.
Field: Web Navigator database
Enter: The new file name of the Web Navigator database
Field: Max LotusScript/Java execution time
Enter: Maximum is 360. The default is 10 (Daytime Parameters) and 15 (Nighttime Parameters). This field controls the time, in minutes, that a LotusScript agent has to run. It also controls the execution time of agents created with Java.

Field: Max % busy before delay
Enter: Maximum is 90. The default is 50 (Daytime Parameters) and 70 (Nighttime Parameters). This field controls the percentage of time the agent manager can spend running agents. The time is a percentage of the Start and End times.
Field: Maximum database size
Enter: The maximum size of the Web Navigator database. The default is 500MB.

Field: Purge agent action
Enter: One of these methods to use when purging documents:
• Delete page, to delete pages permanently from the database.
• Reduce page, to delete the contents of the page but keep the URL so you still see the page in the database views.
Delete page is the default.
Field: Update cache
Enter: Choose one:
• Never (default): perform no verifications
• Once per session: check only the first time the user accesses the page during a session
• Every time: check each time the user opens a page that is already in the database