Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Query results for : June 2012

Signing and deploying Eclipse Plugins into Notes Clients- 26 June 2012 - (2) Comments

Thomas Hampel
 26 June 2012

Installing Eclipse plugins in a Notes client is a simple task. I'm sure users would be even happier if admins signed them properly before rolling them out.
Otherwise, that is when the plugins are not signed or are signed with an invalid signature, users will see messages like this:
Image:Signing and deploying Eclipse Plugins into Notes Clients

For a quick and dirty solution it would be possible to set some preferences in the plugin_customization.ini or in the Notes client so that it will not show these warnings at all.
Unfortunately this lowers the security of the entire environment and is therefore not recommended.

The better method is to sign the plugin properly with a self-signed certificate and then create a trust relationship with a Domino root certificate.
So these are the actions that need to be performed:
1.) Extract the Eclipse update site you want to sign to a temporary location on your hard disk
2.) Detach this command file to the same folder location where the file "site.xml" is located
signupdatesite.cmd
3.) Edit the file and customize the settings according to your needs - see remarks within the file.
4.) Run the .cmd file
5.) Save a copy of the .keystore, .cer and sign_.cer files; they can be used to sign new releases of the plugin if required.
6.) Import the new certificate (.cer) into the Domino server
7.) Create a cross-certificate from the internet certificate
8.) Publish the certificate to clients through security policy settings
9.) Create a new NSF based Eclipse update site and import the local update site from the temporary location (see step 1)
10.) Create a widget catalog
11.) Create a new widget using the toolbar icon "Getting started with Widgets" and choose "Features and Plugins"
Image:Signing and deploying Eclipse Plugins into Notes Clients

12.) Add the widget to the widget catalog created in step 10 and don't forget to define a meaningful title and category (e.g. Autoinstall) if you want the widget to be applied automatically. See next step for details.
13.) In the Domino Directory update the Desktop policy settings to include the newly created Widget catalog
Image:Signing and deploying Eclipse Plugins into Notes Clients

Altogether this allows plugins to be distributed automatically to Notes clients without error messages and without lowering overall security.
Well, one prompt remains....
Image:Signing and deploying Eclipse Plugins into Notes Clients

QuickR - How to count the number of registered users?- 14 June 2012 - (0) Comments

Thomas Hampel
 14 June 2012

Let's assume an IBM QuickR environment where all users are allowed to access the Domino server that QuickR runs on.
How would an administrator report the number of users?

The log.nsf is not the right place to look, because users leave a trace there just by accessing (e.g.) the Domino directory, without ever touching QuickR.
A better way is to use the QuickR Place Catalog (placecatalog.nsf) on your QuickR server. Its design is set to not show up in the Open Database dialog, so you either need to type in the filename or use the Admin client to open it.

Image:QuickR - How to count the number of registered users?
It contains a view named "Total Places By Member" which shows the total number of QuickR users across all places, including those with Anonymous access, all categorized by user name.

Image:QuickR - How to count the number of registered users?
So to identify the number of QuickR users, collapse everything in this view so that you can see the first category only.
Image:QuickR - How to count the number of registered users?
What you can see is the member number and the user name.
Image:QuickR - How to count the number of registered users?
Now scroll down to the last entry in this view - the last number displayed there is the total number of unique users.


Be aware:
  • If there are places which grant access to a group, then groups displayed in this view need to be resolved recursively
  • If Anonymous access is enabled, special licensing rules apply

If anyone would like to do this automatically, here is some LotusScript code which might help.



%REM

        Agent Count number of registered QuickR Users
        Created Jun 14, 2012 by Thomas Hampel
        Description:
        A simple agent to report QuickR user names - feel free to modify
%END REM
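Option Public
Option Declare
'# compare strings and list tags case-insensitively, in line with the flag 5 passed to ArrayUnique and StrCompare below
Option Compare NoCase
Const QuickRServer$ = "Domino-Name-Of-QuickR-Server"
Const QuickRPlaceCatalog$ = "PlaceCatalog.nsf"
Const QuickRViewName$ = "TotalPlacesByMember"
Const NABServer$ = "Domino-Name-Of-QuickR-Server"
Const NABFilename$ = "names.nsf"
'# list of unique names, the name itself is used as list tag
Dim userlist List As Boolean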
Sub Initialize
        Dim nab As New NotesDatabase (NABServer$, NABFilename$)
        Dim PlaceCatalog As New NotesDatabase (QuickRServer$, QuickRPlaceCatalog$)
        Dim view As NotesView
       
        If Not NAB.IsOpen Then
                Print "Unable to open Domino Directory : " & NABServer$ & " - " & NABFilename$
                end
        End If
       
        If Not PlaceCatalog.Isopen then
                Print "Unable to open QuickR PlaceCatalog : " & QuickRServer$ & " - " & QuickRPlaceCatalog$
                End
        End If
       
        '# load all elements into list object
        Set view = PlaceCatalog.getView (QuickRViewName$)
        Call LoadNamesFromView (view)
               
        '# resolve membership
        Call ResolveGroupMembers
       
        '# output result
        Print "Total number of unique users is " & CountUsers()
       
        '# Anonymous access...
        If IsElement (userlist ("anonymous")) Then
                Print "Anonymous access to one or more places is ENABLED"
        Else
                Print "Anonymous access to one or more places is DISABLED"
        End If
End Sub

Function LoadNamesFromView (View As NotesView)
        Dim doc As NotesDocument
        Dim tDoc As NotesDocument
        Dim usernameArray As variant
        Dim usercount#
        '# exit if the view is not valid
        If view Is Nothing Then Exit Function
        view.AutoUpdate = False

        Set doc = view.getFirstdocument
        While (Not doc Is Nothing)
                Set tdoc = view.getNextDocument (doc)
                If doc.isValid Then
                        usernameArray = Evaluate (|@Unique(@Trim(PlaceOwners : PlaceManagers : PlaceEditors : PlaceAuthors : PlaceReaders))|, doc)
                        ForAll u In usernameArray
                                '# add name to list of unique users
                                userlist (u)= True
                                usercount# = usercount + 1
                        End ForAll
                End If
                Set doc = tdoc
        Wend
        Print "Found " & usercount# & " entries across all places."        
End Function

Function expandGroupNames(GroupName As String, GroupMemberArray As Variant) As Boolean
        on Error GoTo errorHandler
        expandGroupNames = False
        If Len(Trim$(GroupName)) = 0 Then
                GoTo functionExit '# if no name is passed, don't even try to resolve the group name
        End If
 
        '# Undocumented @Formula from http://www-304.ibm.com/support/docview.wss?uid=swg21101582
        '# Input from http://www.dominoguru.com/pages/01202009030630.html
       
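        '# names come from the place catalog: escape backslashes and quotes before
        '# embedding them, so that a name cannot break out of the formula string
        Dim safeName As String
        safeName = Replace(Replace(GroupName, "\", "\\"), {"}, {\"})
        GroupMemberArray = Evaluate(|@ExpandNameList("| & NABServer$ & |":"| & NABFilename$ & |";"| & safeName & |")|)
        GroupMemberArray = ArrayUnique(GroupMemberArray, 5)
        If UBound(GroupMemberArray) = 0 Then
                '# if there's only one group member, check to see if it's valid
                If StrCompare(GroupMemberArray(0), GroupName$, 5) = 0 Then
                        '# if the only member found is the group name itself, the group couldn't be resolved
                        GoTo functionExit
                End If
        End If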
        expandGroupNames = True
       
functionExit:
Exit Function

errorHandler:
        MsgBox "Error " & Err & ": " & Error & " at line " & Erl & " of " & GetThreadInfo(1) & ".", , "Error encountered!"
        Print "Error " & Err & ": " & Error & " at line " & Erl & " of " & GetThreadInfo(1)
        Resume functionExit
End Function

Function ResolveGroupMembers As Integer
        Dim GroupMemberArray As Variant
        '# loop all users found
        ForAll user In userlist
                '# try to resolve the existing list entry
                If expandGroupNames (ListTag(user), GroupMemberArray) Then
                        ForAll members In GroupMemberArray
                                '# add the new name to the list
                                userlist (members) = true
                        End ForAll
                End If
        End ForAll
End Function


Function CountUsers As Long
        Dim count&
        ForAll user In userlist
                count& = count + 1
        End ForAll
        Countusers = count&
End Function

Bug in DominoBlog template- 12 June 2012 - (0) Comments

Thomas Hampel
 12 June 2012

For some reason it wasn't possible to use embedded images within blog postings. Looking at the HTML source of the resulting web page showed that some piece of HTML code was inserted when saving the document.
Image:Bug in DominoBlog template
After some debugging, I figured out that it was caused by the script library "DXNotesContentProcessing", where the function "autoCreateLinks" is the one to look at.


Function autoCreateLinks(strIn As String) As String
        If configdoc.config_createlinks(0)="Create Links" Then
                'Search for text and replace with link
                autoCreateLinks=strIn
                Dim view As notesview
                Dim docLink As NotesDocument
                Set view=db.getview("vLinksDesc")
                Set docLink=view.GetFirstDocument
                Do Until docLink Is Nothing
                        If Instr(autoCreateLinks," "+docLink.linktext(0)+" ")>0 Then
                                autoCreateLinks=R5replaceSubstring(autoCreateLinks, " "+docLink.linktext(0)+" ", _
                                { <a href="}+docLink.link(0)+{" title="}+docLink.linktext(0)+{">}+docLink.linktext(0)+{</a> })
                        End If
                        Set docLink=view.GetNextDocument(docLink)
                Loop
        Else
                autoCreateLinks=strIn
        End If
End Function

This function replaces a piece of text with the URL configured for it. It uses the links from "Configuration\Links" and searches the HTML string for any entry whose field "Link Text" matches.
Bad luck if someone created a link like this one, where no link text is specified:

Image:Bug in DominoBlog template


This causes the function above to search for the occurrence of 2 spaces "  ", which unfortunately is also found at embedded images... there the two spaces are located directly behind the tag.

Image:Bug in DominoBlog template

Workaround
  • Turn off "Auto Create Links from Link List" located in the configuration document of the blog under "Site Settings\Content Creation"
  • Make sure that all links in "Configuration\Links" are created with a proper link text

What about a permanent fix?

Modify the form "Link" and add an input validation formula to the field "linktext" as shown below.

Image:Bug in DominoBlog template
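
The empty link text case can be reproduced outside the template. The following LotusScript agent is an added example, not part of the DominoBlog template: linkify is a hypothetical helper that mirrors the replacement step of autoCreateLinks for a single link entry, and the HTML and URLs are constructed samples. The skipEmpty guard is an assumption about how the function could tolerate link documents that were saved before the validation formula was added.

```lotusscript
Option Public
Option Declare

'# constructed sample: an embedded image followed by two spaces, as described above
Const SampleHtml$ = {<p>Picture: <img src="photo.gif">  and a word about IBM here.</p>}

'# Mirrors the replacement step of autoCreateLinks for one link entry.
'# skipEmpty = True adds the guard that the template function lacks.
Function linkify(html As String, linkText As String, url As String, skipEmpty As Boolean) As String
        Dim needle As String
        linkify = html
        '# an empty link text would turn the search string into two plain spaces
        If skipEmpty And Len(Trim$(linkText)) = 0 Then Exit Function
        needle = " " + linkText + " "
        If InStr(linkify, needle) > 0 Then
                linkify = Replace(linkify, needle, _
                { <a href="} + url + {" title="} + linkText + {">} + linkText + {</a> })
        End If
End Function

Sub Initialize
        '# proper entry: only the word surrounded by spaces becomes a link
        Print linkify(SampleHtml$, "IBM", "http://www.ibm.com", False)
        '# entry without link text: an empty anchor is inserted directly behind the image tag
        Print linkify(SampleHtml$, "", "http://www.example.com", False)
        '# same entry with the guard: the HTML comes back unchanged
        Print linkify(SampleHtml$, "", "http://www.example.com", True)
End Sub
```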

ID Vault - Error 03:11- 8 June 2012 - (0) Comments

Thomas Hampel
 8 June 2012

When deploying the IDVault, administrators may see the following error in the Log.nsf of the server hosting the IDVault.

06/08/2012 04:54:18 PM  ID failed to upload to vault 'O=XYZ-IDVault'.  'Firstname Lastname/OU/O' (IP Address a.b.c.d:port) made request.  Error: 03:11
06/08/2012 04:59:16 PM  Unable to find ID for 'Firstname Lastname/OU/O' in vault 'O=XYZ-IDVault'.  Error: 03:11


Image:ID Vault - Error 03:11
The root cause is a pending name change request which was not applied to the user. Take a look at the person document of this user, especially the tab "Administration":
the Client Information section will show whether any name change requests are pending.

Technically the name change request is stored in a field called "ChangeRequest", supported by "ChangeRequestDate" which is storing the date/time of when this request was initiated.
In my particular case, the name change request was almost 3 years old and it was not possible to find out what had caused this request to still appear in the system.

Image:ID Vault - Error 03:11
Workaround:

Remove both fields (or set them to an empty value), e.g. by using the Change Any Field method.
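
To find affected users before they run into the vault error, the following LotusScript agent lists person documents that still carry a ChangeRequest field, with the age calculated from ChangeRequestDate. It is an added example, not code from the original post; the server name, the 30 day threshold and the selection by the Type and FullName fields of the Domino Directory are assumptions. The agent only reports and does not change any document.

```lotusscript
Option Public
Option Declare

'# assumed values, not from the original post: adjust server and threshold
Const NABServer$ = "Domino-Name-Of-Directory-Server"
Const NABFilename$ = "names.nsf"
Const MaxAgeDays& = 30

Sub Initialize
        Dim nab As New NotesDatabase (NABServer$, NABFilename$)
        Dim col As NotesDocumentCollection
        Dim doc As NotesDocument
        Dim nowDt As New NotesDateTime ("")
        Dim reqDt As New NotesDateTime ("")
        Dim reqDate As Variant
        Dim ageDays As Long
        Dim stale As Long

        If Not nab.IsOpen Then
                Print "Unable to open Domino Directory : " & NABServer$ & " - " & NABFilename$
                Exit Sub
        End If
        Call nowDt.SetNow

        '# person documents that still carry a non-empty ChangeRequest field
        Set col = nab.Search ({Type = "Person" & @IsAvailable(ChangeRequest) & ChangeRequest != ""}, Nothing, 0)
        Set doc = col.GetFirstDocument
        While Not doc Is Nothing
                ageDays = -1 '# -1 means ChangeRequestDate is missing or not a date
                If doc.HasItem ("ChangeRequestDate") Then
                        reqDate = doc.GetItemValue ("ChangeRequestDate")
                        If IsDate (reqDate(0)) Then
                                reqDt.LSLocalTime = CDat (reqDate(0))
                                '# TimeDifference returns seconds
                                ageDays = nowDt.TimeDifference (reqDt) \ 86400
                        End If
                End If
                If ageDays < 0 Or ageDays > MaxAgeDays& Then
                        stale = stale + 1
                        Print doc.GetItemValue ("FullName")(0) & " : pending name change, age in days = " & ageDays
                End If
                Set doc = col.GetNextDocument (doc)
        Wend
        Print stale & " of " & col.Count & " pending name change requests need review"
End Sub
```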

Passthru configuration done right- 2 June 2012 - (2) Comments

Thomas Hampel
 2 June 2012

I'm wondering why some customers are not using Passthru - a function which has existed in Notes/Domino for years.

From an infrastructure point of view, a Domino passthru server is nothing else than a special reverse proxy for Notes/Domino. Compared to normal reverse proxy servers it provides a higher level of security, because authentication/authorization uses the NotesID and does not rely on username/password.

I've seen customers who create multiple location documents and tell end users to switch between them to force the usage of passthru. Personally I don't think that this is what end users expect, so here is a configuration which will use the passthru server automatically when it cannot find a direct connection.


To efficiently use an existing passthru server, Notes Clients should be configured the following way:

1.) Create a server connection document in the personal address book of the Notes Client pointing to the passthru server name and its IP address (or DNS name)

2.) Create another connection document, of type "passthru", which is used for */Org, where Org is the root certifier of your organization.

Image:Passthru configuration done right

Important for this one is to set the usage priority to "Low" as shown in this picture

Image:Passthru configuration done right

Once completed, it's time for testing the connection.

Advanced options:

When using multiple passthru servers, it's possible to put an IP sprayer or load balancer in front of them, so all servers are addressable with the same DNS name.
Typically a Notes client will refuse to connect to a server that is using a different name than the one requested.
No need to worry, because Technote 1233210 already provides the solution.
On each of the Domino passthru servers behind the network sprayer you can add NETWORK_SPRAYER_ADDRESS=sprayer to notes.ini, where "sprayer" is a comma-separated list of acceptable names or IP addresses of the load balancer.


Result :

If the Notes Client is within the corporate network it will directly connect to the target Domino server, but if the direct connection fails it will try to use the next available passthru server.

Can’t contact LDAP server- 1 June 2012 - (0) Comments

Thomas Hampel
 1 June 2012

Authenticating Domino users against a remote LDAP is nothing new. Some people have blogged about it or created a presentation already.
Furthermore there are some good articles out there explaining the implementation of AD Authentication, Directory Integration and SPNEGO.

When you're done with the configuration, things may run smoothly at first, but after a few days authentication may not work any longer.
Restarting the server might help, but only for a short time frame. The reason for that is a bug in the Domino server, referenced as SPR# AJMO8NVM8F, where Domino seems not to find the remote LDAP server any longer.

Steps to reproduce:
1. Enable the following debug parameters:
Debug_DirectoryAssistence=1
WebAuth_Verbose_Trace=1
LDAPDEBUG=512
2. After some time, Domino may become unable to contact the remote LDAP server
The error message displayed at the console is the following:
LDAP> connect_to_host:  EndPoint connect failed:  The remote server is not a known TCP/IP host.
LDAP> Unable to chase references (Can't contact LDAP server)

This issue has been documented in LO66491 http://www-304.ibm.com/support/docview.wss?uid=swg1LO66491
It seems the problem still exists in Domino 8.5.3 with FixPack1, so if you run into this problem, open a PMR to get a hotfix.

A temporary workaround is to issue the command "show xdir reload" at the server, which can also run as a scheduled program document every 30min.
It won't fix the issue itself, but it reloads the directory assistance tables, which resets the error state back to normal.
Thomas Hampel, All rights reserved.